DEV Community: Hjalte Abelskov

A Beginner's Guide to Penetration Testing (Part 2)

Hjalte Abelskov — Wed, 04 May 2022 11:23:20 +0000

Hey everyone! I’m back at it with another blogpost about information-security or, more specifically, penetration testing.

This blogpost constitutes the second part in my series on penetration testing. If you are not familiar with penetration testing in general, I highly recommend checking out my first post above where I go over penetration testing methodology and show you some tools that can be useful when enumerating a target.

To finish off this mini series on penetration testing, my blogpost today will go over a target from HackTheBox. To be more precise, we'll be looking at one of their retired boxes named Blocky.

For those of you who are new to HackTheBox, think of it as a big hacking playground with lots of targets varying in difficulty. For every target out there, you need to first gain a foothold and then escalate your privileges.

Two .txt files exist on the target, and your goal is to submit the contents of both. The first .txt file is named user.txt, and submitting that will prove to HackTheBox that you’ve achieved foothold. The second .txt file is named root.txt (even on Windows), and submitting that will prove to HackTheBox that you’ve achieved escalated privileges, a.k.a root privileges (Administrator for Windows).

The foothold flag is usually the hardest to obtain, or at least the one that requires the most steps, since it requires combing through lots of information about the services running on the server. I have intentionally not included some of the dead ends I ran into while doing this box.

Step 1: Foothold

We are given the following IP-address: 10.10.10.37
First thing I did was to run an nmap scan to see which services are running on the target. I specified -sV for versions and -p- for all ports. -oN tells nmap to output in “nmap format” to the specified file.

Here we see ftp, ssh, http and a minecraft server.
Let’s go ahead and visit the website.

It looks like a blog of some sort. Some might recognize that it resembles the standard Twenty Seventeen Wordpress theme. To find out more, I started a subdirectory-scan with Gobuster while continuing to explore the site manually. Here, I specified -u for url and -w for wordlist.

Looking at the source code, network traffic, etc. did not yield anything particularly useful, but eventually my Gobuster scan finished and showed me the following information:

Aha! Here, we see a bunch of sites with 403 (Forbidden) and some 301s (Redirects/Hits).
Also, we see /phpmyadmin and /plugins as well as some wordpress sites.
We can navigate to phpmyadmin and try some default credentials, such as root:root, admin:admin, root:admin etc.
We don’t get a hit, and since we don’t know any users, we are unable to progress much further in this direction right now.

However, there is a great tool for Wordpress sites called wpscan. It automatically looks through posts, authors, themes, assets etc. to spot anything vulnerable or out of the ordinary.

By running a command such as wpscan --url http://10.10.10.37/ --enumerate u, we find a user named notch.

Meanwhile, if we visit /plugins we see two .jar files.

I downloaded the first one, BlockyCore.jar, and unzipped it to find a BlockyCore.class file. Using a Java decompiler, I was able to read the contents.

Looks like we found some credentials!
We now have two users: root and notch.
Going back to the website, we can visit the /phpmyadmin endpoint and try logging in.

It worked! We now have access to phpMyAdmin and can view the underlying database.

Usually, when gaining access to admin panels, you want to look for ways to upload files, read credentials, update permissions and such. Since phpmyadmin is using SQL, we can query the database and such. We can try uploading a webshell, which would allow us to execute commands on the server. The following command takes an input and writes it to /phpmyadmin/cmd.php (assuming the folder exists under /var/www/).

SELECT "<?php if($_GET['cmd']) {system($_GET['cmd']);} ?>" INTO OUTFILE '/var/www/phpMyAdmin/cmd.php
We are denied access though. But it was worth a shot.

So far so good…

Okay, so where are we with all the gathered information? Well, we have obtained two usernames and a password from diving into port 80. We were able to log into phpmyadmin but unable to run any SQL queries from there.

However, a common scenario when dealing with lazy developers is the reuse of passwords. Don’t do this, people. Get a password manager and generate a new unique password every time, please.
Anyhow, once we get credentials, it is usually a good idea to look for other services where we could try those credentials as well.

Let’s remind ourselves what the other services were:
Our nmap scan showed us that the services running were ftp, ssh, http and minecraft.

We try using the notch username with the password from before on the ftp server and manage to successfully log in.
Here, we see the user.txt file. We can use the “get” command to download files over ftp.

And we are rewarded with our first flag! Foothold achieved!

Step 2: Privilege Escalation

With the SAME notch credentials used for FTP, I was also able to SSH into the box.

One of the first things to enumerate, when looking to escalate privileges on a system, is which rights you have as a user. Are you able to run some commands with elevated privileges?
An easy way to see this on Linux is to run sudo -l which will list all your sudo rights.
Here, we see that we may run (ALL: ALL) ALL. This means we can run any command as the superuser.

This makes for a very easy win with sudo su root. Enter the credentials for notch and bam! We’re root.
We can see the root.txt file, readable by our user.

And that is both of the proofs we need to submit to gain full points on the box!

Were you able to follow along and understand everything that happened there?
Let’s quickly recap the steps we took:

We scanned the site with nmap
On port 80, we found a website and performed a subdirectory-listing scan with Gobuster
We saw Wordpress files and used wpscan to find a user named notch
In the /plugins folder, we found a .jar file with some credentials
We tried reusing the credentials on the other services (foothold)
We were able to SSH into the box
With sudo -l we listed our privileges and saw that we could run any command as root
We switched to root user with the sudo su root command which gave us root flag

Alright, that wraps up my second post and this series on penetration testing!
This post was a bit longer and a bit more technical than the first post, but translating theoretical knowledge into practical usage is often what helps you truly understand something new.
I hope you learned something from this mini series on penetration testing - or at least enjoyed the reading :-) Feel free to post your questions below!

