Have you ever wanted to test your penetration testing skills in a safe environment? Look no further than Vulnhub’s Basic Pentesting 1 machine! This virtual machine is designed specifically for beginners like me, offering a controlled space to learn the ropes of exploiting vulnerabilities and gaining access.
In this guide, I’ll walk you through the thrilling journey of taking down Basic Pentesting 1, step-by-step. So, grab your tools and get ready to unleash your inner hacker (for good, of course)!
Finding the Target: Local and Target IP Addresses
Before I launch my attack, I need to pinpoint the target machine’s location on the network. This is akin to finding a pirate ship on the high seas (except way less swashbuckling).
Step 1: Find Your Local IP Address
First things first, I’ll identify my local IP address. This serves as my starting point for finding the target’s IP. I can usually find this in my network settings.
kali@kali:~$ ifconfig
Local IP Address: 192.168.100.9
Step 2: Scan for Active Devices
Next, I’ll use a tool called netdiscover to scan for active devices on the network. Think of it as a hi-tech radar that helps me spot my target ship.
kali@kali:~$ sudo netdiscover -i eth0 -r 192.168.100.0/24
Target IP Address: 192.168.100.8
Now I have the target’s IP address! High fives all around!
Scanning for Open Ports
With my target in sight, it’s time to gather some intel. I’ll use a powerful tool called nmap to scan the target machine and identify any open ports. These ports act like doorways into the system, and I’ll be looking for any that might be vulnerable.
kali@kali:~$ nmap -p- -A 192.168.100.8
The scan might reveal something like this:
| Port | Service | Version |
|---|---|---|
| 21 | FTP | ProFTPD 1.3.3c |
| 22 | SSH | OpenSSH 7.2p2 Ubuntu |
| 80 | HTTP | Apache httpd 2.4.18 |
This information is like a treasure map, guiding me towards potential weaknesses!
Exploring the Web Server (Port 80)
My scan revealed an open port 80, which usually indicates a web server. Let’s set my sights on this port and see what I can find.
Step 1: Visit the Target IP
I visit the target’s IP address in my browser, but the website doesn’t reveal much.
Step 2: Check for Hidden Files
I check the page source and robots.txt file (a file that tells search engines which parts of the website to crawl) for any hidden clues, but come up empty-handed.
Hold on, don’t despair! This is just the beginning.
Discovering Hidden Directories with dirb
Since the website itself isn’t giving anything away, I’ll use a tool called dirb. Think of it as a metal detector that helps me unearth hidden directories and files on the website.
dirb scans the website and reveals some intriguing URLs that warrant further investigation.
Step 1: Run dirb
kali@kali:~$ dirb http://192.168.100.8 /usr/share/wordlists/dirb/common.txt -o dirb.txt
Step 2: Find Interesting URLs
One of the URLs dirb found leads me to a path called “secret.” Sounds promising, right? I navigate to this path, but the page seems broken and the links don’t work.
Upon closer inspection, I notice that the links use a domain name ("vtcsec") instead of the IP address. This is a small hurdle, but I can fix it!
Fixing Domain Issues with the Hosts File
To make those links work properly, I need to create a little map. I’ll edit a file called “hosts” on my machine, which tells my computer how to translate domain names into IP addresses.
Step 1: Edit the Hosts File
kali@kali:~$ sudo nano /etc/hosts
Step 2: Add a line for the domain name
In this file, I’ll add a new line that associates the domain name “vtcsec” with the target machine’s IP address.
Now, when I try those links again, they should work like a charm!
Cracking the WordPress Login Panel
After fixing the domain issue, the “secret” page finally displays properly. But here’s the twist: it leads me to a familiar sight – a WordPress login panel!
This is a golden opportunity! WordPress can sometimes be vulnerable, and I can use a tool called WPScan to exploit those vulnerabilities.
Step 1: Use WPScan
With WPScan in hand, I’ll conduct user enumeration to uncover potential usernames on the WordPress login panel. This step is crucial as it helps me identify accounts I can potentially exploit.
I’ll fire up WPScan with the following command:
kali@kali:~$ wpscan --url http://vtcsec/secret/ --enumerate u
This command instructs WPScan to enumerate usernames on the specified URL. I’ll keep my eyes peeled for any usernames that might come up! Using WPScan, I might be able to find a username like “admin”.
Step 2: Crack Passwords
Now that I have some potential usernames, it’s time to crack some passwords! I’ll use WPScan again, this time with a wordlist to brute-force my way into the system.
Here’s the command I’ll use:
kali@kali:~$ wpscan --url http://vtcsec/secret/ --usernames admin --passwords /path/to/wordlist.txt --force
I’ll replace “/path/to/wordlist.txt” with the path to my chosen wordlist. WPScan will then attempt to crack the password for the “admin” user.
Success! I’ve managed to breach the WordPress login panel using the credentials I uncovered. Now, I’m inside the system, ready to explore and exploit further.
But wait, there’s more!
Gaining Access: Upload a PHP Shell
Now that I have access to the WordPress panel, it’s time to take things up a notch. I’ll inject a malicious PHP script to establish a reverse shell connection from the target machine to my attacker machine.
Step 1: Prepare the PHP Shell
I’ll use a popular PHP reverse shell script, such as the one found at GitHub.
Step 2: Inject the Script
I’ll head over to the Appearance section in the WordPress panel and select the Editor. From there, I’ll navigate to the Theme Header (header.php) file.
I’ll delete any existing code in the file and replace it with the malicious PHP script code I obtained earlier. Don’t forget to update the IP address to your attacker machine’s IP and choose a port that isn’t in use.
Save the changes, and now the trap is set!
Step 3: Set Up Netcat Listener
With the malicious PHP script in place, all that’s left to do is wait. I’ll fire up netcat on my attacker machine to listen for incoming connections:
kali@kali:~$ nc -lvnp <chosen_port>
Step 4: Trigger the PHP Shell
Now, I’ll simply revisit the target URL where I injected the script, and voila! I’ll receive a connection on my netcat listener, confirming that I’ve successfully established a reverse shell connection.
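As an added defender's-side example (not part of the original walkthrough), here is a small Python check that flags the three footprints the steps above leave in the Apache access log: dirb's burst of 404s, repeated POSTs to wp-login.php from WPScan's password attack, and a POST to the theme editor. The log lines are constructed sample data, and the thresholds are assumptions to tune for your own site.

```python
import re
from collections import defaultdict

# Apache "combined" log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def _line(ip, method, path, status):
    # One constructed access-log line (sample data, not a real capture).
    return (f'{ip} - - [10/May/2024:10:00:00 +0000] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')

# Constructed sample modelled on the traffic the walkthrough produces:
# dirb's wordlist misses, repeated wp-login.php POSTs, then a theme-editor save.
SAMPLE_LOG = "\n".join(
    [_line("192.168.100.9", "GET", f"/{w}/", 404)
     for w in ["admin", "backup", "cgi-bin", "config", "data"] * 5]
    + [_line("192.168.100.9", "GET", "/secret/", 200)]
    + [_line("192.168.100.9", "POST", "/secret/wp-login.php", 200)] * 12
    + [_line("192.168.100.9", "POST", "/secret/wp-admin/theme-editor.php", 302)]
    + [_line("192.168.100.20", "GET", "/secret/", 200)]
)

def analyse(log_text, notfound_threshold=20, login_threshold=10):
    # Per-client counters for the three behaviours described in the walkthrough.
    per_ip = defaultdict(lambda: {"misses": 0, "logins": 0, "edits": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        stats, post = per_ip[m["ip"]], m["method"] == "POST"
        stats["misses"] += m["status"] == "404"  # dirb wordlist misses
        stats["logins"] += post and m["path"].endswith("/wp-login.php")  # password guessing
        stats["edits"] += post and "theme-editor.php" in m["path"]  # theme file rewritten
    alerts = {}
    for ip, s in per_ip.items():
        found = [name for name, hit in (
            ("directory brute force", s["misses"] >= notfound_threshold),
            ("wp-login brute force", s["logins"] >= login_threshold),
            ("theme file edited via wp-admin", s["edits"] > 0)) if hit]
        if found:
            alerts[ip] = found
    return alerts

if __name__ == "__main__":
    for ip, found in analyse(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(found))
```

Adding `define('DISALLOW_FILE_EDIT', true);` to wp-config.php removes the Appearance > Editor that Step 2 relies on, which closes the header.php route entirely.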
And there you have it – from reconnaissance to exploitation, I’ve conquered Vulnhub’s Basic Pentesting 1 like a true penetration testing pro!
What’s Next?
As I continue my cybersecurity journey, I’ll keep learning, exploring, and expanding my skillset. There’s always more to discover in this ever-evolving field. Whether I’m a beginner or an experienced professional, there’s always room to grow and improve.
So, I’ll take what I’ve learned here and apply it wisely. I’ll use my newfound knowledge to protect systems, strengthen defenses, and make the digital world a safer place for all.
Happy hacking, and may my exploits always be in the service of good!
Until next time, stay curious, stay vigilant, and keep hacking responsibly.