Exercise : Scanning #1 BiluBox Penetration Test

Hi,

In this post I would like to continue my previous post on penetration testing the Bilu box from vulnhub.com. This post is not just a walkthrough for hacking into the system; it also describes the penetration testing process in some detail.

This post covers the second phase of penetration testing, which is scanning. This phase is intended to find the vulnerabilities of the target system by using some tools.

This phase can be done in two ways: static and dynamic analysis.

Static analysis

In this phase the penetration tester tries to find vulnerabilities by analyzing the target system's code, for example by downloading it from GitHub or another available version control system. The penetration tester must know how to read code in languages such as Perl, Python, PHP, C, C++ and so on. Most importantly, during static analysis the tester should know the code patterns of vulnerable code in detail, which makes them easier to spot while reading the code.

Dynamic analysis

In this phase the penetration tester exercises the running application or target system, passing various inputs to it and analysing its responses. The penetration tester should also know how to use a debugger to trace the application logic and low-level execution details such as assembly language.

I will combine both techniques as needed during the BiluBox penetration test. Here are the steps.

From our previous recon phase we know that the target machine is assigned the IP 192.168.5.140 and runs a web application on port 80 and SSH on port 22.

Let's jump into analysing the web application on port 80. I prepared some tools for this:

  1. Firefox with FoxyProxy installed to enable proxying to Burp Suite
  2. Burp Suite (Free License)
  3. Gobuster and Dirbuster

To enable Firefox proxying to Burp Suite, you can find the detailed steps here

Here are the steps for analysing the web application:

1. Open Firefox and go to http://192.168.5.140

2. We see two input boxes with a provocative “Show me your SQLI skills”

3. Let's try some SQL injection on those two input boxes. During this kind of test I usually keep gobuster or dirbuster running in the background to use the time effectively. I will explain gobuster later in this post.

# gobuster -u http://192.168.5.140 -w /usr/share/dirb/wordlists/big.txt -o gobuster.txt -t 4 -to 4s

The output (but let's discuss it later):

=====================================================
Gobuster v2.0.1 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://192.168.5.140/
[+] Threads : 4
[+] Wordlist : /usr/share/dirb/wordlists/big.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout : 4s
=====================================================
2018/12/22 02:02:46 Starting gobuster
=====================================================
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/add (Status: 200)
/c (Status: 200)
/cgi-bin/ (Status: 403)
/head (Status: 200)
/images (Status: 301)
/in (Status: 200)
/index (Status: 200)
/panel (Status: 302)
/phpmy (Status: 301)
/server-status (Status: 403)
/show (Status: 200)
/test (Status: 200)
/uploaded_images (Status: 301)
=====================================================
2018/12/22 02:02:51 Finished
=====================================================

4. Let's proxy Firefox through Burp Suite by enabling FoxyProxy. Don't forget to start the Burp Suite provided in Kali Linux (see blue circled).

Let's try posting example values, username: admin and password: admin, and check the POST in Burp. By default Burp intercepts the traffic between your browser and the server.

As we can see, the data you post to the web server is caught by Burp, and you can see the username and password with the value you entered in the web page, “admin”.

Since we will be doing SQL injection, we will post a lot of data to the web server, and typing SQL into the username and password fields is not convenient. It is better to do it from Burp: send the request to Repeater by pressing Ctrl+R, or by right-clicking in the window and selecting Send to Repeater.

Then you can switch to the Repeater tab.

Now you can leave your browser and start manipulating the input for username (un) and password (ps) in the Repeater module.

Here are the steps for manipulating the input for SQL injection:

1. Change the values to un=admin and ps=admin'
Adding ' at the end of the variable is the simplest way to check for an SQL injection vulnerability.

2. After you edit the variable, press Go to send the request to the web server.

3. The server will respond to the request, and you will see how the application behaves with the input you entered. You can start analysing and testing.

I will not explain in detail how SQL injection works; the idea is to manipulate the programmer's SQL query through your input in the boxes. Below is a list of interesting SQL injection payloads that you could try.

https://github.com/swisskyrepo/PayloadsAllTheThings/blob/master/SQL%20injection/MySQL%20Injection.md
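Why the trailing quote in ps=admin' is such a telling check, and what the fix looks like, shown as an added example that is not part of the original post or the BiluBox code. It assumes a hypothetical auth table with uname and pass columns and uses SQLite in memory as a stand-in for the target's MySQL.

```python
import sqlite3

def make_db():
    # Constructed sample data: one account in a hypothetical auth table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE auth (uname TEXT, pass TEXT)")
    db.execute("INSERT INTO auth VALUES ('admin', 's3cret-sample')")
    return db

def login_concat(db, un, ps):
    """Vulnerable form: the inputs become part of the SQL text."""
    query = f"SELECT COUNT(*) FROM auth WHERE uname = '{un}' AND pass = '{ps}'"
    try:
        return "ok" if db.execute(query).fetchone()[0] else "denied"
    except sqlite3.Error as exc:
        # The quote in the input unbalanced the statement, so the SQL
        # parser itself fails. That changed behaviour is the signal.
        return f"sql error: {exc}"

def login_param(db, un, ps):
    """Hardened form: placeholders keep the inputs as data."""
    query = "SELECT COUNT(*) FROM auth WHERE uname = ? AND pass = ?"
    return "ok" if db.execute(query, (un, ps)).fetchone()[0] else "denied"

def compare(un, ps):
    """Run the same credentials through both forms."""
    db = make_db()
    return login_concat(db, un, ps), login_param(db, un, ps)

if __name__ == "__main__":
    for ps in ("admin", "admin'", "s3cret-sample"):
        print(repr(ps), compare("admin", ps))
```

With the parameterized query the quoted input is just a wrong password; with string concatenation it changes the statement, which is why the application's response differs.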

4. Let's get back to the gobuster result. Gobuster has the same function as dirbuster: forced browsing of the web server to find pages that are not published or linked from any available page.

Why did I choose gobuster rather than dirbuster? The answer is that I found gobuster more stable and faster than dirbuster.

# gobuster -u http://192.168.5.140 -w /usr/share/dirb/wordlists/big.txt -o gobuster.txt -t 4 -to 4s

Option descriptions:

  1. -u : target url
  2. -w : word dictionary
  3. -o : output to file
  4. -t : number of concurrent threads
  5. -to : response timeout

Analysing the scan output above, we can see that some interesting directories and server pages are exposed.

Let's start analysing. Don't forget to activate the browser proxy and Burp Suite.

1. Let's open the /add page. Here we find an interesting page that lets us upload an image to the server. One of the OWASP vulnerability classes is unrestricted file upload (details: https://www.owasp.org/index.php/Unrestricted_File_Upload); we will keep it for later.
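A small triage helper for the gobuster output shown earlier, as an added example that is not part of the original post. It groups the discovered paths by status code so that each group can be reviewed in turn; the notes attached to each status are an assumption based on usual Apache behaviour.

```python
import re
from collections import defaultdict

# Result lines copied from the gobuster run in this post.
SAMPLE = """\
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/add (Status: 200)
/c (Status: 200)
/cgi-bin/ (Status: 403)
/head (Status: 200)
/images (Status: 301)
/in (Status: 200)
/index (Status: 200)
/panel (Status: 302)
/phpmy (Status: 301)
/server-status (Status: 403)
/show (Status: 200)
/test (Status: 200)
/uploaded_images (Status: 301)
"""

# Banner, option and timestamp lines do not match and are skipped.
RESULT = re.compile(r"^(/\S*)\s+\(Status: (\d{3})\)")

# Reviewer's reading of each status (assumption: usual Apache behaviour).
NOTES = {
    200: "served to any client; confirm it is meant to be public",
    301: "usually a directory redirect; check for directory listing",
    302: "redirects elsewhere; usually a login gate",
    403: "exists but access is denied",
}

def parse(text):
    """Return (path, status) pairs from gobuster dir-mode output."""
    hits = (RESULT.match(line.strip()) for line in text.splitlines())
    return [(m.group(1), int(m.group(2))) for m in hits if m]

def triage(findings):
    """Group paths by status code, preserving scan order."""
    groups = defaultdict(list)
    for path, status in findings:
        groups[status].append(path)
    return dict(groups)

if __name__ == "__main__":
    for status, paths in sorted(triage(parse(SAMPLE)).items()):
        print(status, NOTES.get(status, "review manually"))
        for path in paths:
            print("   ", path)
```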

2. Browse /c, /cgi-bin/, /head, /panel, /server-status, /show: no interesting output.

3. Browse /images/: another interesting page, listing images. Perhaps the uploaded images are stored here.

4. Browse /in: the output is very interesting. It is a PHP information page, so we can find a lot of information about what PHP supports on this server.

5. Browse /index: it gives us the first page.

6. Browse /phpmy: we find that the web server is hosting a phpMyAdmin application to manage a database.

We can try to find the version of the installed phpMyAdmin by clicking the “?” beside the login caption.

7. Browse /test: I found an interesting error message saying that the page requires the parameter file= and that it must not be blank. This parameter could be sent by the POST or GET method.

8. Browse /uploaded_images: I found a list of image files in the directory.

We have finished an overview of the application by manually browsing it based on the output of nmap and gobuster. This is a crucial step for getting more detailed information about what the application looks like, so that we can set up a correct strategy for the attack. Based on this we have some attack vectors in mind, for example:

  1. phpmyadmin
    Could be attacked by brute forcing the login page. Alternatively, we can search the internet for known vulnerabilities of the specific version.
  2. /add page
    Could be attacked by uploading a malicious file to enable a backdoor
  3. /test
    Could be attacked by manipulating the file variable
  4. ssh
    Could be attacked by exploiting a vulnerability of the SSH service for the specific version; we could check the internet for available exploits, or we can brute force using some tools in Kali Linux.

The above 4 attack vectors are our focus for exploitation at this moment, until we find other interesting information.

A more detailed analysis will be done in the next post. I will be back soon 🙂
