This Try Hack Me room guided users through the basics of web application pentesting. I learned about SMB enumeration and bruteforcing domains. This walkthrough also introduces bruteforcing logins with
hydra and once the machine is compromised, elevating user privileges.
First things first let’s scan the box. I used the command
nmap -sV -sS $IP and redirected the output to the file
nmap/nmap.txt. It looks like there is an http server on this box. Let’s try and connect to it to see if it is actually accessible. Doesn’t look like we can access it. Let’s run a gobuster scan on the domain to just see if we can access any other pages. After running the command
gobuster dir -u http://$IP:80 -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt, we can see that there is a directory called
development. Let’s go to it in the browser and take a look.
This is a great find because it indexes what we have in the directory. It looks like theses are internal notes.
2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat to host that on this server too. Haven't made any real web apps yet, but I have tried that example you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm using version 2.5.12, because other versions were giving me trouble. -K 2018-04-22: SMB has been configured. -K 2018-04-21: I got Apache set up. Will put in our content later. -J
For J: I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials, and I was able to crack your hash really easily. You know our password policy, so please follow it? Change that password ASAP. -K
To sum up the notes, it sounds like the user J has a weak password. Our nmap scan showed that then ssh port was open we we might be able to try and brute force some credentials with hydra. After doing some research it looks like hydra might not be the first step. To figure out the users we need to enumerate the SMB port with the tool
enum4linux. Use the command
enum4linux -a $IP to enumerate the SMB configuration. I outputted this to a file called
smb_enum.txt it found two users, jan and kay. Now that we have these usernames we can use hydra to bruteforce jan’s ssh password since we know she has a weak password. Use the command
hydra -l jan -P /usr/share/wordlists/rockyou.txt $IP so start the attack. Once the attack has been completed we can see that jan’s password is
username: jan password: armando
Next I enumerated the possible exploits on our target machine. I used this article to learn how to use LinEnum to scan for vulnerabilities on the target machine. First I sshed into the machine then navigated to
/var/tmp so that I could copy the LinEnum script onto the machine. Then I ran the script. It looks like kay might had misconfigured her ssh files. If we copy her private key and has it we should be able to find out her password with John. First exfiltrate the private key. Next, use the command
python /usr/share/john/ssh2john.py id_rsa > id_rsa.hash. Now we can use JtR to break this hash against the RockYou wordlist. Use the command
/usr/sbin/john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash against the has to crack it. And soon enough the password pops out as
username: kay password: beeswax
Now if we try to connect to the server with user kay we can use her passphase to use the private key. Use the command
ssh -i id_rsa kay@$IP then enter
beeswax when prompted for the private key password. If you get errors saying that the private key has bad permissions you can use the command
chmod 600 id_rsa to fix that. Now we have access to the user kay. Cat out the
password.bak file to get the final password and we are done! Congratulations!
After some more investigating, it also looks like we may even be able to become the root user from kay. If we run the command
sudo -l and put in the password we just got we can see that kay can run sudo commands. So if we try to use the command
sudo su we should be able to switch our user to root. And what do you know it works! There is also a flag in
/root/flag.txt check it out.