Transcript for:
Creative Penetration Testing Techniques

Greetings everyone. Today's video will focus on a creative web application penetration test. This session will also demonstrate how a junior-level, easy web app pentest typically works. I will explain every step in detail so you can maximize your learning experience. Let's dive in.

I will first start by scanning the target using Nmap. The -sS argument requires sudo privileges, which explains the error I received. We notice that two ports are open, 80 and 22, but let's scan all ports using the -p- argument to make sure we did not miss any other open port. The results are the same, which means that only the SSH and HTTP TCP ports are open. The next step will be to check if we can get any further information about the services behind these ports using the -sV and -sC arguments. The service detection on the SSH port reveals that the machine's operating system is Linux, specifically the Ubuntu distribution. This can be confirmed using Nmap with the -O option. Now that the results are here and Nmap has confirmed that the operating system is indeed Linux, we have the required information to proceed.

The Nmap scan shows that port 80 is open, indicating that a website is likely hosted on it. Let's check it out. It seems like the website is not accessible; however, if we take a closer look at the URL, we notice that the IP address has been replaced with a domain name. The issue might lie with the DNS server, so let's manually map the IP address to its domain name in the hosts file. With that out of the way, let's reload the page to check if everything is working fine now. Great, it's time to inspect the website. Now that we have access to the default page, let's take a look at the code by clicking on View Page Source. The website calls login.php, so there's nothing very interesting here. As usual, I will check for the robots.txt file and other default directories. There's nothing here, but we do get some information indicating that the site is hosted on an Apache server. All this process can be automated using tools such as Gobuster, which I will be using now.

Now that Gobuster is installed, we can proceed with file enumeration on the domain. Gobuster identified multiple directories and files; however, we notice HTTP status code 403, indicating that access to these pages is forbidden. Additionally, index.php returns a 200 status code, meaning it is accessible, but we already knew that. Don't forget to join my Discord channel, where I share cheat sheets on HTTP codes and a lot of other useful information about networking and hacking.

Now that we have enumerated all ports, services and directories, let's return to the initial website and explore how we can go through the login form. I will try a random username and password to observe how the login process behaves. An error message appears, with a redirection after 3 seconds, stating that the username or password is incorrect. Let's try the username admin with the random password. We notice that the error message now changes, saying "wrong password" only. This indicates that the username is correct. We can proceed in two ways: either brute-force the admin password or exploit this vulnerability to enumerate more usernames. Let's go with the second option and enumerate more usernames to see what else we can discover. To do that, I'm going to use Burp Suite along with a Firefox extension called FoxyProxy, which redirects all my browser traffic to the Burp Suite proxy for analysis or manipulation.

I will now capture the request via the Burp Suite proxy and follow up with the username brute-force attack using the Intruder module in Burp Suite. This could also be done with a Python script, but I prefer to go the no-code route. The captured request shows that it is a POST request, and the parameters for the username and password are simply called username and password. I will send this request to the Intruder module by pressing Ctrl+I on my keyboard. I am going to use the sniper attack type for the brute force and set the username parameter as the one I want to brute-force. Then I will load the wordlist I'm going to use for this attack. I have already done this prior to the video, as Burp Suite takes a lot of time to brute-force if you're using the free version; however, I will show you how I did it as well as a video of the results I got. The wordlist has now been loaded. All you have to do is click Start attack, and Burp Suite will brute-force the username field, sending you the result for each attempt.

As you can see, the attack has started. The field we need to pay attention to is the length field, which shows the length of the response. We should look for a number that is different from the others. This is because in a failed attempt the length is usually 335 or 336, so anything different from these two numbers might indicate a successful attempt. If we check the Response tab, we can confirm that these two lengths represent an error. Now it's time to show you what the length of a successful attempt looks like and how to identify it. As you can see in the video above, the length for the username admin is 301, which is very different from the others. This indicates that the username admin triggered a different response from the website; in our case, we know this means the password was incorrect, as opposed to a wrong username or password, which results in a length of 335 or 336. Just like the admin username with a length of 301, after some time you will find a similar length for a user named Jose. Let's manually check what's going on with this username. It is now confirmed that this user exists on the website.

It's time to brute-force the password using Hydra, a well-known brute-forcing tool. In this Hydra command, -l specifies the username to try, -P defines the wordlist for password attempts, and http-post-form and the URL that I typed in between the quotation marks specify the POST request for the login form, with placeholders for the username and password, and check if the response contains "wrong" to determine failure. The password has been found. I have blurred it so you can try to discover it on your own. Let's now use it to log into the website. It seems to have worked, as we have been redirected to a subdomain. Let's add this subdomain to our hosts file to ensure we can access the website without any DNS-related issues. I'm in; we have successfully accessed the website.

Let's see what kind of site this is. At first glance, it appears to be some sort of file server. I will start by inspecting the various files. It does not seem like there's anything interesting here. This button here looks intriguing. All right, we have discovered that this is a web file manager called elFinder, and its version is 2.1.47. This information is crucial because it allows us to search for potential exploits or vulnerabilities specific to this version of the web file manager. I'm going to use searchsploit, a tool that searches Exploit-DB for publicly available exploits. There are two interesting exploits we could use, but the second one is already integrated into Metasploit and targets versions of elFinder prior to 2.1.48, which is exactly what we need. Let's launch Metasploit and search for this exploit. Exploit number four matches exactly what we need, so let's use number four and start setting it up. I'm going to set the RHOSTS option, which specifies the target IP address, to the IP address of our target, and LHOST to the IP address of my own machine. This is needed so Metasploit can set up a listener to receive the reverse shell. The reverse shell has been successfully received, and we can now see that the session is open. We officially have access to the target.

We are logged in as www-data. Let's take a look at what we can enumerate on the target, starting with system information and checking for other users in the home directory. It seems I have found another user called think. There are two interesting files: users.txt and a hidden file called passwords. However, we don't have sufficient permissions to read them. I will check the passwd file to see if there are any other hidden users on the system. It seems there are none. This appears to be a dead end, so I will move on to privilege escalation.

I will use a command to enumerate files I can run as root and see what useful information I can find. I will add a redirection command to remove all error messages from the terminal and only display the ones that work. This will basically remove all the "permission denied" error messages you're seeing on my screen, making it easier to focus on the actual commands that can be run with sudo. After looking for a while, I noticed something unusual that isn't typically present in other machines. This pwm file here looks interesting to me. I will execute it to see what it's about. This file calls the id Linux command and appears to extract the user from its output, then searches for a file called passwords inside that user's home directory. However, I remember that this file does exist, but under the home directory of the user think. So if we can manage to run this pwm file as root while replacing the user www-data with the username think, we might be able to read the contents of this file. How interesting.

Now comes the part where I will explain how we can manipulate the id command, but to fully understand it there are some Linux concepts you need to be familiar with. In Linux, each command, such as id, is linked to an executable file where its code is stored. For example, the id command calls the /usr/bin/id file, which executes the code inside and displays the output in your terminal. In the case of the id command, it will return information about the current user. So obviously there must be a way for each command to know where its respective code file is located. There are two ways for Linux commands to find their code: the first is to call the full path to the file directly, and the second is, if the full path is not specified, the command will look into the PATH environment variable to find the location. In our case, the id command does not have its full path specified in the pwm file that we saw earlier; therefore, it must be checking inside the PATH environment variable, which I am showing here. Since we have the ability to edit the PATH variable, we can create a new id code file for the id command and link it in the PATH. This way, when the id command is executed with sudo via the pwm file, it will look for the code file in the specially crafted PATH we have set. Now that we have finished creating the file and set the correct permissions, let's edit the PATH variable. Time to execute the pwm file. It looks like we have a list of passwords. Time to brute-force. The password for the user think has finally been found. Let's log in through SSH.

Now that we have access to the user think, let's open the users.txt file that we discovered earlier. Looks like it's our first flag. I will let you guys figure out the first flag on your own. Now that we have our first flag, it's time to escalate privileges to the root user. Let's see what we can find using the sudo -l command. Interesting, we can use look as sudo. I will now head to GTFOBins to see how we can exploit this to gain root access. I was able to find the following approach. The first thing I can think of is to check the shadow file, where password hashes are stored on a Linux system. However, it seems like the passwords are encrypted using SHA-512, as indicated by the $6$ appearing before the hash; therefore, cracking these hashes might be time-consuming. Another option I can explore, since SSH is enabled, is to check the SSH key for the root account and then log in via SSH as root using this key. SSH doesn't rely only on passwords; key-based authentication can also be used. I will now copy the key into a file and log into the root account via SSH using the ssh -i command. The key was not being considered because the file's permissions are too open. I will restrict access to the file using chmod 600 and try again. I think this should work now. I am now logged in as root. Let's get the flag. The flag has been retrieved, and this box has been successfully pwned. I hope you guys enjoyed this video. Feel free to contact me; I always reply. Links will be in the description. Stay safe, stay vigilant, and most importantly, keep an eye out.
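The username-enumeration step in the transcript works because the login form answers "wrong password" for a real account and "username or password is incorrect" for an unknown one, which Burp Intruder's Length column turns into an oracle (335/336 versus 301). The following added example, written for this transcript and not taken from the video or from the target application, shows that leaking login logic beside a hardened version that returns one message and does one password-hash comparison regardless of whether the user exists, plus the response-length outlier check that Intruder performs. The user table, passwords, salt and messages are constructed for the demo.

```python
"""Username-enumeration oracle: leaking login logic, a hardened version, and the
response-length outlier check Burp's Length column amounts to.
Added example; not code from the video or from the target web application."""
import hashlib
import hmac
import os
from collections import Counter

_SALT = b"constructed-static-salt"   # constructed; real apps use a per-user salt
_ITERATIONS = 20_000                 # lowered for the demo; use far more in production


def _pbkdf2(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


# Hypothetical user table: the video only names admin and Jose, passwords are made up.
USERS = {
    "admin": _pbkdf2("not-the-real-password"),
    "jose": _pbkdf2("also-constructed"),
}
# Dummy hash so an unknown username still costs exactly one PBKDF2 comparison.
_DUMMY = _pbkdf2(os.urandom(16).hex())

GENERIC = "Error: the username or password is incorrect. Redirecting in 3 seconds..."


def login_vulnerable(username: str, password: str) -> str:
    """Leaks account existence: a known user gets a different, shorter message."""
    if username not in USERS:
        return GENERIC
    if not hmac.compare_digest(USERS[username], _pbkdf2(password)):
        return "Error: wrong password. Redirecting in 3 seconds..."
    return "Welcome, " + username


def login_hardened(username: str, password: str) -> str:
    """Same message and same amount of work for unknown user and wrong password."""
    stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(stored, _pbkdf2(password))
    if username in USERS and ok:
        return "Welcome, " + username
    return GENERIC


def probe(login_fn, wordlist):
    """Submit one fixed wrong password per candidate username, as Intruder's sniper mode does."""
    return {u: login_fn(u, "wrong-guess") for u in wordlist}


def length_outliers(responses: dict) -> list:
    """Usernames whose response length differs from the most common length."""
    lengths = {u: len(body) for u, body in responses.items()}
    modal = Counter(lengths.values()).most_common(1)[0][0]
    return sorted(u for u, n in lengths.items() if n != modal)


WORDLIST = ["alice", "bob", "admin", "carol", "jose", "dave", "erin"]  # constructed

if __name__ == "__main__":
    print("vulnerable login leaks:", length_outliers(probe(login_vulnerable, WORDLIST)))
    print("hardened login leaks:  ", length_outliers(probe(login_hardened, WORDLIST)))
```

Running the same probe against both implementations is the check a developer can keep in a test suite: the vulnerable version exposes admin and jose as outliers, the hardened one exposes nothing. The dummy hash matters as much as the generic message, since an early return for unknown users would leave a timing difference that a patient attacker can measure instead of the length.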
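Both the Intruder username run and the Hydra password run in the transcript leave the same trace on the server: a single client sending dozens of POST requests to login.php within seconds, most of them answered with the error page. As an added example (not from the video), the following detector reads Apache combined-format access-log lines and flags any client that exceeds a threshold of login POSTs inside a sliding time window. The log lines are constructed inline; the path, threshold and window are parameters a defender would tune.

```python
"""Flag credential brute-force attempts against a login form from Apache access logs.
Added example, not from the video; every log line below is constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache combined/common format up to the response size; the referer/agent tail is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line: str):
    """Return a dict with ip, timestamp, method, path, status, size; None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    ev["size"] = 0 if ev["size"] == "-" else int(ev["size"])
    return ev


def detect_bruteforce(lines, path="/login.php", threshold=10, window_s=60):
    """Return {ip: peak_attempts} for clients that POSTed to `path` more than
    `threshold` times inside any `window_s`-second sliding window."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent login POSTs
    hits = {}
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["method"] != "POST" or ev["path"] != path:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()           # drop attempts that fell out of the window
        if len(q) > threshold:
            hits[ev["ip"]] = max(hits.get(ev["ip"], 0), len(q))
    return hits


def _line(ip, t, method, path, status, size):
    """Build one constructed access-log line."""
    return f'{ip} - - [{t.strftime("%d/%b/%Y:%H:%M:%S %z")}] "{method} {path} HTTP/1.1" {status} {size}'


_T0 = datetime(2024, 1, 15, 10, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = (
    # 25 login attempts from one client, one every two seconds, error page sized 335/336
    [_line("10.0.0.5", _T0 + timedelta(seconds=2 * i), "POST", "/login.php", 200, 335 + i % 2)
     for i in range(25)]
    + [_line("10.0.0.5", _T0 + timedelta(seconds=49), "GET", "/", 200, 1187)]
    # an ordinary user: three failed logins spread over 50 seconds, then a page view
    + [_line("10.0.0.9", _T0 + timedelta(seconds=s), "POST", "/login.php", 200, 336)
       for s in (100, 130, 150)]
    + [_line("10.0.0.9", _T0 + timedelta(seconds=160), "GET", "/index.php", 200, 1187)]
)

if __name__ == "__main__":
    for ip, n in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {n} login POSTs inside 60 s")
```

With the defaults only 10.0.0.5 is reported; lowering the threshold to 2 also catches the three-attempt client, which is the usual false-positive trade-off. A second signal the transcript hands a defender for free is the response size: a long run of identical 335/336-byte error bodies from one source is itself worth alerting on, and a lockout or rate limit on the form removes the underlying risk.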
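The privilege escalation in the transcript rests on one fact the speaker explains at length: a command written without a full path is looked up directory by directory through PATH, so a sudo-run script that calls `id` instead of `/usr/bin/id` executes whatever `id` appears first in the caller's PATH. The following added example (mine, not from the video; the pwm script was never shown in full, so the script text here is a constructed stand-in) reproduces that resolution order against two throwaway directories, shows that a fixed search path like sudo's `secure_path` setting ignores the user-controlled directory, and includes a small audit that lists every command a script invokes without an absolute path.

```python
"""PATH resolution order, the secure_path mitigation, and an audit for unqualified
commands in scripts that sudo may run. Added example, not code from the video."""
import os
import re
import shlex
import shutil
import tempfile

# Constructed stand-in for the video's pwm script; the real file was not shown in full.
PWM_SCRIPT = """#!/bin/bash
# look up the calling user, then read a file in that user's home
user=$(id -un)
cat /home/$user/passwords
"""

# The search path sudo enforces when sudoers sets secure_path (typical Ubuntu value).
SECURE_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

_ASSIGNMENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*=.*")


def unqualified_commands(script: str) -> list:
    """Command names the shell would resolve via PATH (first word of each simple
    command, including inside $( ... ), that contains no '/')."""
    found = []
    for raw in script.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and the shebang
        if not line:
            continue
        for chunk in re.split(r"\$\(|\)|\||;|&&", line):
            try:
                words = shlex.split(chunk)
            except ValueError:                        # unbalanced quotes in a fragment
                continue
            while words and _ASSIGNMENT.fullmatch(words[0]):
                words.pop(0)                          # skip leading VAR=value assignments
            if words and "/" not in words[0] and words[0] not in found:
                found.append(words[0])
    return found


def resolve(cmd: str, path: str):
    """First executable named `cmd` found walking `path` left to right, as a shell does."""
    return shutil.which(cmd, path=path)


def resolution_demo():
    """Create 'usr/bin/id' (the legitimate binary) and 'tmp/id' (a look-alike in a
    world-writable directory) under a temp root, then resolve `id` with a PATH that
    lists tmp first and with the fixed secure path. Returns the two winners relative
    to the temp root."""
    with tempfile.TemporaryDirectory() as root:
        system = os.path.join(root, "usr", "bin")
        writable = os.path.join(root, "tmp")
        for d in (system, writable):
            os.makedirs(d)
            stub = os.path.join(d, "id")
            with open(stub, "w") as f:
                f.write("#!/bin/sh\necho stub\n")
            os.chmod(stub, 0o755)
        user_path = writable + os.pathsep + system     # what a caller could set
        hijacked = resolve("id", user_path)
        fixed = resolve("id", system)                  # secure_path-style fixed search
        return os.path.relpath(hijacked, root), os.path.relpath(fixed, root)


if __name__ == "__main__":
    print("unqualified commands in pwm stand-in:", unqualified_commands(PWM_SCRIPT))
    print("winner under user PATH, winner under fixed path:", resolution_demo())
```

The audit reports `id` and `cat` for the stand-in script, which is exactly the list a reviewer should turn into absolute paths before granting the script a sudoers entry. Keeping `env_reset` and `secure_path` in sudoers is the second layer: with them, the caller's PATH is discarded before the command runs, so even an unqualified name resolves from the system directories only.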