Basic Pentesting 1 Walkthrough

Updated On: 01/18/2019

This is another VulnHub walkthrough and you can download it here. This box was specifically created for anyone who wants to get into pentesting and practice some simple exploits. Typically, the process begins with reconnaissance and (hopefully) ends with a root shell.

Powering up the VM

bpt1 desktop view

Honestly, every time I start up one of these, I take a look at the desktop and try to login from there. I know this may be unconventional, but if a real hacker had access to your laptop, wouldn't they do the same thing? Either way, I like to try the typical bad passwords, such as "password", "123456", "admin", "root", and varieties of those. I also try the username as a password. Surprisingly enough, "marlinspike" worked as the password.

bpt1 logged in view

Well, that was easy. I guess we're done right? (I'm joking) This should be a good note though, that trying the basic stuff is always a good way to start. Let's move on to actually attacking the box from my Kali VM.

Initial Scan

nmap results

To clarify the nmap command above, the -sV parameter will show us the versions of the services running on each port and the -p parameter specifies what ports need to be scanned because by default, nmap will only scan the 1000 most popular ports, versus all of them. As you can see from the results, this box has 3 ports open: 21 for FTP, 22 for SSH, and an HTTP server on port 80.

Port 21 - FTP

My first step is to always research what vulnerabilities or exploits are available for a particular service version. In this case, there was an existing Metasploit module that runs a backdoor RCE (remote code execution).

ftp exploit

The set up for this exploit is pretty simple, you just power on Metasploit and enter the targets IP address for RHOST.

ftp shell

Nice, we got our first root shell. The python command allows you to break out of the simple shell to a more interactive one. For reference, I often use this link if I ever need to break out of a dummy shell.

It looks like our initial foothold was pretty easy to obtain, let's move on to another vector.

Port 22 - SSH

This box is running OpenSSH 7.2. Unfortunately, the only exploits available for this version are a username enumeration script (which can be useful, but Metasploit already has a generic auxiliary scanner for that) and a remote DoS (Denial of Service) which isn't applicable here since we're working in a sandboxed environment. I was curious to see what SSH usernames were on the box, so I opted to try the generic Metasploit auxiliary scanner.

ssh scanner

I thought I took a screenshot showing how I configured it, but I guess not. I just set the RHOST as the target IP address, increased the THREADS to 3 so the scanner would run faster, and used the unix_users.txt file for USER_FILE, which was located where all of the other default wordlists files are on Kali. Unfortunately, the scanner only showed system accounts, which are typically locked (I'll spare you from searching, they were locked in this particular case as well) and henceforth, we are unable to log in that way. However, if you remember from earlier, we found "marlinspike" as a user, so we can log in as this user and attempt to escalate to root this way.

ssh login

Once I logged in, the first thing I check is to see if I can view the /etc/passwd, /etc/group, and /etc/shadow files.

etc group

It appears that "marlinspike" is part of an admin group, let's try /etc/shadow next.

etc shadow

This is promising, I can see all of the sensitive files. On a whim, I attempted to change the root users password by using the sudo command.

sudo root

So l337, much w0w (I'm being sarcastic). This goes to show that when creating a system, you need to be careful with your file and user permissions.

This leaves us with one vector left and it was certainly the most interesting one to me.

Port 80 - HTTP Server

The nmap scan revealed that there is an Apache server on port 80, so I pulled up the server on my browser.

default page

There isn't much going on the base page of this site, so I decided to use dirb to see if I could find any directories worth looking at.

dirb

Well, well, we have a directory called /secret/, I wonder what it could be...

secret

I'm not going to lie, for a secret blog, this looks pretty terrible. I did notice, however, after clicking around (I was trying to access the login page), that the site was being redirected to "vtcsec". This is an easy fix; all you have to do is go into your /etc/hosts file on your Kali box and add the host on there so the page would stop redirecting.

etc hosts

Note: you'll see a different IP address here than in my initial nmap scan. I was having some issues with my internal network so I made a new one, hence the IP address being different.

After editing your /etc/hosts file, make sure to run the "service networking restart" command to restart your network for the changes to take effect.

fixed web page

Now the website renders correctly and we can see that we have a Wordpress blog (awesome, Wordpress is notorious for having multiple vulnerabilities).

wp login

Remember what I said earlier about trying the easy stuff first? Well, guess what username/password combination worked to get on to the back end of the Wordpress blog? It was "admin/admin". There are ways to test for this with a Wordpress username enumeration script, but I just wanted to try something simple first and got lucky.

admin dashboard

I poked around the dashboard for a bit, it seems that they are using Wordpress version 4.9, so I researched some exploits for it. I found the Metasploit module that uploads a shell if you know the admin credentials, but as I mentioned earlier, I was having network issues so the exploit wasn't working for me. (I did get it to work later though, and you can scroll down to the end to see that).

wpscan

With this in mind, I took a slightly different route with this vector. First, I powered up wpscan to see what specific vulnerabilities existed on this site. One that sparked my interest, was a PHP object injection, similar to the Metasploit module that already existed.

php vuln

I could type out all of the commands I used to do this, but it's better for you to just reference this website, which is exactly what I used to run this exploit. I did want to note that I downloaded the shell by using the FTP exploit from before, which you can see in the screenshot below.

shell upload

Once the shell is uploaded, our Metasploit listener will spawn the meterpreter shell.

meterpreter shell

This shell also gives us root access to the machine, so now we have two different root shells running.

I wanted to quickly loopback to the wp_admin_shell_upload Metasploit module that wasn't working for me earlier.

wp module

This was the configuration that I used to run the module.

wp run module

So this one actually spawns a "www-data" shell, so I would have to escalate this. First, I want to break out of the meterpreter shell by using that same Python command as before.

break out

Since I did this at the very end, I had already changed the root password so it was just a matter of logging in as root to escalate this shell.

final root

I did want to note, if you didn't have access to root already, you could escalate this a different way. Since the permissions are pretty loose on the /etc/passwd file, you could:

Here's a good reference link on how to do option b.

Those were just some ideas off of the top of my head, I'm sure if you explore further, you may find another way to do it. Overall, I did find this as a good intro box to work with, although I'm pretty sure that my php exploit was over the top for a "basic" exploit, but at least I learned something new.