Ethical Hacking Project Document

Project file on ethical hacking

Uploaded by ankitpatel2666

BADSTORE: 1.2.3 PENTESTING

We’ll be exploring the BadStore VulnHub machine. This machine is dedicated to helping you understand how hackers prey on web application vulnerabilities, and to showing you how to reduce your exposure. The Badstore.net demonstration software is designed to show you common hacking techniques.

Let’s Dive in!!!


Once we have downloaded the ISO file of Badstore: 1.2.3 from VulnHub: since it is a vulnerable web application, it is recommended to run it on a host-only network, in order to have an isolated testing environment.
We’ll be using Kali Linux as our attacker machine to find vulnerabilities in the badstore.net website.

Pinging badstore.net (optional)


If you are having trouble opening the website, follow along; others can skip to the next part.
We simply have to get the IP address of the badstore machine and add the domain name to the “/etc/hosts” file.

To get the IP address of badstore, we can simply execute the “ifconfig” command. In my case it is 192.168.75.131. Let’s add it to /etc/hosts using a text editor:


┌──(kali kali)-[~]
└─$ nano /etc/hosts
---/etc/hosts---
GNU nano 7.2
/etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
192.168.75.131 www.badstore.net

Now we will be able to access the badstore website.

1- Information Gathering
We perform the following Nmap SYN scan with default script scanning and version detection:


┌──(kali kali)-[~]
└─$ sudo nmap -sSVC -Pn 192.168.75.131
[sudo] password for kali:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-02-21 09:51 EST

Nmap scan report for www.badstore.net (192.168.75.131)
Host is up (0.0042s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 1.3.28 ((Unix) mod_ssl/2.8.15 OpenSSL/0.9.7c)
| http-robots.txt: 5 disallowed entries
|_/cgi-bin /scanbot /backup /supplier /upload
|_http-server-header: Apache/1.3.28 (Unix) mod_ssl/2.8.15 OpenSSL/0.9.7c
|_http-title: Welcome to BadStore.net v1.2.3s
| http-methods:
|_ Potentially risky methods: TRACE
443/tcp open ssl/http Apache httpd 1.3.28 ((Unix) mod_ssl/2.8.15 OpenSSL/0.9.7c)
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_128_EXPORT40_WITH_MD5
| SSL2_RC4_64_WITH_MD5
| SSL2_DES_192_EDE3_CBC_WITH_MD5
| SSL2_RC2_128_CBC_WITH_MD5
| SSL2_IDEA_128_CBC_WITH_MD5
| SSL2_DES_64_CBC_WITH_MD5
| SSL2_RC4_128_WITH_MD5
|_ SSL2_RC2_128_CBC_EXPORT40_WITH_MD5
| ssl-cert: Subject: commonName=www.badstore.net/organizationName=BadStore.net/stateOrProvinceName=Illinois/countryName=US
| Subject Alternative Name: email:[email protected]
| Not valid before: 2006-05-10T12:52:53
|_Not valid after: 2009-02-02T12:52:53
|_http-server-header: Apache/1.3.28 (Unix) mod_ssl/2.8.15 OpenSSL/0.9.7c
|_ssl-date: 2024-02-20T12:53:57+00:00; -1d01h58m15s from scanner time.
|_http-title: Welcome to BadStore.net v1.2.3s

| http-robots.txt: 5 disallowed entries
|_/cgi-bin /scanbot /backup /supplier /upload
| http-methods:
|_ Potentially risky methods: TRACE
3306/tcp open mysql MySQL 4.1.7-standard
| mysql-info:
| Protocol: 10
| Version: 4.1.7-standard
| Thread ID: 20
| Capabilities flags: 33324
| Some Capabilities: Speaks41ProtocolNew, Support41Auth, SupportsCompression, LongColumnFlag, ConnectWithDatabase
| Status: Autocommit
|_ Salt: Mv-w4;k,8rV8Sx'RK]tQ
MAC Address: 00:0C:29:19:4A:9A (VMware)

Host script results:
|_clock-skew: -1d01h58m15s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 45.58 seconds
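
A defender-side check on the scan above, added here as an example that is not part of the original write-up: it walks a constructed excerpt of that output port by port and returns the findings worth a ticket (the risky TRACE method, SSLv2 with an export cipher, an expired certificate, a MySQL service reachable over the network). The scan date comes from the page; the finding wording is my own.

```python
import re
from datetime import datetime, timezone

# Constructed excerpt of the scan output shown on this page (abridged to the lines parsed below)
NMAP_OUTPUT = """\
80/tcp open http Apache httpd 1.3.28 ((Unix) mod_ssl/2.8.15 OpenSSL/0.9.7c)
| http-methods:
|_ Potentially risky methods: TRACE
443/tcp open ssl/http Apache httpd 1.3.28 ((Unix) mod_ssl/2.8.15 OpenSSL/0.9.7c)
| sslv2:
| SSLv2 supported
| ciphers:
| SSL2_RC4_128_EXPORT40_WITH_MD5
| Not valid before: 2006-05-10T12:52:53
|_Not valid after: 2009-02-02T12:52:53
3306/tcp open mysql MySQL 4.1.7-standard
"""

# Date the scan on this page was run; certificates are judged against it
SCAN_DATE = datetime(2024, 2, 21, tzinfo=timezone.utc)

PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)\s+(.*)$")

def nmap_findings(output, scan_date=SCAN_DATE):
    """Return (port, finding) pairs a defender should act on, in output order."""
    findings, port = [], None
    for line in output.splitlines():
        m = PORT_RE.match(line)
        if m:
            port = int(m.group(1))
            if m.group(2) == "mysql":
                findings.append((port, "database exposed on the network interface"))
            continue
        body = line.lstrip("|_ ").strip()  # drop the NSE tree prefix
        if body.startswith("Potentially risky methods:"):
            findings.append((port, "risky HTTP method " + body.split(":", 1)[1].strip()))
        elif body == "SSLv2 supported":
            findings.append((port, "obsolete SSLv2 enabled"))
        elif body.startswith("SSL2_") and "EXPORT" in body:
            findings.append((port, "export-grade cipher " + body))
        elif body.startswith("Not valid after:"):
            expiry = datetime.fromisoformat(body.split(":", 1)[1].strip()).replace(tzinfo=timezone.utc)
            if expiry < scan_date:
                findings.append((port, f"certificate expired on {expiry.date()}"))
    return findings

if __name__ == "__main__":
    for port, finding in nmap_findings(NMAP_OUTPUT):
        print(f"{port}/tcp: {finding}")
```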

We found the following:

Robots.txt disallowed entries: /cgi-bin, /scanbot, /backup, /supplier, /upload

Subject Alternative Name: email: [email protected]

We also found user accounts in the “/supplier” sub-directory:

1001:am9ldXNlci9wYXNzd29yZC9wbGF0bnVtLzE5Mi4xNjguMTAwLjU2DQo=
1002:a3JvZW1lci9zM0NyM3QvZ29sZC8xMC4xMDAuMTAwLjE=
1003:amFuZXVzZXIvd2FpdGluZzRGcmlkYXkvMTcyLjIyLjEyLjE5
1004:a2Jvb2tvdXQvc2VuZG1lYXBvLzEwLjEwMC4xMDAuMjA=

-----base64 decoded using cyberchef.org-----


joeuser/password/platnum/192.168.100.56
kroemer/s3Cr3t/gold/10.100.100.1
janeuser/waiting4Friday/172.22.12.19
kbookout/sendmeapo/10.100.100.20

This would come under the MITRE ATT&CK technique of Unsecured Credentials (T1552), which is a sub-technique of Credential Access (TA0006).

We also found the MySQL service open. Let’s try to access the database using the root user.

We are able to access the database without a password!!!

We found the “badstoredb” database; let's look for tables in this database.

From this exposed database we are able to obtain:

Social security numbers are exposed!!!

user:passwd pairs for the website.
The Master System Administrator user looks interesting; the passwd looks like an MD5 hash. Look it up with any MD5 decoder on Google.

5EBE2294ECD0E0F08EAB7690D2A6EE69 -> secret
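
Why that lookup works, and how the password should have been stored, as an added example that is not part of the original project: an unsalted MD5 is a fixed function of the password, so a tiny constructed wordlist recovers it just as the online decoder did; the hardened form uses a random per-user salt and PBKDF2-HMAC-SHA256 from the standard library (the iteration count and storage format are my own choices).

```python
import hashlib
import hmac
import os

# Hash of the Master System Administrator password as stored in badstoredb (value from the page)
ADMIN_MD5 = "5EBE2294ECD0E0F08EAB7690D2A6EE69"

# Constructed mini wordlist; online lookup sites simply hold billions of such precomputed entries
WORDLIST = ["password", "admin", "letmein", "secret"]

PBKDF2_ITERATIONS = 600_000  # OWASP-recommended order of magnitude for PBKDF2-HMAC-SHA256

def md5_hex(password):
    return hashlib.md5(password.encode()).hexdigest()

def lookup_unsalted_md5(target_hex, wordlist=WORDLIST):
    """Unsalted MD5 has no per-user input, so a table lookup reverses it."""
    target = target_hex.lower()
    for candidate in wordlist:
        if md5_hex(candidate) == target:
            return candidate
    return None

def hash_password(password, salt=None):
    """Hardened storage: random per-user salt plus a deliberately slow KDF."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

if __name__ == "__main__":
    print("recovered:", lookup_unsalted_md5(ADMIN_MD5))  # secret
    stored = hash_password("secret")
    print(stored)
    print(verify_password("secret", stored), verify_password("Secret", stored))  # True False
```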

Let’s explore the website; we might be able to use these usernames somewhere.
We have a Sign Our Guestbook page; let’s try XSS here:

And here we get a successful XSS.

The XSS (Cross-Site Scripting) injection we discovered on the guestbook page of the vulnerable online store falls under the MITRE ATT&CK technique T1055: Process Injection.
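
The guestbook bug and its fix side by side, as an added example that is not BadStore's own code: a rendering function that drops the submitted name and comment straight into the page, next to one that encodes both for the HTML text context, with a check that no submitted markup survives in the hardened output. The entry is constructed; the page shows no payload.

```python
import html

# Constructed guestbook submission of the kind the page tests; the page shows no payload
ENTRY = {"name": "tester", "comment": "<script>alert(1)</script>"}

def render_entry_vulnerable(entry):
    """BadStore-style rendering: untrusted fields dropped straight into the HTML."""
    return f"<p><b>{entry['name']}</b>: {entry['comment']}</p>"

def render_entry_escaped(entry):
    """Hardened rendering: every untrusted value is encoded for the HTML text context."""
    name = html.escape(entry["name"], quote=True)
    comment = html.escape(entry["comment"], quote=True)
    return f"<p><b>{name}</b>: {comment}</p>"

def input_markup_survives(entry, rendered):
    """True if a submitted field containing '<' appears verbatim in the rendered output."""
    return any("<" in value and value in rendered for value in entry.values())

if __name__ == "__main__":
    print(render_entry_vulnerable(ENTRY))  # script tag lands in the page as-is
    print(render_entry_escaped(ENTRY))     # browser shows the text, executes nothing
```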

Found a login page.

We might be able to use the Master System Administrator account with email:admin & password:secret.

Now that we have logged in as an administrator account, we should map out the website to see which pages we can access as a privileged account holder. We notice that whichever webpage we access, the website uses the “?action=” query string to load other subpages of the badstore website. So, let's enumerate this variable itself:

dirb http://www.badstore.net/cgi-bin/badstore.cgi?action=

Hmm! We have an admin page. Let's see what it is!

With this Secret Administration Menu we can perform multiple things, including viewing sales reports, adding and deleting users, listing users, etc.

You can also play around with the supplier account, since we have the credentials for the suppliers.
All in all, this machine is good for practicing your web application security fundamentals.
