VulnHub – Basic Pentesting 1 (alternative exploit)

In my last post, I was able to gain root access to the Basic Pentesting 1 virtual machine, downloaded from Vulnhub.com. In today’s post, I’ll be attempting to exploit the same machine in a different fashion!

Let’s have a quick reminder of our Nmap scan of the VM, in order to see what services are available.

The HTTP service is running! If we were to plug the address 10.10.1.12 into an address bar, we don’t really see much. But this doesn’t mean we should give up! Let’s try brute forcing some directories with DirBuster.

Here, I plugged the address of the VM into “target URL”, and chose a simple dictionary list to brute force with. After letting DirBuster run for a bit, we start getting some results back:

The directory called “secret” just screams: “Hey Mr. Hackerman! Come look over here!”. Okay then, let’s browse to 10.10.1.12/secret/.

We have…something! There isn’t a ton of information here, however there are links! But wait a second, if we click on one of the links we’re greeted with this ugly message:

Shoot! We were making decent progress too. Hmm? The message says “we can’t connect to the server at vtcsec”. Vtcsec? Is that what we should be browsing to instead of the IP address? Just for fun, let’s add that record to the hosts file on our attacking machine, using the command leafpad /etc/hosts.

Alright, the hosts file is updated. Let’s browse to vtcsec/secret.

Whoa, it worked! More progress! Now the next interesting part on this website is the login panel. Before we start enumerating users and cracking passwords right off the bat, let’s try some simple credential guessing. I’ll start with the admin (username)/password (password) combo. Nope. Maybe admin/admin?

Thank you default credentials, very cool!

Now that we are into the website with valid credentials, we’re going to try to upload a shell. So let’s fire up Metasploit to see what we have for options! After a little bit of looking (and then researching), it looks as though the exploit we’re looking for is exploit/unix/webapp/wp_admin_shell_upload. Works for me! Time to configure the options for the exploit.

After running the exploit, we receive a meterpreter session!

Well, no root access yet. I guess that means one thing: *in Bruce Buffer’s voice* “IIITTT’SS TIIIIIMME (to escalate privileges)!”

I downloaded a fantastic tool called linuxprivchecker.py from http://www.securitysift.com/download/linuxprivchecker.py, which will help us find ways to escalate our privileges. Once downloaded, I placed it in the /var/www/html folder, so that our attacking system can serve the file over HTTP once it is acting as a web server.

Ok then, time to start the Apache service on our system.

Great! Now let’s bring up our meterpreter session again. Here, we’re going to move into the /tmp folder of our victim, and download the linuxprivchecker.py tool from our system using the wget command.

Before we can run the tool, we’ll need to change its permissions so we can run it without issue, using the command chmod +775 linuxprivchecker.py. Now we can finally run it.

The tool returns a ton of information, which can take a while to look through. Something that caught my attention was the information returned from the /etc/shadow file.

Near the bottom, we see that there is a user named marlinspike. Hey wait, remember our initial Nmap scan? There was another service that was found: SSH! Maybe we can SSH into the system with this marlinspike account!
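That linuxprivchecker could read /etc/shadow at all from the web shell’s (non-root) context suggests the file’s permissions were wider than the usual root:shadow 0640. The following is an added example, not code from the original post or from linuxprivchecker, that a defender could run on a host to flag sensitive files whose mode exceeds a baseline. The baseline modes and the sample (path, mode) pairs are constructed assumptions; audit_live() applies the same check to the real files on the machine it runs on.

```python
import os
import stat

# Constructed baseline (assumption): typical Debian/Ubuntu defaults are
# 0640 root:shadow for the shadow files and 0440 root:root for sudoers.
SENSITIVE_MAX_MODE = {
    "/etc/shadow": 0o640,
    "/etc/gshadow": 0o640,
    "/etc/sudoers": 0o440,
}


def excess_bits(mode, max_mode):
    """Return the permission bits set in `mode` that the baseline `max_mode` does not allow."""
    return (mode & 0o777) & ~max_mode


def describe(bits):
    """Translate excess permission bits into human-readable findings, worst first."""
    names = []
    if bits & stat.S_IROTH:
        names.append("world-readable")
    if bits & stat.S_IWOTH:
        names.append("world-writable")
    if bits & stat.S_IRGRP:
        names.append("group-readable")
    if bits & stat.S_IWGRP:
        names.append("group-writable")
    if bits & stat.S_IWUSR:
        names.append("owner-writable")
    if bits & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        names.append("executable")
    return names


def audit_modes(entries):
    """entries: iterable of (path, st_mode) pairs.

    Returns {path: [findings]} only for baseline-listed files whose mode exceeds the baseline.
    Paths not in SENSITIVE_MAX_MODE are ignored.
    """
    findings = {}
    for path, mode in entries:
        max_mode = SENSITIVE_MAX_MODE.get(path)
        if max_mode is None:
            continue
        bits = excess_bits(mode, max_mode)
        if bits:
            findings[path] = describe(bits)
    return findings


def audit_live(paths=SENSITIVE_MAX_MODE):
    """Stat the real files on this host and audit them; missing files are skipped."""
    entries = []
    for path in paths:
        try:
            entries.append((path, os.stat(path).st_mode))
        except FileNotFoundError:
            continue
    return audit_modes(entries)


if __name__ == "__main__":
    # Constructed sample: a shadow file that any local user can read, and a healthy sudoers.
    sample = [("/etc/shadow", 0o100644), ("/etc/sudoers", 0o100440)]
    print("sample audit:", audit_modes(sample))
    print("live audit:  ", audit_live())
```

The check deliberately compares against a maximum rather than an exact mode, so a site that tightens /etc/shadow to 0600 is not reported, while the world-readable 0644 that lets a web-server account dump password hashes is.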

First, we’re going to need to try and crack the user’s password. Time to fire up Hydra!

Success! I didn’t want to begin with a huge password file, and wanted to check to see if the user either didn’t use a password, used their username as the password, or if their password was reversed, hence the “-e nsr” switch.
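Both footholds in this walkthrough came from the same weakness: the admin/admin and admin/password guesses on the login panel, and Hydra’s “-e nsr” checks (empty password, password equal to the username, password equal to the reversed username) on the SSH account. The block below is an added example, not code from the original post or from Hydra, that audits an account list for exactly those classes so a defender can find them first. The DEFAULT_CREDENTIALS set and the sample accounts are constructed; the real passwords on the VM are not reproduced here.

```python
# Constructed list of default pairs to flag (assumption); extend it for your own products.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"),
    ("admin", "password"),
}


def weak_password_reasons(username, password, defaults=DEFAULT_CREDENTIALS):
    """Return the reasons a (username, password) pair is trivially guessable, or [] if none.

    Matching is case-insensitive, which is slightly broader than Hydra's exact -e nsr
    comparison; a reversed check is only reported when the username is not a palindrome,
    since that case is already covered by the equals-username finding.
    """
    reasons = []
    u = username.casefold()
    p = password.casefold()
    if p == "":
        reasons.append("empty-password")                  # what "-e n" tries
    if p == u:
        reasons.append("password-equals-username")        # what "-e s" tries
    if p == u[::-1] and u != u[::-1]:
        reasons.append("password-is-reversed-username")   # what "-e r" tries
    normalized_defaults = {(du.casefold(), dp.casefold()) for du, dp in defaults}
    if (u, p) in normalized_defaults:
        reasons.append("default-credential")
    return reasons


def audit_accounts(accounts, defaults=DEFAULT_CREDENTIALS):
    """accounts: iterable of (username, password). Returns {username: reasons} for weak accounts only."""
    findings = {}
    for username, password in accounts:
        reasons = weak_password_reasons(username, password, defaults)
        if reasons:
            findings[username] = reasons
    return findings


if __name__ == "__main__":
    # Constructed sample accounts; "Tr0ub4dor&3" stands in for a password that passes.
    sample = [
        ("admin", "admin"),
        ("alice", "ecila"),
        ("bob", ""),
        ("carol", "Tr0ub4dor&3"),
    ]
    for user, reasons in audit_accounts(sample).items():
        print(f"{user}: {', '.join(reasons)}")
```

In practice the plaintext passwords are only available at the moment a user sets or changes one, so the natural place for weak_password_reasons is a password-change hook or the application’s registration form, where a match can reject the choice before it ever reaches the hash store.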

Now it’s time to SSH into the target system with our newly found credentials.

We’re in, but we still need to escalate our privileges again!

Okay, this means we should be able to perform the sudo su command to get root access!

We did it!

I had a lot of fun attacking this VM. Now it’s time to get started on another vulnerable virtual machine, so stay tuned for a post regarding exploiting it!

Thanks for reading!