
Task Description


The challenge is to analyze, ethically exploit, and mitigate vulnerabilities in PHP scripts running on a Linux virtual machine.




The sequence of steps is the following:





  1. Download the virtual machine image.

  2. Run the virtual machine on VirtualBox, and logon as root.

  3. Configure the networking between your physical machine and the virtual machine. The virtual machine is your target, while your physical machine will be used to ethically launch your exploit.

  4. Find PHP scripts on the virtual machine, and figure out the URLs to call them over the network.

  5. Analyze the code of any of those PHP scripts, and discover a vulnerability. It is your decision on what PHP script to analyze specifically. The vulnerable scripts reside in "/var/ctf/music-copyright/html/cgi-bin/".

  6. Hack the website through the browser. DO NOT use shell access for your hack, since a hacker is not assumed to have shell access. In other words, you will have to achieve your hack by POST and GET requests on the HTTP server.

  7. The final deliverable is a working exploit that successfully prints the contents of /etc/passwd. IMPORTANT: do not call /etc/passwd directly from Python; the exploit has to access the /etc/passwd file through the HTTP server.

  8. Once successful, write an exploit of the vulnerability that you found. Write the exploit in Python3. For simulating POST and GET requests via Python use the requests module (https://pypi.org/project/requests/) or, for POST requests using requests, see https://www.w3schools.com/python/ref_requests_post.asp. If you are familiar with urllib2, you can use that instead.

  9. Your exploitation script should be named php_exploit.py, be written in Python3, and be placed in the root of your repository. The script should print the results of the exploitation. When pushing the version to your repository, have it access the HTTP address on 127.0.0.1 (http://127.0.0.1/...).

  10. The exploit should be accompanied by a text description of a possible mitigation that you deem could protect the virtual machine from your exploit. The file for the description should be named exploit.txt.





Virtual Machine


The virtual machine is available for download from the following link:



vuln_ictf2014_64_1.ova










Boot the machine, and then enter the username "root", and password "csci461".


The "ctf" user's password is "0TVwezHD6c".




You can use VirtualBox to run the virtual machine. VirtualBox is free to use. Get it from here:


https://www.virtualbox.org/wiki/Downloads







Network Configuration


Here are the steps to start the virtual machine, and configure the virtual network between your virtual machine, i.e., the target machine, and the physical machine, i.e., the attack machine:





  1. Run VirtualBox

  2. Click on File, and then Import Appliance

  3. Browse to the directory that contains the virtual machine files

  4. Select the file “vuln_ictf_2014_64.ova” to import

  5. Click Open and then Continue

  6. Click Import

  7. Give VirtualBox 2 minutes to complete the import

  8. Click "File", then "Host-Network Manager". Create a new network adapter and make a note of the IP and subnet (usually 192.168.56.0/24 on Linux)

  9. Enable it (there is a checkbox to the right)

  10. Select your virtual machine entry on the left panel, and then click on Network

  11. Click on Adapter 1, and select “Host-only Adapter”, and pair it with the new adapter (usually called “vboxnet0” or a similar variant)

  12. Click on System, and decrease the amount of main memory to 2048 MB

  13. Now click “OK”

  14. Click on “Start”

  15. Give the virtual machine a few minutes to boot the operating system

  16. Enter username and password

  17. Type ifconfig; eth0 is the host-only adapter, and the machine should have acquired an IP within the new subnet that you've created (probably 192.168.56.2).

  18. Make sure you can ping this from your host machine. Also, if you can ping it, then you can also ssh to it.




Extra steps (in case the network interfaces do not come up, you shouldn't typically need this):


Replace the IP numbers based on the subnet that you have created.




Enter the following commands on the virtual machine:


ifconfig eth0 inet up 192.168.56.2 netmask 255.255.255.0


route add default gw 192.168.56.1 eth0





  1. On the physical machine, configure the IP address of the network interface “vboxnet0” to be 192.168.56.1

  2. On Linux and Mac, open up a terminal and enter the following command:


sudo ifconfig vboxnet0 inet up 192.168.56.1 netmask 255.255.255.0




Conclusion: The virtual machine has the IP address 192.168.56.2, while the physical machine has the IP address 192.168.56.1.




You should at this point be able to reach the services of the virtual machine from your physical machine over the virtual network that you just configured.





Locating Target Scripts


This is meant to add context on finding web files through the shell.


There are a lot of PHP scripts on the virtual machine for you to ethically attack. Search for them with the following Linux command: find / -name "*.php"




Here are instructions on how to reach a target script on the virtual machine over the network from the attack machine. So, here I am on the virtual machine, running the command find / -name "*.php". I get in return a listing of PHP scripts like the one below:




root@ctf-vuln-64:/etc/apache2/sites-enabled# find / -name *.php
/usr/ctf/acquire/html/cgi-bin/links.php
/usr/ctf/acquire/html/cgi-bin/paid_service.php
/usr/ctf/acquire/html/cgi-bin/contact.php
/usr/ctf/acquire/html/cgi-bin/secured/delete.php
/usr/ctf/acquire/html/cgi-bin/howto.php
/usr/ctf/acquire/html/cgi-bin/search.php
/usr/ctf/acquire/html/cgi-bin/set.php
/usr/ctf/acquire/html/cgi-bin/index.php
/usr/ctf/acquire/html/cgi-bin/howto_bak.php
/usr/ctf/acquire/html/cgi-bin/register.php
/usr/ctf/acquire/html/cgi-bin/get.php
/usr/ctf/acquire/html/cgi-bin/links_bak.php
/usr/ctf/mulemanager/html/main.php
/usr/ctf/mulemanager/html/images/logo_large.php
/usr/ctf/mulemanager/html/login.php
/usr/ctf/mulemanager/html/contact.php
/usr/ctf/mulemanager/html/index.php
/usr/ctf/mulemanager/html/register.php
/usr/ctf/mulemanager/html/library.php
/var/ctf/music-copyright/html/cgi-bin/account.php
/var/ctf/music-copyright/html/cgi-bin/myvars.php
/var/ctf/music-copyright/html/cgi-bin/upload.php
/var/ctf/music-copyright/html/cgi-bin/login.php
/var/ctf/music-copyright/html/cgi-bin/star.php
/var/ctf/music-copyright/html/cgi-bin/myfuncs.php




Let's say that I want to attack the PHP script /var/ctf/music-copyright/html/cgi-bin/login.php, but I don't know how to invoke it over the network. Ok, so now I look at the listing of all services that are listening on a server socket on the virtual machine. I do so by running the command "netstat -lnp".







I know that PHP scripts are commonly deployed as part of web applications. Furthermore, I can tell from the netstat output that the Apache webserver is listening for connections. However, entries like those below indicate that the Apache webserver is accepting TCP connections over IPv6. Would that mean that I won't be able to interact with the Apache webserver, given that I am communicating with the virtual machine over an IPv4 network?




tcp6       0     0 :::8183                 :::*                    LISTEN      1436/apache2
tcp6       0     0 :::8184                 :::*                    LISTEN      1436/apache2
tcp6       0     0 :::8185                 :::*                    LISTEN      1436/apache2
tcp6       0     0 :::8123                 :::*                    LISTEN      1436/apache2
tcp6       0     0 :::7899                 :::*                    LISTEN      1436/apache2
tcp6       0     0 :::8001                 :::*                    LISTEN      1436/apache2
tcp6       0     0 :::6789                 :::*                    LISTEN      1436/apache2
tcp6       0     0 :::8015                 :::*                    LISTEN      1436/apache2
tcp6       0     0 :::8112                 :::*                    LISTEN      1436/apache2
tcp6       0     0 :::80                   :::*                    LISTEN      1436/apache2
tcp6       0     0 :::8017                 :::*                    LISTEN      1436/apache2
tcp6       0     0 :::8018                 :::*                    LISTEN      1436/apache2




If the system administrator did not specify an address for the Apache webserver to listen on, it will listen on all address families using a single socket. Furthermore, sometimes port forwarding is enabled so as to forward IPv4 traffic for a specific port to an IPv6 host, and that host could be the destination machine itself. I now run a browser, and try to reach a port, say 80. Hm, it works.




Good, now I know that all ports indicated by netstat as being reachable over IPv6 are reachable over IPv4. So, which port should I connect to so as to reach the script "/var/ctf/music-copyright/html/cgi-bin/login.php"? Well, from netstat I have a list of possible ports:




8183, 8184, 8185, 8123, 7899, 8001, 6789, 8015, 8112, 80, 8017, and 8018




Since I see multiple appearances of apache2 in the netstat output, it could be the case that there are virtual host configurations on the Apache server, you know, to run different sites on different ports.




Now I look at the main Apache configuration file. I find it by running the command "find / -name apache2.conf".




I view the apache2.conf configuration file, and I see that it includes virtual host configurations. See file vhost.




I now go to the directory of those virtual host configurations. See folder sites-enabled.




This is now getting interesting. The file "music-copyright.conf" gets my attention, since I am after /var/ctf/music-copyright/html/cgi-bin/login.php.




So, I now view the file music-copyright.conf.


I see that the port is 8015, and the directory that contains the files for that site is /var/ctf/music-copyright/html. Wait a minute, this is the site that runs my target script, namely /var/ctf/music-copyright/html/cgi-bin/login.php




I now run a browser, and try to reach the port 8015. I now can call my target script login.php.




There are two avenues for exploiting this: account.php and upload.php (this requires a registration-login step, but it is easier after you figure that part out). The whole premise of this hack lies on the fact that you should never allow users to create a file on your system that is callable and then allow them to call that file. You have access to read how these files work and look at their directories. You should do that as a first step to visualize how a potential hack will work. As a sidenote, a hacker won't have access to this; they will just use the browser and imagine how the scripts work in the background. You can practice your exploit through your browser, but once you are confident and have figured out the write and read process that allows you to print /etc/passwd (which doesn't contain any passwords anyway), then you can compile the exploit into Python (i.e., ditch the browser and program all the steps so that you can automate the exploit). If you were a black hat (you shouldn't be), you would then sell your packaged exploit on the dark web.


Windows 10


1. Make sure that the host's network adapter is set to private, not public
2. In the inbound rules section of the Windows firewall make sure that "Core Networking Diagnostics -ICMP Echo Request (ICMPv4-In)" is enabled.
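
The premise above (a user-created file that is web-callable) beside the mitigation the exploit.txt deliverable asks for, as an added illustration that is not the VM's own upload.php (whose code is not reproduced on this page); the directory paths and the allowed media types are assumptions:

```php
<?php
// Constructed anti-pattern (not the VM's code): the client-chosen file name,
// extension included, is written straight into the document root, so a
// file named x.php becomes reachable at /uploads/x.php and is executed.
function upload_unsafe(array $file, string $webroot): string {
    $dest = $webroot . '/uploads/' . $file['name'];
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// Hardened handler: sniff the content type from the bytes (not the client
// header), allow-list it, assign a random name with a fixed non-executable
// extension, and store the file outside the web root so no URL maps to it.
function upload_safe(array $file, string $store): string {
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('invalid upload');
    }
    $allowed = ['audio/mpeg' => 'mp3', 'audio/ogg' => 'ogg', 'image/png' => 'png'];
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        throw new RuntimeException('unsupported type');
    }
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime]; // client name ignored
    if (!move_uploaded_file($file['tmp_name'], $store . '/' . $name)) {
        throw new RuntimeException('store failed');
    }
    return $name; // the application records this id; nothing is served by path
}

// Download handler: serve by generated id only, as an attachment, never as
// a script and never via a user-supplied path.
function serve_safe(string $id, string $store): void {
    if (!preg_match('/^[0-9a-f]{32}\.(mp3|ogg|png)$/', $id)) {
        http_response_code(400);
        return;
    }
    $path = $store . '/' . $id;
    if (!is_file($path)) {
        http_response_code(404);
        return;
    }
    header('Content-Type: application/octet-stream');
    header('Content-Disposition: attachment; filename="' . $id . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

// Assumed layout: web root /var/ctf/music-copyright/html, uploads stored in
// the sibling directory /var/ctf/music-copyright/uploads (not under html/).
```

As defence in depth, any upload directory that must remain web-reachable can additionally have script execution disabled in the Apache vhost (with mod_php, php_admin_flag engine off inside a Directory block).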

Answered 2 days after May 14, 2022


Jahir Abbas answered on May 16 2022
90 Votes
Countermeasures

  - Place web server in a secure zone (behind firewall, IDS, IPS, DMZ)
  - Detect potential changes (hashing, script to detect change)
  - Auditing ports
  - Disable insecure and unnecessary ports
  - Using port 443 (HTTPS) over port 80 (HTTP)
  - Encrypted traffic
  - Server certificate
  - Code Access...