Vulnhub will test your skills in a different way.
This walkthrough covers the Basic Pentesting: 1 VulnHub machine made by Josiah Pierce. It includes several remote vulnerabilities and privilege escalation vectors.
First of all, I had to find the IP address of the target machine. I used the netdiscover command for that.
In the first step of reconnaissance, I performed an nmap scan to identify the open ports.
nmap -sC -sV -Pn <IP>
-sC : Run the default NSE scripts
-sV : Service and version detection
-Pn : Skip host discovery (treat the host as up)
So there are three open ports on this target machine.
- port 21/tcp — FTP — (ProFTPD 1.3.3c)
- port 22/tcp — SSH — (OpenSSH 7.2p2 Ubuntu)
- port 80/tcp — HTTP — (Apache httpd 2.4.18)
I chose the FTP service on open port 21 as the way to get root access on this target machine.
I used the searchsploit command to search ExploitDB for ProFTPD 1.3.3c.
[Searchsploit is a command-line search tool for Exploit-DB, which also lets you carry an offline copy of Exploit-DB with you.]
[ProFTPD is an FTP server for Unix/Linux servers, very configurable and very effective; it is free and open source, released under the GPL license.]
I found two exploits for it. ProFTPD 1.3.3c was compromised by a backdoor, that is, malicious code inserted into the distributed source code. This Backdoor Command Execution vulnerability can be exploited with the Metasploit Framework.
In the Metasploit console, I searched for proftpd to find an exploit for it.
There are several exploits for ProFTPD. I used exploit/unix/ftp/proftpd_133c_backdoor against the target machine.
Now I am going to look at the options of this exploit.
Now I have to specify RHOST [IP address of the target machine].
After setting RHOST, I searched for payloads for this exploit.
There are various payloads, and I chose cmd/unix/reverse to exploit this vulnerability.
Set the payload.
After setting the payload, I have to specify LHOST [IP of my Kali machine].
OK, all of the setup has been done. Now I have to run the exploit.
Right, now I have root access to the target machine. Next I am going to find the password of the marlinspike user.
Now I spawned an interactive shell with Python.
Interactive Terminal Spawned via Python
Identifies when a terminal (tty: the tty command prints the file name of the terminal connected to standard input) is spawned via Python. Attackers may upgrade a simple reverse shell to a fully interactive tty after obtaining initial access to a host.
Then I looked for the shadow file.
The shadow password file is a system file in which hashed user passwords are stored so that they aren't readable by people who try to break into the system.
Now I copied this entry to a new file to crack the hash.
marlinspike:$6$wQb5nV3T$xB2WO/jOkbn4t1RUILrckw69LR/0EMtUbFFCYpM3MUHVmtyYW9.ov/aszTpWhLaC2x6Fvy5tpUUxQbUhCKbl4/:17484:0:99999:7:::
Then I used John the Ripper to crack this hash.
Finally, I found the password for marlinspike, and it is marlinspike.
In summary, I got root access and found the password of the marlinspike user on this box. I used the open port 21/tcp — FTP — (ProFTPD 1.3.3c) to exploit the Basic Pentesting: 1 box on VulnHub.
Overall, this was a fun task. It took me a while to work out the details, but it gave me an excellent introduction to basic penetration testing and confirmed that my home lab works well.
Written by Dinidhu Jayasinghe — 3rd Year 2nd Semester, Cyber Security Student, SLIIT
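Added from the defender's side, and not part of the original walkthrough: the shadow entry above is a $6$ (sha512crypt) hash using the glibc default of 5000 rounds, and its fifth field of 99999 means the password never expires, which is why it is cheap to crack offline and stays valid forever. The parser below, written for this post, decodes such an entry and flags those settings; ShadowEntry, parse_shadow_line and audit are my own names, and the only real input is the line quoted above.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Sample input: the shadow entry quoted in the walkthrough (a VulnHub lab account).
SAMPLE_ENTRY = (
    "marlinspike:$6$wQb5nV3T$xB2WO/jOkbn4t1RUILrckw69LR/0EMtUbFFCYpM3MUHVmtyYW9."
    "ov/aszTpWhLaC2x6Fvy5tpUUxQbUhCKbl4/:17484:0:99999:7:::"
)
CRYPT_IDS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt"}  # $id$[rounds=N$]salt$hash
DEFAULT_ROUNDS = 5000  # glibc default for sha256crypt/sha512crypt when no rounds= field is present

@dataclass
class ShadowEntry:
    user: str
    method: str                  # hash algorithm, or "none" when the field carries no hash
    rounds: Optional[int]        # key-stretching rounds, None where the scheme has none
    salt: str
    last_change: Optional[date]  # field 3: days since 1970-01-01 of the last password change
    max_days: Optional[int]      # field 5: maximum password age in days
    locked: bool                 # "!" or "*" prefix: password login disabled

def parse_shadow_line(line: str) -> ShadowEntry:
    """Split one /etc/shadow line into its nine colon-separated fields and decode the hash."""
    fields = line.rstrip("\n").split(":")
    user, pw, lastchg, _min, maxd, _warn, _inact, _expire, _flag = fields  # ValueError if not 9
    locked = pw.startswith(("!", "*"))
    method, rounds, salt = "none", None, ""
    body = pw.lstrip("!")
    if body.startswith("$"):
        parts = body.split("$")  # ['', id, (rounds=N,) salt, hash]
        method = CRYPT_IDS.get(parts[1], f"unknown({parts[1]})")
        if parts[2].startswith("rounds="):
            rounds, salt = int(parts[2][len("rounds="):]), parts[3]
        else:
            rounds = DEFAULT_ROUNDS if parts[1] in ("5", "6") else None
            salt = parts[2]
    last_change = date(1970, 1, 1) + timedelta(days=int(lastchg)) if lastchg else None
    return ShadowEntry(user, method, rounds, salt, last_change, int(maxd) if maxd else None, locked)

def audit(entry: ShadowEntry) -> list[str]:
    """Return the weaknesses a reviewer would flag for this entry."""
    findings = []
    if entry.method == "md5crypt":
        findings.append("md5crypt is obsolete")
    if entry.rounds is not None and entry.rounds <= DEFAULT_ROUNDS:
        findings.append("default round count: offline cracking is cheap")
    if entry.max_days is None or entry.max_days >= 99999:
        findings.append("password never expires")
    return findings
```

Running audit(parse_shadow_line(SAMPLE_ENTRY)) reports both the default round count and the non-expiring password; a rounds=656000 hash with a 90-day maximum age comes back clean.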