
Web Service



1h 7m

This course will walk you through how to solve a number of tasks as part of a capture-the-flag (CTF) game called Wakanda. You will learn the necessary skills to excel in penetration testing and privilege escalation.


Hi. Within this lecture, we're going to analyze Nmap scan results and we're going to try and find a vulnerable service so that we can go into and hack this machine, right? So, here we go. We have the over here. So, we have many of the ports closed, but we have the 80 port open, so this is a web server. Obviously, it runs in Apache, and of course, we're going to take a look at that as a normal human being, right? We're going to write the IP address in our Mozilla, and we can just see what it has inside of the Apache server. So, it has the title of Vibranium Market. I believe this has to do something with the movie itself or the Black Panther itself. So, over here we have the rpcbind service and we have 2 and 4. Maybe this is kind of the version numbers and it's actually worth a shot to search for the exploits for the rpcbind. Maybe it has to do something with that, but we don't know it. So, let me just open a new tab over here and just search for it. I'm going to searchsploit, okay? I'm going to use searchsploit and I'm going to search everything regarding rpcbind. Here you go. We have the exploit titles over here. But as you can see, it doesn't look promising. It's all regarding DDoS or denial of service, DoS, okay? Rather than the DDoS, it's DoS. And I don't think it's going to help us in this case, right? So, it's all DoS. So, what happens if we just deny the service? Or out of here, nothing, right? So, I'm going to just ignore that for a while. I believe this rpcbind will not be effective in order to gain access. Maybe we can use it later on. So, great. And as you can see, there is nothing helpful regarding these version numbers over here as well. There are a lot of things going on in the rpcbind but I don't think it's going to help us at all. So, we're going to focus on the port 80, but right now let me just see if we have something funny over here. As you can see, we have the ssh but it resides under port 3333 and it's a little bit weird, okay?
So, you know the ssh port is 22, generally. So, maybe there is something wrong over there. Maybe it's not a safe service or something like that. We can always try to go into that server with ssh as a root if they don't have a password or we can just use "anonymous" as a password, or we can use "password" or "admin" as a password. Try to make our way into that and see. Maybe it will work, maybe it won't, but it's worth a shot, right? We know that there is an ssh service on this port. So, maybe you can just come over here and try that in the other terminal as well. If it doesn't work, it's obviously going to be some kind of web service or web penetration testing but again, it's worth a shot. So, let me come over here and try that. So, I'm going to say, ssh root into And for the port, I'm just going to say, 3333 and say, yes. And here you go. It asks for a password. So, we definitely need a password. So, you can try "anonymous", you can try "password", you can try "Wakanda" or "Vibranium". I don't know. But as you can see, the "anonymous" didn't work and the other ones, I believe, won't work as well. So, it's not that easy in this case. So again, we are not going to have any luck with this ssh thingy. Of course, we can try brute forcing it, but since we have the other services, I believe we better focus on that right now. We have the RPC but again, we have looked at the RPC and it's not going to do much in this case. So, over here we know that the target machine is Linux which is very good, and here you go. I believe that's it. So, that leaves us with the port 80. So, we're going to have to focus on the website of the things and we're going to do some web penetration tests, right? So, we don't have anything over here, like a Kernel thingy, like a Kernel Exploit, something like that. And even if we had, it would be helpful in the Privilege Escalation side rather than the gaining access side. So, here you go.
We have this hacktricks.xyz and I'm going to show you what it is. This is a book, hacktricks.xyz and I believe it's book.hacktricks.xyz. So, Carlos Polop, so some guy has written this as a GitHub book and it's fantastic because I believe this guy was prepping for the OSCP. So, he took a lot of nice notes over here and he made it into a book. So, I actually overview or I actually read this book or just try to scan the related parts when I do my penetration tests or when I do my CTFs, okay? So, for example, if I want to take a look at the Privilege Escalation, then I can come over here and I can see all the related comments, all the related, different kind of methods over there. So, it helped me a lot. So, I'm just going to make sure that you get this link in the resources of this lecture as well. But if you don't get it, just go for book.hacktricks.xyz. And, I actually will use this in this lecture as well, okay? So, that's why I brought it up. So far so good. So, these are helpful resources and I'm going to share some more resources at the end of this course as well. So, let's go into Here you go. This is our website. As you can see, it says that Vibranium Market and coming soon. So, we have the title. We have kind of a menu over here, but it doesn't do anything. It says that, "made by Mamadou". And, here you go. We don't have anything at all, I believe, in this website. So, we only have this made by Mamadou. So, it can be a hint, okay? These are important things, especially in the CTFs. It can be a hint, it can be a user, it can be the administrator user, something like that. So, it's worth taking a note over there. So, "Made by Mamadou". And, let me just try to go over here and inspect this element or just view the Page Source and see if we had something hidden in the HTML code. Let me zoom in a little bit. And, here you go. We have the HTML code, we have the characters tags, we have the title, and we have nothing fancy going on over here, I believe, right?
We have the bootstrap.css, so it's all related to CSS, and we have a class, we have another header over here. This is just the things that make up this header over here, and this is the Vibranium Market title, as you can see. And we have a main role over here; it's kind of inner cover. So, it says only "Coming Soon", and over here we have a comment. So, if you see this thing over here like this syntax in the HTML, it means that it's a comment, it's not the actual code, it's not going to get executed, or it's not going to get interpreted by our browser. But the developer has written this for some reason, like for writing clean code or maybe giving some message, something like that. And you can see a lot of hints in the CTFs, in the web penetration tests, in the form of comments. So, here we have something like that. So, nav link active. So, this is a navigation link, supposedly. And we have the href, which is the link itself over here, and it's related to home. So, it's related to this button. But rather than the link over here, we only have a hashtag which is nothing which just makes us redirect to the page itself. But at the bottom of this, in the next line, we have another href which is weird because it's been commented out and as you can see, at mamadou, we have this href here as well and here as well. So, no link works over here actually, right? They are all hashtags which doesn't do anything but in this case, we have an href, but it's commented out, and the href, the link itself, '?lang=fr'. So, I believe this is an opportunity for us to test something. So, as you can see, this is a parameter. Most probably it's going to change the language into French, and it's worth a shot. So, I'm going to copy this and just delete this and paste it over here and hit 'Enter'. And as you can see our language has been changed to French indeed.
And even though it didn't, it won't matter if you try with other languages like English, Turkish, or something like Italian, it doesn't work, it only works in French. And so if you just try with the question mark itself, nothing happens. But this gives us an opportunity because once you see something like that, it takes in a parameter and it can be some kind of vulnerability. And I don't know about you, but when I see something like this, first thing came to my mind is the directory traversal, which is a vulnerability that we leverage, file inclusion vulnerabilities in order to see the files that we are not allowed to see in that server. So, all you have to do is just write that ../../../ and write the file that you want to see like etc/passwd, for example. And if you haven't heard about this vulnerability before, please, just take a look at our complete web penetration testing course or complete ethical hacking course because we do a lot of things over there. And as you can see, it didn't work, we didn't get any response in the HTML or in the browser over here, but it doesn't mean that it doesn't have this kind of vulnerability because we don't know the depth yet. So, we don't know how many things that we should put over here, maybe we should put eight of the ../ things. So, we're going to have to try and see. And this is not the only way to look for the directory traversal. For example, we have dotdotpwn. So, this is a tool that comes with Kali Linux, and it's a directory traversal fuzzer, okay? You can just give the URL that you want to test and it can test it for you to see if it has any kind of directory traversal vulnerabilities and it can just give you the kind of way to exploit it as well. But again, I'm using some, this kind of manual this kind of automated tools can lead to some false things as well. So, I'm just going to try and be manual over here but you can try the dotdotpwn yourselves as well.
So, as you can see, we cannot find it with six depths or any other depths over here. So, what I'm going to do, I'm going to show you the path traversal portion of this book that hacktricks.xyz because there are tons of ways to try and see if there is a directory traversal vulnerability in a website, okay? So, you have to see it for yourself. So, if you scroll down a little bit you can see it just starts with the exactly the same thing that we have started, and it just varies it has a lot of variations over here, like we have to try this. Of course, we started with this, okay? So, we started with the ../etc/passwd and it just converts it with some kind of other representation of the slashes. Maybe we can try this, okay? And we're not even sure how many ../ that we should use in this case but again, it doesn't work. So, you're going to have to try a lot of these things over here, okay? And I tried and tried and tried until I found the solution when I saw the CTF I believe a couple of years ago. And it turns out that we have some PHP parameter thingy going on over here. I'm going to show you where it resides. So, let me find the thing over there. So, that's it. So, PHP wrappers. As you can see, it starts with the PHP itself, so php://filter/read=string/ and it just encodes it with base64 or rot13 like we have seen before right in the Bandit CTF, and it just takes in a resource. So, maybe we can try those things, PHP filter things. So, I'm going to take and see if this works. I'm going to copy this, and I'm going to come back to our Vibranium Market over there. I'm going to delete everything over here and just paste the thing over there and say 'Enter'. So, now it tries to read the ROT... It tries to just read the index.php by using the rot13 encryption over here. So, we are seeing the index PHP, but we're not getting I believe anything else like we're not getting a funny thing over there. So, let me try with this one.
Okay, so, base64 encoding, I'm going to come over here and just zoom in a little bit so that you can see it in a better way what I'm doing. So, rather than taking the whole link, I'm just taking the PHP over here, okay? So, it starts with the PHP colon // and I'm pasting over here after the language parameter. If I hit 'Enter', nothing happens. Let me just go to the source and see if this works or not. So, what we have here, maybe we can have to try with this one as well. So, this is basically the same thing but it alters the PHP uppercase, lowercase. So, maybe it's being blocked by some firewall, it can bypass that kind of thing, and we don't get anything back here at all. And as you can see, we're trying new stuff and we're not getting anything different back. Now, it doesn't mean again, it doesn't have directory traversal vulnerability rather it means that we're going to have to change something over there. So, as you can see, it starts with the PHP. It's fine and it's filtering something. It's converting it to base64, which is good. But over here, we have the index PHP. So, rather than index PHP, if we write only index, we get the message. So, that's weird. We get something like this. So, we don't know what it is yet, so I'm just going to view the page source. Yes, we have the HTML code one more time but we have a new line over here which breaks the HTML code so we cannot see the website properly. It looks like it's base64 because we were doing it with base64. So, I'm just going to search for base64 decode, okay? I'm just going to do this online rather than using an offline tool within Kali because it's much easier this way. I'm just going to say decode. And here you go. Apparently, we have actually found new things like a new PHP command or new PHP thing over here. And here you go. We have a new password. So, this password can be a password for anything. I don't know yet, but we're going to try and see it right like that right here, okay.
So, Niamey4Ever227, so maybe this is related with movie again. I don't know it. So, I'm just going to copy it and take note of it because it actually includes some exclamation points. We're definitely going to forget about it if we don't take a note of it later on. So, I'm going to just nano into my nano note.txt. Okay, so I'm going to go to the bottom of this page. I'm just going to paste it over here. So, this is a password and we don't know where to use it yet. But of course, this is a very good lead that will lead us to something definitely. And here you go. Let me just close this down and this one as well. Let me try to go to the regular web page over here. Let me just delete everything over there, okay? And let me try to find if there is an Admin page over here, like maybe this password is for admins and maybe we can search for the robots.txt. And robots.txt should have been the first thing that we have looked into over here, but I forgot about it. So, I don't think anything else is there. So, maybe we're going to have to go back to our Nmap and cat the note.txt over here. Remember, we had this ssh thingy over here and we can try to look into it. Maybe we can try to log in with that password, right? So, let me try and log in as root over here and copy that. I don't think it's going to work because it shouldn't be that easy, right? The root password just put it over the Internet and as you can see it doesn't work. But maybe we can use another user over here. And remember, we have seen that user, maybe it's a user, we don't know yet, maybe it was a hint, maybe it was some kind of false alarm or something like that. But we know that our Vibranium Market website has been made by mamadou, right? So, mamadou over here. So, there's a great possibility that this is a user in the server as well. So, I'm going to try that and I'm going to try and see if mamadou has chosen this Niamey4Ever.
So, let me just try this mamadou and just paste the selection over there and let's see if we can log in. No, it doesn't work. Let me copy and paste one more time to make sure. Come over here, let me just see if this works or not. And here we go. We managed to go into the server. Finally, we found our way into the server. We managed to use the ssh and that's it. So, we managed to log in to the server. Now, we are done with the website as well. We're going to see what we can do over here in the next lecture.
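The requests made against the `lang` parameter in this lecture leave a recognisable trail in the web server's access log. The following is an added example, not part of the course material, of a defender-side scan for them: it flags traversal sequences, stream wrappers such as `php://filter` in any letter case or URL encoding, and values outside the expected set. The log lines are constructed, and the allow-list containing only `fr` and all function names are assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache-style access-log lines (sample data, not from a real host).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?lang=fr HTTP/1.1" 200 1527
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /?lang=../../../../etc/passwd HTTP/1.1" 200 1310
10.0.0.5 - - [01/Jan/2024:10:00:15 +0000] "GET /?lang=..%252f..%252fetc%252fpasswd HTTP/1.1" 200 1310
10.0.0.5 - - [01/Jan/2024:10:00:31 +0000] "GET /?lang=PhP://filter/convert.base64-encode/resource=index HTTP/1.1" 200 2140
10.0.0.9 - - [01/Jan/2024:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 1527
"""

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" \d{3} (\d+)')
SCHEME = re.compile(r'^\s*[a-z][a-z0-9+.\-]*://', re.I)  # php://, file://, http://, ...
TRAVERSAL = re.compile(r'\.\.[/\\]')
ALLOWED_LANGS = {"fr"}  # assumption: the only language the site really offers

def fully_decode(value, rounds=3):
    # Undo nested URL encoding (%252f -> %2f -> /) before matching.
    for _ in range(rounds):
        value = unquote(value)
    return value

def classify(value):
    # Return a reason string for a suspicious parameter value, else None.
    v = fully_decode(value)
    if SCHEME.search(v):
        return "stream-wrapper"
    if TRAVERSAL.search(v):
        return "path-traversal"
    if v not in ALLOWED_LANGS:
        return "unexpected-value"
    return None

def scan(log_text, param="lang"):
    # Yield (client, reason, response_size) for each flagged request.
    findings = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        client, target, size = m.groups()
        for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if key == param and (reason := classify(value)):
                findings.append((client, reason, int(size)))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The same allow-list idea is the fix on the application side: a `lang` value that is looked up in a fixed set of known languages, instead of being passed to an include, never reaches the filesystem or a stream wrapper.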


About the Author

Atil is an instructor at Bogazici University, where he graduated back in 2010. He is also co-founder of Academy Club, which provides training, and Pera Games, which operates in the mobile gaming industry.