A Beginner's Guide to Vulnhub: part 2

Gavin Loughridge
6 min read · Apr 7, 2018

Who should read this and why

This is a guide for anyone who has an interest in penetration testing but no experience with it. To control scope, I’m going to assume that you have some development experience and are familiar (if not comfortable) using a command line interface. But as much as possible I’ll try to tell you exactly what command to enter or button to press as well as what each command and button is doing.

I’m hoping that this will expose more developers to the world of ethical hacking. And even if your journey stops after this tutorial, hopefully you will leave with a better understanding of some of the tools and techniques that hackers might use to attack your projects.

If you haven’t already, you should start with part 1 of this series.

The attack

At this point you should have your pen testing lab set up, have started your victim machine and be logged into your attack machine. I used a combination of the guides below to walk through this machine. I’m going to summarize and clarify their steps here with language more directed at a beginner, but if you want, feel free to read the guides yourself:

First, we need to figure out the IP address of our victim. Type

ifconfig 

and you should see something like this:

This tells us that the IP address of our attack machine is 10.10.10.3. Since our DHCP server assigns IP addresses in order, this means my victim machine’s IP address is 10.10.10.2 (note: if your attack machine is 10.10.10.2, then your victim will be 10.10.10.3). To double check this I’ll try pinging it:

ping -c 2 10.10.10.2

The -c flag lets us cap how many packets to send; here I limited them to 2. And I see that my victim is reachable:

Now that I know its IP address I want to start by finding out what ports are open and what type of protocol they use. For this we’ll use the nmap tool that is already included in our attack machine:

nmap -sV 10.10.10.2

The -sV flag asks nmap to also print out the service type. Here we see that there are three open ports. The two interesting ones are the HTTP server on port 80 and the SSH service on port 777.

Next we want to map the directory of the HTTP server. To do this we’ll use dirbuster, a brute force tool that tries out a ton of common directory names to see if any of them are valid (wfuzz is another tool that can do this). The command looks like this:

dirb http://10.10.10.2

This reveals a few base directories. The /phpmyadmin/ directory at least tells us they are almost surely using php somewhere. But exploring these won’t yield too much so next we load up the actual website using firefox (again, included in our attack machine).

This next part is pretty unrealistic, but oh well. Right click and save the image of the eye (‘main.gif’). Now go to the Kali Linux nav bar and select “places” and then “downloads”. Right click ‘main.gif’ and select ‘open with other application.’ Click ‘view all applications’ and then select ‘ImageMagick.’ Click the image, and on the command panel that pops up select “miscellany” and then “Image Info”. At the very bottom of this list you will notice a property called ‘comment’ that includes some suspicious characters followed by “kzMb5nVYJw.”

You might think this is a user name or a password, but it turns out to be a hidden directory path. So go back to firefox and navigate to

10.10.10.2/kzMb5nVYJw

where we find a lone form field. And if we open Firefox’s html inspector we see a hint that the form is not connected to mysql (so we don’t need to bother testing for mysql vulnerabilities).
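The ‘comment’ property that ImageMagick displayed is stored in the GIF file as a Comment Extension block, and anyone who downloads the image can read it. The following is an added example, not part of the original guide: a small parser you could run over your own site's images before publishing them to see what their comments disclose. The sample GIF and its comment text are constructed for the demo.

```python
import struct

def _read_sub_blocks(data, pos):
    """Join a chain of length-prefixed sub-blocks; return (payload, next_pos)."""
    out = bytearray()
    while True:
        size = data[pos]            # IndexError on truncation is handled by caller
        pos += 1
        if size == 0:               # a zero-length block terminates the chain
            return bytes(out), pos
        out += data[pos:pos + size]
        pos += size

def _color_table_len(packed):
    # Bit 7 = table present; low 3 bits N give 2^(N+1) RGB entries.
    return 3 * (2 << (packed & 0x07)) if packed & 0x80 else 0

def gif_comments(data):
    """Return every Comment Extension (0x21 0xFE) in a GIF as text."""
    if data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF file")
    comments = []
    try:
        pos = 13 + _color_table_len(data[10])   # header + screen descriptor
        while data[pos] != 0x3B:                # 0x3B = trailer
            marker, pos = data[pos], pos + 1
            if marker == 0x21:                  # extension: label + sub-blocks
                label = data[pos]
                payload, pos = _read_sub_blocks(data, pos + 1)
                if label == 0xFE:
                    comments.append(payload.decode("latin-1"))
            elif marker == 0x2C:                # image descriptor (9 bytes)
                pos += 9 + _color_table_len(data[pos + 8])
                _, pos = _read_sub_blocks(data, pos + 1)  # skip LZW code size
            else:
                raise ValueError(f"unexpected block 0x{marker:02x} at {pos - 1}")
    except IndexError:
        raise ValueError("truncated GIF") from None
    return comments

def build_sample_gif(comment=None):
    """Constructed 1x1 GIF for the demo; optionally carries a comment."""
    gif = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0) + b"\x00" * 6
    if comment is not None:
        gif += b"\x21\xFE" + bytes([len(comment)]) + comment + b"\x00"
    gif += b"\x2C" + struct.pack("<HHHHB", 0, 0, 1, 1, 0) + b"\x02\x02\x4C\x01\x00"
    return gif + b"\x3B"

if __name__ == "__main__":
    print(gif_comments(build_sample_gif(b"constructed note: /example-hidden-dir")))
```
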

Alright, back to (somewhat) more realistic hacking. We now have a password field on a web server and we don’t know the password. We’ll eventually brute force this, but first we need some information. We want to see exactly what gets sent to the server when we submit this form and then we want to see what comes back when we enter the wrong password.

You can use Burp Suite for this (and a lot of the other guides do) but we can also get the same information by opening the “network” tab of Firefox’s developer console and then entering some test password into the key form. If we do that we’ll see that, as we might expect, the form sends a POST request to http://10.10.10.2/kzMb5nVYJw/index.php with a single parameter ‘key’ with a value of ‘test’ (or whatever test password you submitted). We’ll also see that the response HTML contains the string “invalid key”. This is useful because we can assume that if the response does not contain this string then we have a valid password.

This gives us enough information to use Hydra (another Kali tool) to brute force the password. You can learn more about using Hydra and Burp Suite together here. First we need a list of words for Hydra to try as potential passwords. We can search for included dictionaries in Kali with the command:

locate wordlist

This will print out the paths to any file with the string ‘wordlist’ in the pathname. There are a lot to choose from, but since we’ve been tipped off that it’s a common word we can use the dirbuster ‘big.txt’ list to start. This is a list of about 20000 common words and directory names, but it might (wink wink) also work for our password.

All we need to do here is note that the path to our target wordlist is ‘/usr/share/dirb/wordlists/big.txt’. Now we are ready to form our Hydra attack. The full command looks like this:

hydra -l "" -P /usr/share/dirb/wordlists/big.txt 10.10.10.2 http-post-form "/kzMb5nVYJw/index.php:key=^PASS^&Login=Login:invalid key" -f -V

This command tells hydra that for every word in the file /usr/share/dirb/wordlists/big.txt it should substitute that word for the ^PASS^ placeholder and then send an HTTP POST request to 10.10.10.2/kzMb5nVYJw/index.php with the parameter ‘key’ set to that word. The last part of the quoted string tells hydra that an attempt failed if the response contains the string ‘invalid key’. The -f flag at the end tells it to stop as soon as it has found a word that succeeded (i.e. gets a response back that does not include ‘invalid key’), and the -V flag tells it to log every attempt (since it might take a while).

And a few minutes later hydra should tell us that the password is ‘elite’.

So now we can go back to the firefox site and enter it to find a new form that invites us to search for usernames.
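On the server side, a dictionary run like this shows up as a burst of POST requests from one client to one form. As an added example (not part of the original guide), here is a sliding-window detector over web access logs that flags that pattern. The log lines are constructed, and the combined log format, the 200 status on failed attempts and the threshold values are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common/combined access log prefix: ip - - [time] "METHOD path proto" status
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def find_bruteforce(lines, max_posts=5, window=timedelta(seconds=10)):
    """Return {(ip, path): peak POST count} for clients that exceed
    max_posts POSTs to the same path inside the sliding window."""
    recent = defaultdict(deque)   # (ip, path) -> timestamps still in window
    flagged = {}
    for line in lines:
        m = LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        key = (m["ip"], m["path"].split("?")[0])
        q = recent[key]
        q.append(ts)
        while ts - q[0] > window:          # drop attempts older than the window
            q.popleft()
        if len(q) > max_posts:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged

# Constructed sample: one client posts to the key form once per second,
# another browses normally. Status 200 on every attempt is an assumption:
# the guide only says that failed attempts return a page containing
# "invalid key", so the status code alone would not separate them.
SAMPLE_LOG = [
    f'10.10.10.3 - - [07/Apr/2018:10:00:{s:02d} +0000] '
    '"POST /kzMb5nVYJw/index.php HTTP/1.1" 200 512'
    for s in range(8)
] + [
    '10.10.10.7 - - [07/Apr/2018:10:00:05 +0000] "GET / HTTP/1.1" 200 1024',
    '10.10.10.7 - - [07/Apr/2018:10:00:09 +0000] "POST /kzMb5nVYJw/index.php HTTP/1.1" 200 512',
    '10.10.10.7 - - [07/Apr/2018:10:00:49 +0000] "POST /kzMb5nVYJw/index.php HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for (ip, path), peak in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip} sent {peak} POSTs to {path} within the window")
```

Counting requests per client and path works even when every failed attempt returns a normal page, which is why it is a better signal here than the status code.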

That’s probably enough for now. We’ll finish going to the bottom of the rabbit hole in part 3. Hope this was clear, informative, and fun! Let me know if you spot any typos, misinformation, or parts that seem confusing. Until next time!
