Basic Pentesting: 1

Difficulty: easy

Type: boot2root

OS: Linux

Lab configuration

  1. Download the box:
    https://www.vulnhub.com/entry/basic-pentesting-1,216/

  2. Download Kali Linux (if you don’t have it already):
    https://www.offensive-security.com/kali-linux-vm-vmware-virtualbox-image-download/

  3. Import both VMs in VirtualBox. For each of them, go in settings -> network and select Host-only Adapter (the name should appear by default. If it does not, create one from the initial menu: File -> Host Network Manager -> create). With this configuration, the VMs are isolated on a network. It is also possible to set both VMs in bridged adapter, and add a second interface for the Kali machine with NAT (so that kali can access the internet).

Before we begin: find the victim’s IP address and verify we can communicate with it

First, we turn on the 2 VMs. We can’t connect to the target machine, because we don’t know the credentials. The purpose will be to gain root access on this machine.

Sometimes, the IP address of the target is given on the start-up screen, but it is rarely the case. Let’s look at our IP address :

ifconfig

There are 2 interfaces, eth0 and lo (for loopback). Our IP address is 192.168.56.102, and the subnet mask is 255.255.255.0. The local IP address is always 127.0.0.1, it’s a convention.

What’s a subnet mask, and how can we find our victim on the network ?
As we saw, our subnet mask is 255.255.255.0. In binary, this can be written
11111111.11111111.11111111.00000000
because:
255 = 1*2^7 + 1*2^6 + 1*2^5 + 1*2^4 + 1*2^3 + 1*2^2 + 1*2^1 + 1*2^0
255 = 128 + 64 + 32 + 16 + 8 + 4 + 2 + 1

A very important concept is that 1s and 0s cannot be mixed in the mask. Therefore, if we know the number of 1s in a mask, we know the complement. In our subnet mask, there are 24 bits up. So, our IP address and the subnet mask can be written 192.168.56.102/24 (24 is the complement). This is called CIDR (classless interdomain routing) notation. Without it, we would have to write 192.168.56.102/255.255.255.0.

What does the mask tell us ?
It gives some information on the network: it says how many bits (what portion) of the IP address belong to the network, and how many belong to the hosts. For example, the mask 255.255.255.0 applied to our IP address 192.168.56.102 tells that 192.168.56 represents the network portion of the address, and 102 is the host on this network.

How many hosts can a network support ?
There is a simple formula to answer this question: the number of hosts on a network = 2^(nb of 0s in the mask). There are eight 0s in our mask, so there are 2^8 = 256 potential hosts (in reality 254, because we remove the first and last addresses (gateway and broadcast). The last address of the range is always the broadcast one.

Finally, we can scan our network to find the target’s IP address. To do so, we scan it from the first to the last address with the following command :

netdiscover

which results in :

netdiscover result

The target’s IP address is 192.168.56.106. To be sure, we can use nmap:

nmap

As we can see, 192.168.56.106 indeed is our target, because its mac address is VirtualBox. Now that we have our target, we can verify that we can communicate with it. To check this, we simply ping the target from Kali as follows:

ping

The flag -c allows to specify how many packets we send (2 here). We have the confirmation that the machines can communicate, so we’re ready to really start this box :) !

1. Scan the ports of the target

There are a total of 65,535 possible TCP ports, and 65,535 possible UDP ports. Some ports are “reserved” for certain services, among which:

A scanner like nmap allows us to see what ports are open on the target, and what services are running. It basically sends different types of packets and analyze the response.

nmap2

The flag -sV specifies that we only want to scan open ports (to speed up the process), and returns the services that are running as well as their version. Here, we see 3 open ports :

Later, we will look for potential vulnerabilities for the versions of the services running on those ports. Another useful information here is that the target is a Ubuntu machine. If this was not specified, we could try to detect the target’s OS (this is called banner grabbing) in different ways. We could, for example, try to start a Telnet session with the victim on the port 80: obviously, this will not work since Telnet is on port 23, and port 80 is for HTTP. The target machine would send us an error message with information on its OS :

banner grabbing

Knowing the OS is necessary, because some exploits are OS-specific.

