five86: 1 Walkthrough Vulnhub CTF

Today we are solving five86: 1, created by DCAUC. This VM is a purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing.

Download here five86: 1

Network Scanning

Our first step is to identify the target IP address; we start with netdiscover.

Next we run an Nmap aggressive scan of all ports and services. We see that the target machine is running SSH on port 22, HTTP on port 80, and the Webmin httpd service on port 10000.

Enumeration

To enumerate the HTTP service on port 80, we open the IP address in the web browser.

We see the /ona directory, so it looks like the OpenNetAdmin service is running. I go to the about page, and we see the OpenNetAdmin version.

We go to exploit-db and search for OpenNetAdmin v18.1.1, and I found a command injection exploit. Now I download the exploit to our local system.

To add the exploit to msfconsole, we copy it from our Download directory to the Metasploit directory.

Our session 1 is open and we got a reverse connection from the target machine.

The shell it gave was not a proper one, so to fix that we run the Python one-liner. As this machine had Python3 installed, we need to use the Python3 variant of the one-liner to get a proper shell.

We run ls -lsa to check all hidden files and directories, and I open the .htpasswd file.

Privilege Escalation

We create a wordlist with crunch, with a length of 10 and using the characters of the target password.

We try to crack the hash file with john using our custom wordlist.

Our hashes are cracked. Now we change our shell from www-data to user douglas and successfully log in with the douglas account.

We run sudo -l to check for commands that can be run with sudo. It looks like dpkg can be run with sudo.

We generate an SSH key for our second user.

I copy this key to the target machine's /tmp directory and rename it authorized_keys.

After creating the key, we change the permissions on this file and copy it to our second user jen's /home/jen/.ssh directory.

We try connecting over SSH without any password and successfully log in as the jen user.

After enumerating many directories, I found a mail message.

We switch from user jen to moss with the password found in the mail message.
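
From the defender's side, the sudo -l finding in the Privilege Escalation steps is the kind of rule a sudoers review should catch before an attacker does. The following is an added example, not part of the original walkthrough: a small Python audit that flags sudoers rules granting any command or a binary from an illustrative list. Only dpkg comes from this page; the other binary names, the sample lines and the audit function are assumptions of the example.

```python
import os
import re

# Illustrative list, an assumption of this example and not exhaustive: binaries
# that can write files or start a shell with the privileges of the runas user.
RISKY = {"dpkg", "cp", "tar", "find", "vim"}

# Shape of a user specification: who host = (runas) [TAG:] cmd[, cmd ...]
RULE = re.compile(r"^(\S+)\s+[^\s=]+\s*=\s*(?:\(([^)]*)\)\s*)?(.+)$")
TAGS = re.compile(r"^(?:[A-Z_]+:\s*)+")

SAMPLE = """\
# Constructed sudoers lines for this example; not taken from the target VM.
Defaults env_reset
%sudo   ALL=(ALL:ALL) ALL
appuser ALL=(root) NOPASSWD: /usr/bin/dpkg
backup  ALL=(root) /usr/bin/uptime, /usr/bin/tar
web     ALL=(deploy) /usr/bin/systemctl status nginx
"""

def audit(sudoers_text):
    """Return (who, runas, command, reason) for every rule worth a review."""
    findings = []
    for line in map(str.strip, sudoers_text.splitlines()):
        # Skip blanks, comments, Defaults and alias definitions.
        if not line or line.startswith(("#", "Defaults")) or "_Alias" in line:
            continue
        m = RULE.match(line)
        if not m:
            continue
        who, runas = m.group(1), (m.group(2) or "root").split(":")[0].strip()
        nopasswd = False
        for cmd in m.group(3).split(","):
            cmd = cmd.strip()
            tag = TAGS.match(cmd)
            if tag:  # a tag applies to the rest of the command list
                nopasswd = "NOPASSWD:" in tag.group() or (nopasswd and "PASSWD:" not in tag.group())
                cmd = cmd[tag.end():]
            if cmd == "ALL":
                reason = "any command"
            elif cmd and os.path.basename(cmd.split()[0]) in RISKY:
                reason = "file write or shell"
            else:
                continue
            findings.append((who, runas, cmd, reason + (", no password" if nopasswd else "")))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Each flagged rule is a prompt for review, not a verdict: the fix is usually to remove the rule or replace it with a narrowly scoped wrapper that takes no user-controlled arguments.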
