Explore the Basic Pentesting series with a walkthrough of the Basic Pentesting: 2 Vulnhub Machine created by Josiah Pierce. This machine features several remote vulnerabilities and numerous privilege escalation vectors.
LET’S GET STARTED!!!
nmap -A -sV -P -T4 192.168.1.9
The scan revealed the following ports and associated services:
- Port 22/tcp — SSH — (OpenSSH 7.2p2 Ubuntu)
- Port 80/tcp — HTTP — (Apache httpd 2.4.18)
- Port 445/tcp — Netbios-ssn — (Samba smbd 4.3.11-Ubuntu)
Let’s check the HTTP service.
The page itself shows nothing interesting, so I will enumerate the target’s subdirectories with DirBuster (run here as dirb), which comes pre-installed on Kali Linux.
dirb http://192.168.1.9/
The scan reveals a directory named ‘development’. Opening https://192.168.1.9/development/ in the browser shows two text files: ‘dev.txt’ and ‘j.txt’.
The note reveals that ‘J’ has a weak password hash that can be cracked easily. Knowing that ‘J’ uses a weak password does not help much without the full username, so another route is needed. The nmap scan showed that the SMB service is active over NetBIOS, so we will enumerate it with a tool named “enum4linux,” which comes pre-installed on Kali Linux.
Enum4linux is an enumeration tool that detects and extracts information from Windows systems and Samba (SMB) hosts on a network.
enum4linux 192.168.1.9
The scan returned two usernames: kay and jan.
hydra -l jan -P /usr/share/wordlists/rockyou.txt 192.168.1.9 ssh
And we got the password: armando
Now let’s log in to the target’s SSH service as jan, using the password armando.
ssh jan@192.168.1.9
id
pwd
cd ..
ls
cd kay/
ls -lah
We are now on the target, but as you can see the user jan is not the root user on the machine.
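From the defender’s side, the sequence just shown (a burst of failed SSH passwords from one address, then a successful login from the same address) is exactly what an auth.log detector should catch. The following Python script is an added example, not part of the original walkthrough: it replays constructed auth.log lines in the syslog format OpenSSH on Ubuntu 16.04 writes, flags a source address once five failed passwords land inside a sliding 60-second window, and records any account that then logs in from that address. The log lines, the assumed year and the client addresses 192.168.1.20 and 192.168.1.55 are all constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed /var/log/auth.log excerpt in the syslog format OpenSSH on Ubuntu 16.04
# writes; the client addresses 192.168.1.20 and 192.168.1.55 are made up.
SAMPLE_AUTH_LOG = """\
Mar 10 14:02:11 ubuntu sshd[1201]: Failed password for jan from 192.168.1.20 port 51000 ssh2
Mar 10 14:02:12 ubuntu sshd[1203]: Failed password for jan from 192.168.1.20 port 51002 ssh2
Mar 10 14:02:12 ubuntu sshd[1205]: Failed password for jan from 192.168.1.20 port 51004 ssh2
Mar 10 14:02:13 ubuntu sshd[1207]: Failed password for jan from 192.168.1.20 port 51006 ssh2
Mar 10 14:02:14 ubuntu sshd[1209]: Failed password for jan from 192.168.1.20 port 51008 ssh2
Mar 10 14:05:30 ubuntu sshd[1300]: Accepted password for jan from 192.168.1.20 port 51200 ssh2
Mar 10 14:10:00 ubuntu sshd[1400]: Failed password for kay from 192.168.1.55 port 40000 ssh2
Mar 10 14:40:00 ubuntu sshd[1500]: Accepted password for kay from 192.168.1.55 port 40010 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

def parse_events(log_text, year=2024):
    """Return sorted (timestamp, result, user, ip) tuples; syslog omits the year, so one is assumed."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # other sshd/PAM lines are not password events
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return sorted(events, key=lambda e: e[0])

def find_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag IPs with >= threshold failures in a sliding window, plus later successful logins."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    failed = defaultdict(int)    # ip -> total failed passwords seen
    alerts = {}                  # ip -> {"logins_after_burst": [users]}
    for ts, result, user, ip in parse_events(log_text):
        if result == "Failed":
            failed[ip] += 1
            recent[ip].append(ts)
            while (ts - recent[ip][0]).total_seconds() > window_seconds:
                recent[ip].popleft()
            if len(recent[ip]) >= threshold:
                alerts.setdefault(ip, {"logins_after_burst": []})
        elif ip in alerts and user not in alerts[ip]["logins_after_burst"]:
            alerts[ip]["logins_after_burst"].append(user)
    return {ip: {"failed": failed[ip], **a} for ip, a in alerts.items()}
```

On the sample above only 192.168.1.20 is flagged, with jan listed as the account that logged in after the burst; the single failure from 192.168.1.55 stays below the threshold.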
find / -perm -4000 2>/dev/null
/usr/bin/vim.basic has the SUID bit set, so vim runs with its owner’s privileges even when launched by an unprivileged user, which lets us read and write sensitive files that jan could not otherwise touch.
Using vim to read the pass.bak file:
vim pass.bak
su kay
password: heresareallystrongpasswordthatfollowsthepasswordpolicy$$
ls
cat pass.bak
sudo su
cd /root/
ls
cat flag.txt
Yayyy!! We got the flag.