We covered the solution walkthrough of Basic Pentesting 1 from Vulnhub, introducing the basic steps and methodology involved in a penetration test.
Initial Scanning and Enumeration
The first step is scanning the machine with Nmap to discover open ports and services. The scan reveals three open ports: FTP (21), SSH (22), and HTTP (80). The tester then updates the hosts file to map the machine's IP to vtac and uses Nikto to scan the web server for vulnerabilities.
Open Ports
21/tcp open ftp ProFTPD 1.3.3c
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2
80/tcp open http Apache httpd 2.4.18 (Ubuntu)
We used the searchsploit command to search ExploitDB for ProFTPD 1.3.3c.
This returned two exploits. ProFTPD 1.3.3c contained a backdoor: malicious code hidden in the source code. The Metasploit framework includes a module for this Backdoor Command Execution vulnerability.
Discovering a WordPress Installation
Nikto reveals a WordPress installation in the /secret directory. The tester uses WPScan to enumerate the WordPress site. WPScan identifies the WordPress username as admin, and the tester tries the default credentials admin/admin, which successfully grant access to the WordPress dashboard.
Exploitation Using Metasploit
After logging into WordPress, the tester uses Metasploit to exploit the WordPress installation. The WP Admin Shell Upload exploit is used to upload a shell and gain a Meterpreter session on the target machine, providing shell access as the www-data user.
Privilege Escalation
To escalate privileges, the tester runs Unix Privilege Checker, which checks for privilege escalation vectors on the system. The tool identifies that the /etc/passwd file is writable, which allows the tester to modify the file and set a new root password. The tester generates a password hash with OpenSSL and replaces the root password field in /etc/passwd, allowing them to log in as root.
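As an added defensive check (this is example code, not part of the original walkthrough), the following Python audits an /etc/passwd file for the artifacts this escalation leaves behind: a hash stored in the password field instead of the shadow marker, extra UID 0 accounts, and world-writable permissions on the file. The sample file content and the hash value in it are constructed.

```python
import os
import stat
from typing import Dict, List

# Constructed sample /etc/passwd: root's "x" has been replaced with a hash
# (the trace the escalation above leaves; the hash value is a placeholder)
# and an extra UID 0 account has been appended.
SAMPLE_PASSWD = """\
root:$6$constructedsalt$CONSTRUCTEDHASHVALUE:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
toor:x:0:0::/root:/bin/bash
"""

def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Split each /etc/passwd line into its seven colon-separated fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: skip instead of crashing the audit
        name, pw, uid, gid, _gecos, home, shell = fields
        entries.append({"name": name, "pw": pw, "uid": uid, "gid": gid,
                        "home": home, "shell": shell})
    return entries

def find_suspicious_entries(text: str) -> List[str]:
    """Flag a hash (or nothing) in the password field instead of the 'x'
    shadow marker or a lock marker, and non-root accounts with UID 0."""
    findings = []
    for e in parse_passwd(text):
        if e["pw"] == "":
            findings.append(f"{e['name']}: empty password field")
        elif e["pw"] not in ("x", "*", "!", "!!"):
            findings.append(f"{e['name']}: hash stored directly in /etc/passwd")
        if e["uid"] == "0" and e["name"] != "root":
            findings.append(f"{e['name']}: non-root account with UID 0")
    return findings

def mode_is_world_writable(mode: int) -> bool:
    """True if the 'others' write bit is set in a POSIX st_mode value."""
    return bool(mode & stat.S_IWOTH)

if __name__ == "__main__":
    for finding in find_suspicious_entries(SAMPLE_PASSWD):
        print("FINDING:", finding)
    mode = os.stat("/etc/passwd").st_mode  # live check on the host
    print("/etc/passwd world-writable:", mode_is_world_writable(mode))
```

Run it on a host to get the live permission check; the parsing functions can also be pointed at a copied /etc/passwd collected during incident response.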
Alternative Methods
The tester also explores the possibility of exploiting FTP or SSH services, suggesting further enumeration of these services to find other vulnerabilities that might allow root access.