5 Attacking vulnerable web services

This chapter covers

  • Part 2: focused penetration
  • Deploying a malicious web application archive file
  • Using Sticky Keys as a backdoor
  • Differences between interactive and non-interactive shells
  • Operating system command execution with Groovy script

The first phase of an internal network penetration test (INPT) was all about gathering as much information as possible about the target environment. You began by discovering live hosts and then enumerated which network services those hosts were offering. Finally, you discovered vulnerable attack vectors in the authentication, configuration, and patching of those network services.

Phase 2 is all about compromising vulnerable hosts. You may recall that in chapter 1, we referred to the initial systems we gain access to as level-one hosts. Level-one hosts are targets with a direct-access vulnerability that we can exploit to obtain some form of remote control over them. This could be a reverse shell, a non-interactive command prompt, or simply logging directly into a typical remote management interface (RMI) service, such as Remote Desktop (RDP) or Secure Shell (SSH). Regardless of the method of remote control, the motivation and key focus throughout this entire phase of an INPT is to gain an initial foothold in the target environment and access as many restricted areas of the network as we can.

5.1 Understanding phase 2: Focused penetration

5.1.1 Deploying backdoor web shells

5.1.2 Accessing remote management services

5.1.3 Exploiting missing software patches

5.2 Gaining an initial foothold

5.3 Compromising a vulnerable Tomcat server

5.3.1 Creating a malicious WAR file

5.3.2 Deploying the WAR file

5.3.3 Accessing the web shell from a browser

5.4 Interactive vs. non-interactive shells

5.5 Upgrading to an interactive shell

5.5.1 Backing up sethc.exe