This VM will give you the basic idea of penetration testing. If you are a beginner, you will definitely face some difficulty while solving this VM.
Here we can gain root access using two different methods.
So let's start solving the VM.
Step 1 ==> Always try to find open ports first.
An aggressive scan and a service version scan of the open ports are required to understand which version is running so that we can search for a matching exploit. Take one port at a time; it will avoid confusion.
Step 2 ==> Checking for the FTP port
Step 3 ==> Let's check whether any public exploit is available for this service version using searchsploit.
Step 4 ==> Trying to gain a reverse shell using exploit 15921
Here we received root access, which is our destination.
Method 2 :-
Step 1 ==> Enumerate the HTTP port. From the directory brute-force we determined it is a WordPress site.
Step 2 ==> Simply open the WordPress default login page and try default credentials.
http://192.168.210.132/secret/wp-admin (It will redirect to the WordPress login page. Try admin/admin, and it worked.)
Step 3 ==> Once we have the admin login, we can try to exploit the site using plugin or theme upload.
Let's try to upload a plugin (upload a PHP reverse shell file).
PHP reverse shell file (https://github.com/pentestmonkey/php-reverse-shell). Replace the IP with the attacker system's IP.
Step 4 ==> Enable a listener on the attacker machine to catch the reverse shell.
Step 5 ==> Access the plugin upload directory in the browser and click on the PHP reverse shell file. (This directory was found using dirb.)
Step 6 ==> Received a reverse shell as the www-data user on the attacker machine using nc.
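From the defender's side, Steps 2 to 5 leave a recognisable trail in the web server access log: a burst of POSTs to wp-login.php that end in a 302 (WordPress answers a failed login with 200 and a successful one with a 302 to wp-admin), then a POST to wp-admin/update.php?action=upload-plugin, then a direct request for a .php file under wp-content. The following script is an added example, not part of the original post; the log lines, IP addresses and file names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache "combined" format (not from the original post).
# They mimic the sequence in Method 2: two failed logins, one success, a plugin
# upload, then a direct hit on a PHP file inside wp-content.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /secret/wp-admin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "POST /secret/wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "POST /secret/wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:07 +0000] "POST /secret/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:30 +0000] "POST /secret/wp-admin/update.php?action=upload-plugin HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:45 +0000] "GET /secret/wp-content/plugins/example-plugin/shell.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:01:00 +0000] "GET /secret/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Enough of the combined-log format to pull out client IP, timestamp, method, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict of the fields we care about, or None for an unparsable line."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyse(lines):
    """Walk the log once and emit findings for the three stages described in the post."""
    failed_logins = defaultdict(int)   # per-IP count of failed wp-login.php POSTs
    findings = []
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        ip, method, status = rec["ip"], rec["method"], rec["status"]
        base, _, query = rec["path"].partition("?")

        if method == "POST" and base.endswith("/wp-login.php"):
            if status == "200":            # form re-rendered: failed attempt
                failed_logins[ip] += 1
            elif status == "302":          # redirect to wp-admin: successful login
                findings.append({"type": "wp_login_success", "ip": ip, "ts": rec["ts"],
                                 "prior_failures": failed_logins[ip]})
        elif method == "POST" and base.endswith("/wp-admin/update.php") \
                and "action=upload-plugin" in query:
            findings.append({"type": "wp_plugin_upload", "ip": ip, "ts": rec["ts"]})
        elif base.endswith(".php") and "/wp-content/" in base and status == "200":
            # PHP executed straight out of wp-content is the tell-tale of a dropped web shell.
            findings.append({"type": "php_in_wp_content", "ip": ip, "ts": rec["ts"], "path": base})
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG.splitlines()):
        print(f)
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines; a login success preceded by failures from the same IP, followed within minutes by a plugin upload, is worth an alert on its own even before the web shell is requested. The simplest mitigations for this stage are the ones the post's Step 2 relies on being absent: no default credentials, and PHP execution disabled for wp-content/uploads.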
Step 7 ==> Privilege escalation is required to gain root access.
We have read and write access to the /etc/passwd file, where each account's password field is stored. That means we can change the root password.
Step 8 ==> There are multiple ways to download the passwd file to the attacker system. We are going to try the simple Python server option here. Run the command below in the received shell.
In the browser, access the Python server path where the passwd file is present.
Step 9 ==> Next, create a password hash and replace it in the passwd file. Here Sushant@123 is my password.
Step 10 ==> Changes in the passwd file
Step 11 ==> The final stage is to upload this modified passwd file. This time we need to start the Python server on the attacker system.
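Steps 7 to 11 work only because /etc/passwd is writable by www-data and because the system honours a hash placed directly in the passwd password field instead of an "x" pointing to /etc/shadow. The audit below, an added example that is not part of the original post, checks a passwd file for both conditions plus the related case of an extra UID 0 account; the sample passwd text and the hash placeholder are constructed.

```python
import os
import stat

# Constructed passwd content showing what the file looks like after Step 10:
# root's password field holds a hash instead of "x". The hash is a placeholder.
TAMPERED_PASSWD = """\
root:$6$PLACEHOLDER$notarealhash:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
"""

# Password fields that are legitimate in /etc/passwd: shadow pointer or locked.
SAFE_PW_FIELDS = {"x", "*", "!", "!!"}


def audit_passwd_text(text):
    """Return a list of human-readable findings for the given passwd contents."""
    findings = []
    uid0_accounts = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"line {n}: malformed entry ({len(fields)} fields)")
            continue
        name, pw, uid = fields[0], fields[1], fields[2]
        if pw == "":
            findings.append(f"line {n}: {name} has an empty password field (no password required)")
        elif pw not in SAFE_PW_FIELDS:
            findings.append(f"line {n}: {name} has a password hash in /etc/passwd instead of /etc/shadow")
        if uid == "0":
            uid0_accounts.append(name)
    for name in uid0_accounts:
        if name != "root":
            findings.append(f"extra UID 0 account: {name}")
    return findings


def mode_is_unsafe(mode):
    """True if the file mode allows group or world writes (Step 7's precondition)."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_passwd_file(path="/etc/passwd"):
    """Combine the permission check and the content check for a real file."""
    findings = []
    st = os.stat(path)
    if mode_is_unsafe(st.st_mode):
        findings.append(f"{path} is writable by group or others (mode {oct(st.st_mode & 0o777)})")
    if st.st_uid != 0:
        findings.append(f"{path} is not owned by root (uid {st.st_uid})")
    with open(path, encoding="utf-8", errors="replace") as fh:
        findings.extend(audit_passwd_text(fh.read()))
    return findings


if __name__ == "__main__":
    for f in audit_passwd_file():
        print(f)
```

On a correctly configured host the script prints nothing: /etc/passwd is mode 0644, owned by root, and every password field is "x". Either finding is a direct indicator that the escalation path in Steps 7 to 11 is open (or has already been used), and the fix is simply restoring the permissions and moving any hash back into /etc/shadow.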