Let me start very simple so I kinda wanted to sharpen more my skill in pentesting and decided to do as many vulnhub boxes that I can on my free time, as it seems some of these old school hacks are still very reliable as they still show to appear in the wild so for me to stay sharp and get some practice, I will put most of my time into these boxes. Let me start with an Easy one!
Scanning
Start with a simple nmap scan , just by being so used to this, I used unnecessary options on a vuln box but still hey you never know!
nmap -sC -sV -f --mtu=16 [TARGET IP] -oA goatse
We visit port 80 to check the first web page
Usernames we can probably use for some brute force attack or some simple login guessing with weak creds or so but continuing with out nmap scan we will notice something that stands out immediately a MiniServ (Webmin) page
Visiting port 10000 we see a login page! I followed up with common attacks SQL, Weak credentials, [admin:admin admin:password] but nothing so next I continue with a little bit of more enumeration
Enumeration
Fire up Metasploit and did a search for webmin and found a LFI exploit a simple query for the /etc/passwd and /etc/passwd and voila!
Next you might notice these hashes are very simple to identify but just in case we can utilize john
As we may see john has already cracked the hashes a simple command will show us the cracked passwords!
To follow up we can remember the SSH port located on the nmap scan, I continued with an ssh login but came with a small issue as it seems by now [2019] ssh has been updated from this VM ,so it uses weak encryption. I had to modify my ssh_config file so it can force to use the same encryption required to Login, some more info in here. I continued down the list of my hashes and login first with guest
But its permission are of no use for us and sudo -l shows nothing of interest so we continue with another user [goatse]
We login successfully, we check its permissions, looks like he can root anything! so we use sudo su and immediately after that we got root!
