Difference between revisions of "DerpNStink: 1 ~ VulnHub - Walkthrough"
(Created page with "Category:Pentesting == Objective == Explore multiple remote vulnerabilities and multiple privilege escalation vectors to gain access to and gain root privileges on the tar...") |
|||
Line 1: | Line 1: | ||
[[Category:Pentesting]] | [[Category:Pentesting]] | ||
== Objective == | == Objective == | ||
− | + | Remotely attack the VM and find all 4 flags eventually leading you to full root access. | |
Source: [[https://www.vulnhub.com/entry/derpnstink-1,221/: VulnHub.com]] | Source: [[https://www.vulnhub.com/entry/derpnstink-1,221/: VulnHub.com]] | ||
Line 9: | Line 9: | ||
=== Discovery === | === Discovery === | ||
<syntaxhighlight lang="shell-session" highlight="6-8" line> | <syntaxhighlight lang="shell-session" highlight="6-8" line> | ||
+ | root@kali:~# nmap -O -sT -sV -p- -T5 192.168.56.105 | ||
+ | Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-26 05:21 EDT | ||
+ | mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers | ||
+ | Stats: 0:00:10 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan | ||
+ | Service scan Timing: About 66.67% done; ETC: 05:21 (0:00:03 remaining) | ||
+ | Nmap scan report for 192.168.56.105 | ||
+ | Host is up (0.00068s latency). | ||
+ | Not shown: 65532 closed ports | ||
+ | PORT STATE SERVICE VERSION | ||
+ | 21/tcp open ftp vsftpd 3.0.2 | ||
+ | 22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0) | ||
+ | 80/tcp open http Apache httpd 2.4.7 ((Ubuntu)) | ||
+ | MAC Address: 08:00:27:FF:CF:9E (Oracle VirtualBox virtual NIC) | ||
+ | Device type: general purpose | ||
+ | Running: Linux 3.X|4.X | ||
+ | OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4 | ||
+ | OS details: Linux 3.2 - 4.8 | ||
+ | Network Distance: 1 hop | ||
+ | Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel | ||
+ | |||
+ | OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . | ||
+ | Nmap done: 1 IP address (1 host up) scanned in 11.92 seconds | ||
</syntaxhighlight> | </syntaxhighlight> | ||
+ | |||
+ | <syntaxhighlight lang="shell-session" highlight="6-8" line> | ||
+ | |||
+ | </syntaxhighlight> | ||
== Recommendations == | == Recommendations == |
Revision as of 23:19, 2 May 2018
Contents
Objective
Remotely attack the VM and find all 4 flags eventually leading you to full root access.
Source: [VulnHub.com]
Status: [Work in progress]
Methodology
Discovery
root@kali:~# nmap -O -sT -sV -p- -T5 192.168.56.105
Starting Nmap 7.60 ( https://nmap.org ) at 2018-03-26 05:21 EDT
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Stats: 0:00:10 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 05:21 (0:00:03 remaining)
Nmap scan report for 192.168.56.105
Host is up (0.00068s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.2
22/tcp open ssh OpenSSH 6.6.1p1 Ubuntu 2ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.7 ((Ubuntu))
MAC Address: 08:00:27:FF:CF:9E (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.8
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.92 seconds
Recommendations
Appendix A: Vulnerability Detail and Mitigation
Rating | High |
Description | xxxxxx |
Impact | xxxxx |
Remediation | xxxxx |
Rating | High |
Description | xxxxxx |
Impact | xxxxx |
Remediation | xxxxx |
Rating | High |
Description | xxxxxx |
Impact | xxxxx |
Remediation | xxxxx |
Rating | High |
Description | Unix file permissions for /etc/shadow are incorrect. |
Impact | Allow any user with a shell to access this file and extract password hashes which can be further passed to a password cracking utility to extract user credentials. |
Remediation | Set unix file permissions for /etc/shadow to "600" and change ownership to root:root |