On this night I was given the task of doing privilege escalation using exploitdb and John the Ripper.
First, prepare the OS: Ubuntu is already installed in VirtualBox as the target of the exploitation.
Start the VirtualBox VM that already has Ubuntu loaded.
Do an autoscan so we know the target's IP. Here I use the connection from vmnet8 and run autoscan as follows:
After that we do Information Gathering and Service Enumeration using the nmap tool. Type:
root@bt:~# nmap -v -A -sV -p 1-65535 172.16.227.129
Look for a vulnerability from the Service Enumeration results, from the open ports to the services running on them. Here I use Nessus and exploitdb.
Second, run a Nessus scan to find vulnerabilities. Log in to your account, click "add", fill out the form provided and continue, then wait until the scan completes. Nessus rates its findings by level: "Critical" for the most severe, "Medium" for moderate ones, and "Info" for findings that are informational only.
Here I chose Webmin, because this finding was easier to exploit than the other exploits discovered. Cross-check it against the Information Gathering results to confirm that a Webmin service is actually running on the target.
Third, look for exploits that are available in exploitdb, as below. Type:
root@bt:/pentest/exploits/exploitdb# ./searchsploit webmin
Select this exploit:
Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit (perl) | /multiple/remote/2017.pl
Webmin is running on port 10000.
Fourth, run the exploit with:
root@bt:/pentest/exploits/exploitdb# perl platforms/multiple/remote/2017.pl 172.16.227.129 10000 /etc/passwd 0
and the results are as follows:
Yup, the Ubuntu target is already exploited: there are three usernames, obama, osama and yomama. For privilege escalation, type:
root@bt:/pentest/exploits/exploitdb# perl platforms/multiple/remote/2017.pl 172.16.227.129 10000 /etc/shadow 0
Here we see the encrypted passwords. So how do we crack them?
Do it offline with the help of the John the Ripper tool, available under Privilege Escalation.
Before that, see the picture above: select (block) the encrypted result of the exploitation. Open John the Ripper and type:
root@bt:/pentest/passwords/john# gedit
The gedit editor will appear; paste in the block you copied earlier and save it under a name without an extension, for example "fixed".
Then run it as follows ("fixed" here is the name of the file I saved):
root@bt:/pentest/passwords/john# john fixed
Wait until the cracking finishes.
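What John actually attacks in that file is the crypt(3) field of each shadow line, and how quickly it gets cracked depends on the hashing scheme. The following added example (my own code, not from the original post) is a defender-side audit that parses shadow-format lines and flags accounts whose password hashes are weak (md5crypt, traditional DES) or missing altogether; the sample entries and their hashes are constructed, and only the user names are taken from this post.

```python
import re

# Constructed sample /etc/shadow entries with fake hashes (not taken from the
# original post or the lab target); the user names match the post's example.
SAMPLE_SHADOW = """\
root:$6$0123456789abcdef$FAKEsha512cryptHASHxxxxxxxxxxxxxxxxxxxxxxxx:15000:0:99999:7:::
obama:$1$abcdefgh$FAKEmd5cryptHASHxxxxxx:15000:0:99999:7:::
osama:AbCdEfGhIjKlM:15000:0:99999:7:::
yomama::15000:0:99999:7:::
daemon:*:15000:0:99999:7:::
"""

# crypt(3) prefix -> (scheme name, verdict against an offline cracking attempt)
SCHEMES = [
    ("$y$",  "yescrypt",    "strong"),
    ("$7$",  "scrypt",      "strong"),
    ("$6$",  "sha512crypt", "strong"),
    ("$5$",  "sha256crypt", "strong"),
    ("$2a$", "bcrypt",      "strong"),
    ("$2b$", "bcrypt",      "strong"),
    ("$2y$", "bcrypt",      "strong"),
    ("$1$",  "md5crypt",    "weak"),
]
# Traditional DES crypt: exactly 13 characters from the crypt alphabet, no '$'
DESCRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")

def classify_hash(field):
    """Return (scheme, verdict) for one password field of an /etc/shadow line."""
    if field == "":
        return ("none", "no password")        # login without any password
    if field[0] in "!*":
        return ("locked", "locked")           # account cannot log in by password
    for prefix, name, verdict in SCHEMES:
        if field.startswith(prefix):
            return (name, verdict)
    if DESCRYPT.match(field):
        return ("descrypt", "weak")           # 8-char limit, trivially cracked
    return ("unknown", "review")

def audit_shadow(text):
    """Map each user in shadow-format text to its (scheme, verdict)."""
    report = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:                    # skip blank or malformed lines
            continue
        report[fields[0]] = classify_hash(fields[1])
    return report

if __name__ == "__main__":
    for user, (scheme, verdict) in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{user:10} {scheme:12} {verdict}")
```

Any account reported as "weak" or "no password" is exactly the kind of entry that falls first once a shadow file leaks the way it does in this lab.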