Here's a walkthrough of the vulhub machine. This machine is for complete beginners. We need to find the flag root.txt.
nmap -p- 192.168.122.130
nmap -sV -A 192.168.122.130 (Service version scan)
nmap -sV -A --script vuln 192.168.122.130 (Vulnerability scanning)
root@kali:~# nmap -sV -A --script vuln 192.168.122.130
Starting Nmap 7.80SVN ( https://nmap.org ) at 2020-08-19 01:15 EDT
Nmap scan report for 192.168.122.130
Host is up (0.00039s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /admin/: Possible admin folder
| /admin/admin.php: Possible admin folder
| /login.php: Possible admin folder
| /robots.txt: Robots file
| /image/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
| /img/: Potentially interesting directory w/ listing on 'apache/2.4.38 (debian)'
|_ /manual/: Potentially interesting folder
|_http-server-header: Apache/2.4.38 (Debian)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| vulners:
| cpe:/a:apache:http_server:2.4.38:
| CVE-2020-11984 7.5 https://vulners.com/cve/CVE-2020-11984
| CVE-2019-0211 7.2 https://vulners.com/cve/CVE-2019-0211
| CVE-2019-10082 6.4 https://vulners.com/cve/CVE-2019-10082
| CVE-2019-10097 6.0 https://vulners.com/cve/CVE-2019-10097
| CVE-2019-0217 6.0 https://vulners.com/cve/CVE-2019-0217
| CVE-2019-0215 6.0 https://vulners.com/cve/CVE-2019-0215
| CVE-2020-1927 5.8 https://vulners.com/cve/CVE-2020-1927
| CVE-2019-10098 5.8 https://vulners.com/cve/CVE-2019-10098
| CVE-2020-9490 5.0 https://vulners.com/cve/CVE-2020-9490
| CVE-2020-1934 5.0 https://vulners.com/cve/CVE-2020-1934
| CVE-2019-10081 5.0 https://vulners.com/cve/CVE-2019-10081
| CVE-2019-0220 5.0 https://vulners.com/cve/CVE-2019-0220
| CVE-2019-0196 5.0 https://vulners.com/cve/CVE-2019-0196
| CVE-2019-0197 4.9 https://vulners.com/cve/CVE-2019-0197
| CVE-2020-11993 4.3 https://vulners.com/cve/CVE-2020-11993
|_ CVE-2019-10092 4.3 https://vulners.com/cve/CVE-2019-10092
MAC Address: 00:0C:29:08:B4:25 (VMware)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.39 ms 192.168.122.130
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 77.93 seconds
root@kali:~#
whatweb http://192.168.122.130 (to identify the CMS)
nikto -h http://192.168.122.130/
gobuster -u http://192.168.122.130 -w /usr/share/wordlists/rockyou.txt
Found some directories
Open the URL in a browser
Found the directory find_me in robots.txt
Accessing find_me
Checking view-source
Found a base64 string in a comment
Decoding the string with a base64 decoder gives another base64 string
Decoding that base64 string to an image gives a QR code
After reading the QR code, we found a password: topshellv
Accessing the directory /bulmu
It contains an audio file. I listened to the wave file and it sounded like Morse code.
Decoding the Morse audio into text
And we found another user and password
Log in using ssh
Successfully connected
Checking the permissions of /etc/passwd
ls -al /etc/passwd
User trunks has permission to write to /etc/passwd
Let's change the password of root and log in
su - root
ls
Successfully found the flag root.txt
cat root.txt
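
The root step above works only because a non-root user can write to /etc/passwd. As an added example (not part of the original walkthrough), this shell function audits a passwd-format file for that condition: wrong owner, group or world write bits, a password field that is not a shadow placeholder, and extra UID 0 accounts. The names audit_passwd and demo, their arguments and the sample entries are constructed for illustration; GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the walkthrough): audit a passwd-format file.
# audit_passwd [FILE] [OWNER_UID] is a hypothetical helper name; needs GNU stat.
# Prints one finding per line; returns 1 on findings, 0 if clean, 2 on error.
audit_passwd() {
    file=${1:-/etc/passwd}
    want_uid=${2:-0}                      # /etc/passwd should belong to root
    owner=$(stat -c '%u' "$file") || return 2
    mode=$(stat -c '%a' "$file") || return 2    # octal, e.g. 644
    {
        [ "$owner" = "$want_uid" ] || echo "OWNER uid=$owner expected=$want_uid"
        [ $(( 0$mode & 020 )) -eq 0 ] || echo "GROUP_WRITABLE mode=$mode"
        [ $(( 0$mode & 002 )) -eq 0 ] || echo "WORLD_WRITABLE mode=$mode"
        awk -F: '
            /^#/ || NF == 0 { next }
            # With shadow passwords, field 2 is only a placeholder (x, *, !...)
            $2 != "x" && $2 != "*" && $2 !~ /^!/ { print "PW_FIELD user=" $1 }
            # Any account with UID 0 other than root is a second superuser
            $3 == 0 && $1 != "root" { print "EXTRA_UID0 user=" $1 }
        ' "$file"
    } | awk '{ print; n++ } END { exit (n > 0) }'
}

# Constructed sample: a loosely-permissioned copy with two suspicious entries.
demo() {
    d=$(mktemp -d) || return 2
    printf '%s\n' \
        'root:$6$constructed$notarealhash:0:0:root:/root:/bin/bash' \
        'trunks:x:1000:1000::/home/trunks:/bin/bash' \
        'svc:x:0:0::/:/bin/sh' > "$d/passwd"
    chmod 666 "$d/passwd"
    audit_passwd "$d/passwd" "$(id -u)"   # temp file is owned by the caller
    rc=$?
    rm -rf "$d"
    return "$rc"
}

demo || true
```

On a real host, run `audit_passwd` with no arguments to check /etc/passwd against root ownership; a clean file produces no output and exit status 0.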