Linux Red Team Exploitation Techniques | Exploiting WordPress & MySQL

Captions
[Music] You can register for part two of this series by clicking on the link in the description. This will take you to a sign-up page where you can register for part two; all you need to provide is your first name, last name, email and company details. Once you provide the details, all you need to do is hit Register and you'll be able to watch the rest of the videos within this particular series. So we cover Windows red team defense evasion techniques, red team privilege escalation techniques for both Windows and Linux, and then persistence techniques for Linux, Linux defense evasion, as well as Windows red team lateral movement techniques. Once you hit Register you will be redirected to the course page, or the series page, where you'll be able to access the videos immediately on demand. So there we are, we can see that it's actually opened up and we can go ahead and play the video like so, and you can access all of the videos right over here within the table of contents. So if I wanted to watch Linux red team persistence techniques I can do that. You can also create a new Linode account and get a hundred dollars in credit using this offer here, and you can download the course or series slides by clicking on this link here. So that's going to be it; let's get started with today's video.

Hello everyone, welcome back to the red team training series. In this video we're going to be taking a look at how to gain initial access to a Linux target. Now, we've already explored the process of gaining access to a Windows target, and now that we have that out of the way, let's take a look at essentially how to exploit and gain access to a Linux target that has been set up by our target company and essentially hosts a web server or a website. In regards to what we will be covering in this video, we'll get started by taking a look at how to exploit the public-facing web application that's being hosted on this Linux server, and then secondly we'll take a look at how to gain access to the MySQL database server that's running on the target server. So our job here is to firstly obtain initial access and then secondly take over some of the services that are running on the target system.

When it comes down to the MITRE ATT&CK framework initial access techniques, the one we're focusing on now is going to be the process of exploiting public-facing applications. In the Windows video we explored the process of exploiting remote services, phishing, etc., so we're going to be taking a look at how to exploit a public-facing application now.

In this particular scenario we're going to be using a target virtual machine as our target server, and you can download this virtual machine from VulnHub; the name of this virtual machine is Raven 1. You can go ahead and download the OVA file and import it into VirtualBox or into VMware if you want to follow along with the techniques highlighted in this video. The objective of this video is to take you through the methodological process, from performing an Nmap scan on the target, identifying the services running, exploiting the web application, gaining initial access, and then gaining access to the MySQL database server. These procedures are replicable, but in this case we're going to be using this as our target just so that I can explain a few things as we move along.

As you can see, this is our infrastructure. It's fairly simple: the scenario is that we have identified the website, or the web server that hosts the website, for our target company. The target server is hosting a WordPress site; it's utilizing MySQL because WordPress is a content management system that requires a database, and in this case the database of choice is MySQL. It's also running OpenSSH and has the SSH port open to allow for authentication to the Linux server. That being said, that's pretty much all that we need to get out of the way in regards to the theoretical section of this video. Let's move on to my Kali VM so that we can get started with the practical section.

All right, so I'm on my Kali virtual machine and I have already identified the IP address of the target server. You should have been able to do this during the reconnaissance video, where we highlighted all of the techniques that you can utilize to find out the IP address of a server that hosts either a web application or any other application that is being utilized by the company. The first thing we're going to need to do is perform an Nmap scan on the target. The Nmap scan we're going to be performing in this particular case is a fairly simple one, and I'll explain what's going on, but before we do that: my current working directory is on my desktop under the red team folder and under linux. I just want to make that clear before we get started, because we'll be referencing our files within this directory; you can create your own directory that you want to work in.

So I'll say sudo nmap, and I'll perform a SYN scan or a stealth scan, and then I'll also perform an aggressive scan, which is a combination of service version detection and operating system detection; this particular scan flag also allows you to run all Nmap scripts against all the ports that are currently open on the target. We will scan all TCP ports on the target, so when we say -p- that refers to the entire TCP port range, which is about 65,535 ports. To speed up the scan we'll use the timing template -T4, and then I'm going to paste in the IP address of the target, which in this case I've just done, and we're going to output the results into a normal readable format, so we'll use the -oN option there and I'll simply call the file nmap_all.txt. I'll hit enter. Now this scan is going to take a few seconds to a few minutes based on your target; in my case the target server is running on my local network so it shouldn't take too much time at all. I'm going to let this scan complete and then we can move on to the next step.

All right, so the Nmap scan is completed and you can see that we have two ports, or rather three ports, that are currently open. One of them is running SSH on the default SSH port, which is 22; the service version is OpenSSH 6.7p1. The web server, which is running on port 80, is running Apache httpd, and we can get the operating system banner, which gives us an idea of what operating system the target is running; in this case we can see that the server is most likely running Debian. We also have an RPC port here which is on the default port number, as well as another RPC port that's running on port 55995. This is one of the reasons why you should perform a comprehensive scan on all TCP ports, because some services may be configured on ports that are out of the typical range associated with standard services. That's a tactic or a strategy that is typically employed by administrators or security analysts in order to avoid detection by individuals without much experience in regards to scanning for services: if they run a service like the web server on a port that is not standard, like 55995, it'll be quite difficult to detect it unless you scan all TCP ports.

That being said, we can try and access the web server here, so I'm just going to copy the IP and paste it in my browser, and you can see that this is the target website. It simply looks like a security website where they outline some of the services that they provide. Now that we have that opened up we can try and perform some analysis on the web application. Initially, from my first look at this, if I click on an interactive button here you can see that it essentially does not redirect to that particular web page, which gives me an idea of what might be running here, and taking a look at the source it's clear that this particular website is a landing page template that really doesn't have any content management functionality, in that everything is programmed statically via HTML and CSS and there's very little JavaScript.

So the first thing we want to do is just copy the IP address here and run a directory brute force with Gobuster. You might remember that I mentioned this during the reconnaissance video, but I'll be taking you through it practically now. Gobuster can be installed on Kali Linux by typing in sudo apt-get install gobuster; I already have it installed, so we can move on to the next step. Directory brute forcing is the process of identifying hidden files and directories that are currently on a web server. For example, if I try and access the robots.txt page you can see that it tells me that that's not found, so if we go through this process manually of trying to identify files it's going to take a while; instead we can use a tool like Gobuster to perform a directory brute force. I'll provide the command dir to specify that this is a directory brute force, then I specify the URL of the target, and then I can specify the wordlist that I want to use. In this case I will use the wordlist under /usr/share/seclists. SecLists is a very useful wordlist collection for penetration testers and red team specialists; for example, if I just search for it on Google it should come up. It's an open source GitHub repository that contains a series of extremely useful wordlists that can be used for directory brute forcing, fuzzing, pattern matching, etc. You can clone it into your /usr/share directory or any directory that you're comfortable with and use it that way. In order to invoke a particular wordlist I'm going to say we're performing discovery by directory brute forcing, so Discovery, and then Web-Content, and then I'm going to use the big wordlist, big.txt, which is a very comprehensive wordlist that contains a list of commonly used directories and file names that are actually used by websites, content management systems, Apache, nginx, etc. Then I'm going to specify the threads; I can increase my brute force rate by typing in threads and specifying maybe 20 threads. The default thread count is 10, but you can speed it up or reduce it based on whether or not your target has rate limiting set up. So I'll just hit enter and it's going to begin the directory brute force.

As you can see, it's going to give you a list of results that it was able to identify with their status codes. These are HTTP status codes; in this case you can see that the ones from css all the way to wordpress are all redirects, which means we need to test them manually. It was able to detect css, fonts, img, js, and these look like directories that belong to the standard landing page template here, which I'm guessing is just set up for the public to get information about the company. However, we also detect that we have a wordpress directory, which is where I'm guessing they have their WordPress installation or the WordPress site that they're currently working on, and we can access it by typing in /wordpress. We hit enter, give that a few seconds, and it looks like this is their WordPress site. It looks like they're still working on it, because there isn't any theme set up; we only have the content here, and it looks like we have a few posts.

If I click on the Hello World post it's going to tell me that we are having trouble finding that site, and this is primarily because this virtual machine essentially has a domain name that we need to add to our hosts file in order to access it. Typically this will not be the case, but when working with the website you want to be accessing it from the domain name as opposed to the server IP, unless you're interacting with the server directly, either through SSH or MySQL, etc. So I'm just going to add this domain name to my hosts file: I'll open /etc/hosts and paste in the name of the domain there, so I'll get rid of the http:// part, and then I'll get the IP address, which, if I take a step back, is 192.168.2.157. What we're essentially doing here is saying that whenever we look up the following IP it should resolve to raven.local, which is the domain name, and it works vice versa: when I type in raven.local it'll access this IP address. So it works very similarly to working with a legitimate target website with a domain name. With that done I can now click on the Hello World post and you can see that it loads up correctly; it looks like their posts page is working just fine.

Now, when it comes down to WordPress and performing enumeration on a WordPress site, there are multiple tools that we can use, but manual checks also reveal quite a bit. Number one, the reason why I clicked on the posts page is because the posts page will typically reveal an author that actually wrote and posted that particular blog post, and in this case we can see that we have the user michael here. So we've been able to identify that there is a user called michael, and that gives us an idea of what direction we should take: we can either try and brute force the WordPress login page, or alternatively we could try and brute force the SSH service with the user that we've just identified, in the hopes that we'll be able to identify this user's password. It's entirely up to you.

What I'm going to do now is perform a WordPress scan using the WPScan utility on the WordPress website, not the default Apache landing page, the HTML landing page. In order to do this I'm just going to type in wpscan; WPScan comes pre-packaged with Kali Linux so you don't have to install it. I'm going to say --url, and the URL is http://192.168.2.157/wordpress, because that's where WordPress has been installed, and then I want to enumerate all users and all plugins, so I'll say at and u for the enumerate option. That's going to enumerate all users on this particular WordPress installation based on mostly passive techniques, although you can actually brute force with WPScan in order to identify users. In this case I'm just going to hit enter; we'll give that a few seconds. It's going to ask whether I would like to update my WPScan database; I'm going to hit no because I don't need to do that right now. It's going to perform a scan, and it's done, and I'll just go through the results with you and explain what's happened here. It'll go through and display the headers for the website; it's also going to tell you whether XML-RPC is enabled or disabled. XML-RPC is a great vector for performing brute force attacks on a WordPress website. We also have, as you can see, the WordPress version, and then it enumerates users via passive and aggressive methods; in this case it brute forced the author IDs and it actually tells us that we have two users, stephen and michael.

Now, based on what we were able to identify on the WordPress website within their blog posts, we can see that a post has been made by michael, so we can make deductions as to what roles or permissions the user michael has. In this case it looks like the user michael is the WordPress administrator. The reason I'm saying that is because whenever you install a new WordPress site the Hello World post is automatically added by WordPress, and it's added as the administrator user; remember, this is the first blog post that is added automatically without being added by any other user, and it's typically added by the administrator of the WordPress site. From this we can pretty much tell that michael is the administrator, and that's very important here.

So now that we've identified two users, we can actually work with the user michael, and as I said, there are two ways we can go about doing this. The first way we can seek to obtain initial access is to perform some brute force attacks on the SSH port in order to try and identify the password for either one of these users. Now remember, we don't know for certain that these users are actually user accounts on the system; we're simply making an assumption based on the fact that we were able to identify them, and the second assumption is that the user michael is an administrator. So we'll use the user michael for our test here. In order to perform an SSH brute force we will be using the Hydra utility; if I type in whatis hydra you can see that Hydra is a very fast network logon cracker which supports many different services, so we are going to use it to perform a brute force. I'm going to say hydra, then I specify the username that we want to perform the password brute force for; in this case the user is michael. I then need to provide the password list, or the list that contains the series of passwords that you want to perform a wordlist brute force with. In this case you can create your own wordlist based on what you think the user's password may be; alternatively, you could use the rockyou wordlist that comes pre-packaged with Kali Linux, which has a good amount of commonly used passwords that will give you the highest chance of success, although performing brute force attacks does not guarantee any success at all. In this case we'll say the directory of the password list is under /usr/share/wordlists and the name is rockyou.txt. Then I need to provide the protocol we're brute forcing, and that is ssh, and then I specify the target IP, which in this case is 192.168.2.157, and I hit enter. It's going to begin the brute force, so I'm going to give that a few seconds.

All right, so the brute force is complete, and it took a few seconds. As you can see, it was able to identify that the user michael has a password of michael, which is not good security practice by the user michael, but this virtual machine was set up to teach you these techniques and show you that indeed you can identify legitimate SSH credentials by performing a brute force attack. Now, one way to counter this, and this is on the blue team side of things, is to disable password-based authentication for SSH and utilize key-based authentication. In this case, however, the user michael has simply set his own username as the password, so we can now try and log into the server via SSH. This can be done by typing in ssh, michael as the user, and the IP address of the target server, and I'm just going to hit enter. It's going to ask me for the password for the user michael; in this case the password is just michael, and we have obtained initial access to the target system via SSH.

All right, so we're currently the user michael on the system. The first thing we want to do is enumerate the distribution and kernel version, so we'll say cat /etc/*release and we can see the target is running Debian 8. If we want to enumerate the kernel version we'll say uname -a, and that tells you that it's running kernel version 3.16.0-6, which appears to be outdated because it was released in 2018, so we actually may target the kernel during the privilege escalation video, but we'll get to that when we actually reach there. To enumerate the users on the target system we're going to say cat /etc/passwd, and we can see we have the user stephen here, which we can log into but we don't have his credentials; we have the user michael; we have the other service accounts here like mysql; we also have the www-data service account, as well as the root account, which is where we want to get to eventually.

However, as you probably can tell, we have obtained initial access, but we need to take a look at some of the services that are running on the target system. So I'll just type in the netstat command and see what ports are currently open, or what services are currently listening on the target. As you can see from the Nmap scan, we weren't able to identify the MySQL server as open, and that is because it has been configured to run locally and is not exposed on the internet, which is a good security practice that you should be following: you never want to enable remote authentication to MySQL, and one way of doing that, as I've already highlighted in my previous series, is to disable remote authentication. Now we can see that it's running on port 3306, so how do we get access to the MySQL database?

Well, if you noted earlier on, the web server is running WordPress. Now, WordPress by default will require MySQL credentials initially to create the WordPress database, the tables, and add data, etc., and secondly it will require the MySQL credentials to interact with the database, so to add new users, to add new data, and so on and so forth. If we navigate to the /var/www/html directory, this is where the front end or the landing page was actually stored. You can see that it looks like we also have the zip file which I believe was used to set up the landing page; you also have a few other directories here, but as you can see we have a wordpress directory. So let's navigate to the wordpress directory, where the WordPress installation is stored. If we list out the contents here you can see that we have the wp-config.php file. Now, the wp-config.php file is where the MySQL database credentials are typically stored, and this file is typically kept as secure as possible, in that you cannot access it via the web browser, which prevents anyone from reading it. So now that we have access we can open it up with vim; but do we have vim installed on the target? No, we don't, so we'll use nano, and we'll say nano wp-config.php (sorry, I did not type in the .php there). I'll hit enter and you can see this is the base configuration for WordPress. This file contains the following configurations: MySQL settings, secret keys, database table prefix, and the absolute path. As you can see here we have the database name, which is wordpress, that's standard; the database user is root; and the database password is raven security.

So in this particular case the administrator was not really helping himself here, because instead of creating an unprivileged database user they have essentially utilized the MySQL root credentials, which means we can now log into the MySQL database server and make changes to the WordPress installation; for example, we can change the password of the user and much, much more. So we can just copy the password here, exit out of nano, and log into the MySQL database server, because we authenticated and it's running locally, so we can authenticate to it. To do this we will say mysql, then we specify the user we want to log in as, in this case the root user, and then we specify the password, so we'll paste in the password there, hit enter, and voilà, we are logged into the MySQL database server.

The first thing I want to do is say show databases. We can see that we have the default databases related to MySQL, and then we have the wordpress database, so we will use the wordpress database and then we can say show tables, and you can see that within the wordpress database these are the tables available. The wp_users table is where user credentials are stored. Now, in most cases, or rather in all cases, WordPress will encrypt the passwords using an algorithm like MD5. So for example, if I say select * from wp_users, which will display all the data within the wp_users table, you can see that it will display the two users on the WordPress site that have access to the WordPress site. Another key thing to note, as I said, and it's actually been confirmed here, is the user ID. By default the WordPress user ID 1 is allotted to the administrator, because the administrator user is the user that's added first to the WordPress installation as opposed to second or third, so we can tell that michael is the WordPress administrator, and we were able to deduce that earlier. We also get his email, when the user was registered, and the password hash; in this case the password has been encrypted in MD5.

However, we don't need to crack it in order to identify that password and log into WordPress; we can instead change michael's password, because we have access to the MySQL database. This can be done by saying update wp_users, and we want to set the user_pass column, which we're getting from here (because I've zoomed into my terminal and increased the font size, the ASCII output here is not being displayed correctly and the columns are slightly mixed up, but it'll still work just fine). So we'll say set the user_pass to, we then want to encrypt it with MD5, and then we are going to specify within the brackets our new password. We can change it to something like password123. Of course, I don't recommend doing this during a red team engagement, primarily because you want to ensure that your presence is not detected and you want to avoid any detection, and detection could come in the form of the administrator or the user michael realizing that his password has been changed. So that's not a good thing, but in this case we're just taking a look at an example; alternatively, I would recommend creating another user, but in this case we want administrator access. So I'm going to say password123, and we will then say where the user ID is 1, so we're changing the password of the user with the user ID of 1, which in this case is michael. I'm going to hit enter; it's going to say "Query OK, 1 row affected", and so on and so forth.

Now that that is done we can try and log into the WordPress site, so I'm going to do that right now. I'm just going to go to the wp-login.php page; this is how you log into WordPress. As you can see, it works out fine just there; the username is michael. We can also log in using their email; we can actually try that. So can we? Yeah, we can actually use the username or the email, and the password is password123, we hit Log In, and voilà, we have logged in as the WordPress administrator user. You can see that we are on the dashboard and we can pretty much do anything we want to the site: we can update it, we can check out the media, check out other users, or start taking a look at user data, and so on and so forth. So we have pretty much taken ownership of the MySQL database and consequently the WordPress installation. We've also been able to gain access to the target system via SSH by performing a brute force attack, and now the next step, of course, is to establish a form of persistence, and then we'll be taking a look at how to elevate our privileges to the root user, or to the user with root privileges; in this case we know that the user root is pretty much the only user with root privileges.

So that is going to be it for this video. As I said, you can follow along with the techniques and the examples demonstrated in this video by downloading the target VM provided in the documentation and the slides of this video, and that's going to be it for this video; I'll be seeing you in the next video. A huge thank you to all of our patrons; your support is greatly appreciated, and this is a formal thank you. So thank you Shamir Douglas, Ryan Carr, Sandor, Michael Busby, Sids Up, Doozy, Defean, Barry, Dustin, Empress and Michael Hubbard. Your support is greatly appreciated and you keep us making even more high quality content for you guys, so thank you. [Music]
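The video's blue-team remark after the Hydra step (disable password authentication, use keys) is the natural place to add the defender's side. The following is an added example, not HackerSploit's code and not part of the video: a small Python script that reads sshd auth-log lines of the kind Debian writes to /var/log/auth.log, flags a source/user pair that accumulates repeated password failures inside a short window, reports a success that follows such a burst (the "guessed credential then logged in" pattern), and checks whether an sshd_config fragment actually turns PasswordAuthentication off. The log lines, host name, PIDs, addresses and both config fragments are constructed for the example.

```python
"""Detect SSH password-guessing bursts and audit sshd password auth.

Added example for the transcript above; not HackerSploit's code.  Every log
line, host name, PID, address and config fragment below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Matches Debian-style syslog lines such as:
# "Nov  3 10:15:01 raven sshd[1201]: Failed password for michael from 192.168.2.10 port 50122 ssh2"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+ ssh2"
)

# Constructed sample: one Hydra-like burst against michael, one ordinary
# mistyped password for stephen, and an unrelated cron line that must be ignored.
SAMPLE_LOG = [
    "Nov  3 10:15:01 raven sshd[1201]: Failed password for michael from 192.168.2.10 port 50122 ssh2",
    "Nov  3 10:15:02 raven sshd[1203]: Failed password for michael from 192.168.2.10 port 50124 ssh2",
    "Nov  3 10:15:02 raven sshd[1205]: Failed password for michael from 192.168.2.10 port 50126 ssh2",
    "Nov  3 10:15:03 raven sshd[1207]: Failed password for michael from 192.168.2.10 port 50128 ssh2",
    "Nov  3 10:15:04 raven sshd[1209]: Failed password for michael from 192.168.2.10 port 50130 ssh2",
    "Nov  3 10:15:05 raven sshd[1211]: Failed password for michael from 192.168.2.10 port 50132 ssh2",
    "Nov  3 10:15:06 raven sshd[1213]: Accepted password for michael from 192.168.2.10 port 50134 ssh2",
    "Nov  3 10:20:44 raven sshd[1302]: Failed password for stephen from 192.168.2.20 port 41000 ssh2",
    "Nov  3 10:21:10 raven sshd[1304]: Accepted password for stephen from 192.168.2.20 port 41002 ssh2",
    "Nov  3 10:22:00 raven cron[1400]: pam_unix(cron:session): session opened for user root by (uid=0)",
]


def parse_line(line, year=2021):
    """Return a dict for an sshd password event, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; the caller supplies it
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return findings keyed by (source address, user name).

    A pair is flagged when at least `threshold` failures fall inside any
    `window_seconds` sliding window; an Accepted event after a flagged burst
    is reported as a likely guessed credential.
    """
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[(ev["src"], ev["user"])].append(ev)

    findings = {}
    for key, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        recent_failures = []      # timestamps of failures inside the window
        burst = success_after_burst = False
        for ev in evs:
            if ev["result"] == "Failed":
                recent_failures.append(ev["ts"])
                # slide the window: drop failures older than window_seconds
                while (recent_failures[-1] - recent_failures[0]).total_seconds() > window_seconds:
                    recent_failures.pop(0)
                if len(recent_failures) >= threshold:
                    burst = True
            elif burst:           # Accepted after the burst was reached
                success_after_burst = True
        if burst:
            findings[key] = {
                "failures": sum(1 for e in evs if e["result"] == "Failed"),
                "success_after_burst": success_after_burst,
            }
    return findings


def password_auth_disabled(sshd_config_text):
    """True when the global PasswordAuthentication setting is 'no'.

    sshd honours the first occurrence of a keyword, so later duplicates are
    ignored; settings under a Match block are conditional and skipped here.
    """
    in_match = False
    for raw in sshd_config_text.splitlines():
        line = raw.split("#", 1)[0].strip()     # strip comments
        if not line:
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            continue
        if key == "passwordauthentication":
            return value == "no"
    return False                                # sshd's default is 'yes'


# Constructed sshd_config fragments: the Debian default leaves the directive
# commented out (passwords enabled); the hardened one refuses passwords.
WEAK_SSHD_CONFIG = "Port 22\nPermitRootLogin without-password\n#PasswordAuthentication yes\n"
HARDENED_SSHD_CONFIG = (
    "Port 22\nPermitRootLogin no\nPubkeyAuthentication yes\n"
    "PasswordAuthentication no\nMatch User backup\n    PasswordAuthentication yes\n"
)

if __name__ == "__main__":
    for (src, user), info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"burst from {src} against {user}: {info}")
    print("weak config disables passwords:", password_auth_disabled(WEAK_SSHD_CONFIG))
    print("hardened config disables passwords:", password_auth_disabled(HARDENED_SSHD_CONFIG))
```

Run against the constructed log it reports the six-failure burst from 192.168.2.10 against michael followed by a successful login, and leaves stephen's single failure alone; the config audit returns False for the default fragment and True for the hardened one. On a real host, feed it `tail` of /var/log/auth.log and tune `threshold` and `window_seconds` to the login rate you expect.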
Info
Channel: HackerSploit
Views: 22,987
Keywords: hackersploit, hacker exploit, hacking, kali linux, red team, red teaming, what is a red team, red team exploitation, red team initial access, red team linux, linux red team, linux exploit, linux exploits, kali linux exploitation tools, cybersecurity, linux red teaming, hacker, ethical hacking, cyber security, cyber, penetration testing, linux hacking
Id: _1QnyKTqQ6w
Length: 33min 8sec (1988 seconds)
Published: Wed Nov 03 2021