Core Impact Agent and BWAPP Command Injection – Part 1

Hi Friends,

I would like to wish a “Merry Christmas and Happy New Year 2022” to those who are celebrating it.

I would like to share a small tutorial on how to use the Core Impact application during the exploitation phase of your red teaming or penetration testing. This post explains the steps to deploy the Core Impact network agent on the victim server by exploiting a web vulnerability.

Core Impact has great capabilities for attack automation, but it also lets you customize the modules to your needs and carry out manual attacks.

In this first part, I am going to cover Core Impact agent deployment with an automated attack. An automated attack means that we allow Core Impact to analyze the vulnerability by itself and deploy the web agent, which we can then follow up with a Core Impact OS agent deployment.

Core Impact as Web Proxy

We need to set up Core Impact as our web proxy so that we can browse the target web application and have the pages captured by Core Impact.

To start, we need to create a blank workspace to work in. After the workspace is successfully created, we can go to the “Web” tab.

Then click on Information Gathering and click the Next button.

You can “Create a new scenario” or “Use an existing scenario” to group the traffic captured during the analysis. I will create a new scenario for this tutorial and press the Next button.

To activate the proxy, select “Interactive web crawling” and press the Next button.

Keep pressing the Next button until the Finish button appears, then press the Finish button.

You can see the status of the web proxy creation by checking the “Executed Modules” window.

Before we browse the victim’s webpage, we need to set the browser’s proxy so that it connects through Core Impact.

BWAPP

After the proxy is set, you can start browsing the web application (BWAPP), go to the OS Command Injection page and press Lookup.

As you browse, every page that you visit will also appear in Core Impact, complete with the data that you posted to the server.

Automatic Exploitation

As I mentioned earlier, we will use the automation provided by Core Impact to do the exploitation, which will give us the agent deployment.

To start the exploitation, we should find the module that will analyze the vulnerability.

Since we know that the vulnerability we are going to exploit in BWAPP is OS command injection, we can use the OS Command Injection Analyzer provided by Core Impact.

After that, we can drag that module onto the URL that we are going to analyze and press the OK button.

Core Impact will perform the automatic vulnerability analysis and deploy the exploit directly when a vulnerability is found. You can see that the module is running in the Executed Modules window.

After a few seconds, Core Impact has successfully found the vulnerability and directly deployed the temporary exploit agent, shown in the below image as OS Command Injection Agent (0), which allows you to interact with the server, for example by giving you a shell.

Interaction with the temporary agent is very limited. If we want more features to extend our capabilities for lateral movement, then we need to deploy an OS Agent.
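From the defender's side, the flaw the analyzer finds on the lookup page is a posted value reaching a shell command string. The following is an added example, not code from the original post, from BWAPP or from Core Impact, showing that pattern beside a hardened form that validates the value and runs the lookup without a shell. It assumes the page runs `nslookup` on the posted host; all function names and the sample inputs are hypothetical and constructed for illustration.

```python
import re
import subprocess

# One DNS label: letters, digits, hyphen; must not start or end with a hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_valid_hostname(target):
    """Allow-list check: accept a plain DNS name and nothing else."""
    if not target or len(target) > 253:
        return False
    name = target[:-1] if target.endswith(".") else target
    return all(_LABEL.fullmatch(label) for label in name.split("."))


def vulnerable_command(target):
    """Flawed pattern: the posted value is pasted into a shell command string,
    so shell metacharacters in it are interpreted by the shell."""
    return "nslookup " + target


def safe_lookup_argv(target):
    """Hardened pattern: validate first, then build an argv list for exec."""
    if not is_valid_hostname(target):
        raise ValueError("rejected lookup target: %r" % (target,))
    # The leading-hyphen rule above also stops the value being read as an option.
    return ["nslookup", target]


def run_lookup(target):
    """Run the lookup without a shell; the value is one argument, never code."""
    result = subprocess.run(safe_lookup_argv(target), capture_output=True,
                            text=True, timeout=5, shell=False)
    return result.stdout


# Constructed sample inputs (not captured traffic).
SAMPLES = ["www.example.com", "www.example.com; id", "-debug", "a..b", "host\n"]


def classify(samples):
    """Map each sample to 'accepted' or 'rejected' by the validator."""
    return {s: "accepted" if is_valid_hostname(s) else "rejected" for s in samples}


if __name__ == "__main__":
    for sample, verdict in classify(SAMPLES).items():
        print("%-24r %s" % (sample, verdict))
```

Rejected values are also worth logging on the server, since a lookup field receiving shell metacharacters is a useful detection signal.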

OS Agent Deployment

To extend our interaction with the victim’s server, we need to deploy a Network Agent. Core Impact makes deploying a Network Agent very easy once we have the temporary web agent running.

You can find the module “Install OS Agent using OS Command Injection Agent” in the module list.

You can drag that module onto the OS Command Injection Agent (0) that we established in the previous steps and press the OK button.

We can see that the OS Agent is successfully deployed to the victim’s server by going to the Network tab, going to the IP of the victim and looking at the installed agent(0).

If we right-click on agent(0), we can see that it provides more interaction capabilities, such as Shell, Browse File, Set as Source for pivoting point, etc.

Take browsing files as an example. It will give you a pop-up window for browsing files on the victim’s server.

Conclusion

We can see that Core Impact makes all of this work very easy while still giving us very good flexibility to customize our control and stay hidden.
