Directory busting

 

Description

You are a Penetration Tester hired by the company AwdMgmt to perform security tests on their internal Web Application and machines. You are asked to perform the penetration test on the client premises. During this engagement you are not given a well-defined scope. You are sitting in the client corporate building, directly attached to the client network.

Goal

The goal of this lab is to first find the web servers in the network you are directly attached. Then to test the Web Application running on it in order to check if you can access restricted areas (such as the login page)!

Tools

The best tools for this lab are:

• Dirbuster

• mysql

• Web browser

Steps

Find all the machines in the network

Since we do not have any information about the network and related hosts, the first step is to find all alive hosts in the network.

Identify the machines role

Now that we know there is a host on the target network, let us scan it and gather as much information as we can about it. We are interested in web servers.

Explore the web application

Once we have found a web server explore the Web Application from a web browser and analyze it.

Remember that the goal of our tests is to access the restricted web area.

Find hidden files

Now that you have an idea of how the Web Application works, run dirbuster and check if there is any file that may be useful to access the login page!

Test the credentials found

You should have found two interesting files. Use the information stored in these two files to access the DMBS.

Retrieve the correct admin password

Now that you have access to the database, dump the administrator credentials and try to log into the Web Application.

SOLUTIONS

Please go ahead ONLY if you have COMPLETED the lab or you are stuck! Checking the solutions before actually trying the concepts and techniques you studied in the course, will dramatically reduce the benefits of a hands-on lab!

Solutions steps

Find all the machines in the network

We first need to find the address of the corporate network we are connected to. We can do so by running ifconfig and checking the IP address of our tap0 interface.

As we can see the target network is 10.104.11.0/24. Let\'s run nmap -sn in order to discover all the available hosts on the network.

The previous screenshot shows that there are two hosts alive in the network: 10.104.11.96 and 10.104.11.198.

Identify the machines role

Let us run nmap in order to gather information about the services listening on our targets. To do this we will run a -sV scan as follows:

From the results, we can see that the machine with IP address 10.104.11.96 is running Apache on port 80, meaning that it is probably hosting the internal web application, while the other machine (10.104.11.198) is running MySQL.

Since the scope of the engagement is to check if an attacker can access restricted areas of the web application, let's focus our tests on the machine 10.104.11.96.

Explore the web application

In order to inspect the web application we just need to type the IP address of the target machine into our browser.

If we inspect the web application, we can see that the \"Sign up\" page is not available, meaning that we cannot create a new user in order to access the restricted area.

Moreover, we do not have any valid credential to use and the form seems not vulnerable to any SQL injection attack.

Find hidden files

Since we do not want to bruteforce the login form, we can try to run discovery tools such as dirbuster in order to find hidden files that may help us with our goal.

Let us start dirbuster and run a scan using the directory-list-2.3.-small.txt file. After a minute or two, we should start getting some interesting results:

Here we can see that in the include folder there is a file named config.old. Let us inspect it and see if there is anything interesting in it:

As we can see, the file contains some database credentials! If you recall, in the previous steps we had found a machine running MySQL. Let us try a DB connection to this machine with the credentials just found:

Unfortunately, it seems that the credentials are not valid. Let us keep investigating the files found with dirbuster. If we check the previous screenshot, we can see that there is a page named signup.php that we were not able to access from the links in the web application:

This is even better than the previous file found!

Test the credentials found

Let us try the credentials found in the signup.php file and see if we are able to access the DB!

As we can see, this time we are successfully logged into the database! Let us inspect it!

Retrieve the correct admin password

Let us use some simple mysql commands to navigate the database and check if there is anything interesting in it. First, we will have to select the database to use and then inspect its tables and data, as follows:

With the information just obtained, let us try to log into the web application:

We are logged in!!

STATUS

Lab Not Running

info_outlineLAB NOT RUNNING

Start the lab and you’ll be able to download a VPN File and connect.

Google Hacking - Study Guide

Cross Site Scripting - Study