EVM
- Layout for this exercise:
1 - INTRODUCTION
- The goal of this exercise is to work through a hacking process against the vulnerable machine EVM, from the VulnHub pentesting platform.
- EVM can be downloaded from here:
https://www.vulnhub.com/entry/evm-1,391/
- Once EVM is downloaded and extracted with VirtualBox:
2 - ENUMERATION
- netdiscover helps to find EVM's IP, 192.168.1.31:
- Scanning with Nmap:
- Browsing the web server shows a message about a vulnerable WordPress webapp:
3 - EXPLOITATION
- WPScan discovers plugins and users in WordPress, for instance the user c0rrupt3d_brain:
- WPScan again, now in combination with the wordlist rockyou.txt, discovers the credentials c0rrupt3d_brain:24992499:
- The Metasploit exploit wp_admin_shell_upload helps to trigger a shell, with c0rrupt3d_brain:24992499 set as its parameters:
- Running the exploit opens a Meterpreter session:
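- Seen from the defender's side, the password guessing and the login that follows leave a recognizable pattern in the web server's access log. The script below is an added example, not part of the original walkthrough. It assumes Apache combined-format logs, guessing against the wp-login.php form (where WordPress answers a failed login with 200 and an accepted one with a 302 redirect) and a /wordpress/ path; the log lines, client IPs and the function name find_password_guessing are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (Apache combined format); IPs and times are made up.
SAMPLE_LOG = """\
192.168.1.50 - - [01/Jan/2020:10:00:01 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3120 "-" "-"
192.168.1.50 - - [01/Jan/2020:10:00:01 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3120 "-" "-"
192.168.1.50 - - [01/Jan/2020:10:00:02 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3120 "-" "-"
192.168.1.50 - - [01/Jan/2020:10:00:02 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3120 "-" "-"
192.168.1.50 - - [01/Jan/2020:10:00:03 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 - "-" "-"
192.168.1.20 - - [01/Jan/2020:10:05:00 +0000] "GET /wordpress/wp-login.php HTTP/1.1" 200 2900 "-" "-"
192.168.1.20 - - [01/Jan/2020:10:05:09 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 200 3120 "-" "-"
192.168.1.20 - - [01/Jan/2020:10:05:20 +0000] "POST /wordpress/wp-login.php HTTP/1.1" 302 - "-" "-"
192.168.1.50 - - [01/Jan/2020:10:06:00 +0000] "GET /wordpress/wp-admin/ HTTP/1.1" 200 5100 "-" "-"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def find_password_guessing(log_text, threshold=3):
    """Return {ip: {"failures": n, "success_after_failures": bool}} for every
    client with at least `threshold` failed POSTs to wp-login.php."""
    failures = defaultdict(int)
    flagged = set()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m.groups()
        if method != "POST" or not path.split("?")[0].endswith("/wp-login.php"):
            continue
        if status == "200":        # login form re-rendered: the password was rejected
            failures[ip] += 1
        elif status == "302" and failures[ip] >= threshold:
            flagged.add(ip)        # redirect after a run of failures: a guess worked
    return {ip: {"failures": n, "success_after_failures": ip in flagged}
            for ip, n in failures.items() if n >= threshold}

if __name__ == "__main__":
    print(find_password_guessing(SAMPLE_LOG))
```

A client reported with success_after_failures set to True is the case to act on first: that account's password should be treated as known to the attacker.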
4 - PRIVILEGE ESCALATION
- Looking through folders and files, we find root3r:
- Inside root3r there is a text file, .root_password_ssh.txt, where we can find the password willy26:
- However, it is not valid for logging in over SSH as root:
- Trying another way: to switch to root from the Meterpreter session, we need a shell:
- Improving the shell:
- Now a root shell is achieved:
5 - CAPTURING THE FLAG
- Finally, reading proof.txt: