
Basic Pentesting 1 Walkthrough

WARNING: There will be spoilers to Basic Pentesting 1 VM from Vulnhub. This is your warning! If you wish to penetration test this machine, do not scroll down much further.

The Basic Pentesting 1 VM download from Vulnhub can be found here: https://www.vulnhub.com/entry/basic-pentesting-1,216/

Here's the basic description:

This is a small boot2root VM I created for my university’s cyber security group. It contains multiple remote vulnerabilities and multiple privilege escalation vectors. I did all of my testing for this VM on VirtualBox, so that’s the recommended platform. I have been informed that it also works with VMware, but I haven’t tested this personally.

This VM is specifically intended for newcomers to penetration testing. If you’re a beginner, you should hopefully find the difficulty of the VM to be just right.

Your goal is to remotely attack the VM and gain root privileges. Once you’ve finished, try to find other vectors you might have missed! If you enjoyed the VM or have questions, feel free to contact me at: josiah@vt.edu

If you finished the VM, please also consider posting a writeup! Writeups help you internalize what you worked on and help anyone else who might be struggling or wants to see someone else’s process. I look forward to reading them!

1. Service Enumeration

Using the following nmap command:

nmap -O -A -sT -sV -p- -T5 192.168.1.25 -vvv

we get the following interesting output:

PORT   STATE SERVICE REASON  VERSION
21/tcp open  ftp     syn-ack ProFTPD 1.3.3c
22/tcp open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d6:01:90:39:2d:8f:46:fb:03:86:73:b3:3c:54:7e:54 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVPefz9pE0ykT66eeP8gZ1P/Op3xChGFJa8il0KwqpmaMSJIUdOnPy8n1FSDKvs3MagCwVCKMQGLYlNTJ8kabXwl+8ULz9FPfTHG2U3v/n3NyPgVtmSgU88n4yjfVcwJbf4ZvSoccCnGjCqizpkjQmAlZ/ETRX3h70BwZdm00u7Gtpn/eYljlIjgcgJmHkunJ08M1B87CMwBkqBdvjypx0Vw/Ku2KnZa16MHlMegHOrX4rvopdLQXDtlFgqGtBxJmyWoh5eURKDlblgtpurOy1rPW4Tcsse7WOUoI1xE9KHzh/sH75OJu49d8RfYwULKpLUbcV7rwv82kaaGigBUxx
|   256 f1:f3:c0:dd:ba:a4:85:f7:13:9a:da:3a:bb:4d:93:04 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBO1BUhTxlxa/Wbwk2lRzqdjGVz+B+e9/K6jA1eZLM1cudzOck7TdtPTuup5QteLjG1lytX2Sirn7ZUuULeOsJrM=
|   256 12:e2:98:d2:a3:e7:36:4f:be:6b:ce:36:6b:7e:0d:9e (EdDSA)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPiFdk1m+7FhiWVNHn0M1mSu8cOoPXGjXXpRFQU7c0M
80/tcp open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:14:06:50 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X

So we know this system has three services running: FTP, SSH, and HTTP.

2. FTP Enumeration

I did not explore this route. However, it is a valid attack vector, given that ProFTPD 1.3.3c has a few exploits and working proofs of concept available on Exploit-DB.

3. Web Enumeration

Using Nikto, we found a /secret directory:

[Screenshot: Nikto output]

which hosts a WordPress installation.

I typically give credentials like admin:admin or admin:password a shot just for the heck of it. It turns out this WordPress installation used admin for both the username and the password.

However, if you were to run a Hydra scan with the following command:

hydra -l admin -P /root/Desktop/rockyou.txt 192.168.1.25 -V http-post-form '/secret/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location' -t 25

We would find out the password is in fact admin as well:

[Screenshot: Hydra output showing the recovered password]

The password was found on line #19819 of the rockyou dictionary file, if you were wondering!
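A detection-side view of the Hydra run above, added here as an example rather than code from the original walkthrough: it parses Apache access-log lines and flags any source address that POSTs to /secret/wp-login.php more than a threshold number of times within a time window, noting whether a 302 (the redirect WordPress returns on a successful login) followed the burst. The log lines, IP addresses and timestamps are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" access-log line; the sample traffic below is constructed, not real.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "ts": datetime.strptime(m.group("ts"), TS_FMT),
            "method": m.group("method"), "path": m.group("path").split("?", 1)[0],
            "status": int(m.group("status"))}

def find_login_bursts(lines, login_path="/secret/wp-login.php",
                      window=timedelta(seconds=60), threshold=10):
    """Return {ip: (peak_posts_in_window, saw_302)} for IPs that POST to the login
    page more than `threshold` times in any `window`; 302 is WordPress' redirect on success."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] == login_path:
            posts[rec["ip"]].append((rec["ts"], rec["status"]))
    flagged = {}
    for ip, events in posts.items():
        events.sort()
        peak, start = 0, 0
        for end in range(len(events)):  # sliding window over the sorted timestamps
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = (peak, any(status == 302 for _, status in events))
    return flagged

def constructed_sample_log():
    """30 login POSTs in 30 s from one host (the last one succeeds), then one normal login."""
    base = datetime(2018, 1, 15, 10, 0, 0, tzinfo=timezone.utc)
    fmt = '{ip} - - [{ts}] "{m} {p} HTTP/1.1" {st} 3912 "-" "Mozilla/5.0"'
    lines = [fmt.format(ip="192.168.1.10", ts=(base + timedelta(seconds=i)).strftime(TS_FMT),
                        m="POST", p="/secret/wp-login.php", st=302 if i == 29 else 200)
             for i in range(30)]
    later = (base + timedelta(minutes=5)).strftime(TS_FMT)
    lines.append(fmt.format(ip="192.168.1.20", ts=later, m="POST", p="/secret/wp-login.php", st=302))
    lines.append(fmt.format(ip="192.168.1.20", ts=later, m="GET", p="/secret/wp-admin/", st=200))
    return lines
```

Running find_login_bursts(constructed_sample_log()) flags only 192.168.1.10, with 30 POSTs inside the 60 s window and a 302 seen, while the single normal login from 192.168.1.20 stays below the threshold.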

4. Establish a Foothold

Using the Metasploit framework and its console, we select an exploit that automatically uploads a payload for us and gives us a Meterpreter shell. Here is the exploit selected and the options and parameters given to it:

[Screenshot: Metasploit exploit and options]

We retrieve our Meterpreter shell:

[Screenshot: Meterpreter session]

Typing shell at the Meterpreter prompt gives us a very basic shell. To make it a bit more interactive, use the following command:

python -c 'import pty; pty.spawn("/bin/bash")'

5. Privilege Escalation

There are a number of built-in applications and tools in Kali. One of those tools is unix-privesc-check, which checks for a number of different things such as world-writable files, files with the setuid or setgid bit set, and so on.

I took the harder route to get this onto the target system. I could've just used the Meterpreter upload command. That being said, I copied the tool into an Apache service I set up on my Kali box to serve it as the payload, which was then downloaded on the target using wget:

[Screenshot: downloading unix-privesc-check with wget]

When using this tool, it says to grep for WARNING. Doing just that, we find out that the /etc/passwd file is world-writable:

[Screenshot: unix-privesc-check WARNING for /etc/passwd]

Here are those permissions for verification:

[Screenshot: /etc/passwd permissions]

Using the Meterpreter shell, I proceed to download the /etc/passwd file:

[Screenshot: Meterpreter download of /etc/passwd]

I then use openssl to generate a password hash using:

openssl passwd -1

That is the number one, not a lowercase L.

[Screenshot: openssl passwd output]

Grabbing that hash, I then edit the root entry and replace the x in its password field with the hash:

[Screenshot: root entry with the hash in place of x]

Using the Meterpreter shell, I now upload the modified /etc/passwd back to the target machine:

[Screenshot: Meterpreter upload of /etc/passwd]

Using the shell command in Meterpreter and then upgrading to an interactive shell with python, we are able to su to root using the password "password":

[Screenshot: root shell]
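A defensive counterpart to the escalation above, added here as an example and not code from the walkthrough: it audits /etc/passwd both for write permissions and for entries whose password field carries a real crypt hash (such as the $1$ MD5-crypt string that openssl passwd -1 produces) instead of the x that defers to /etc/shadow, and also catches empty password fields and extra UID 0 accounts. The user names, the hash value and the temporary file are constructed.

```python
import os, stat, tempfile

# Password-field values meaning "hash lives in /etc/shadow" or "account locked".
SHADOW_MARKERS = {"x", "*", "!", "!!", "!*"}

def audit_passwd_content(text):
    """Return (line, user, finding) tuples for suspicious /etc/passwd entries."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split(":")
        if len(fields) != 7:
            continue  # blank, comment or malformed line; a stricter audit would flag it
        user, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append((lineno, user, "empty password field"))
        elif pw not in SHADOW_MARKERS:
            # "$1$salt$hash" is MD5-crypt, the format `openssl passwd -1` emits
            kind = "crypt hash in passwd" if pw.startswith("$") else "unexpected password field"
            findings.append((lineno, user, kind))
        if uid == "0" and user != "root":
            findings.append((lineno, user, "extra UID 0 account"))
    return findings

def audit_passwd_mode(path):
    """Return write-permission findings for `path`; /etc/passwd should be mode 0644."""
    mode = os.stat(path).st_mode
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    return findings

# Constructed sample (not from the VM): root's x swapped for a placeholder MD5-crypt hash, one
# account with an empty password field, and a second UID 0 account alongside a normal entry.
SAMPLE_PASSWD = """\
root:$1$ZZZZZZZZ$placeholderhash0000000000:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
backup2::1001:1001::/home/backup2:/bin/bash
toor:x:0:0::/root:/bin/bash
"""

def demo_world_writable_copy():
    """Audit a temp copy of SAMPLE_PASSWD made world-writable, like the VM's /etc/passwd."""
    fd, path = tempfile.mkstemp()
    os.write(fd, SAMPLE_PASSWD.encode())
    os.close(fd)
    os.chmod(path, 0o666)
    try:
        return audit_passwd_mode(path), audit_passwd_content(SAMPLE_PASSWD)
    finally:
        os.unlink(path)
```

On a real host, run audit_passwd_mode("/etc/passwd") together with audit_passwd_content(open("/etc/passwd").read()); any finding from either is the condition this VM's escalation relied on.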