#5 Preignition - Starting Point - Hack The Box || Complete detailed Walkthrough

Table of Contents

• Introduction
• Enumeration
• Installing Gobuster  
• Using Gobuster
• Foothold
• Task Solutions

Introduction

In most environments, web servers play a big part in the infrastructure, and in the daily processes of many departments. Web servers can sometimes be used strictly internally by employees, but most of the time can be found to be public-facing, which means anyone from the Internet can access them to retrieve information, and files from their hosted web pages.

For the most part, the web pages hosted on the web servers are managed through their administrative panels, locked behind a log-in page.

Learn more about WordPress:  

Let us think of an example: You have decided to start your own blog and use WordPress to achieve this. If you are not familiar with WordPress, then you can read more about it from my blog, link is in my description box.

 

WordPress is essentially a popular web application that allows you to easily manage the content you want to post for the rest of the world to read. Once installed, your WordPress website will have a public-facing side and a private-facing one, the latter being your administrative panel hosted on the wp-admin page. This page is locked behind a log-in screen.

Once you, as an administrator of the WordPress site, log into its' admin panel, you will have access to a myriad of controls, ranging from content uploading mechanisms to theme selection, custom script editing for specific pages, and more. The more you learn about WordPress, the more you will see how this is a vital part of a successful pentest, as some of these mechanisms could be outdated and come with critical flaws that would allow an attacker to gain a foothold and subsequently pivot through the network with ease.



Thus, we conclude that Web enumeration, specifically directory busting, is one of the most essential skills any Penetration Tester must possess. While manually navigating websites and clicking all the available links may reveal some data, most of the links and pages may not be published to the public and, hence, are less secure. Suppose we did not know the wp-admin page is the administrative section of the WordPress site we exemplified above. How else would we have found it out if not for web enumeration and directory busting?

Enumeration

Firstly click on spawn Machine to find out our target IP address.

Immediately after, we can follow up with a preliminary scan of the target. Using Nmap and the appropriate service version detection switch, we scan the IP address for any open ports and services. 

• -sV: switch to Probe open ports to determine service/version info.

┌──(mrdev㉿mrdev)-[~]

└─$ sudo nmap -sV 10.129.56.242

Starting Nmap 7.92 ( https://nmap.org ) at 2021-12-24 10:59 IST

Nmap scan report for 10.129.56.242

Host is up (0.53s latency).

Not shown: 999 closed tcp ports (reset)

PORT   STATE SERVICE VERSION

80/tcp open  http    nginx 1.14.2

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 17.41 seconds

┌──(mrdev㉿mrdev)-[~]

└─$

From the scan result, a single entry is shown and catches our attention. It is an http service running on port 80, signaling that this target might be hosting some explorable web content.

Let me take a look at the contents, we can open a web browser of our choice, and navigate to the target's IP address in the URL bar at the top of the window. This will automatically address the target's port 80 for the client-server communication and load the web page's contents.

At the top of the page, we observe the mention of the Nginx service. After researching basic information about Ngnix, and its purpose, we conclude that our target is a web server. Web servers are hosts on the target network that have the sole purpose of serving web content to internal or external users, such as web pages, images, videos, audio files, and other types. Typically, a web server is accessible from the Internet to allow for the stored content to be explored by the online public for many reasons: shopping, providing and requesting services, banking, reading the news, and more.

What we are looking at on our browser screen is the default post-installation page for the Ngnix service, meaning that there is the possibility that this web application might not be adequately configured yet, or that default credentials are used to facilitate faster configuration up to the point of live deployment. This, however, also means that there are no buttons or links on the web page to assist us with navigation between web directories or other content. 

When browsing a regular web page, we use these elements to move around on the website. However, these elements are only links to other directories containing other web pages, which get loaded in our browser as if we manually navigated to them using the URL search bar at the top of the browser screen. Knowing this, could we attempt to find any "hidden" content hosted on this webserver? The short answer is yes, but to avoid guessing URLs manually through the browser's search bar, we can find a better solution. This method is called dir busting, short for directory busting. For this purpose, we will be using the tool called go-buster, which is written in Go. If you do not have a buster installed on your machine yet, you can follow my instructions to install it successfully otherwise skip what you have already.

Installing Gobuster  

First, you need to make sure you have Go installed on your Linux distribution, which is the programming language used to write the gobuster tool. Once all the dependencies are satisfied for Go, you can proceed to download and install gobuster. 

