In today's exercise I am going to attack a vulnerable web application to try and discover any hidden directories and files. Who knows, we may even find a password file!
OK, so the lab is as follows:
An Azure lab with a Windows 10 VM. Using Hyper-V I have two nested VMs, a Kali Linux install and Metasploitable 2. Both the Kali and Metasploitable machines are on the same network.
The vulnerable web app is at 192.168.0.2/mutillidae
If I browse each of the pages I can see a pattern in the URL:
192.168.0.2/mutillidae/index.php?page=
As I browse each page on the site the only thing that changes in the URL is the individual page name, such as:
192.168.0.2/mutillidae/index.php?page=home.php
or
192.168.0.2/mutillidae/index.php?page=dir.php
So let's attack this URL pattern and see what we can uncover.
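Before attacking it, it is worth seeing why this URL pattern is dangerous. The snippet below is an added example written for this post (it is not Mutillidae's code): it mirrors the vulnerable pattern, where whatever arrives in ?page= is joined onto the directory of page fragments, and puts a hardened resolver beside it that requires an allowlisted page name and checks that the resolved path still lives under the base directory. The base directory and the allowlist are assumptions chosen for the demo.

```python
import os

# Constructed example: where the page fragments live on disk (assumed path, not from the lab).
BASE_DIR = "/srv/app/pages"
# Constructed allowlist of the page names the application is supposed to serve.
ALLOWED_PAGES = {"home.php", "dir.php", "login.php"}


def resolve_page_unsafe(page):
    """Mirror of the vulnerable pattern: the raw ?page= value is joined onto BASE_DIR.

    os.path.join discards BASE_DIR entirely when `page` is absolute, and normpath
    happily walks '..' segments out of the directory, so both
    '../../../../etc/passwd' and '/etc/passwd' end up pointing at the real file.
    """
    return os.path.normpath(os.path.join(BASE_DIR, page))


def is_allowlisted(page):
    """First defence: only names the application knows about are accepted."""
    return page in ALLOWED_PAGES


def is_contained(page, base=BASE_DIR):
    """Second defence: the resolved path (symlinks and '..' collapsed) must stay under base."""
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, page))
    inside = os.path.commonpath([base_real, candidate]) == base_real
    # Reject the base directory itself (e.g. page='' or '.') as well as anything outside it.
    return inside and candidate != base_real


def resolve_page_safe(page):
    """Return the file to include, or None when the request must be rejected."""
    if not is_allowlisted(page):
        return None
    if not is_contained(page):
        return None
    return os.path.join(os.path.realpath(BASE_DIR), page)


if __name__ == "__main__":
    # Constructed requests: two legitimate pages and the two traversal shapes seen on this site.
    for req in ["home.php", "dir.php", "../../../../etc/passwd", "/etc/passwd"]:
        print(f"{req!r:28} unsafe -> {resolve_page_unsafe(req)}")
        print(f"{'':28} safe   -> {resolve_page_safe(req)}")
```

The allowlist alone would be enough for a site with a fixed set of pages; the containment check is the belt-and-braces layer for applications that must accept file names they do not enumerate in advance, and it has to run on the resolved path, not on the raw string, so that encoding tricks and symlinks are judged by where they actually land.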
First I will need to create a custom word list using cewl. Let's open Kali's terminal and execute the following command:
cewl -w broken.txt -o 192.168.0.2
This will spider the web app and create a custom word list we can use. The results will be written to a new file called broken.txt and saved in the root directory.
It only takes a few seconds to create a custom word list containing 6118 words.
Now let's attack the web app and use that word list to try and discover hidden directories and files!
dirb http://192.168.0.2/mutillidae/index.php?page=/ broken.txt -f
It takes 10 minutes or so to return the following results:
We found 10 hidden directories. A couple are interesting, mainly the hidden directory named 'usr'. I assume this may be a user directory containing some interesting information.
Let's attack that specific directory and see what we can find:
dirb http://192.168.0.2/mutillidae/index.php?page=/usr/
OK, so after that scan I have discovered a bunch of new directories. But I could be here all day doing a manual search of every directory, and it's a Sunday! I need to rest :) Alright, so let's switch to using ZAP, which is a GUI application already installed on Kali.
I scanned the URL with ZAP:
And in the Alerts tab I can see some results under Traversal Attack (which is essentially what we are doing here):
Now we are cooking. I can see in the bin directory some information that looks like possibly a password file. It's named passwd. So in the browser I navigate to:
192.168.0.2/mutillidae/index.php?page=passwd.php and we gain access to some information that displays a popup with a '1' as the password!
OK, let's switch back to dirb to triple-check I have not missed anything. Jumping back to the terminal, let's enumerate that etc directory:
dirb http://192.168.0.2/mutillidae/index.php?page=/etc/ broken.txt -f
Dirb confirms the directory listing of etc/passwd
So there we go: we had a vulnerable web app with a hidden folder that contained a password, a nice easy password = 1.
This demonstration shows the importance of protecting websites and apps against traversal attacks like this.
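From the defender's side, everything done above is visible in the web server's access log: the dirb run produces a burst of 404s from one client, and the traversal requests carry '..' segments, absolute paths or sensitive file names in the page parameter. The scanner below is an added example for this post (not part of the original write-up or of any tool it mentions): it parses Apache combined-format lines, decodes the page parameter (repeatedly, so double URL-encoding does not hide it), flags traversal indicators, and counts 404s per client IP. The log lines are constructed sample data, the threshold of five 404s is an assumption, and the list of sensitive names is a deliberately short stand-in for a real one.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache combined-format lines: two normal visits from .5, then a client at .9
# fetching /etc/passwd through the page parameter (once plain, once URL-encoded) and
# guessing page names dirb-style, plus one harmless 404 from the normal client.
SAMPLE_LOG = """\
192.168.0.5 - - [10/Mar/2024:14:01:02 +0000] "GET /mutillidae/index.php?page=home.php HTTP/1.1" 200 5120
192.168.0.5 - - [10/Mar/2024:14:01:05 +0000] "GET /mutillidae/index.php?page=dir.php HTTP/1.1" 200 3090
192.168.0.9 - - [10/Mar/2024:14:02:10 +0000] "GET /mutillidae/index.php?page=../../../../etc/passwd HTTP/1.1" 200 2201
192.168.0.9 - - [10/Mar/2024:14:02:11 +0000] "GET /mutillidae/index.php?page=%2Fetc%2Fpasswd HTTP/1.1" 200 2201
192.168.0.9 - - [10/Mar/2024:14:02:12 +0000] "GET /mutillidae/index.php?page=admin1.php HTTP/1.1" 404 310
192.168.0.9 - - [10/Mar/2024:14:02:12 +0000] "GET /mutillidae/index.php?page=admin2.php HTTP/1.1" 404 310
192.168.0.9 - - [10/Mar/2024:14:02:13 +0000] "GET /mutillidae/index.php?page=backup.php HTTP/1.1" 404 310
192.168.0.9 - - [10/Mar/2024:14:02:13 +0000] "GET /mutillidae/index.php?page=config.php HTTP/1.1" 404 310
192.168.0.9 - - [10/Mar/2024:14:02:14 +0000] "GET /mutillidae/index.php?page=old.php HTTP/1.1" 404 310
192.168.0.9 - - [10/Mar/2024:14:02:14 +0000] "GET /mutillidae/index.php?page=test.php HTTP/1.1" 404 310
192.168.0.5 - - [10/Mar/2024:14:03:00 +0000] "GET /mutillidae/index.php?page=nosuch.php HTTP/1.1" 404 310
"""

# Apache combined format: ip ident user [timestamp] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Constructed, deliberately short list of file names worth alerting on.
SENSITIVE_NAMES = ("passwd", "shadow")


def fully_decode(value, rounds=3):
    """URL-decode until the value stops changing, so %252e%252e is caught as well as %2e%2e."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def page_param(target):
    """Return the decoded ?page= value of a request target, or None if absent."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get("page")
    return fully_decode(values[0]) if values else None


def traversal_reasons(page):
    """List the traversal indicators present in a decoded page value (empty list = clean)."""
    reasons = []
    if page is None:
        return reasons
    if ".." in page:
        reasons.append("dot-dot segment")
    if page.startswith("/") or page.startswith("\\"):
        reasons.append("absolute path")
    if any(name in page.lower() for name in SENSITIVE_NAMES):
        reasons.append("sensitive file name")
    return reasons


def scan_log(text, notfound_threshold=5):
    """Walk the log once: collect traversal hits and count 404s per client IP."""
    traversal = []
    notfound = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, target, status = m["ip"], m["target"], int(m["status"])
        reasons = traversal_reasons(page_param(target))
        if reasons:
            traversal.append({"ip": ip, "page": page_param(target), "reasons": reasons})
        if status == 404:
            notfound[ip] += 1
    suspects = sorted(ip for ip, n in notfound.items() if n >= notfound_threshold)
    return {"traversal": traversal, "bruteforce_suspects": suspects, "notfound_by_ip": dict(notfound)}


if __name__ == "__main__":
    findings = scan_log(SAMPLE_LOG)
    for hit in findings["traversal"]:
        print(f"traversal  {hit['ip']:14} page={hit['page']!r}  ({', '.join(hit['reasons'])})")
    for ip in findings["bruteforce_suspects"]:
        print(f"bruteforce {ip:14} {findings['notfound_by_ip'][ip]} x 404 (directory guessing)")
```

Note that the two traversal requests above returned 200, not 404, so a 404-only alert would miss the requests that actually mattered; the page-parameter check is what catches them, and it is cheap enough to run on every request rather than only after a 404 spike.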