Wednesday, December 7, 2011

Attacking Metasploitable - Tikiwiki on port 80

For this post, I will be beating up on the Tikiwiki web application that is running on port 80 of the Metasploitable vulnerable VM.

First, we need to scan our VM with a very good web application scanner called Nikto. Here is the description of Nikto from http://cirt.net/nikto2:

Nikto is an Open Source (GPL) web server scanner which performs comprehensive tests against web servers for multiple items, including over 6400 potentially dangerous files/CGIs, checks for outdated versions of over 1200 servers, and version specific problems on over 270 servers. It also checks for server configuration items such as the presence of multiple index files, HTTP server options, and will attempt to identify installed web servers and software. Scan items and plugins are frequently updated and can be automatically updated.

Perfect for finding out what is sitting on our target web server. Once we have run the scan, we see that there is a /tikiwiki directory located on the web server. Let's browse there and have a look around.


Now that we know there is a version of Tikiwiki running on this web server, let's have a look in Metasploit and see if it includes any modules we can use on Tikiwiki.

search tikiwiki

Perfect! There are a few of them we can try out. Let's go ahead and try the information disclosure module for Tikiwiki to see if this web app leaks valuable info to us. This is kind of self-explanatory, so I will not go into how to configure and run this module.

Well, it looks like we got the database version (mysql), the username (root) and the password (root). Let's try to log in remotely with that information, using the built-in mysql client on BackTrack. This may not work if remote logins are disabled, but it is worth a try.

mysql -h 192.168.2.109 --user=root --password=root

Awesome! Now we have access to the database as the root user! Let's list the databases.

show databases;




Given this list, and since we want to get root privileges on the web application, we will try the tikiwiki database first.

use tikiwiki;
show tables;

After having a look at the tables in this database, the ones that look most useful are tiki_users and users_users. Let's try querying the tiki_users table first.

Select * from tiki_users;

Hmm. It seems that this table is empty. Let's try out users_users. Hopefully that one will not be empty too!

Select * from users_users;

Bingo! This one is definitely not empty. After looking at the field names, let's clean up our query so the results show only the info that is most useful to us.

Select userID, login, password from users_users;




Awesome! We have found the admin user in the users_users table. Let's try to use these credentials to log into the Tikiwiki web application.

Once we enter the credentials, we are presented with a change password page. How convenient ;)

Once we change the admin password we are presented with the admin dashboard for this web application. Success!



From here, we could try to gain access to the underlying operating system as the web application user, or we could simply change the content of the web application pages. I will stop here for now because I am tired and not very greedy tonight ;)

Jakx
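
The walkthrough above depends on three weaknesses: the web app connects to MySQL as root, the password is trivial, and MySQL accepts connections from the network. The following audit check is an added example, not code from the original post or from the Tikiwiki project. It assumes the database settings live in a PHP file with `$user_tiki` / `$pass_tiki` style variables and that MySQL is configured through a `[mysqld]` section; both sample files are constructed.

```python
import configparser
import re

# Constructed sample inputs (assumed Tikiwiki db config layout, not from the post).
LOCAL_PHP = """<?php
$db_tiki='mysql';
$host_tiki='localhost';
$user_tiki='root';
$pass_tiki='root';
$dbs_tiki='tikiwiki';
?>"""

MY_CNF = """[mysqld]
port = 3306
skip-external-locking
bind-address = 0.0.0.0
"""

WEAK_PASSWORDS = {"", "root", "admin", "password", "toor", "mysql"}


def parse_local_php(text):
    """Extract simple $name='value'; assignments from a PHP config file."""
    pattern = r"""\$(\w+)\s*=\s*(['"])(.*?)\2\s*;"""
    return {name: value for name, _, value in re.findall(pattern, text)}


def audit(local_php, my_cnf):
    """Return a sorted list of finding IDs for the weaknesses in the walkthrough."""
    findings = set()
    php = parse_local_php(local_php)
    user, password = php.get("user_tiki", ""), php.get("pass_tiki", "")
    if user == "root":
        findings.add("APP_USES_DB_ROOT")        # web app holds full DB privileges
    if password.lower() in WEAK_PASSWORDS or password == user:
        findings.add("WEAK_DB_PASSWORD")        # guessable even without the leak
    cnf = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cnf.read_string(my_cnf)
    mysqld = cnf["mysqld"] if cnf.has_section("mysqld") else {}
    bind = mysqld.get("bind-address")
    if "skip-networking" not in mysqld and bind not in ("127.0.0.1", "localhost", "::1"):
        findings.add("MYSQL_REMOTE_REACHABLE")  # leaked creds usable from the network
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(LOCAL_PHP, MY_CNF):
        print(finding)
```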
