In Part 1 of this article we covered some examples of Service vulnerabilities, Server backdoors, and Web Application vulnerabilities. Here in Part 2 we are going to continue looking at vulnerabilities in other Web Applications within the intentionally vulnerable Metasploitable Virtual Machine (VM).
Our Pentesting Lab will consist of Kali Linux as the attacker and Metasploitable 2 as the target. Both operating systems will be running as VMs within VirtualBox. Please check out the Pentesting Lab section within our Part 1 article for further details on the setup.
Damn Vulnerable Web App
DVWA is PHP-based using a MySQL database and is accessible using admin/password as login credentials. Below is the homepage served from the web server on Metasploitable and accessed via Firefox on Kali Linux:
DVWA features
Features of DVWA v1.0.7 accessible from the menu include:
- Instructions – covers Licensing, Installation, Database Setup & Troubleshooting.
- Setup – enables the Setup or Reset of the MySQL database.
- Vulnerabilities:
- Brute Force
- Command Execution
- CSRF (Cross-Site Request Forgery)
- File Inclusion
- SQL Injection
- SQL Injection (Blind)
- Upload
- XSS reflected*
- XSS stored*
- DVWA Security:
- Security Level (low, medium or high)
- PHPIDS (PHP-Intrusion Detection System enable/disable)
- PHP Info – Information about the PHP settings.
- About – Links to further information about DVWA and credits.
* Cross-Site Scripting
A ‘More Info’ section is included on each of the vulnerability pages which contains links to additional resources about the vulnerability. Sources referenced include OWASP (Open Web Application Security Project) amongst others. For hints & tips on exploiting the vulnerabilities there are also ‘View Source’ and ‘View Help’ buttons.
Command Execution vulnerability
The purpose of a Command Injection attack is to execute commands of the attacker’s choosing on the target system. From the attacker’s point of view the appeal is that these commands run with the same privileges as the web application itself (on Metasploitable that is the web server user, www-data), with no further authentication required.
On Linux multiple commands can be chained on one line using ‘;’ as a delimiter, so anything appended after the expected input is executed as well:
These results are obtained using the following string in the form field:
127.0.0.1; ls -la; uname -r > uname.txt; ls -lta; cat uname.txt
The above string breaks down into these commands being executed:
- Perform a ping of IP address 127.0.0.1 three times (the DVWA page prepends ‘ping -c 3’ to whatever is submitted).
- Long list the files with attributes in the local folder.
- Redirect the results of the ‘uname -r’ command into the file ‘uname.txt’.
- Relist the files & folders in time-descending order, showing the newly created file.
- Display the contents of the newly created file.
The above demonstrates that an attacker who controls this one form field can read, write and execute on the remote server as the web server user; only the privileges of that account limit the damage.
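To make the mechanism concrete, the following is an added example (not DVWA’s source and not part of the original article) that reconstructs the pattern behind the page above: a command string built by pasting user input after ‘ping -c 3’ and handed to a shell, next to a hardened builder that validates the input as an IP address and passes an argument list without a shell. The payload string and the function names are this example’s own; the `has_shell_metachars` check is a simple detection heuristic, not a complete filter.

```python
"""
Added example: why the ';' payload on this page works against DVWA's
Command Execution page, and what a fixed version of the same code looks like.
The vulnerable builder mirrors the DVWA low-security pattern
(string concatenation executed through the shell); it is a reconstruction
for illustration, not DVWA's own code.
"""
import ipaddress
import shlex
import subprocess

# The injection string used on this page (constructed input for the example).
PAYLOAD = "127.0.0.1; ls -la; uname -r > uname.txt; ls -lta; cat uname.txt"

# Characters /bin/sh gives special meaning to. Not exhaustive: this is a
# detection aid, not a substitute for the whitelist validation below.
SHELL_METACHARS = set(";|&`$(){}<>\n")


def vulnerable_command(user_input: str) -> str:
    """Build the command the DVWA-style page runs: input is concatenated,
    unquoted, into a string that is then executed by a shell."""
    return "ping -c 3 " + user_input


def shell_commands(command_line: str) -> list[str]:
    """Show what the shell actually executes: split on ';' as /bin/sh would,
    so the attacker's appended commands become visible one by one."""
    return [part.strip() for part in command_line.split(";") if part.strip()]


def has_shell_metachars(user_input: str) -> bool:
    """Detection check: does the submitted value contain shell metacharacters?
    Useful for logging/alerting on a form that should only ever get an IP."""
    return any(ch in SHELL_METACHARS for ch in user_input)


def safe_command(user_input: str) -> list[str]:
    """Hardened builder: accept only a syntactically valid IP address and
    return an argv list. Passed to subprocess without shell=True, the
    address is a single argument and ';' can never separate commands."""
    try:
        ip = ipaddress.ip_address(user_input.strip())
    except ValueError as exc:
        raise ValueError(f"not an IP address: {user_input!r}") from exc
    return ["ping", "-c", "3", str(ip)]


def run_safe(user_input: str) -> subprocess.CompletedProcess:
    """Execute the hardened command (requires the ping binary to be present)."""
    return subprocess.run(safe_command(user_input), capture_output=True,
                          text=True, check=False)


if __name__ == "__main__":
    print("Vulnerable page: the shell runs these in order:")
    for cmd in shell_commands(vulnerable_command(PAYLOAD)):
        print("   ", cmd)
    print("metacharacters present:", has_shell_metachars(PAYLOAD))
    try:
        safe_command(PAYLOAD)
    except ValueError as err:
        print("hardened builder rejected it:", err)
    print("hardened argv for a real address:",
          shlex.join(safe_command("127.0.0.1")))
```

Note the difference in strictness: the shell-level `ping` would happily accept a shorthand like ‘127.0.01’ (the C library expands it to 127.0.0.1), whereas `ipaddress.ip_address` insists on four octets and rejects it. When hardening a field like this one, reject anything that does not parse rather than trying to strip individual characters.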
Metasploit Framework vs TWiki
In this demonstration we are going to use the Metasploit Framework (MSF) on Kali Linux against the TWiki web app on Metasploitable.
TWiki is a flexible, powerful, secure, yet simple web-based collaboration platform. Use TWiki to run a project development space, a document management system, a knowledge base or any other groupware tool, either on an intranet or on the Internet. You can edit any TWiki page.
twiki.org
Initializing Metasploit
First let’s start MSF so that it can initialize:
By searching the Rapid7 Vulnerability & Exploit Database we managed to locate the following TWiki vulnerability:
- Name: TWiki History TWikiUsers rev Parameter Command Execution
- Disclosed: Sep 14, 2005
- Created: May 30, 2018
- Description: This module exploits a vulnerability in the history component of TWiki. By passing a ‘rev’ parameter containing shell metacharacters to the TWikiUsers script, an attacker can execute arbitrary OS commands.
Alternatively the command ‘search <search string>’ (for example ‘search twiki’) can be used at the MSF Console prompt to find the same module.
Attempting to exploit TWiki
Under the Module Options section of the above exploit there were the following commands to run:
msf > use exploit/unix/webapp/twiki_history
msf exploit(twiki_history) > show targets
...targets...
msf exploit(twiki_history) > set TARGET < target-id >
msf exploit(twiki_history) > show options
...show and set options...
msf exploit(twiki_history) > exploit
Note: The ‘show targets’ & ‘set TARGET’ steps are not necessary as 0 is the default.
Our first attempt failed to create a session:
The following commands to update Metasploit to v6.0.22-dev were tried to see if they would resolve the issue:
sudo apt update
sudo apt install metasploit-framework
Fixing Metasploit (?)
Unfortunately the same problem occurred after the version upgrade. One thought was that the database needed to be re-initialised, although note that Metasploit only uses its PostgreSQL database for storing hosts, loot and workspaces; a module will still run without it, so a database problem would not on its own explain a failed session. A reinstall of Metasploit was next attempted:
sudo apt remove metasploit-framework
sudo apt install metasploit-framework
Retesting the TWiki Exploit
Following the reinstall the exploit was run again with the same settings:
This seemed to be a partial success … a Command Shell session was created and could be interacted with via the ‘sessions 1’ command. An error was also printed, though this did not prevent commands from being run on the server, including the ‘ls -la’ above and more:
Whilst we can consider this a success, repeating the exploit a few times resulted in the original error returned. In the online forums some people think this issue is due to a problem with Metasploit 6 whilst Metasploit 5 does not have this issue. More investigation would be needed to resolve it.
Have you used Metasploitable to practice Penetration Testing? Do you have any feedback on the above examples or a resolution to our TWiki History problem? If so please share your comments below.