Description: This is a small boot2root VM I created for my university’s cyber security group. It contains multiple remote vulnerabilities and multiple privilege escalation vectors. I did all of my testing for this VM on VirtualBox, so that’s the recommended platform. I have been informed that it also works with VMware, but I haven’t tested this personally.
This VM is specifically intended for newcomers to penetration testing. If you’re a beginner, you should hopefully find the difficulty of the VM to be just right. Your goal is to remotely attack the VM and gain root privileges. Once you’ve finished, try to find other vectors you might have missed! If you enjoyed the VM or have questions, feel free to contact me at: [email protected]
If you finished the VM, please also consider posting a writeup! Writeups help you internalize what you worked on and help anyone else who might be struggling or wants to see someone else’s process. I look forward to reading them!
Basic Pentesting 1 is a beginner-friendly, boot2root CTF challenge that offers an exciting way to dive into penetration testing. In this lab, you’ll uncover vulnerabilities, exploit them, and elevate your privileges to gain root access. It's perfect for sharpening your skills in a controlled environment!
Think like a hacker, use popular tools like Nmap, Hydra, and Metasploit, and navigate your way to success. Ready to take on the challenge? Let’s get started!
Author: Josiah Pierce
Release Date: December 8, 2017
Objective: Gain root access by exploiting vulnerabilities.
Before starting the challenge, ensure the virtual machine is configured correctly:
Ensure the VM is set up correctly with VMware Workstation 17.5+. Verify network configuration before starting.
Upon powering on the VM, you'll see the Ubuntu 16.04 LTS login screen. Username: marlinspike; password must be discovered during the challenge.
This is where the challenge begins—time to put your hacking skills to the test!
Scanned the network with netdiscover to identify active devices in the 192.168.164.0/24 subnet.
This step is critical to identifying the target machine's IP address for further exploitation.
Confirmed target availability at 192.168.164.129 using the ping command. Successful ICMP responses indicate the target is reachable.
Conducted a detailed Nmap scan on 192.168.164.129 to identify open ports and services, providing valuable exploitation information.
This scan lays the groundwork for identifying potential vulnerabilities to exploit.
Performed an Nmap vulnerability scan on port 21 (FTP) to identify potential issues.
Launched Metasploit Framework (msfconsole) to exploit identified vulnerabilities.
This step sets the stage for using Metasploit to exploit the ProFTPD backdoor vulnerability identified earlier.
Identified the ProFTPD 1.3.3c Backdoor Command Execution module in Metasploit as a potential exploit.
Selected the proftpd_133c_backdoor module in Metasploit and configured necessary parameters.
Configured the ProFTPD 1.3.3c Backdoor exploit by setting the payload and options for a reverse shell connection.
Executed the exploit successfully, resulting in a reverse shell session with root privileges.
This marks the successful exploitation of the ProFTPD 1.3.3c backdoor, providing full root access to the target system.
Established a fully interactive shell on the target system after gaining a reverse shell.
Accessed the /etc/shadow file with root privileges to view stored password hashes, which are critical for user authentication.
Cracked the password hash from /etc/shadow using John the Ripper to retrieve the plaintext password.
Established FTP server access using cracked credentials.
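Seen from the defender's side, the step above worked because a stolen /etc/shadow hash only resists cracking as far as its algorithm and the password behind it allow. The audit script below is an added example, not part of the original writeup: it classifies the crypt(3) algorithm of each shadow entry and flags empty, DES and MD5-crypt hashes. The shadow lines are constructed samples, not the VM's, and the weak/ok severities are an assumed policy.

```python
import re

# crypt(3) algorithm identifiers as they appear at the start of the hash field;
# the severity is an assumed policy: md5-crypt and DES are treated as weak.
ALGORITHMS = {
    "$1$": ("md5-crypt", "weak"),
    "$2a$": ("bcrypt", "ok"), "$2b$": ("bcrypt", "ok"), "$2y$": ("bcrypt", "ok"),
    "$5$": ("sha256-crypt", "ok"),
    "$6$": ("sha512-crypt", "ok"),
    "$7$": ("scrypt", "ok"),
    "$y$": ("yescrypt", "ok"),
}

# Constructed sample /etc/shadow content (not taken from the VM). Fields are
# name:hash:lastchange:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW = """\
root:$6$rounds=5000$NaClNaCl$constructedhashvalue:17500:0:99999:7:::
marlinspike:$1$abcdefgh$ijklmnopqrstuvwxyz0123456:17500:0:99999:7:::
backup:*:17500:0:99999:7:::
legacy:XxA4Vc9nz5Uhg:17500:0:99999:7:::
guest::17500:0:99999:7:::
"""

def classify(hash_field):
    """Return (algorithm, severity) for one shadow hash field."""
    if hash_field == "":
        return ("none", "critical")       # login succeeds with an empty password
    if hash_field.startswith(("*", "!")):
        return ("locked", "ok")           # password login disabled for this account
    for prefix, result in ALGORITHMS.items():
        if hash_field.startswith(prefix):
            return result
    if re.fullmatch(r"[./0-9A-Za-z]{13}", hash_field):
        return ("des-crypt", "weak")      # traditional DES, only 8 password chars count
    return ("unknown", "review")

def audit_shadow(text):
    """Return [(user, algorithm, severity)] for every entry whose severity is not 'ok'."""
    findings = []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or line.startswith("#"):
            continue
        algorithm, severity = classify(fields[1])
        if severity != "ok":
            findings.append((fields[0], algorithm, severity))
    return findings
```

Even a sha512-crypt entry that passes this check falls quickly to a wordlist if the password itself is weak, which is what John exploited here.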
Conducted an Nmap vulnerability scan on the Apache HTTP server (port 80).
Navigated to http://192.168.164.129/ and confirmed the default Apache web server page, indicating the HTTP service is operational.
Performed directory brute force on http://192.168.164.129/ using dirb and the big.txt wordlist.
Discovered a WordPress site titled 'My Secret Blog' in the /secret/ directory. The homepage displays the default WordPress theme.
Accessed the WordPress site at /secret/ and found the default 'Hello World!' post, indicating minimal customization.
Analyzed the WordPress login page (/wp-login.php) for administrative access.
Observed the features and potential weaknesses of the WordPress login page.
Used WPScan to identify vulnerabilities in the WordPress site.
WPScan identified valid admin credentials (username: admin, password: admin) for the WordPress site.
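Both the dirb sweep and the WPScan credential check above leave a distinct trace in the Apache access log, which is what a defender would monitor for. The detector below is an added example rather than anything from the writeup: it parses combined-format log lines and flags a source that produces many 404 responses or many POSTs to wp-login.php. The log lines, the second client address 192.168.164.50 and the thresholds are constructed for the example.

```python
import re
from collections import defaultdict

# Apache "combined" log format; only the source IP, method, path and status
# are needed for this detector.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log (not captured from the VM): a wordlist sweep that
# draws 404s, a burst of POSTs to the WordPress login, and one benign request.
SCANNER, CLIENT = "192.168.164.128", "192.168.164.50"
SAMPLE_LOG = "\n".join(
    [f'{SCANNER} - - [10/Dec/2017:12:00:{i:02d} +0000] "GET /{w}/ HTTP/1.1" 404 292 "-" "Mozilla/5.0"'
     for i, w in enumerate(["admin", "backup", "cgi-bin", "images", "old", "test"])]
    + [f'{SCANNER} - - [10/Dec/2017:12:01:{i:02d} +0000] "POST /secret/wp-login.php HTTP/1.1" 200 2315 "-" "Mozilla/5.0"'
       for i in range(5)]
    + [f'{CLIENT} - - [10/Dec/2017:12:02:00 +0000] "GET /secret/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"']
)

def parse(line):
    """Return the named fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect(log_text, not_found_threshold=5, login_threshold=3):
    """Return {ip: [findings]} for sources whose request pattern resembles a scan or login brute force."""
    not_found = defaultdict(int)
    login_posts = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        if rec["status"] == "404":
            not_found[rec["ip"]] += 1
        if rec["method"] == "POST" and rec["path"].endswith("/wp-login.php"):
            login_posts[rec["ip"]] += 1
    findings = defaultdict(list)
    for ip, n in not_found.items():
        if n >= not_found_threshold:
            findings[ip].append(f"{n} responses with status 404 (directory brute force?)")
    for ip, n in login_posts.items():
        if n >= login_threshold:
            findings[ip].append(f"{n} POSTs to wp-login.php (credential guessing?)")
    return dict(findings)
```

The counts are per source over the whole supplied log; a production version would bucket them into time windows so a slow scan is not hidden by ordinary traffic.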
Enumerated WordPress-related exploit modules in Metasploit.
Configured a Metasploit exploit module for uploading a shell via WordPress admin.
Authenticated with WordPress admin credentials (admin:admin), uploaded and executed the payload, establishing a reverse TCP connection and Meterpreter session.
Demonstrated an alternative method using a reverse shell script.
Customized the php-reverse-shell.php script with the attacker's IP (192.168.164.128) and listening port (1234).
Gained access to the WordPress admin dashboard, allowing control over content, themes, plugins, and settings for potential malicious modifications.
Accessed the WordPress plugin directory for potential exploitation.
Attempted to upload a PHP reverse shell as a WordPress plugin.
Accessed the reverse shell file to trigger the payload and establish a connection to the attacker's machine.
Set up a Netcat listener to receive the reverse shell connection.
Established a reverse shell connection, providing user-level access.
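A PHP reverse shell installed through the plugin uploader, as in the steps above, ends up as a file under wp-content/plugins, which is where a defender can look for it afterwards. The scanner below is an added example, not code from the writeup: it walks a plugin directory and reports PHP files that call the socket and process functions php-reverse-shell.php depends on. The plugin tree it scans is a constructed temporary directory, and the suspect file only carries the call pattern, not a working payload.

```python
import os
import re
import tempfile

# Socket and process functions a PHP reverse shell needs; ordinary plugins
# rarely call them, so their presence is worth a manual review.
SUSPICIOUS = re.compile(
    r"\b(fsockopen|proc_open|popen|shell_exec|passthru|system|exec)\s*\(", re.I
)

def scan_plugins(plugins_dir):
    """Return {relative_path: [function names]} for PHP files under plugins_dir that call them."""
    hits = {}
    for root, _dirs, files in os.walk(plugins_dir):
        for name in files:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                found = sorted({m.group(1).lower() for m in SUSPICIOUS.finditer(fh.read())})
            if found:
                hits[os.path.relpath(path, plugins_dir)] = found
    return hits

# Constructed plugin tree (not the VM's): one benign plugin and one file that
# has the call pattern of a reverse shell without a working payload.
BENIGN = "<?php\n/* Plugin Name: Hello */\nadd_action('init', function () { echo 'hi'; });\n"
SUSPECT = "<?php\n$s = fsockopen($host, $port, $errno, $errstr, 30);\n$p = proc_open($cmd, $spec, $pipes);\n"

def build_sample_tree():
    """Write the constructed plugins into a fresh temporary directory and return its path."""
    base = tempfile.mkdtemp(prefix="wp-plugins-")
    for sub, body in (("hello/hello.php", BENIGN), ("uploaded/shell.php", SUSPECT)):
        path = os.path.join(base, *sub.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return base
```

Defining DISALLOW_FILE_MODS as true in wp-config.php disables the plugin and theme upload paths this attack relied on, although it does not protect against an attacker who already has a shell on the server.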