AdSense

Tuesday, January 25, 2022

EVM

EVM

- Layout for this exercise:



1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine EVM, from the VulnHub pentesting platform.

-  EVM can be downloaded from here:

https://www.vulnhub.com/entry/evm-1,391/

- Once downloaded EVM and extracted with VirtualBox:






2 - ENUMERATION

- netdiscover helps to find EVM's IP 192.168.1.31:






- Scanning with Nmap:













- Browsing the web server there is a message about a wordpress vulnerable webapp:





















3 - EXPLOITATION

- WPScan discovers plugins and users at Wordpress, for instance user c0rrupt3d_brain:





- Again WPSCan, now in combination with wordlist rockyou.txt, discovers credentials c0rrupt3d_brain:24992499
















- Metasploit exploit wp_admin_shell_upload helps to trigger a shell, by setting c0rrupt3d_brain:24992499 as parameters:









- Running the exploit a Meterpreter session is opened:












4 - PRIVILEGE ESCALATION

- Looking for folders and files we find root3r:








- Inside root3r there is a text file .root_password_ssh.txt where we can find the password willy26:
















- However it is not valid to SSH as a root:



- Trying another way, to switch as a root from the Meterpreter session we need a shell:









- Improving the shell:






- Now a root shell is achieved:



5 - CAPTURING THE FLAG

- Finally, reading proof.txt: