How a small program opened my way to popping shells
Well then, in the last few weeks, I have had a lot of work. New job, a shitload of new responsibilities, learning, learning, learning, you know the feeling.
However, in the meantime, I had a bit of time on my hands. When you finish a task at 2PM and have 3 hours to kill, you need to find your own fun or bite your dick off with boredom. I didn’t want to lose any of that, so I started going through my AttackDefense subscription labs. It had been weeks since I last picked it up for real, and I wanted to get shit done. Believe it or not, 100%-ing a lab makes me happy like nothing else. It’s a fun little lab environment and the bonus is that everything runs in the browser. No installing VMs, no downloading labs. Got a web connection? You’re good to go.
I had an internet connection, so I started going at it. However, every time before that, when I wanted to “pop a shell”, I never got deep enough. Either it was too complicated or I missed some prerequisite knowledge. I always fingerprinted the service running on it, and mostly I ran into something like “SMB 3.x/4.x” or “Apache Tomcat”. I spent hours looking at complicated setup manuals hoping to find something that would give me a way to exploit a vulnerability, but there was nothing. Why would there be? It was Apache’s website, of course they won’t publish exploits on the home page!
I explained my confusion on Mastodon. Many people chipped in with their advice, but if I recall correctly, it was Ryen (may Cthulhu have mercy on his soul) who suggested SearchSploit. I had used the tool before, but it usually provided some complex .rb files, .txt proof-of-concept files, shit like that. It was pretty useless to me.
Or so I thought.
I tried my first “Metasploit” Lab. A vulnerable CMS, nothing special for any of you who have popped your fair share. Port 80 was open with Apache running. This always happened. I met my fair share of Apache servers, and I never knew what to do. Enter searchsploit. I entered searchsploit apache and I looked through the result.
Surprise surprise, as it often is, nothing came up that made any sense. The versions were all off by one, everything was wrong, plus there were mostly some .txt files showing a Proof-of-Concept. I was completely lost. After an hour of vainly trying Metasploit modules aimed at apache, I caved and looked into “the manual”, which is the writeup for THAT specific version and THAT specific lab. I quickly skimmed through and identified the steps.
What I never before realized (but now seems absolutely obvious) is the fact that Apache is not the only service accessible on the port. There is a service running on that port on top of Apache! Wordpress runs on Apache, Nextcloud runs on Apache, a lot of things run on top of it!
So, how do we find out what service is running? Well, you could open a web browser and check, but this is basically an SSH connection into a command line-only environment. What do we do in this case?
The answer is similar to “What do Canadians do on ice”: cURL. You cURL the website into the terminal and just read away! This may in fact be more useful than opening a browser, because this information may not be on the rendered page, but the source code is much more likely to contain the name of the framework the site is running (a generator meta tag, tell-tale asset paths, a footer comment).
Well, in this case, it was AppRain. It will not surprise you that once I ran searchsploit, it found 6 exploits and ONE OF THEM was even ported into Metasploit! From there, it was only a matter of running msfconsole, setting up RHOSTS and LHOST and off to the races I was! Done in a matter of minutes.
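The routine described above (cURL the page, read the source for the framework name, then feed that name, not “apache”, to searchsploit) as an added example. This is not code from the post or from AttackDefense; the HTML samples at the bottom are constructed for the demo, the path-to-product list is an illustrative subset, and the only real tools it assumes are curl and searchsploit on your PATH:

```sh
#!/bin/sh
# Added example: fingerprint the web application running on top of Apache
# from its HTML source, then build the searchsploit query from the result.
# The sample pages below are constructed, not captured from any lab.

# Fetch the raw HTML the way the post does with cURL (follow redirects,
# no progress bar). Usage: fetch_html http://target/
fetch_html() {
    curl -s -L "$1"
}

# Read HTML on stdin and print the best framework hint found:
#   1. the content of a <meta name="generator"> tag, if present
#   2. otherwise, a product guessed from well-known asset paths
# Exits 1 (prints nothing) when nothing recognisable is in the page.
fingerprint_html() {
    html=$(cat)
    gen=$(printf '%s\n' "$html" \
        | grep -io '<meta[^>]*name="generator"[^>]*>' \
        | grep -io 'content="[^"]*"' | head -n 1 | cut -d'"' -f2)
    if [ -n "$gen" ]; then
        printf '%s\n' "$gen"
        return 0
    fi
    # Illustrative path hints (pattern:product); extend for your own targets.
    for pair in 'wp-content:WordPress' '/sites/default/files:Drupal' \
                '/components/com_:Joomla' 'apprain:AppRain' \
                'nextcloud:Nextcloud'; do
        pat=${pair%%:*}
        name=${pair#*:}
        if printf '%s\n' "$html" | grep -qi "$pat"; then
            printf '%s\n' "$name"
            return 0
        fi
    done
    return 1
}

# Turn a hint such as "WordPress 5.8" into the searchsploit command line.
# Only the product name is used: searching too narrowly (an exact version)
# is how results end up "off by one"; filter by version after reading the list.
searchsploit_query() {
    product=$(printf '%s\n' "$1" | awk '{print tolower($1)}')
    printf 'searchsploit %s\n' "$product"
}

# Constructed sample 1: the framework announces itself in a generator tag.
SAMPLE_HTML='<!DOCTYPE html>
<html><head>
<meta name="generator" content="AppRain" />
<link rel="stylesheet" href="/css/style.css">
</head><body><h1>Welcome</h1></body></html>'

# Constructed sample 2: no generator tag, but the asset paths give it away.
SAMPLE_WP='<html><head>
<link rel="stylesheet" href="/wp-content/themes/twentytwenty/style.css">
</head><body><p>Just another site</p></body></html>'

# Walk both samples through the same steps you would run against a live
# target: fetch_html "$URL" | fingerprint_html, then run the printed command.
demo() {
    for page in "$SAMPLE_HTML" "$SAMPLE_WP"; do
        hint=$(printf '%s\n' "$page" | fingerprint_html) || {
            echo "no framework hint found"
            continue
        }
        echo "fingerprint: $hint"
        echo "next step:   $(searchsploit_query "$hint")"
    done
}

demo
```

Against a live box, replace the constructed samples with `fetch_html http://TARGET/ | fingerprint_html`; a `curl -sI` of the same URL is worth a look too, since Server and X-Powered-By headers sometimes name the stack when the HTML does not.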
Since then, I have exploited 8 boxes labelled “Linux Exploitation”, all of them in a similar vein. Once I felt comfy with this process, I tried some CTFs. It was not as straightforward, but mostly in the same vein. The first part is always “Find the vulnerable service and get a shell,” but afterwards there were various other procedures, like copying a flag to my local machine, running commands and other scripts, and one time, I remember, I had to copy an SSH key and log into the machine through a legitimate connection.
This may be a shorter blog post (I’ll probably do some of these shorter ones from now on, to get stuff done in less time and keep it more on-point). I doubt anyone’s reading this who is not already familiar, but in my experience, there is no one and nothing that is absolutely obvious to everyone everywhere, ever.
I hope you enjoyed reading this short post.