Gary Jones

Remote Code Execution Exploitation on Brian’s Web Application



Situation:

This exercise aimed to uncover and exploit remote code execution (RCE) vulnerabilities in Brian Oppenheimer’s first PHP web project, hosted at http://www.artstailor.com/brian. The investigation involved analyzing the web application for misconfigurations and weaknesses, gaining administrative access, and extracting sensitive data.


Obstacles:

  1. Password Cracking:
    • Extracting the hashed password from the exposed .htpasswd file and cracking the hash offline.
  2. Shell Exploitation:
    • Modifying the Laudanum PHP shell so that it would run on the target and accept connections from the testing host.
  3. File Upload Restrictions:
    • Circumventing the upload form's .png-only filename check to deploy a PHP shell.

Actions Taken:

  1. Initial Reconnaissance:
    • Used nikto to identify the /brian/private/ directory as potentially interesting.
    • Inspected the page's HTML source and found that appending raw=true& to the URL query string made the page list the directory contents.
  2. Extracting .htpasswd:
    • Modified the URL to request the .htpasswd file directly.
    • Identified the hash format as MD5 via a Google search.
    • Saved the hash to a text file and cracked it with john (John the Ripper), recovering the credentials brian:swordfish.
  3. Gaining Administrative Access:
    • Logged into the administrative page using the extracted credentials.
    • Uploaded a modified Laudanum PHP shell (shell.php), ensuring compatibility by:
      • Adding the IP address 172.24.0.10 to the allowed list.
      • Commenting out deprecated lines (119–120).
      • Setting a custom password for the shell.
  4. File Upload Exploit:
    • Renamed the shell file to shell.png and uploaded it.
    • Used Burp Suite to intercept the HTTP request, modifying the filename from .png to .php before forwarding.
  5. System Access:
    • Accessed the shell at http://www.artstailor.com/brian/imgfiles/shell.php.
    • Navigated through directories to locate and exfiltrate the following files:
      • IntermediateCA.txt
      • RootCA.txt
      • Server.txt
      • ThisIsTheFileYouAreLookingFor
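What the john step in item 2 is doing, as an added example that is not code from the original write-up or the target: a dictionary attack against an htpasswd MD5 hash. It assumes the .htpasswd entry used Apache's MD5 format (the "$apr1$" scheme that htpasswd -m produces, which is what the write-up calls MD5); if the file held raw MD5 digests instead, the same loop works with hashlib.md5 directly. The salt, the .htpasswd line and the wordlist are constructed here, not recovered from the target. The apr1 routine is written from the md5crypt description; compare its output with real htpasswd output before relying on it.

```python
"""Dictionary attack on an Apache htpasswd MD5 ($apr1$) hash.

Added example; not code from the original write-up or the target. The
.htpasswd line below is constructed here with apr1_hash() and a fixed salt,
not taken from the target. The routine follows the md5crypt scheme Apache
uses for "htpasswd -m"; compare its output with htpasswd before relying on it.
"""
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$apr1$"


def _to64(value: int, count: int) -> str:
    """Custom base64 used by crypt(3)-style hashes: low 6 bits first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def apr1_hash(password: str, salt: str) -> str:
    """Compute "$apr1$<salt>$<22 chars>" for a password and an up-to-8-char salt."""
    pw = password.encode()
    s = salt[:8].encode()
    ctx = hashlib.md5(pw + MAGIC + s)
    alt = hashlib.md5(pw + s + pw).digest()
    remaining = len(pw)
    while remaining > 0:                      # mix in len(pw) bytes of alt
        ctx.update(alt[: min(16, remaining)])
        remaining -= 16
    i = len(pw)
    while i:                                  # the odd/even bit walk over len(pw)
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for r in range(1000):                     # fixed 1000 rounds: the only work factor
        c = hashlib.md5()
        c.update(pw if r & 1 else final)
        if r % 3:
            c.update(s)
        if r % 7:
            c.update(pw)
        c.update(final if r & 1 else pw)
        final = c.digest()
    triples = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    enc = "".join(
        _to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in triples
    )
    enc += _to64(final[11], 2)
    return f"{MAGIC.decode()}{s.decode()}${enc}"


def parse_htpasswd_line(line: str):
    """Split a "user:hash" line as found in .htpasswd."""
    user, hashed = line.strip().split(":", 1)
    return user, hashed


def crack_apr1(hashed: str, wordlist):
    """Return the first word in wordlist whose apr1 hash matches, else None."""
    if not hashed.startswith("$apr1$"):
        raise ValueError("not an $apr1$ hash")
    _, _, salt, _ = hashed.split("$", 3)      # ['', 'apr1', salt, digest]
    for candidate in wordlist:
        if apr1_hash(candidate, salt) == hashed:
            return candidate
    return None


# Constructed sample: the salt, the line and the wordlist are made up here,
# not recovered from the target.
SAMPLE_SALT = "Xy7qP2nL"
SAMPLE_LINE = "brian:" + apr1_hash("swordfish", SAMPLE_SALT)
SAMPLE_WORDLIST = ["password", "letmein", "123456", "swordfish", "hunter2"]


def crack_sample() -> tuple:
    """Crack the constructed line with the constructed wordlist."""
    user, hashed = parse_htpasswd_line(SAMPLE_LINE)
    return user, crack_apr1(hashed, SAMPLE_WORDLIST)


if __name__ == "__main__":
    print(SAMPLE_LINE)
    print(crack_sample())
```

The salt stops a precomputed table from being reused across users, but the scheme's only cost is 1,000 MD5 rounds, so each guess takes microseconds; john does the same loop far faster and with far larger wordlists, which is why a dictionary word such as swordfish falls immediately.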

Results:

  1. Access Achieved:
    • Gained access to the administrative page and deployed a PHP shell, giving command execution on the application server in the context of the web server process.
  2. Sensitive Data Extracted:
    • Certificate files and the target file were retrieved from the /brian/private/ and /certs/ directories.
  3. Critical Vulnerabilities Identified:
    • An exposed .htpasswd file, weak (MD5) password hashing, and an upload filter that trusted the client-supplied filename together enabled exploitation.

Tool Purpose Overview:

nikto:

  • Scanned the web application for vulnerabilities, identifying misconfigured directories.

john:

  • Cracked the MD5 hash taken from .htpasswd to recover the administrator password.

Laudanum:

  • Provided a PHP shell for executing commands on the remote server.

Burp Suite:

  • Modified HTTP requests to bypass upload restrictions.

Recommendations:

  1. Enforce HTTPS:
    • Serve the application over HTTPS so that credentials (including those checked against .htpasswd) and session data are not sent in the clear.
  2. Secure File Permissions:
    • Keep .htpasswd outside the web root or deny it in the web server configuration, and remove the raw=true& behaviour that lists directory contents.
  3. Strengthen Password Storage:
    • Store passwords with a slow, salted hash (e.g., bcrypt or Argon2); the MD5-based htpasswd format falls to a dictionary attack in seconds.
  4. Validate File Uploads:
    • Validate uploaded files by content rather than by the client-supplied filename or Content-Type, give stored files server-generated names, and keep the upload directory outside the web root or with script execution disabled.
  5. Routine Vulnerability Scans:
    • Schedule regular scans to identify and remediate weaknesses in web applications.
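The upload bypass in item 4 of Actions Taken and recommendation 4 above, as an added example that is not code from the original write-up or the target application. It places the filename-only check that the Burp rename defeats beside a content-based check that does not care what the file is called. The PNG header, the stand-in shell body and the upload directory /srv/uploads are constructed here for illustration, and the directory is assumed to sit outside the web root.

```python
"""Upload validation: the filename-only check the bypass defeats, beside a
content-based check that defeats the bypass.

Added example; not code from the original write-up or the target application.
The PNG header, the stand-in shell body and the upload directory are constructed
here for illustration.
"""
import os
import secrets
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
ALLOWED = {"png", "jpg", "gif"}


def weak_check(filename: str) -> bool:
    """The kind of filter the write-up bypassed: only the client-supplied name is
    inspected, so once Burp changes "shell.png" to "shell.php" after the check
    has run, the stored file is a PHP script."""
    return os.path.splitext(filename)[1].lower() == ".png"


def png_header_is_valid(data: bytes) -> bool:
    """Signature plus a correct IHDR chunk (length, type, CRC). A PHP file with a
    PNG signature pasted on the front fails here."""
    if not data.startswith(PNG_SIG) or len(data) < 33:
        return False
    length, ctype = struct.unpack(">I4s", data[8:16])
    if length != 13 or ctype != b"IHDR":
        return False
    (crc,) = struct.unpack(">I", data[29:33])
    return zlib.crc32(data[12:29]) & 0xFFFFFFFF == crc


def detect_image_type(data: bytes):
    """Type from content only; filename and Content-Type are ignored."""
    if png_header_is_valid(data):
        return "png"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "gif"
    return None


def safe_upload(filename: str, data: bytes, upload_dir: str = "/srv/uploads") -> str:
    """Return the path the file would be written to. The name is generated
    server-side with the extension taken from the detected type, and upload_dir
    is assumed to be outside the web root, so nothing stored here is executed."""
    kind = detect_image_type(data)
    if kind not in ALLOWED:
        raise ValueError(f"rejected {filename!r}: content is not an allowed image")
    return f"{upload_dir.rstrip('/')}/{secrets.token_hex(16)}.{kind}"


def make_png_header(width: int = 1, height: int = 1) -> bytes:
    """Constructed minimal PNG prefix: signature + IHDR, enough for the checks above."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    crc = zlib.crc32(b"IHDR" + ihdr) & 0xFFFFFFFF
    return PNG_SIG + struct.pack(">I", 13) + b"IHDR" + ihdr + struct.pack(">I", crc)


# Constructed inputs: a stand-in for the uploaded shell, and the same bytes with a
# PNG signature glued on (the rename trick plus a magic-byte forgery).
SHELL_STANDIN = b"<?php /* web shell body would go here */ ?>"
FORGED_PNG = PNG_SIG + SHELL_STANDIN
REAL_PNG = make_png_header()


def upload_outcomes() -> dict:
    """Run both filters over the scenario; used by the demo below."""
    results = {
        "weak_check_passes_shell_png": weak_check("shell.png"),
        "content_rejects_shell": detect_image_type(SHELL_STANDIN) is None,
        "content_rejects_forged": detect_image_type(FORGED_PNG) is None,
        "content_accepts_real": detect_image_type(REAL_PNG) == "png",
    }
    try:
        safe_upload("shell.php", SHELL_STANDIN)
        results["safe_upload_stored_shell"] = True
    except ValueError:
        results["safe_upload_stored_shell"] = False
    return results


if __name__ == "__main__":
    for key, value in upload_outcomes().items():
        print(f"{key}: {value}")
    print(safe_upload("anything.php", REAL_PNG))
```

The content check alone is not the whole defence: a real image with PHP appended would pass it, which is why safe_upload also discards the client's name and relies on the upload directory never being served with script execution. Each layer closes a different hole; the write-up's bypass needed only the first one to be missing.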
