Vulnhub Raven 1 Walkthrough

broken image


This is my first Vulnhub walkthrough (yay!) Hope you guys like it. The VM can be found here Game Of Thrones 1.0 Big props to v1s1t0r for making this masterpiece. Let's begin: NOTE. When you import the VM and you boot it for the first time wait for 5-10min before starting the challenge.

  1. Vulnhub Raven 1 Walkthrough Xbox 360
  2. Vulnhub Raven 1 Walkthrough 4
  3. Mr Robot Vulnhub Walkthrough
  4. Vulnhub Raven 1 Walkthrough 2
  5. Vulnhub Beginner

Difficulty level: Easy
Aim: attack the VM and gain root privileges
Author: Josiah Pierce

Download: https://www.vulnhub.com/entry/basic-pentesting-1,216/

The first step is to find the IP address of the target machine, which can be located using netdiscover:

  • The walkthrough Step 1 After running the downloaded virtual machine, the machine will automatically be assigned an IP address from the network DHCP and be visible on the login screen. The victim machine IP address can be seen in the following screenshot: CLICK IMAGES TO ENLARGE.
  • So Simple: 1 Vulnhub Walkthrough. Here is the description from vulnhub.com. This is an easy level VM with some rabbitholes. Enumeration is key to find your way in. There are three flags (2 user and 1 root flag). The VM is tested on Virtualbox. After the startup it shows the IP address. Share your rootflag with me on Twitter: @roelvb79.

Target: 192.168.56.103 (your target IP will likely be different)

We can then run a basic nmap scan against the target to discover open ports and services: Low stakes roulette.

From this we can see the following ports and services:

  • port 21/tcp - FTP - (ProFTPD 1.3.3c)
  • port 22/tcp - SSH - (OpenSSH 7.2p2 Ubuntu)
  • port 80/tcp - HTTP - (Apache httpd 2.4.18)

searchsploit can be used to run a quick search against the version of ProFTP running on the target:

This search reveals a backdoor RCE vulnerability in ProFTPD 1.3.3c which could be exploited easily (I'll come back to this later).

Instead of taking the easy route, let's first have a look at the HTTP service running on Port 80:

There was not much to go off here. There is nothing to be found in the page source and there is no robots.txt file available to indicate any potential folders or sitemap.

Photoshop cs trial. However, dirb can be used to brute-force directories and file names by using one of the predefined wordlists that come packaged with this tool:

The dirb scan reveals an interesting URL: http://192.168.56.103/secret so we'll take a look at this in our browser:

The page doesn't seem to have rendered correctly and when you attempt to view the 'Hello world!' post, you will discover why.

It seems that some of these links refer to a domain named 'vtcsec' instead of IP address. To correct this, we can manually add an entry to our hosts file:

After saving this file and refreshing the webpage, the content is correctly displayed: Script debugger 7 0 10 tablet.

The link to the log in panel can then be found on the right-hand side near the bottom of this page:

The next step is to enumerate any potential users and vulnerabilities in the site by using wpscan:

This revealed a number of vulnerabilities (19) and that the default WordPress username of 'admin' is still in use:

With the default username being 'admin' it's worth trying to log in with the default password as 'admin' too. sure enough, this works!

If the password had not been 'admin' then we could have attempted to brute-force this by using wpscan with a pre-configured password list:

Now we have admin access to the WordPress site, Metasploit can be used to generate a plugin which will automatically upload a payload and give us a shell:

These are the values I used for each option and payload; you will need to amend based on your own IP (LHOST):

With the options and payload set this can then executed by running:

The exploit should executed successfully and open a meterpreter session. Running a getuid command from this session (or id from a shell) shows we currently have access as the user: www-data. Therefore, some additional work is required to obtain root access.

To check for any potential misconfigurations that could lead to privilege escalation, a good script to use is the unix-privesc-check script from pentestmonkey.

