The Basic Pentesting 1 VM download from Vulnhub can be found here: https://www.vulnhub.com/entry/basic-pentesting-1,216/
Here's the basic description:
This is a small boot2root VM I created for my university’s cyber security group. It contains multiple remote vulnerabilities and multiple privilege escalation vectors. I did all of my testing for this VM on VirtualBox, so that’s the recommended platform. I have been informed that it also works with VMware, but I haven’t tested this personally.
This VM is specifically intended for newcomers to penetration testing. If you’re a beginner, you should hopefully find the difficulty of the VM to be just right.
Your goal is to remotely attack the VM and gain root privileges. Once you’ve finished, try to find other vectors you might have missed! If you enjoyed the VM or have questions, feel free to contact me at: email@example.com
If you finished the VM, please also consider posting a writeup! Writeups help you internalize what you worked on and help anyone else who might be struggling or wants to see someone else’s process. I look forward to reading them!
Using the following nmap command nmap -O -A -sT -sV -p- -T5 192.168.1.25 -vvv
We get the following interesting output:
PORT STATE SERVICE REASON VERSION 21/tcp open ftp syn-ack ProFTPD 1.3.3c 22/tcp open ssh syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 d6:01:90:39:2d:8f:46:fb:03:86:73:b3:3c:54:7e:54 (RSA) | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVPefz9pE0ykT66eeP8gZ1P/Op3xChGFJa8il0KwqpmaMSJIUdOnPy8n1FSDKvs3MagCwVCKMQGLYlNTJ8kabXwl+8ULz9FPfTHG2U3v/n3NyPgVtmSgU88n4yjfVcwJbf4ZvSoccCnGjCqizpkjQmAlZ/ETRX3h70BwZdm00u7Gtpn/eYljlIjgcgJmHkunJ08M1B87CMwBkqBdvjypx0Vw/Ku2KnZa16MHlMegHOrX4rvopdLQXDtlFgqGtBxJmyWoh5eURKDlblgtpurOy1rPW4Tcsse7WOUoI1xE9KHzh/sH75OJu49d8RfYwULKpLUbcV7rwv82kaaGigBUxx | 256 f1:f3:c0:dd:ba:a4:85:f7:13:9a:da:3a:bb:4d:93:04 (ECDSA) | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBO1BUhTxlxa/Wbwk2lRzqdjGVz+B+e9/K6jA1eZLM1cudzOck7TdtPTuup5QteLjG1lytX2Sirn7ZUuULeOsJrM= | 256 12:e2:98:d2:a3:e7:36:4f:be:6b:ce:36:6b:7e:0d:9e (EdDSA) |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJPiFdk1m+7FhiWVNHn0M1mSu8cOoPXGjXXpRFQU7c0M 80/tcp open http syn-ack Apache httpd 2.4.18 ((Ubuntu)) | http-methods: |_ Supported Methods: OPTIONS GET HEAD POST |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Site doesn't have a title (text/html). MAC Address: 08:00:27:14:06:50 (Oracle VirtualBox virtual NIC) Device type: general purpose Running: Linux 3.X|4.X
So we know this system has 3 services running: FTP, SSH, and a web service.
I did not explore this route. However, this is a valid attack vector given that ProFTPD 1.3.3C has a few exploits and working proof of concepts available on Exploit-DB.
Using Nikto we found a /secret directory:
Which has a WordPress installation
I typically give credentials like admin:admin or admin:password a shot just for the heck of it. Turns out this WordPress installation used admin for the username and password.
However, if you were to run a Hydra scan with the following command:
hydra -l admin -P /root/Desktop/rockyou.txt 192.168.1.25 -V http-post-form '/secret/wp-login.php:log=^USER^&pwd=^PASS^&wp-submit=Log In&testcookie=1:S=Location' -t 25
We would find out the password is in fact admin as well:
The password was found on line #19819 of the rock you dictionary file if you were wondering!
Using the metasploit framework and console, we select an exploit that will automatically upload a payload for us and give us meterpreter shell. Here is the exploit selected and the options / parameters given to it:
We retrieve our meterpreter shell
We get a very basic shell when typing in shell at the meterpreter prompt. In order to make it a bit more interactive use the following command
python -c 'import pty; pty.spawn("/bin/bash")'
There's a number of built in applications and tools in Kali. One of those tools is called unix-privesc-check which checks a number of different things like world write able files, files with setuid, setgid, etc.
I took the harder route to get this onto the target system. I could've just used the meterpreter upload command. That being said I copied the tool into Apache service I setup on my Kali box to serve the payload. This payload was then downloaded using wget:
When using this tool, it says to grep for WARNING. Doing just that we find out the /etc/passwd file is world writeable:
Here are those permissions for verification:
Using the meterpreter shell I proceed to download the /etc/passwd file:
I then use openssl to generate a password using:
openssl passwd -1
That is the number one, not a lowercase L.
Grabbing that hash, I then edit the X out of the root line entry and replace it with the hash:
Using the meterpreter shell I now upload the /etc/passwd back to the target machine:
Using the shell command in meterpreter and then upgrading to an interactive shell with python, we are able to su to root using the password password: