ResourceSpace Web Application Hacking Part 2 – Build

In this post, we will use the plans we discussed in part 1, to build an environment in order to audit the ResourceSpace Digital Asset Management web application.

Build Environment

For this specific engagement, my host machine will be running Arch Linux as its operating system and I will be using VMWare Workstation to create a new Ubuntu 18.04 Virtual Machine (VM) where we will set up all the services needed to run ResourceSpace.  Everything we do in this part of the series will take place on the Ubuntu VM.

If for some reason you don’t know how to use VMWare Workstation to create a VM, please refer to this link.

VMWare Workstation Ubuntu VM
VMWare Workstation Ubuntu VM

After we get our Ubuntu 18.04 Virtual Machine up and running, we can get started on setting up services for the ResourceSpace web application.  The first thing we need to do is make sure Ubuntu is updated to the latest packages available, this can be done by opening a terminal on Ubuntu and running:

sudo apt update && sudo apt upgrade -y

Now that Ubuntu is up-to-date and ready to go, we can start with setting up the database.  For this audit, I will be using MariaDB as the database server and client, so let’s do that now…

⭢ Database Setup

MariaDB is a drop-in replacement for MySQL, so they are interchangeable when it comes to compatibility, and we can set up the server by running:

sudo apt install mariadb-server mariadb-client -y

After the packages have been installed, we should run the mysql_secure_installation command.

mysql_secure_installation is a shell script available on Unix systems, and enables you to improve the security of your MariaDB installation in the following ways:

  • You can set a password for root accounts.
  • You can remove root accounts that are accessible from outside the localhost.
  • You can remove anonymous-user accounts.
  • You can remove the test database, which by default can be accessed by anonymous users.

sudo mysql_secure_installation

After running mysql_secure_installation, you will be asked a number of questions pertaining to the database set up.  The following is an example of how to answer those questions.

Enter current password for root (enter for none): <-- press enter
Set root password? [Y/n] <-- y
New password: <-- Enter the new MariaDB root password here
Re-enter new password: <-- Repeat the password
Remove anonymous users? [Y/n] <-- y
Disallow root login remotely? [Y/n] <-- y
Reload privilege tables now? [Y/n] <-- y

I prefer to use MariaDB’s mysql_native_password authentication plugin, over the auth_socket.  You can change this using the following steps:

sudo mysql
mysql> ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'password';

The last step for the database setup would be to go ahead and create a database for the ResourceSpace Digital Asset Manager (DAM).

mysql -u root -p
mysql> CREATE DATABASE resourcespace;

⭢ Web Server Setup

Next, we need to set up a web server to host the ResourceSpace web application, for this, I will be using Apache2.  You can use the following command to install Apache2 on the Ubuntu VM.

sudo apt install apache2 -y

Once the package installation has completed, we will need to modify a few files associated with the Apache2 configuration.

We need to make sure the index.php option is listed within the DirectoryIndex directive within the file /etc/apache2/mods-available/dir.conf

<IfModule mod_dir.c>
    DirectoryIndex index.php index.html
</IfModule>

Make sure you add the ServerName directive that points to an internal domain within the file /etc/apache2/sites-available/000-default.conf. I used the domain resourcespace.local in my example.

...

ServerName resourcespace.local
ServerAdmin [email protected]
DocumentRoot /var/www/html

...

Once the above changes are complete, let’s unzip the ResourceSpace ZIP file into the /var/www/html directory and then change ownership of the extracted files to the www-data user.

sudo unzip ResourceSpace_8_6.zip -d /var/www/html
sudo chown www-data:www-data /var/www/html -R

After the step above is complete, we can restart the Apache2 service to make sure all of our changes have been registered.

sudo systemctl restart apache2

⭢ PHP-FPM Setup

Now that we have Apache2 running, we can set up the PHP packages we will need in order to parse the ResourceSpace Server-Side code.  We can install the PHP packages we want with the following command.

sudo apt install php-fpm -y

Once the package installation has completed, we will need to modify a few files to make sure PHP is configured properly.

We need to add in a FilesMatch directive to the file /etc/apache2/sites-available/000-default.conf in order to tell PHP where to send the code to be interpreted when Apache2 gets a PHP file request.

...

<FilesMatch \.php$>
        SetHandler "proxy:unix:/var/run/php/php7.2-fpm.sock|fcgi://localhost/"
</FilesMatch>

...

To get a verbose output of our current PHP environment, we are going to set up an info.php file that will sit in the /var/www/html directory, and we will load the file when we want to check the PHP environment variables, and module information.

