Lab10 - Dirbuster

© 2019 Caendra Inc. | Hera for PTSv4 | Dirbuster 1


You are a Penetration Tester hired by the company AwdMgmt to perform security tests on
their internal Web Application and machines. You are asked to perform the penetration
test on the client premises. During this engagement you are not given a well-defined scope.
You are sitting in the client corporate building, directly attached to the client network.

The goal of this lab is first to find the web servers in the network to which you are directly
attached, then to test the Web Application running on them in order to check whether you can
access restricted areas (such as the login page)!

The best tools for this lab are:

• Dirbuster
• mysql
• Web browser

Since we do not have any information about the network and related hosts, the first step is
to find all alive hosts in the network.

Now that we know there is a host on the target network, let us scan it and gather as much
information as we can about it. We are interested in web servers.

Once we have found a web server, explore the Web Application from a web browser and
analyze it.

Remember that the goal of our tests is to access the restricted web area.

Now that you have an idea of how the Web Application works, run dirbuster and check if
there is any file that may be useful to access the login page!

You should have found two interesting files. Use the information stored in these two files to
access the DBMS.

Now that you have access to the database, dump the administrator credentials and try to
log into the Web Application.

Please go ahead ONLY if you have COMPLETED the lab or you are stuck! Checking the
solutions before actually trying the concepts and techniques you studied in the course will
dramatically reduce the benefits of a hands-on lab!

We first need to find the address of the corporate network we are connected to. We can do
so by running ifconfig and checking the IP address of our tap0 interface.

As we can see the target network is 10.104.11.0/24. Let's run nmap -sn in order to
discover all the available hosts on the network:

The previous screenshot shows that there are two hosts alive in the network: 10.104.11.96
and 10.104.11.198.

Let us run nmap in order to gather information about the services listening on our targets.
To do this we will run a -sV scan as follows:

From the results, we can see that the machine with IP address 10.104.11.96 is running
Apache on port 80, meaning that it is probably hosting the internal web application, while
the other machine (10.104.11.198) is running MySQL.

Since the scope of the engagement is to check if an attacker can access restricted areas of
the web application, let’s focus our tests on the machine 10.104.11.96.
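The service scan above is the point where the network's real exposure becomes visible: a database server answering on a port any host on the LAN can reach. As an added example (not part of the lab material or of nmap itself), the following Python script parses nmap's grepable output (`-oG`) into a small asset inventory and lists the hosts that expose a database service to the network. The scan output embedded below is constructed to mirror the lab's two hosts; the version strings are placeholders, not values from the lab.

```python
"""Parse nmap grepable (-oG) output into an asset inventory.

Added example, not part of the original lab. SAMPLE_GNMAP is constructed
to mirror the lab's findings (10.104.11.96 serving HTTP, 10.104.11.198
serving MySQL); the version strings are placeholders.
"""

# Constructed sample of `nmap -sV -oG - 10.104.11.0/24` style output.
# Fields are tab-separated; each port entry is
#   port/state/protocol/owner/service/rpcinfo/version/
SAMPLE_GNMAP = """\
# Nmap scan initiated (constructed sample)
Host: 10.104.11.96 ()\tStatus: Up
Host: 10.104.11.96 ()\tPorts: 80/open/tcp//http//version placeholder/, 443/closed/tcp//https///\tIgnored State: closed (998)
Host: 10.104.11.198 ()\tStatus: Up
Host: 10.104.11.198 ()\tPorts: 3306/open/tcp//mysql//version placeholder/\tIgnored State: closed (999)
# Nmap done (constructed sample)
"""

# Services that should not be reachable from an arbitrary LAN port
# (this example's own list, not an nmap category).
DATABASE_SERVICES = {"mysql", "postgresql", "ms-sql-s", "oracle", "mongodb", "redis"}


def parse_gnmap(text):
    """Return {host: [(port, proto, state, service, version), ...]}.

    Only open ports are kept. A host reported as Up without a Ports:
    line is still listed, with an empty port list.
    """
    inventory = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue                      # comment lines and blanks
        fields = line.split("\t")
        host = fields[0].split()[1]       # "Host: 10.104.11.96 ()" -> address
        inventory.setdefault(host, [])
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) < 7:
                    continue              # malformed entry, skip it
                port, state, proto, _owner, service, _rpc, version = parts[:7]
                if state == "open":
                    inventory[host].append((int(port), proto, state, service, version))
    return inventory


def exposed_databases(inventory):
    """Return sorted (host, port, service) for database services open on the LAN."""
    findings = []
    for host, ports in inventory.items():
        for port, _proto, _state, service, _version in ports:
            if service in DATABASE_SERVICES:
                findings.append((host, port, service))
    return sorted(findings)


if __name__ == "__main__":
    inv = parse_gnmap(SAMPLE_GNMAP)
    for host, ports in sorted(inv.items()):
        print(host, ports)
    for host, port, service in exposed_databases(inv):
        print(f"[!] {host}:{port} exposes {service} to the whole network")
```

Run against a real `nmap -sV -oG scan.gnmap` file, the same two functions give a first-pass list of database listeners that should be bound to localhost or firewalled to the application server only.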

In order to inspect the web application we just need to type the IP address of the target
machine into our browser.

If we inspect the web application, we can see that the "Sign up" page is not available,
meaning that we cannot create a new user in order to access the restricted area.

Moreover, we do not have any valid credentials to use, and the login form does not appear to
be vulnerable to SQL injection.

Since we do not want to brute-force the login form, we can try to run discovery tools such as
dirbuster in order to find hidden files that may help us with our goal.

Let us start dirbuster and run a scan using the directory-list-2.3-small.txt file. After a
minute or two, we should start getting some interesting results:
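A scan like this is loud from the server's point of view: one client requesting hundreds of wordlist paths in a short time, most of them answered with 404. As an added example (not part of the lab material), the following Python script parses Apache access-log lines and flags clients whose recent requests are mostly 404s across many distinct paths. The log lines are constructed: 10.104.11.50 is a made-up scanning client, 10.104.11.20 a made-up normal user, and the wordlist entries are a small hand-picked sample; the thresholds are this example's own choices.

```python
"""Flag wordlist-style directory scanning in an Apache access log.

Added example, not part of the original lab. All log lines are constructed
in build_sample_log(); 10.104.11.50 and 10.104.11.20 are made-up clients.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache common/combined log line; only the fields the detector needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Hand-picked slice of a directory wordlist (constructed sample).
WORDLIST_SAMPLE = [
    "admin", "backup", "cgi-bin", "config", "css", "data", "db", "dev",
    "images", "include", "js", "lib", "logs", "old", "private", "secret",
    "signup.php", "temp", "test", "tmp", "upload", "users",
    "include/config.old", "include/config.php", "include/",
]
EXISTING_PATHS = {"css", "signup.php", "include/config.old"}   # answered 200


def build_sample_log():
    """Constructed log: a normal user plus one scanner, both within a minute."""
    base = datetime(2019, 3, 10, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset, path, status):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FORMAT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512'

    lines = [line("10.104.11.20", 0, "/index.php", 200),
             line("10.104.11.20", 8, "/login.php", 200),
             line("10.104.11.20", 30, "/style.css", 200),
             line("10.104.11.20", 45, "/missing.png", 404)]
    for i, word in enumerate(WORDLIST_SAMPLE):
        status = 200 if word in EXISTING_PATHS else 404
        lines.append(line("10.104.11.50", i * 2, "/" + word, status))
    return lines


def parse_line(line):
    """Return (ip, timestamp, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FORMAT)
    return m.group("ip"), ts, m.group("path"), int(m.group("status"))


def detect_scanners(lines, window=timedelta(seconds=60), min_404=20, min_ratio=0.8):
    """Return {ip: stats} for clients with a 404-heavy burst inside `window`.

    A client is flagged the first time a sliding window of its requests holds
    at least `min_404` not-found responses making up `min_ratio` of the window.
    """
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            ip, ts, path, status = rec
            events[ip].append((ts, path, status))

    findings = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1                      # slide the window forward
            win = evs[start:end + 1]
            not_found = sum(1 for _, _, s in win if s == 404)
            if not_found >= min_404 and not_found / len(win) >= min_ratio:
                findings[ip] = {"requests": len(win), "not_found": not_found,
                                "distinct_paths": len({p for _, p, _ in win})}
                break
    return findings


if __name__ == "__main__":
    for ip, stats in detect_scanners(build_sample_log()).items():
        print(f"[!] {ip}: {stats}")
```

The point of the ratio check is to avoid flagging an ordinary client that hits a few broken links; a scanner's requests are almost all misses, and the distinct-path count separates it from a client retrying one missing resource.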

Here we can see that in the include folder there is a file named config.old. Let us inspect it
and see if there is anything interesting in it:

As we can see, the file contains some database credentials! If you recall, in the previous
steps we had found a machine running MySQL. Let us try a DB connection to this machine
with the credentials just found:

Unfortunately, it seems that the credentials are not working. Let us keep investigating the
files found with dirbuster. If we check the previous screenshot, we can see that there is a
page named signup.php that we were not able to access from the links in the web
application:

This is even better than the previous file we found.
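Both findings so far (a stale config.old copy left in a served directory, and a page whose source carries its own database login) are the kind of thing a pre-deployment check of the document root catches before a scanner does. As an added example (not part of the lab material), the following Python script builds a throwaway directory that mimics the lab's layout with made-up contents, then audits it for leftover-file suffixes and credential-looking assignments. The suffix list and the regular expression are this example's own choices, not a standard.

```python
"""Audit a document root for leftover files and hard-coded credentials.

Added example, not part of the original lab. build_sample_webroot() writes a
constructed tree that mimics the lab's findings (include/config.old and
signup.php holding database credentials); every value in it is made up.
"""
import os
import re
import shutil
import tempfile

# Suffixes editors, deploy scripts and admins leave behind in web roots.
LEFTOVER_SUFFIXES = (".old", ".bak", ".orig", ".save", ".swp", ".tmp", "~",
                     ".sql", ".zip", ".tar.gz")

# key = 'value' / key => "value" / key: value, case-insensitive.
SECRET_RE = re.compile(
    r"""(?i)\b(db_?pass(?:word)?|password|passwd|pwd|secret|api_?key)\b"""
    r"""\s*(=>|=|:)\s*['"]?([^'"\s;]+)"""
)
# Values that pull from configuration rather than embedding a literal.
NON_LITERAL_PREFIXES = ("getenv", "$", "os.", "env(", "process.env")


def build_sample_webroot(root):
    """Write the constructed web root under `root`."""
    files = {
        "index.php": "<?php include 'include/config.php'; ?>\n",
        "include/config.php": ("<?php\n$db_host = getenv('DB_HOST');\n"
                               "$db_pass = getenv('DB_PASS');\n"),
        "include/config.old": ("<?php\n$db_host = '10.104.11.198';\n"
                               "$db_user = 'webapp';\n"
                               "$db_pass = 'constructed-old-password';\n"),
        "signup.php": ("<?php\n// constructed: a page carrying its own DB login\n"
                       "$db_pass = 'constructed-current-password';\n"),
        "css/style.css": "body { margin: 0 }\n",
    }
    for rel, body in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)


def audit_webroot(root):
    """Return a sorted list of (relative_path, issue) findings."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            if name.endswith(LEFTOVER_SUFFIXES):
                findings.append((rel, "leftover file served from web root"))
            elif name.startswith("."):
                findings.append((rel, "dotfile served from web root"))
            try:
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read(65536)       # enough for config-sized files
            except OSError:
                continue
            for m in SECRET_RE.finditer(text):
                key, value = m.group(1), m.group(3)
                if value.startswith(NON_LITERAL_PREFIXES):
                    continue                    # reads config, not a literal
                findings.append((rel, f"hard-coded credential '{key.lower()}'"))
    return sorted(findings)


def run_demo():
    """Build the constructed tree in a temp dir, audit it, clean up."""
    root = tempfile.mkdtemp(prefix="webroot-")
    try:
        build_sample_webroot(root)
        return audit_webroot(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, issue in run_demo():
        print(f"[!] {rel}: {issue}")
```

Note that include/config.php passes the audit: it reads its password from the environment, which is the fix for both files the lab found, together with removing the stale copy from the served tree.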

Let us try the credentials found in the signup.php file and see if we are able to access the
DB!

As we can see, this time we are successfully logged into the database! Let us inspect it!

Let us use some simple mysql commands to navigate the database and check if there is
anything interesting in it. First, we will have to select the database to use and then inspect
its tables and data:

With the information just obtained, let us try to log into the web application:

We are logged in!!
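The final step only works because the credentials read out of the users table could be replayed at the login form; the assumption here is that the application stored them in a recoverable form (the lab does not show the table's contents). As an added example (not part of the lab material or the target application), the following Python module models the same users table in memory with salted PBKDF2-HMAC-SHA256 records and a login routine that verifies against them, so that a dumped row no longer doubles as a login.

```python
"""Store application passwords so a dumped users table is not a login.

Added example, not part of the original lab. The users table is a
constructed in-memory stand-in; the admin password is made up.
"""
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000      # per-password work factor; raise as hardware improves


def hash_password(password, iterations=ITERATIONS):
    """Return a self-describing record: algorithm$iterations$salt$hash (hex)."""
    salt = os.urandom(16)                        # fresh salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
        salt, expected, iterations = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex), int(iterations)
    except ValueError:
        return False                             # malformed record
    if algorithm != ALGORITHM:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(digest, expected)


# Hashed once at import so an unknown username costs the same time as a bad password.
_DUMMY_RECORD = hash_password("unused-dummy-value")


def make_users_table():
    """Constructed stand-in for the application's users table."""
    return {"admin": hash_password("constructed-admin-secret")}


def login(users, username, candidate):
    """True only when `candidate` matches the stored record for `username`."""
    record = users.get(username)
    if record is None:
        verify_password(candidate, _DUMMY_RECORD)   # equalise timing
        return False
    return verify_password(candidate, record)


if __name__ == "__main__":
    users = make_users_table()
    print("dumped row      :", users["admin"])
    print("replay dumped   :", login(users, "admin", users["admin"]))
    print("real password   :", login(users, "admin", "constructed-admin-secret"))
```

With records like these, the database credentials found in config.old and signup.php would still be a serious finding, but reading the users table would yield salted hashes rather than something that can be typed into the login form.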
