CTF - Basic Pentesting 1



I’m back and going to attempt another beginner-friendly CTF. This time I decided on one called Basic Pentesting: 1 from VulnHub.

OBJECTIVE

Gain root access on the Victim Machine.

PREPARATION

This time, I didn’t use a bridged connection. I used a Host-only Network connection so my VMs are not visible from the outside network. I turned on both my attacking VM (Kali Linux) and the Victim VM (Basic Pentesting: 1). Once both were loaded, I had a look at the Victim VM. This is what I saw from observation.

Things to consider:

Probing further, I logged onto the Guest session without any password. I couldn’t find anything interesting. I assume that since this is only a Guest account, it wouldn’t have any privileged access.

RECONNAISSANCE

Firstly, I need to find out the IP address. There are two ways that I could do this. Since I was in the Victim’s machine as GUEST, I entered ifconfig and obtained the IP address of 192.168.56.4. I also did a netdiscover -r 192.168.56.0/24, which is the subnet of my Host-only adaptor, and it yielded the same results.

The next step is to find out which ports are open on 192.168.56.4. I entered the command nmap -sV -sC -oA nmap 192.168.56.4 on my Attacking VM (Kali Linux).

Top: Results of netdiscover / Bottom: nmap command

Let’s see what the nmap results gave us by typing cat nmap.nmap

nmap results:

21/FTP — FIRST TRY

Firstly, I’m going to see if I can log onto this and see if I can find anything. To do this, I enter the command ftp 192.168.56.4

This prompted for the root password, which I don’t know and need to figure out. I’m going to scratch this and find another way.

21/FTP — SECOND TRY

Researching ProFTPD, I discovered that there was a vulnerability that I can exploit. I will use msfconsole to get into the Metasploit Framework and will search for proftpd to see if the particular exploit I am looking for is there. I am looking for exploit/unix/ftp/proftpd_133c_backdoor as mentioned in the site researched.
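A defender-side check of the same scan output, added here as an example and not part of the original post: it parses the grepable file that nmap -oA nmap writes (nmap.gnmap) and flags service banners that are on a watch list. The sample scan text, the OpenSSH banner, and the names WATCHLIST, parse_gnmap and flag_services are assumptions made for illustration; the ProFTPD 1.3.3c banner is inferred from the module name above.

```python
import re

# Constructed sample of nmap.gnmap (grepable output from `nmap -oA nmap`).
# Only the ProFTPD 1.3.3c banner is implied by the page; the rest is made up.
SAMPLE_GNMAP = """\
# Nmap scan initiated (constructed sample)
Host: 192.168.56.4 ()\tStatus: Up
Host: 192.168.56.4 ()\tPorts: 21/open/tcp//ftp//ProFTPD 1.3.3c/, 22/open/tcp//ssh//OpenSSH (constructed banner)/, 80/closed/tcp//http///\tIgnored State: filtered (997)
"""

# Hypothetical watch list: (regex on the version banner, action for the owner).
WATCHLIST = [
    (re.compile(r"^ProFTPD 1\.3\.3c\b"),
     "release targeted by proftpd_133c_backdoor; replace with a verified build"),
]


def parse_gnmap(text):
    """Yield (host, port, proto, service, version) for every open port."""
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # skip comments and the "Status:" lines
        host = line.split()[1]
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0].strip()
        # Entries are comma separated; split only where a new port number starts.
        for entry in re.split(r",\s+(?=\d+/)", ports_field):
            # Field order: port/state/protocol/owner/service/rpcinfo/version/
            fields = entry.split("/")
            if len(fields) < 7 or fields[1] != "open":
                continue
            yield host, int(fields[0]), fields[2], fields[4], fields[6]


def flag_services(text, watchlist=WATCHLIST):
    """Return (host, port, version, reason) for banners on the watch list."""
    findings = []
    for host, port, _proto, _service, version in parse_gnmap(text):
        for pattern, reason in watchlist:
            if pattern.search(version):
                findings.append((host, port, version, reason))
    return findings


if __name__ == "__main__":
    for host, port, version, reason in flag_services(SAMPLE_GNMAP):
        print(f"{host}:{port} {version} -> {reason}")
```

Run against your own nmap.gnmap by passing the file's contents to flag_services instead of the constructed sample.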

METASPLOIT — SEARCHING FOR FTP

I entered the command msfconsole. Then I entered search proftpd. Once the results appeared I found the exploit I was looking for. I then typed in use exploit/unix/ftp/proftpd_133c_backdoor.

To begin the exploit, I need to set the parameters. To do this, I typed in show options. Then I entered the correlating details required. I typed in set RHOST 192.168.56.4 because this is the remote host. Once done, I typed exploit.

This is good!! Looks like the exploit has been completed. Now I have a session open.

After doing a bit of research, I need to obtain a Python shell to be able to navigate with bash. To do this, I need to type in python -c 'import pty; pty.spawn("/bin/bash")'. This imports a Python script allowing me to run a Python shell. This took me a while to find out as I did not know what the next steps were.

That was easy!! After launching the python shell, I have successfully gained ROOT access on my second CTF! Really happy and excited about this one!

LESSONS LEARNED (FTP)

MORE TESTING

I was interested in learning more about this VM, so I dug deeper. Firstly, I wanted to test marlinspike’s password to see if it was anything easy such as Password123. After a couple of tries, I managed to get in by typing in his username marlinspike as the password. If I were to suggest something, I would highly suggest that the creator issue a more difficult password.

After guessing this password, I tested ssh by typing in ssh marlinspike@192.168.56.4 -p 22.

I then typed in sudo -i and typed in the password to obtain root.