Goatse Write-Up

Let me start very simple. I wanted to sharpen my pentesting skills and decided to do as many VulnHub boxes as I can in my free time. Some of these old-school attacks are still very reliable and still turn up in the wild, so to stay sharp and get some practice I will put most of my time into these boxes. Let me start with an easy one!

Scanning

Start with a simple nmap scan. Out of habit I used some unnecessary options on a vuln box, but hey, you never know!

nmap -sC -sV -f --mtu=16 [TARGET IP] -oA goatse

We visit port 80 to check the first web page.

The page lists usernames we can probably use for a brute-force attack or some simple login guessing with weak credentials. Continuing with our nmap scan, we notice something that stands out immediately: a MiniServ (Webmin) page.

Visiting port 10000 we see a login page! I followed up with common attacks (SQL injection, weak credentials such as admin:admin and admin:password) but got nothing, so next I continued with a little more enumeration.

Enumeration

Fire up Metasploit and search for webmin: there is an LFI exploit. A simple query for /etc/passwd and /etc/shadow and voila!

Exploit
/etc/passwd
/etc/shadow

Next, you might notice these hashes are very simple to identify by eye, but just in case we can let john identify the hash type and do everything on its own!
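The hash identification this paragraph refers to, as an added example that is not part of the original post: a small Python audit that classifies each /etc/shadow entry by its crypt(3) prefix and flags the schemes john cracks cheaply. The sample lines and hash values below are constructed placeholders in valid format, not the box's real hashes.

```python
import re

# crypt(3) scheme prefixes as they appear in the password field of /etc/shadow
SCHEMES = {
    "$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt",
}
WEAK_SCHEMES = {"descrypt", "md5crypt"}     # cheap to crack offline with john/hashcat
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")  # classic DES crypt: 2-char salt + 11 chars

def identify_scheme(field: str) -> str:
    """Classify the password field of one /etc/shadow entry by its prefix."""
    if field == "":
        return "empty"             # no password at all: anyone can log in
    if field.startswith(("!", "*")):
        return "locked"            # password login disabled for this account
    for prefix, name in SCHEMES.items():
        if field.startswith(prefix):
            return name
    if DES_RE.match(field):
        return "descrypt"
    return "unknown"

def audit_shadow(text: str) -> list:
    """Parse shadow-format lines into (user, scheme, finding) tuples."""
    results = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue               # malformed line: skip rather than guess
        scheme = identify_scheme(fields[1])
        if scheme == "empty":
            finding = "no-password"
        elif scheme in ("locked", "unknown"):
            finding = scheme
        elif scheme in WEAK_SCHEMES:
            finding = "weak-hash"  # worth rotating to sha512crypt/yescrypt
        else:
            finding = "ok"
        results.append((fields[0], scheme, finding))
    return results

# Constructed sample (not from the box); hash values are placeholders in valid format
SAMPLE = """root:$1$saltsalt$abcdefghijklmnopqrstuv:17000:0:99999:7:::
goatse:abJdefGhijKlm:17000:0:99999:7:::
guest:$6$saltsalt$placeholder_sha512crypt_value:17000:0:99999:7:::
daemon:*:17000:0:99999:7:::
nobody:!:17000:0:99999:7:::"""
```

Running audit_shadow(SAMPLE) reports root and goatse as weak-hash, guest as ok, and the two system accounts as locked.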

Hashes cracked by john

As we can see, john has already cracked the hashes; a simple command will show us the cracked passwords!

Cracked hashes

To follow up, we remember the SSH port from the nmap scan. I continued with an SSH login but ran into a small issue: by now [2019] SSH has been updated since this VM was built, and the VM only offers weak encryption. I had to modify my ssh_config file to force the same algorithms the server requires in order to log in (some more info in here). I continued down the list of cracked hashes and logged in first with guest.

But its permissions are of no use to us and sudo -l shows nothing of interest, so we continue with another user [goatse].

We log in successfully and check its permissions: looks like this user can run anything as root! So we use sudo su and immediately after that we have root!

dmcxblue

Infosec Hobbyist, Wanna Be Red-Teamer, Pentester Dreamer
OSCP | OSWP
GED- In Progress
