Writeup for Basic Pentesting room on TryHackMe.com
URL for this room is https://tryhackme.com/room/basicpentestingjt
- Basic Pentesting
- Service Enumeration
- Directory Enumeration
- Web Application
- Brute Force SSH Login
- Privilege Escalation
- Gaining Access
For this I ran an nmap SYN scan to check for open ports. Following is the output I got.
# Nmap 7.60 scan initiated Tue Nov 9 07:39:39 2021 as: nmap -vv -sS -oN enum.txt -p- 10.10.3.241
Increasing send delay for 10.10.3.241 from 5 to 10 due to 11 out of 30 dropped probes since last increase.
Increasing send delay for 10.10.3.241 from 10 to 20 due to 11 out of 28 dropped probes since last increase.
Increasing send delay for 10.10.3.241 from 20 to 40 due to 11 out of 26 dropped probes since last increase.
Increasing send delay for 10.10.3.241 from 40 to 80 due to 11 out of 32 dropped probes since last increase.
Nmap scan report for ip-10-10-3-241.eu-west-1.compute.internal (10.10.3.241)
Host is up, received arp-response (0.00046s latency).
Scanned at 2021-11-09 07:39:39 GMT for 5154s
Not shown: 65529 closed ports
Reason: 65529 resets
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
139/tcp open netbios-ssn syn-ack ttl 64
445/tcp open microsoft-ds syn-ack ttl 64
8009/tcp open ajp13 syn-ack ttl 64
8080/tcp open http-proxy syn-ack ttl 64
MAC Address: 02:1F:91:CB:53:C5 (Unknown)
Read data files from: /usr/bin/../share/nmap
# Nmap done at Tue Nov 9 09:05:33 2021 -- 1 IP address (1 host up) scanned in 5153.66 seconds
So the scan found ports 22, 80, 139, 445, 8009 and 8080 open. Next I ran a more thorough nmap scan on these open ports. The results were as follows.
# Nmap 7.60 scan initiated Tue Nov 9 07:47:41 2021 as: nmap -sS -sV -sC -O -oN open_ports.txt -p 22,80,139,445,8009,8080 10.10.3.241
Nmap scan report for ip-10-10-3-241.eu-west-1.compute.internal (10.10.3.241)
Host is up (0.00030s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
| 256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)
|_ 256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (EdDSA)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| ajp-methods:
|_ Supported methods: GET HEAD POST OPTIONS
8080/tcp open http Apache Tomcat 9.0.7
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.7
MAC Address: 02:1F:91:CB:53:C5 (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3.13
OS details: Linux 3.13
Network Distance: 1 hop
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: -1s, deviation: 0s, median: -1s
|_nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: basic2
| NetBIOS computer name: BASIC2\x00
| Domain name: \x00
| FQDN: basic2
|_ System time: 2021-11-09T02:47:54-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-11-09 07:47:54
|_ start_date: 1600-12-31 23:58:45
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Nov 9 07:47:55 2021 -- 1 IP address (1 host up) scanned in 14.47 seconds
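Two scans like the ones above produce a lot of text, and the useful part (open ports, versions, and the SMB signing state the host scripts reveal) is easy to miss when reading by eye. The following Python is an added example, not part of the original writeup or any nmap tool: it parses nmap's normal (-oN) output into a structured report and flags the weak SMB signing settings that appear in the scan above. The sample input is an abbreviated copy of the room's own -sV scan; the column-handling logic (REASON vs VERSION) and the list of flagged findings are this example's assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# One row of nmap's port table, e.g. "80/tcp open http Apache httpd 2.4.18 ((Ubuntu))".
# The trailing group is the REASON column of a plain -sS scan or the VERSION
# column of a -sV scan; the table header tells us which one we are reading.
PORT_ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass
class PortFinding:
    port: int
    proto: str
    state: str
    service: str
    version: str = ""                                      # empty when no -sV column
    script_lines: List[str] = field(default_factory=list)  # NSE output for this port


@dataclass
class ScanReport:
    target: str = ""
    ports: List[PortFinding] = field(default_factory=list)
    host_script_lines: List[str] = field(default_factory=list)


def parse_nmap_normal(text: str) -> ScanReport:
    """Parse nmap -oN text (the format shown in the scan logs above)."""
    report = ScanReport()
    has_version_column = False
    current: Optional[PortFinding] = None   # port whose "|" lines we are inside
    in_host_scripts = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^Nmap scan report for (.+)$", line)
        if m:
            report.target = m.group(1)
            continue
        if line.startswith("PORT"):
            has_version_column = "VERSION" in line.split()
            continue
        if line.startswith("Host script results"):
            in_host_scripts, current = True, None
            continue
        if line.startswith("|"):
            body = line.lstrip("|_").strip()
            if in_host_scripts:
                report.host_script_lines.append(body)
            elif current is not None:
                current.script_lines.append(body)
            continue
        m = PORT_ROW.match(line)
        if m:
            port, proto, state, service, rest = m.groups()
            version = (rest or "") if has_version_column else ""
            current = PortFinding(int(port), proto, state, service, version)
            report.ports.append(current)
            continue
        current = None   # any other line (MAC address, OS guess, ...) closes the port block
    return report


def risky_findings(report: ScanReport) -> List[str]:
    """Flag configuration weaknesses that the NSE host scripts make visible."""
    findings = []
    for body in report.host_script_lines:
        low = body.lower()
        if low.startswith("message_signing: disabled"):
            findings.append("SMB1 message signing disabled")
        if low.startswith("message signing enabled but not required"):
            findings.append("SMB2 message signing not required")
    return findings


# Abbreviated copy of the -sV scan above, used as sample input.
SAMPLE_SV = """
Nmap scan report for ip-10-10-3-241.eu-west-1.compute.internal (10.10.3.241)
Host is up (0.00030s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|_ 2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8080/tcp open http Apache Tomcat 9.0.7
MAC Address: 02:1F:91:CB:53:C5 (Unknown)
Host script results:
| smb-security-mode:
| account_used: guest
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
"""

# Abbreviated copy of the plain SYN scan above (REASON column, no versions).
SAMPLE_SYN = """
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
"""

if __name__ == "__main__":
    rep = parse_nmap_normal(SAMPLE_SV)
    for p in rep.ports:
        print(f"{p.port}/{p.proto} {p.state} {p.service} {p.version}")
    for f in risky_findings(rep):
        print("WARNING:", f)
```

Run against a saved -oN file the same parser gives a list that can be diffed against the previous scan of the same host, so a newly exposed port or a downgrade in SMB signing shows up as a change rather than being buried in the text.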
For enumerating directories, I used gobuster with the provided directory-list-2.3-medium.txt wordlist. It finds an accessible development directory.
Opening the web application gives a message that the app is undergoing maintenance. Checking the page source gives a hint to check the dev note section for more information.
Now going to the previously found development directory, it displays a couple of text files - dev.txt and j.txt.
dev.txt has this message:
2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat
to host that on this server too. Haven't made any real web apps yet, but I have tried that example
you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm
using version 2.5.12, because other versions were giving me trouble. -K
2018-04-22: SMB has been configured. -K
2018-04-21: I got Apache set up. Will put in our content later. -J
The most interesting thing here is that the server is running Apache Struts 2.5.12, which has a documented RCE vulnerability. I will get back to this later. For now let's read the message in j.txt.
For J:
I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials,
and I was able to crack your hash really easily. You know our password policy, so please follow
it? Change that password ASAP.
-K
This implies that there is a user (referred to as J here) who has weak credentials that could be brute forced.
Since the web server has a Samba (SMB) service running, I used enum4linux with the -a flag set to gather all available information about the running service. It generated a long output, but under the "Users on $IP via RID cycling" header a couple of usernames were found - jan and kay.
Now it is time to brute force the SSH login password!
The message in j.txt refers to the user as "J", and one of the found usernames - jan - also starts with a J.
For brute-forcing SSH login passwords, the hydra tool is used in this writeup. I provided the username, the rockyou.txt wordlist and set some parameters for the attack.
Hydra was able to guess the password for the user jan - it is armando.
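A password-guessing run like the hydra step above is loud on the target: every attempt lands in sshd's auth log. The Python below is an added example (not from the writeup) of the detection logic a defender would run over those lines: a sliding-window count of failed logins per source address, with a higher-severity alert when a flagged source then logs in successfully, which is exactly what a guessed password looks like from the server side. The log lines are constructed to match OpenSSH's auth.log format; the source addresses, PIDs, the 5-in-60-seconds threshold and the year used to complete the syslog timestamp are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# sshd lines as written to /var/log/auth.log by OpenSSH (syslog prefix, no year).
FAILED = re.compile(
    r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(
    r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Accepted (?:password|publickey) for (\S+) from (\S+) port \d+")


def parse_ts(stamp: str, year: int) -> datetime:
    """Syslog timestamps carry no year, so the caller supplies it."""
    return datetime.strptime(stamp, "%b %d %H:%M:%S").replace(year=year)


def detect_ssh_bruteforce(lines, threshold=5, window=timedelta(seconds=60),
                          year=2021) -> List[Dict]:
    """Sliding-window count of failed logins per source address.

    Emits a medium alert the first time a source reaches `threshold` failures
    inside `window`, and a high alert if that source later logs in
    successfully (the signature of a guessed password)."""
    failures = defaultdict(list)   # src ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in lines:
        m = FAILED.match(line)
        if m:
            ts, src = parse_ts(m.group(1), year), m.group(3)
            recent = failures[src]
            recent.append(ts)
            while recent and ts - recent[0] > window:   # expire old failures
                recent.pop(0)
            if len(recent) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"severity": "medium", "src": src, "time": ts,
                               "msg": f"{len(recent)} failed SSH logins within "
                                      f"{int(window.total_seconds())}s"})
            continue
        m = ACCEPTED.match(line)
        if m:
            ts, user, src = parse_ts(m.group(1), year), m.group(2), m.group(3)
            if src in flagged:
                alerts.append({"severity": "high", "src": src, "time": ts,
                               "msg": f"successful login as {user} after brute-force activity"})
    return alerts


# Constructed sample: six failures for jan from one address, one unrelated
# failure from another, then a successful password login from the first.
SAMPLE_LOG = """\
Nov  9 07:50:01 basic2 sshd[1201]: Failed password for jan from 10.10.5.7 port 41234 ssh2
Nov  9 07:50:01 basic2 sshd[1203]: Failed password for jan from 10.10.5.7 port 41236 ssh2
Nov  9 07:50:02 basic2 sshd[1205]: Failed password for jan from 10.10.5.7 port 41238 ssh2
Nov  9 07:50:02 basic2 sshd[1207]: Failed password for invalid user admin from 10.10.9.3 port 50022 ssh2
Nov  9 07:50:03 basic2 sshd[1209]: Failed password for jan from 10.10.5.7 port 41240 ssh2
Nov  9 07:50:03 basic2 sshd[1211]: Failed password for jan from 10.10.5.7 port 41242 ssh2
Nov  9 07:50:04 basic2 sshd[1213]: Failed password for jan from 10.10.5.7 port 41244 ssh2
Nov  9 07:50:06 basic2 sshd[1215]: Accepted password for jan from 10.10.5.7 port 41246 ssh2
Nov  9 08:10:00 basic2 sshd[1300]: Accepted publickey for kay from 10.10.9.3 port 50100 ssh2
""".splitlines()

if __name__ == "__main__":
    for alert in detect_ssh_bruteforce(SAMPLE_LOG):
        print(alert["time"], alert["severity"].upper(), alert["src"], alert["msg"])
```

The window is kept per source address rather than per username because wordlist attacks typically hammer one account from one host; a sharper rule would also count distinct usernames per source to catch username spraying, which this example does not do.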
Navigating to the kay user's home directory shows a .ssh directory of the user kay. This folder contains the private SSH key for the user kay. One thing is that the user jan, which I am logged in as, can also access this key!
So, I copy the private key and place it on the attack box as a kay_rsa file. If I connected to the kay user via SSH, I could provide this file instead of an actual SSH password.
Again, there is one particular problem with this file - it is protected by a passphrase, which means that, in order to connect to the box as user kay, I have to figure out the passphrase for unlocking the key itself.
For getting kay's SSH passphrase, I used the John the Ripper utility.
First I needed to use ssh2john to convert the private SSH key into a format John the Ripper could actually understand.
Next I provided John the Ripper with the rockyou.txt wordlist to brute force the SSH passphrase. It was found quite quickly.
Providing the RSA key and the previously found passphrase allowed me to connect to the web server as the user kay. Now it is possible to read the pass.bak file and retrieve the final password.
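The escalation above works because of two separate weaknesses: kay's private key is readable by another local user, and its passphrase is weak enough to recover from a wordlist. The passphrase part can only be judged with a cracking run, but the permission part is a simple audit. The Python below is an added example, not part of the writeup or any distribution's tooling: it walks a home-directory tree, reports every private key file that group or other users could read, and notes whether each key is passphrase-protected, so the kay situation would have been flagged before the box was ever attacked. The sample tree is constructed in a temporary directory with stub key bodies (not real key material); the encryption check reads the real PEM "Proc-Type" header and the real openssh-key-v1 cipher-name field, and the check on the containing directory only looks at the immediate parent, which is an assumption of this example.

```python
import base64
import os
import stat
import struct
import tempfile
from typing import Dict, List

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def key_is_encrypted(path: str) -> bool:
    """Return True if the private key on disk is passphrase-protected.

    PEM keys (BEGIN RSA PRIVATE KEY) announce encryption with a
    'Proc-Type: 4,ENCRYPTED' header. OpenSSH-format keys store the cipher
    name as a length-prefixed string right after the magic bytes; a cipher
    of 'none' means the key material is stored in clear."""
    with open(path, "rb") as fh:
        data = fh.read()
    if b"BEGIN OPENSSH PRIVATE KEY" in data:
        b64 = b"".join(l for l in data.splitlines() if l and not l.startswith(b"-----"))
        blob = base64.b64decode(b64)
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError(f"{path}: not an openssh-key-v1 blob")
        off = len(OPENSSH_MAGIC)
        (n,) = struct.unpack(">I", blob[off:off + 4])
        cipher = blob[off + 4:off + 4 + n]
        return cipher != b"none"
    return b"Proc-Type: 4,ENCRYPTED" in data


def audit_private_keys(root: str) -> List[Dict]:
    """Walk `root` (e.g. /home) and report every private key file together
    with whether other local users could read it and whether it is encrypted.
    Only the immediate parent directory's execute bits are checked here."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        dir_mode = stat.S_IMODE(os.stat(dirpath).st_mode)
        dir_traversable = bool(dir_mode & (stat.S_IXGRP | stat.S_IXOTH))
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                head = fh.read(64)
            if b"PRIVATE KEY-----" not in head:
                continue
            mode = stat.S_IMODE(os.stat(path).st_mode)
            file_readable = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
            findings.append({
                "path": os.path.relpath(path, root),
                "mode": oct(mode),
                "readable_by_others": file_readable and dir_traversable,
                "encrypted": key_is_encrypted(path),
            })
    return findings


def build_sample_tree() -> str:
    """Constructed /home-like tree: kay's key is encrypted but world-readable
    (the situation in the room); jan's is unencrypted but locked down to 0600.
    Key bodies are stubs, not real key material."""
    root = tempfile.mkdtemp(prefix="keyaudit_")
    # OpenSSH-format header naming a cipher, followed by stub bytes.
    blob = (OPENSSH_MAGIC + struct.pack(">I", len(b"aes256-ctr"))
            + b"aes256-ctr" + b"\x00" * 16)
    kay_key = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob)
               + b"\n-----END OPENSSH PRIVATE KEY-----\n")
    jan_key = (b"-----BEGIN RSA PRIVATE KEY-----\nMIIEstubstubstub\n"
               b"-----END RSA PRIVATE KEY-----\n")
    for user, body, dir_mode, file_mode in (("kay", kay_key, 0o755, 0o644),
                                            ("jan", jan_key, 0o700, 0o600)):
        ssh_dir = os.path.join(root, user, ".ssh")
        os.makedirs(ssh_dir)
        os.chmod(ssh_dir, dir_mode)
        key_path = os.path.join(ssh_dir, "id_rsa")
        with open(key_path, "wb") as fh:
            fh.write(body)
        os.chmod(key_path, file_mode)
    return root


if __name__ == "__main__":
    for finding in audit_private_keys(build_sample_tree()):
        print(finding)
```

A key that is both readable by others and unencrypted is the worst case; the room's kay key sits one step up from that, since the passphrase still has to be recovered. The fix on the server side is the same either way: 0700 on ~/.ssh, 0600 on the key, and a passphrase that is not in a common wordlist.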
Challenge solved!