VulnHub-Basic Pentesting 1 Write-Up

BP1

Reconnaissance

I first needed to figure out what IP the box was. I could’ve used netdiscover but I opted to just open a guest session on the box and run ifconfig. (cheap, I know)

ifconfig

Now that I got the IP, I went ahead and ran a nmap scan to find out what ports/services were showing as up.

nmap

The nmap scan showed me that ftp, ssh, and http were all running. I decided to go with http and do some enumeration from there.

Enumeration

website

Now to use dirbuster to see what sort of directories I can brute force.

dirbuster

So the /secret directory gave a 200 response. When I went to it, I kept seeing several references to a vtcsec domain that I clearly did not have access to. I decided to add it to my /etc/hosts file to get access.

vtcsec

Here we have a basic Wordpress site. I decided to try to get to the wp-admin page and try to get in with default admin creds. (admin/admin) Which worked. This gave me the data I needed in order to try to attempt to exploit the creds to get access to the box. Doing basic OSINT on the page, I discovered it’s using Wordpress 4.9 plugin. I did a quick google search to find exploits and found a wp-admin-shell-upload exploit via Metasploit so I fired up msfconsole.

wordpress

Exploitation

Exploit Exploit

Post-Exploitation

The exploit worked and I was able to get a shell and find out some info about the system. Using this info I decided to get to the /etc/passwd file and see if I can do some privilege escalation.

Post-Exploit

The file permissions are set to 664 so I should be able to download the /etc/passwd file, change the root user password to something I know and write it back.

Post-Exploit

I changed the password to “gotcha” and attempted to write it back.

Post-Exploit

I should have write access to the file but it wasn’t working and after a few days of rumbling and fumbling through google about the error, I decided that to check the marlinspike user to see if he had superuser privileges.

I opened a shell and checked if he was a sudo user and he was!

Post-Exploit

Post-Exploit

I spawned a terminal and got root. Whew. Such a n00b. But it’s complete.

*Sidenote: I could’ve used the ProFTPd exploit but I wanted something more challenging. This took me a few days due to running into some walls. But I’ll get better with practice.

Result Analysis

In a nutshell, I used the WordPress default creds to exploit the box.

Written on January 20, 2020