This is my first ever lab in THM! It was pretty interesting to apply the tools like nmap, LinPEAS, enum4linux, Hydra and more.
Lab:
Tasks
Deploy the Machine and connect to our network
Refer to the THM webpage to set up the machine and VPN
Find the services exposed by the machine
Question Hint: use an nmap scan to look for the open ports
This tests on the basics on network recon. I created a directory first, to store the output and used sublime text to read through the output better (rather than reading it off the CLI)
-sC runs a set of default scripts against open ports to tdetermine if there are known vulnerabilities or misconfigurations that we can use
-sV probes all open ports it finds, determining if we are able to get the service version information. This allows us in identifying potential vulnerabilities associated with the version of that service
-oN just specifies the output format and file for scan results (initial will be the file within the directory "nmap" here)
From here, there are a few open ports: 22 running Ubuntu, 139 running Samba, 445 running Samba.
Hence, these are the services exposed by the machine.
What is the name of the hidden directory on the webserver(enter name without /)?
Question Hint: use dirsearch/dirbuster to find the hidden directories
While I didn't use dirbuster/dirsearch/gobuster for this question, I found out that you can use nmap and enum4linux directly to retreive the hidden directory.
Firstly, I went to the webserver to take a look which showed this (ctrl+u to view source)
Based on this, there should be a dev note section somewhere, so we have to use a domain enumeration tool.
sudo nmap -p80 --script http-enum 10.10.38.122
enum4linux -a 10.10.38.122 | tee enum4linux.log
subl enum4linux.log
Break down of commands
sudo nmap -p80 http-enum 10.10.38.122
This command uses nmap with elevated privileges (sudo) to scan the target IP.
--script http-enum instructs nmap to use the http-enum script which is for information gathering for HTTP services
-p80 specifies port 80, which is for HTTP traffic.
enum4linux -a 10.10.38.122 | tee enum4linux.log
This utilises the enum4linux tool to perform enuneration on the target.
-a specifies "all", for a comprehensive scan to gather as much information as possible.
I used | tee enum4linux.log to redirect the output to console and saving it to the log file as it got pretty long and messy.
subl enum4linux.log
used sublime text to open the log file in it.
And that was the output! /development/ was the directory we were looking for. Entering the flag development gave us the correct answer. :)
Opening the site, I am faced with
in dev.txt:
2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat
to host that on this server too. Haven't made any real web apps yet, but I have tried that example
you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm
using version 2.5.12, because other versions were giving me trouble. -K
2018-04-22: SMB has been configured. -K
2018-04-21: I got Apache set up. Will put in our content later. -J
in j.txt:
For J:
I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials,
and I was able to crack your hash really easily. You know our password policy, so please follow
it? Change that password ASAP.
-K
User brute-forcing to find the username & password
Going to the enum4linux script, I am able to get the usernames available, which...
... does answer question 5 and 9
Moving on to finding the password, I used hydra with the rockyou.txt file to bruteforce it.
hydra -l jan -P '/usr/share/wordlists/rockyou.txt' ssh://10.10.38.122
Command break down
hydra -l jan -P '/usr/share/wordlists/rockyou.txt' ssh://10.10.38.122
uses hydra (network login cracker) tool to brute-force a SSH server running on the IP address.
-l specifies user to be tested as "jan"
-P provides path to password list file which is a rockyou.txt wordlist that contains a collection of commonly used passwords.
ssh://10.10.38.122 - SSH is the target protocol and IP to attack is 10.10.38.122
And from there, I was able to retrieve the password to the user Jan, which was armando.
What is the username?
Question Hint: what about using SMB to find a username?
Refer to qn 4. Answer: Jan
What is the password?
Question Hint: What about using a tool like hydra to bruteforce?
Refer to qn 4. Answer: armando
What service do you use to access the server(answer in abbreviation in all caps)?
Question Hint: what command line utility is used for remote access?
establishes an SSH connection to the IP address with the username Jan and establishes SSH session on remote system that provides access through the remote shell.
Hence, the answer is SSH.
Enumerate the machine to find any vectors for privilege escalation
Question Hint: use a privilege escalation checklist or tool like LinEnum
For the privilege escalation, I utilised LinPEAS, a popular tool which contains scripts for privilege escalation for Linux systems.
But before that, I wanted to take a look around in the files and directories itself.
[Although it didn't really work as there was not very high level of privileges granted to jan.]
ls -la
cat .lesshst
cat /etc/passwd
sudo -l
cd ..
ls
cd kay
Break down of commands
ls -la
This was to display all the files and directories, *including hidden ones*.
From here, I got .lesshst
cat .lesshst
I wanted to display the .lesshst file (which should show the SSH command history)
cat /etc/passwd
From here, I tried to view the user's account information but I couldn't due to privilege issues.
sudo -l
Listing the commands that the user can run with privileges, which unfortunately wasn't what we were looking for.
cd ..
I moved up one directory level in the file system to view the other things
ls
Viewing all files and directories in that directory and we see kay!
cd kay
I saw this directory and decided to change it to it and check it out.
ls -la
I then checked all the files and directories within this "kay" directory.
There wasn't much useful information here due to privilege issues, so I moved on to use LinPEAS.
Refer to qn 10 for continuation
What is the name of the other user you found(all lower case)?
Refer to qn 8. Answer: kay
If you have found another user, what can you do with this information?
Question Hint: apart from a password, how else can a user access a machine?
I first copied the linPEAS script that is already available on the THM machine into the target machine using SCP.
After which, I made the script into an executable and ran it, piping the output to both the console and linpeas.txt.
cd/dev/shm
chmod +x linpeas.sh
./linpeas.sh | tee linpeas.txt
LinPEAS did identify that there is an id_rsa file which should have the SSH private key, so we can retrieve it back to the host, and now it gets more interesting!
cd /home/kay
ls
cd. ssh/
ls -la
cat id_rsa
nano kay_id_rsa
chmod 600 kay_id_rsa
ssh -i kay_id_rsa kay [email protected]
Break down of commands
cd /home/kay
ls
ls -la
cd. ssh/
Changed to home/kay directory and listed all files and directories in it, including hidden ones.
From there, I went to .ssh within it.
ls -la
I checked for the directories and files in the .ssh directory, and saw id_rsa (img below), which usually contains the SSH private key which is important for us :)
cat id_rsa
I then displayed the contents to see the private key
nano kay_id_rsa
This opened kay_id_rsa into the nano text editor for easier viewing.
