The other day I was training EN1 and 2 and I had to set an exam that would cover much of what the students had learnt. So here it goes. The trick to passing the exam is what we call Threat Intelligence. A lot of pentesters out there have no idea how to do it, so I found it important for my students to get a glimpse of what they are expected to do when they get back to their organizations.
First of all, the most important part of the assessment is reconnaissance.
Reconnaissance gives you a chance to get more information about the target, and from here we start understanding the OS version and what is running on the system. As you can see, we have port 80 open with Apache running on it. So let's load the website in our browser and see what we can view.
So we see there is a website running on this server. We can try to log in or check it out, or even scan it with Nikto, which is located in /pentest/web/nikto in BackTrack.
Nikto gives us more information about the website, and we find some URLs that are useful for understanding the version of the web app, such as license.txt, and also some information disclosure via test.php, as seen below.
So by now we know that the OS is Linux, and we also know the hostname, the path where the website lives, the Apache version and the PHP version. We also know the exact version of the kernel running. We were also able to pick up the version and type of the web application, which is called 1024CMS.
Now we need to do Threat Intelligence against the target running 1024CMS, so we visit the Exploit-DB website.
We search for 1024cms in the Exploit-DB database and you should find results as below.
So let's go ahead and open the first exploit we have on the Exploit-DB website and see if it will run on the target box.
As you can see, this exploit targets a flaw in the code called Local File Inclusion, which is common on LAMP systems. With this we can download any file on the system that the web server user has read access to. One of the interesting files is /etc/passwd, so we try to download it from the box via the vulnerability, as seen below.
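Since 1024CMS's own code is not shown on this page, here is an added example (my own, not from the post or the CMS) of the pattern that closes this class of bug on the defending side: the page name coming from the request never reaches the include call untouched. The include directory, the allowlist of page names and the page names themselves are constructed for the example. The same three checks apply whatever language the application is written in; the PHP equivalent is an allowlist lookup plus realpath() on the result.

```python
import os

# Constructed values for this example: the directory the CMS may include
# page templates from, and the page names it actually serves.
INCLUDE_DIR = "/var/www/html/includes"
ALLOWED_PAGES = {"home", "about", "contact"}


def resolve_include(requested, include_dir=INCLUDE_DIR, allowed=ALLOWED_PAGES):
    """Map a user-supplied page name to the file the application may include.

    Returns the canonical absolute path, or None when the request must be
    refused.  Three independent checks are applied:
      1. empty names and embedded NUL bytes are refused (older PHP cut the
         filename at a NUL, which is how '%00' defeated suffix checks);
      2. unless allowed is None, the page name must be on the allowlist, so
         the user never picks an arbitrary filename;
      3. the joined path is canonicalised with realpath() and must still lie
         under include_dir, so '../' sequences, absolute paths and symlinks
         cannot escape the directory even if the allowlist is misconfigured.
    """
    if not requested or "\x00" in requested:
        return None

    # Accept 'about' or 'about.php' and normalise to the bare page name.
    name = requested[:-4] if requested.endswith(".php") else requested
    if allowed is not None and name not in allowed:
        return None

    base = os.path.realpath(include_dir)
    # os.path.join discards base when name is absolute, which is exactly why
    # the containment check below must run on the canonical result.
    candidate = os.path.realpath(os.path.join(base, name + ".php"))

    if not candidate.startswith(base + os.sep):
        return None
    return candidate


if __name__ == "__main__":
    for page in ["about", "about.php", "../../../../etc/passwd",
                 "/etc/passwd", "about.php\x00.txt"]:
        print(repr(page), "->", resolve_include(page))
```

The allowlist is the real fix; the realpath containment check is kept as a second, independent layer so that a later edit to the allowlist (or a symlink dropped into the include directory) still cannot turn the include into a file read. Passing allowed=None shows the containment check standing on its own.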
As above, you can see we are able to download /etc/passwd, and now we have a list of users for this box, as seen below:
# cat passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/etc/news:
uucp:x:10:14:uucp:/var/spool/uucp:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
gopher:x:13:30:gopher:/var/gopher:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
apache:x:48:48:Apache:/var/www:/sbin/nologin
rpc:x:32:32:Portmapper RPC user:/:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
mailnull:x:47:47::/var/spool/mqueue:/sbin/nologin
smmsp:x:51:51::/var/spool/mqueue:/sbin/nologin
distcache:x:94:94:Distcache:/:/sbin/nologin
nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
vcsa:x:69:69:virtual console memory owner:/dev:/sbin/nologin
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
webalizer:x:67:67:Webalizer:/var/www/usage:/sbin/nologin
dovecot:x:97:97:dovecot:/usr/libexec/dovecot:/sbin/nologin
squid:x:23:23::/var/spool/squid:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
pcap:x:77:77::/var/arpwatch:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
haldaemon:x:68:68:HAL daemon:/:/sbin/nologin
avahi:x:70:70:Avahi daemon:/:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
avahi-autoipd:x:100:101:avahi-autoipd:/var/lib/avahi-autoipd:/sbin/nologin
xfs:x:43:43:X Font Server:/etc/X11/fs:/sbin/nologin
gdm:x:42:42::/var/gdm:/sbin/nologin
webmaster:x:501:501::/home/webmaster:/bin/bash
webadmin:x:502:502::/home/webadmin:/bin/bash
michele:x:503:503::/home/michele:/bin/bash
avant:x:504:504::/home/avant:/bin/bash
oscar:x:505:505::/home/oscar:/bin/bash
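A listing like this is exactly what the system owner should be reading too, because it says which accounts a guessed password actually turns into a shell. The following is an added example (mine, not from the post) of that audit: it parses passwd(5) text, lists the accounts with an interactive shell, and singles out the service accounts that still have one. The sample input is a subset of the listing above; the UID 500 boundary is an assumption taken from the Red Hat convention this box appears to follow. Note the news entry: an empty shell field is not a disabled account, the login gets the system default shell.

```python
# Lines taken from the /etc/passwd listing above; this is a subset so the
# example stays short, and it keeps "news", whose shell field is empty.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
news:x:9:13:news:/etc/news:
apache:x:48:48:Apache:/var/www:/sbin/nologin
postgres:x:26:26:PostgreSQL Server:/var/lib/pgsql:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
webmaster:x:501:501::/home/webmaster:/bin/bash
webadmin:x:502:502::/home/webadmin:/bin/bash
michele:x:503:503::/home/michele:/bin/bash
avant:x:504:504::/home/avant:/bin/bash
oscar:x:505:505::/home/oscar:/bin/bash
"""

# Shells that refuse an interactive login.
NON_LOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin",
                    "/bin/false", "/usr/bin/false"}

# Assumption: the box follows the older Red Hat convention where UIDs
# below 500 are system accounts and regular users start at 500.
SYSTEM_UID_MAX = 499


def parse_passwd(text):
    """Parse passwd(5) text into a list of dicts.

    Blank lines, comments and lines without exactly seven fields or a
    numeric uid/gid are skipped (a real audit would report them)."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not (fields[2].isdigit() and fields[3].isdigit()):
            continue
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append({"name": name, "uid": int(uid), "gid": int(gid),
                        "gecos": gecos, "home": home, "shell": shell})
    return entries


def interactive_accounts(entries):
    """Names of accounts that get a shell at login.

    An empty shell field is not a disabled account: passwd(5) says the
    system default shell (/bin/sh) is used, so it counts as interactive."""
    return [e["name"] for e in entries
            if e["shell"] == "" or e["shell"] not in NON_LOGIN_SHELLS]


def service_accounts_with_shell(entries, uid_max=SYSTEM_UID_MAX):
    """Non-root system accounts that still have a login shell.

    Daemon accounts such as postgres or mysql rarely need one; each is an
    extra account a guessed or leaked password could turn into a shell."""
    interactive = set(interactive_accounts(entries))
    return [e["name"] for e in entries
            if 0 < e["uid"] <= uid_max and e["name"] in interactive]


def uid_zero_accounts(entries):
    """Every account with uid 0: any of them is root, whatever its name."""
    return [e["name"] for e in entries if e["uid"] == 0]


def audit(text):
    """Run the three checks over passwd text and return the findings."""
    entries = parse_passwd(text)
    return {
        "interactive": interactive_accounts(entries),
        "service_with_shell": service_accounts_with_shell(entries),
        "uid_zero": uid_zero_accounts(entries),
    }


if __name__ == "__main__":
    for key, names in audit(SAMPLE_PASSWD).items():
        print(f"{key}: {', '.join(names)}")
```

On the full listing the same audit flags news, postgres and mysql as service accounts with a shell; setting them to /sbin/nologin shrinks the set of names a password guess can land on, which is the defender's half of the next step in this write-up.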
Now with the users we can start brute-forcing their passwords from our password list, or rather the wordlist, and we use xhydra.
And xhydra should find a password in a few minutes.
Now that we have a password, all we need to do is get into the box via port 22, as we had that information from our information-gathering stage, and we should see the zip file in the / of the system. We copy it to michele's home directory, since we don't have permission to write in /, the Linux skeleton directory, and we should have the password to root.
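The last two steps, a wordlist run against sshd followed by a successful password login, leave a very recognisable trace in the sshd log, and that trace is what a blue team on the receiving end of this exam would alert on. As an added example (mine, not from the post), the code below parses sshd authentication lines, counts password failures per source address, and reports any source that crossed a threshold and then logged in successfully. The log lines are constructed for the example in the format sshd writes to /var/log/secure or /var/log/auth.log, with addresses from the 192.0.2.0/24 documentation range; the threshold of five is an assumption.

```python
import re
from collections import defaultdict

# Constructed sshd log lines for this example (not captured from the box).
SAMPLE_AUTH_LOG = """\
Mar  3 10:12:01 target sshd[2101]: Failed password for michele from 192.0.2.10 port 51012 ssh2
Mar  3 10:12:02 target sshd[2103]: Failed password for michele from 192.0.2.10 port 51013 ssh2
Mar  3 10:12:02 target sshd[2105]: Failed password for invalid user admin from 192.0.2.10 port 51014 ssh2
Mar  3 10:12:03 target sshd[2107]: Failed password for webadmin from 192.0.2.10 port 51015 ssh2
Mar  3 10:12:03 target sshd[2109]: Failed password for oscar from 192.0.2.10 port 51016 ssh2
Mar  3 10:12:04 target sshd[2111]: Failed password for michele from 192.0.2.10 port 51017 ssh2
Mar  3 10:12:05 target sshd[2113]: Accepted password for michele from 192.0.2.10 port 51018 ssh2
Mar  3 10:30:40 target sshd[2200]: Failed password for webmaster from 192.0.2.20 port 40001 ssh2
Mar  3 10:30:55 target sshd[2202]: Accepted password for webmaster from 192.0.2.20 port 40002 ssh2
Mar  3 10:31:00 target sshd[2204]: Accepted publickey for root from 192.0.2.30 port 40003 ssh2
"""

# Matches both "Failed password for user" and "Failed password for invalid
# user user", which sshd emits when the username does not exist at all.
AUTH_RE = re.compile(
    r"sshd\[\d+\]: (Accepted|Failed) (\w+) for (?:invalid user )?(\S+) "
    r"from (\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_auth_events(text):
    """Turn sshd log text into a list of {outcome, method, user, ip} dicts,
    ignoring lines that are not authentication results."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.search(line)
        if not m:
            continue
        outcome, method, user, ip = m.groups()
        events.append({"outcome": outcome, "method": method,
                       "user": user, "ip": ip})
    return events


def detect_password_guessing(events, threshold=5):
    """Per source IP, count password failures and the usernames tried.

    A source with at least `threshold` failures is flagged.  If a password
    login from a flagged source later succeeds, the user it landed on is
    reported as compromised_user: that is the guessed-password case.
    Key-based logins are ignored; they are not what a wordlist attacks."""
    failures = defaultdict(int)
    users = defaultdict(set)
    success_after_failures = {}
    for e in events:
        if e["method"] != "password":
            continue
        if e["outcome"] == "Failed":
            failures[e["ip"]] += 1
            users[e["ip"]].add(e["user"])
        elif failures.get(e["ip"], 0) >= threshold:
            success_after_failures[e["ip"]] = e["user"]

    flagged = {}
    for ip, n in failures.items():
        if n >= threshold:
            flagged[ip] = {
                "failures": n,
                "users_tried": sorted(users[ip]),
                "compromised_user": success_after_failures.get(ip),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in detect_password_guessing(parse_auth_events(SAMPLE_AUTH_LOG)).items():
        print(ip, info)
```

The single mistyped password from 192.0.2.20 stays below the threshold and is not reported, while the run from 192.0.2.10 is flagged with the four usernames it cycled through and the account it finally opened. A production version would count failures inside a sliding time window rather than over the whole file, and would feed the flagged address to a blocking tool such as fail2ban; the grouping logic is the same.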