VulnHub: Basic Pentesting 1 Walkthrough WITHOUT Metasploit

This is a beginner-level penetration testing challenge on VulnHub.

https://www.vulnhub.com/entry/basic-pentesting-1,216/

Let's start, shall we?

Firstly, you’ll have to find the IP address of the vulnerable device, in my case it is 172.16.217.130. Now, you can proceed as shown.

nmap -sC -sV 172.16.217.130

Here, it shows that there are three ports open on the vulnerable server, which is an Ubuntu Linux machine. One of them is running Apache, a web server, so go ahead and enter the IP address of the machine in your browser. You should see a webpage, but it doesn't reveal much. Now we use the dirb command to see if the web server has any pages or directories whose names match entries in our wordlist.

dirb 172.16.217.130

Here, we can see that there is a directory called secret. Hmm, pretty suspicious, isn't it? Okay, we should take a look at what's inside. Let's go to the browser and open http://172.16.217.130/secret/. Huh, a WordPress blog. Now, let's try the default WordPress login link: http://172.16.217.130/secret/wp-login.php.

Hmm, we are being redirected to a hostname, "vtcsec", which our machine cannot resolve. Let's map that name to the server's IP address so the redirect works.

echo "172.16.217.130 vtcsec" >> /etc/hosts

Now, let’s go to the browser and try reloading the page.
BOOM! We have a login form now. This is progress, isn’t it?

We need the username and the password now. Maybe we should try admin/admin. It is a common default and could well work here.

IT WORKED! WE ARE IN!

Now, we need to make the website send us a reverse shell and be ready to catch it with our netcat listener, so that we get a shell on the web server.

We can do this by adding the code to the header section of the theme.
Copy the code from /usr/share/webshells/php/php-reverse-shell.php and paste it in the header section of the theme.

Let’s set up a netcat listener to catch the reverse shell.
nc -vnl -p 1234

Once the shell connects, check which user you are and upgrade to an interactive shell:
whoami
python -c 'import pty; pty.spawn("/bin/bash")'

Now, open a text editor and paste the full contents of /etc/passwd into a new file.
Open a new terminal and enter:
openssl passwd -1 iamroot

Copy the output and paste it into the root entry of your copy of /etc/passwd, in place of the "x" in the password field.

Now, all you need to do is switch to root.
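The privilege escalation above only works because the system honours a hash placed directly in the password field of /etc/passwd and because that file could be modified from the low-privileged shell we landed in. As an added defender-side example, not part of the original walkthrough, this script audits a passwd file for exactly those conditions: a mode writable by group or others, entries whose password field holds a hash or is empty instead of the "x" shadow placeholder, and uid 0 accounts other than root. The sample passwd content and its hash value are constructed.

```python
import os
import stat

# Constructed sample passwd content (not taken from the VM): the root entry
# carries an MD5-crypt style hash where the shadow placeholder "x" belongs,
# and a second uid 0 account has been added.
SAMPLE_PASSWD = """\
root:$1$CONSTRUCTED$notarealhashplaceholder000:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
webadmin:x:1000:1000:webadmin,,,:/home/webadmin:/bin/bash
backup:x:0:0:backup:/var/backups:/bin/sh
"""

# Password-field values that mean "look in /etc/shadow" or "account locked".
SHADOW_PLACEHOLDERS = ("x", "*", "!", "!!")


def audit_passwd(content: str, mode: int) -> list:
    """Return a list of human-readable findings for passwd text plus file mode bits."""
    findings = []
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("passwd file is writable by group or others")
    for lineno, line in enumerate(content.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:  # name:pw:uid:gid:gecos:home:shell
            findings.append(f"line {lineno}: malformed entry ({len(fields)} fields)")
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if pw not in SHADOW_PLACEHOLDERS:
            kind = "empty password" if pw == "" else "password hash in passwd file"
            findings.append(f"{name}: {kind}")
        if uid == "0" and name != "root":
            findings.append(f"{name}: uid 0 account other than root")
    return findings


def audit_live_passwd(path: str = "/etc/passwd") -> list:
    """Audit a real passwd file on this host (read-only)."""
    with open(path, encoding="utf-8") as fh:
        content = fh.read()
    return audit_passwd(content, stat.S_IMODE(os.stat(path).st_mode))


if __name__ == "__main__":
    # 0o646 models a misconfigured passwd file that others can write to.
    for finding in audit_passwd(SAMPLE_PASSWD, 0o646):
        print(finding)
```

On a correctly configured host, audit_live_passwd() returns an empty list; any finding is worth a look.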

Congratulations on your first successful hack!

If you have any questions, feel free to drop them in the comments below.

Published by Abhinav Gyawali
