Basic Pentesting: 1 Walkthrough — Vulnhub

This time I’m focusing on another little-widdle challenge aimed at 3̶1̶3̶3̶7̶ ̶H̶4̶x̶0̶r̶z ̶ beginners:

So, let’s hit the gas with an nmap scan. We are using the following command:

nmap -p- -sS -Pn -n -vvv -oA nmap-host-ports

Now, what do all those options mean?

-p-    Scan all ports (1 to 65535; port 0 is not scanned)
-sS    Perform a SYN scan (a "half-open" scan, often called a stealth scan)
-Pn    Skip host discovery and treat every host as up, so it is scanned regardless of whether it answers a ping
-n     Skip DNS resolution
-vvv   Be very verbose and show ports and hosts as they are found
-oA    Save the output in all available formats (just in case)

And here is what we got:

So we have 3 services running on this machine. Now let’s gather more in-depth info about the OS and the services:

This time the command includes just the ports we know are running services and the following options:

-O    OS detection
-sV Service version scan

After reading the scan results I go for the HTTP service first. In the browser I see this:

That’s the default page for the server. This site is not being maintained for sure!

As I don’t see anything interesting on that page, I now use ZAP to run a dictionary attack looking for valid URLs within the site. After a couple of minutes I find:

This “secret” page looks pretty messy!!

I start looking for clues here and, eventually, I find the reason why it looks like this: all the links of the blog refer to a domain called “vtcsec”, but it seems to be down. Maybe this machine was meant to be the “vtcsec” host. So, in order to see the blog with all its content loaded properly, I add an entry for vtcsec to my hosts file and try again:

Now, let’s give it a shot!

This looks much better now!

By now I’m running the spider in ZAP and trying to guess some valid URLs. Luckily for me this is a WordPress blog (as you can clearly read in the last image) and the default login URL is available. And… you know what the credentials for the admin account are? admin/admin.

Now that we have admin access on the WordPress site we can use Metasploit to generate a plugin that spawns a shell when invoked. The module is called wp_admin_shell_upload (pretty self-explanatory). Here’s a screenshot of the exact options I used:

Once inside the box I check the privileges that I have and look for interesting files:

Using the unix-privesc-check script we can auto-magically check for privilege misconfigurations:

Sadly, this machine has loose permissions on the passwd file. This allows us to download the passwd file to our machine, modify the root password entry and upload the modified version of the file, replacing the original and thus gaining root access:
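As an added defensive check that is not part of the original walkthrough: a small Python audit that flags the conditions this escalation relies on (a group- or world-writable passwd file, a password hash or empty password stored directly in passwd instead of shadow, and any extra UID-0 account). The sample passwd content below is constructed for the example, not taken from the machine.

```python
import os
import stat

# Constructed sample /etc/passwd (not from the target): "root" carries an
# inline crypt-style hash instead of the "x" shadow marker, and "backdoor"
# is a second account with UID 0.
SAMPLE_PASSWD = """root:$6$constructedsalt$constructedhashvalue:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
alice:x:1000:1000:alice,,,:/home/alice:/bin/bash
backdoor:x:0:0::/root:/bin/bash
"""

# Values in the password field that mean "no usable password stored here".
SHADOWED_OR_LOCKED = ("x", "*", "!", "!!")


def audit_passwd(content: str, mode: int) -> list[str]:
    """Return a list of human-readable findings for passwd text and its file mode."""
    findings = []
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"passwd file is group/world writable (mode {mode & 0o777:o})")
    for lineno, line in enumerate(content.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"line {lineno}: malformed entry ({len(fields)} fields)")
            continue
        user, pw, uid, _gid, _gecos, _home, _shell = fields
        if pw == "":
            findings.append(f"line {lineno}: {user} has an empty password field")
        elif pw not in SHADOWED_OR_LOCKED:
            findings.append(f"line {lineno}: {user} has a password hash stored in passwd instead of shadow")
        if uid == "0" and user != "root":
            findings.append(f"line {lineno}: {user} has UID 0 (extra root account)")
    return findings


def audit_passwd_file(path: str = "/etc/passwd") -> list[str]:
    """Audit a real passwd file on the local host."""
    st = os.stat(path)
    with open(path, encoding="utf-8") as f:
        return audit_passwd(f.read(), st.st_mode)


if __name__ == "__main__":
    # Run against the constructed sample with a world-writable mode (0666).
    for finding in audit_passwd(SAMPLE_PASSWD, 0o100666):
        print(finding)
```

Running audit_passwd_file() on a host where unix-privesc-check reported a writable passwd file reproduces the same finding, plus any hash or UID-0 entries already planted in it.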

Hope you enjoyed this one! Until next time
