Friday 2 March 2012

WebApp Haxploitation with Weevely, Introducing InterSect.

Ok. This is a fairly pointless demo I made to demonstrate how a web-application bug (in this case LFI + Command Injection) can be leveraged to gain complete root access over a server. I simply took a bunch of screencaps during the demo I made to show a friend "Why web app bugs are dangerous".

So. Here goes!

The web app we used here was THIS: Mutillidae - IronGeek

Part One: The Buggy Page.
This shows the buggy application's vulnerable page. It is a simple "Do a DNS lookup" page that, just by looking at it, we can tell certainly has a Local File Inclusion vulnerability, and more than likely a Command Injection vulnerability as well.
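For the defender's side of the same picture, here is an added example (not code from Mutillidae or from this post) of a "do a DNS lookup" handler written so that neither of those two bugs is present: the page name goes through an allowlist instead of a file path, and the hostname is validated and passed as a single argv element with no shell. The parameter names `page` and `host` and the use of `nslookup` are assumptions.

```python
"""Hardened DNS-lookup handler (added example, not the original app's code).

Two user-controlled inputs are handled: `page` (the value that the buggy app
included from disk) and `host` (the value it pasted into a shell command).
"""
import re
import subprocess

# A single DNS label per RFC 1123: letters, digits and hyphens, 1-63 chars,
# no leading/trailing hyphen. This alone excludes ; | & ` $ ( ) / .. and spaces.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)

# Pages the app may include. Anything not in this map is rejected outright,
# so a path like ../../etc/passwd never reaches the filesystem.
ALLOWED_PAGES = {"home": "home.php", "dns-lookup": "dns-lookup.php"}


def is_valid_hostname(host: str) -> bool:
    """True only for a syntactically valid DNS name (max 253 chars)."""
    if not host or len(host) > 253:
        return False
    labels = host.rstrip(".").split(".")   # allow one trailing dot (FQDN)
    return all(_LABEL.match(label) for label in labels)


def resolve_page(page: str) -> str:
    """Map a page name to a file through the allowlist (fixes the LFI)."""
    try:
        return ALLOWED_PAGES[page]
    except KeyError:
        raise ValueError(f"unknown page: {page!r}") from None


def lookup_argv(host: str) -> list[str]:
    """Build argv for the lookup. The hostname is one argument and no shell
    is involved, so metacharacters cannot start a second command. Because a
    valid label starts with a letter or digit, the value can never begin
    with '-' and be parsed as an nslookup option either."""
    if not is_valid_hostname(host):
        raise ValueError(f"invalid hostname: {host!r}")
    return ["nslookup", host]


def run_lookup(host: str, timeout: float = 5.0) -> str:
    """Run the validated lookup without a shell and with a timeout."""
    result = subprocess.run(lookup_argv(host), capture_output=True,
                            text=True, timeout=timeout, check=False)
    return result.stdout
```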

Part Two: Let's Look for LFI
So. I knew there was LFI, and decided I would let fimap check for me, to see whether I could pull off any LFI-to-RCE stuff.

So. Now we know Fimap no canhaz RCE on the site, however there IS LFI. I want RCE, so I move swiftly along to the second vulnerability - Command injection.

Part Three: Command Injection
I decided to inject a Weevely Webshell into the app, so I put it up on my webserver and used wget to "inject" it.
Here is a screencap...

Ok. Shell seems injected, so we move on and try to connect to it using the Weevely client.

Part Four: There are Weevils In Your WWWROOT
Connecting to Weevely's PHP backdoor with the client. This is too easy...

So, let's see what it looks like in there...

SO! Got remote code execution and a "shell"-like session. Let's see whether Weevely's reverse shell works for us and try to become uid=0 :D

Part Five: Netcat Says Meow
First off, we start Weevely's reverse shell plugin and tell it to phone home to us... We will be listening for it...

Ok. Now for the listener end of things...

w00t! We haz a shell :D
... Moving Swiftly along...

We decide to check the kernel version and randomly see what commands work. I decided to run lsusb for some arbitrary reason. Don't ask.

Ok. So we move on to escalating/exploring!

Part Six: Enter InterSect.
So I decide to test out InterSect, a wonderful post-exploitation tool developed by ohdae of BindShell Labs.

Here is a screencap of wgetting Intersect to the target box...

Aaaaand now to RUN Intersect ......

Ok. Intersect does not want to run as non-root, so it tells me to go get root on the box... Seeing as I like root... let's go get some!

Part Seven: We Are uid=0, + Harvest Some Infodox
So. I simply run a hypothetical root exploit I had left in /tmp and getr00t! (It was actually a SUID shell I dropped earlier, as my kernel doesn't like local roots and panics!)

So. Got root. What next? Let's see whether InterSect wants to run this time...

It Works! Sadly my battery promptly /quit a moment later but I think you get the idea of what you can do!

LINKS:
BindShell Labs
Intersect 2 - GitHub
Weevely - GoogleCode
Fimap - GoogleCode
And Finally
Insecurety Research