This is the next installment in our epic series about penetration testing and Kali Linux. If you are behind, please check out these posts about the OSCP certification, installing Kali Linux on any device, and some of our top Kali tools.
Today we will get to the meat of hacking and go into detail! This won’t likely get you arrested or extradited. We’ll be working on a target called a boot-to root machine. These virtual machines can be run in your network and are designed to look like a regular production box. They can run web servers, databases and FTP servers.
These machines are designed to be deliberately vulnerable by the author to allow you to practice pen test skills in a simulated environment.
It’s all about getting dirty, testing tools against a real target, and seeing what works and fails. We’ll be walking through the popular boot-to root machine Mr. Robot (like the TV series! This VM is a WordPress Server. We will brute force our way into admin console. Once we have a reverse shell, we will then escalate our privileges and become root user with full pwnage. Let’s go!
Learn how to become a security expert with SPOTO’s Cybersecurity Training
Start trainingSCARY LEGAL WARNING : As with any pen-testing exercise, you must ensure that you never run scans or tools against systems you don’t own without permission. Even if you’re just playing around with infosec training courses or certifications.
Start the Machine
Downloading and installing any boot-to root is the first step. Click here to download the image. The file will be saved in OVA format. This is a VMware machine-image. The file can be imported into any VMware product, or Virtual Box. To convert the file if you are using Parallels/Hyper-V, you will need to take a few extra steps. After it has been imported, check the network settings on it and your Kalibox to ensure they are on the same virtual network. Then, boot it up.
Next, find out what IP address it got. You can first find Kali’s IP address by running ifconfig. The address after eth0 will be what you are looking for:
[email protected]:~# Ifconfigeth0: flags=4163 mtu 1500inet 10.0.9.6 netmask 255.255.255.0 broadcast 10.0.9.255
Kali’s IP address is 10.0.9.6. Next, let’s use Nmap for pinging the entire subnet to find other live machines.
[email protected]:~# Nmap -Sn 10.0.9.0/24Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-14 11:25 EDTNmap Scan Report for 10.0.9.1Host Is Up (0.00019s Latency).MAC Address: 00:1C:42:00:00:18 (Parallels)Nmap Scan Report for 10.0.9.2Host Is Up (0.00014s Latency).MAC Address: 00:1C:42:00:00:08 (Parallels)Nmap Scan Report for 10.0.9.5Host Is Up (0.00048s Latency).MAC Address: 00:1C:42:70:D7:77 (Parallels)Nmap Scan Report for 10.0.9.6Host Is Up.Nmap done: 256 IP addresses (4 hosts up) scanned in 2.03 seconds
We know that Parallels uses 10.0.9.1 &.2 virtual network devices. Kali is.6 and Kali is.6. So.5 must be Mr. Robot!
Next, run a basic Nmap scan in order to locate open ports.
[email protected]:~# Nmap 10.0.9.5Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-14 11:26 EDTNmap Scan Report for 10.0.9.5Host Is Up (0.00046s Latency).Not Shown: 997 Filtered PortsPORT STATE SERVICE22/Tcp Closed Ssh80/Tcp Open Http443/Tcp Open HttpsMAC Address: 00:1C:42:70:D7:77 (Parallels)
Port 22 is reported closed. This means that the TCP request was explicitly answered with “go away, nobody’s answering here!” Instead of the non-reply from any other port, But 80 and 443 are still open! These ports are usually for HTTPS and HTTPS, as you may have learned in Network+ training. Let’s now try accessing the IP using Firefox