Posted on Leave a comment

Follina : Explained with POC

Hello aspiring Ethical Hackers. In this article, readers will learn about Follina, the latest Zero-Day vulnerability in Microsoft.

Vulnerability & Impact

Follina is the name given to a remote code execution (RCE) vulnerability in the Microsoft Support Diagnostic Tool (MSDT). This vulnerability allows a remote attacker to use a Microsoft Office document template to execute code via MSDT and download a malicious payload from a remote URL. It affects Office 2013, 2016, 2019, 2021, Office ProPlus and Office 365.  

What actually is Follina?

Follina is a municipality that is located 60 kms northwest of Venice in Italy. Completely unrelated, the vulnerability has been named Follina as the malicious file was referencing to an executable that was named 0438. This is the area code of Follina, hence the zero-day has been named so.

What is MSDT?

Follina exploits MSDT but what is MSDT? Microsoft Support Diagnostic Tool (MSDT) is a service used for gathering diagnostic data about the system.

Proof Of Concept

Let’s see how to exploit Follina practically. For this let’s download a exploit from Github. Navigate into the cloned directory and you will files as shown below.

Two files are important in this directory. The “clickme.docx” is the file that uses MSDT to connect to a remote website and execute the exploit. The exploit is present in the “exploit.html” file. If this POC is successful, the exploit will popup calc.exe.

I tested this exploit on MS Office 2019 running on Windows 10. I hosted the exploit using Wamp server running on localhost.

I opened the clickme.doc and waited. Nothing happened. Then I saved it as clickme.rtf file as shown below.

This time when I clicked on clickme.rtf file, this happened,

And the calculator popped up. The Proof Of Concept Is Successful.

Posted on

WordPress Enumeration with Metasploit

Hello aspiring Ethical Hackers. In this article, readers will learn how to perform WordPress enumeration using Metasploit. WordPress is one of the most popular CMS available and as of 2021, 39.5% percent of websites are powered by WordPress. Hence gauging the security of WordPress installation is always important.

Metasploit has a few modules that can be used to perform WordPress Enumeration. Let’s see a few of them. The first module we will see is the WordPress Scanner module that scans for installed themes, installed plugins, installed WordPress version and more information about target WordPress.

Let’s see how this Module works. Start Metasploit and load the WordPress scanner module. Then, type command “show options” to see the options we require for this module. We are testing this module on WordPress installed on Ubuntu 20.

After all the options are set and the module is executed,

the module successfully detected the target WordPress version as 6.0. It also detected plugins installed on the target WordPress along with their versions. The module will also try to enumerate users although it failed to detect any users here.

This module can be useful to find if there are any vulnerabilities on the WordPress target.  For example, one of the plugins installed on this target wp_pie_register has an exploit module related to it.

Some of the vulnerabilities in WordPress require credentials for successful exploitation. Metasploit also has a WordPress login enumeration module that not only helps in user enumeration but also brute forcing their password.

Load the WordPress user enumeration exploit as shown below. Type command “show options” to see the options this module requires.

Assuming we have no idea about any user credentials on the target machine, the first thing to do is enumerating and validating usernames. So set “bruteforce” option to false as shown below.

Validating usernames is a process where we check if a particular username is present on the target WordPress site. We can validate a single username or many usernames using a wordlist. For example, let’s use the wordlist “common.txt” as users file. We also want to set the STOP_ON_SUCCESS option to TRUE. This will stop the enumeration as soon as we get one valid username.

Let’s execute the module now.

The module found one valid username on the target. It’s “admin”. Since we have found one valid username on the target, lets try to find out the password for this user. For doing this, we need to set the options as shown below.

ENUMERATE_USERNAMES  :    FALSE

VALIDATE_USERS   : FALSE

BRUTEFORCE : TRUE

We need to also set the password file for that is required for brute forcing. Since we now know the username, we set it using option “username” option.

We need to also set the password file for that is required for brute forcing. Since we now know the username, we set it using option “username” option.

The module found one successful LOGIN using credentials “admin : admin”. See how to perform WordPress Enumeration with WPScan.

