Today we are going to take another CTF challenge known as Basic Penetration. The credit for making this VM machine goes to “Josiah Pierce” and it is another boot2root challenge where we have to root the server to complete the challenge. You can download this VM here.
Security Level: Beginner
Penetrating Methodology:
1. Scanning
   · Netdiscover
   · NMAP
2. Enumeration
   · Web directory search
   · Credential harvesting
3. Exploiting
   · Metasploit shell upload
   · LinEnum.sh
4. Privilege Escalation
   · Exploit sudo rights
Walkthrough:
1. Scanning:
Let’s start off by scanning the network and identifying the host IP address. Using Netdiscover we identify our target’s IP as 192.168.1.100.
netdiscover
Then we used Nmap for port enumeration and found that ports 21 (ftp), 22 (ssh) and 80 are open on the target.
nmap -A 192.168.1.100
2. Enumeration:
As we can see port 80 is open, so we tried opening the IP address in our browser, but we didn’t find anything on the webpage. So we used dirb for directory enumeration.
After brute forcing with dirb we found a directory named /secret.
Now we tried to open it in our browser and came to know that the website is a WordPress site.
We tried to open the admin page 192.168.1.100/secret/wp-admin but it wouldn’t open; we got redirected to the URL which you can see in the screenshot. Then we added an entry mapping vtcsec to 192.168.1.100 in our hosts file.
Now we were able to access the admin page.
3. Exploiting:
We tried some basic credential combinations commonly used in WordPress and found that admin:admin worked for us.
Then we used Metasploit to upload a shell through the WordPress admin interface using the above credentials and waited for a meterpreter session.
use exploit/unix/webapp/wp_admin_shell_upload
set username admin
set password admin
set targeturi /secret/
set rhosts 192.168.1.100
run
We successfully got a meterpreter session.
We then uploaded the LinEnum.sh script to check whether password hashes are stored in /etc/passwd and to attempt to read restricted files, i.e. /etc/shadow.
Here we can see that /etc/shadow is readable by every user on the system.
After opening the /etc/shadow file we can see there is a user with the name marlinspike.
We downloaded this shadow file to our local system and used John the Ripper to crack the password.
We found that the password for the user marlinspike is marlinspike.
4. Privilege Escalation:
Now we log in as marlinspike.
We checked the sudoers list and found that we have full access as root, so we used sudo to become the superuser.
Great! We have successfully completed our challenge, as we were able to access the target as the root user.
su marlinspike
sudo -l
sudo su
id
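The two weaknesses that made the last steps trivial, a world-readable /etc/shadow and a sudoers rule granting a plain user unrestricted root, are easy to audit for. The script below is an added example written for this walkthrough, not part of the original post or the VM; it takes the mode string and sudoers text as inputs so it can run offline on constructed samples (the sample sudoers line for marlinspike is an assumption about what the box contained).

```shell
#!/bin/sh
# Audit for the two misconfigurations this box relied on. On a real host, feed
# other_can_read the output of `stat -c %a /etc/shadow` and sudo_all_users the
# contents of /etc/sudoers (and /etc/sudoers.d/*).

# Returns 0 (true) when the octal mode gives the "other" class read access.
other_can_read() {
    mode=$1
    other=${mode#"${mode%?}"}        # last octal digit = permissions for "other"
    case "$other" in
        4|5|6|7) return 0 ;;
        *)       return 1 ;;
    esac
}

# Prints each non-root user (groups and aliases skipped) whose sudoers rule is
# "<user> ALL=(ALL...) ... ALL", i.e. unrestricted root via sudo.
sudo_all_users() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*(#|$)/                          { next }   # comments, blanks
        $1 == "root" || $1 ~ /^%/ || $1 ~ /^Defaults/ { next }   # root, groups, defaults
        $2 ~ /^ALL=\(ALL(:ALL)?\)$/ && $NF == "ALL"   { print $1 }'
}

# Runs both checks, prints one finding per line, returns 1 if anything was found.
audit_host() {
    shadow_mode=$1
    sudoers_text=$2
    findings=0
    if other_can_read "$shadow_mode"; then
        echo "FINDING: /etc/shadow mode $shadow_mode is world-readable (expected 640 root:shadow)"
        findings=1
    fi
    for u in $(sudo_all_users "$sudoers_text"); do
        echo "FINDING: user $u has unrestricted sudo to root"
        findings=1
    done
    return $findings
}

# Constructed sample inputs mirroring the walkthrough (not captured from the VM).
SAMPLE_SHADOW_MODE="644"
SAMPLE_SUDOERS='# constructed /etc/sudoers excerpt
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
marlinspike ALL=(ALL:ALL) ALL'

audit_host "$SAMPLE_SHADOW_MODE" "$SAMPLE_SUDOERS" || echo "host needs hardening"
```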
Auqib Wani is a Certified Ethical Hacker, Penetration Tester and a Tech Enthusiast with more than 5 years of experience in the field of Network & Cyber Security.