Basic Pentesting 1 Walkthrough

Course: Computer and Network Security (ECC4703)
Academic year: 2020/2021

Lab - Basic Pentesting: 1 CTF Walkthrough

This small boot2root VM contains multiple remote vulnerabilities and multiple privilege escalation vectors. The validation for this walkthrough used VirtualBox, which is the recommended platform. It may also work with VMware.

Hardware Requirements

Installation of VirtualBox

One virtual install of Kali Linux

One virtual install of the Basic Pentesting OVA file which can be downloaded from here.

Ensure the network adapter for both machines is set to either bridged or NAT.

This VM will not boot until you go into the settings and disable the USB controller.

This CTF is specifically intended for those new to penetration testing. If you’re a beginner, you should hopefully find the difficulty of the VM to be just right.

Your goal is to attack this VM and gain root privileges remotely.

Organization


Create a folder on the desktop of your Kali machine and name it pentest. When using a terminal, change directory to the pentest folder and run all your commands from this location. Save any downloads or captured files to this location.

Enumeration

We begin with the basics (always) by enumerating the machine for its IP address and any open ports and services that are running.

There's no harm in getting the network range by running ifconfig from your Kali terminal.

Once we have our network range, we can discover the target machine’s IP address by using netdiscover, Nmap or ARP.

Using netdiscover

netdiscover -r 192.168.0/


Port: 21

There is an FTP server listening on port 21. Nmap informs us that the FTP service is likely ProFTPD 1.3.

Port: 22

There is an SSH service listening on port 22. Nmap informs us that it is likely OpenSSH 7 Ubuntu 4ubuntu2.

Port: 80

There is an HTTP server listening on port 80. It is likely Apache httpd 2.4.

Since we have HTTP running on port 80, let’s conduct a web server scan using Nikto and dirb.

nikto -host 192.168.


dirb 192.168.

DIRB is a Web Content Scanner. It looks for existing or hidden Web Objects. It works by launching a dictionary-based attack against a web server and analyzing the response.

Nikto and dirb both indicate the existence of a secret directory at /secret/. Furthermore, the files and directories discovered by dirb suggest that /secret/ is a WordPress site. Visiting the page confirms this, so we will run a scan to enumerate the site.

Using our browser and the IP address of the target, we get the default page for the site.


Scroll down the page until you come to the link for the login.

Nearly all well-known applications and networking devices come preconfigured with a default username and password. We should always try the well-known default username and password when attempting to guess the login information. For example, for a Cisco appliance out of the box, the default username and password are cisco: cisco, and for a WordPress site it is admin: admin.

We attempt to log in to the WordPress site using the default username and password of admin: admin.


And we are in! We now have complete administrative access to the WordPress site. This is more common than you might think. As a pentester or hacker, you will find plenty of default usernames and passwords being used.

We need not waste our time trying to guess login credentials. These can be discovered using any number of vulnerability scanners, which will have a signature file that attempts to log in using the default credentials.

For WordPress, we can use wpscan to brute-force the login credentials for a WordPress site.

wpscan -u 192.168.0/secret/ --enumerate u --no-banner

We can now use wpscan with a wordlist to try and brute force the password.
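The defender's view of the same steps, as an added example that is not code from the walkthrough: a small Python check over Apache's access log that flags, per client IP, the 404 bursts left by dirb and Nikto content discovery, the repeated POSTs to wp-login.php that default-credential and wpscan guessing produce, and the tool names that Nikto and WPScan put in their default User-Agent strings. The log lines, IP addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed Apache combined-log lines (not captured from the lab VM).
SAMPLE_LOG = """\
192.168.0.50 - - [10/Mar/2021:10:00:01 +0000] "GET / HTTP/1.1" 200 3120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/86.0"
192.168.0.77 - - [10/Mar/2021:10:01:01 +0000] "GET /cgi-bin/ HTTP/1.1" 404 280 "-" "Mozilla/5.00 (Nikto/2.1.6) (Evasions:None) (Test:000001)"
192.168.0.77 - - [10/Mar/2021:10:01:02 +0000] "GET /admin/ HTTP/1.1" 404 280 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.168.0.77 - - [10/Mar/2021:10:01:02 +0000] "GET /backup/ HTTP/1.1" 404 280 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.168.0.77 - - [10/Mar/2021:10:01:03 +0000] "GET /secret/ HTTP/1.1" 200 9876 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.168.0.77 - - [10/Mar/2021:10:02:11 +0000] "POST /secret/wp-login.php HTTP/1.1" 200 4321 "-" "WPScan v3.8.7 (https://wpscan.org/)"
192.168.0.77 - - [10/Mar/2021:10:02:11 +0000] "POST /secret/wp-login.php HTTP/1.1" 200 4321 "-" "WPScan v3.8.7 (https://wpscan.org/)"
192.168.0.77 - - [10/Mar/2021:10:02:12 +0000] "POST /secret/wp-login.php HTTP/1.1" 302 0 "-" "WPScan v3.8.7 (https://wpscan.org/)"
"""

# Apache combined log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Nikto and WPScan name themselves in their default User-Agent strings.
SCANNER_TAGS = ("nikto", "wpscan")

def analyze(log_text, notfound_threshold=3, login_post_threshold=3):
    """Return {ip: [reasons]} for clients whose traffic looks like the lab's recon steps."""
    stats = defaultdict(lambda: {"requests": 0, "404s": 0, "login_posts": 0, "tags": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        s = stats[m["ip"]]
        s["requests"] += 1
        if m["status"] == "404":
            s["404s"] += 1          # dictionary-based discovery (dirb/nikto) produces 404 bursts
        if m["method"] == "POST" and m["path"].endswith("/wp-login.php"):
            s["login_posts"] += 1   # repeated login POSTs = credential guessing (defaults, wpscan)
        s["tags"].update(t for t in SCANNER_TAGS if t in m["ua"].lower())
    findings = {}
    for ip, s in stats.items():
        reasons = []
        if s["404s"] >= notfound_threshold:
            reasons.append(f"{s['404s']} of {s['requests']} requests returned 404 (content discovery)")
        if s["login_posts"] >= login_post_threshold:
            reasons.append(f"{s['login_posts']} POSTs to wp-login.php (credential guessing)")
        reasons.extend(f"scanner user agent: {t}" for t in sorted(s["tags"]))
        if reasons:
            findings[ip] = reasons
    return findings
```

Running `analyze(SAMPLE_LOG)` flags only 192.168.0.77, with four reasons; on a real log, tune the thresholds to the site's normal 404 and login rates before alerting.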


Vulnerability Analysis

We have two additional ports to examine. Using searchsploit, we can look for any known exploit that might be used against the FTP service and version running on the server, ProFTPD 1.3.

FTP

searchsploit ProFTPD 1.3

Searchsploit indicates that this version of ProFTPD can be backdoored and there is a Metasploit module for the exploit. We will return to this opportunity later.

SSH

searchsploit OpenSSH 7

We find a vulnerability in this version of OpenSSH that allows username enumeration, but since we are likely to get a shell through either FTP or HTTP, we can mark this as a "last chance for romance" type of possibility.

Exploitation

We can search Metasploit for the FTP exploit we found earlier using searchsploit.


We found our exploit, and it is rated as excellent. We next need to load the exploit. Use the show options command to see which settings to configure.

For this exploit all we need to set is the IP address of the remote host which is our target IP address.

Type in the exploit command.


Everything shown here is reusable and, over time and with enough practice, you will start to recall some of your favorite exploits.

End of the Walkthrough!


© 2018 syberoffense.com All Rights Reserved