Hello, in this article I will show you step by step how to solve Basic Pentesting 1. The goal of this CTF is to become root.
LEVEL: Easy
- Learning the target's IP address with the Netdiscover tool
- Detecting open ports with the Nmap tool
- Attacking the FTP application with MSFConsole
- Collecting information via port 80 with the Dirb tool
- Obtaining information from WordPress with WPScan
- Getting a reverse shell with MSFConsole
- Password cracking with John the Ripper

Based on the IP information of the Kali machine, the IP address used by the target machine was determined with the following command.
netdiscover -r 192.168.88.0/24

Open ports on the target machine were detected as follows.
nmap -A -Pn -n -sV --reason -p- 192.168.88.144

After this scan, the open ports and services were researched, starting with FTP. It was observed that the FTP version in use has a previously known vulnerability called Backdoor Command Execution.
The necessary options were set in MSFConsole; the final configuration is as follows.
After the exploit was run, root access was obtained on the target.
It had already been determined that port 80 was open on the target. To collect more information on this port, the dirb tool was run to enumerate files and directories.
dirb http://192.168.88.144/

The detected endpoints were visited and it was observed that the content did not render fully. Examination of the responses showed that the hostname “vtcsec” was being used.
Since the requests were IP-based, “vtcsec” was mapped to the target IP on the Kali machine used for the work, and the requests were sent again.
The content obtained fully confirmed that WordPress is running on the target. The WPScan tool was used to collect more information.
wpscan --url http://vtcsec/secret/ --enumerate u

The enumeration showed an active Admin user on WordPress. Using the information obtained so far, login attempts were made with default WordPress credentials. From these attempts, it was possible to log in successfully with username “admin” and password “admin”.
PHP code can be written into the theme used by WordPress and executed directly, giving RCE. In this step, the manual steps were automated with MSFConsole.
Because the WordPress theme directory was writable, the MSFConsole Shell Upload module ran successfully and obtained RCE in the background. Otherwise, these operations would have had to be performed manually.
In the RCE attempt with MSFConsole, a Meterpreter session was successfully obtained, and the /etc/passwd and /etc/shadow files were downloaded from the target to the Kali machine.
Many different operations could be done at this point; at a minimum, the files, directories and so on in the OS could be checked with enumeration tools.
The passwd and shadow files obtained were combined with the unshadow tool to prepare for the password-cracking attack.
unshadow passwd shadow > un_shadow.txt

At this stage, the password-cracking attack was started with the John tool and the results were obtained.
It had been determined that the SSH port was open on the target. Using the information obtained, SSH access was gained as “marlinspike:marlinspike”.
ssh marlinspike@192.168.88.144

After logging in, information about the user and their privileges was collected. The groups the user belongs to are as follows.
It was determined that the user had been given sudo rights, and the user was switched to root as follows.
whoami
sudo su
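Two server-side conditions made this chain work: the WordPress file editor could write PHP into the theme, and the compromised user's group had unrestricted sudo. The following shell check is an added example, not part of the original walkthrough; the wp-config.php and sudoers files it reads are constructed stand-ins, and the function names are my own.

```shell
#!/bin/sh
# Added hardening check, not part of the original walkthrough. Both sample
# files below are constructed here to stand in for the target's real ones.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# Constructed wp-config.php: nothing disables the built-in theme/plugin
# editor, so an admin login can write PHP into the theme (the RCE route above).
cat > "$workdir/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('WP_DEBUG', false);
EOF

# Constructed sudoers: every member of group "sudo" may run any command as
# root, which is what turned the "marlinspike" shell into root via "sudo su".
cat > "$workdir/sudoers" <<'EOF'
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
EOF

# Return 0 when wp-config.php disables the file editor, 1 otherwise.
wp_file_edit_disabled() {
    grep -Eq "define\([[:space:]]*'DISALLOW_FILE_EDIT'[[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# Append the define so wp-admin can no longer edit theme or plugin files.
harden_wp_config() {
    printf "define('DISALLOW_FILE_EDIT', true);\n" >> "$1"
}

# Print each user or %group a sudoers file allows to run ALL commands, so an
# auditor can see who else becomes root with a single "sudo su".
sudo_all_principals() {
    awk 'NF && $1 !~ /^(#|Defaults)/ && $NF == "ALL" { print $1 }' "$1"
}

# Demo: audit, harden, re-audit the constructed wp-config.php.
wp_file_edit_disabled "$workdir/wp-config.php" && before=disabled || before=enabled
harden_wp_config "$workdir/wp-config.php"
wp_file_edit_disabled "$workdir/wp-config.php" && after=disabled || after=enabled
echo "WordPress file editor: before=$before after=$after"
echo "sudoers principals allowed to run ALL commands:"
sudo_all_principals "$workdir/sudoers"
```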
Click here to see my other articles about OSCP walkthroughs.