Basic Pentesting

Web App Testing, Linux Privilege Escalation

This is my first ever lab on THM! It was pretty interesting to apply tools like nmap, LinPEAS, enum4linux, Hydra and more.

Lab: https://tryhackme.com/room/basicpentestingjt

Tasks

  1. Deploy the machine and connect to our network

Refer to the THM https://tryhackme.com/access webpage to set up the machine and VPN.


  2. Find the services exposed by the machine

Question Hint: use an nmap scan to look for the open ports.

This tests the basics of network recon. I created a directory first to store the output, and used Sublime Text to read through the output (rather than reading it off the CLI).

mkdir nmap
nmap -sC -sV -oN nmap/initial 10.10.38.122
subl nmap/initial
Breakdown of scan

-sC runs a set of default scripts against open ports to determine if there are known vulnerabilities or misconfigurations that we can use.

-sV probes all open ports it finds to determine the service version information, which helps us identify potential vulnerabilities associated with that version of the service.

-oN writes the scan results in nmap's normal (human-readable) output format to the given file (here, a file named initial inside the "nmap" directory).

From here, there are a few open ports: 22 running SSH on Ubuntu, 139 running Samba, 445 running Samba.

Hence, these are the services exposed by the machine.
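As an added example (my own code, not from the room or this writeup), a small parser for the normal-format output that -oN writes: it pulls out the open ports and groups them into the SSH/HTTP/SMB surface found above. The scan excerpt is constructed, with placeholder version strings.

```python
import re

# Constructed excerpt in nmap's normal (-oN) format for the lab host; the
# version strings are illustrative placeholders, not copied from the real scan.
SAMPLE_SCAN = """\
# Nmap 7.80 scan initiated as: nmap -sC -sV -oN nmap/initial 10.10.38.122
Nmap scan report for 10.10.38.122
Host is up (0.040s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|_  2048 placeholder:fingerprint (RSA)
80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
# Nmap done -- 1 IP address (1 host up) scanned in 15.12 seconds
"""

# One port line: "<port>/<proto>  <state>  <service>  <version...>"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(open|closed|filtered)\s+(\S+)\s*(.*)$")

def parse_open_ports(scan_text):
    """Return [(port, service, version)] for every open port in -oN output;
    script (-sC) result lines starting with '|' are skipped."""
    found = []
    for line in scan_text.splitlines():
        m = PORT_LINE.match(line)
        if m and m.group(3) == "open":
            found.append((int(m.group(1)), m.group(4), m.group(5).strip()))
    return found

def attack_surface_summary(scan_text):
    """Group open ports into the services the lab cares about (SSH, HTTP, SMB)."""
    summary = {}
    for port, service, version in parse_open_ports(scan_text):
        if service == "ssh":
            label = "SSH"
        elif service.startswith("http"):
            label = "HTTP"
        elif service in ("netbios-ssn", "microsoft-ds") or "Samba" in version:
            label = "SMB"
        else:
            label = service.upper()
        summary.setdefault(label, []).append(port)
    return summary

if __name__ == "__main__":
    for port, service, version in parse_open_ports(SAMPLE_SCAN):
        print(f"{port:>5}  {service:<12} {version}")
    print(attack_surface_summary(SAMPLE_SCAN))
```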


  3. What is the name of the hidden directory on the webserver (enter name without /)?

Question Hint: use dirsearch/dirbuster to find the hidden directories.

While I didn't use dirbuster/dirsearch/gobuster for this question, I found out that you can use nmap and enum4linux directly to retrieve the hidden directory.

Firstly, I went to the webserver to take a look which showed this (ctrl+u to view source)

Based on this, there should be a dev note section somewhere, so we have to use a directory enumeration tool.

sudo nmap -p80 --script http-enum 10.10.38.122
enum4linux -a 10.10.38.122 | tee enum4linux.log
subl enum4linux.log
Breakdown of commands

sudo nmap -p80 --script http-enum 10.10.38.122

  • This command uses nmap with elevated privileges (sudo) to scan the target IP.

  • --script http-enum instructs nmap to run the http-enum script, which gathers information about HTTP services by probing for commonly used paths and directories.

  • -p80 specifies port 80, which is for HTTP traffic.

enum4linux -a 10.10.38.122 | tee enum4linux.log

  • This utilises the enum4linux tool to perform enumeration on the target.

  • -a specifies "all", for a comprehensive scan to gather as much information as possible.

  • I used | tee enum4linux.log to print the output to the console while also saving it to a log file, as it got pretty long and messy.

subl enum4linux.log

  • Used Sublime Text to open the log file.

And that was the output! /development/ was the directory we were looking for. Entering development as the flag gave us the correct answer. :)

Opening the site, I am faced with two files, dev.txt and j.txt.

in dev.txt:

2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat
to host that on this server too. Haven't made any real web apps yet, but I have tried that example
you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm
using version 2.5.12, because other versions were giving me trouble. -K

2018-04-22: SMB has been configured. -K

2018-04-21: I got Apache set up. Will put in our content later. -J

in j.txt:

For J:

I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials,
and I was able to crack your hash really easily. You know our password policy, so please follow
it? Change that password ASAP.

-K

  4. User brute-forcing to find the username & password

Going to the enum4linux output, I was able to get the usernames available, which also answers questions 5 and 9.

Moving on to finding the password, I used hydra with the rockyou.txt wordlist to brute-force it.

hydra -l jan -P '/usr/share/wordlists/rockyou.txt' ssh://10.10.38.122
Command breakdown

hydra -l jan -P '/usr/share/wordlists/rockyou.txt' ssh://10.10.38.122

  • Uses hydra (a network login cracker) to brute-force the SSH server running on the target IP address.

  • -l specifies the single username to test, "jan".

  • -P provides the path to the password list; rockyou.txt is a wordlist containing a large collection of commonly used passwords.

  • ssh://10.10.38.122 - SSH is the target protocol and 10.10.38.122 is the target IP.

And from there, I was able to retrieve the password for the user Jan, which was armando.
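For the defender's view of this step, an added example that is not part of the original writeup: detection logic that reads sshd auth.log lines and flags a source producing a burst of failed logins inside a short window, noting whether it later logged in by password, which is exactly the footprint a hydra run against jan leaves. The log lines are constructed, not captured from the lab.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed auth.log excerpt (not from the lab box) showing what a hydra run
# against "jan" looks like on the target: a burst of failures from one source
# followed by a password success, plus an unrelated key-based login by kay.
SAMPLE_AUTH_LOG = """\
Apr 23 10:01:01 target sshd[1201]: Failed password for jan from 10.8.0.5 port 50211 ssh2
Apr 23 10:01:01 target sshd[1202]: Failed password for jan from 10.8.0.5 port 50212 ssh2
Apr 23 10:01:02 target sshd[1203]: Failed password for jan from 10.8.0.5 port 50213 ssh2
Apr 23 10:01:02 target sshd[1204]: Failed password for invalid user admin from 10.8.0.5 port 50214 ssh2
Apr 23 10:01:03 target sshd[1205]: Failed password for jan from 10.8.0.5 port 50215 ssh2
Apr 23 10:01:03 target sshd[1206]: Failed password for jan from 10.8.0.5 port 50216 ssh2
Apr 23 10:01:04 target sshd[1207]: Accepted password for jan from 10.8.0.5 port 50217 ssh2
Apr 23 10:30:00 target sshd[1300]: Accepted publickey for kay from 10.8.0.9 port 40001 ssh2
"""

STAMP = r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
FAILED = re.compile(STAMP + r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(STAMP + r"Accepted (password|publickey) for (\S+) from (\S+) port")

def _ts(stamp, year=2018):
    # syslog timestamps carry no year; assume one so the window maths works
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Map each source IP that produced >= threshold failed logins inside any
    window_seconds span to {failures, users, success_for}, where success_for is
    the account later opened by password from that source (None if no success)."""
    failures = defaultdict(list)  # ip -> [(time, user)]
    successes = []                # [(time, ip, user, method)]
    for line in log_text.splitlines():
        if m := FAILED.match(line):
            failures[m.group(3)].append((_ts(m.group(1)), m.group(2)))
        elif m := ACCEPTED.match(line):
            successes.append((_ts(m.group(1)), m.group(4), m.group(3), m.group(2)))
    alerts = {}
    for ip, events in failures.items():
        events.sort()
        for i in range(len(events) - threshold + 1):
            if (events[i + threshold - 1][0] - events[i][0]).total_seconds() <= window_seconds:
                hit = next((u for t, src, u, meth in successes
                            if src == ip and meth == "password" and t >= events[i][0]), None)
                alerts[ip] = {"failures": len(events),
                              "users": sorted({u for _, u in events}),
                              "success_for": hit}
                break
    return alerts
```

A burst that ends in a password success is the case worth paging on: the account it names (jan here) should be treated as compromised and its password rotated.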


  5. What is the username?

Question Hint: what about using SMB to find a username?

Refer to qn 4. Answer: Jan


  6. What is the password?

Question Hint: what about using a tool like hydra to brute-force?

Refer to qn 4. Answer: armando


  7. What service do you use to access the server (answer in abbreviation in all caps)?

Question Hint: what command line utility is used for remote access?

To gain remote access:

ssh jan@10.10.38.122
yes        # accept the host key fingerprint on first connection
armando    # jan's password at the prompt
Breakdown of commands

ssh jan@10.10.38.122

  • Establishes an SSH connection to the IP address as the user jan, giving us a remote shell on the target system.

Hence, the answer is SSH.


  8. Enumerate the machine to find any vectors for privilege escalation

Question Hint: use a privilege escalation checklist or tool like LinEnum

For privilege escalation, I utilised LinPEAS, a popular script that checks a Linux system for privilege escalation vectors.

But before that, I wanted to take a look around in the files and directories itself.

[Although it didn't really help, as jan was not granted a very high level of privileges.]

ls -la
cat .lesshst
cat /etc/passwd

sudo -l
cd ..
ls
cd kay
Breakdown of commands

ls -la

  • This was to display all the files and directories, *including hidden ones*.

  • From here, I got .lesshst

cat .lesshst

  • I wanted to display the .lesshst file (which should show the SSH command history)

cat /etc/passwd

  • From here, I tried to view the users' account information, but I couldn't due to privilege issues.

sudo -l

  • Lists the commands the user can run with elevated privileges, which unfortunately wasn't what we were looking for.

cd ..

  • I moved up one directory level in the file system to view the other things

ls

  • Viewing all files and directories in that directory, and we see kay!

cd kay

  • I saw this directory and decided to change into it and check it out.

ls -la

  • I then checked all the files and directories within this "kay" directory.

There wasn't much useful information here due to privilege issues, so I moved on to use LinPEAS.

Refer to qn 10 for continuation

  9. What is the name of the other user you found (all lower case)?

Refer to qn 8. Answer: kay


  10. If you have found another user, what can you do with this information?

Question Hint: apart from a password, how else can a user access a machine?

I first copied the LinPEAS script, which is already available on the THM attack machine, to the target machine using SCP.

scp /opt/PEAS/linPEAS/linpeas.sh jan@10.10.38.122:/dev/shm
armando    # jan's password at the scp prompt

After which, I made the script into an executable and ran it, piping the output to both the console and linpeas.txt.

cd /dev/shm
chmod +x linpeas.sh
./linpeas.sh | tee linpeas.txt

LinPEAS did identify an id_rsa file, which should hold an SSH private key, so we can copy it back to the attack host. Now it gets more interesting!

cd /home/kay
ls
cd .ssh/

ls -la
cat id_rsa

nano kay_id_rsa    # on the attack machine, holding a copy of kay's key
chmod 600 kay_id_rsa
ssh -i kay_id_rsa kay@10.10.38.122
Breakdown of commands

cd /home/kay
ls
ls -la
cd .ssh/

  • Changed to the /home/kay directory and listed all files and directories in it, including hidden ones.

  • From there, I went into .ssh within it.

ls -la

  • I checked for the directories and files in the .ssh directory, and saw id_rsa (img below), which usually contains the SSH private key which is important for us :)

cat id_rsa

  • I then displayed the contents to see the private key

nano kay_id_rsa

  • This opened kay_id_rsa into the nano text editor for easier viewing.

chmod 600 kay_id_rsa

  • Setting the permissions so that only the owner can read and write the key (ssh refuses to use a private key that other users can read).

ssh -i kay_id_rsa kay@10.10.38.122

  • Establishing an SSH connection to the target IP address using the private key file, as the user "kay".


  11. What is the final password you obtain?

Question Hint: use John the Ripper to brute-force the passphrase

We know from the note left on the webserver earlier that Kay has set an easy-to-crack password, so the tool John the Ripper comes in handy.

Firstly, I had to convert the RSA key file into a hash format suitable for cracking.

Then, I used a popular wordlist, rockyou.txt which was also preinstalled into the THM machine.

/opt/JohnTheRipper/run/ssh2john.py kay_id_rsa > kay_id_rsa.hash
/opt/JohnTheRipper/run/john kay_id_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt

And we got the password beeswax, which is the SSH private key passphrase.

Now that we have the passphrase, we can login.

ssh -i kay_id_rsa kay@10.10.38.122
beeswax    # passphrase for the private key
ls -la

cat pass.bak
Explanations for commands

ssh -i kay_id_rsa kay@10.10.38.122

beeswax

  • Logged in as kay with the private key, entering beeswax at the passphrase prompt.

ls -la

  • Listed the files and directories in the current directory, in which I saw pass.bak again.

cat pass.bak

  • Displays the contents of the file.

While I completely forgot to take a screenshot, the password obtained was:

heresareallystrongpasswordthatfollowsthepasswordpolicy$$
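Looking at questions 10 and 11 from the defender's side, an added audit script (my own example, not from the room or this writeup): it walks users' .ssh directories and flags private keys that other local users can read, which is how jan reached kay's key, and reports whether each key is unencrypted, protected by the legacy PEM format that ssh2john converts for offline guessing, or stored in the modern OpenSSH format with a cipher. The fixture files it builds are constructed placeholders, not real keys.

```python
import base64, stat, struct, tempfile
from pathlib import Path

MAGIC = b"openssh-key-v1\x00"

def key_encryption(key_text):
    # None: not a private key; 'none': unencrypted; 'pem-legacy': old-style PEM with
    # a passphrase (the format ssh2john/john attack); 'openssh-<cipher>': modern format.
    lines = key_text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN"):
        return None
    if "OPENSSH PRIVATE KEY" in lines[0]:
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            return None
        (n,) = struct.unpack(">I", blob[len(MAGIC):len(MAGIC) + 4])  # cipher name length
        cipher = blob[len(MAGIC) + 4:len(MAGIC) + 4 + n].decode()
        return "none" if cipher == "none" else "openssh-" + cipher
    return "pem-legacy" if any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines) else "none"

def audit_private_keys(home_root):
    # Walk <home_root>/<user>/.ssh; flag keys other users can read (how jan reached
    # kay's key in the lab) and keys stored with no or legacy passphrase protection.
    findings = []
    for path in sorted(Path(home_root).glob("*/.ssh/*")):
        kind = key_encryption(path.read_text(errors="replace")) if path.is_file() else None
        if kind is None:
            continue
        user, mode = path.parent.parent.name, stat.S_IMODE(path.stat().st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append((user, path.name, "readable by others (%04o)" % mode))
        if kind in ("none", "pem-legacy"):
            findings.append((user, path.name, "no passphrase" if kind == "none" else "legacy PEM passphrase"))
    return findings

def build_sample_home():
    # Constructed fixture with placeholder bodies, not real keys: kay's legacy PEM
    # key is world-readable as in the lab; jan's modern key is aes256-ctr, mode 0600.
    root = Path(tempfile.mkdtemp())
    legacy = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,"
              "00112233445566778899AABBCCDDEEFF\n\ncGxhY2Vob2xkZXI=\n-----END RSA PRIVATE KEY-----\n")
    blob = base64.b64encode(MAGIC + struct.pack(">I", 10) + b"aes256-ctr").decode()
    modern = "-----BEGIN OPENSSH PRIVATE KEY-----\n" + blob + "\n-----END OPENSSH PRIVATE KEY-----\n"
    for user, name, text, mode in (("kay", "id_rsa", legacy, 0o644), ("jan", "id_ed25519", modern, 0o600)):
        key = root / user / ".ssh" / name
        key.parent.mkdir(parents=True)
        key.write_text(text)
        key.chmod(mode)
    return str(root)
```

Run audit_private_keys("/home") as root on a box like this one and kay's id_rsa shows up twice: readable by every local user, and protected only by a passphrase that a wordlist run through ssh2john and john can recover offline.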

And that is the full writeup of this lab, done and dusted!
