This machine was rated “Easy” and required the attacker to exploit a vulnerable web application to gain access.
The first step in any penetration testing exercise is reconnaissance. In this step, we gather as much information about the target machine as possible. We can start by running a port scan using nmap:
$ nmap -sC -sV -oN nmap.txt 10.10.10.138
This command will perform a port scan and service enumeration on the target machine and save the results to a file named nmap.txt. We can then review the file to see what ports and services are running on the target machine.
The output of the nmap scan showed that the target machine was running a web server on port 80 and an SSH server on port 22.
Nmap scan report for 10.10.10.138
Host is up (0.055s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| 2048 56:ea:2e:ab:20:55:2e:90:f9:f1:ba:39:49:17:13:f1 (RSA)
| 256 5e:89:df:7c:9e:4a:4c:2e:e4:f7:f1:1a:00:1f:8f:7b (ECDSA)
|_ 256 c6:21:a6:a3:6f:02:1e:8c:32:ca:67:50:8c:25:2a:3b (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We can visit the web server on port 80 to see if there are any interesting web applications running.
Visiting the web server on port 80 showed a default Apache web page. We ran a gobuster scan to find any hidden directories or files on the web server:
$ gobuster dir -u http://10.10.10.138 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt,html -o gobuster.txt
This command will perform a directory brute-force attack using a wordlist of common directories and files found in web applications.
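On the defending side, a scan like this stands out in the Apache access log: one client produces a burst of 404 responses and requests the same word with each extension passed via -x. The following Python code is an added example, not part of the original write-up; the log lines, client addresses, thresholds and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Apache common/combined log prefix: client, timestamp, request line, status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3})')
EXTS = (".php", ".txt", ".html")  # the -x list from the gobuster command above

def base_name(path):
    """Strip a probed extension so /admin, /admin.php and /admin.txt share one key."""
    path = path.split("?", 1)[0]
    for ext in EXTS:
        if path.endswith(ext):
            return path[: -len(ext)]
    return path

def find_enumerators(lines, min_requests=8, min_404_ratio=0.8, min_cycled=2):
    """Return {client_ip: stats} for clients whose requests look like wordlist enumeration."""
    per_ip = defaultdict(lambda: {"total": 0, "not_found": 0, "variants": defaultdict(set)})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # ignore lines that are not GET/HEAD requests in this format
        ip, path, status = m.group(1), m.group(2), int(m.group(3))
        s = per_ip[ip]
        s["total"] += 1
        s["not_found"] += status == 404
        s["variants"][base_name(path)].add(path)
    flagged = {}
    for ip, s in per_ip.items():
        # A word requested in 3+ forms (bare, .php, .txt, .html) indicates extension cycling
        cycled = sum(1 for v in s["variants"].values() if len(v) >= 3)
        ratio = s["not_found"] / s["total"]
        if s["total"] >= min_requests and ratio >= min_404_ratio and cycled >= min_cycled:
            flagged[ip] = {"requests": s["total"], "ratio_404": round(ratio, 2), "cycled_words": cycled}
    return flagged

def sample_log():
    """Constructed sample: a scanner (203.0.113.5) and an ordinary visitor (198.51.100.7)."""
    ts = "[01/Jan/2024:12:00:00 +0000]"
    lines = [f'203.0.113.5 - - {ts} "GET /{w}{x} HTTP/1.1" 404 274'
             for w in ("admin", "backup", "login") for x in ("", ".php", ".txt", ".html")]
    lines.append(f'203.0.113.5 - - {ts} "GET /index.html HTTP/1.1" 200 10918')
    lines.append(f'203.0.113.5 - - {ts} "GET /writeup HTTP/1.1" 301 314')
    for path, code in (("/", 200), ("/index.html", 200), ("/writeup/", 200), ("/favicon.ico", 404)):
        lines.append(f'198.51.100.7 - - {ts} "GET {path} HTTP/1.1" {code} 512')
    return lines

if __name__ == "__main__":
    print(find_enumerators(sample_log()))
```

The thresholds are deliberately low to fit the small sample; on a real log they would be tuned per site and evaluated over a time window.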
The output of the gobuster scan revealed a /writeup directory:
/index.html (Status: 200)
/writeup (Status: 301)
The /writeup directory showed a web application that allowed users to…