Web Server Hacking (Simulation) [help]
January 1, 2016
I have set up a testing environment using VMs. The server is Win8 running WAMP server with some sample websites that my friend created. One site is purely informational, i.e. with no user input whatsoever; the second site has SQL Server and user input etc.

The Questions:
1. Attack vectors?? (I did an nmap and Nikto scan; all I was able to gather was that port 80 is open, nothing else. Due to white box testing I know that the firewall is on and working.)
2. Gain full access to the system?? (This is one of my main targets, but no idea how to achieve it.)
3. Site defacement?? (Obviously has to be done after root/admin access, but still, how?)
4. Anything else I need.

Any help would be greatly appreciated.

SQL injection. Vulnerability on Apache (exploit-db).

Hello DarkAngel, Lalit gave an incredibly brief response here. I'd like to add a little bit more to it. Just because a website appears to be informational doesn't mean that it doesn't have user input. Have you tried browsing the website with a mobile device? Perhaps something on the server side reads the user agent to determine whether to redirect you to the mobile website. Try playing with other headers and looking for any form tags (with possible hidden fields?) and/or parameters. A website that may appear purely static across the board may have an administration panel associated with it where a user can log in and manually update its content. Use a tool like DirBuster to attempt to discover any non-linked directories on the web server. A tool like this can locate new areas on the web server to start your attack surface on. Nothing beats the standard Recon -> Mapping -> Discovery -> Exploitation phases in a Web Application Penetration Test. Spend most of your time gathering information on your targets. If you can't find any hidden directories or can't find any headers you can tweak to leverage a vulnerability, check for any AJAX requests being made on pages to see if the website is dynamic.
Programmers will often write their web methods to accept parameters using AJAX requests, and you aren't going to visibly notice these actions being called in the web browser. A tool like Firebug -> Network -> XHR tab is perfect for this. Others recommend a standard proxy tool such as Burp Suite or OWASP ZAP. Pick your poison. Both tools have their own spidering capabilities for assisting with reconnaissance.

Moving on to the second website. If you know it utilizes SQL Server, of course check for SQL injection. The days of programmers letting their applications visibly throw SQL errors should be out the window. This will of course aid you in SQL injection, but all you need is just one injection point. Hunt around for any dynamic SQL being used (areas like custom searching within the application). Everyone recommends sqlmap, but be sure to know some basic T-SQL in case you're doing any manual testing. ORMs like Entity Framework (if it's coded on a .NET stack) are harder to exploit with SQLi, but not necessarily impossible. You said you're using Apache here to host the website; I doubt the website is running on top of IIS, but if it's an ASP.NET application with Apache, it's running Mono. You may want to start here and try to break into this server, then make your way onto the other one. Both are hosted on the same box, so if you can PWN one, you likely own the other one. The likelihood of you finding a working Apache exploit for Windows 8 sounds low to me. It's a no-brainer here to correlate any exploits found on Exploit-DB to the enumerated Apache version. Regardless of whether you break in with a remote exploit (which always makes the job easier), your task is still to find the flaws within the web site, not the web server. Follow the Recon -> Mapping -> Discovery -> Exploitation methodology and take it step by step. We all want Admin/Domain Admin/System/root, but it'll more than likely start out with www-data. Your web server is Windows.
It's going to be simple to escalate your privileges if you can get a Meterpreter shell. Good luck.

@sonofwidow thanks for your help ... you have given me a lot of things to google for :P but still a few questions:
1. There is an admin panel at hxxp://localhost/phpmyadmin but it is only accessible through localhost (WAMP configurations are like this), so shouldn't I first gain access to the server to modify these settings etc.?
2. The SQL site uses that escape_string() thing that is secure (as far as I know). What about that?

Glad my response helped you out. You're right about #1. If you're hacking it locally where it's hosted, you're already localhost, so you can access it from the web. phpMyAdmin is something that comes with XAMPP by default, and it's higher than likely that if your friend was hosting the site on the web, he clearly wouldn't be exposing the URL or would have it properly configured. If he was having you attack it from the outside and left that URL exposed, I'd say take a swing at it. If he just gave you his application in PHP form and gave you the database to import locally via phpMyAdmin, you attacking phpMyAdmin locally when you already have the login isn't relevant. Escape string is pretty effective against SQLi from my understanding; the real question is, was he sure to use it everywhere? I haven't been given any steps on how to bypass escape string in my experience, but that calls for some research. I wouldn't be surprised these days if there was a sneaky way to bypass it. Sorry, I got thrown off when you mentioned SQL Server vs MySQL. I originally posted about you having to know T-SQL when you're just attacking a standard PHP MySQL back-end. I stand corrected here. Thanks for sharing.
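The defender's view of the DirBuster-style directory discovery and the localhost-only phpMyAdmin alias discussed above, as an added example that is not part of this thread: a small Python script that parses Apache access-log lines and flags any client that produces a burst of distinct 404s, which is what a wordlist scan looks like from the server side. The log lines, IP addresses and user agents are constructed for the example; that WAMP's Apache writes the standard "combined" log format is an assumption (adjust LOG_RE to your LogFormat). The 403 on /phpmyadmin/ in the sample shows the WAMP "localhost only" restriction doing its job; it is deliberately not counted as a miss.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" access-log line. Assumption: this is the LogFormat in
# use; only the leading fields are matched, so trailing referer/UA are free.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "method": m.group("method"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def find_forced_browsing(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag clients that request `threshold` or more distinct missing paths
    (HTTP 404) inside any span of length `window`. Ordinary visitors produce
    the odd 404 (favicon, stale link); a wordlist scanner produces a burst
    of distinct ones. Returns {ip: sorted list of the 404 paths in the burst}."""
    misses = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec["status"] == 404:
            misses[rec["ip"]].append((rec["ts"], rec["path"]))

    flagged = {}
    for ip, hits in misses.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Advance the window start until hits[start..end] fits in `window`.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            paths = {path for _, path in hits[start:end + 1]}
            if len(paths) >= threshold:
                flagged[ip] = sorted(paths)
                break
    return flagged


# Constructed sample log: one ordinary visitor (.10), one directory
# scanner (.20), one slow crawler (.30) whose 404s are spread out.
SAMPLE_LOG = """\
192.168.56.10 - - [01/Jan/2016:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.56.10 - - [01/Jan/2016:10:00:02 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.168.56.10 - - [01/Jan/2016:10:00:09 +0000] "GET /about.html HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
192.168.56.20 - - [01/Jan/2016:10:05:00 +0000] "GET /admin/ HTTP/1.1" 404 209 "-" "scanner"
192.168.56.20 - - [01/Jan/2016:10:05:00 +0000] "GET /backup/ HTTP/1.1" 404 209 "-" "scanner"
192.168.56.20 - - [01/Jan/2016:10:05:01 +0000] "GET /config/ HTTP/1.1" 404 209 "-" "scanner"
192.168.56.20 - - [01/Jan/2016:10:05:01 +0000] "GET /old/ HTTP/1.1" 404 209 "-" "scanner"
192.168.56.20 - - [01/Jan/2016:10:05:02 +0000] "GET /test/ HTTP/1.1" 404 209 "-" "scanner"
192.168.56.20 - - [01/Jan/2016:10:05:02 +0000] "GET /phpmyadmin/ HTTP/1.1" 403 209 "-" "scanner"
192.168.56.30 - - [01/Jan/2016:10:10:00 +0000] "GET /robots.txt HTTP/1.1" 404 209 "-" "crawler"
192.168.56.30 - - [01/Jan/2016:10:14:00 +0000] "GET /sitemap.xml HTTP/1.1" 404 209 "-" "crawler"
192.168.56.30 - - [01/Jan/2016:10:18:00 +0000] "GET /feed/ HTTP/1.1" 404 209 "-" "crawler"
""".splitlines()


if __name__ == "__main__":
    for ip, paths in find_forced_browsing(SAMPLE_LOG).items():
        print(f"{ip}: {len(paths)} distinct 404s within 60s -> {paths}")
```

Only the scanner is reported; the visitor's single favicon miss and the crawler's three 404s spread over eight minutes stay under the threshold. On a real WAMP box you would feed it the contents of Apache's access.log and tune threshold and window to the site's normal traffic.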
You might want to look up WAMP Server scripts for vulnerabilities; the source code is on GitHub here: https://sourceforge.net/projects/wampserver/files/WampServer%203/WampServer%203.0.0/ Also you might want to try some already known attack vectors; check exploit-db: https://www.exploit-db.com/papers/12871/

@t13ru thanks ... you have also given me more insight into where to begin my research.

I almost forgot, it is useful to create another VM and install the server on it just to see how it responds and what the default filesystem looks like. You might also observe which ports are open at default settings and try to find some weak spots there. For example 21, 22, 80, 443 ... etc. It is useful to look for port references at: http://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml

Yeah I think my head will explode ... so much googling :P anyway thanks.

You are right. Googling vulnerabilities for Win8, WAMP server, SQL server. Then you can start from there. For example, can you explore SQL injection since the server allows users to input data? Besides that, you can try to brute force the root account by SSH login.
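On the escape_string() question raised earlier and the SQL injection suggestion just above, an added example that is not part of this thread: it shows the three ways a lookup can be written (string concatenation, escaping, and a bound parameter) and why escaping alone only covers values that sit inside quotes, so "was he sure to use it everywhere" is really "was every value either quoted-and-escaped or parameterised". Python's sqlite3 stands in for WAMP's MySQL so the example runs offline; that the OP's site uses a mysqli real_escape_string-style helper is an assumption, and the user table is constructed.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for the site's MySQL users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (id, username, role) VALUES (?, ?, ?)",
        [(1, "alice", "admin"), (2, "bob", "user"), (3, "carol", "user")],
    )
    return conn


def escape(value: str) -> str:
    """Doubles single quotes, which is what a real_escape_string-style helper
    does to keep a value from closing the quoted SQL literal it sits in."""
    return value.replace("'", "''")


def find_user_concat(conn, username: str):
    # Vulnerable: request input is spliced straight into the statement.
    sql = f"SELECT id, username FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_escaped(conn, username: str):
    # Escaping is effective here, because the value is inside quotes and the
    # only way to leave the literal is a quote character.
    sql = f"SELECT id, username FROM users WHERE username = '{escape(username)}'"
    return conn.execute(sql).fetchall()


def find_user_by_id_escaped(conn, user_id: str):
    # The gap escaping leaves: an unquoted numeric context. No quote is needed
    # to alter the statement, so escape() changes nothing. Such values need
    # int() validation or a bound parameter, not escaping.
    sql = f"SELECT id, username FROM users WHERE id = {escape(user_id)}"
    return conn.execute(sql).fetchall()


def find_user_param(conn, username: str):
    # Hardened: the driver sends the value separately from the statement text,
    # so it is never parsed as SQL, whatever characters it contains.
    return conn.execute(
        "SELECT id, username FROM users WHERE username = ?", (username,)
    ).fetchall()


def find_user_by_id_param(conn, user_id):
    # The same bound-parameter pattern works for numeric contexts.
    return conn.execute(
        "SELECT id, username FROM users WHERE id = ?", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    hostile_name = "x' OR '1'='1"
    print("concat  :", len(find_user_concat(conn, hostile_name)), "rows")   # 3
    print("escaped :", len(find_user_escaped(conn, hostile_name)), "rows")  # 0
    print("param   :", len(find_user_param(conn, hostile_name)), "rows")    # 0
    hostile_id = "1 OR 1=1"
    print("id escaped:", len(find_user_by_id_escaped(conn, hostile_id)), "rows")  # 3
    print("id param  :", len(find_user_by_id_param(conn, hostile_id)), "rows")    # 0
```

The first two lookups show escaping holding up where the value is quoted; the id lookups show it doing nothing where the value is not. In PHP the equivalent of the hardened functions is a mysqli or PDO prepared statement with bind_param/bindValue, which is the review point to apply across the whole code base rather than auditing each escape call.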