We covered the solution to the H.A.S.T.E Vulnhub machine and demonstrated a Server-Side Includes (SSI) injection that led to gaining access to the target machine.
Method 1: Netcat with Python Listener
First, I watched as the presenter scanned the website for vulnerabilities using nikto. This scan quickly revealed that the web server allowed extensive directory viewing and identified both index.php and index.html files.
Upon accessing index.html, I noticed output that strongly indicated Server-Side Includes (SSI) injection was possible. I recalled looking into OWASP resources for SSI injection commands, which would be helpful here. The feedback form on the website was indeed vulnerable to SSI injection. As an example, a command was executed to list files in the current directory, which would look like this:
After confirming the SSI vulnerability, the presenter set up a Python listener. They used a command to download a Python server/listener from their attacking machine and drop it onto the vulnerable machine. Following that, another command was executed to start the listener on the vulnerable machine. Once the listener was active, the attacker connected back to it from their machine, successfully gaining shell access. From there, they could freely list files and navigate directories.
Method 2: Metasploit
For the second method, the presenter showed how to use Metasploit. I saw them create a Linux payload using Metasploit (likely msfvenom). The generated shell payload was then downloaded and placed onto the vulnerable machine. Commands were executed to ensure the shell payload would run on the vulnerable machine. After these steps, a connection was received back on the attacker’s machine via a Metasploit listener, providing a Meterpreter shell. From this shell, commands like sysinfo could be executed to gather system information.
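From the defender's side, the feedback form described above is the place to catch this. The Python below is an added example, not code from the video or the target machine: it flags SSI directives in submitted form fields, including URL-encoded ones, and HTML-escapes the values before they are stored or rendered. The function names and sample submissions are assumptions made for illustration.

```python
import html
import re
from urllib.parse import unquote_plus

# Element names from Apache mod_include; a directive opens with "<!--#element".
# Optional whitespace around "#" is tolerated to keep the match conservative.
SSI_DIRECTIVE = re.compile(
    r"<!--\s*#\s*(exec|include|echo|config|set|printenv|fsize|flastmod"
    r"|if|elif|else|endif)\b",
    re.IGNORECASE,
)


def normalise(value, max_rounds=3):
    """URL-decode a bounded number of times so single and double encoding are seen."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def screen_submission(fields):
    """Return (escaped_fields, hits) for one form submission (hypothetical helper).

    hits maps a field name to the SSI element names found in it.
    escaped_fields holds HTML-escaped values, so a literal "<!--#" cannot
    survive into a page the server parses for SSI.
    """
    hits, escaped = {}, {}
    for name, raw in fields.items():
        found = [m.group(1).lower() for m in SSI_DIRECTIVE.finditer(normalise(raw))]
        if found:
            hits[name] = found
        escaped[name] = html.escape(raw, quote=True)
    return escaped, hits


# Constructed sample submissions (not captured from the target machine).
SAMPLES = [
    {"name": "alice", "feedback": "Nice site <!-- really -->"},
    {"name": "bob", "feedback": '<!--#EXEC cmd="ls" -->'},
    {"name": "eve", "feedback": "%253C%2521--%2523echo%2520var%253D%2522DATE_LOCAL%2522%2520--%253E"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        _, hits = screen_submission(sample)
        print(sample["name"], "->", hits or "clean")
```

Escaping on output is the control that matters; the detection result is best used for logging and alerting rather than as the only barrier.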