Tips for an Information Security Analyst/Pentester career - Episode 13: File Upload (DVWA)
In the previous episode, we talked about SQL injection with DVWA.
DVWA also contains a vulnerable file upload page.
If the security level is set to low, that page accepts any kind of file, with no server-side validation of the name, extension or content, and stores it under the web root where a .php file will be executed by the server.
Prep
I took advantage of this vulnerability to upload a PHP reverse shell, available here.
Afterwards, I navigated to the URL of the uploaded reverse shell, highlighted in red, to launch it.
Getting a shell
With netcat listening on port 1234, I got a shell back.
The shell is not interactive at this point; a Python one-liner that spawns a pty upgrades it to an interactive shell.
Privilege escalation
The only problem left is how to become root on DVWA.
I tried both sudo (I'm not in /etc/sudoers) and su -, to no avail.
However, I was successful by launching su and using the default root password of a Kali VM (toor).
At that point, I could access /etc/shadow and /etc/passwd to recover all usernames and passwords in the database.
Wrap-up
Once again, DVWA does a very good job of demonstrating how severe the impact of security vulnerabilities can be, and how they can be contained and prevented.
With the security level set to impossible, I wasn't able to upload a PHP shell; I was required to upload an image.
That is not an insurmountable barrier, as a PHP payload can be embedded inside an otherwise valid image file, but it costs a potential attacker more effort, and a handler that re-encodes the image server-side and never serves uploads from a location where PHP executes closes that path as well.
This is an important concept.
Beyond preventing attacks outright, the point of hardening is to deny an attacker an easy target; it is also a deterrent.
The more you harden a server or an application, the longer it takes to compromise, and the more likely attackers are to move on to easier prey.
Episode 14
Episode 12