Vengeance Walkthrough: A Comprehensive Guide to OSCP Preparation
Vengeance is a notable entry in the digitalworld.local series, designed to simulate vulnerable environments akin to those found in the OSCP labs. This box exposes several services, offering multiple avenues for exploitation. In this guide, we will walk through the steps to compromise the Vengeance box, providing insights, tips, and techniques that can sharpen your penetration testing skills.
Before diving into the walkthrough, ensure you have the following prerequisites:
- Kali Linux VM: This is essential for running penetration testing tools.
- Download Vengeance: You can obtain the Vengeance box from VulnHub.
- Patience: Exploiting vulnerabilities can be time-consuming and requires a methodical approach.
For those new to setting up a lab environment, I have previously written an article detailing how to create your own hacking lab using VirtualBox or VMware. You can find it here.
Finding the IP Address of Your Target Machine
To begin your journey with Vengeance, the first step is to identify the IP address of your vulnerable machine within your network. You can use the following command:
$ netdiscover
For additional methods to find the IP address, refer to my previous articles:
Scanning for Open Ports
Once you have the IP address (for example, 172.16.37.138), the next step is to scan for open ports. This can be accomplished using tools like Nmap or Netcat. In this case, I focused on the following ports:
- Port 80: A web server is running here.
- Port 110: POP3, the mail retrieval service.
- Port 139 and 445: Commonly associated with SMB (Server Message Block).
- Port 22222: A non-standard port that turned out to host SSH.
Upon accessing port 80, I discovered a WordPress blog. However, the site was not loading correctly because its links referenced a local domain, “vengeance.goodtech.inc.” To resolve this, map that hostname to the target's IP address by adding an entry to your /etc/hosts file (resolv.conf only lists nameservers and will not accept such a mapping):
172.16.37.138 vengeance.goodtech.inc
After making this change, the website should function properly, allowing you to explore its contents.
Exploring WordPress for Vulnerabilities
While navigating the WordPress site, I attempted various fuzzing techniques to locate the wp-login page and identify potential vulnerabilities using WPScan. Unfortunately, these efforts did not yield fruitful results, prompting me to shift my focus to another service: SMB.
Understanding SMB and Its Exploitation
SMB, or Server Message Block, is a network file sharing protocol that allows applications to read and write files and request services from server programs. SMB runs directly over TCP on port 445, while port 139 carries it over the NetBIOS session service. To list the SMB shares available on the target host and the access level of the current credentials, I used the smbmap command:
$ smbmap -H 172.16.37.138
This command revealed that I had “READ ONLY” access to the print$ and sarapublic$ shares. To retrieve files from these shares, I used the smbclient command:
$ smbclient //172.16.37.138/sarapublic$
Among the retrieved files was a bash script named eaurouge. I attempted to upload a modified version of this script with the put command, but the share is read-only, so the upload failed.
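When auditing a host for exposed shares, it helps to turn the smbmap table into something you can filter. The script below is an added example (not code from the walkthrough) that parses an smbmap share listing and reports which shares the tested credentials can read or write; the sample output is constructed to mimic smbmap's Disk / Permissions / Comment table, with share names matching those reported above and made-up comments.

```python
"""Parse smbmap share listings and flag the shares the tested user can reach."""
import re

# Constructed sample of `smbmap -H <host>` output (not captured from the box).
SAMPLE_SMBMAP = """\
[+] IP: 172.16.37.138:445\tName: 172.16.37.138
        Disk                                                  \tPermissions\tComment
\t----                                                  \t-----------\t-------
\tprint$                                            \tREAD ONLY\tPrinter Drivers
\tsarapublic$                                       \tREAD ONLY\t
\tIPC$                                              \tNO ACCESS\tIPC Service (Samba)
"""

# Permission strings smbmap prints; "READ, WRITE" contains a space and comma.
PERMISSIONS = ("READ, WRITE", "READ ONLY", "WRITE ONLY", "NO ACCESS")
ROW_RE = re.compile(
    r"^\s*(\S+)\s+(" + "|".join(re.escape(p) for p in PERMISSIONS) + r")\s*(.*)$"
)


def parse_smbmap(text):
    """Return (share, permission, comment) tuples for every share row.

    Header, separator and host lines never contain a permission string, so the
    regex skips them without special handling.
    """
    shares = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            shares.append((m.group(1), m.group(2), m.group(3).strip()))
    return shares


def accessible_shares(text):
    """Shares where the tested credentials have any access at all."""
    return [(s, p) for s, p, _ in parse_smbmap(text) if p != "NO ACCESS"]


def writable_shares(text):
    """Shares that accept uploads; these are the ones to lock down first."""
    return [s for s, p, _ in parse_smbmap(text) if "WRITE" in p]


if __name__ == "__main__":
    for share, perm in accessible_shares(SAMPLE_SMBMAP):
        print(f"{share:20} {perm}")
    print("writable:", writable_shares(SAMPLE_SMBMAP) or "none")
```

Pipe real output in with `smbmap -H <host> > shares.txt` and call `parse_smbmap(open("shares.txt").read())`; shares with no access (such as IPC$ above) are dropped by `accessible_shares`, and an empty `writable_shares` result is what you want to see for a share that is meant to be read-only.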
Extracting Information from ZIP Files
Among the files obtained from the sarapublic$ share was a ZIP file named gio.zip, which contained a file called pass_reminder.txt. To crack the password for this ZIP file, I used the zip2john tool to generate a hash:
$ zip2john gio.zip > gio_hash
Next, I fed the generated hash to John the Ripper, a popular password cracking tool, using a wordlist:
$ john gio_hash --wordlist=/usr/share/wordlists/rockyou.txt
Unfortunately, the rockyou.txt wordlist did not yield results. I then experimented with various other password lists, but none proved effective. Ultimately, I decided to write a small script that builds a wordlist from the text files I had collected from the SMB share:
import argparse
import re

parser = argparse.ArgumentParser()
parser.add_argument("-tf", help="Text File location", type=str, required=True)
parser.add_argument("-o", help="Name of the output file after converted into wordlist", type=str, required=True)
args = parser.parse_args()
filename = args.tf
outfile = args.o


def read_convert(filename, outfile):
    # Collect every whitespace-separated token from the file, keeping only its
    # letters. Note that the regex also strips digits, so a token such as
    # "130R" is reduced to "R"; widen the character class if digits matter.
    wordlist = []
    with open(filename, "r") as f:
        for line in f:
            for word in line.split():
                w = re.sub("[^a-zA-Z]*", "", word)
                if w != "":
                    wordlist.append(w)
    # One candidate per line, the format john's --wordlist option expects
    with open(outfile, "w") as f1:
        for l in wordlist:
            f1.write(l + "\n")


read_convert(filename, outfile)
Running this script generated a wordlist from the text files. After running John the Ripper with this new wordlist, I finally cracked the password for the ZIP file.
Uncovering the Password
Inside the ZIP file, I discovered a PowerPoint presentation titled ted_talk.ppt, which contained the actual password:
- Name: circuit
- Corner: 130R
By combining these elements in the password reminder format, I derived the complete password:
giovanni_130R_Suzuka
With this password, I attempted to SSH into the machine using the usernames sara, Qin, and Qinyi, which I had gathered from the WordPress comments and text files. I successfully logged in as qinyi.
Gaining Further Access
Upon accessing the home directory of the qinyi user, I found a hint in the reminder file:
“Push config file to sara via private channel.”
This indicated the existence of another communication channel that needed to be explored. Running sudo -l showed that my sudo rights were limited, and attempts to run certain services, such as Nginx, prompted for a password.
To gather more information, I checked the network configuration with ifconfig and listed open ports with netstat -a. This turned up a TFTP service listening on UDP port 69 that served files from, and accepted uploads into, the /home/sara/private directory.
To exploit this, I connected to the TFTP server from my Kali machine and uploaded a modified bash script that included a reverse shell command:
$ tftp 172.16.37.138
tftp> put my_script.sh
After successfully uploading the script, I set up a listener on my Kali machine:
$ nc -lp 1337
Finally, I executed the script under the qinyi user, which granted me root access to the Vengeance box.
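The step that matters here is that the TFTP server answered a write request at all. The script below is an added example (not from the walkthrough) that builds the RFC 1350 packets behind `tftp> put` and interprets the server's first reply: an ACK for block 0 means the daemon will accept the file, an ERROR packet means writes are refused. The packets are constructed offline; the `probe` helper, which sends a single write request to a host you administer, is an assumption about how you would verify your own server, not something the walkthrough describes.

```python
"""TFTP write-request exchange (RFC 1350) as an offline demonstration."""
import socket
import struct

OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 2, 3, 4, 5
ERR_ACCESS_VIOLATION = 2  # RFC 1350 error code a server returns for a denied write


def build_wrq(filename, mode="octet"):
    """WRQ: 2-byte opcode, filename, NUL, transfer mode, NUL."""
    return struct.pack("!H", OP_WRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"


def build_ack(block):
    """ACK: opcode 4 followed by the 16-bit block number."""
    return struct.pack("!HH", OP_ACK, block)


def build_error(code, message):
    """ERROR: opcode 5, 16-bit error code, NUL-terminated message."""
    return struct.pack("!HH", OP_ERROR, code) + message.encode() + b"\0"


def parse_reply(packet):
    """Decode a server reply into ('ack', block) or ('error', code, message)."""
    if len(packet) < 4:
        raise ValueError("TFTP packet shorter than 4 bytes")
    opcode, field = struct.unpack("!HH", packet[:4])
    if opcode == OP_ACK:
        return ("ack", field)
    if opcode == OP_ERROR:
        message = packet[4:].split(b"\0", 1)[0].decode("ascii", errors="replace")
        return ("error", field, message)
    raise ValueError(f"unexpected opcode {opcode}")


def upload_permitted(reply):
    """True when a WRQ is answered with ACK block 0, i.e. the server accepts the file."""
    return parse_reply(reply)[:2] == ("ack", 0)


# Constructed exchange: the client side of `tftp> put my_script.sh` ...
CLIENT_WRQ = build_wrq("my_script.sh")
# ... a server that allows writes (the situation on the box) ...
OPEN_SERVER_REPLY = build_ack(0)
# ... and a server configured to refuse them.
LOCKED_SERVER_REPLY = build_error(ERR_ACCESS_VIOLATION, "Access violation")


def probe(host, filename="upload_check.tmp", port=69, timeout=3.0):
    """Send one WRQ to a server you administer and report whether it would accept it.

    No DATA block follows, so no content is written; the server times the
    transfer out, although some daemons leave an empty file of that name behind.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_wrq(filename), (host, port))
        reply, _ = s.recvfrom(516)
    return upload_permitted(reply)


if __name__ == "__main__":
    print("WRQ bytes     :", CLIENT_WRQ)
    print("open server   :", parse_reply(OPEN_SERVER_REPLY), "-> upload permitted:", upload_permitted(OPEN_SERVER_REPLY))
    print("locked server :", parse_reply(LOCKED_SERVER_REPLY), "-> upload permitted:", upload_permitted(LOCKED_SERVER_REPLY))
```

The WRQ carries no credentials and no path restriction of its own, which is why a daemon started with write access into a user's home directory hands out exactly what this box hands out; on a hardened host `probe("your.tftp.host")` should return False, and the daemon should be serving from a dedicated directory rather than from under /home.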
Conclusion
The Vengeance box offers an excellent opportunity for penetration testers to hone their skills in a controlled environment. By following the steps outlined in this guide, you can gain valuable experience in exploiting vulnerabilities, navigating SMB shares, and leveraging various tools to achieve your objectives. Remember, patience and persistence are key in the world of cybersecurity.
Frequently Asked Questions (FAQ)
What is Vengeance in the context of penetration testing?
Vengeance is a vulnerable machine designed to simulate real-world scenarios for penetration testing practice, particularly useful for OSCP preparation.
How do I find the IP address of my target machine?
You can use tools like netdiscover or nmap to identify the IP address of your target machine within your network.
What tools are essential for exploiting vulnerabilities in Vengeance?
Key tools include Kali Linux, WPScan for WordPress vulnerabilities, SMBMap for SMB shares, and John the Ripper for password cracking.
How can I gain root access in the Vengeance box?
By exploiting various services, gathering credentials, and utilizing reverse shells, you can achieve root access in the Vengeance box.
Where can I download the Vengeance box?
The Vengeance box can be downloaded from VulnHub.