
Creative Penetration Testing Techniques

Dec 4, 2024

Creative Web Application Penetration Test Lecture Notes

Introduction

  • Focus on a creative web application penetration test.
  • Demonstration of a junior-level web app penetration test.
  • Detailed explanation of each step.

Initial Scanning

  • Tool Used: nmap
  • Command: nmap -sS (TCP SYN scan)
    • Requires sudo privileges (raw sockets).
  • Ports Found:
    • Port 80 (HTTP)
    • Port 22 (SSH)
  • Conduct full port scan with nmap -p-.
    • Results confirm only SSH and HTTP are open.

Service Detection

  • Use nmap -sV -sC (service/version detection plus default scripts) to gather more information.
  • SSH Port:
    • Operating System: Linux (Ubuntu distribution).
  • Confirmation with nmap -O option.

Website Inspection

  • Port 80 indicates a hosted website.
  • Problem: the website is not accessible because its hostname does not resolve (no DNS record).
  • Solution: map the IP to the domain in the hosts file (/etc/hosts).
  • Inspect page source and robots.txt.
    • Hosted on Apache server.

Directory Enumeration

  • Tool Used: Gobuster
  • Identified multiple directories and files.
  • Status Codes:
    • 403 Forbidden
    • 200 OK for index.php (already known).

Login Form Exploration

  • Attempt random usernames/passwords.
  • Observation:
    • The error message changes when a valid username is submitted.
    • Username admin is confirmed valid.
  • Options:
    • Brute force admin password.
    • Enumerate more usernames.

Username Enumeration

  • Tools Used: Burp Suite, Foxy Proxy
  • Capture requests and use Intruder module in Burp Suite.
  • Attack Type: Sniper for brute forcing usernames.
  • Result:
    • A response length of 301 for admin differs from the rest, so response length identifies valid usernames.
    • Discovered user jose.
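The enumeration oracle used in the two sections above (a different message, and so a different response length, for a valid username) next to a handler that does not leak, as an added Python example that is not from the lecture. The user store, the admin password, and the function names are constructed for illustration.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 50_000


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed user store (not the lecture's target): username -> (salt, hash).
_ADMIN_SALT = os.urandom(16)
USERS = {"admin": (_ADMIN_SALT, _hash("constructed-admin-password", _ADMIN_SALT))}

# Dummy record hashed for unknown usernames so the server does the same work
# (and returns the same text) whether or not the account exists.
_DUMMY_SALT = os.urandom(16)
_DUMMY = (_DUMMY_SALT, _hash(os.urandom(16).hex(), _DUMMY_SALT))


def login_verbose(username: str, password: str) -> str:
    """Leaky handler: the message (and so the response length) depends on
    whether the username exists. This is what the Intruder 'length' column
    picks up on."""
    record = USERS.get(username)
    if record is None:
        return "Unknown username"
    salt, digest = record
    if not hmac.compare_digest(_hash(password, salt), digest):
        return "Wrong password"
    return "Welcome"


def login_uniform(username: str, password: str) -> str:
    """Hardened handler: always hashes, always compares in constant time,
    and returns one generic message for every failure."""
    salt, digest = USERS.get(username, _DUMMY)
    matched = hmac.compare_digest(_hash(password, salt), digest)
    if matched and username in USERS:
        return "Welcome"
    return "Invalid username or password"


def responses_differ(login_fn) -> bool:
    """Cheap check for the enumeration oracle: does a bad password for a real
    user produce a different response than a non-existent user?"""
    unknown = login_fn("no-such-user", "x")
    known = login_fn("admin", "x")
    return unknown != known or len(unknown) != len(known)
```

Pair the uniform message with per-account and per-source rate limiting; an identical message still leaks if the timing differs, which is why the dummy hash is computed on every miss rather than returning early.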

Password Brute Forcing

  • Tool Used: Hydra
  • Command:
    • hydra -l <username> -P <wordlist> <host> http-post-form '<path>:<params>:<error_check>'
    • Password found but blurred in video.
  • Log into the website with found credentials.
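What the Hydra run above looks like from the server side, as an added Python example that is not from the lecture: a small combined-log parser and a sliding-window detector that flags any source sending many login POSTs in a short span. The log lines, the /login.php path, and the thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx combined log format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_login_bruteforce(lines, path="/login.php", threshold=10,
                            window=timedelta(seconds=60)):
    """Flag source IPs that POST to `path` at least `threshold` times inside
    any sliding `window`. Returns {ip: total_attempts}."""
    attempts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == path:
            attempts[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


def _line(ip, seconds, method="POST", path="/login.php", status=200, size=1234):
    """Build one constructed log line; timestamps start at a fixed base."""
    ts = datetime(2024, 12, 4, 10, 0, 0) + timedelta(seconds=seconds)
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S") + " +0000"
    return (f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} {size} '
            f'"-" "Mozilla/5.0"')


# Constructed sample: one host fires 15 POSTs in about 20 s (the tool-driven
# pattern), a second host logs in normally with two attempts.
SAMPLE_LOG = (
    [_line("10.10.14.5", i * 1.3) for i in range(15)]
    + [_line("192.0.2.77", 5), _line("192.0.2.77", 40, status=302, size=0)]
    + [_line("192.0.2.77", 41, method="GET", path="/dashboard.php")]
)
```

The same window logic works on the application's own failed-login events, which are the better signal once the handler returns a uniform error and the web log can no longer distinguish failures by size.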

Subdomain Access

  • Redirected to a subdomain upon login.
  • Add subdomain to hosts file.
  • Access a file server-like site.

Vulnerability Identification

  • Site runs the elFinder web file manager v2.1.47.
  • Search for exploits using Searchsploit.
  • Use Metasploit to exploit vulnerability.

Exploiting with Metasploit

  • Set rhost and lhost.
  • Successfully receive a reverse shell.
  • Enumerate system information.

Privilege Escalation

  • Found a privileged pwm file that calls the id command without an absolute path.
  • Objective:
    • Make pwm execute a substitute id so the passwords it handles can be read.
  • Manipulate the PATH variable so the lookup for id resolves to the substitute.
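The weakness behind the pwm step above, shown from the fixing side as an added Python example that is not the lecture's code: a privileged helper that resolves a command through the caller's PATH versus one that searches only fixed, non-writable directories. The directory layout is built in a temporary directory, and TRUSTED_DIRS and the function names are assumptions.

```python
import os
import shutil
import stat
import tempfile

# Assumption: where a privileged helper is allowed to find the tools it runs.
TRUSTED_DIRS = ("/usr/bin", "/bin")


def resolve_untrusted(cmd: str, path: str):
    """What happens when privileged code calls system("id") or execvp("id", ...):
    the lookup walks the caller-controlled PATH and the first match wins."""
    return shutil.which(cmd, path=path)


def resolve_trusted(cmd: str, trusted_dirs=TRUSTED_DIRS):
    """Look up cmd only in trusted_dirs, and refuse any candidate that is not a
    regular file, is not executable, or can be written by group or others."""
    for d in trusted_dirs:
        candidate = os.path.join(d, cmd)
        try:
            st = os.stat(candidate)
        except FileNotFoundError:
            continue
        if not stat.S_ISREG(st.st_mode):
            continue
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            continue
        if not os.access(candidate, os.X_OK):
            continue
        return candidate
    return None


def _write_script(path: str, body: str, mode: int) -> None:
    with open(path, "w") as fh:
        fh.write(body)
    os.chmod(path, mode)


def demo():
    """Construct a throwaway layout: a locked-down bin dir holding the real
    'id' and a world-writable dir holding a look-alike. Returns the three
    outcomes a reviewer cares about: hijacked, safe, rejected."""
    root = tempfile.mkdtemp(prefix="path-demo-")
    trusted = os.path.join(root, "bin")
    writable = os.path.join(root, "tmp")
    os.makedirs(trusted)
    os.makedirs(writable)
    os.chmod(writable, 0o1777)
    real = os.path.join(trusted, "id")
    lookalike = os.path.join(writable, "id")
    _write_script(real, "#!/bin/sh\necho real-id\n", 0o755)
    _write_script(lookalike, "#!/bin/sh\necho look-alike\n", 0o777)

    # Caller-controlled PATH with the writable dir first: the look-alike wins.
    hijacked = resolve_untrusted("id", path=f"{writable}:{trusted}") == lookalike
    # Fixed search list: only the real binary is considered.
    safe = resolve_trusted("id", trusted_dirs=(trusted,)) == real
    # Even if a writable dir were trusted, a group/world-writable file is refused.
    rejected = resolve_trusted("id", trusted_dirs=(writable,)) is None
    shutil.rmtree(root)
    return hijacked, safe, rejected
```

When the helper must actually run the tool, pass the resolved absolute path and a fixed environment, for example subprocess.run([resolve_trusted("id")], env={"PATH": ":".join(TRUSTED_DIRS)}), so neither the lookup nor the child inherits the caller's PATH; a setuid wrapper written in C should do the same with execve and a literal path.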

User Password Brute Forcing

  • Crack the think user's password using the password list discovered.
  • Log in as the think user.

Root Privilege Escalation

  • Use sudo permissions to run ld.so for root access.
  • Retrieve root password hashes.
  • Check SSH keys for root login.
  • Adjust file permissions and login via SSH as root.

Conclusion

  • Successfully pwned the target.
  • Emphasized importance of securing web applications.
  • Encourage vigilance and continued learning.

Note: These notes capture the key steps and methodologies in a creative web application penetration test, providing a comprehensive overview of the process from reconnaissance to exploitation and privilege escalation. Use them as a study guide for similar scenarios.