Test Lab is an online penetration testing lab consisting of 12 systems (servers and network devices) that are deliberately misconfigured. Hacking each node yields a token, which you submit on the website to verify that you have compromised that server. Let's dive in.
Let us understand the network diagram.
According to the diagram, two gateways (192.168.101.6 and 192.168.101.7) are reachable through the VPN, and each gateway gives access to only three systems. In this first part we are going to hack the first node (192.168.101.6) in order to reach the site (172.16.0.1). Later parts of this series will root the other nodes until all 12 are done.
Let us connect to the VPN. Once you register on https://lab.pentestit.ru/, they provide VPN credentials, or you can download their vulnerable VM through the link. I have VPN credentials, so I am connecting that way. The VPN configuration file is also provided by them. The screenshot below shows the public key used to connect to the VPN.
Use the command below to connect to the VPN; it asks for the ID and password that the website gave you on registration.
Command: openvpn --config lab.pentestit.ru.conf
To check that the connection has been established, run ifconfig (or ip addr). You should see a new interface, tap0 or tun0, alongside your usual interfaces such as eth0, wlan0 and lo.
Cross-check connectivity by pinging the targets 192.168.101.6 and 192.168.101.7 and confirming an ICMP echo reply. Both are reachable in my case, as shown below.
Since I do not know what services are installed and running on this node, let us quickly run an Nmap scan. Below is the command.
Command: nmap -sS -p- -sV -v 192.168.101.6 -oX nmap_101_6 -T4
From the Nmap result we can see that a web application is being served by nginx 1.8.0. Let us quickly open it in a browser.
Crawling through the application, I landed on a page asking for a username and password. I tried a couple of authentication-bypass SQL injection payloads such as '+OR+'1'='1 and admin'+OR+'1'='1. Nothing worked. I ran nikto and found nothing.
Then I ran dirb. Unfortunately it gave me the error shown in the screenshot below.
Command: dirb http://192.168.101.6/
It seemed that whatever input dirb sent, the server returned the same response every time. I decided to request some hand-crafted directory and file names through the browser, as shown below.
It returns the same response regardless of the input. From past secure code review work I knew that some developers check the User-Agent string to stop attackers from running automated tools. I wondered what would happen if I changed the User-Agent from the tool's default to something else.
dirb has a handy -a switch for passing a custom User-Agent.
Command: dirb https://192.168.101.6/ -a chintangurar
Bingo! It worked! That suggests the server has a hardcoded list of User-Agent strings for the common vulnerability scanners that might crawl the application. The scan now runs and returns valid results.
I went through the results and requested every path dirb reported. None of them were interesting except .git/HEAD. I opened it in the browser and was able to download the file.
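From the server side, the sequence just described is visible in the web server's access log: a burst of refused requests carrying a tool's default signature, then the same client back with a different User-Agent, then reads under /.git/. The following is an added Python example, not part of the original write-up, that parses nginx's default "combined" log format and raises findings over a constructed sample log. The client addresses, timestamps, the placeholder scanner User-Agent and the alert thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict

# nginx "combined" access_log format, which is the default.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample log (not a real capture). One client first scans with a
# tool's default signature and is refused, then returns with a custom
# User-Agent and successfully reads files under /.git/. Object path shortened.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2016:10:00:01 +0000] "GET /admin/ HTTP/1.1" 403 162 "-" "scanner-default-ua-placeholder"
192.0.2.10 - - [01/Jan/2016:10:00:01 +0000] "GET /backup/ HTTP/1.1" 403 162 "-" "scanner-default-ua-placeholder"
192.0.2.10 - - [01/Jan/2016:10:02:15 +0000] "GET /cgi-bin/ HTTP/1.1" 404 162 "-" "chintangurar"
192.0.2.10 - - [01/Jan/2016:10:02:16 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "chintangurar"
192.0.2.10 - - [01/Jan/2016:10:02:17 +0000] "GET /.git/config HTTP/1.1" 200 137 "-" "chintangurar"
192.0.2.10 - - [01/Jan/2016:10:02:17 +0000] "GET /.git/objects/ab/cdef HTTP/1.1" 200 412 "-" "chintangurar"
198.51.100.7 - - [01/Jan/2016:10:05:00 +0000] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""


def summarise(log_text):
    """Per-client counters: total requests, 4xx/5xx responses, requests under
    /.git/ (and how many of those succeeded), and the set of User-Agents seen."""
    clients = defaultdict(lambda: {"requests": 0, "errors": 0, "git": 0,
                                   "git_ok": 0, "user_agents": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or differently formatted line: skip, do not crash
        c = clients[m["ip"]]
        c["requests"] += 1
        c["user_agents"].add(m["ua"])
        status = int(m["status"])
        if status >= 400:
            c["errors"] += 1
        if m["path"] == "/.git" or m["path"].startswith("/.git/"):
            c["git"] += 1
            if status == 200:
                c["git_ok"] += 1
    return dict(clients)


def alerts(clients):
    """Turn the counters into findings. The thresholds are assumptions for the example."""
    findings = []
    for ip, c in clients.items():
        if c["git_ok"]:
            findings.append((ip, "repository-exposed",
                             f"{c['git_ok']} successful requests under /.git/"))
        elif c["git"]:
            findings.append((ip, "repository-probed",
                             f"{c['git']} refused requests under /.git/"))
        # Several error responses spread over more than one User-Agent from the
        # same address is the signature of a scanner that changed its header.
        if c["errors"] >= 2 and len(c["user_agents"]) > 1:
            findings.append((ip, "scanner-ua-switch",
                             f"{c['errors']} error responses across "
                             f"{len(c['user_agents'])} User-Agents"))
    return findings


if __name__ == "__main__":
    for ip, kind, detail in alerts(summarise(SAMPLE_LOG)):
        print(f"{ip}  {kind}: {detail}")
```

Running it on the sample reports 192.0.2.10 twice (the repository being read and the User-Agent switch) and nothing for 198.51.100.7. A successful request for /.git/HEAD on a production host is worth an alert on its own, before any token has been lost.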
Git is a revision control tool that helps keep track of changes in files and folders and is used extensively in the web development community. This blog isn't going to be a tutorial on Git, so a basic understanding of how Git and revision control tools work will be helpful. I do want to point out, for people who are not familiar with Git, that every time Git is initialized in a directory, a local repository is created. Repositories contain all the commit information for every file. In this blog, I will walk through ways in which a person can obtain information from a web server that has a publicly available .git directory. For people who know how to use Git, this may seem like a no-brainer. None of the information here is new or groundbreaking. Everything I will be showing is basic Git functionality. The reason I am writing this is to educate people on why having Git on your web server can be dangerous if the server is configured incorrectly.
Many articles claim that it is possible to dump Git data from misconfigured web servers. So I tried to mirror the data from our target through wget, but it returned 403 Forbidden. Then I thought it might be the User-Agent problem again, so I passed a custom User-Agent to wget, which also resulted in 403 Forbidden.
Command: wget --mirror --include-directories=/.git http://192.168.101.6/.git
Command: wget --user-agent="chintan" --mirror --include-directories=/.git http://192.168.101.6/.git
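The 403 on the mirror attempt and the earlier dirb behaviour are both symptoms of the same weak control: the server filters on a header the client chooses. What actually closes the hole is refusing dot-directories by path, and better still not deploying the repository into the web root at all. Below is an added nginx configuration sketch, not the lab's real configuration, showing the header-based filter beside the path-based rule; the two server blocks are alternatives, only one would be deployed, and server_name and root are placeholders.

```nginx
# WEAK control: block by User-Agent. The header is chosen by the client, so this
# only stops tools running with their default signature (dirb's -a switch
# defeats it) and it also tells a scanner that something is being filtered.
server {
    listen 80;
    server_name lab.example;        # placeholder
    root /var/www/html;             # placeholder

    if ($http_user_agent ~* "dirb|nikto|sqlmap") {
        return 403;
    }

    location / {
        try_files $uri $uri/ =404;
    }
}

# CORRECTED control: refuse every dot-directory by path, whatever the headers
# say. The repository should not be inside the web root in the first place
# (deploy from `git archive`, or exclude .git in the deploy step); this rule is
# defence in depth for the case where it is.
server {
    listen 80;
    server_name lab.example;        # placeholder
    root /var/www/html;             # placeholder

    # Matches /.git, /.git/HEAD, /.svn/..., /.env and so on, but leaves
    # /.well-known/ (ACME challenges, security.txt) reachable.
    location ~ /\.(?!well-known/) {
        return 404;                 # 404, not 403, so the path is not confirmed to exist
    }

    location / {
        try_files $uri $uri/ =404;
    }
}
```

After `nginx -t` and a reload, `curl -sI http://lab.example/.git/HEAD` should return 404 regardless of the User-Agent sent, and the same check belongs in a deployment smoke test so the exposure cannot quietly come back with the next release.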
Searching Google, I found a tool named dvcs-ripper. It rips web-accessible (distributed) version control systems: SVN, Git, Mercurial/hg and bzr, and it can rip repositories even when directory browsing is turned off. Make sure to position yourself in an empty directory where you want the repositories to be downloaded/cloned.
Let's quickly clone it as mentioned below.
Command: git clone https://github.com/kost/dvcs-ripper.git
As you can see, it downloaded successfully; the Perl script we are interested in is rip-git.pl. I leave it to you to learn how to use the tool.
Hint: Tool Help
Command: perl rip-git.pl -u http://192.168.101.6/.git
The task is done. Checking the folder, there are newly added files and folders in it, which are highlighted.
Since I now have a few PHP files and possibly other sensitive files in the directory, I have to perform a whitebox code review to find the juicy information in them.
Rather than visiting each file and folder, I simply use the command below.
Command: cat $(find . -type f -name "*") | grep -i "password"
The find command lists all files under the current directory, including those in sub-folders (-type f keeps directories out of the list, since cat cannot read a directory). Giving * inside the quotes means every file name is matched.
The cat command prints the content of a file. Here we pass it every file that find listed, so it prints the contents of all the files together on the same terminal.
grep then shows only those lines in which our keyword (password) matches, case-insensitively thanks to -i. cat may dump hundreds of thousands or millions of lines on your terminal; out of those, we only want the lines containing the text 'password'.
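The find/cat/grep one-liner works, but on a larger tree it also chokes on binaries and gives no file or line reference for each match. As an added example (not from the original post), the Python below performs the same credential hunt recursively over a constructed sample tree, skips the .git directory and binary files, and marks whether the matching line also carries a quoted literal, which is what separates a hard-coded password from a form label mentioning the word. The keyword list and the sample file contents are assumptions made for the example.

```python
import os
import re
import tempfile
from collections import namedtuple
from pathlib import Path

# Credential keywords to look for. The page greps only for "password"; the
# wider list is an assumption about what a reviewer usually also wants.
KEYWORD = re.compile(r"password|passwd|secret|api[_-]?key|token", re.IGNORECASE)

# A quoted string of four or more characters, e.g. the value side of an assignment.
QUOTED = re.compile(r"""['"]([^'"]{4,})['"]""")

# Directories not worth scanning: .git holds compressed objects, not source.
SKIP_DIRS = {".git", ".svn", ".hg", "node_modules"}

Hit = namedtuple("Hit", "path lineno has_literal text")


def looks_binary(data):
    """Cheap binary check: a NUL byte within the first 1 KiB."""
    return b"\x00" in data[:1024]


def has_secret_literal(line):
    """True if the line contains a quoted literal that is not itself a keyword
    (so type="password" in an HTML form does not count, but = 'hunter2' does)."""
    for m in QUOTED.finditer(line):
        if not KEYWORD.search(m.group(1)):
            return True
    return False


def scan_tree(root):
    """Walk root and return sorted Hits for every text line mentioning a keyword."""
    root = Path(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]  # prune in place
        for name in filenames:
            path = Path(dirpath, name)
            try:
                raw = path.read_bytes()
            except OSError:
                continue
            if looks_binary(raw):
                continue
            rel = path.relative_to(root).as_posix()
            for lineno, line in enumerate(raw.decode("utf-8", "ignore").splitlines(), 1):
                if KEYWORD.search(line):
                    hits.append(Hit(rel, lineno, has_secret_literal(line), line.strip()))
    return sorted(hits)


def make_sample_tree():
    """Create a constructed PHP tree in a temp dir (sample data, not the lab's files)."""
    root = Path(tempfile.mkdtemp(prefix="gitdump-"))
    files = {
        "config.php": "<?php\n$db_user = 'app';\n$db_password = 'CONSTRUCTED_EXAMPLE';\n",
        "includes/auth.inc": "define('ADMIN_PASSWORD', 'placeholder-value');\n",
        "login.php": '<form><label>Password</label><input type="password" name="pw"></form>\n',
        "index.php": "<?php echo 'hello';\n",
        ".git/HEAD": "ref: refs/heads/master\n",   # skipped by SKIP_DIRS
    }
    for rel, text in files.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(text, encoding="utf-8")
    return str(root)


if __name__ == "__main__":
    for hit in scan_tree(make_sample_tree()):
        flag = "LITERAL" if hit.has_literal else "mention"
        print(f"{hit.path}:{hit.lineno} [{flag}] {hit.text}")
```

On the sample tree the two assignments are reported as literals and the login form only as a mention. The same scan run over a repository before it is deployed, or as a pre-commit hook, is how the credentials found in this write-up would have been caught on the developer's side.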
The result shows that we have the admin's credentials and another user's credentials. Let's note them down and try to log in to the application.
I was successfully able to log in to the application and got my flag, the token.