Wednesday, March 14, 2018

Vulnhub Walkthrough: Basic Pentesting 1

Walkthrough: Basic Pentesting 1
Author: Agoonie
Date: 2018-03-14

* Target IP (
* Full Scan

Looks like we have ports 21, 22, and 80.  Let's try port 80.  Starting with NIKTO to find some vulns.

Ok. Let's try to look up some directories.  Ah there's a secret...

Looks like from the page source I should edit my hosts file for DNS resolution.

Ok.  Now we look at the WordPress page.  Let's try the usual credentials.  Welp that works.

HELLLOOOO Dollllllyyy.  With this plugin, we can add a webshell and activate the plugin.  Initially I added it in the beginning of the plugin and it did not work well.  Then, I added it to the end of the plugin and voilà.

We have a meterpreter session.  Let's do some exploring.

Ok.  You know the drill.  Let's look at some of the config files.  Let's look at the HOME directory.

Woah. Proftpd backdoored? Uh, I know there is a vuln for that.
ProFTPD Backdoor

Got Root?  Well I guess now we just check for flags if there are any.  Looks like this server was hacked and a backdoor was entered.  I did not check if there was a kernel privilege escalation vulnerability but I suspect there is.  I will revisit it later.  I did check John the Ripper for the Marlinspike password.  It is just marlinspike :)

Walkthrough: DerpNStink: 1

Author: Agoonie
Date: 2018-03-13

* Target IP (
The VM is set up with host-only in VMware Workstation.  I identified the IP address with a ping sweep.
* Full Scan (nmap)
Used nmap for a full scan to discover ports 21, 22 and 80.

* I took a quick look at port 80 to see what kind of web app was presented. I did not see much so I went to directory enumeration with DIRB.

Looks like there is a WordPress app in the weblog directory.  Let's use the usual credentials to see if it will log me in:  admin: admin

Ok, that worked.  Did more searching while looking around in WordPress.  Checked out more directories and did a NIKTO scan.

Ah, "try harder", still have nightmares.  Anyway, trying more scans, I used the tool WPSCAN to see if there were any vulns for the WordPress app.

The scan picked up a Slideshow Gallery file upload vulnerability.  I will try to use a webshell to upload.  Once uploaded, I just need to start a meterpreter session listening on port 5555.  I created a PHP meterpreter webshell using MSFVENOM for port 5555 and named it agoonie.php.  I should be able to browse to it for the server to execute it.

Looks like that worked.  Now, to find out the usual information about the server.  It will help when I am trying for privilege escalation.

I can see two users to keep a look out for, stinky and mrderp.  They have home directories that I cannot access yet.  Let's look at some config files to see what credentials we may find.

We have credentials but they did not work for the WordPress app. Well, we saw phpmyadmin and we have creds for that.  Let's do the usual digging there.

I looked around at the tables and made notes.  Let's try the root account for phpmyadmin.

We have hashes! Let's try to decode for more passwords. Well, we have 'unclestinky'.

Well we have the second flag and it is Mexico.  I could not get the second hash.  Some day I will build a dedicated password cracking machine like the OffSec guys build.  Some day ...


We see more flag2 hashes.  We have that one already.  Let's do more digging around.  Looks like more hashes.  We have root, unclestinky and phpmyadmin to check out.

Let's try 'unclestinky'.

Looked around for new info. Nothing really stands out.  Now that we have another credential for 'unclestinky', we should try FTP and SSH.

Ok.  Checking out the files.  Looks like the credentials belong to sysadmins.  That's good.  This key seems like the SSH key to log in.  Of course, still requires a password so that is fail.  Well, we know there is a packet capture somewhere that we need to find.  Let's go back to our meterpreter session.

Well, let's see if I can just switch to stinky with the creds.

We have our third flag!  Well take note of it and keep digging.

Oooookkkkk, so wireshark captured the creation of the mrderp account with its password, derp x 7.
Well, time to switch to mrderp??

Hmm, helpdesk.log has some info on sudoers.  Let's try the helpdesk log for mrderp pastebin URL ( )

So the user can sudo as long as it is coming from a command in the binaries directory.  Wait but there is no binaries directory.  Well time to create one.

So we have the directory created.  Time to make a command to sudo.  I figured just make a command to open shell which would have root permissions.

Alrighty, command set.  Let's sudo! We have root anddddd the fourth flag.
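A defensive check for the misconfiguration described above, as an added example that is not part of the original walkthrough: it flags sudoers rules whose command path is missing or sits under a directory a non-root user can write. The sudoers lines, the uid 1001 and the filesystem listing are constructed samples (the page does not show the actual rule), and only simple one-line user specs are parsed.

```python
import os
import posixpath
import re
import stat

# Simple user specs only: "user host=(runas) [TAG:] cmd[, cmd...]"
RULE = re.compile(r"^(?P<user>[^#\s]\S*)\s+\S+\s*=\s*(\([^)]*\)\s*)?(?P<cmds>.+)$")
# Constructed sample data, not copied from the VM: path -> (owner uid, mode)
SAMPLE_FS = {"/": (0, 0o40755), "/home": (0, 0o40755), "/home/mrderp": (1001, 0o40755),
             "/usr": (0, 0o40755), "/usr/bin": (0, 0o40755), "/usr/bin/systemctl": (0, 0o100755)}
SAMPLE_SUDOERS = """mrderp ALL=(ALL) /home/mrderp/binaries/*
helpdesk ALL=(root) NOPASSWD: /usr/bin/systemctl restart apache2"""

def real_stat(path):
    """(owner uid, mode) on the live system, or None if the path is absent."""
    st = os.stat(path) if os.path.exists(path) else None
    return (st.st_uid, st.st_mode) if st else None

def weak_component(cmd_path, stat_fn=real_stat):
    """Walk from the command up to /; describe the first component non-root can write."""
    path, missing = posixpath.normpath(cmd_path), False
    while True:
        info = stat_fn(path)
        if info is None:
            missing = True  # the nearest existing parent decides who can create it
        elif info[0] != 0 or info[1] & (stat.S_IWGRP | stat.S_IWOTH):
            how = "missing, creatable via" if missing else "replaceable via"
            return f"{how} {path} (uid={info[0]}, mode={stat.S_IMODE(info[1]):o})"
        if path == "/":
            return None
        path = posixpath.dirname(path)

def audit_sudoers(text, stat_fn=real_stat):
    """Return (user, command, problem) for rules whose command path is not root-only."""
    findings = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        for cmd in (m.group("cmds").split(",") if m else []):
            tokens = re.sub(r"^([A-Z_]+:\s*)+", "", cmd.strip()).split()
            if not tokens or not tokens[0].startswith("/"):
                continue  # ALL and aliases are out of scope here
            glob = re.search(r"[*?\[]", tokens[0])  # for a glob, check its directory
            target = posixpath.dirname(tokens[0]) if glob else tokens[0]
            problem = weak_component(target, stat_fn)
            if problem:
                findings.append((m.group("user"), tokens[0], problem))
    return findings

if __name__ == "__main__":
    print(audit_sudoers(SAMPLE_SUDOERS, SAMPLE_FS.get))
```

On a live host, call `audit_sudoers(open("/etc/sudoers").read())` as root so the default `real_stat` can see every path; rules that pass live under root-owned, non-group/world-writable directories all the way up to `/`.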

Well, if you want all the flags decoded. Here you go:

AB0BFD73DAAEC7912DCDCA1BA0BA3D05 md5 flag1

flag2(a7d355b26bda6bf1196ccffead0b2cf2b81f0a9de5b4876b44407f1dc07e51e6) Mexico

07f62b021771d3cf67e2e1faf18769cc5e5c119ad7d4d1847a11e11d6d5a7ecb sha256 Brazil

49dca65f362fee401292ed7ada96f96295eab1e589c52e4e66bf4aedda715fdd sha256 United States