172.16.17.0/24 NETWORK ENUMERATION
VULNERABILITY EXPLOITATION
HACKING CREDENTIALS
RECOMMENDATION AND CONCLUSION
REFERENCE
Technical Report
Test Methodology
For a step-by-step report of the procedures and outcomes of each test, please keep scrolling.
ENUMERATION
Upon further enumeration of the discovered host, ports 21, 22 and 80 were discovered open,
amongst other details like OS detection, as displayed below.
WEB VULNERABILITY SCANNING
First vulnerability
I used Nessus to scan for vulnerabilities in the Case Study machine and found the highest
vulnerability in the version of the FTP service used in the host.
Second vulnerability
Also, after finding out that port 80 had a secret directory from the Nikto results and navigating to
that directory, it was identified that the webpage was designed using WordPress, which further
made me run a WPScan on the webpage to find out the version that was running and the users of
the website.
Third vulnerability
Further research on the web page of this machine, after discovering the machine ran on PHP,
showed a few themes on the webpage that looked like another way to break into the system
through a payload found through this link:
https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
VULNERABILITY EXPLOITATION
Exploiting the first vulnerability
Metasploit is the tool that was used to exploit the vulnerability found in the ProFTPD version
used in the FTP service on the identified host.
In the image above, the user seen is root@casestudy, and the content of the flag.file found is
displayed below.
Using this exploit, I set the following values: LHOST, RHOST, TARGETURI.
This gave me Meterpreter reverse-shell connection access to the 172.16.17.96 host.
In this state, I downloaded the /etc/passwd and /etc/shadow files to be cracked offline later on
by John the Ripper.
Then, typing the shell command to gain access to the shell CLI of the machine gives room to
confirm the active user, which displays www-data.
Because root access is needed, further research was done and a CVE-2021-4034-rust
vulnerability was found on WordPress websites for privilege escalation. This package was also
found in the tmp folder for this user and I installed it. Installation gave me root access to the
machine.
After gaining root access and running the Python module to get an interactive shell, the
flag.file can be found in the root directory.