VulnHub: Basic Pentesting 1

4 min readMar 31, 2023

Today we are going to look at Basic Pentesting 1 on VulnHub found here:

Basic Pentesting: 1

Please remember that VulnHub is a free community resource so we are unable to check the machines that are provided to…

www.vulnhub.com

Starting off with an NMAP or RustScan we can see the following ports, I used the — to call for NMAP commands, and -Pn means do not ping:

Looking deeper into port 21 and 80 with NMAP we see the following:

Checking the services on searchsploit we can see that 1.3.3c may be vulnerable to a backdoor:

Heading over to github we find the following exploit:

https://github.com/yonko999/ProFTPD-1.3.3c

From here if you go to the raw format of the python script you can utilize wget:

wget https://raw.githubusercontent.com/yonko999/ProFTPD-1.3.3c/master/ProFTPD_133c.py

The first time I ran it, it did not work, looking at the exploit we can see that is trying to strip our IP address. Lets change this to just utilize our IP address and not strip anything:

As noticed we also need to have a listener running on port 4444. With all of this done, we do get a root shell back once we run the exploit:

Even though we are root, there is another way up. Utilizing a directory buster, such as feroxbuster or gobuster we can see that there is a /secret page.

From here, we also see that /secret is holding a wordpress page. Utilizing WPScan we can enumerate users:

Alright so we have the user admin, now lets brute force that user:

Awesome we have admin:admin, lets login:

We can now do a 404.php attack:

Shown above we are going to appearance, editor then clicking on 404 template. From here we will change the contents to a reverse shell from pentest monkey found here https://github.com/pentestmonkey/php-reverse-shell. However, if you are on Kali then you can do the below: