Exercise 1 — Pentesting a Linux system

Hey, what's going on guys, it's Zack, and welcome to this new lesson, in which I'm going to give you a practical exercise to do.

After studying our first challenge, Basic Pentesting 2, where we saw how to conduct a basic audit on a Linux system, I suggest you take on this second challenge to test your skills.

This challenge is titled "Basic Pentesting 1".

You can find it on VulnHub, where you can download the virtual machine (I'll put the link in the description).

On the VulnHub page, you will find all the details of the challenge: its title, its release date, etc.

It is from the same creator as the previous machine, Josiah Pearce, who designed both boxes (Basic Pentesting 1 and 2).

Click on the download link to retrieve the virtual machine image, which is about 2.6 GB.

The goal is identical to the previous one: to root the machine, that is to say, to penetrate the system and escalate your privileges until you obtain root access.

The site also indicates the recommended hypervisor, which is VirtualBox.

The DHCP service is enabled on the virtual machine, which means that it will automatically retrieve an IP address on your network.

I have already downloaded the file and I am going to show you how to import it into VirtualBox.

It's very simple: right-click on the downloaded file, then select "Open with VirtualBox Manager".

If you use VMware, the procedure is similar and you can import it directly.

In the VirtualBox import window, you will see the machine details (it is an Ubuntu system).

By default, the import allocates 4 GB of RAM and 2 CPUs.

If you want to modify these resources, double-click on the corresponding lines.

For example, you can allocate 2 or 3 GB of RAM to it if your host machine is limited.

Once you are satisfied with the configuration, click on "Finish" to start the import.

A crucial step after importing is configuring the network adapter.

Let's take the example of another virtual machine, running Parrot OS.

Select your virtual machine, click on "Settings" then on "Network", and set the network access to "Bridged Adapter" mode.

This mode gives the virtual machine an IP address on your local network, the same network your host machine (Windows or macOS) is on.

If I type `ifconfig` in the terminal of my virtual machine and `ipconfig` in the command prompt of my Windows machine, I find that both systems are now on the same subnet.

It is imperative that the challenge's victim machine is on the same network so that your Kali Linux attack machine can communicate with it and successfully carry out the penetration test.

To configure our victim machine, we therefore go into its network settings and select "Bridged Adapter".
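The same-subnet check from the `ifconfig`/`ipconfig` comparison above, written as an added example (it is not part of the original lesson). The sample outputs and addresses are constructed, and the function names are hypothetical; the second sample shows the check failing when the VM is left on VirtualBox's default NAT adapter.

```python
import ipaddress
import re

IP = r"(\d+\.\d+\.\d+\.\d+)"

# Constructed sample outputs (not taken from the lesson).
VM_BRIDGED = """\
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.1.57  netmask 255.255.255.0  broadcast 192.168.1.255
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
"""
# Same VM left on VirtualBox's default NAT adapter (guest gets 10.0.2.15).
VM_NAT = VM_BRIDGED.replace("192.168.1.57", "10.0.2.15").replace(
    "192.168.1.255", "10.0.2.255")
HOST_IPCONFIG = """\
Ethernet adapter Ethernet:
   IPv4 Address. . . . . . . . . . . : 192.168.1.20
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
"""

def parse_ifconfig(text):
    """IPv4 interfaces from Linux `ifconfig` (new and old layout), minus loopback."""
    pairs = re.findall(rf"inet (?:addr:)?{IP}\s.*?(?:netmask |Mask:){IP}", text)
    ifaces = [ipaddress.ip_interface(f"{ip}/{mask}") for ip, mask in pairs]
    return [i for i in ifaces if not i.ip.is_loopback]

def parse_ipconfig(text):
    """IPv4 interfaces from Windows `ipconfig`: address line, then mask line."""
    pairs = re.findall(
        rf"IPv4 Address[ .]*: {IP}(?:\(Preferred\))?\s+Subnet Mask[ .]*: {IP}",
        text)
    return [ipaddress.ip_interface(f"{ip}/{mask}") for ip, mask in pairs]

def shared_subnets(vm_text, host_text):
    """(vm, host) interface pairs that sit in the same IPv4 network."""
    return [(v, h) for v in parse_ifconfig(vm_text)
            for h in parse_ipconfig(host_text)
            if v.network == h.network]

if __name__ == "__main__":
    for label, vm in (("bridged", VM_BRIDGED), ("NAT", VM_NAT)):
        hits = shared_subnets(vm, HOST_IPCONFIG)
        print(label, "->", hits if hits else "VM is not on the host's subnet")
```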

If VirtualBox displays an error message like "Invalid Settings Detected" concerning the system or display parameters (Display/Screen), correct the configuration, then click on "OK" and start the machine.

To succeed in this challenge, you will need two things: on the one hand, to draw on all the knowledge and concepts studied in this training, and on the other hand, to know how to use Metasploit if you want to take the fastest route.

However, the use of Metasploit is not mandatory; you can perfectly well exploit the flaws manually by searching for public exploits on the Internet.

The machine starts on an Ubuntu login screen.

Your goal is now to perform the penetration test on this machine and compromise it.

If you encounter difficulties, you can ask your questions in the comments, or contact me directly on my professional networks (LinkedIn, Discord) or by email.

Good luck with this challenge, and see you in the next lesson.

Peace!

Challenge link