A Walk-through on the RAGNAR LOTHBROK: 1 Box on Vulnhub

By Unbound3d

Box Info

Name

Ragnar Lothbrok: 1

Release date

4 Dec 2020

Author

Bjorn

Link

https://www.vulnhub.com/entry/ragnar-lothbrok-1,612/

Recon

sudo netdiscover -r 10.0.2.0/24

Netdiscover found our target box, Let's run an nmap scan on the target's IP

nmap -sC -sV 10.0.2.15 -v

Nmap found a couple of open ports

Among the open ports is port 80 and 443. Let's investigate those first.

The webpage that opens is a xampp installation dashboard page

Let's dig deeper by enumerating the URL's links using Gobuster

gobuster dir -u http://10.0.2.15 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Gobuster discovered a couple of URLs we can investigate. One particular one however caught my eye immediately: /secret. Let's investigate that one first

These look like a bunch of passwords we can use. Let's grab them and save them in a txt file. I saved mine as secrets.txt

Next, Let's investigate the /wordpress URL

As expected, it is a wordpress page. Let's investigate the wordpress URL further, using Gobuster

gobuster dir -u http://10.0.2.15/wordpress -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x php, txt

Gobuster uncovered a couple of interesting URLs

Let's see what we have on the /wp-login.php page

A wordpress login page. I tried the old-school admin:admin combination but was unsuccessful.

Now since we found a wordlist that looked like passwords, let's try enumerating users on the wordpress page using wpscan so as to try a brute force attack.

wpscan --url http://armbjorn/wordpress/ --enumerate u

We found a user!

Now since we have a username and a passwords wordlist, let's try a brute force attack using wpscan

wpscan --url http://armbjorn/wordpress/wp-login.php -U ragnar -P secrets.txt

wpscan found a valid password for user ragnar

NextExploitation

Last updated 2 years ago