This can be uploadeded from the meterpreter session by running the following command:

We can then drop into a shell to make the script executable:

The author of unix-privesc-check recommends to grep the output for WARNING, which will show any potential misconfigurations. This can be run as one single command:

The output from this script revealed that the /etc/passwd Vacon cxl manual. file has world writeable permissions. This means we will be able to modify this file and change the root password in order to gain root access.

First, we will drop back into the meterpreter session to download the /etc/passwd file to our local machine:

Then, from a local terminal, we can use openssl to generate a new hashed password:

Finally, we can edit the passwd file using nano and replace the x value for the root user with the hashed password from the above command:

The modified passwd file can then be uploaded to the target via the meterpreter session:

Using the the shell command in meterpreter this can then be tranformed into an interactive bash shell via Python:

Finally, we can su to the root user using the new password generated above:

Vulnhub

ProFTPD 1.3.3c exploit

As mentioned earlier, there is a quick and easy method of gaining access to this machine as the root user via the backdoor RCE vulnerability within the ProFTPD 1.3.3c service running on Port 21 of the target.

This attack can be performed using the exploit/unix/ftp/proftpd_133c_backdoor module withing Metasploit (msfconsole):

The values I used for each option and payload were as follows, yours will likely differ:

Once the command has executed and a session is opened, you are then able to run the id command to confirm that you are now logged on as the root user:

Vulnhub Raven 1 Walkthrough Xbox 360

Please feel free to contact me via Twitter and thanks for reading.

Hello, guys Today we are going to solve another boot to root challenge called Loly: 1. https://softsos.mystrikingly.com/blog/pinnacle-dazzle-dvc-150-drivers-for-mac. It's available at VulnHub for developing our penetration testing skill and you can download it from here. this is easy level machine.

Network Scanning

Let's get started with network scanning first we run the nmap ping scan discovering our target IP address.

now we have an IP address for our target machine. Let's start the Nmap service and version discovering the open port's target machine.

Enumeration

After trying some different URLs I found a WordPress page but there we see the error we navigate the admin page URL and again our URL IP is changed to loly.lc then we add the domain our hosts file

this is a simple page nothing is there useful. we try to log in admin page but didn't found any correct username and password

we try manual some common password but we fail to log in then we run the wpscan first we enumerate the username and try password brute-forcing using the wpscan command.

Vulnhub Raven 1 Walkthrough 4

As we see our password brute-forcing attack is successful we found a valid password combination again we navigate the word-press login URL and try to login again

Mr Robot Vulnhub Walkthrough

After enumeration the word press panel we try uploading PHP file but they are blocked for security reason and we going to install a buggy plugin but there is no option to upload plugin and themes after checking the pre-install plugin

Vulnhub Raven 1 Walkthrough 2

w found a vulnerable plugin( AdRotate ) we upload a shell by compressing our payload a zip file as a new banners file.

Now our shell is uploaded the target website successful after a second this is automatic unzip in the banners directory let's star the netcat listener and using the curl command we call our shell.

Now we move the system enumeration step first we check the word-press config.php file and we try DB_PASSWORD for Linux user login and we successfully change our current shell WWW-DATA to loly user

Privilege Escalation

we run the uname -r command and we see the target machine kernel version we search the following kernel version on exploit-db and we found a local privilege exploit. ( /exploits/45010 ) then we download the exploit target system and compile the exploit

before executing the exploit we need to add execute permission our exploit and then we execute the exploit

After run the following command and we obtain the root shell and finished the challenge by reading the root flag

Vulnhub Beginner

ONsystem Shelldredd Vulnhub Walkthrough link





broken image
PreviousNext
Cookie Use
We use cookies to improve browsing experience, security, and data collection. By accepting, you agree to the use of cookies for advertising and analytics. You can change your cookie settings at any time. Learn More
Accept all
Settings
Decline All
Cookie Settings
Necessary Cookies
These cookies enable core functionality such as security, network management, and accessibility. These cookies can’t be switched off.
Analytics Cookies
These cookies help us better understand how visitors interact with our website and help us discover errors.
Preferences Cookies
These cookies allow the website to remember choices you've made to provide enhanced functionality and personalization.
Save