Difference between revisions of "The Ether: EvilScience (v1.0.1) - Walkthrough"
(Created page with "Category:Pentesting == Objective == Remotely attack the VM and find all 4 flags eventually leading you to full root access. Source: https://www.vulnhub.com/entry/derpns...") |
|||
Line 1: | Line 1: | ||
[[Category:Pentesting]] | [[Category:Pentesting]] | ||
== Objective == | == Objective == | ||
− | + | The goal is to find out what The Ether is up to. You will be required to break into their server, root the machine, and retrieve the flag. The flag will contain more information about The Ether’s ominous operations regarding this medicine. | |
− | Source: [[https://www.vulnhub.com/entry/ | + | Source: [[https://www.vulnhub.com/entry/the-ether-evilscience-v101,212/ VulnHub.com]] |
Status: [<span style="color:green">Completed</span>] | Status: [<span style="color:green">Completed</span>] | ||
Line 9: | Line 9: | ||
== Methodology == | == Methodology == | ||
=== Discovery === | === Discovery === | ||
− | <syntaxhighlight lang="shell-session" highlight=" | + | <syntaxhighlight lang="shell-session" highlight="6,7" line> |
+ | # Nmap 7.60 scan initiated Tue Apr 24 07:34:52 2018 as: nmap -O -p- -sT -sV -T5 -o nmap.txt 192.168.56.101 | ||
+ | Nmap scan report for 192.168.56.101 | ||
+ | Host is up (0.0012s latency). | ||
+ | Not shown: 65533 closed ports | ||
+ | PORT STATE SERVICE VERSION | ||
+ | 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0) | ||
+ | 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) | ||
+ | MAC Address: 08:00:27:36:82:0F (Oracle VirtualBox virtual NIC) | ||
</syntaxhighlight> | </syntaxhighlight> | ||
Revision as of 20:29, 10 May 2018
Contents
Objective
The goal is to find out what The Ether is up to. You will be required to break into their server, root the machine, and retrieve the flag. The flag will contain more information about The Ether’s ominous operations regarding this medicine.
Source: [VulnHub.com]
Status: [Completed]
Methodology
Discovery
# Nmap 7.60 scan initiated Tue Apr 24 07:34:52 2018 as: nmap -O -p- -sT -sV -T5 -o nmap.txt 192.168.56.101
Nmap scan report for 192.168.56.101
Host is up (0.0012s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 08:00:27:36:82:0F (Oracle VirtualBox virtual NIC)
Entry Point #1 - Port 80 (HTTP)
Enumeration
Exploitation
Appendix A: Vulnerability Detail and Mitigation
Rating | High |
Description | The password for WordPress admin account is the same as username (admin:admin) |
Impact | These types of passwords are very easy to guess |
Remediation | Enforce stronger password policies. A strong password should be at least 8 characters, should not contain any personal information, including user id, it should not contain any words spelled correctly and it should contain numbers, letters, and special characters. |
Rating | High |
Description | User 'unclestinky" was found to reuse the same password between mysql and system logins. |
Impact | Password reuse is a practice which should be highly discouraged and prevented to the extent possible as it potentially allows an increase in attack surface. In this case, the impact is amplified by the fact that an attacker who was able to extract user credentials from mysql database would be able to reuse said credentials to gain access to user's system account. |
Remediation | Policies need to be put in place to enforce the use of unique passwords. The use of password managers should be encouraged to aid users in utilizing unique passwords across various systems. |
Rating | High |
Description | Website contains a number of plug-ins with known vulnerabilities. |
Impact | A combination of unpatched components and weak authentication allows an attacker to upload arbitrary scripts and files to the system which can be then loaded via the website allowing an attacker to execute arbitrary commands to escalate access, exfil data, or otherwise damage the system. |
Remediation | All assets should be kept current with latest patches and updates. This can be achieved with native tools (e.g. built-in auto-update functionality) or third party applications. |
Rating | High |
Description | 'sudo' is improperly configured for 'mrderp' account |
Impact | An attacker who manages to compromise this account will be able to execute arbitrary commands with 'root' access. |
Remediation | Do not allow executing commands as 'root' which are located in user home directory or any location where these can be modified by a non-root user. |
Rating | Low |
Description | PHPMyAdmin was discovered at the default install path |
Impact | Using default path/locations makes it easier for attackers to locate components |
Remediation | Use non-standard naming convention where possible. |
If you have any questions feel free to hit me up on twitter @blaksec