A Beginner's Guide to Penetration Testing (Part 1)

Hjalte Abelskov — Thu, 21 Apr 2022 11:52:13 +0000

Disclaimer:

Before we start, I feel the need to write a short disclaimer: remember that these are real hacking tools that should never be used without a formal agreement in place between the parties involved. These posts are meant to be a teaser with the goal of giving you, the reader, a sense of what penetration testing is and what to be aware of when building your applications.

What is a pentest?

A pentest is essentially a simulated cyberattack on a computer system with the purpose of evaluating the security of the system. A pentest can be whitebox, meaning that the attacker has access to background and system information, or blackbox, meaning that the attacker has little or no information about the system.

Why do we pentest?

The UK National Cyber Security Center describes pentesting as

A method for gaining assurance in the security of an IT system by attempting to breach some or all of that system’s security, using the same tools and techniques as an adversary might

Let me start by going over some quick glossary to ensure that we are all on the same page:

Target: A target is typically a single IP address, but could also be a range of IP addresses.
Port: A communication endpoint for the computer, numbered between 0-65535. Ports can be either:
- OPEN (If you send a SYN, you get back a SYN/ACK)
- UNFILTERED (The special ACK scan, used for mapping firewall rule sets, can sometimes return RST. This means that the port is accessible, but we can’t determine if it is open or closed).
- FILTERED (Target is behind some sort of firewall and packets get dropped / no response)
- CLOSED (When you send a SYN, it responds back with a RST).
CVE: Short for “Common Vulnerabilities and Exposures”. This is a method of indexing and referencing publicly known software vulnerabilities. There are roughly between 15,000 - 20,000 new CVEs reported each year.

Phases of a pentest

You should know that there are 5 phases to professional pentesting, namely

Planning
Scanning
Gaining Access
Persistent Access
Reporting

In this post, however, I want to focus mainly on phase 2 and 3 since that's where the exciting stuff happens.

2. Scanning

When we scan a target, we are looking for information about which operating system and software might be running on the computer. Scanning for open ports tells us how the target can be interacted with, which often lets us infer a lot of information about the target. This is typically done with a tool called nmap.

A scan could look like the following:

Here we see two open ports, namely port 22 (ssh) and port 80 (http). This indicates that the target is probably hosting one or more websites and has SSH access enabled for remote configuration. We can see it is running OpenSSH 7.4 and the website is Apache httpd 2.4.25. From this information alone, we may start looking for well-known vulnerabilities, also known as CVEs. Mitre has a CVE database (https://cve.mitre.org/) we can look in. A website such as https://www.exploit-db.com/ even goes as far as to provide working code exploits for a lot of known CVEs.

On a different scan we might find a Domain Controller in an Active Directory which would be indicated by ports 53 (dns), 88 (kerberos), 135 (msrpc), 139 (netbios-ssn), 389 (ldap), 445 (file replication service), 464 (kerberos password change), 3268 and 3269 (ldap) being open.

Remember: Scanning the target and enumerating the attack vectors that come to mind is an iterative process and should be done continuously throughout the pentest.

After our initial port scan, we might do more scans depending on what we find. In order to be as effective as possible, and to gather as much information as possible, pentesters are often running multiple scans simultaneously on a target. There are hundreds of tools out there for every service imaginable. Some of the tools worth mentioning are wpscan (https://wpscan.com/wordpress-security-scanner) for Wordpress sites or sqlmap (https://sqlmap.org/) for automatic SQL injection. For a more extensive list of tools check out https://0xcybery.github.io/ehtk/ or https://github.com/enaqx/awesome-pentest

3. Gaining access

This step will vary a lot based on the results of the second phase, but let’s assume a very common case: we see a website on port 80/443.
First, we want to identify which technologies are being used. For this, there are several tools, but we can also poke at it manually.

We could try to..

Read the source code
See if we get a hit on a well-known endpoint such as /wp-content/ for Wordpress, /user/login/ for Drupal, or /manager/html for Tomcat.
Inspect the server responses and look for technologies used. This will sometimes also yield version numbers which makes it easy to look for existing exploits.

If we’re lazy we can use tools such as Nikto, WhatWeb, BuiltWith or Wappalyzer that will analyze which technologies are being used by the website for us.

We can also use tools such as Gobuster to scan websites for subpages.
Gobuster has a ton of features, but we will be using the url parameter and provide it with a wordlist of words to search for. Operating systems such as Kali Linux or ParrotOS come pre-installed with wordlists, but there are plenty of useful wordlists on Github we can use - check out https://github.com/danielmiessler/SecLists. An example of this could be:
Gobuster -u https://site-we-want-to-scan/ -w /path/to/wordlist -t threads -o gobuster_scan_from_website_root

An output could look something like this:

If our wordlist is well-chosen, we now have a good overview of the site, and we can continue our attack based on what we find. As mentioned earlier, enumeration is a continuous process.

With this new information, we could try a gobuster scan on https://site-we-want-to-scan/images, https://site-we-want-to-scan/uploads or https://site-we-want-to-scan/assets to gain more information about which artifacts exist on the site.

Well, this wraps up my first post on penetration testing!
Thank you for reading!
In the next post, I will get more hands-on as I walk you through how I hacked a target from the famous website HackTheBox.