Vulnhub - EVM: 1
This is super friendly box intended for Beginner’s
This may work better with VirtualBox than VMware
– note: some of the spelling and punctuation errors on this blog are mine; but if I quoted something (like above), I tend to quote it verbatim, even if I know it’s incorrect.
This box is on the NetSecFocus Admin list of OSCP-like machines. It’s EVM: 1 from vulnhub.
I run my Kali as a VM on a Windows host, in Bridged mode. And that’s how I like it. This machine (and - I’m now realising, some others) don’t like it. It’s set up for Host Only. But if I run Host Only, then Kali can’t see it, unless I reconfigure Kali, which I don’t want to do. Ugh.
Anyway, this one has SMB, POP3, HTTP, SSH. This won’t be a very detailed writeup; I’m tired and mildly frustrated. Full disclosure; I’m currently roadblocked on two other boxes.
The webserver is running wordpress at /wordpress and we can get some creds:
root@kali:/opt/vulnhub/evm# wpscan --url http://192.168.1.105/wordpress --ignore-main-redirect -U 'c0rrupt3d_brain' -P /usr/share/wordlists/rockyou.txt
See the redirect? That’s because I did this in Bridged mode but it keeps trying to go back to the Host Only IP it’s been set up with - 192.168.56.103. Also I ran -e first to get the username. Anyway:
Using these credentials we should be able to log in to Wordpress, but it just would not in Bridged mode - just constant redirects. Grrr.
I switched the VM to Host Only and went over to Windows to see if I could continue without too much bother.
Visiting wp-admin I could log in easily, so that’s a start. I decided to try the theme code editing for once - it worked like a charm and in fact had been set up for this attack. I put
and had RCE at:
Lol, no. I’ve got Ubuntu running on WSL (version 1, not the apparently better version 2) with netcat installed but I couldn’t get it to catch a reverse shell and I couldn’t be bothered mucking about too much. Simple manual enumeration was enough:
For some reason I couldn’t SSH in from Windows, either from Powershell OR from Ubuntu WSL. F***.
So I just went and put the creds straight into the login on the running VM:
I guess that was that. Man, that would have been so much easier without the network issues. I’m assuming there are probably multiple ways to do this box. I might try it again later with a Host Only Kali. But probably not.
In the meantime I’m going to give it one of these:
rm -rf / --no-preserve-root