Posted on

Spring4Shell : Explained With POC

Hello, aspiring Ethical Hackers. In this article you will learn about Spring4shell, a new zero-day vulnerability that has been discovered in Spring Framework. Spring Framework is an open-source application framework for Java and is normally deployed with Apache Tomcat servers.

Vulnerability & Impact

There are two vulnerabilities affecting Spring Framework, one is in Spring Core and second is in Spring Cloud. The Spring Core RCE vulnerability impacts Java class objects.  The vulnerability in Spring Core has been given name Spring4shell in the lines of Log4shell as both vulnerabilities affect a library. Although, it took its name from Log4shell, it is not as dangerous as its namesake.

This vulnerability affects all versions of Spring Core Framework running on JDK versions 9 and after. This vulnerability is tracked as CVE-2022-22965. There is another RCE in Spring Cloud Function versions <=3.1.6 and <=3.2.2.

Proof Of Concept

It’s time to see the exploitation of Spring4shell practically. Let’s create a new directory named spring4shell.

Clone the repository shown in the image below. This repository contains both vulnerable docker image and exploit.

Build the Docker image vulnerable to spring4shell as shown below.

You can check if the target is set or not by visiting the URL in browser.

If you get the above message, the target is ready. Run the exploit. The python exploit uploads a java web shell on the target after exploiting vulnerability.

The exploit completed successfully. The web shell can be accessed at above highlighted address.

The POC is succesful,

Posted on

ms08-067 exploitation to hack Windows XP

Hello aspiring ethical hackers. In this article, we will see how to exploit ms08-067 vulnerability to hack Windows XP. As our readers may already know by now, ms08-067 is a vulnerability in Windows 2000, Windows Server 2003 and Windows XP.  It is a critical vulnerability that allows remote code execution on the target Windows system by sending a specially crafted RPC request to it.

This vulnerability doesn’t require any authentication or even user interaction on the target side. That’s the reason why it is ubiquitous in any ethical hacking course. We have exploited this vulnerability recently in our February 2021 Issue. But that was done using without Metasploit.

In this article, we will do this with Metasploit. For this, we have chosen our target as Windows XP SP2 and our Attacker system as Kali Linux. Most of the Antivirus ended their support to Windows XP SP2 (Windows XP SP3 is the minimum supported version. Even Real world systems running Windows XP SP2 are running without Anti Virus.)

So Nmap scan revealed a Windows target as shown below.

Start Metasploit and load the ms08_067 module.

Set all the required options and use check command to see if the target is indeed vulnerable.

The target is indeed vulnerable. Now, execute the module as shown below.

As readers can see, we successfully got a meterpreter session with SYSTEM privileges.

Posted on

CVE-2022-25636 : Linux Privilege Escalation

Hello aspiring Ethical Hackers. In this article you will learn about another Linux Privilege Escalation vulnerability tracked as CVE-2022-25636 and its exploitation. I am saying another because this vulnerability comes immediately after recently discovered Linux Dirty Pipe vulnerability.

CVE-2022-25636 is a vulnerability that affects the Linux Netfilter component. What is netfilter? It is an open source framework provided by the Linux kernel that allows various networking-related operations to be implemented in the form of customized handlers. Its functions include packet filtering, network address translation and port translation. All Linux Firewall utilities i.e Iptables, nftables, ufw etc use Netfilter in their operations.

Exploitation of this vulnerability can give attackers root privileges on the target system, allow them to escape containers and in worst case induce a kernel panic. This vulnerability affects Linux kernel versions 5.4 to 5.6.10. The target OS include Ubuntu, Debian, RedHat etc.

However, there’s no clarity on which kernel versions are actually vulnerable. In my testing, this failed to work on Ubuntu 21.10 kernel version 5.13.0-10 but worked every time on Ubuntu 21.10 with kernel version 5.13.0-30 (without giving any panic). Let’s have a look at how the exploitation worked for me.

To exploit this privilege escalation vulnerability, anybody needs to have access on the target system with Low User Privileges as shown below.

Once I have a shell on the target, I download the exploit from Github as shown below.

Next, I navigate into the CVE-2022-25636 directory and compile the exploit as shown below.

Then I executed the exploit as shown below.

As readers can see, I successfully got a shell with root privileges.