
Capture the Flag: A walkthrough of EVM: 1
Introduction
Welcome to my write-up for the EVM: 1 machine from VulnHub. This is a beginner-level, intentionally vulnerable virtual machine created for the purposes of testing and strengthening one’s abilities. I hope you enjoy reading this as much as I enjoyed rooting and writing!
Setup
The download page is here. Always read the description to see if there’s anything the author shared that they think is important. Here, they recommend VirtualBox over VMware, so that is what we will use this time. The machine also has DHCP enabled, rather than having a static IP address, which is good to know.
We download the .ova file and import it into VirtualBox as usual. I then like to go in and ensure the network setting is set to “host-only” so that it is not exposed to anyone except my attacking machine.
With that taken care of, we are ready to start scanning this machine!
Scanning
I like to start off with an nmap ping scan to find the vulnerable host. If that doesn’t work, I’ll try netdiscover.
My EVM machine appears to be at 192.168.1.5, so let’s find some open ports. I usually start off by running a quick scan of every port to find which ones are open, and then running a detailed scan with a more selective set of ports. Today, I thought I would switch it up and see how running one all-encompassing scan goes.
(scan output truncated)
Some quick research didn’t turn up anything interesting for the reported versions of SSH, DNS or the Dovecot mail services. SMB enumeration didn’t show anything available without credentials either, though if we get some creds later, we may be able to do something with the is_known_pipename module in Metasploit based on the SMBD version reported.
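The two-pass approach mentioned above (a quick scan of every port, then a detailed scan of only the open ones) can be scripted by parsing nmap's grepable output from the first pass. This is an added example, not part of the original write-up: the sample output is constructed, and the `-sV -sC` flags for the second pass are an assumed choice rather than the author's command.

```python
import re

# Constructed sample of nmap grepable (-oG) output from a quick all-port pass.
# The address is the one used in the write-up; the port list is illustrative.
SAMPLE_OG = """\
# Nmap scan initiated (constructed sample) as: nmap -p- -oG quick.gnmap 192.168.1.5
Host: 192.168.1.5 ()\tStatus: Up
Host: 192.168.1.5 ()\tPorts: 22/open/tcp//ssh///, 53/open/tcp//domain///, 110/open/tcp//pop3///, 111/filtered/tcp//rpcbind///, 139/open/tcp//netbios-ssn///, 143/open/tcp//imap///, 445/open/tcp//microsoft-ds///\tIgnored State: closed (65528)
# Nmap done -- 1 IP address (1 host up) scanned
"""

def open_ports(gnmap_text):
    """Return {host: sorted open TCP ports} parsed from grepable output."""
    result = {}
    for line in gnmap_text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # skip comments and "Status:" lines
        host = line.split()[1]
        # Fields are tab-separated; take the one that starts with "Ports:".
        field = next(f for f in line.split("\t") if f.startswith("Ports:"))
        # Each entry is port/state/protocol/owner/service/...; keep open TCP only.
        found = re.findall(r"(\d+)/open/tcp/", field)
        result.setdefault(host, set()).update(int(p) for p in found)
    return {h: sorted(p) for h, p in result.items()}

def port_spec(ports):
    """Collapse a sorted port list into nmap -p syntax: [21, 22, 23, 80] -> '21-23,80'."""
    spans = []
    for p in ports:
        if spans and p == spans[-1][1] + 1:
            spans[-1][1] = p  # extend the current consecutive run
        else:
            spans.append([p, p])
    return ",".join(str(a) if a == b else f"{a}-{b}" for a, b in spans)

def detailed_scan_args(host, ports):
    """Build the argv for the second, selective pass."""
    # Assumption: version detection plus default scripts as the "detailed" scan.
    return ["nmap", "-sV", "-sC", "-p", port_spec(ports), host]

if __name__ == "__main__":
    for host, ports in open_ports(SAMPLE_OG).items():
        print(" ".join(detailed_scan_args(host, ports)))
```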
*** This is a Security Bloggers Network syndicated blog from Infosec Resources authored by Thomas Herrell. Read the original post at: http://feedproxy.google.com/~r/infosecResources/~3/-Tj0z-zHCqE/