In order to install "Go" language, you need to input the following command in your terminal window:

┌──(mrdev㉿mrdev)-[~] 

└─$  sudo apt install golang-go

Once that installation is complete, you can proceed with installing the go-buster. If you have a Go environment ready to go, it is as easy as typing in the following command in your terminal:

┌──(mrdev㉿mrdev)-[~] 

└─$  sudo apt install gobuster

Using Gobuster

In order to start our dir busting, we will need to discover what capabilities gobuster has, and which ones can assist us. By looking at the tool's help page, by typing in the gobuster -h command in our terminal, we receive a list of all possible switches for the tool and their description.

Usage:

  gobuster [command]

Available Commands:

  dir         Uses directory/file enumeration mode

  dns         Uses DNS subdomain enumeration mode

  fuzz        Uses fuzzing mode

  help        Help about any command

  s3          Uses aws bucket enumeration mode

  version     shows the current version

  vhost       Uses VHOST enumeration mode

Flags:

      --delay duration    Time each thread waits between requests (e.g. 1500ms)   

  -h, --help              help for gobuster

      --no-error          Don't display errors

  -z, --no-progress       Don't display progress

  -o, --output string     Output file to write results to (defaults to stdout)

  -p, --pattern string    File containing replacement patterns

  -q, --quiet             Don't print the banner and other noise

  -t, --threads int       Number of concurrent threads (default 10)

  -v, --verbose           Verbose output (errors)

  -w, --wordlist string   Path to the wordlist

Use "gobuster [command] --help" for more information about a command.

In our case, we will only need to use the following:

• dir: specify we are using the directory busting mode of the tool 
• -w: specify a wordlist, a collection of common directory names that are typically used for sites 
• -u: specify the target's IP address

If you have no wordlist on your system Click here.

┌──(mrdev㉿mrdev)-[~]

└─$ sudo gobuster dir -w /usr/share/wordlists/dirb/common.txt -u 10.129.56.242

[sudo] password for mrdev:

===============================================================

Gobuster v3.1.0

by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)

===============================================================

[+] Url:                     http://10.129.56.242

[+] Method:                  GET

[+] Threads:                 10

[+] Wordlist:                /usr/share/wordlists/dirb/common.txt

[+] Negative Status codes:   404

[+] User Agent:              gobuster/3.1.0

[+] Timeout:                 10s

===============================================================

2021/12/24 11:55:42 Starting gobuster in directory enumeration mode

===============================================================

/admin.php            (Status: 200) [Size: 999]

===============================================================

2021/12/24 11:57:51 Finished

===============================================================

Now you can see “admin.php” existed and was returned to us in the output, signaling that the webpage exists and we can navigate to it manually to check out its contents.

Foothold

Navigating to the newly found link manually through our web browser can be done by inputting the following address in our URL search bar. Once we proceed with this, we are met with an administrative panel for the website. It asks us for a username and password to get past the security check, which could prove problematic in normal circumstances.

Usually, in situations such as this one, we would need to fire up some brute-forcing tools to attempt logging in with multiple credentials sets for an extended period of time until we hit a valid log-in since we do not have any underlying context about usernames and passwords that might have been registered on this web site as valid administrative accounts. But first, we can try our luck with some default credentials since this is a fresh Nginx installation. We are betting that it might have been left unconfigured at the time of our assessment. Let us try logging in with the following credentials:

admin:admin

We seem to be successful! The log-in worked, and we were presented with our flag. 

Task Solutions

TASK 1: What is considered to be one of the most essential skills to possess as a Penetration Tester?

Ans. dir busting

TASK 2: What switch do we use for Nmap's scan to specify that we want to perform version detection?

Ans. -sV

TASK 3: What service type is identified as running on port 80/tcp in our nmap scan?

Ans. http

TASK 4: What service name and version of service is running on port 80/tcp in our nmap scan?

Ans. nginx 1.14.2

TASK 5: What is a popular directory-busting tool we can use to explore hidden web directories and resources?

Ans. gobuster

TASK 6: What switch do we use to specify to gobuster we want to perform dir busting specifically?

Ans. dir

TASK 7: What page is found during our dir busting activities?

Ans. admin.php

TASK 8: What is the status code reported by gobuster upon finding a successful page?

Ans. 200