This is a beginner-level penetration testing challenge on Vulnhub.
Let's start, shall we?
First, you'll have to find the IP address of the vulnerable machine; in my case it is 172.16.217.130. Then proceed as shown.
nmap -sC -sV 172.16.217.130
The scan shows three open ports on the target, which is an Ubuntu Linux machine, and one of them is an Apache web server. So go ahead and enter the machine's IP address in your browser. A page loads, but it doesn't reveal much. Next we use the
dirb command to check whether the web server hosts any pages or directories whose names match our wordlist.
Here we can see that there is a directory called secret. Hmm, pretty suspicious, isn't it? Let's take a look at what's inside. Go to the browser and open
http://172.16.217.130/secret/. Huh, a WordPress blog. Now let's try the default WordPress login link.
Hmm, we are being redirected to a hostname, "vtcsec", that our machine can't resolve. Let's map "vtcsec" to the target's IP address so the redirect lands where we want it.
echo "172.16.217.130 vtcsec" >> /etc/hosts
Now, let’s go to the browser and try reloading the page.
BOOM! We have a login form now. This is progress, isn’t it?
We need the username and the password now. Maybe we should try admin/admin. It is the default for many setups and might work here too.
IT WORKED! WE ARE IN!
Now we need the web server to send us a reverse shell, and we need a netcat listener ready to catch it, so that we get a shell on the web server itself.
We can do this by adding the reverse-shell code to the header section of the theme.
Copy the code from
/usr/share/webshells/php/php-reverse-shell.php and paste it into the header section of the theme.
Let’s set up a netcat listener to catch the reverse shell.
nc -vnl -p 1234
Once the shell connects, upgrade it to an interactive TTY:
python -c 'import pty; pty.spawn("/bin/bash")'
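The theme-editor step above is exactly the kind of change a site owner wants to notice: a theme file that changes outside a normal deployment. The script below is an added example, not part of the original walkthrough and not WordPress's own tooling. It records a SHA-256 baseline of a theme directory's PHP files and later reports any file that was modified or newly added since that baseline. The directory and baseline paths are assumptions supplied by the caller, and it relies on GNU coreutils (sha256sum, comm).

```shell
#!/bin/sh
# Added example: baseline-and-compare integrity check for a WordPress theme
# directory. Not from the walkthrough or from WordPress itself. THEME_DIR and
# BASELINE are assumed paths supplied by the caller.

# build_baseline THEME_DIR BASELINE
# Record the SHA-256 of every .php file under THEME_DIR into BASELINE
# (sha256sum format: "<hash>  <path>"). Run this right after a known-good deploy.
build_baseline() {
    find "$1" -type f -name '*.php' -exec sha256sum {} + | sort -k2 > "$2"
}

# check_baseline THEME_DIR BASELINE
# Print one path per line for every .php file that differs from the baseline
# or that did not exist when the baseline was taken. Empty output means clean.
check_baseline() {
    # Modified files: sha256sum -c prints "<path>: FAILED" for each mismatch
    sha256sum -c --quiet "$2" 2>/dev/null | sed -n 's/: FAILED$//p'
    # New files: present on disk now but absent from the baseline.
    # The path starts at column 67 of a sha256sum line (64 hex chars + 2 spaces).
    find "$1" -type f -name '*.php' | sort > "$2.now"
    cut -c67- "$2" | sort > "$2.base"
    comm -13 "$2.base" "$2.now"
    rm -f "$2.now" "$2.base"
}

# Command-line use: sh theme_integrity.sh build|check THEME_DIR BASELINE
case "${1:-}" in
    build) build_baseline "$2" "$3" ;;
    check) check_baseline "$2" "$3" ;;
esac
```

Run the build step once from a clean checkout and keep the baseline file somewhere the web server's account cannot write; a cron job running the check step will then list header.php the moment anything is appended to it, and will also list any PHP file dropped into the theme directory that was not there at baseline time.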
Now open a text editor and paste in the full contents of
/etc/passwd.
Open a new terminal and enter:
openssl passwd -1 iamroot
Copy the output and paste it into the root entry of the
/etc/passwd file, in place of the "x" in the password field.
Now, all you need to do is switch to root.
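The escalation above works for two reasons: /etc/passwd was writable by the account the web shell runs as, and the system still honours a hash placed directly in the password field instead of the "x" that defers to /etc/shadow. The script below is an added example, not from the original post; it audits a passwd-format file for both conditions, and also goes one step beyond the walkthrough by listing any extra UID 0 accounts. The file path is an assumption (normally /etc/passwd), as is the set of placeholder values (x, *, !, empty) it treats as "no hash stored here".

```shell
#!/bin/sh
# Added example: audit a passwd-format file for the misconfigurations the
# walkthrough relies on. Not from the original post. FILE is an assumed path;
# in practice it would be /etc/passwd.

# audit_passwd FILE
# Print "user:field" for every account whose password field holds a real hash
# rather than a placeholder. Assumed placeholders: x (hash lives in /etc/shadow),
# * and ! (locked), or empty. A hash stored here is used directly at login, so
# anyone who can write the file can set any account's password this way.
audit_passwd() {
    awk -F: '$2 != "x" && $2 != "*" && $2 != "!" && $2 != "" { print $1 ":" $2 }' "$1"
}

# extra_uid0_accounts FILE
# Print every account other than root whose UID is 0; each one is a second
# root login and should be explained or removed.
extra_uid0_accounts() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# passwd_writable_by_others FILE
# Print "yes" if the group or other write bit is set on FILE, "no" otherwise.
# /etc/passwd should be mode 644 and owned by root; anything looser lets a
# low-privileged account (here, the web server's) rewrite it.
passwd_writable_by_others() {
    _mode=$(ls -ld "$1" | cut -c1-10)             # e.g. -rw-r--r--
    case "$(printf '%s' "$_mode" | cut -c6,9)" in  # group-w and other-w columns
        *w*) echo yes ;;
        *)   echo no ;;
    esac
}

# Command-line use: sh passwd_audit.sh FILE
if [ -n "${1:-}" ]; then
    echo "entries with a hash in the password field:"
    audit_passwd "$1"
    echo "extra UID 0 accounts:"
    extra_uid0_accounts "$1"
    echo "writable by group/other: $(passwd_writable_by_others "$1")"
fi
```

On a healthy system all three checks come back empty or "no". The fix for what the walkthrough exploits is simply chmod 644 /etc/passwd (and root ownership), after which the web server's account can read but no longer rewrite the file.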
Congratulations on your first successful hack!
If you have any questions, feel free to drop them in the comments below.