Hack the Basic Penetration VM (Boot2Root Challenge)
Today we are going to take another CTF challenge known as Basic Penetration. The credit for making this VM machine goes to “Josiah Pierce” and it is another boot2root challenge where we have to root the server to complete the challenge. You can download this VM here.
Security Level: Beginner
- Web Directory search
- Credential harvesting
- Metasploit shell upload
- Privilege Escalation
- Exploit Sudo rights
Let’s start off by scanning the network and identifying the host IP address. We can identify our host IP as 192.168.1.100 by using Netdiscover.
Then we used Nmap for port enumeration. We find that port 21(ftp), 22(ssh) and 80 are open on the target.
nmap -A 192.168.1.100
As we can see port 80 is open, so we tried to open the IP address in our browser but we didn’t find anything on the webpage.
So we used dirb for directory enumeration.
After bruteforcing with dirb we found a directory named /secret
Now we tried to open it in our browser. We came to know that the website is a WordPress site.
We tried to open the admin page 192.168.1.100/secret/wp-admin but it wouldn’t open and we got redirected to the URL which you can see in the screenshot
Then we added vtcsec to the hosts file.
Now we were able to access the admin page.
We tried some basic credential combinations used in WordPress and found admin: admin was working for us.
Then we used Metasploit to upload admin shell into the target using the above credentials and wait for a meterpreter session.
use exploit/unix/webapp/wp_admin_shell_upload set username admin set password admin set targeturi /secret/ set rhosts 192.168.1.100 run
We successfully got a meterpreter session.
We then uploaded LineEnum.sh script to check if password hashes are stored in /etc/passwd and also attempt to read restricted file i.e. /etc/shadow.
Here we can see the /etc/shadow has read-only permission.
After opening the /etc/shadow file we can see there is a user with the name marlinspike
We downloaded this shadow file into our local system and used John the Ripper to crack the password.
We found the password for the user marlinspike is marlinspike
Now we log in as marlinspike.
We checked the sudoers list and found that we have all the access as root, so we did sudo as superuser.
Great! We have successfully completed our challenge as we able access the target as a root user.
su marlinspike sudo –l sudo su id
Author: Auqib Wani is a Certified Ethical Hacker, Penetration Tester and a Tech Enthusiast with more than 5 years of experience in the field of Network & Cyber Security. Contact Here