Exploiting Vulnhub: hackNos v1.1

This article is about the process of exploiting a target machine downloaded from the Vulnhub forum. I have added the required screenshots and described the process with simple statements. Do let me know if you have something to say about this.

Download the hackNos v1.1 machine from Vulnhub and import it into your VirtualBox/VM player.

How to Exploit:

1. Log in to Kali and identify its IP address, as this tells us the IP schema/range. Now start host discovery using the identified IP range.

Enumeration using Nmap:

2. With the target IP identified, let’s start the enumeration with nmap.

3. Nothing much can be understood from what the browser renders.

4. So I moved on to the tried and tested method of enumerating directories on the web server.

The discovered directories confirm it’s a ‘Drupal’ site.

5. Accessed the discovered directories from the browser; nothing more than the login page of the web application. Probed the login by guessing passwords, no luck.

6. Went back to directory enumeration, this time with something better on offer,

and refined the above search by adding a few extensions to look for.

7. With the above results I was able to confirm the exact version of Drupal.

8. As I have the Drupal version, let’s check with Metasploit if it has anything readily available to crack this.

To finalize the exploit you have to check each exploit’s information.

9. I checked the information about each exploit and zeroed in on the one highlighted above; the obvious reasons are highlighted in the screenshot below.

10. Now the next step is getting the exploit ready and running it.

11. The exploitation landed me with shell access; now it’s time to look further.

12. Moving through directories I was able to find something that looks like our first flag.

13. After decoding the value there was something new which I had never seen before, so Google helped me understand it was Brainfuck encoding.

14. With some googling I found an online decoder for this, so using a Python HTTP server I fetched this code onto my host machine and decoded it to plain text.

15. Now with these credentials I tried switching user to james, but it did not work, and neither did the web login.

16. So I tried more probing around and found our second flag.

You can read the file to see the details.
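Steps 13 and 14 decode a Brainfuck-encoded value with an online decoder. The following Python interpreter is an added example (not code from the writeup) that does the same decoding offline, so material recovered from a compromised host never has to be pasted into a third-party website. The `SAMPLE` program is the well-known "Hello World!" Brainfuck program used as constructed test data, `bf_encode` is a naive helper that builds further test data, and the step limit guards against a malformed or deliberately non-terminating blob hanging the analyst’s shell.

```python
"""Offline Brainfuck decoder: an interpreter plus a small encoder for test data."""
from typing import Dict

MAX_STEPS = 1_000_000  # abort runaway programs instead of hanging the analyst's shell


def _match_brackets(code: str) -> Dict[int, int]:
    """Map each '[' to its ']' and back; raise on unbalanced brackets."""
    pairs: Dict[int, int] = {}
    stack = []
    for i, ch in enumerate(code):
        if ch == "[":
            stack.append(i)
        elif ch == "]":
            if not stack:
                raise ValueError(f"unmatched ']' at offset {i}")
            j = stack.pop()
            pairs[i], pairs[j] = j, i
    if stack:
        raise ValueError(f"unmatched '[' at offset {stack[-1]}")
    return pairs


def bf_decode(code: str, max_steps: int = MAX_STEPS) -> str:
    """Run a Brainfuck program with no input and return everything it prints."""
    code = "".join(ch for ch in code if ch in "<>+-.,[]")  # drop whitespace/comments
    jump = _match_brackets(code)
    tape = bytearray(30_000)
    ptr = pc = steps = 0
    out = bytearray()
    while pc < len(code):
        steps += 1
        if steps > max_steps:
            raise RuntimeError("step limit exceeded; program does not terminate")
        op = code[pc]
        if op == ">":
            ptr += 1
            if ptr >= len(tape):
                raise IndexError("tape pointer ran off the right end")
        elif op == "<":
            ptr -= 1
            if ptr < 0:
                raise IndexError("tape pointer ran off the left end")
        elif op == "+":
            tape[ptr] = (tape[ptr] + 1) & 0xFF  # 8-bit cells wrap around
        elif op == "-":
            tape[ptr] = (tape[ptr] - 1) & 0xFF
        elif op == ".":
            out.append(tape[ptr])
        elif op == ",":
            tape[ptr] = 0  # no stdin is supplied: EOF reads as 0
        elif op == "[" and tape[ptr] == 0:
            pc = jump[pc]  # skip the loop body
        elif op == "]" and tape[ptr] != 0:
            pc = jump[pc]  # jump back to the matching '['
        pc += 1
    return out.decode("latin-1")


def bf_encode(text: str) -> str:
    """Naive encoder: move one cell up/down to each byte and print it (test data only)."""
    out, cur = [], 0
    for b in text.encode("latin-1"):
        delta = b - cur
        out.append(("+" * delta) if delta >= 0 else ("-" * -delta))
        out.append(".")
        cur = b
    return "".join(out)


# Constructed sample: the classic "Hello World!" program, not a value from the box.
SAMPLE = ("++++++++[>++++[>++>+++>+++>+<<<<-]>+>+>->>+[<]<-]"
          ">>.>---.+++++++..+++.>>.<-.<.+++.------.--------.>>+.>++.")

if __name__ == "__main__":
    print(bf_decode(SAMPLE), end="")
    print(bf_decode(bf_encode("user:ConstructedPass1")))
```

Run it with the recovered blob pasted in place of `SAMPLE`; whitespace and stray characters are ignored, so the value can be fed in exactly as it was found. A program that trips the step limit or the tape bounds is reported instead of silently looping.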

Post-Exploitation (Privilege Escalation):

17. After reading the flag there was still no breakthrough for escalating privileges. So in order to move forward I started with discovery of ‘SUID’ enabled files or commands.

18. I found that “wget” has SUID enabled; now what can we do with this?

I copied the contents of the ‘passwd’ file locally.

19. The next thing was adding my user ‘hacker’ to the local passwd file, so I generated a password hash and added it to the local ‘passwd’ file.

20. After adding this user I used ‘wget’ to upload this local file to the target machine, overwriting the existing ‘passwd’ file residing in the ‘/etc’ directory.

21. With the ‘passwd’ file successfully replaced, now let’s switch user to ‘hacker’. With this I have successfully escalated privileges to ‘root’.

22. With ‘root’ privileges achieved, it’s time to get the final flag.
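The privilege escalation in steps 17 to 21 relies on two conditions a defender can check for: a root-owned SUID binary that has no business being SUID (here wget), and an /etc/passwd that carries a password hash and a second UID 0 account. The script below is an added example, not part of the writeup, that audits both. `SAMPLE_PASSWD` and `SAMPLE_SUID` are constructed inputs (the hash is a placeholder, not a real one), `EXPECTED_SUID` is an assumed allowlist that a real deployment would derive from its own package baseline, and `find_suid` walks a live filesystem so the same audit can run on a host.

```python
"""Audit two host weaknesses: unexpected SUID binaries and a tampered /etc/passwd."""
import os
import stat
from typing import Iterable, List, Tuple

# Assumed allowlist of SUID binaries that are normal on a Debian-style host;
# derive the real one from the package baseline of the system being audited.
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/newgrp",
    "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
    "/usr/bin/mount", "/usr/bin/umount",
}

# Constructed /etc/passwd content (not from the target): root, a normal user,
# and the kind of line that appears after the file is overwritten by an attacker.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
james:x:1000:1000:james:/home/james:/bin/bash
hacker:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:0:0::/root:/bin/bash
"""

# Constructed (path, st_mode) pairs standing in for real lstat() results.
SAMPLE_SUID = [
    ("/usr/bin/passwd", 0o104755),  # regular file, SUID set, expected
    ("/usr/bin/wget", 0o104755),    # regular file, SUID set, NOT expected
    ("/usr/bin/ls", 0o100755),      # regular file, no SUID bit
]


def audit_passwd(text: str) -> List[str]:
    """Flag entries that indicate /etc/passwd was replaced or appended to."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"line {lineno}: malformed entry ({len(fields)} fields)")
            continue
        name, pw, uid, _gid, *_ = fields
        # With shadow passwords in use the second field must be a marker, never a hash.
        if pw not in ("x", "*", "!", ""):
            findings.append(f"line {lineno}: user {name!r} carries a password hash in /etc/passwd")
        if uid == "0" and name != "root":
            findings.append(f"line {lineno}: user {name!r} has UID 0")
    return findings


def is_suid(mode: int) -> bool:
    """True for a regular file with the set-user-ID bit set."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def audit_suid(entries: Iterable[Tuple[str, int]], allowlist=EXPECTED_SUID) -> List[str]:
    """Report SUID regular files that are not on the allowlist."""
    return [f"unexpected SUID binary: {path}"
            for path, mode in entries if is_suid(mode) and path not in allowlist]


def find_suid(root: str = "/") -> List[Tuple[str, int]]:
    """Walk a live filesystem and collect root-owned SUID regular files."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Pseudo-filesystems contain nothing relevant and are slow to walk.
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in ("/proc", "/sys", "/dev")]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if is_suid(st.st_mode) and st.st_uid == 0:
                hits.append((path, st.st_mode))
    return hits


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD) + audit_suid(SAMPLE_SUID):
        print(finding)
```

On a real host, replace the samples with `open("/etc/passwd").read()` and `find_suid("/")`. The fix for the first finding is to clear the bit (`chmod u-s /usr/bin/wget`) and keep a file-integrity check on `/etc/passwd` so an overwrite is alerted on rather than discovered after the fact.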

As I always say, this is the path which I discovered; bring on your game to find yours.
