Security Report Lab3

Web security assignment

Uploaded by

mahmoud200040

Lab 3 Report

Team Members (Hackers Team 147):

1- Mahmoud Khaled Abdelrahim 46-1029

2- Laila Hegazy 49-0546

3- Rawan Mostafa 49-5776


Commands used:

ifconfig: Run without arguments, ifconfig lists every network interface that is currently up on the system, with its IP address, netmask and MAC address. (Linux command names are lowercase; the capitalised forms in the headings below are typed as shown here.)

nmap -sn: Performs a host-discovery ("ping") scan without scanning any ports. For targets on the local Ethernet segment Nmap uses ARP requests, which is faster and more reliable than ICMP; for remote targets (run as root) it sends an ICMP echo request, an ICMP timestamp request, a TCP SYN to port 443 and a TCP ACK to port 80. Any reply marks the host as up.

nmap -O: Enables operating-system detection. Nmap sends a series of crafted TCP, UDP and ICMP probes and compares the target's responses (TCP window sizes, option ordering, IP ID behaviour and similar details) against its fingerprint database. It needs root privileges because it builds raw packets, and it gives the best results when at least one open and one closed TCP port are found on the target.

nmap -A: Aggressive scan. It is shorthand for -O (OS detection), -sV (service and version detection), -sC (the default set of NSE scripts) and --traceroute, so a single run reports the open ports, the software and version behind each of them, and the probable operating system.

dirb: A command-line web content scanner. It requests every entry of a wordlist as a path under the target URL and reports the ones the server answers with a valid status code (by default it ignores 404 responses), recursing into directories it finds. This is how hidden directories and files, such as a forgotten admin page or a hint page, are discovered.

nc -nvlp <port>: Starts a netcat listener. -l listens instead of connecting out, -p <port> sets the local port, -v prints connection details and -n skips DNS lookups. The listener is TCP unless -u is added for UDP. In this lab it receives the connection that the command injected into the target opens back to the Kali machine.

whoami: Prints the user name that corresponds to the current effective user ID. Run from a shell obtained through a web application, it shows which account the web server process is running as.

cat /etc/passwd: Prints the contents of /etc/passwd, the text database of user accounts. The file is world-readable, so it is one of the first things to inspect after obtaining a low-privileged shell. Each line is one account and holds seven fields separated by colons (:):

1. Username: This is the username of the user account.


2. Password: Historically, this field used to contain an encrypted
password, but on modern systems, it typically contains an 'x'
character, indicating that the password is stored in the /etc/shadow
file.
3. UID (User ID): This is the numerical user ID assigned to the user.
4. GID (Group ID): This is the numerical group ID of the user's primary
group.
5. User Info (GECOS): Free-text description of the account, usually the full name.
6. Home Directory: The path the user lands in at login.
7. Shell: The program started at login. /sbin/nologin or /bin/false here means the account cannot log in interactively, which is typical for service accounts.

find / -type f -name flag.txt: Searches the whole filesystem, starting at the root directory, for regular files named exactly flag.txt. Its parts:

● find: the utility that walks a directory tree and prints the entries matching the given tests.
● /: the starting point; everything below the root directory is searched recursively.
● -type f: match only regular files, skipping directories, symbolic links, device files, sockets and other special files.
● -name flag.txt: match the file name exactly and case-sensitively (Flag.txt or FLAG.TXT would not match; -iname gives a case-insensitive match).

find prints the full path of every match. Because the shell in this lab runs as the unprivileged web-server user, many directories are unreadable and find prints a "Permission denied" message for each of them; appending 2>/dev/null discards those messages so that only matching paths are shown.

cat <file path>: Prints the contents of the named file to the terminal. The name is short for "concatenate", because cat joins several files when given more than one, but it is most often used to read a single file. The argument may be an absolute path (starting at the root directory /) or a path relative to the current directory, for example the path that find printed.
Part 1

1. Using the most appropriate tool, perform an aggressive scan to determine all open ports and the services they host.

First, ifconfig is run to find the IP address and subnet of the Kali Linux machine, as seen in the image below.

Then nmap -sn is run against that subnet to discover every live host on the network, as shown in the image below.

An OS scan (nmap -O) is run on the other three IP addresses to tell which of them belongs to the target VM.

IP address of my laptop

IP address of the router


IP address of the target Vm

An aggressive scan (nmap -A) is then run against the target VM.

2. According to the scan, how many ports host a web page?

Three ports host a web page: 80 (HTTP), 443 (HTTPS) and 631 (IPP, the port on which the CUPS print service serves its HTTP administration interface), according to the nmap aggressive scan of the target VM.

3. According to the scan, which port hosts a database service? What is the type of the database?

Only one port hosts a database: port 3306, and the service is MySQL, according to the nmap aggressive scan of the target VM.
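The two questions above are answered by reading the service column of the scan. The following script, an added example that is not part of this report, does the same from nmap's grepable output (nmap -A -oG scan.gnmap <target>). The SAMPLE_GNMAP text is constructed to resemble that format for a host with the ports the report lists (80, 443, 631, 3306); the host address and version strings are invented.

```python
"""Parse nmap grepable (-oG) output and report which open ports are web
servers and which are databases.

Added example, not from the lab report. SAMPLE_GNMAP is CONSTRUCTED to
resemble `nmap -A -oG` output; the address and version strings are made up.
"""
import re

SAMPLE_GNMAP = (
    "# Nmap 7.94 scan initiated (constructed sample)\n"
    "Host: 192.168.1.10 ()\tStatus: Up\n"
    "Host: 192.168.1.10 ()\tPorts: "
    "22/open/tcp//ssh//OpenSSH 5.3/, "
    "80/open/tcp//http//Apache httpd 2.2.15/, "
    "443/open/tcp//ssl|http//Apache httpd 2.2.15/, "
    "631/open/tcp//ipp//CUPS 1.4/, "
    "3306/open/tcp//mysql//MySQL 5.1.73/"
    "\tIgnored State: closed (995)\n"
    "# Nmap done (constructed sample)\n"
)

# nmap service names that mean "an HTTP server answers here" or
# "a database listens here". Extend as needed for other targets.
WEB_SERVICES = {"http", "https", "http-alt", "http-proxy", "ipp"}
DB_SERVICES = {"mysql", "postgresql", "ms-sql-s", "oracle-tns", "mongodb", "redis"}


def parse_gnmap(text):
    """Return {port: {"state", "proto", "service", "version"}} for every
    entry in the 'Ports:' section of each Host line."""
    ports = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        m = re.search(r"\tPorts: ([^\t]*)", line)
        if not m:
            continue  # e.g. the "Status: Up" line has no Ports section
        for entry in m.group(1).split(", "):
            # Entry layout: port/state/protocol/owner/service/rpcinfo/version/
            fields = entry.rstrip("/").split("/", 6)
            fields += [""] * (7 - len(fields))  # pad when version is empty
            port, state, proto, _owner, service, _rpc, version = fields
            ports[int(port)] = {"state": state, "proto": proto,
                                "service": service, "version": version}
    return ports


def classify(ports):
    """Split open ports into (web ports, database ports) by service name.
    nmap reports TLS-wrapped services as 'ssl|http'; the part after the
    bar is the real service."""
    web, db = [], []
    for port, info in sorted(ports.items()):
        if info["state"] != "open":
            continue
        svc = info["service"].split("|")[-1]
        if svc in WEB_SERVICES:
            web.append(port)
        elif svc in DB_SERVICES:
            db.append(port)
    return web, db


if __name__ == "__main__":
    scan = parse_gnmap(SAMPLE_GNMAP)
    web, db = classify(scan)
    print("web ports:", web)
    print("database ports:", db)
    for p in db:
        print(p, scan[p]["service"], scan[p]["version"])
```

Grepable output is easier to post-process than the default human-readable report, and the same classifier runs unchanged over a multi-host scan because each Host line is parsed on its own.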
Part 2

1. What is the application layer vulnerability that is present in the login page?

SQL injection. The login page passes the submitted username and password into a SQL query to authenticate the user, and it does so by concatenating the raw input into the query text. An attacker can therefore change the query's logic, bypass the authentication check or read data the query was never meant to return.

2. Provide and explain three techniques that you can use to conduct the exploit. Your explanation should include the theoretical aspect of the exploit.

A- SQL Injection (SQLi):

● Theoretical Aspect: SQL injection occurs when user input is inserted into the text of a SQL query without separating data from code, so the input can change the structure of the query. By placing SQL syntax in a field such as the username or password, an attacker changes what the query does and can read, modify or delete data in the database.
● Exploit Technique: The attacker submits input that contains SQL syntax. Depending on what the application reveals, the injection is union-based (a UNION SELECT appended to read other tables into the page), boolean-based (data inferred from whether the page behaves as "true" or "false") or time-based (data inferred from a delay such as SLEEP()). For authentication bypass, entering admin' OR 1=1 -- as the username turns a query such as SELECT * FROM users WHERE username='admin' AND password='...' into SELECT * FROM users WHERE username='admin' OR 1=1 -- ...: the OR 1=1 makes the condition true for every row and the -- comments out the password check.

B- Cross-Site Scripting (XSS):

● Theoretical Aspect: XSS occurs when an application places attacker-controlled input into a page without encoding it, so the browser of another user who views that page runs it as script. The script executes with the origin of the vulnerable site, so it can read that site's cookies and DOM, send requests as the victim, redirect them to a phishing page, or perform other actions in their name.
● Exploit Technique: The attacker injects a script through an input field, a URL parameter or other user-controlled data, either stored (saved by the server and served to every visitor) or reflected (echoed back in the response to a crafted link). A typical payload reads document.cookie and sends it to a server the attacker controls; when the victim loads the page the browser runs it, and the attacker reuses the stolen session.

C- Cross-Site Request Forgery (CSRF):

● Theoretical Aspect: CSRF occurs when an application accepts a state-changing request solely on the strength of the browser's session cookie. Because the browser attaches that cookie to any request sent to the site, regardless of which page triggered it, an attacker can make a logged-in victim's browser submit a request the victim never intended, such as changing account settings or making a transaction.
● Exploit Technique: The attacker crafts the request (for example an image tag or an auto-submitting form that points at the vulnerable endpoint) and lures an authenticated user to a page, e-mail or post that contains it. The victim's browser sends the request with the session cookie attached and the application performs the action on the victim's behalf.

Unlike SQL injection, neither XSS nor CSRF defeats the login check itself; both act through a user who is already authenticated, so of the three only SQL injection bypasses the login page directly.

3. Which one of those three did you practically use? Your explanation should include any assumptions you have made, in addition to screenshots to show how you managed to successfully execute it.

I used SQL injection to bypass the login page by typing ' or 1=1 -- - in both the username and the password fields. This is the classic authentication-bypass payload, and each part has a job:

● The leading single quote closes the string literal that the application opened around the input.
● or 1=1 is a condition that is always true, so the WHERE clause matches every user regardless of the credentials supplied, and the application logs the attacker in as the first matching row, usually the first account in the table.
● -- starts a SQL comment that discards the rest of the original query, including the password check. MySQL only treats -- as a comment when it is followed by whitespace, and web forms often trim trailing spaces, so the extra " -" guarantees that a space survives after the dashes.

The assumption behind the payload is that the login query has the shape SELECT ... FROM users WHERE username='<input>' AND password='<input>' and that the input is not escaped or parameterised.

The first hint, found in the page's HTML tags, said to perform enumeration, so I ran dirb against the site. It found a page labelled "hack me"; opening that URL revealed the second hint.
2nd hint
After studying it I decided to use SQL injection, as explained above, to bypass the login page.

Part 3
1. By the end of this part, you should obtain a shell on your Kali Linux machine that can execute commands remotely as you have seen in the tutorial.

First, a listener was started on Kali with nc -nvlp 12345. Then the command shown in the image below was entered into the mystery page; it made the target connect back to that listener, giving a shell on Kali that executes commands on the target remotely.

2. What is the intended usage of the page?

The mystery page pings the IP address that the user types into its form and displays the result.

3. What is the application layer vulnerability that is present in the mystery page?

OS command injection. The page builds the ping command by inserting the user's input directly into a command string and hands that string to the system shell. Shell metacharacters in the input are interpreted, so an attacker can append commands of their own and run them on the underlying operating system with the privileges of the web server process.

4. Explain how you could exploit this vulnerability? Your explanation should include the theoretical aspect of your exploit and any assumptions you have made, with the aid of screenshots to show how you managed to execute it.

1. Theoretical Aspect:
● Command injection targets applications that build a shell command from user-controlled input and execute it. Because the shell parses the whole string, separators such as ; , && , || and | , or command substitution with $( ) and backticks, terminate the intended command and start an attacker-supplied one, which runs with the same privileges as the application. The assumptions are that the IP-address field reaches a shell without validation and that the target can open an outbound connection to the Kali machine.

2. Exploit Technique:
● We exploited the command injection by entering a valid IP address followed by a separator and a command of our own into the mystery page's input field. The appended command connected back to the netcat listener on Kali, giving us remote command execution on the target, as shown in the images below.
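The injection mechanics above, shown in code as an added example that is not the lab's own: the report does not show the mystery page's server-side source, so ping_vulnerable() is an assumed reconstruction of the pattern (input glued into one shell string), and "ping -c 1" is replaced by "echo PING" so that the example runs offline. The reverse-shell command actually used appears only in the report's screenshot and is not reproduced here; "echo INJECTED" stands in for the attacker's command. ping_hardened() shows the two independent fixes.

```python
"""OS command injection in a "ping this address" page: the vulnerable
pattern next to a hardened version.

Added example, not the lab's code. ping_vulnerable() is an ASSUMED
reconstruction of the page's pattern; PING is a stand-in for
["ping", "-c", "1"] so the example needs no network.
"""
import ipaddress
import subprocess

PING = ["echo", "PING"]  # stand-in for ["ping", "-c", "1"]


def ping_vulnerable(host):
    """Input concatenated into a shell command and run through /bin/sh.
    A ';', '&&', '|' or $(...) in host ends the ping and starts an
    attacker-chosen command."""
    cmd = " ".join(PING) + " " + host
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def is_ip_literal(host):
    """Allow-list validation: only an IPv4 or IPv6 literal is accepted."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def ping_hardened(host):
    """Fix 1: reject anything that is not an IP literal.
    Fix 2: pass the value as its own argv element with no shell involved,
    so metacharacters are never interpreted even if validation is bypassed."""
    if not is_ip_literal(host):
        raise ValueError("refusing to ping %r: not an IP address" % host)
    proc = subprocess.run(PING + [host], capture_output=True, text=True)
    return proc.stdout


# "echo INJECTED" stands in for the attacker's real command (constructed).
PAYLOAD = "127.0.0.1; echo INJECTED"

if __name__ == "__main__":
    print(ping_vulnerable(PAYLOAD), end="")     # second line proves the injection
    print(ping_hardened("127.0.0.1"), end="")
    try:
        ping_hardened(PAYLOAD)
    except ValueError as err:
        print(err)
```

Either fix alone would stop this payload; using both means a mistake in the validator does not become code execution, and the argv form also removes the dependence on which shell the server happens to use.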
Part 4

1. What is the name of the current effective user?

apache (the output of whoami), i.e. the account the web server runs as.

2. Apart from that user, who are the other users available on the system?

cat /etc/passwd lists every account on the system with its UID, GID, home directory and login shell, as shown in the image below. The file does not record privileges directly; those follow from the UID, the group memberships and the sudo configuration.
3. Which of these users have the lowest privileges and which is the
highest?

In the /etc/passwd file, each line represents a user account and contains several fields separated by colons (:). The third field is the numeric user ID (UID). UID 0 is the superuser, root, which the kernel exempts from permission checks. Beyond that, a lower UID does not by itself mean more privilege: UIDs below 500 (1000 on newer distributions) are by convention system and service accounts, and what each one can actually do depends on its group memberships, sudo rules and whether it has a login shell at all. nfsnobody (UID 65534) is the account that NFS maps unknown remote users to; it has no login shell and exists only as a mapping target, so it is the least privileged account listed.

Highest privilege is root UID: 0

Lowest privilege is nfsnobody UID: 65534
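The field breakdown given under "Commands used" and the privilege ranking above, as an added example that is not part of the report: a small parser over /etc/passwd-style data that picks out UID-0 accounts, accounts that can log in, and accounts whose password field is not delegated to /etc/shadow. SAMPLE_PASSWD is constructed to look like the file on a CentOS/RHEL-style target with an apache and an nfsnobody user, as the report describes; every other entry, and the guest account with an empty password field, is invented to exercise the checks.

```python
"""Parse /etc/passwd and rank accounts the way Part 4 asks.

Added example, not from the report. SAMPLE_PASSWD is CONSTRUCTED; only the
presence of apache and nfsnobody mirrors the report.
"""
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
student:x:500:500::/home/student:/bin/bash
guest::501:501:Guest (constructed, empty password field):/home/guest:/bin/bash
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
"""

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
NOLOGIN_SHELLS = {"/sbin/nologin", "/usr/sbin/nologin", "/bin/false"}


def parse_passwd(text):
    """Return one dict per account, in file order; malformed lines are skipped."""
    accounts = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != 7:
            continue
        acct = dict(zip(FIELDS, parts))
        acct["uid"] = int(acct["uid"])
        acct["gid"] = int(acct["gid"])
        accounts.append(acct)
    return accounts


def superusers(accounts):
    """Every name with UID 0. The kernel checks the number, not the name
    'root', so a second UID-0 account is a classic backdoor to look for."""
    return [a["name"] for a in accounts if a["uid"] == 0]


def interactive_accounts(accounts):
    """Accounts whose login shell actually lets them log in."""
    return [a["name"] for a in accounts if a["shell"] not in NOLOGIN_SHELLS]


def hashes_in_passwd(accounts):
    """Accounts whose second field is neither 'x' (hash kept in /etc/shadow)
    nor a lock marker: a hash readable by everyone, or an empty field,
    which means no password at all."""
    return [a["name"] for a in accounts if a["passwd"] not in ("x", "*", "!", "!!")]


def by_uid(accounts):
    """Accounts ordered by numeric UID, lowest first."""
    return sorted(accounts, key=lambda a: a["uid"])


if __name__ == "__main__":
    accts = parse_passwd(SAMPLE_PASSWD)
    print("UID 0 accounts:      ", superusers(accts))
    print("can log in:          ", interactive_accounts(accts))
    print("weak password field: ", hashes_in_passwd(accts))
    ordered = by_uid(accts)
    print("lowest UID:", ordered[0]["name"], " highest UID:", ordered[-1]["name"])
```

Run against the real file from the web shell (cat /etc/passwd copied into SAMPLE_PASSWD), the interesting output is rarely the UID ordering; it is any extra UID-0 entry, any service account that unexpectedly has a real shell, and any account whose password field is empty.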
4. What are the contents of the file 'flag.txt'?

Contents are highlighted in the image below.

5. You have to mention the command that you used to reach the flag file and if you searched for it manually you have to support your answer with screenshots.

find / -type f -name flag.txt

cat <file path> (the path printed by find)
