KB-Vuln3 Walkthrough - Vulnhub - Security

It is an easy machine with great opportunities to practice how to exploit several vulnerabilities. It can be downloaded here https://www.vulnhub.com/entry/kb-vuln-3,579/
Reconnaissance
Netdiscover helped me find the IP address of the victim machine.
Using Nmap, I was able to find the open ports and services.
I checked port 80 (web server) and did not find anything interesting. I also checked whether the host allows null SMB connections, and it worked.
There are several ways to get this file. Here you can see one way:
Using the "get" command I downloaded the file (website.zip)

Exploiting
This zip file is password protected, so I used zip2john to get the zip password hash.
Using John with the rockyou.txt wordlist, I found the password.
After unzipping the archive I searched for interesting files and found config.xml.php which contains a username and password; it should be for the web server
I found Sitemagic CMS on the server, and this CMS is vulnerable to arbitrary file upload. More info: https://www.exploit-db.com/exploits/48788
Here you can see that it was possible to upload a shell
When we look in the directory, we find that our webshell has been successfully uploaded.
We run a netcat listener on port 443 and gain access to the system.

Privilege Escalation
After reviewing the contents of the user's home directory and finding nothing helpful, we use the "find" command to list the binaries that we have permission to run. /bin/systemctl turned up for this user.
I did some research on the web and found this script to get a root shell. I created this file on my Kali machine and moved it to the victim machine.
I had to create a link file to the script and then execute it.
I started our service by connecting a netcat to the listening port (2233). In the following image you will see the root shell
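A defender's counterpart to the "find" step above, as an added example that is not part of the original walkthrough: it lists setuid files under a root directory and reports any that are missing from a baseline. It assumes the /bin/systemctl finding was a setuid bit (the page does not say which permission was matched); ALLOWED, audit_setuid and make_fixture are hypothetical names, and the baseline and fixture are constructed samples.

```shell
#!/bin/sh
# Baseline audit for unexpected setuid binaries such as /bin/systemctl.
# ALLOWED is a constructed sample baseline (an assumption); replace it with
# the list your distribution actually ships.
ALLOWED="/usr/bin/passwd /usr/bin/su /usr/bin/sudo /usr/bin/mount /usr/bin/umount /usr/bin/chsh /usr/bin/newgrp"

# Return 0 when the given root-relative path is in the baseline.
is_allowed() {
    for entry in $ALLOWED; do
        if [ "$1" = "$entry" ]; then
            return 0
        fi
    done
    return 1
}

# Print every setuid regular file under $1 that is not in the baseline.
# Paths are compared relative to the scan root, so a mounted image or a
# test fixture can be audited the same way as "/".
audit_setuid() {
    root=${1:-/}
    prefix=${root%/}
    find "$root" -xdev -type f -perm -4000 2>/dev/null | sort |
    while IFS= read -r path; do
        rel=${path#"$prefix"}
        if ! is_allowed "$rel"; then
            printf 'UNEXPECTED setuid: %s\n' "$path"
        fi
    done
}

# Constructed fixture: one baseline setuid file, one unexpected setuid
# file (systemctl) and one ordinary file. The files are empty placeholders.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/bin" "$dir/usr/bin"
    : > "$dir/bin/systemctl"
    : > "$dir/usr/bin/passwd"
    : > "$dir/usr/bin/ls"
    chmod 4755 "$dir/bin/systemctl" "$dir/usr/bin/passwd"
    chmod 0755 "$dir/usr/bin/ls"
    printf '%s\n' "$dir"
}

# Scan a real tree only when asked: sh audit.sh --scan [root]
if [ "${1:-}" = "--scan" ]; then
    audit_setuid "${2:-/}"
fi
```

Any reported file can have the bit cleared with `chmod u-s` once it is confirmed that nothing depends on it.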

Enjoy.....


