Step 1: Nmap Scanning for Services
Look at the output of the nmap scan: there is no Telnet running on the system, so it would not make sense to try Telnet. It is not a provided service. The system runs SSH instead. If you are able to get any login details, by any means, you can connect using SSH, but that is not a vulnerability, because the users are supposed to do that anyway. The vulnerability is somewhere else.
The vulnerability is in the way that you may find login details. Logging in was normal. However, did you get any user login details? All your work starts from there, and the other vulnerabilities can be found and exploited one by one from there.
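The point of Step 1 is reading the scan output and deciding what is actually offered before trying anything. As an added example (not part of the original hints, and not real scan data), the following parses nmap's normal text output and reports which remote-login services the host really runs. The sample output, the host address and the port list are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample in the shape of nmap's normal (-oN) output; not a real scan.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 10.0.0.5
Host is up (0.00042s latency).
Not shown: 996 closed ports
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 7.2p2 Ubuntu
23/tcp   filtered telnet
80/tcp   open     http    Apache httpd 2.4.18
3306/tcp open     mysql   MySQL 5.7
"""

# One port line: "<port>/<proto>  <state>  <service>  [version text]"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)(?:\s+(?P<version>.*))?$"
)


def parse_nmap(text: str) -> List[Dict[str, str]]:
    """Return one dict (port, proto, state, service, version) per port line."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            row = m.groupdict()
            row["version"] = (row["version"] or "").strip()
            rows.append(row)
    return rows


def open_services(text: str) -> Dict[str, str]:
    """Map service name -> 'port/proto' for every port nmap reports as open."""
    return {
        r["service"]: f"{r['port']}/{r['proto']}"
        for r in parse_nmap(text)
        if r["state"] == "open"
    }


def login_services(text: str) -> List[str]:
    """Which remote-login services are actually offered (telnet, ssh)?

    A filtered or closed port is not a service; only 'open' counts, which is
    why the sample host offers SSH but not Telnet.
    """
    offered = open_services(text)
    return [name for name in ("telnet", "ssh") if name in offered]


if __name__ == "__main__":
    for row in parse_nmap(SAMPLE_NMAP_OUTPUT):
        print(f"{row['port']}/{row['proto']:<4} {row['state']:<9} {row['service']:<7} {row['version']}")
    print("login services offered:", login_services(SAMPLE_NMAP_OUTPUT))
```

The same parser works on a saved `nmap -sV -oN scan.txt` file; the habit it encourages is the one the hints describe: enumerate what is open, and only then decide what the next step can be.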
2.0 Searching for any interesting information, like user login details
As explained in the tutorial document, based on the nmap scan, start with HTTP service by browsing some pages.
Redirection is normal, so you can run many websites on the same server. Unskilled people don’t know what to do there, and they can be very dismissive of error messages. You are computer science professionals, and are not allowed to ignore any error messages.
What happens after manipulating the above? Something will happen that lets you discover something you were not supposed to see. The cause of this is a vulnerability – What is the name of this vulnerability, which allows the user to see everything in a directory? Are users supposed to be able to see that? Or is it supposed to be disabled? This is the start of the exploitation. From here you will be able to discover all the vulnerabilities.
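When a web server answers a request for a directory with an index of its contents instead of a page, that is what you are looking at here. As an added example (not from the original hints), the function below recognises such a directory-index page from the response body, using the markers that Apache's mod_autoindex, nginx's autoindex and Python's http.server emit, and lists the names it exposes. The two HTML bodies are constructed, not captured from the lab server; the fix on the server side is Apache's `Options -Indexes` or nginx's `autoindex off;`.

```python
import re
from typing import List

# Constructed response body in the shape Apache's mod_autoindex produces.
APACHE_INDEX_PAGE = """<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<html><head><title>Index of /backup</title></head>
<body><h1>Index of /backup</h1>
<table><tr><th>Name</th><th>Last modified</th></tr>
<tr><td><a href="/">Parent Directory</a></td></tr>
<tr><td><a href="users.txt">users.txt</a></td></tr>
<tr><td><a href="old/">old/</a></td></tr>
</table></body></html>"""

# Constructed ordinary page for comparison.
NORMAL_PAGE = "<html><head><title>Welcome</title></head><body><p>Hello</p></body></html>"

# Signatures of auto-generated directory indexes (Apache, nginx, Python http.server).
LISTING_MARKERS = (
    re.compile(r"<title>\s*Index of /", re.I),            # Apache and nginx
    re.compile(r"Parent Directory", re.I),                # Apache's ".." entry
    re.compile(r"<h1>\s*Directory listing for ", re.I),   # Python http.server
)

HREF = re.compile(r'<a\s+href="([^"]+)"', re.I)


def looks_like_directory_listing(html: str) -> bool:
    """True if the body matches any known directory-index signature."""
    return any(marker.search(html) for marker in LISTING_MARKERS)


def exposed_entries(html: str) -> List[str]:
    """Names a directory index reveals, excluding the parent-directory links.

    Returns an empty list for a page that is not a directory index, so callers
    can use it as the finding to record: what the misconfiguration exposes.
    """
    if not looks_like_directory_listing(html):
        return []
    return [h for h in HREF.findall(html) if h not in ("/", "../")]


if __name__ == "__main__":
    for name, body in (("index page", APACHE_INDEX_PAGE), ("normal page", NORMAL_PAGE)):
        print(f"{name}: listing={looks_like_directory_listing(body)} entries={exposed_entries(body)}")
```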
In the tutorial/lecture ‘Last lecture’, we told you that “the secret lies with Dark Raver, and his scanner called DirB”. Why?
Because you have just discovered that there is a vulnerability in the web browser and, reading about the vulnerability, results in discovering that you can use a scanner for it. This is obvious because it will be impossible to do all that manually. You need to find out what it allows you to see, apart from the manual thing you just did. DirB does that.
Now it is time to do what computing professionals do – look at the output of an action and try to interpret it, in order to establish the next course of action.
After running DirB, what is the next thing you need to do? There is a lot of output from the scan, and the job is a bit tedious, but that is what hackers do, don’t they?
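Interpreting the DirB output is the tedious part the hints refer to. As an added example (not part of the original hints, and not the lab's real scan), the following reads DirB's text output and triages it: which directories it found, which ones the server lets anyone list, which hits are login pages, and which were forbidden. The sample output is constructed; its line shapes (`+ URL (CODE:n|SIZE:n)`, `==> DIRECTORY: URL/`, the `IS LISTABLE` warning) are assumed from DirB's usual format.

```python
import re
from collections import Counter
from typing import Dict, List, Tuple

# Constructed DirB-style output; the URLs and sizes are made up for illustration.
SAMPLE_DIRB_OUTPUT = """\
-----------------
DIRB v2.22
By The Dark Raver
-----------------

URL_BASE: http://10.0.0.5/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

---- Scanning URL: http://10.0.0.5/ ----
==> DIRECTORY: http://10.0.0.5/backup/
+ http://10.0.0.5/index.html (CODE:200|SIZE:11321)
==> DIRECTORY: http://10.0.0.5/blog/
+ http://10.0.0.5/robots.txt (CODE:200|SIZE:57)
+ http://10.0.0.5/server-status (CODE:403|SIZE:299)

---- Entering directory: http://10.0.0.5/backup/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.

---- Entering directory: http://10.0.0.5/blog/ ----
+ http://10.0.0.5/blog/wp-login.php (CODE:200|SIZE:2415)
"""

FOUND = re.compile(r"^\+ (\S+) \(CODE:(\d+)\|SIZE:(\d+)\)")
DIRECTORY = re.compile(r"^==> DIRECTORY: (\S+)")
ENTERING = re.compile(r"^---- Entering directory: (\S+) ----")
LISTABLE = re.compile(r"Directory IS LISTABLE")

Hit = Tuple[str, int, int]  # (url, http status, size in bytes)


def parse_dirb(text: str) -> Dict[str, list]:
    """Split DirB output into found files, discovered directories and listable directories."""
    result: Dict[str, list] = {"files": [], "directories": [], "listable": []}
    current = None  # directory whose section we are currently reading
    for raw in text.splitlines():
        line = raw.strip()
        if m := ENTERING.match(line):
            current = m.group(1)
        elif m := DIRECTORY.match(line):
            result["directories"].append(m.group(1))
        elif m := FOUND.match(line):
            result["files"].append((m.group(1), int(m.group(2)), int(m.group(3))))
        elif LISTABLE.search(line) and current:
            result["listable"].append(current)  # the warning refers to the directory being entered
    return result


def triage(text: str) -> Dict[str, object]:
    """Group the hits by what is worth a closer look (and worth a line in the report)."""
    parsed = parse_dirb(text)
    files: List[Hit] = parsed["files"]
    return {
        "listable_directories": parsed["listable"],
        "login_pages": [u for u, code, _ in files if code == 200 and "login" in u.lower()],
        "forbidden": [u for u, code, _ in files if code == 403],
        "status_codes": dict(Counter(code for _, code, _ in files)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_DIRB_OUTPUT).items():
        print(f"{key}: {value}")
```

Run it on the saved scan (`dirb http://host/ -o scan.txt`, then read the file) rather than on the terminal scroll-back; the listable directories and the login page are the two items the hints say to follow up, and the 403 hits are worth noting in the report as present but protected.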
Step 2: Directory Bruteforcing
4.0 Did you find any login details?
If you were able to find some user login details, what do you think they are used for? To log in, yes? How can users log in to this system? Is there any service that allows them to log in?
Time to go back to the drawing board – nmap scan – and find out how you can log in, by using the login details that you have found.
Do you see any service there that is used for login? Of course you do. It is there, in front of you, in the nmap scan output. It still comes down to interpreting the output that you yourself have produced, and finding out what to do next.
Using that service – find out about the commands that are used to log in, use the login details you found to log in, and voilà – you are in.
However, once you are inside the system, as one of the normal users, what can you do, that you are not supposed to? You will see that the system allows you to do more than you should be able to, so there is another vulnerability there. You just have to understand what a vulnerability is, and to come up with a name or definition for the one you find. Don’t get it wrong. It is not about defining the word vulnerability, because we are past that, but to define the vulnerabilities that you find.
Now, go back to the previous one. How were you able to find the login details? Can you define and describe that vulnerability? That shows that you have scope there to do more scanning, with the one that I have already suggested – DirB.
It is obvious that writing the report goes hand in hand with the practical work. You can’t rely on remembering everything at the end and trying to write the report from memory.
The scanning with DirB will help you find lots of directories, so you can browse them to see where they take you. One of them presents you with a login page, which is an excellent opportunity to try and find if there is any vulnerability that you can exploit there.
You have already discovered that this system does not seem to be well protected with good passwords. So, try another scan and exploit from Metasploit Framework, in the same fashion as in the tutorial:
- Identify the application or service you are trying to see if it has exploitable vulnerabilities
- Open Metasploit and run a search
- Use the relevant module
- Configure the module with the right parameters
- Run the module
- Did it get you somewhere? No? Then try again.
You will get lucky if you keep trying. Try and try again, and see if you can log in. Once you are logged in, check whether you have found the vulnerability there, and describe it like a professional in the report.
Once inside the service, or application (which app?), you can find another vulnerability related to the storage of the admin password, which is hashed. You copy and paste it, and then crack it using a simple word list and John the Ripper.
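The vulnerability here is not that a hash exists but how the admin password is stored: an unsalted, fast hash is recovered by checking each word of a list, which is all a word-list tool does. As an added example (not the lab's data, and not John the Ripper's code), the block below shows that audit against a constructed MD5 hash and a five-word list, then the storage pattern that defeats it: a per-user random salt and a slow key-derivation function (PBKDF2-HMAC-SHA256 from the standard library). The word list, the chosen password and the iteration count are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed word list; a real audit would use a much larger one.
WORDLIST = ["password", "letmein", "admin", "sunshine", "Winter2019"]


def md5_hex(word: str) -> str:
    return hashlib.md5(word.encode()).hexdigest()


# The weak pattern: the admin password stored as an unsalted, fast MD5 digest.
WEAK_STORED_HASH = md5_hex("sunshine")  # constructed; the real admin password is not "sunshine"


def audit_unsalted_md5(stored_hash: str, wordlist: Iterable[str]) -> Optional[str]:
    """Return the word that reproduces the stored hash, or None.

    Because the hash has no salt and MD5 is fast, one digest per candidate
    word is enough: this is why a short word list breaks it in an instant.
    """
    for word in wordlist:
        if hmac.compare_digest(md5_hex(word), stored_hash):
            return word
    return None


# The hardened pattern: random salt + slow KDF, stored as "iterations$salt$digest".
ITERATIONS = 200_000  # tune so one check costs tens of milliseconds on your hardware


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    print("unsalted MD5 recovered as:", audit_unsalted_md5(WEAK_STORED_HASH, WORDLIST))
    stored = hash_password("sunshine")
    print("PBKDF2 record:", stored)
    print("verify correct password:", verify_password("sunshine", stored))
    print("verify wrong password:  ", verify_password("letmein", stored))
```

Two things to notice: the same password hashed twice with different salts gives different records, so a precomputed list of digests is useless against the hardened form, and each PBKDF2 check is deliberately slow, so a word list that took milliseconds against MD5 takes hours against it. That contrast is the description of the vulnerability the report should carry.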
Also, there is another vulnerability related to the blog page, which is created using WordPress. If you browse around and check some posts, especially horizontally, you will find another vulnerability there, related to a Web Exploitation Package.