Burp's Invisible Proxy

by Vince
in Blog

As I like to do in my spare time, I work on vulnerable machines for my continuing education. The vuln box W1R3S: 1.0.1 crossed my path and I uncovered a previously seen entry point with a new twist. Aside from this new twist, if you've come in through this door, you know how to get through; you just have to work it a little more than the previous times you've seen it. I'm going to leave it at that because this isn't a walk-through and I'm probably spoiling too much already.

While enumerating the box, I saw what I believe to be an intentional rabbit hole, and it seemed like a great way to play around with Burp's Invisible Proxy.

Starting from the beginning, we kick off with an Nmap scan:

We see an open web port and we also see the hostname. Let's add that hostname to /etc/hosts so we can look at the site both by IP and by name:

With our hosts file setup, let's take a look at the web port through the browser:

Now we brute-force directories with GoBuster:

Ignoring everything else, we're headed for WordPress:

Take note of what happens when we use the Fully Qualified Domain Name (FQDN):

All of a sudden, the browser is redirected to localhost, which won't work because it is now looking for /wordpress on our own machine.

Something is wrong with the WordPress installation, and the culprit is likely to be erroneous data in the database: WordPress builds its redirects and links from the site address it stores in the wp_options table (the siteurl and home options). When we query the database for this WordPress installation (yes, I've already rooted the box), we see:

Therein lies the problem. We shouldn't see "localhost" there; we should see the Fully Qualified Domain Name (FQDN). Every redirect and link WordPress generates will point at localhost until that value changes.

If one were simply attempting to root this box, we've already ventured too far and the path of least resistance would be the logical choice. However, we are able to move forward on this path; we just need to configure Burp to handle the redirect to localhost for us by listening on our own port 80 and forwarding whatever arrives there to the box.

In Burp, we head to Proxy, Options, and under Proxy Listeners we're going to Add:

On the Binding tab we bind to Loopback only and to the port the redirect sends the browser to, in this case port 80. Make sure nothing else is already listening on that port, and note that binding a port below 1024 requires Burp to run with the privileges to do so:

Switching to the Request handling tab, we're going to set Redirect to host and Redirect to port to the box's IP address and port 80, and we're going to check Support invisible proxying. The redirect sends every request that hits this listener to the box regardless of where the browser thought it was going, and invisible proxying lets Burp accept the plain, non-proxy-style requests a browser sends when it believes it is talking to the web server directly:

Under Project options, Connections, we're going to Add a Hostname Resolution entry so Burp can resolve the FQDN on its own:

We're going to point it to our FQDN and its IP address, the same mapping we put in /etc/hosts:

Heading back to our browser, we're going to repeat our steps:

And this time, the redirect to localhost still happens, but it lands on our Burp listener, which forwards the request to the box, and we're able to get to that WordPress site:
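The Burp settings above amount to a transparent proxy. After the redirect, the browser thinks it is talking to a web server on 127.0.0.1:80 (browsers generally don't send localhost traffic through a configured proxy) and emits an ordinary origin-form request, `GET /wordpress/ HTTP/1.1` with `Host: localhost`, rather than the proxy-style absolute-URL request line a normal proxy listener sees. Below is a small Python implementation of such a listener, written for this post as an added example; it is neither Burp's code nor the author's. The box's address (192.0.2.10), its name (box.example) and the listen address are placeholders I assumed, not values from the post.

```python
import socket
import threading
from urllib.parse import urlsplit

# Constructed placeholders (assumed, not from the post): the box's IP and FQDN.
TARGET_HOST = "192.0.2.10"                           # stand-in for the vulnerable box's address
TARGET_PORT = 80
HOSTNAME_RESOLUTION = {"box.example": TARGET_HOST}    # our own copy of Burp's "Hostname Resolution" table
LISTEN = ("127.0.0.1", 80)                            # loopback only, port 80, as in the post


def parse_head(raw: bytes):
    """Split a raw HTTP request into (method, target, version, headers, remaining bytes)."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers, rest


def route(raw: bytes, redirect_to=(TARGET_HOST, TARGET_PORT), resolution=HOSTNAME_RESOLUTION):
    """Decide where one request goes and what to send there: (dest_host, dest_port, outbound bytes).

    Proxy-style request line ('GET http://h/p HTTP/1.1'): the destination is the URL's host and the
    line is rewritten to origin form ('GET /p') for the upstream server.
    Origin-form request line ('GET /p HTTP/1.1'): the browser believes it reached the server
    directly; this is the invisible-proxy case and the destination comes from the Host header.
    With redirect_to set (Burp's "Redirect to host"), everything is forwarded there instead, and the
    Host header is left as the browser sent it, which here is the 'localhost' WordPress expects.
    Without it, a 'Host: localhost' request would be routed straight back to our own machine.
    """
    method, target, version, headers, rest = parse_head(raw)
    host_hdr = next((v for n, v in headers if n.lower() == "host"), "")
    if target.startswith(("http://", "https://")):
        parts = urlsplit(target)
        dest_host, dest_port = parts.hostname, parts.port or 80
        target = (parts.path or "/") + (f"?{parts.query}" if parts.query else "")
        if not host_hdr:
            headers.append(("Host", parts.netloc))
    else:
        name, _, port = host_hdr.partition(":")
        dest_host, dest_port = name or "localhost", int(port or 80)
    if redirect_to:
        dest_host, dest_port = redirect_to
    dest_host = resolution.get(dest_host, dest_host)      # apply the hostname-resolution table
    # One request per connection keeps the relay below simple.
    headers = [(n, v) for n, v in headers if n.lower() != "connection"] + [("Connection", "close")]
    head = f"{method} {target} {version}\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n"
    return dest_host, dest_port, head.encode("iso-8859-1") + rest


def relay(client: socket.socket):
    """Forward one request upstream and stream the response back until the server closes."""
    with client:
        raw = client.recv(65536)                          # enough for a request head plus a small body
        if not raw:
            return
        host, port, outbound = route(raw)
        with socket.create_connection((host, port), timeout=10) as upstream:
            upstream.sendall(outbound)
            while chunk := upstream.recv(65536):
                client.sendall(chunk)


def serve(listen=LISTEN):
    """Listen on the loopback interface (port 80 needs root or CAP_NET_BIND_SERVICE)."""
    with socket.socket() as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(listen)
        srv.listen()
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=relay, args=(conn,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

Run it with the privileges needed for port 80, then browse to the WordPress path via the FQDN: the redirect to localhost lands on this listener, `route()` sends the request to the box while leaving `Host: localhost` intact, and the site's own localhost links keep coming back through the listener. Calling `route()` with `redirect_to=None` reproduces the failure the post ran into, since a request carrying `Host: localhost` is then routed back to 127.0.0.1, i.e. to ourselves. The relay reads a single buffer per request and does not handle keep-alive or large uploads; that is deliberate to keep the mechanics visible.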

So where do we go from here? Burp's BApp Store has a WordPress Scanner extension you can install:

We load up the extension and we start browsing the site:

Unfortunately, there's not much gained from the WordPress Scanner since it's just a stock install. That said, if you look around, you can guess your way into the admin console at /wp-admin:

Now that we're in, we want to upload a shell. The admin console's theme editor lets us edit the theme's footer, so we're going to insert a reverse shell right into the site:

Replacing the footer contents with Pentest Monkey's PHP Reverse Shell, after setting its $ip and $port variables to our listener's address and port:

We save, and with our listener set up on that port:

We load any page of the site, the footer executes, and we catch our shell. This was NOT the easy way in, but Burp is such a cool product that it was totally worth the trip down this road.