This article describes the process of exploiting the MyWebServer1 target environment downloaded from vulnhub. I have included all the necessary screenshots which will help you understand the methodology easily.
Wherever needed I have added the required description. Still, if you have more things to add or questions that are not clear, let me know in the comments section.
Download the target environment from vulnhub and import it to your VirtualBox or VM player setup.
How to exploit?
1. Log in to Kali Linux and identify its IP address; from that address we learn the network's IP scheme. Using this information I started host discovery.
Enumeration with Nmap:
2. With the target IP identified, let’s start the enumeration with Nmap.
3. Let’s use the browser to check what we have on HTTP services.
Nikto Scan for more Pointers:
4. Let’s try using Nikto scanning for discovering more pointers.
It seems the application running on port 80 was built with WordPress.
WordPress (WP) Scan:
5. Let’s run a WordPress scan to see what more can be discovered.
The scan gave us a username; I tried a password attack with it but did not succeed. Also, ‘wpscan’ reported no other vulnerabilities.
6. Now, from the ‘Nmap’ results above, there is one interesting service running on port 2222: ‘Nostromo 1.9.6’. A quick check on the web shows it is vulnerable, and Metasploit has an exploit available for it.
7. Let’s set the required parameters and run the exploit.
And it worked, we get the shell.
Post-Exploitation (Privilege Escalation):
8. Let’s check what we can do with our current privileges.
9. No special rights; let’s follow the usual process and look for a way to escalate privileges.
10. Let’s check what this file has on offer.
It has credentials for the Apache Tomcat web server.
11. Using these credentials let’s log in to the webserver.
It seems we can deploy war files.
12. To exploit this WAR file upload functionality, ‘msfvenom’ is useful for generating the payload.
13. Deploy the created file from the web admin interface.
14. Run the listener on port 8001 and execute the file through a web interface.
And it returns a reverse shell as the ‘tomcat’ user.
15. Let’s check our privileges:
It seems the user has privileges to run java as ‘root’.
16. Now, to exploit this, let’s create another payload using ‘msfvenom’
and download it to the target.
17. Run the file as root and we get a reverse shell as the ‘root’ user.
And there we get our flag.
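Two things a defender would fix after this chain are the world-readable Tomcat credentials file and the sudo rule that lets a service account run an interpreter (java) as root. The audit script below is an added example, not code from the original post or the VulnHub box; the sudoers sample and the temporary file it checks are constructed, and the interpreter list is an assumption.

```python
import os
import re
import stat
import tempfile

# Commands that run arbitrary code; java is what this box abuses via sudo.
# Assumed list: extend it for your environment.
INTERPRETERS = {"java", "python", "python3", "perl", "ruby", "bash", "sh"}

# sudoers rule shape: user  host=(runas[:group]) [NOPASSWD:] cmd[, cmd...]
SUDO_RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\(([^)]*)\)\s*)?(?:NOPASSWD:\s*)?(.+)$")


def credentials_file_exposed(path: str) -> bool:
    """True if any local user can read the file (how tomcat-users.xml leaked here)."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def risky_sudo_rules(sudoers_text: str) -> list:
    """(user, command) pairs that are root-equivalent: ALL, or an interpreter run as root."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith("Defaults"):
            continue
        m = SUDO_RULE.match(line)
        if not m:
            continue
        user, runas, commands = m.groups()
        runas_user = (runas or "root").split(":")[0].strip()
        if user == "root" or runas_user not in ("root", "ALL"):
            continue
        for cmd in (c.strip() for c in commands.split(",")):
            if cmd and (cmd == "ALL" or os.path.basename(cmd.split()[0]) in INTERPRETERS):
                findings.append((user, cmd))
    return findings


SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
tomcat  ALL=(root) NOPASSWD: /usr/bin/java   # constructed: the rule that hands over root
backup  ALL=(root) /usr/bin/rsync
"""


def demo_credentials_check() -> tuple:
    """Throwaway file: world-readable first, then restricted to owner and group."""
    fd, path = tempfile.mkstemp(prefix="tomcat-users-")
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        before = credentials_file_exposed(path)
        os.chmod(path, 0o640)
        after = credentials_file_exposed(path)
    finally:
        os.unlink(path)
    return before, after
```

Running `risky_sudo_rules` on the real `/etc/sudoers` (and the files under `/etc/sudoers.d`) and `credentials_file_exposed` on the Tomcat config directory turns the two findings from this box into a repeatable check.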
Happy Hacking!