This walkthrough covers Basic Pentesting: 1, a Vulnhub machine made by Josiah Pierce. It contains multiple remote vulnerabilities and multiple privilege escalation vectors. For more details or to download the machine, go here.
Scan the entire network with an nmap ping scan to find the live machines on the network.
My target IP address was "192.168.56.105". I used nmap to find the open ports on the target, and here is what we got:
So we have found 3 open ports running the FTP, SSH, and HTTP services on the target.
I will start with the HTTP service.
Nothing is interesting on this page, so I will look for subdirectories on the target using the dirbuster tool, which comes pre-installed on Kali Linux.
After a couple of minutes, I got a valid URL: https://192.168.56.105/secret/
After visiting the URL, I observed that all the links referred to a domain called "vtcsec", but it seemed to be down. I think this machine is meant to be the "vtcsec" host, so to see this blog with its full content, I'll add "vtcsec" to my hosts file and try again.
So, add the target IP address and the host name "vtcsec" to the hosts file, which is located at /etc/hosts.
After the page loaded, it looked good now!!!
Then I tried to visit the target's admin page using the default username and password "admin:admin".
Boom!!! The username and password were correct. Now we have admin access to the WordPress site.
So I used Metasploit to generate a plugin that spawns a shell, which gives a remote connection to the target. The module we used was wp_admin_shell_upload. Here's a screenshot of the exact options I used:
After getting the meterpreter session, I tried for an interactive shell by running the Python one-liner python -c 'import pty;pty.spawn("/bin/bash")'. Before executing it, check that Python is installed on the target with the command "which python".
Still, I hadn't reached root, so I went back to the meterpreter session.
I checked the file permissions of /etc/passwd and found that the file had read and write permission, which means I can modify a user to gain root privileges.
I downloaded the passwd file to my machine, into the /home/vulnhub directory.
To generate an encrypted password, I used openssl with the MD5-based algorithm (-1): "openssl passwd -1 <password>".
Once I had the encrypted password, I opened the passwd file and replaced the root user's password with the new one generated by openssl.
After modifying the passwd file, I uploaded it back to the target machine.
It asks for the root password. I gave "hello", the password whose hash I had generated with openssl. Yeah, we successfully got root privileges on the target.
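A defender-side check for the weakness used in the last steps (an /etc/passwd that is writable by non-root users and carries a password hash in its second field), as an added example that is not part of the original walkthrough. It goes slightly beyond the case above by also flagging extra UID 0 accounts; the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a passwd-format file for the misconfiguration
# described in the walkthrough. Function names are hypothetical.

# Accounts whose password field is not a shadow placeholder ("x") or a
# lock marker ("*", "!..."): a hash or an empty field is honoured at login.
passwd_embedded_hashes() {
    awk -F: '$2 != "x" && $2 != "*" && $2 !~ /^!/ { print $1 }' "$1"
}

# Accounts other than root that carry UID 0.
passwd_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# True (0) when group or others hold write permission on the file.
passwd_loosely_writable() {
    case $(ls -ld -- "$1" | cut -c6,9) in
        *w*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print one line per finding; return 1 if anything was found.
audit_passwd() {
    f=$1; rc=0
    if passwd_loosely_writable "$f"; then
        echo "FINDING: $f is writable by group or others"; rc=1
    fi
    for u in $(passwd_embedded_hashes "$f"); do
        echo "FINDING: $u has a hash or empty password field in $f"; rc=1
    done
    for u in $(passwd_extra_uid0 "$f"); do
        echo "FINDING: $u is a non-root account with UID 0"; rc=1
    done
    return $rc
}

# Constructed sample input; on a real host pass /etc/passwd instead.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:$1$constructed$NotARealHashJustASample000:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
extra:x:0:0::/root:/bin/bash
EOF
chmod 666 "$sample"
audit_passwd "$sample" || echo "Expected state: owner root:root, mode 644, every password field 'x'"
rm -f "$sample"
```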