Hey guys! Today, we're diving deep into a super interesting penetration test scenario focusing on a vulnerable web application. Our target? www.wildfilmsindia.com. This box is an absolute gem for anyone prepping for their OSCP (Offensive Security Certified Professional) exam or just looking to sharpen their web application hacking skills. We'll walk through each step, from initial reconnaissance to gaining that sweet, sweet root access. So, buckle up, and let's get started!

Initial Reconnaissance: Laying the Groundwork

First things first, reconnaissance is king. Before you even think about launching attacks, you need to understand your target. We start with the basics: Nmap scans. Nmap is your best friend in the initial stages. We're looking for open ports, running services, and any hints about the operating system. A simple TCP scan can reveal a lot.

nmap -sV -sC -p- wildfilmsindia.com

What are we looking for?

• Open Ports: Common ports like 80 (HTTP), 443 (HTTPS), 22 (SSH), and 21 (FTP) are always interesting. Less common ports might indicate custom applications or services.
• Service Versions: Knowing the version of a service can help you find known vulnerabilities. For example, an outdated Apache web server might have readily available exploits.
• Scripts: Nmap's scripting engine (NSE) can automate many reconnaissance tasks, such as banner grabbing, vulnerability scanning, and more.

Once we've gathered some initial data, we move on to more targeted scanning. If port 80 or 443 is open, it's time to investigate the web application. Tools like Nikto and dirb can help us discover hidden directories and files.

nikto -h wildfilmsindia.com
dirb http://wildfilmsindia.com /usr/share/wordlists/dirb/common.txt

Why use these tools?

• Nikto: This web server scanner checks for potentially dangerous files, outdated software, and other vulnerabilities.
• Dirb: A web content scanner that looks for hidden directories and files by brute-forcing common names. Custom wordlists can significantly improve its effectiveness.

Don't forget manual exploration! Browsing the website, examining the source code, and playing with the functionalities can reveal valuable information that automated tools might miss. Look for comments, hidden forms, or interesting file paths.

Identifying Vulnerabilities: Digging Deeper

With the reconnaissance data in hand, it's time to start identifying vulnerabilities. This is where the real fun begins! One of the most common web application vulnerabilities is SQL Injection (SQLi). SQLi occurs when user input is not properly sanitized, allowing attackers to inject malicious SQL code into database queries. Start by looking for forms or URL parameters that might be vulnerable.

To test for SQLi, you can use tools like sqlmap. Sqlmap automates the process of detecting and exploiting SQL injection vulnerabilities. It supports a wide range of database management systems and injection techniques.

sqlmap -u "http://wildfilmsindia.com/page.php?id=1" --dbs

What are we looking for with SQLmap?

• Vulnerable Parameters: Identifying URL parameters or form fields that are susceptible to SQL injection.
• Database Structure: Enumerating databases, tables, and columns to understand the data structure.
• Data Extraction: Extracting sensitive data such as usernames, passwords, and other confidential information.

Another common vulnerability is Cross-Site Scripting (XSS). XSS allows attackers to inject malicious scripts into web pages viewed by other users. There are two main types of XSS: reflected and stored. Reflected XSS occurs when the injected script is reflected off the web server, while stored XSS occurs when the injected script is stored on the server and executed when other users view the page.

To test for XSS, try injecting simple JavaScript payloads into forms or URL parameters.

<script>alert('XSS')</script>

How do we identify XSS?

• Input Fields: Testing various input fields for script injection vulnerabilities.
• Error Messages: Analyzing error messages for clues about input validation and sanitization.
• Cookies and Sessions: Examining cookies and session management for potential vulnerabilities.

Exploitation: Gaining Access

Once you've identified a vulnerability, it's time to exploit it and gain access to the system. If you've found an SQL injection vulnerability, you can use sqlmap to read sensitive data from the database, such as usernames and passwords. If the passwords are not properly hashed, you might be able to crack them using tools like John the Ripper or Hashcat.

sqlmap -u "http://wildfilmsindia.com/page.php?id=1" --users --passwords

What can we do with cracked credentials?

• SSH Access: Trying the cracked credentials to log in via SSH.
• Web Application Access: Using the credentials to log in to the web application and gain access to administrative functionalities.
• Privilege Escalation: Attempting to escalate privileges to gain root access.

If you've found an XSS vulnerability, you can use it to steal cookies, redirect users to malicious websites, or deface the website. Stored XSS can be particularly dangerous because it can affect all users who visit the vulnerable page.

One particularly nasty exploit involves combining vulnerabilities. For instance, you might find a Local File Inclusion (LFI) vulnerability that allows you to read arbitrary files from the server. By reading configuration files, you might find database credentials or API keys.

What can we do with LFI?

• Configuration Files: Reading configuration files to obtain sensitive information.
• Log Files: Analyzing log files for clues about system activity and vulnerabilities.
• Source Code: Examining source code to identify potential vulnerabilities.

Privilege Escalation: From User to Root

Okay, so you've got a foothold on the system. Great! But we're not stopping there. The ultimate goal is to gain root access. Privilege escalation is the process of escalating your privileges from a low-privileged user to the root user. There are many different techniques for privilege escalation, but some common ones include:

• Exploiting SUID/SGID binaries: SUID (Set User ID) and SGID (Set Group ID) binaries run with the privileges of the owner or group, respectively. If a SUID/SGID binary has a vulnerability, it can be exploited to gain elevated privileges.

• Kernel Exploits: Kernel exploits target vulnerabilities in the operating system kernel. These exploits can be very powerful, but they can also be risky because they can crash the system.

• Misconfigured Services: Misconfigured services can sometimes be exploited to gain elevated privileges. For example, a misconfigured SSH server might allow you to log in as root without a password.

To find potential privilege escalation vectors, you can use tools like LinEnum.sh or linuxprivchecker.py. These scripts automate the process of identifying common misconfigurations and vulnerabilities that can be used to escalate privileges.

What are we looking for in these scripts?

• SUID/SGID Binaries: Identifying SUID/SGID binaries that might be vulnerable.
• Writable Files: Detecting world-writable files and directories that could be exploited.
• Kernel Information: Gathering information about the kernel version and architecture.

Let's say you find a SUID binary that's vulnerable to command injection. You can exploit this vulnerability to execute arbitrary commands as the root user.

./vulnerable_binary