This article describes the process of exploiting the vulnerable box ReconForce. I have written a step-by-step procedure for the exploitation of ReconForce, with screenshots below.
How to Exploit:
The exploitation of ReconForce-1 from Vulnhub, in steps: enumeration and scanning, obtaining a normal user shell, then post-exploitation to become the root user.
Download the ReconForce-1: hackNos image from Vulnhub and import it into VirtualBox.
Note: I am not sure if the VM is still available on Vulnhub, so you can use this writeup as a guide to exploit a similar environment.
1. Log in to Kali Linux and start by finding your own IP address, then use the same subnet for host discovery.
Enumeration using Nmap:
2. Once you locate your target, start with port and service enumeration using Nmap.
3. I tried probing around with HTTP, but it had not much to offer other than a basic login prompt and one directory with listing enabled.
4. I tried fiddling around with the FTP port, but found nothing more than one interesting clue.
Login Prompt with Burp Intruder:
5. Now, with a few clues gathered from the web application and the FTP service, I tried some juggling on the login prompt with Burp Intruder.
Note: In this case, a few clues were already available; the intention of showing the Intruder configuration is for brute-force cases.
6. I was able to log in with the username ‘admin’ and password ‘Security@hackNos’.
7. Once I landed on the home page, it was a simple input box requiring an IP address. Once provided, it pinged the target IP and the output was rendered in the browser.
8. The output prompted me to check for a command injection possibility, and it did work.
9. Now the target was to identify a suitable payload that could be executed through the command injection. I tried a one-liner with "nc" to get a shell, but it did not work, which made me turn to the trusted ally, 'msfvenom'.
10. Now, using "wget <url>" and "python -m SimpleHTTPServer <port>", the shell file was uploaded to the server.
11. Once the file was successfully uploaded, start the handler first and then execute the shell.
12. With shell access, I looked around for further clues.
13. After a little looking through the directories, I found our first flag.
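The ping box in steps 7 and 8 is the classic shell command injection pattern: the user-supplied address is glued into a shell string. As an added illustration (not the box's own code, which is not shown on this page; the function names are mine), here is that vulnerable construction beside a hardened one, with a strict IP allow-list and an argv list instead of a shell string:

```python
import ipaddress
import subprocess


def build_ping_vulnerable(target: str) -> str:
    """The pattern behind the ReconForce ping box (reconstructed, not its code).

    User input is concatenated into a shell command string and executed with
    shell=True, so metacharacters such as ';' or '|' are interpreted by the
    shell and a second command rides along with the ping.
    """
    return "ping -c 1 " + target


def is_ip_address(target: str) -> bool:
    """Strict allow-list: only a literal IPv4/IPv6 address passes."""
    try:
        ipaddress.ip_address(target.strip())
        return True
    except ValueError:
        return False


def build_ping_hardened(target: str) -> list[str]:
    """Validate the input, then build an argv list instead of a shell string.

    An argv list goes to execve() verbatim, so even a value that slipped past
    validation would reach ping as a single argument, never as shell syntax.
    """
    if not is_ip_address(target):
        raise ValueError("target must be a literal IP address")
    return ["ping", "-c", "1", str(ipaddress.ip_address(target.strip()))]


def run_ping(target: str, timeout: float = 5.0) -> str:
    """Execute the hardened command; shell=False is the default and stays so."""
    result = subprocess.run(
        build_ping_hardened(target),
        capture_output=True, text=True, timeout=timeout, check=False,
    )
    return result.stdout


if __name__ == "__main__":
    injected = "127.0.0.1; id"              # constructed example of hostile input
    print(build_ping_vulnerable(injected))  # the whole string reaches the shell
    print(is_ip_address(injected))          # False: rejected before anything runs
    print(build_ping_hardened("127.0.0.1"))
```

Logging every input that fails `is_ip_address` gives a cheap detection signal for injection attempts against such a page.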
Post-Exploitation (Privilege Escalation):
14. Now it was time to escalate privileges, so I switched user to "recon" and checked what rights were available.
15. With "All" access available, it was time to gain 'root' privileges.
There it was, our final flag.
Hope my write-ups are helpful in understanding the approach to exploiting an environment, though there could be other ways as well.
Found this article interesting? Follow DefenseLead on Twitter, Facebook and LinkedIn to read more exclusive content.