Finally, let's go through the results of the Windows Nessus scan. This has more interesting scan results, since we used an EOL OS that receives no updates, as well as an older version of the web application server.
Exploiting a vulnerable Windows VM
Understanding the Nessus scan for Windows
The Nessus scan for Windows reports a very large number of issues because of the end-of-life OS and the outdated web server. Let's focus on the most critical findings first:
There are a number of issues dealing with outdated OpenSSL and PHP installations, as well as a couple of findings pointing out that Windows Server 2003 is an unsupported OS. However, the most important issue here is the detection of multiple vulnerabilities in SMBv1. The details of this finding list the Common Vulnerabilities and Exposures (CVE) identifiers for the associated SMB vulnerabilities and the patches that address them:
In addition to vulnerable and outdated services, the scan also picked up a number of web application issues:
Since we exploited a network service on the Linux host, we shall focus on exploiting one of the vulnerabilities on the web application to gain access to a shell.
Exploitation on Windows
The vulnerable web application has an SQL injection vulnerability. SQL injection allows an attacker to inject arbitrary SQL queries and have them executed by the backend DBMS. The vulnerability is present at the following URL:
http://<ip>/books1.php?title=&author=t
SQL injection in a web application that may be running with administrative privileges opens the possibility of a complete takeover of the application. For this purpose, we shall use sqlmap. To attack the URL with sqlmap, the syntax is as follows:
sqlmap --url="http://<IP>/books1.php?title=&author=t"
sqlmap confirms that the injection vulnerability is present, as seen here:
The next step is to use sqlmap to gain shell access on the remote server. sqlmap has a very handy feature: with a single command, it first uploads a stager into the webroot, which is then used to upload further files, and then uses that stager to upload a web shell that executes commands and returns their output. To trigger this, run the following:
sqlmap --url="http://<IP>/books1.php?title=&author=t" --os-shell --tmp-path=C:\\xampp\\htdocs
The --os-shell option asks sqlmap to spawn a shell using the method just described, and the --tmp-path value specifies where the PHP files used to spawn the shell are uploaded. Once the command runs, the user is prompted for input twice: first to select the web application technology (PHP in this case), and second to decide whether to trigger full path disclosures, which can be enabled. If everything goes well, we are presented with an interactive shell:
As with the Linux exploitation, any command can be executed through this interactive shell.
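As an added, defender-side illustration (not code from the page, the book, or the vulnerable application): a minimal books1.php showing the kind of string-concatenated query that sqlmap detects on the title and author parameters, next to the prepared-statement version that closes the hole. The table and column names (books, title, author) and the connection settings are assumptions.

```php
<?php
// Added example, not from the original page. Assumed schema: table `books`
// with columns `title` and `author`; the connection details are placeholders.
$db = new mysqli('localhost', 'books_ro', 'PLACEHOLDER_PASSWORD', 'library');
$title  = $_GET['title']  ?? '';
$author = $_GET['author'] ?? '';

// VULNERABLE: request parameters are pasted straight into the SQL text, so a
// single quote in `author` ends the string literal and whatever follows is
// parsed as SQL. This is the pattern the sqlmap run on the page detects.
function find_books_vulnerable(mysqli $db, string $title, string $author): array {
    $sql = "SELECT title, author FROM books "
         . "WHERE title LIKE '%$title%' AND author LIKE '%$author%'";
    $res = $db->query($sql);
    return $res ? $res->fetch_all(MYSQLI_ASSOC) : [];
}

// FIXED: a prepared statement sends the query text and the data separately,
// so the DBMS never parses the parameters as SQL, whatever they contain.
function find_books_safe(mysqli $db, string $title, string $author): array {
    $stmt = $db->prepare('SELECT title, author FROM books WHERE title LIKE ? AND author LIKE ?');
    if ($stmt === false) {
        return [];
    }
    $t = "%$title%";
    $a = "%$author%";
    $stmt->bind_param('ss', $t, $a);   // both parameters bound as strings
    $stmt->execute();
    $res = $stmt->get_result();
    return $res ? $res->fetch_all(MYSQLI_ASSOC) : [];
}

header('Content-Type: application/json');
echo json_encode(find_books_safe($db, $title, $author));
```

Note that the --os-shell step also depends on the database account being allowed to write files (the MySQL FILE privilege) into a webroot such as C:\xampp\htdocs; a least-privileged, read-only database account and a webroot the DBMS cannot write to stop the stager upload even where an injection remains.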