Objective
Learn how to exploit Server Misconfigurations related to default credentials and exposed administrative interfaces to gain unauthorized access. Understand how to secure server configurations by changing default credentials, disabling unused services, and implementing multi-factor authentication.
Scenario
You are assessing a web server hosting an administrative interface that uses default credentials (e.g., admin:admin). Due to improper configuration, the admin panel is exposed to the public, allowing attackers to gain unauthorized access.
Lab Setup
Prerequisites:
- Basic knowledge of server management and web applications.
- XAMPP/LAMP/WAMP stack installed (or any web server with PHP support).
- Tools like Burp Suite or browser developer tools for testing.
Step 1: Create the Vulnerable Application
- Admin Login Interface (Vulnerable)
- Create a file admin_login.php:

```php
<?php
session_start();

// Hard-coded default credentials: this is the misconfiguration the lab demonstrates.
$default_username = 'admin';
$default_password = 'admin';

if (isset($_POST['login'])) {
    $username = $_POST['username'];
    $password = $_POST['password'];
    if ($username === $default_username && $password === $default_password) {
        $_SESSION['admin'] = true;
        header("Location: admin_panel.php");
        exit(); // stop rendering the form once the redirect has been sent
    } else {
        echo "<h3>Invalid Credentials!</h3>";
    }
}
?>
<h2>Admin Login</h2>
<form method="POST" action="">
    Username: <input type="text" name="username" required><br>
    Password: <input type="password" name="password" required><br>
    <button type="submit" name="login">Login</button>
</form>
```

- Admin Panel Interface
- Create a file admin_panel.php:

```php
<?php
session_start();

// Only a session that went through admin_login.php carries the 'admin' flag.
if (!isset($_SESSION['admin'])) {
    header("Location: admin_login.php");
    exit();
}
echo "<h2>Welcome to the Admin Panel!</h2>";
?>
```
- Running the Application
- Start the Apache server.
- Place admin_login.php and admin_panel.php in the web server's root directory (htdocs for XAMPP).
- Open http://localhost/admin_login.php in your browser.
Exploitation Steps
Step 1: Accessing the Admin Panel with Default Credentials
- Navigate to http://localhost/admin_login.php.
- Enter the following credentials:
  - Username: admin
  - Password: admin
- Click Login.
Expected Result:
- The attacker successfully gains access to the admin panel without any resistance.
Step 2: Discovering Exposed Admin Interfaces
- Use search engines with queries like:

```
inurl:/admin_login.php intitle:"Admin Login"
```

- Expected Result:
- Publicly exposed admin interfaces are indexed and discoverable.
Solution and Prevention
Problem Analysis
- The admin interface uses weak default credentials and is publicly accessible.
Fixing the Vulnerability
- Change Default Credentials
- Enforce strong, unique passwords for all accounts, and store only a password hash:

```php
$hashed_password = password_hash("StrongPassword123!", PASSWORD_BCRYPT);
```

- Restrict Access to Admin Interfaces
- Restrict access to trusted IPs only (Apache configuration):

```apache
<Directory "/path/to/admin">
    Require ip 192.168.1.100
</Directory>
```

- Implement Multi-Factor Authentication (MFA)
- Require an additional layer of verification beyond a password.
- Disable Unused Services and Interfaces
- Remove or disable unnecessary admin interfaces and services.
- Use Security Headers
- Prevent directory browsing (Apache configuration):

```apache
Options -Indexes
```

- Regularly Update and Patch Systems
- Keep all software and services updated.
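As an added example (not code from the original lab), the following hardened admin_login.php applies the credential and access-restriction fixes together: no default password exists in source, the bcrypt hash is verified with password_verify, the session id is regenerated on login, and an IP allowlist backs up the Apache Require ip rule. It assumes the hash is supplied in an ADMIN_PASSWORD_HASH environment variable and that 192.168.1.100 and 127.0.0.1 are the trusted addresses; both are assumptions for this example.

```php
<?php
// Added example: hardened replacement for the lab's admin_login.php.
declare(strict_types=1);
session_start();

// The hash is generated once at install time, e.g.
//   php -r 'echo password_hash("<strong password>", PASSWORD_BCRYPT), PHP_EOL;'
// and supplied through the environment (assumed variable name), never hard-coded.
$admin_username      = 'admin';
$admin_password_hash = getenv('ADMIN_PASSWORD_HASH') ?: '';

// Defence in depth: mirror the Apache "Require ip" rule in code, so the panel
// stays restricted even if the vhost configuration is lost or misapplied.
$trusted_ips = ['192.168.1.100', '127.0.0.1']; // assumed trusted addresses
if (!in_array($_SERVER['REMOTE_ADDR'] ?? '', $trusted_ips, true)) {
    http_response_code(403);
    exit('Forbidden');
}

$error = '';
if (isset($_POST['login'])) {
    $username = (string)($_POST['username'] ?? '');
    $password = (string)($_POST['password'] ?? '');

    // Fail closed: an empty hash (variable not set) can never authenticate anyone.
    $user_ok = ($username === $admin_username);
    $pass_ok = $admin_password_hash !== '' && password_verify($password, $admin_password_hash);

    if ($user_ok && $pass_ok) {
        session_regenerate_id(true);   // prevent session fixation across the privilege change
        $_SESSION['admin'] = true;
        header('Location: admin_panel.php');
        exit();                        // stop rendering the form after the redirect
    }
    usleep(250000);                    // slow down online password guessing
    $error = 'Invalid credentials';    // one message for wrong user and wrong password
}
?>
<h2>Admin Login</h2>
<?php if ($error !== ''): ?>
<p><?= htmlspecialchars($error, ENT_QUOTES, 'UTF-8') ?></p>
<?php endif; ?>
<form method="POST" action="">
    Username: <input type="text" name="username" required><br>
    Password: <input type="password" name="password" required><br>
    <button type="submit" name="login">Login</button>
</form>
```

With this file in place, the "Testing After Fix" steps below should show admin:admin rejected and a 403 from any address outside the allowlist.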
Testing After Fix
- Attempt to log in using admin:admin.
- Expected Result:
- The server rejects the default credentials.
- Try accessing the admin page from an unauthorized IP.
- Expected Result:
- Access is denied due to IP restrictions.
Conclusion
In this lab, you exploited Server Misconfiguration by using default credentials to gain unauthorized access. You also learned how to mitigate this vulnerability by changing default credentials, restricting access, enabling MFA, and disabling unused services.