<?php 
  phpinfo();

In this step, we need to run a few commands to enable the PHP + Apache2 + MariaDB functionality and to install a few PHP modules required by ResourceSpace.

sudo a2enmod proxy_fcgi setenvif
sudo apt install php-mysql php-curl php-gd php-mbstring -y

After the steps above are complete, we can restart the PHP-FPM service to make sure all of our changes have been registered.

sudo systemctl restart php7.2-fpm

At this point, we should have a typical PHP LAMP stack set up on our Ubuntu Virtual Machine, but we have a few more tools to set up, that are specific to PHP auditing.

⭢ RIPS Setup

RIPS is a static source code analyzer that checks for vulnerabilities in PHP scripts.  This should help us in identifying possible vulnerabilities in the code we are running, but it does have some limitations being the open-source version of the tool. We can set up RIPS using the following steps below.

sudo apt install git -y
sudo git clone https://github.com/robocoder/rips-scanner /var/www/html/rips
sudo chown www-data:www-data /var/www/html/rips -R

This will install the RIPS dashboard to your /var/www/html/rips directory, so that you can access the dashboard via the browser.

⭢ Xdebug Setup

Xdebug has a number of debugging tools that will assist us in our audit. The Xdebug web site description of the tool is below.

Xdebug is an extension for PHP to assist with debugging and development. It contains a single step debugger to use with IDEs; it upgrades PHP’s var_dump() function; it adds stack traces for Notices, Warnings, Errors and Exceptions; it features functionality for recording every function call and variable assignment to disk; it contains a profiler; and it provides code coverage functionality for use with PHPUnit.

We can install the PHP extension using the following command:

sudo apt install php-xdebug -y

Next, we need to modify the Xdebug configuration file located at /etc/php/7.2/mods-available/xdebug.ini so we can remotely debug the PHP from our host machine running PHPStorm on Arch Linux.

zend_extension = xdebug.so
xdebug.remote_autostart=1
xdebug.remote_enable=1
xdebug.remote_handler=dbgp
xdebug.remote_port=9001
xdebug.remote_host=192.168.8.210 #IP of Arch Linux host machine

⭢ PHPTrace Setup

PHPTrace is a great tracing tool that I use for single request process tracing.  The author describes his tool as the following.

PHPTrace is a low-overhead tracing tool for PHP. It can trace all PHP executing, function calls, request information during run-time. And provides features like Filter, Statistics, Current Status and so on. It is very useful to locate blocking, heavy-load problems and debug in all environments, especially in production environments.

The author of PHPTrace, Chuan Yun, has written a new tool called Molten that looks very interesting.

We need to install a PHP development package so we can create the PHPTrace module.

sudo apt install php7.2-dev -y

Now we need to clone the PHPTrace Github repo into our /opt/phptrace folder.

cd /opt
sudo git clone https://github.com/Qihoo360/phptrace

After we have the Github repo cloned to the /opt/phptrace directory, we will need to use the phpize command to prepare the environment for the PHP extension.

cd /opt/phptrace/extension
sudo /usr/bin/phpize
./configure --with-php-config=/usr/bin/php-config
sudo make
sudo make install-all

Now that we have the PHP module trace.so built and installed, we need to create a phptrace.ini within the /etc/php/7.2/mods-available directory.

extension=trace.so

Let’s restart the PHP-FPM service to make sure our changes have loaded.

sudo systemctl restart php7.2-fpm -y

Once done, we should now be able to check the info.php file we created earlier to make sure both extensions are showing correctly.

Xdebug PHP_INFO status
phptrace PHP_INFO status

⭢ ResourceSpace Setup

At this point, we should be able to open the resourcespace.local domain we created earlier within a web browser on your host machine and be greeted with the ResourceSpace setup page, but first, we need to make sure the host machine has a /etc/hosts entry that corresponds to the virtual host we created earlier.

...

10.0.0.153	resourcespace.local        #IP of Virtual Machine + Virtual Host Domain

Now with that done, you should be able to see the setup page on the resourcespace.local site.  Here you would enter the information we supplied above to make sure the database is set up correctly.  Once complete, we can move onto logging in for the first time and creating a normal user without any special permission for testing purposes.

ResourceSpace User Creation
ResourceSpace User Creation

Awesome!  We now have our ResourceSpace build environment all set up, and we have also created a normal user for testing out vulnerabilities on the web application.

Conclusion

We have finally completed our ResourceSpace environment build, and we are ready to start moving forward with our audit.  In Part 3, we are going to start attacking our target using the tools we discussed in Part 1, and hopefully find some vulnerabilities we can leverage.

Leave a Reply

Your email address will not be published.