2. Find and exploit vulnerabilities

Now, we will investigate the 3 open ports, starting with FTP.

FTP

FTP is a standard network protocol used for the transfer of computer files between a client and a server on a network. Users authenticate themselves with a username and a password. However, it is sometimes possible to connect anonymously (the server has to be configured to allow it). This is done to allow the public to connect to the server and access the files without identification.
We can connect anonymously with the login anonymous and any password (usually an email address, the word guest, no password at all, etc.). So, let’s try this first:

anonymous FTP

I tried different passwords, but couldn’t get in… That’s not a problem, we’ll find another way in.

On the result of the nmap scan, we saw that the version of FTP is ProFTPD 1.3.3c. We could look for more information on the net (for example on https://www.cvedetails.com/). However, let’s look at Metasploit instead :

searchsploit

There are 2 modules for this vulnerability. Let’s launch Metasploit with the following command:

msfconsole

In Metasploit, the line starts with msf5. Now, we can search more information on the modules:

msf search

We see 6 different exploits. We could try some of these, but there’s one that seems to be what we’re looking for: the 4th one, exploit/unix/ftp/proftpd_133c_backdoor. It’s rated excellent, it’s the right version, and it’s a backdoor command execution.
Let’s launch this exploit and see what parameters it requires (with the options command):

exploit

The options show that there are 2 required parameters, RHOSTS and RPORT. RPORT is already set to 21, so we just have to complete RHOSTS. Also, we see that the target is automatic. So, let’s set the RHOST parameter and launch the exploit !

exploit result

It worked, and it opened a session for us. Who are we ?

whoami

returns root. We did it! Then, we can look for interesting things with the usual commands cd, ls, … We see that there is a wordpress instance and a user called Marlinspike - let’s save it for later, it could be useful information.

HTTP

We also saw with nmap that there is a web server running. After successfuly connecting with FTP, we saw that it is a wordpress instance. Let’s connect to it from Kali:

wordpress

We arrive on the default Apache page. We can try to manually find directories, such as /wp-admin (the default login page for Wordpress - doesn’t work here), but it’s not easy. Instead, let’s perform a dictionnary attack with dirbuster: it brute-forces directories and file names on web servers.

dirbuster

dirbuster

We see that dirbuster found 13 directories (not all of them are listed here). Let’s have a look at this secret directory:

secret directory

The appareance is weird… If we scroll down the page, we see a Log In button. When we click on it, we get the following error message:

wp login error

In fact, we can click anywhere, we get the same error message: “We can’t connect to the server at vtcsec”. It seems like there is a DNS problem. Some links refers to the domain vtcsec, but since my Kali isn’t connected to the internet, it doesn’t find the link between the IP address and the domain name. However, we can manually add an entry for the server vtcsec in our hosts file. First, we open the file with nano, and then we add the server’s IP and name:

nano /etc/hosts

hosts

and we save with ctrl+o, ctrl+x. We refresh the page in the browser, and we see that it’s now working properly.

site working

Finally, we can access the login screen…

wp login working

Now, we want to find the credentials to connect to the server. The first thing to try is of course admin/admin.

connected

Well, that was easy… However, it won’t always be the case. So, let’s imagine it didn’t work: we need to find a username and a password. Sometimes, the username is visible on the webpage but it is not the case here. We are going to use the tools Wpscan (WP stands for WordPress) to find a username, and Hydra to find the associated password.

wpscan user

wpscan user result

As we expected, wpscan found the username admin. Now, we can use another dictionnary attack to brute-force the password. The idea is to try to connect automatically with the username we found (admin) and a password coming from a list of passwords. This automated process will be handled by Hydra. In real life, it is not that easy because sending thousands of requests isn’t very discrete. Also, our IP could be banned after a few failed attempts.

Before using hydra, we need 2 things:

Let’s look at the available password lists:

wordlist

There are hundreds of them, and we could also create our own or find another one on the internet. In our case, we will use a short one because we know that the password is admin, and this word is present in almost each of these list.

