Basic Pentesting 1 Writeup | Vulnhub

Van Emerson Francisco
Oct 4, 2023

Hello, my name is Van, and this is my writeup for Basic Pentesting 1, created by Josiah Pierce. This VM is recommended for beginners (like me) who want to try their hand at basic pen-testing.

The main objective of this pentest is to get root access on the Ubuntu terminal.

First things first, we will need to do an active recon.

I tried looking around on the login screen of the target terminal and noticed that you can do a guest login without a password.

Guest login with no password requirement

I logged in as a guest, went to the terminal and ran the ifconfig command to find the IP address of the target, then logged out.

ifconfig command in the guest login

After finding the target’s IP, I wrote it down and started the scan using Nmap on my Kali terminal.

Nmap scan command, with the output saved to a text file for later use
Nmap scan results

Take note of these open ports for later use.

  • 21/tcp open ftp ProFTPD 1.3.3c
  • 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
  • 80/tcp open http Apache httpd 2.4.18 ((Ubuntu))

I tried googling for ProFTPD 1.3.3c vulnerabilities and stumbled upon this:

https://www.rapid7.com/db/modules/exploit/unix/ftp/proftpd_133c_backdoor/

Apparently, you can use Metasploit to make a backdoor for ProFTPD 1.3.3c.

I opened my terminal and entered Metasploit via msfconsole.

Metasploit main page.
Use proftpd_133c_backdoor
Parameters needed for the exploit

Set rhosts to the target IP and lhost to your Kali terminal. Also set payload to 4.

And you are in.

Run the whoami command to check the user.

Is it finished? Nope.

We still have a lot of optional objectives to do.

  1. Have access to marlinspike’s account.
  2. Change the HTTP website hosted on the Ubuntu terminal.
  3. Add a new user.

For objective 1, there are two ways to do this. The first is to change marlinspike’s password to a different one using passwd via the backdoor made by the ProFTPD 1.3.3c vulnerability.

The second one is to brute-force it. I actually stumbled upon marlinspike’s password by simply using the username as the password.

For objective 2, changing the website hosted by the terminal, you can use the backdoor access made by ProFTPD again.

This is the hosted file
Run ls to list the folders, then cd /var/www/html.

/var/www/html contains the files that are hosted on the Ubuntu terminal.

Run ls again and you should see the file index.html.

index.html is the file that was hosted by the Ubuntu terminal. To change the content of the file, you can simply use an echo command. In this case, we will be using my placeholder HTML file.

Echo command

This command pretty much overwrites the file content using the echo command.

Upon checking it via a web browser, this is the output.

Before
After

For objective 3, we will be adding a new user. Once again, we will be using the ProFTPD root backdoor. In this situation, we will use the adduser command.

adduser command

Upon checking the login screen, my newly created account is there.
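From the defender's side, each of the three optional objectives leaves a trace: a changed password hash, a modified index.html and a new account. The sketch below is an added example, not part of the original writeup; it compares a baseline snapshot with the current state using constructed sample data, and the account name newuser and all hash values are placeholders.

```python
import hashlib

# Constructed sample snapshots (not taken from the target VM): file path -> contents.
BASELINE = {
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\nmarlinspike:x:1000:1000:,,,:/home/marlinspike:/bin/bash\n",
    "/etc/shadow": "root:!:17484:0:99999:7:::\nmarlinspike:$6$saltA$hashA:17484:0:99999:7:::\n",
    "/var/www/html/index.html": "<html><body><h1>It works!</h1></body></html>\n",
}
CURRENT = {  # same host after the three objectives; "newuser" is a hypothetical name
    "/etc/passwd": BASELINE["/etc/passwd"] + "newuser:x:1001:1001:,,,:/home/newuser:/bin/bash\n",
    "/etc/shadow": "root:!:17484:0:99999:7:::\nmarlinspike:$6$saltB$hashB:19634:0:99999:7:::\n"
                   "newuser:$6$saltC$hashC:19634:0:99999:7:::\n",
    "/var/www/html/index.html": "<h1>placeholder</h1>\n",
}

def fields(text, idx):
    """Map the first colon-separated field (user name) to field `idx` of each line."""
    rows = (line.split(":") for line in text.splitlines() if line and not line.startswith("#"))
    return {r[0]: r[idx] for r in rows if len(r) > idx}

def sha256(text):
    # A real baseline would store only this digest, not the file contents.
    return hashlib.sha256(text.encode()).hexdigest()

def audit(baseline, current, web_file="/var/www/html/index.html"):
    """Return (finding, subject) tuples for changes between two snapshots."""
    findings = []
    old_uid, new_uid = fields(baseline["/etc/passwd"], 2), fields(current["/etc/passwd"], 2)
    for user in sorted(new_uid.keys() - old_uid.keys()):      # objective 3: adduser
        findings.append(("new_account", user))
    for user, uid in sorted(new_uid.items()):                 # any second root-equivalent account
        if uid == "0" and user != "root":
            findings.append(("extra_uid0_account", user))
    old_pw, new_pw = fields(baseline["/etc/shadow"], 1), fields(current["/etc/shadow"], 1)
    for user in sorted(old_pw.keys() & new_pw.keys()):        # objective 1: passwd
        if old_pw[user] != new_pw[user]:
            findings.append(("password_changed", user))
    if sha256(baseline[web_file]) != sha256(current[web_file]):  # objective 2: echo > index.html
        findings.append(("web_content_modified", web_file))
    return findings

if __name__ == "__main__":
    for kind, subject in audit(BASELINE, CURRENT):
        print(f"{kind}: {subject}")
```

The baseline has to be captured before exposure and stored off the host, since a root shell can rewrite anything kept locally.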

At this point, we pretty much did the main objective and some optional objectives on the side. Let me know if you have any questions about my approach.

PERSONAL NOTES:

  • As my mentors from TrendMicro once said, Google is Your Friend (GIYF).
  • Also, please check TCM Security’s Practical Ethical Hacking (PEH) Course. I use the guide for any particular techniques and tools in Pentesting.
