Exploitation of Vulnhub: hackNos v2.1

This article describes the process of exploiting the hackNos v2.1 target environment downloaded from Vulnhub. I have included all the necessary screenshots, which will help you understand the methodology. Wherever needed, I have added the required description. If you have more things to add or questions that are not clear, let me know in the comments section.

Download the target environment from Vulnhub and import it in your VirtualBox or VM player setup.

How to Exploit?

1. Log in to Kali and identify its IP address; from it we learn the network's IP schema. Using this information I started the host discovery.

Enumeration using Nmap:

2. With the target IP identified, let's start the enumeration with Nmap. The Nmap results show two open ports: 22 and 80.

3. Port 80 was found to be running the Apache web server, so I checked from the browser what application is hosted there.

And it was nothing more than a single HTML page.

4. So the next move was to enumerate directories under the root web directory.

5. The directory enumeration results were not that impressive with the DirBuster wordlist, so I tried changing the wordlist.

And this yielded some interesting results.

6. Using these results, I went back to the browser to check what's in the newly discovered directory.

A web application! I tried all the links and functions available on the page, but found nothing to move forward with.

7. So I thought of using a web application vulnerability scanner.

And bingo! Nikto gave very useful information: it's a WordPress application, so now we have a tool that can give more info.

8. I started a WordPress scan, specifically looking for plugins.

And found a plugin. With a bit of searching on the internet, I discovered that it is vulnerable to LFI.

9. Now it was time to find out whether there is any known exploit for this.

10. Now it's time to use this information to extract the ‘passwd’ file.

In this, we got our first flag.
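On the defending side, the LFI used above leaves a clear trace in the web server's access log: a plugin parameter carrying traversal sequences or a sensitive file name. The following is an added example, not part of the original write-up, that scans Common Log Format lines for such requests and handles single- and double-URL-encoded traversal; the log lines and the plugin path (`example-plugin`) are constructed placeholders.

```python
"""Flag LFI / path-traversal requests in Apache access-log lines.

Added defensive example; the sample log lines below are constructed and
the plugin path is a hypothetical placeholder, not the real plugin.
"""
import re
from urllib.parse import unquote

# Common Log Format: client ident user [time] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3}) (\S+)'
)

# File names that a plugin include parameter should never reference.
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow", "wp-config.php", "/proc/self/environ")


def decode_path(raw: str) -> str:
    """URL-decode twice so double-encoded traversal (%252e%252e%252f) is caught."""
    return unquote(unquote(raw))


def classify_request(path: str):
    """Return a reason string if the request path looks like LFI, else None."""
    decoded = decode_path(path).replace("\\", "/")
    if "../" in decoded or "/.." in decoded:
        return "path traversal"
    lowered = decoded.lower()
    for name in SENSITIVE_FILES:
        if name in lowered:
            return f"sensitive file reference ({name})"
    return None


def find_lfi_attempts(log_lines):
    """Parse access-log lines; return (client_ip, decoded_path, reason, status) hits."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line, skip rather than crash the scan
        ip, path, status, _size = m.groups()
        reason = classify_request(path)
        if reason:
            hits.append((ip, decode_path(path), reason, int(status)))
    return hits


SAMPLE_LOG = [  # constructed sample lines
    '10.0.2.15 - - [12/Jan/2020:10:01:02 +0000] "GET /blog/wp-login.php HTTP/1.1" 200 512',
    '10.0.2.15 - - [12/Jan/2020:10:01:05 +0000] "GET /blog/wp-content/plugins/example-plugin/view.php?file=../../../../etc/passwd HTTP/1.1" 200 1843',
    '10.0.2.15 - - [12/Jan/2020:10:01:09 +0000] "GET /blog/wp-content/plugins/example-plugin/view.php?file=%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 1843',
]

if __name__ == "__main__":
    for ip, path, reason, status in find_lfi_attempts(SAMPLE_LOG):
        print(f"{ip} {status} {reason}: {path}")
```

A hit with status 200 on a traversal path is the one worth paging on: it means the include most likely succeeded, whereas a 404 or 403 indicates the attempt was blocked.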

11. Using john, I tried cracking this hash.

12. With the password available, I tried logging in as user ‘flag’.

13. When I tried moving around, the user seemed to have a lot of restrictions.

14. After some research, I discovered that this user has no profile, hence the challenge. I changed my login method and it worked.

15. Now it was time to look around for more clues, and I found one.

16. Using john, I cracked this second hash.

17. Interestingly, there was another user, ‘rohit’, whom we found when we accessed the password file. So I used this new password to switch user to ‘rohit’.

18. I checked what is available in the home directory and found the second flag.

Post-Exploitation (Privilege Escalation):

19. Now the next step is privilege escalation; to start, I checked what the current user can do.

It can be seen that the user has permission to run all commands. So that's it: with ‘sudo -i’ we have root privileges.

20. It's time to get our final flag.

I hope you find this write-up helpful in understanding the approach to similar environments; let me know if you have something to add.