Now, we need to know the form of the request. We could use tools such as Postman or Burpsuite, but here we will just use the developer mode in our browser. In Firefox, we open the menu in the upper right corner -> Web Developer -> Network. Then, we try any username and password combination: let’s try admin/1234. We see a POST request sent to the server.

dev mode

In the parameter tab, we see the parameters sent to the server: the username is in a variable called log, the password in pwd, and there is also teestcookie: 1 and wp-submit: Log+In. Now, let’s examine the answer of the server:

dev mode

The string is incomplete on the image, but this is what we needed: the error message that will let Hydra know that the combination was wrong and that it has to keep trying.

We have everything we need, let’s use Hydra:

hydra

hydra

That’s it, we found the password (this list contained 959 words… Some lists have up to millions of words).

More details on the command:

Ok, we can now connect to the site with an admin access. We’re now going to use Metasploit to generate a plugin that will give us a shell when we invoke it. It is the module wp_admin_shell_upload. The module will connect to Wordpress with the credentials we found, and upload a plugin on the site that invokes a reverse meterpreter shell on our machine. We start Metasploit with the command msfconsole, and configure the exploit:

exploit

We could type options to see the available/required options as well as the parameters we just entered. For rhosts, I entered vtcsec but could also have given the IP address. Let’s run the exploit.

exploit

We have a meterpreter session (a reverse connexion with the web server). We can get information with the commands sysinfo and getuid:

exploit

We see here that we are in the system as the user “www-data (33)”. This user probably has limited privilege, and we must find a way to escalade them (privilege escalation). We will use the script unix-privesc-check to see if we can do interesting things we our privileges. Let’s upload the script from our machine to the server (I had to cd .. before executing the next command):

upload privesc

In meterpreter, we now use the command shell to get a shell:

shell proc

Now, we look for the script unix-privesc-check (with ls) and enter the following commands (in red):

shell proc

The command chmod +x gives the permission to anybody to execute this file (we can see the permissions with ls -l. There are 3 groups: read (r), write (w), and execute (x)). Then, we can execute the script (it’s not on the image above, but we must specify a mode to execute the script. I just had to add standard after ./unix-privesc-check): it will check permissions on various files and tell us what we could do next.

shell proc

The result of the script is way longer than what is shown, but here for example we see that anybody can modify the password file. At the beginning of the script, it is mentionned that interesting discoveries begin with WARNING. So next time, we could write the following command to shorten the list:

./unix-privesc-check standard | grep WARNING

First, let’s have a look at that file.

password file

password file

We see that there’s the root password, as well as the user Marlinspike password. So, let’s download this file on our machine, modify it, and reupload it on the server.

download file

We downloaded the file and stored it on our desktop. Now, we can edit it. We need a new password - let’s use openSSL to create the hash corresponding to the password (we open a new tab with File -> New Tab):

generate passwd

We copy the generated hash and open the password file with nano. Then, we replace the old password by the new one:

modify pw

We save the modifications and exit. We go back to meterpreter and reupload the file on the server.

upload passwd

Finally, in meterpreter, we open a shell and connect as admin:

root!

I executed here a python command to get bash. Then, we connect as root with the password we changed and check our privileges - we’re root ! Note that we could have done more or less the same with the user Marlinspike: we would have downloaded the shadow file (after making sure we can read it by checking privileges), which contains user password, and use a password cracking tool like John the Ripper. Then, we could connect with this username and password.

Although we got what we wanted, it is worth noting that we only have access until the server is restarted or passwords are changed. To make this access permanent, we would have to put a backdoor on the server. This can be relatively easy to do on Wordpress, it just requires to edit a theme and inject a piece of code.

SSH

Finally, let’s have a look at the 3rd service. We’ll start by launching Metasploit and look if there is any exploit.

msfconsole

root!

The first one looks interesting. Let’s search more information.

root!

root!

We have to provide a user and a password list. For the passwords, let’s use the same we used with hydra. For the users, we will create a short and personalized file:

nano Desktop/user.txt

users

We can now specify these parameters in the module’s options and run it:

exploit

search

I decided to stop the process because it was very slow, but I might come back to it someday!

My thoughts

I have mixed feelings about this box. Although I learned some things, I didn’t have that much fun. However, I liked that there were at least 2 possibilities (and maybe 3 with SSH?) to reach the goal.