KB-VULN: 1 ~ VulnHub – Walk through

Name: KB-VULN: 1
URL: https://www.vulnhub.com/entry/kb-vuln-1,540/
Release Date: 29 Aug 2020
Author: MachineBoy
Difficulty Stated: Medium
Difficulty I found: Beginner to Intermediate
OS used: KaliLinux 2020.2
Things you can learn from this VM: Enumeration, FTP anonymous login, SSH dictionary attack, Privilege Escalation via message of the day, Reverse shell

First step is always going to be NMAP. We found 21, 22 and 80 opened. FTP had anonymous login enabled.

Logged in as anonymous user for FTP service and downloaded the bash history file which contained following data.

Ran gobuster, nikto but didn’t find anything fruitful. So, looked at the source of webpage and found username “sysadmin

Used Medusa to run a dictionary attack for SSH and found valid password = password1.

Logged in and read the user flag.

During enumeration we found that message of the day can be read/write by anyone. So, added python reverse shell to the file “/etc/update.motd.d/00-header

Next, logged out of the machine and again logged in and we got a root user reverse shell; read the root flag.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: