My Web Server: 1 Walkthrough

My Web Server: 1 Walkthrough Vulnhub | My Web Server: 1 Vulnhub Writeup

In this article we solve another Vulnhub CTF, My Web Server: 1, created by Akanksha Sachin Verma. You can download the VM here.

Description

This boot to root VM is designed for testing your pen-testing skills and concepts. It consists of some well-known things but it encourages you to use the functionalities rather than vulnerabilities of the target.

Network Scanning

First we scan our local network using a netdiscover ARP scan.


Let’s proceed further with Nmap to scan our target IP to find open ports and running services.


The Nmap output shows that our target has many open ports running different services. We saw that FTP anonymous login is enabled and that port 445 is also available for SMB.

Enumeration

We also explore the target IP in the web browser and see a simple Apache HTTP page.

SMB Enumeration

We move on to the next step and enumerate the Samba server using smbmap, where we see that the disk smbdata has read-write permission.


We successfully log in as the anonymous user, and since we have already seen the disk permissions, I upload my local machine's id_rsa.pub key as authorized_key to the target smbdata disk.

As we already saw in the Nmap output, port 2121 on our target is open and running the proftpd 1.3.5 service. I found the mod_copy exploit.

So I connect to port 2121 using netcat and move the authorized_key from smbdata to the /home/smbuser/.ssh directory.


Then I log in as smbuser without any password.

After enumerating the system I found the system shadow file, which contains all the user password hashes.

I copy all the user hashes and save them to a text file on our local machine, and using the john hash cracking tool I found the password for user bla.

Change user smbuser to bla:
  • username: bla
  • password: itiseasy

Now that we have the password for user bla, I run the simple switch user command.

I run the sudo -l command and we see that our current user can run the commands setcap and capsh with sudo permission.

setcap Privilege Escalation

Using the setcap command I set the SUID or sudo permission on perl and exploit the perl program to escalate to root privilege.

And we found our final flag, proof.txt, in the target root directory.
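
setcap writes file capabilities, which a search for SUID binaries does not show, so a host where setcap was reachable through sudo needs a separate capability audit. The script below is an added example, not part of the original walkthrough: it flags risky capabilities in `getcap -r` output, and its sample lines, function names and RISKY_CAPS list are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit file capabilities from `getcap -r` output.
# RISKY_CAPS is this example's own short list, not a complete one.
RISKY_CAPS='cap_setuid cap_setgid cap_setfcap cap_dac_override cap_dac_read_search cap_sys_admin'

# Constructed sample covering both getcap output styles:
#   older libcap: "/path = caps+flags"    newer libcap: "/path caps=flags"
sample_getcap_output() {
    cat <<'EOF'
/usr/bin/ping = cap_net_raw+ep
/usr/bin/perl = cap_setuid+ep
/usr/bin/python3.8 cap_setuid,cap_net_bind_service=eip
/opt/my tools/helper cap_setgid=i
/usr/local/bin/backup =ep
EOF
}

# audit_caps: read getcap lines on stdin, print "path<TAB>capability" for each
# risky capability in the permitted or effective set. Assumes one clause per file.
audit_caps() {
    awk -v risky="$RISKY_CAPS" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1 }
    NF >= 2 {
        spec = $NF                                  # capability clause is the last field
        path = $0
        sub(/[ \t]+(=[ \t]+)?[^ \t]+$/, "", path)   # drop " = clause" or " clause"
        if (!match(spec, /[+=]/)) next              # not a capability clause
        names = substr(spec, 1, RSTART - 1)
        flags = substr(spec, RSTART + 1)
        if (flags !~ /[ep]/) next                   # inheritable-only: needs a matching process set
        if (names == "" || names == "all") {        # "=ep" grants every capability
            printf "%s\tALL\n", path
            next
        }
        m = split(names, c, ",")
        for (i = 1; i <= m; i++)
            if (c[i] in bad) printf "%s\t%s\n", path, c[i]
    }'
}

# Run against the constructed sample; on a real host pipe `getcap -r /` in instead.
sample_getcap_output | audit_caps
```

On a real host, run `getcap -r / 2>/dev/null | audit_caps` and check every hit against what that binary actually needs; interpreters such as perl should normally carry no capabilities at all.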
