Difference between revisions of "DerpNStink: 1 ~ VulnHub - Walkthrough"

(Created page with "Category:Pentesting == Objective == Explore multiple remote vulnerabilities and multiple privilege escalation vectors to gain access to and gain root privileges on the tar...")
 
Line 1: Line 1:
 
[[Category:Pentesting]]
 
[[Category:Pentesting]]
 
== Objective ==
 
== Objective ==
Explore multiple remote vulnerabilities and multiple privilege escalation vectors to gain access to and gain root privileges on the target host.  
+
Remotely attack the VM and find all 4 flags eventually leading you to full root access.
  
 
Source: [[https://www.vulnhub.com/entry/derpnstink-1,221/: VulnHub.com]]
 
Source: [[https://www.vulnhub.com/entry/derpnstink-1,221/: VulnHub.com]]
Line 9: Line 9:
 
=== Discovery ===
 
=== Discovery ===
 
<syntaxhighlight lang="shell-session" highlight="6-8" line>
 
<syntaxhighlight lang="shell-session" highlight="6-8" line>
 +
root@kali:~# nmap -O -sT -sV -p- -T5 192.168.56.105
  
 +
Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-26 05:21 EDT
 +
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
 +
Stats: 0:00:10 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
 +
Service scan Timing: About 66.67% done; ETC: 05:21 (0:00:03 remaining)
 +
Nmap scan report for 192.168.56.105
 +
Host is up (0.00068s latency).
 +
Not shown: 65532 closed ports
 +
PORT  STATE SERVICE VERSION
 +
21/tcp open  ftp    vsftpd 3.0.2
 +
22/tcp open  ssh    OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
 +
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
 +
MAC Address: 08:00:27:FF:CF:9E (Oracle VirtualBox virtual NIC)
 +
Device type: general purpose
 +
Running: Linux 3.X|4.X
 +
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
 +
OS details: Linux 3.2 - 4.8
 +
Network Distance: 1 hop
 +
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
 +
 +
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
 +
Nmap done: 1 IP address (1 host up) scanned in 11.92 seconds
 
</syntaxhighlight>
 
</syntaxhighlight>
  
 +
 +
<syntaxhighlight lang="shell-session" highlight="6-8" line>
 +
 +
</syntaxhighlight>
  
 
== Recommendations ==
 
== Recommendations ==

Revision as of 22:19, 2 May 2018

Objective

Remotely attack the VM and find all 4 flags eventually leading you to full root access.

Source: [VulnHub.com]

Status: [Work in progress]

Methodology

Discovery

root@kali:~# nmap -O -sT -sV -p- -T5 192.168.56.105

Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-26 05:21 EDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Stats: 0:00:10 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 05:21 (0:00:03 remaining)
Nmap scan report for 192.168.56.105
Host is up (0.00068s latency).
Not shown: 65532 closed ports
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.2
22/tcp open  ssh     OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.7 ((Ubuntu))
MAC Address: 08:00:27:FF:CF:9E (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.92 seconds


Recommendations

Appendix A: Vulnerability Detail and Mitigation

Unpatched Software Components
Rating High
Description xxxxxx
Impact xxxxx
Remediation xxxxx
Relaxed sudo Roles
Rating High
Description xxxxxx
Impact xxxxx
Remediation xxxxx
Default Weak Passwords
Rating High
Description xxxxxx
Impact xxxxx
Remediation xxxxx
Relaxed Filesystem Permissions
Rating High
Description Unix file permissions for /etc/shadow are incorrect.
Impact Allow any user with a shell to access this file and extract password hashes which can be further passed to a password cracking utility to extract user credentials.
Remediation Set unix file permissions for /etc/shadow to "600" and change ownership to root:root