VulnHub: Pwned 1 Walkthrough
VulnHub offers offline virtual machines, allowing users to practice without competing with other learners. There’s no need to worry about consistent internet access, high pings, or latency. Users can set up their own private labs to practice and learn new skills.
This Vulnerability Assessment & Penetration Testing (VAPT) exercise was performed during my winter vacation. The detailed report and my findings are described below.
Network security is not only concerned with the security of the computers at each end of the communication chain; it aims to ensure that the entire network is secure.
Network security entails protecting the usability, reliability, integrity, and safety of the network and its data. Effective network security prevents a variety of threats from entering or spreading on a network.
The primary goals of network security are Confidentiality, Integrity, and Availability. These three pillars of network security are often represented as the CIA triangle.
My Lab Setup
I am running a Windows host with VirtualBox installed. For this exercise I have two virtual machines: the first is a Kali Linux VM, the second is the Pwned 1 VM. Both VMs are in bridged mode.
This VM has three flags hidden in different locations. The goal is to find all three; each flag is progressively harder to find.
Searching for the First Flag
sudo arp-scan -l: to find the IP address of the Pwned VM.
Arp-scan is a low-level network discovery tool used to associate physical (MAC) addresses to logical (IP) addresses. It’s used to identify network assets which may not normally be captured by network scanning devices.
Once the Pwned IP address is known, I scan the target machine for open ports:
sudo nmap -sV -A -sS -T4 192.168.0.104
This shows which ports are open, together with the service versions and full details.
Here I found ports 21, 22 and 80 open, so I opened the web port in a browser; the interface looked like this:
When I viewed the page source, I found this hidden message:
I used Gobuster with a medium directory wordlist.
Gobuster is a tool used to brute-force URIs including directories and files as well as DNS subdomains.
I got the following results. I tried robots.txt in the browser, but there was nothing helpful in it, so I tried /hidden_text instead.
There I found a file named secret.dic, with the following contents:
I tried each directory from that list and finally found a login page, with a message, at /pwned.vuln.
I viewed the source of this login page and found this:
I then logged in to FTP as ftpuser with the password B0ss_B!TcH, and the login succeeded.
Running ls showed a share directory; I changed into it and ran ls again, which listed two files: id_rsa and note.txt.
I downloaded both files with the FTP get command, which copies a single file.
After downloading them, I viewed each with cat and got the following result:
From note.txt we learn that there is a user named ariana, and the id_rsa we have is her SSH private key. I set the key's permissions with sudo chmod 400 id_rsa (SSH refuses to use a private key that other users can read) and then log in over SSH (port 22) with it.
After logging in over SSH as ariana, I ran ls and found two files; user1.txt holds flag 1, finally captured.
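Flag 1 was reachable only because an unencrypted SSH private key was sitting in an FTP share that any logged-in user could read. As an added example (it is not part of the original write-up), the following POSIX shell functions audit a directory for files that start with a PEM private-key header and are readable by group or others; the helper names are hypothetical and the sample share they build is constructed to mirror the share/id_rsa layout seen on the target.

```shell
#!/bin/sh
# Added example, not from the original write-up: audit an FTP share (or any
# directory) for private keys that users other than the owner can read.
# Function names are hypothetical; the sample share is constructed.

# Print every regular file under $1 that (a) has the group or other read bit
# set and (b) begins with a PEM private-key header. Owner-only keys (600/400)
# are never reported.
find_exposed_keys() {
    find "$1" -type f \( -perm -g=r -o -perm -o=r \) 2>/dev/null |
    while IFS= read -r f; do
        if head -n 1 "$f" 2>/dev/null | grep -q -- '-----BEGIN .*PRIVATE KEY-----'; then
            printf '%s\n' "$f"
        fi
    done
}

# Number of exposed keys under $1, for use in scripts (0 means clean).
count_exposed_keys() {
    find_exposed_keys "$1" | wc -l | tr -d ' '
}

# Build a constructed share that mimics the target: a world-readable id_rsa
# next to note.txt, plus a copy of the key locked down to the owner.
build_demo_share() {
    d=$(mktemp -d)
    mkdir "$d/share"
    printf -- '-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed placeholder, not a real key)\n-----END OPENSSH PRIVATE KEY-----\n' > "$d/share/id_rsa"
    chmod 644 "$d/share/id_rsa"            # readable by everyone: a finding
    printf 'constructed note\n' > "$d/share/note.txt"
    cp "$d/share/id_rsa" "$d/share/backup_key"
    chmod 600 "$d/share/backup_key"        # owner-only: not reported
    printf '%s\n' "$d"
}

# Stand-alone run: build the sample share and audit it.
demo_dir=$(build_demo_share)
find_exposed_keys "$demo_dir"
```

Pointing find_exposed_keys at the FTP root of a real server is the quick check; a non-zero count from count_exposed_keys is the condition a scheduled job would alert on.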
Searching for the Second Flag
After logging in as ariana, there are two files: user1.txt and ariana-personal.diary.
I viewed ariana-personal.diary with cat and found this:
Next I checked which commands this user may run through sudo, with sudo -l, and got the following result:
The output of sudo -l shows that the ariana user can run the messenger.sh script as the selena user.
I ran sudo -u selena /home/messenger.sh and got the following result:
After that I upgraded to an interactive terminal with python3 -c. Once in it, I found that we are now the selena user but still in the /home/ariana directory, so I changed to selena's home directory and, TADAAA, found the second flag in the user2.txt file.
Searching for Flag 3
During enumeration, we identified that Docker is in use on the target machine: the output of the id command shows that the selena user belongs to the docker group.
So I listed the Docker images available and ran the command that lets us escalate privileges to a shell as root, with the following result:
Finally, we have root access on the target machine with the following command: docker run -v /:/mnt --rm -it privesc chroot /mnt sh. Because any member of the docker group can start a container with the host's root filesystem mounted and chroot into it, membership of that group is effectively root on the host.
Now I upgrade to an interactive terminal with the help of python3 -c and read the final flag.
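Flags 2 and 3 both came from host configuration rather than software bugs: a sudo rule letting ariana run a script as selena, and selena's membership of the docker group. As an added example, not from the original write-up, the following POSIX shell functions parse saved copies of /etc/group and sudo -l output and report that escalation surface for a given user, so the check can run offline or over files collected from many hosts. The function names are hypothetical and the two sample files are constructed; the second sudo rule in the sample is a made-up ops rule included only to show that NOPASSWD-tagged entries parse the same way.

```shell
#!/bin/sh
# Added example, not from the original write-up: audit the two escalation
# paths used for flags 2 and 3 (a sudo run-as rule and docker group
# membership) from saved /etc/group and `sudo -l` output.
# Function names are hypothetical; the sample files are constructed.

# Members of group $1, one per line, read from the /etc/group-format file $2.
group_members() {
    awk -F: -v g="$1" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] != "") print m[i] }' "$2"
}

# Run-as rules from saved `sudo -l` output in $1, printed as "<runas> <command>".
# Tags such as NOPASSWD: are dropped so both rule styles parse the same way.
sudo_runas_rules() {
    grep '^[[:space:]]*(' "$1" |
    sed -e 's/^[[:space:]]*(\([^)]*\))[[:space:]]*/\1 /' \
        -e 's/[[:space:]]*[A-Z]*PASSWD:[[:space:]]*/ /'
}

# Findings for user $1 given group file $2 and that user's `sudo -l` file $3.
# docker group membership is root-equivalent (a member can mount / into a
# container and chroot into it, as the write-up's docker run command shows);
# each run-as rule is listed so the target command can be reviewed.
audit_user() {
    u="$1"
    if group_members docker "$2" | grep -qx "$u"; then
        printf 'HIGH %s is in the docker group (root-equivalent)\n' "$u"
    fi
    sudo_runas_rules "$3" | while read -r runas cmd; do
        printf 'REVIEW %s may run %s as %s\n' "$u" "$cmd" "$runas"
    done
}

# Write constructed sample inputs into a temp dir and print its path.
write_samples() {
    d=$(mktemp -d)
    # /etc/group-style content; GIDs are made up
    cat > "$d/group" <<'EOF'
root:x:0:
sudo:x:27:
docker:x:999:selena
ariana:x:1000:
selena:x:1001:
EOF
    # `sudo -l` output for ariana, laid out the way sudo prints it; the
    # systemctl rule is a constructed benign entry to exercise NOPASSWD parsing
    cat > "$d/sudo_ariana.txt" <<'EOF'
Matching Defaults entries for ariana on pwned:
    env_reset, mail_badpass

User ariana may run the following commands on pwned:
    (selena) /home/messenger.sh
    (root) NOPASSWD: /usr/bin/systemctl restart nginx
EOF
    : > "$d/sudo_selena.txt"    # selena has no sudo rules
    printf '%s\n' "$d"
}

# Stand-alone run over the constructed samples.
samples=$(write_samples)
audit_user ariana "$samples/group" "$samples/sudo_ariana.txt"
audit_user selena "$samples/group" "$samples/sudo_selena.txt"
```

On a live host the same functions work on /etc/group and on the output of sudo -l -U <user> captured by an administrator; the HIGH line is the one to act on first, since removing the user from the docker group (or moving container access behind a rootless or socket-proxied setup) closes the root path outright.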
We’ve successfully exploited this VM.
Thank you for reading this write-up.