The main goal of this project is to penetrate the provided case study and produce an ethical hacking report. The project is divided into five flags, covering the following aspects: examining the web server contents, learning about web shells, cracking a password with a password cracking tool, identifying a user's incorrect password entry by means of port scanning techniques, and learning basic Linux privilege escalation. These flags will be worked through and discussed in detail. In the password cracking flag, we crack the web shell password by deobfuscating the web shell and show how its authentication can be bypassed when you have the source code but not the password. For the port scanning technique, we use the Nmap port scanning tool to scan the TCP ports on the system. These processes will be demonstrated and discussed in detail.
The user is required to complete each flag by following the steps below.
First, the user must install and configure the provided case study on a virtual machine. This process is demonstrated below.
The web server needs the files of the site in order to store all the HTML documents along with the appropriate assets; these could also include the following (Makan, 2014):
It is also possible to store all of the files mentioned above on a personal computer, but it is common practice to store them on a dedicated web server, because this brings the following advantages: the web server is always connected to the Internet, it always has the same IP address, it is always running, it can be protected from outside parties, and it is reliable (“Privilege Escalation on Linux with Live examples”, 2018).
A web shell is a malicious script used by an attacker with the intention of escalating and maintaining persistent access on an already compromised web application. A web shell cannot attack or exploit a remote vulnerability by itself, so it is always the second step of an attack. An attacker can exploit common vulnerabilities such as SQL injection, RFI or FTP, or even use XSS as part of a social engineering attack, in order to upload the malicious script (Prodromou, 2018). Typical functionality includes, but is not limited to, shell command execution, code execution, database enumeration and file management. Web shells are an overlooked part of cybercrime and do not attract the same level of attention as either phishing or malware. When web shells first appeared, the limit of their utility was to transfer files and execute arbitrary shell commands. Today, however, the best-built web shells provide sophisticated toolkits for various crimes, with facilities for phishing, spamming and DDoS, not only accessible through a web user interface but also accepting commands as part of a botnet. The first step with a web shell is uploading it to a server, from which the attacker can then access it. This installation can happen in several ways, but the most common methods include exploiting a vulnerability in the server’s software, gaining access to an administrator portal, or taking advantage of an improperly configured host (“Web Shell Archive | PHP & ASP & ASPX Web Root Backdoors”, 2018).
Zombie
Another use of web shells is to make servers part of a botnet. A botnet is a network of compromised systems that an attacker controls, either to use themselves or to rent out to other criminals. The web shell or backdoor is connected to a command-and-control server from which it takes instructions on what commands to execute. This setup is commonly used in DDoS attacks, which require large amounts of bandwidth. In this case the attacker has no interest in damaging or stealing anything from the system on which the web shell was deployed; rather, they simply use its resources whenever required.
Escalation of Privilege
Unless a server is misconfigured, the web shell will run under the web server’s user permissions, which are limited. Using a web shell, an attacker can attempt privilege escalation attacks by exploiting local vulnerabilities on the system to gain root privileges; root, in Linux and other UNIX-based operating systems, is the super-user. With access to the root account, the attacker can do almost anything on the system, including installing software, changing permissions, adding and removing users, stealing passwords, reading email and more (“Web Shells 101: Detection and Prevention”, 2018).
Persistent Remote Access
A web shell generally contains a backdoor that allows an attacker to remotely access, and potentially control, a server at any time. This saves the attacker the trouble of exploiting a vulnerability each time access to the compromised server is required. An attacker may also fix the vulnerability themselves, in order to ensure that no one else exploits it. In this way the attacker can stay under the radar and avoid any interaction with an administrator, while still obtaining the same result. It is also worth noting that several well-known web shells use password authentication and other techniques to ensure that only the attacker who uploaded the web shell can access it. Such techniques include binding the script to a specific custom HTTP header, specific cookie values, specific IP addresses, or a combination of these. Most web shells also contain code to detect and block search engines from indexing the shell, which would otherwise lead to the domain or server hosting the web application being blacklisted; in other words, stealth is essential (“Web Shells – Threat Awareness and Guidance”, 2018).
Launching and Pivoting Attacks
A web shell can be used for pivoting inside or outside a network. The attacker may want to monitor the network traffic on the system, scan the internal network to discover live hosts, and enumerate firewalls and routers within the network. This process can take days, even months, usually because the attacker tries to stay under the radar and draw as little attention as possible. Once an attacker has persistent access, they can patiently make their moves. The compromised system can also be used to attack or scan targets that reside outside the network. This adds an additional layer of anonymity for the attacker, since they are using a third-party system to launch the attack. A step further is to pivot through several systems, making it very hard to trace an attack back to its source (“Web Shells: The Criminal’s Control Panel | Netcraft”, 2018).
When a website is hacked, the attacker often leaves a backdoor or web shell in order to be able to access the site easily later on. These are often obfuscated to avoid detection, and require authentication so that only the attacker can access the site. In this task, I am going to deobfuscate a web shell and show how the authentication can be bypassed when you have the source code but not the password (“What are web shells – Tutorial”, 2018).
Web Shell Deobfuscation
The preg_replace call has three arguments: the regex, the replacement and the subject. Since the regex has the e modifier, PHP evaluates the replacement as PHP code. The call is therefore equivalent to the following code:
Now we know that the second parameter is evaluated, but it still does not look like PHP code. That is because it is hex encoded. A string in double quotes can contain escape sequences that PHP interprets, and one of them is \x, which inserts a character into the string using hexadecimal notation. For example, \x65 is an e, as the ASCII table shows. Manually converting this string would be a fair amount of work, so we let PHP do it:
Bypassing Authentication
The $auth_pass in the main code already suggested there would be authentication on the web shell. The form of $auth_pass, 32 hexadecimal characters, suggests that it is an MD5 of the plaintext password. Since we have the source of the web shell, we can confirm that:
It computes an MD5 over the posted pass parameter and checks it against $auth_pass. Plain MD5s are generally not a very secure way to store passwords. In particular, MD5 is fast, and you can compute billions of hashes per second to try to brute-force the password. Also, the MD5 sums of many weak passwords are already on the web and can be found with a quick Google search. In this case, however, our attacker has chosen a fairly good password, and I was not able to crack it. Nevertheless, there is another way to access the web shell now that we have the source code. As you can see in the code, it sets a specific cookie when you get the password right. It checks the cookie, and if it is wrong it calls wsoLogin to show you a login page and exits the script. Otherwise it continues with the web shell code. The cookie is expected to have the MD5 of the hostname as its key and the $auth_pass value as its value. Luckily, we know both of these values and can create our own cookie to access the web shell.
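The two deobfuscation steps above (a preg_replace whose regex carries the e modifier, and a hex-escaped replacement string) and the $auth_pass hash check can be turned into an analyst's triage script. The following is an added example written for this report, not code from the web shell or from the cited tutorial; the PHP sample and its 32-hex $auth_pass are constructed placeholders.

```python
import re

# Escape sequences PHP interprets inside a double-quoted string.
_SIMPLE = {"n": "\n", "t": "\t", "r": "\r", "v": "\v", "f": "\f", "e": "\x1b",
           "\\": "\\", "$": "$", '"': '"'}
_ESC = re.compile(r'\\(x[0-9A-Fa-f]{1,2}|[0-7]{1,3}|u\{[0-9A-Fa-f]+\}|[ntrvfe\\$"])')
# A PHP double-quoted literal: non-special characters and backslash-escaped pairs.
_DQ = r'"((?:[^"\\]|\\.)*)"'
_PREG = re.compile(r'preg_replace\s*\(\s*' + _DQ + r'\s*,\s*' + _DQ, re.S)
_AUTH = re.compile(r'\$auth_pass\s*=\s*["\']([0-9a-fA-F]{32})["\']')
# Calls whose presence in a decoded replacement string deserves an analyst's attention.
_SUSPECT = ("eval(", "assert(", "system(", "exec(", "passthru(", "shell_exec(", "base64_decode(")

def decode_php_dq(body):
    """Decode the escape sequences in the body of a PHP double-quoted string."""
    def one(m):
        e = m.group(1)
        if e[0] == "x":
            return chr(int(e[1:], 16))
        if e[0] == "u":
            return chr(int(e[2:-1], 16))
        if e[0] in "01234567":
            return chr(int(e, 8) & 0xFF)   # PHP truncates octal escapes to one byte
        return _SIMPLE[e]
    return _ESC.sub(one, body)

def regex_modifiers(pattern):
    """Return the modifier letters that follow a PCRE pattern's closing delimiter."""
    opening = pattern[0]
    closing = {"(": ")", "{": "}", "[": "]", "<": ">"}.get(opening, opening)
    return pattern[pattern.rfind(closing) + 1:]

def find_preg_replace_e(php_source):
    """For each preg_replace whose regex carries the e modifier, return
    (pattern, decoded replacement, suspicious calls found in the replacement)."""
    findings = []
    for m in _PREG.finditer(php_source):
        pattern = decode_php_dq(m.group(1))
        if "e" not in regex_modifiers(pattern):
            continue
        replacement = decode_php_dq(m.group(2))
        findings.append((pattern, replacement, [c for c in _SUSPECT if c in replacement]))
    return findings

def find_auth_hash(php_source):
    """Return the 32-hex $auth_pass value (an MD5 digest) if the source has one."""
    m = _AUTH.search(php_source)
    return m.group(1) if m else None

# Constructed sample in the style the report analyses; the hash is a placeholder.
SAMPLE = (
    '<?php\n'
    '$auth_pass = "0123456789abcdef0123456789abcdef";\n'
    'preg_replace("/.*/e", "\\x65\\x76\\x61\\x6c\\x28\\x24\\x5f\\x50\\x4f\\x53'
    '\\x54\\x5b\\x22\\x63\\x22\\x5d\\x29\\x3b", ".");\n'
)

if __name__ == "__main__":
    for pat, rep, hits in find_preg_replace_e(SAMPLE):
        print(f"pattern {pat!r} evaluates {rep!r}; suspicious calls: {hits}")
    print("auth hash:", find_auth_hash(SAMPLE))
```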
Update
Finally, the following passwords were cracked.
Port scanning is a technique used to determine whether a port on the target host is open or closed; a port is open if there is a service that uses that specific port to communicate with other systems. This is why, if a port is open, it is eventually possible to identify what kind of service uses it by sending specially crafted packets to the target. Once we know the target IP address we can launch the port scan. By default, if no option is chosen, Nmap runs a TCP SYN scan, also called a Stealth Scan (“Advanced Port Scanner – free and fast port scanner”, 2018). Most of the scan types are only available to privileged users. This is because they send and receive raw packets, which requires root access on UNIX systems. Using an administrator account on Windows is recommended, though Nmap sometimes works for unprivileged users on that platform when the packet capture driver has already been loaded into the OS (“Nmap Cheat Sheet and Pro Tips | HackerTarget.com”, 2018). Requiring root privileges was a serious limitation when Nmap was released in 1997, as many users only had access to shared shell accounts. Now the world is different. Computers are cheaper, far more people have always-on direct Internet access, and desktop UNIX systems (including Linux and Mac OS X) are widespread. A Windows version of Nmap is now available, allowing it to run on even more desktops. For all these reasons, users have less need to run Nmap from limited shared shell accounts. This is fortunate, as the privileged options make Nmap far more powerful and flexible. To understand this kind of scan it helps to recall the TCP three-way handshake, which describes the way a TCP connection begins.
TCP Scan
A TCP SYN scan works as follows: system A, which represents our attacking machine, sends the target system B a SYN and waits for the SYN-ACK. If B responds, which means the port is open, A does not send the final ACK. If A does not receive the SYN-ACK, the port can be either closed or filtered (this can indicate the presence of a firewall). In this way we have performed a TCP port scan without establishing a full connection with the target.
Although this kind of scan is the default one, we can set it explicitly with the -sS parameter followed by the IP address of the target (“TCP Port Scan with Nmap | Pentest-Tools.com”, 2018):
Nmap, unless told otherwise, scans the most common ports, more than 950 of them, and probes them in random order. As can be seen from the results, we have scanned more than 950 ports in 0.30 seconds; 937 of them are reported as closed, and for the open ones Nmap gives us information about the service that is running on them (“Tcp Port Scanner (Free)”, 2018).
For all these reasons, users have less need to run Nmap from limited shared shell accounts. This is fortunate, as the privileged options make Nmap far more powerful and flexible. While Nmap attempts to produce accurate results, keep in mind that all of its insights are based on packets returned by the target machines. Such hosts may be untrustworthy and send responses intended to confuse or mislead Nmap. Much more common are non-RFC-compliant hosts that do not respond to Nmap probes as they should. FIN, NULL, and Xmas scans are particularly susceptible to this problem. Such issues are specific to certain scan types and so are discussed in the individual scan type entries.
TCP SYN scan
SYN scan is the default and most popular scan option for good reasons. It can be performed quickly, scanning thousands of ports per second on a fast network not hampered by restrictive firewalls. It is also relatively unobtrusive and stealthy, since it never completes TCP connections. SYN scan works against any compliant TCP stack rather than depending on the idiosyncrasies of specific platforms, as Nmap’s FIN, NULL, Xmas and idle scans do. It also allows clear, reliable differentiation between the open, closed and filtered states. This technique is often referred to as half-open scanning, because you do not open a full TCP connection. You send a SYN packet, as if you were going to open a real connection, and then wait for a response. A SYN/ACK indicates the port is listening (open), while a RST indicates a non-listener (closed). If no response is received after several retransmissions, the port is marked as filtered. The port is also marked filtered if an ICMP unreachable error is received. The port is also considered open if a SYN packet (without the ACK flag) is received in response. This can be due to an extremely rare TCP feature known as a simultaneous open or split handshake connection.
TCP connect scan
TCP connect scan is the default TCP scan type when SYN scan is not an option. This is the case when a user does not have raw packet privileges. Instead of writing raw packets as most other scan types do, Nmap asks the underlying operating system to establish a connection with the target machine and port by issuing the connect system call. This is the same high-level system call that web browsers, P2P clients, and most other network-enabled applications use to establish a connection. It is part of a programming interface known as the Berkeley Sockets API. Rather than reading raw packet responses off the wire, Nmap uses this API to obtain status information on each connection attempt.
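The defining trait of the half-open scan described above is that the scanner never sends the final ACK, whether the target answered SYN/ACK or RST. That trait is what a defender can look for; the following is an added example written for this report, not part of Nmap or of the cited sources, run over a constructed packet log in a simplified "time src dst dport flags" form.

```python
from collections import defaultdict

# Constructed packet log (not from a real sensor): "time src dst dport flags",
# with flags S = SYN, SA = SYN/ACK, A = ACK, R = RST.
LOG = """\
1 10.0.0.5 192.168.1.1 22 S
2 192.168.1.1 10.0.0.5 22 SA
2 10.0.0.5 192.168.1.1 80 S
3 192.168.1.1 10.0.0.5 80 SA
3 10.0.0.5 192.168.1.1 443 S
4 192.168.1.1 10.0.0.5 443 R
4 10.0.0.5 192.168.1.1 8080 S
5 192.168.1.1 10.0.0.5 8080 R
5 10.0.0.5 192.168.1.1 3306 S
6 192.168.1.1 10.0.0.5 3306 R
10 10.0.0.9 192.168.1.1 80 S
11 192.168.1.1 10.0.0.9 80 SA
11 10.0.0.9 192.168.1.1 80 A
"""

def parse(log):
    """Turn the constructed log lines into dicts."""
    pkts = []
    for line in log.strip().splitlines():
        t, src, dst, dport, flags = line.split()
        pkts.append({"t": int(t), "src": src, "dst": dst, "dport": int(dport), "flags": flags})
    return pkts

def detect_syn_scans(pkts, min_ports=5, window=60):
    """Return {source_ip: sorted ports} for sources that sent SYNs to at least
    min_ports distinct ports of one host within `window` seconds without ever
    sending the final ACK. Whether the target replied SYN/ACK (open) or RST
    (closed) is irrelevant: a half-open scan never completes the handshake."""
    probes = defaultdict(dict)   # (src, dst) -> {dport: {"t": first SYN time, "done": bool}}
    for p in pkts:
        key = (p["src"], p["dst"])
        if p["flags"] == "S":
            probes[key].setdefault(p["dport"], {"t": p["t"], "done": False})
        elif p["flags"] == "A" and p["dport"] in probes.get(key, {}):
            probes[key][p["dport"]]["done"] = True    # third step of the handshake
    findings = {}
    for (src, dst), ports in probes.items():
        half_open = {port: s["t"] for port, s in ports.items() if not s["done"]}
        times = sorted(half_open.values())
        # Slide a window over the probe times; enough distinct unfinished ports inside it is a hit.
        for i in range(len(times) - min_ports + 1):
            if times[i + min_ports - 1] - times[i] <= window:
                findings[src] = sorted(half_open)
                break
    return findings

if __name__ == "__main__":
    for ip, ports in detect_syn_scans(parse(LOG)).items():
        print(f"{ip} half-open probed {len(ports)} ports: {ports}")
```

A connect scan (the fallback when raw packets are unavailable) completes the handshake and so would not trip this rule; it shows up instead as many short-lived full connections from one source.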
This flag is used to gain knowledge about basic Linux privilege escalation. The steps are listed below (“Basic Linux Privilege Escalation”, 2018):
This project has successfully penetrated the provided case study and produced an ethical hacking report. The project was divided into five flags, covering the following aspects: examining the web server contents, learning about web shells, cracking a password with a password cracking tool, identifying a user's incorrect password entry by means of port scanning techniques, and learning basic Linux privilege escalation. These flags have been demonstrated and discussed in detail. In the password cracking flag, we cracked the web shell password by deobfuscating the web shell and showed how its authentication can be bypassed when you have the source code but not the password. For the port scanning technique, we used the Nmap port scanning tool to scan the TCP ports on the system. These processes have been demonstrated and discussed in detail.
Source code for tools used
Nmap – TCP port scanner
To scan the TCP ports of a host with Nmap, use the following command (“Port Scanning Techniques | Nmap Network Scanning”, 2018).
nmap <ip address>
nmap 192.168.1.1
It delivers the results below.
The source code is attached here.
Run the PHP code on Kali Linux (Valentino, 2018). It reveals the hidden password.
References
Advanced Port Scanner – free and fast port scanner. (2018). Retrieved from https://www.advanced-port-scanner.com/
Basic Linux Privilege Escalation. (2018). Retrieved from https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/
Makan, K. (2014). Penetration Testing with the Bash shell. Packt Publishing.
Nmap Cheat Sheet and Pro Tips | HackerTarget.com. (2018). Retrieved from https://hackertarget.com/nmap-cheatsheet-a-quick-reference-guide/
Port Scanning Techniques | Nmap Network Scanning. (2018). Retrieved from https://nmap.org/book/man-port-scanning-techniques.html
Privilege Escalation on Linux with Live examples. (2018). Retrieved from https://resources.infosecinstitute.com/privilege-escalation-linux-live-examples/
Prodromou, A. (2018). An Introduction to Web-shells – Part 1 | Acunetix. Retrieved from https://www.acunetix.com/blog/articles/introduction-web-shells-part-1/
TCP Port Scan with Nmap | Pentest-Tools.com. (2018). Retrieved from https://pentest-tools.com/network-vulnerability-scanning/tcp-port-scanner-online-nmap
Tcp Port Scanner (Free). (2018). Retrieved from https://www.mylanviewer.com/port-scanner.html
Valentino, V. (2018). PHP Web Shell and Stealth Backdoor : Weevely 2. Retrieved from https://www.hacking-tutorial.com/hacking-tutorial/php-web-shell-and-stealth-backdoor-weevely/
Web Shell Archive | PHP & ASP & ASPX Web Root Backdoors. (2018). Retrieved from https://webshell.co/
Web Shells 101: Detection and Prevention. (2018). Retrieved from https://blog.rapid7.com/2016/12/14/webshells-101/
Web Shells – Threat Awareness and Guidance. (2018). Retrieved from https://www.us-cert.gov/ncas/alerts/TA15-314A
Web Shells: The Criminal’s Control Panel | Netcraft. (2018). Retrieved from https://news.netcraft.com/archives/2017/05/18/web-shells-the-criminals-control-panel.html
What are web shells – Tutorial. (2018). Retrieved from https://www.binarytides.com/web-shells-tutorial/