Welcome to the Web application lab walkthrough.
So we have two hosts here. One is a bit NAMI Wordpress stack, which is a Lennox host
and the other is a Windows host.
And like I told you before you need to go to WP scan dot com and get an api token
to scan this bit NAMI Wordpress site. Of course you can you can use end map to scan these. But since this is a web attack lab, you can be pretty sure it's either import 80 or 443
So we go to this site we notice it's in the Wordpress directory. That becomes important when we use WP scan so we can see if the bat it's a Wordpress site.
So what I'll do is I'll use WP scan.
1-50 Wordpress. Make sure you specify that directory,
otherwise it's not gonna work.
and put your api token
and start your skin.
Now you're gonna get a lot of information back and sometimes it's not that you have too little information
is that you have too much information that comes back.
You'll see the themes come back with a lot of information.
So you'll see that config backup is identified here. If you actually go to this site,
you might not see anything but you paid source. Here's a whole bunch of good information that you can see about the configuration of this. Wordpress site.
But is that going to get us a shell? Probably not.
So let me start looking at the vulnerabilities were identified and I actually made this box so hopefully you like it and sometimes it's not. Again, it's not too little information is too much information so you have to kind of pick
out of these three vulnerabilities, unauthenticated file inclusion
and authenticates sequel, injection
and this upload arbitrary code execution or arbitrary file upload Which one is most important. And this is where your hackers senses have to kick in.
So out of all these vulnerabilities, what was most interesting to me is an arbitrary file. Upload
the sequel injection. If you look at the pOC,
it will give you a sequel map
I kind of threw that in. There is a trick. I mean you can use this if you want but of course in Os CPU can't use this. And the other thing is I said the people that write this might not give you a lot of information. This will drop you in a sequel shell. So it will just be sitting there staring at you and if you don't know how to write sequel statements, you won't know what to do.
So understand what all this means. This is a lot of information to give you,
uh, in this exploitation example.
So if you want to use this, go ahead and research it.
Also. This unauthenticated file inclusion.
This is interesting.
And we can read the etc. Password file.
Let's go ahead and pace that.
So we can read the etc password file. We could read a bunch of files.
But again, my goal is to get a shell on this box.
So if I go back and look,
I did this on purpose here.
So if you look at the arbitrary file upload is actually to an exploit. DB1 is a medicine plate module. That's fun.
the other should be PHP A script in PHP. There's two PHP scripts, there's this one
and this one. And that's why I go back to being able to read these examples.
So this is we have to ask yourself, am I going to waste a medicine plate module? If you actually look at the code
is making a crow request,
you could do this from the command line and I will show you how easy this is. You don't even need to use the PHP.
So what I can do here
is I will open up another shell.
PHP reverse shell here.
And I'm going to rename it
to shell just to make it easy.
And of course this is the pen test monkey shell. So I have to have to edit some things.
So I'm going to edit
I can leave that port.
And how do I curl this? Well if I look at the poc
it tells me curl I in it
where I need to curl it to
Then I hope I spelled everything right.
Single quote for this.
I don't think like that.
Uh my wordpress twice.
So it tells us where our file should be. Of course what we need to do now is set up a listener
and go to that site that it gave us. Of course. I might just cut off my shell right there.
Yes. I cut off the shell.
moving your shell around.
And now we can see I'm a demon and I know it's kind of smushed but the screen is small and I apologize for the labs
I am on this box now. 19216812 50. So I've successfully now got gotten on the Lennox box. So that's the way I would get onto it. You don't need to use a medicine flight module. All you need is WP scan and figure out from all that information. Overload
what the vital information is. So that's just being able to look at these proof of concepts
and figuring out from here do I need to do wordpress? You could use wordpress and do this but you just wasted a module and I wouldn't do that when all you need to do is a simple, simple curl request which you can understand by looking at the PHP here. If you don't understand it. You know, just take a look and google all this and figure out
that's how I that's how I figured it out was googling
and I and basically came down to a curl request so that's how easy it is
for that and I made it that way on purpose
so now that we have a shell
on the Lennox box, I will close this out. So we've successfully completed one task.
So now let's move over to the windows box.
So I like to do robots dot txt
and see what I can find.
And I see there's a web Dav directory
now if I go here, if I'm thinking web dav
I'm thinking I can maybe use cadaver to get onto this. Now the problem is if I use cadaver to put files
web dive. It's gonna ask me for a user name and password. I don't know what that is.
So if I quit and I clear this I can use Derby, http
Now you can specify extensions I can duty txt
or sp or anything but let's do txt and see what we get
All right. So we found web dav dot txt.
This gives us the username and password that we want.
So now what we can do
as we can try to get a shell on here.
Now we can try to figure out the technology is is that doesn't use tick does it use
ESP I can use what? Web
Of course I like to use Apple Isar but we don't have that in the lab.
So I see it as PHP and PERL.
So if I have PHP on here,
I could probably upload that same web shell from Pandas monkey
onto this box with cadaver.
So let's go back and use cadaver
and now we know our credentials, right, user name
wamp password, Zampa,
So we see index and web dav dot txt Of course that was the file that gave us the information. What we can do now is put
shell dot PHP on here.
and of course we can do now
is like before when split the terminal vertically
So now that we have a shell on here, I should be able to go to the shell dot PHP
and I see that there's an error here.
So why is this? That's a great question to ask yourself. If you read the code. This shell is for
Lennox, not for Windows.
So what I could do is put
share web shells PHP
So this is an interesting one.
So we'll say usage now if I can etc. Password. Is that going to work? No. Why? Because this is a Windows box.
So a agnostic command that works on both is who am I? And I can see that I am anti authority system.
Is this enough for a web show?
Mm hmm. We can do better. Right.
is I can do an MSF venom payload.
I'll do Windows shell,
so what I can do now
is we can we can pearl this
Okay, so it's very important. 8000. So what am I trying to do here? I'm trying to get this
and execute it so that I can get a shell
Somebody use cert util
Split. I'm doing this from my off my top of my head. So hopefully this is right. 192168
output. Shell dot E X C
This is where I google.
and I can see that it got here.
So let's run directory and see if it's there.
So now we need to set up MSF console.
Actually I don't need to set up MSF console because
well you can if you want. Right,
is shell reverse TCP.
So I could use Net Cat or I could use
what I should see now is I am on web Dav here. I am
to see um system so that's great
And I see we are on 192168 100.
I can collapse this terminal here.
so there you go. So now I'm on the Windows box. So that's how you get a shell
and that's just basically from website enumeration
and knowing what tools you have. I don't think I mentioned cadaver at all in that web exploitation section.
So it's trying to think outside the box if you c webb dad, what should I do? And I believe that's covered the P W K material. So I kind of wanted to throw a few curveballs in there for you so you could try harder and also try smarter. So hopefully you got shells on both boxes and this walkthrough shows you how you can do that.