This time I’m focusing on another little-widdle challenge aimed at 3̶1̶3̶3̶7̶ ̶H̶4̶x̶0̶r̶z ̶ beginners:
Basic Pentesting: 1 ~ VulnHub
Basic Pentesting: 1, made by Josiah Pierce. Download & walkthrough links are available.
So, let’s hit the gas with an nmap scan. We are using the following command:
nmap -p- -sS -Pn -n -vvv -oA nmap-host-ports 192.168.1.5
Now, what do all those options mean?
-p- Scan all ports (actually 1 to 65535; port 0 is not scanned)
-sS Perform a SYN scan (a half-open scan, sometimes called a stealth scan)
-Pn Skip host discovery and treat the target as online, so it is scanned even if it does not answer pings
-n Skip DNS resolution
-vvv Be super verbose and show ports and hosts as they are found
-oA Save the output in all the available formats (just in case)
And here is what we got:
So we have 3 services running on this machine. Now let’s gather more in-depth info about the OS and the services:
This time the command includes just the ports we know are running services and the following options:
-O OS detection
-sV Service version scan
After reading the scan results I go for the HTTP service first. In the browser I see this:
That’s the default page for the server. This site is not being maintained for sure!
As I don’t see anything interesting on that page, I now use ZAP to run a dictionary attack looking for valid URLs within 192.168.1.5:80. After a couple of minutes I find 192.168.1.5:80/secret :
I start looking for clues here and, eventually, I find the reason why it looks like that: all the links in the blog point to a domain called “vtcsec”, but it seems to be down. Maybe this machine was meant to be the “vtcsec” host. So, in order to see the blog with all its content loaded properly, I add an entry for vtcsec to my hosts file and try again:
Now, let’s give it a shot!
This looks much better now!
By now I’m running the spider in ZAP and trying to guess some valid URLs. Luckily for me this is a WordPress blog (as you can clearly read in the last image), and the default login URL is available. And… do you know what the credentials for the admin account are? admin/admin.
Now that we have admin access to the WordPress site, we can use Metasploit to generate a plugin that spawns a shell when invoked. The module is called wp_admin_shell_upload (pretty self-explanatory). Here’s a screenshot of the exact options I used:
Once inside the box I check the privileges that I have and look for interesting files:
Using the unix-privesc-check script we can auto-magically check for privilege misconfigurations:
Sadly, this machine has loose permissions on the passwd file. This allows us to download the passwd file to our machine, modify the root password entry, and upload the modified file over the original, thus gaining root access:
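The loose permissions that end this walkthrough are a one-line fix for an administrator, but they are worth checking routinely rather than waiting for a privesc script to flag them. The following audit is an added example, not part of the original post or of unix-privesc-check: it reports wrong ownership and group/world write bits on the account database files (and world-read on the shadow files). It assumes GNU stat on Linux; EXPECT_OWNER, AUDIT_FILES and the function names are my own.

```shell
#!/bin/sh
# Added example: audit ownership and permission bits of the account database
# files, the misconfiguration this box is rooted through.
# Assumes GNU coreutils stat (Linux). EXPECT_OWNER and AUDIT_FILES are names
# chosen for this example; the defaults reflect a standard Debian/Ubuntu layout.

audit_file() {
    # Prints one line per finding; returns 0 if the file is safe, 1 otherwise.
    f=$1; bad=0
    expected_owner=${EXPECT_OWNER:-root}
    [ -e "$f" ] || { echo "MISSING $f"; return 1; }
    mode=$(stat -c '%a' "$f")      # octal bits, e.g. 644 or 4755
    owner=$(stat -c '%U' "$f")
    # Pad to at least three digits and keep the last three, so a setuid/sticky
    # prefix (4755) or a stripped file (mode 0) does not confuse the tests.
    perm=$(printf '%03d' "$mode" | tail -c 3)
    oth=${perm#??}                 # last digit: other
    grp=${perm#?}; grp=${grp%?}    # middle digit: group
    if [ "$owner" != "$expected_owner" ]; then
        echo "OWNER   $f owned by $owner, expected $expected_owner"; bad=1
    fi
    # The write bit is 2 in each octal digit.
    if [ $((oth & 2)) -ne 0 ]; then echo "WRITE   $f is world-writable ($mode)"; bad=1; fi
    if [ $((grp & 2)) -ne 0 ]; then echo "WRITE   $f is group-writable ($mode)"; bad=1; fi
    # shadow and gshadow hold password hashes and must not be world-readable.
    case "$f" in
        */shadow|*/gshadow)
            if [ $((oth & 4)) -ne 0 ]; then echo "READ    $f is world-readable ($mode)"; bad=1; fi ;;
    esac
    return $bad
}

audit_all() {
    # Audits every path given; returns 0 only if all of them are safe.
    rc=0
    for p in "$@"; do audit_file "$p" || rc=1; done
    return $rc
}

# Standalone run: defaults to the usual account files, override with AUDIT_FILES="..."
audit_all ${AUDIT_FILES:-/etc/passwd /etc/shadow /etc/group /etc/gshadow} \
    && echo "OK: account database files are correctly protected"
```

A non-zero exit (and the printed findings) is what you would alert on from a cron job or a configuration-management check.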
Hope you enjoyed this one! Until next time