Basic Pentesting
. . .

Introduction

The introduction to the room suggests that we will learn:

  • Brute-forcing
  • Hash Cracking
  • Service Enumeration
  • Linux Enumeration

Given that I have already solved a few boxes, I am fairly confident that this will be pretty easy. Without much ado, let’s dive in.

. . .

Scanning & Enumeration

> ------------------------Nmap Results-----------------------------<
--------------------------------------------------------------------
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-15 17:19 IST
Nmap scan report for 10.10.92.190
Host is up (0.42s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
|   256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)
|_  256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (ED25519)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
| ajp-methods:
|_  Supported methods: GET HEAD POST OPTIONS
8080/tcp open  http        Apache Tomcat 9.0.7
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.7
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=8/15%OT=22%CT=1%CU=43402%PV=Y%DS=4%DC=T%G=Y%TM=5F37CBF
OS:8%P=x86_64-pc-linux-gnu)SEQ(SP=108%GCD=1%ISR=10C%TI=Z%CI=I%II=I%TS=8)OPS
OS:(O1=M508ST11NW6%O2=M508ST11NW6%O3=M508NNT11NW6%O4=M508ST11NW6%O5=M508ST1
OS:1NW6%O6=M508ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN
OS:(R=Y%DF=Y%T=40%W=6903%O=M508NNSNW6%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)
Network Distance: 4 hops
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h20m04s, deviation: 2h18m35s, median: 3s
|_nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: basic2
|   NetBIOS computer name: BASIC2\x00
|   Domain name: \x00
|   FQDN: basic2
|_  System time: 2020-08-15T07:50:09-04:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-08-15T11:50:08
|_  start_date: N/A
TRACEROUTE (using port 554/tcp)
HOP RTT       ADDRESS
1   157.68 ms 10.4.0.1
2   ... 3
4   418.33 ms 10.10.92.190
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 65.70 seconds
--------------------------------------------------------------------

From the results above, let us populate our Service Version Enumeration Table.

Version Enumeration Table
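The table itself is an image in the original post. As an added example (my own code, not part of the writeup), here is a small Python parser that builds the same service/version table directly from Nmap's normal-format output; the sample input is the port section of the scan above pasted in as a string, and the `ports_with_version` helper answers the later question of whether any scanned service reports a given version (the dev note's 2.5.12, for instance).

```python
import re

# Constructed sample: the port section of the Nmap output shown above, pasted in
# as a string so this runs offline. Script-output lines ("| ...") are kept to
# show that the parser skips them.
NMAP_OUTPUT = """\
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8080/tcp open  http        Apache Tomcat 9.0.7
"""

# A port line: "<port>/<proto>  <state>  <service>  <version text>"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)
# First dotted version number in the version text, e.g. 7.2p2, 2.4.18, 4.3.11
VERSION_NUMBER = re.compile(r"\d+(?:\.\d+)+[A-Za-z0-9]*")


def parse_nmap_ports(text):
    """Turn Nmap's normal-format port table into a list of row dicts."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if not m:
            continue  # header line or NSE script output
        product = m.group("version").strip()
        num = VERSION_NUMBER.search(product)
        rows.append({
            "port": int(m.group("port")),
            "proto": m.group("proto"),
            "state": m.group("state"),
            "service": m.group("service"),
            "product": product,
            # "" when Nmap could only give a range such as "3.X - 4.X"
            "version": num.group(0) if num else "",
        })
    return rows


def ports_with_version(rows, needle):
    """Ports whose product/version text contains the given version string."""
    return [r["port"] for r in rows if needle in r["product"]]


def render_table(rows):
    """Plain-text version enumeration table."""
    header = f"{'PORT':<9}{'SERVICE':<13}{'VERSION':<9}PRODUCT"
    body = [
        f"{r['port']}/{r['proto']:<5}{r['service']:<13}{r['version']:<9}{r['product']}"
        for r in rows
    ]
    return "\n".join([header] + body)


if __name__ == "__main__":
    table = parse_nmap_ports(NMAP_OUTPUT)
    print(render_table(table))
    # The dev note later mentions version 2.5.12; confirm no scanned service reports it.
    print("ports reporting 2.5.12:", ports_with_version(table, "2.5.12"))
```

Keeping the raw product string next to the extracted number matters for the later lookup: Samba on 139 reports only a range, so its `version` field is empty and only the `product` text tells you what Nmap actually saw.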
. . .

Enumeration

HTTP Enumeration

Landing Page

Looking at the source code, we find a dev note section.

Source Code Snippet

We could run gobuster now, but I have also seen other ports open, so first I will see what those ports have in store for us.

Tomcat on Port 8080

On port 8080 we find the Apache Tomcat page, with links to Manager App and Host Manager. I tried ‘admin:admin’, which didn’t work. So let’s run our gobuster first and see if we find something.

gobuster dir -u http://10.10.247.122/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50
Found /development endpoint in gobuster results

This endpoint had two files:

  1. dev.txt
  2. j.txt
Contents of dev.txt

Observations: there are two people, J and K. We also see a version number, 2.5.12, and from our service enumeration table none of the services use this version. Interesting. Let’s look at `j.txt`.

Contents of j.txt

Looks like we are going to crack J’s password. Let’s look at the SMB shares to see if we can find a way to access this file.

SMB Enumeration

As always, let’s run Enum4Linux on the target.

enum4linux output

I am not sure why, but I could not get the usernames from the server using Enum4Linux.

We saw that anonymous login was allowed, so let’s see what we can get out of it.

Files on the anonymous share
Contents of staff.txt

This gives us two usernames. Now we saw that J’s password was weak, so maybe we can try brute-forcing ssh with the user Jan.

SSH Enumeration

I was looking for an online example of brute-forcing SSH and came across this blog.

hydra -t 4 -l jan -P </path/to/rockyou.txt> ssh://$target

It takes some time, but we get the password.

Cracked User - Jan's Password

With this password, log in.
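Seen from the other side, a password-guessing run like the one above leaves a very recognisable trace in the target's sshd log: a burst of "Failed password" lines for one user from one source address, and, if a guess lands, an "Accepted password" line from the same address shortly after. As an added, defender-side example (my own code, not part of the writeup), the Python below implements that detection over a few constructed auth.log lines: it flags a source that fails at least `threshold` times inside a sliding window, and separately flags a success that follows such a burst, which is the event that deserves the fastest response.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth.log lines (not captured from the target): five
# failures for one user from one source within a few seconds, then a success
# from the same source, plus an unrelated single failure from elsewhere.
AUTH_LOG = """\
Aug 15 17:30:01 basic2 sshd[1201]: Failed password for jan from 10.4.0.5 port 40122 ssh2
Aug 15 17:30:02 basic2 sshd[1203]: Failed password for jan from 10.4.0.5 port 40124 ssh2
Aug 15 17:30:02 basic2 sshd[1205]: Failed password for jan from 10.4.0.5 port 40126 ssh2
Aug 15 17:30:03 basic2 sshd[1207]: Failed password for jan from 10.4.0.5 port 40128 ssh2
Aug 15 17:30:04 basic2 sshd[1209]: Failed password for jan from 10.4.0.5 port 40130 ssh2
Aug 15 17:30:09 basic2 sshd[1215]: Accepted password for jan from 10.4.0.5 port 40140 ssh2
Aug 15 17:45:00 basic2 sshd[1300]: Failed password for invalid user admin from 10.4.0.9 port 50010 ssh2
"""

# sshd's password-authentication result lines (syslog timestamp has no year).
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_auth_log(text, year=2020):
    """Return (timestamp, result, user, ip) tuples for matching lines."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Alert once per source that reaches `threshold` failures within the
    window, and again if that same source then authenticates successfully."""
    alerts = []
    recent = defaultdict(deque)   # ip -> timestamps of failures still in window
    already_flagged = set()
    for ts, result, user, ip in sorted(events):
        q = recent[ip]
        while q and (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()           # drop failures that fell out of the window
        if result == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in already_flagged:
                already_flagged.add(ip)
                alerts.append({"ip": ip, "kind": "bruteforce",
                               "failures": len(q), "user": user, "at": ts})
        elif len(q) >= threshold:
            # A success right after a burst of failures: likely guessed credential.
            alerts.append({"ip": ip, "kind": "success_after_bruteforce",
                           "failures": len(q), "user": user, "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_auth_log(AUTH_LOG)):
        print(alert)
```

The thresholds are deliberately low for the sample; in practice they are tuned per environment, and the "success after burst" alert is the one worth paging on, since a plain burst of failures is routine background noise on any Internet-facing SSH port.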

. . .

Vulnerability Analysis

In this scenario, the vulnerability we leveraged was a weak password for a valid user. Given that we have our initial foothold, it’s time to privesc.

Shell with User Privileges
. . .

Exploitation

We can insert the hydra part here, but I am not sure since we found it in the enum phase.

Let’s try privesc with the password.

. . .

Privesc

Basic Enumeration
Basic Enumeration after getting initial access

After this, I have a strong feeling that we need to get the contents of pass.bak one way or another. Anyway, let’s upload and run LinPeas.sh. Once we have our server set up, we can fetch the file with wget. However, downloading it into the user’s home directory gives permission denied, so I used ‘/tmp’ instead.

Found SSH Keys
Contents of SSH Key

But I am not at all sure how this could be used. We also see the public and private keys.

On this website, we see that we can crack ssh private keys.

Knowledge Check

Let’s try this.

  1. Copy the private key to our local machine.
  2. # Convert the key into a hash format that john understands
    /usr/share/john/ssh2john.py id_rsa > id_rsa.hash
    # The path to ssh2john is important
  3. # Let's use John
    john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash
Cracked password with john

We have the password.
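The reason this step works is that the key's passphrase was in a wordlist, and the key itself was readable to another account. The check a defender would run is the inverse: find private keys that have no passphrase at all, or that sit with permissions looser than 0600. As an added example (my own code, not part of the writeup), the Python below classifies a private key file by inspecting only its headers: the `Proc-Type: 4,ENCRYPTED` header of legacy PEM keys, the PKCS#8 `ENCRYPTED PRIVATE KEY` label, and for the newer OpenSSH format the `ciphername`/`kdfname` fields that follow the `openssh-key-v1` magic. The sample keys are constructed header-only placeholders, not real key material and not the key found on the box.

```python
import base64
import os
import stat
import struct


def _ssh_string(b):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _openssh_blob(cipher, kdf):
    # Constructed: only the header fields of an openssh-key-v1 file, which is
    # all the classifier reads. Real files carry key material after this.
    raw = b"openssh-key-v1\x00" + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(b"")
    body = base64.b64encode(raw).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed samples (placeholders, not real keys).
ENCRYPTED_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

UExBQ0VIT0xERVIgS0VZIE1BVEVSSUFM
-----END RSA PRIVATE KEY-----
"""
PLAIN_PEM = """-----BEGIN RSA PRIVATE KEY-----
UExBQ0VIT0xERVIgS0VZIE1BVEVSSUFM
-----END RSA PRIVATE KEY-----
"""
ENCRYPTED_OPENSSH = _openssh_blob(b"aes256-ctr", b"bcrypt")
PLAIN_OPENSSH = _openssh_blob(b"none", b"none")


def classify_private_key(text):
    """Return one of: encrypted-pem, unencrypted-pem, encrypted-openssh,
    unencrypted-openssh, malformed, not-a-key."""
    lines = text.strip().splitlines()
    if not lines:
        return "not-a-key"
    first = lines[0]
    if first == "-----BEGIN OPENSSH PRIVATE KEY-----":
        b64 = "".join(l for l in lines[1:] if not l.startswith("-----"))
        try:
            raw = base64.b64decode(b64)
        except ValueError:
            return "malformed"
        magic = b"openssh-key-v1\x00"
        if not raw.startswith(magic):
            return "malformed"
        pos, fields = len(magic), []
        for _ in range(2):               # ciphername, then kdfname
            if len(raw) < pos + 4:
                return "malformed"
            (n,) = struct.unpack(">I", raw[pos:pos + 4])
            pos += 4
            fields.append(raw[pos:pos + n])
            pos += n
        cipher, kdf = fields
        return "encrypted-openssh" if cipher != b"none" and kdf != b"none" else "unencrypted-openssh"
    if first == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return "encrypted-pem"           # PKCS#8, encryption is in the label
    if first.startswith("-----BEGIN ") and first.endswith(" PRIVATE KEY-----"):
        for line in lines[1:]:
            if not line.strip():
                break                    # blank line ends the PEM headers
            if line.startswith("Proc-Type:") and "ENCRYPTED" in line:
                return "encrypted-pem"
        return "unencrypted-pem"
    return "not-a-key"


def is_permissive(mode):
    """True if group or other have any access bits on the file mode."""
    return (mode & 0o077) != 0


def audit_key_file(path):
    """Classify a key on disk and flag loose permissions (mode bits only)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        kind = classify_private_key(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {"path": path, "kind": kind, "mode": oct(mode), "permissive": is_permissive(mode)}


if __name__ == "__main__":
    for name, sample in [("encrypted pem", ENCRYPTED_PEM), ("plain pem", PLAIN_PEM),
                         ("encrypted openssh", ENCRYPTED_OPENSSH), ("plain openssh", PLAIN_OPENSSH)]:
        print(f"{name:>18}: {classify_private_key(sample)}")
```

A key that comes back `unencrypted-*` or `permissive` is a finding regardless of how strong the account password is; a passphrase drawn from a common wordlist, as here, is the next thing to fix, and that is a policy question the classifier cannot answer from headers alone.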

With the cracked password, we can now log in as kay. In the home directory we saw a backup of the password file. We can read it and get the password, and since this user is in the sudo group, we can get root.

Shell with Root Privileges
. . .

Summary | TL;DR

  1. Scan ports using nmap
  2. Find the hidden directory using gobuster
  3. Enumerate the smb shares to get users, and it shows that one user has already cracked another user’s password.
  4. Bruteforce ssh
  5. Crack private ssh key of the user present in the sudo group.
  6. Read the password of the user and root. BOOM!
. . .

Parting Thoughts

In this machine, we learned the following:

  1. Cracking ssh private keys.
  2. Bruteforce ssh

Thank you for reading, please provide your feedback and share with people who are in need. :)

. . .