LazySySAdmin-1 vulnhub walkthrough
In this challenge we will root the box below, escalate privileges, and capture the flag.
Download the LazySysAdmin-1 virtual machine image (VirtualBox).
STEP-1: Information Gathering:
In the interface listing shown above, our host IP address is “inet 192.168.0.152”.
The second step is to find the gateway IP address of our host machine so that we can run an ARP scan of its network. The command to find the gateway IP address is “route -n”.
The output of that command shows that our gateway is 192.168.0.1.
We now run an ARP scan to find the IP address of the target virtual machine. The command is “sudo arp-scan 192.168.0.1/24”.
/24 is the CIDR prefix length of a class C-sized network (256 addresses).
With that, the first step, information gathering, is done: we have found the Lazysysadmin-1 machine's IP address, 192.168.0.134.
STEP-2: Network Scanning:
In this step we scan the IP address found above, 192.168.0.134, to find out which services are running on the vulnerable machine.
The command is “sudo nmap -sV 192.168.0.134”.
In the scan output we see six open ports. Two important findings: Samba SMB (Server Message Block) is listening on ports 139 and 445, and port 80 (HTTP) is open, which means a website is running there. Port 22 (SSH) is also open, but it requires a password.
We open the site in Chrome / Firefox by typing http://192.168.0.134, and its landing page is displayed.
We found no vulnerabilities to exploit on the web page, so we proceed with our SMB finding.
STEP-3: ENUMERATION
We enumerate the SMB shares with the command “smbmap -H 192.168.0.134”.
To access the SMB share, the command is “smbclient //192.168.0.134/share$/”.
This command prompts for “WORKGROUP\user's password”; press Enter (blank password) and you are at the smb: \> prompt.
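From the defender's side, a share that opens with a blank password is almost always a Samba configuration issue rather than a clever exploit. The following is an added example, not code from the original post and not the VM's real smb.conf: it parses a constructed smb.conf (the share name share$ and the path are assumptions) and flags every share that is reachable as guest, noting whether it is writable and whether it exposes a web root.

```python
"""Audit smb.conf for shares that can be opened without credentials.

Added example for this walkthrough (not the original post's code and not the
VM's real configuration). SAMPLE_SMB_CONF is constructed so that a share named
share$ behaves like the one opened above with a blank password.
"""
import configparser

# Constructed sample configuration (hypothetical values).
SAMPLE_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   security = user
   map to guest = Bad User

[share$]
   path = /var/www/html
   guest ok = yes
   read only = no
   browseable = no

[homes]
   comment = Home Directories
   browseable = no
   read only = yes
"""


def parse_smb_conf(text):
    """Parse smb.conf text. Samba keys may contain spaces ("guest ok") and are
    case-insensitive; configparser handles both. Interpolation is disabled
    because Samba values legitimately contain '%' macros such as %U."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def guest_accessible_shares(cp):
    """Return [(share_name, reasons)] for shares reachable with no password.

    A share is flagged when 'guest ok' (or its synonym 'public') is yes.
    'map to guest' is reported because any value other than Never turns
    failed logins into guest sessions, widening who can reach such a share.
    """
    findings = []
    map_to_guest = "Never"
    if cp.has_section("global"):
        map_to_guest = cp["global"].get("map to guest", "Never").strip()

    for name in cp.sections():
        if name.lower() == "global":
            continue
        share = cp[name]
        guest = (share.getboolean("guest ok", fallback=False)
                 or share.getboolean("public", fallback=False))
        if not guest:
            continue
        reasons = ["guest ok = yes"]
        if map_to_guest.lower() != "never":
            reasons.append(f"map to guest = {map_to_guest}")
        # Samba's default for 'read only' is yes, so missing means not writable.
        if not share.getboolean("read only", fallback=True):
            reasons.append("writable by guests")
        if share.get("path", "").startswith("/var/www"):
            reasons.append("exposes the web root")
        findings.append((name, reasons))
    return findings


if __name__ == "__main__":
    for share, reasons in guest_accessible_shares(parse_smb_conf(SAMPLE_SMB_CONF)):
        print(f"[{share}] {'; '.join(reasons)}")
```

The fix on the server side is the mirror image of the findings: set “guest ok = no” (and “read only = yes” unless writes are really needed) on the share, keep “map to guest = Never” unless guest access is a deliberate design, and never point a share at the web root, since anything readable there (wp-config.php, backup text files) hands an attacker the rest of the chain.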
Listing the share's contents, we see a directory “WordPress” and a few other files and directories. Download all the important “.txt” files and visit http://192.168.0.134/wordpress, as we now know the website is built on the WordPress platform.
Opening that URL in Chrome / Firefox shows the WordPress site. The owner is obsessed with his name, so we will assume our username is “Username = togie”.
In step 2 (network scanning) we came across port 22, which is SSH. We now try to log in with the command “ssh togie@192.168.0.134”, but we cannot log in because it is password protected.
STEP-4: Password cracking:
In this step we crack the SSH password with the hydra tool, using the username we assumed and the rockyou.txt wordlist. The command is “hydra -l togie -P /usr/share/wordlists/rockyou.txt ssh://192.168.0.134”.
Hydra reports the password:
[22][ssh] host: 192.168.0.134 login: togie password: 12345
We will now attempt to log in!
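A hydra run like the one above is loud: every guess lands in the target's sshd log as a “Failed password” line from one source within seconds, and a guessed password is followed by an “Accepted password” from the same source. The following added example (not from the original post) shows the detection logic a defender would run over those lines. The log lines are constructed to mimic Ubuntu-style /var/log/auth.log output; the hostname, PIDs and the 192.168.0.20 source are assumptions.

```python
"""Detect SSH password-guessing bursts in sshd log lines.

Added example for this walkthrough, not from the original post. The log lines
below are constructed; auth.log omits the year, so one is assumed when parsing.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: a five-guess burst from .152 ending in a success,
# then a single unrelated failure and a key-based login from another host.
SAMPLE_AUTH_LOG = """\
Oct 10 12:00:01 lazysysadmin sshd[1201]: Failed password for togie from 192.168.0.152 port 40110 ssh2
Oct 10 12:00:01 lazysysadmin sshd[1203]: Failed password for togie from 192.168.0.152 port 40112 ssh2
Oct 10 12:00:02 lazysysadmin sshd[1205]: Failed password for invalid user admin from 192.168.0.152 port 40114 ssh2
Oct 10 12:00:02 lazysysadmin sshd[1207]: Failed password for togie from 192.168.0.152 port 40116 ssh2
Oct 10 12:00:03 lazysysadmin sshd[1209]: Failed password for togie from 192.168.0.152 port 40118 ssh2
Oct 10 12:00:03 lazysysadmin sshd[1211]: Accepted password for togie from 192.168.0.152 port 40120 ssh2
Oct 10 12:05:00 lazysysadmin sshd[1300]: Failed password for togie from 192.168.0.20 port 51000 ssh2
Oct 10 12:30:00 lazysysadmin sshd[1400]: Accepted publickey for deploy from 192.168.0.20 port 51010 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+ ssh2$"
)


def parse_events(text, year=2024):
    """Turn sshd log lines into dicts; lines that are not auth results are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "src": m["src"]})
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Alert on sources with >= threshold failures inside a sliding time window.

    Each alert also records whether the same source later logged in
    successfully, which upgrades 'someone is guessing' to 'a password was
    guessed' and should trigger a credential reset, not just a block.
    """
    failures = defaultdict(list)
    for e in events:
        if e["result"] == "Failed":
            failures[e["src"]].append(e["ts"])

    alerts = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans <= window_seconds.
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                alerts[src] = {"failures_in_window": end - start + 1,
                               "window_end": times[end]}
                break

    for src, info in alerts.items():
        info["success_after"] = any(
            e["src"] == src and e["result"] == "Accepted"
            and e["ts"] >= info["window_end"]
            for e in events
        )
    return alerts


if __name__ == "__main__":
    for src, info in detect_bruteforce(parse_events(SAMPLE_AUTH_LOG)).items():
        print(f"{src}: {info['failures_in_window']} failures, "
              f"success after burst: {info['success_after']}")
```

The same logic is what fail2ban's sshd jail implements with its maxretry and findtime settings; the counter-measures that make the walkthrough's step fail outright are disabling PasswordAuthentication in sshd_config in favour of keys, and not letting a user's own name (or “12345”) be a valid password in the first place.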
Type “ls” to list the directories; nothing is listed.
Type “cd ..” to return to the previous directory, but this gives an error: “-rbash: cd: restricted” (the account runs a restricted shell).
Type “sudo -l” to see what sudo privileges we have. This prompts for a password; type “12345”.
As the output shows, we have permission for ALL, which means we can become the superuser with our own password.
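The “ALL” in that sudo -l output is the whole privilege-escalation story: a restricted shell is meaningless when the same account may run any command as root. As an added example (not from the original post), here is a small sudoers audit that parses constructed rules, including one shaped like togie's, and grades them; the usernames other than togie, the paths and the group names are assumptions.

```python
"""Flag over-broad sudoers rules such as an "ALL=(ALL:ALL) ALL" grant.

Added example for this walkthrough, not from the original post. The sudoers
text is constructed; only the togie rule mirrors what sudo -l showed above.
"""
import re

# Constructed sample, not the VM's real /etc/sudoers.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed example)
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
togie   ALL=(ALL:ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
www-data ALL=(root) NOPASSWD: /usr/sbin/service apache2 restart
"""

# user_or_%group  hosts = (runas[:rungroup]) [TAG:]... command[, command]
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:\w+:\s*)*)"
    r"(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Parse user-specification lines; comments, blanks and Defaults are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        rules.append({
            "who": m["who"],
            "hosts": m["hosts"],
            "runas": (m["runas"] or "").strip(),
            "nopasswd": "NOPASSWD" in (m["tags"] or "").upper(),
            "cmds": [c.strip() for c in m["cmds"].split(",")],
        })
    return rules


def risky_rules(rules, ignore=("root",)):
    """Return [(who, severity, reasons)].

    'critical' = any command as root, the position togie is in above;
    'review'   = a NOPASSWD grant that deserves a look at the allowed commands.
    """
    findings = []
    for r in rules:
        if r["who"] in ignore:
            continue
        runas_targets = re.split(r"[:,\s]+", r["runas"]) if r["runas"] else []
        # An empty runas list means the default target, which is root.
        as_root = not runas_targets or "ALL" in runas_targets or "root" in runas_targets
        any_cmd = "ALL" in r["cmds"]
        reasons = []
        if any_cmd:
            reasons.append("any command")
        if as_root:
            reasons.append("as root")
        if r["nopasswd"]:
            reasons.append("no password prompt")
        if any_cmd and as_root:
            severity = "critical"
        elif r["nopasswd"]:
            severity = "review"
        else:
            continue
        findings.append((r["who"], severity, reasons))
    return findings


if __name__ == "__main__":
    for who, severity, reasons in risky_rules(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{severity:8} {who:10} {', '.join(reasons)}")
```

On a real host run this against the output of “visudo -c” or the files under /etc/sudoers.d as well; a grant like togie's belongs to nobody who is not an administrator, and even administrators should get a named command list rather than ALL.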
Type the command “sudo su” with the password “12345” to switch to the root user.
Now that we are root, type “ls”; no directories are listed in the current location, so type “cd ..” twice to reach the top of the filesystem, then “cd root/” to enter root's home directory.
Type “ls” to list the files there, and we see a file named “proof.txt”.
Display it with “cat proof.txt” and bingo, we have the flag!
Happy Hacking !!