IP = 10.10.153.164*
Machine OS: Linux
Learning Platform: tryhackme.com
Finished on: Kali Linux VM
- Note: IP may vary.
- Added the IP to the /etc/hosts file and also stored it as an environment variable.
sudo vi /etc/hosts , then press i to enter insert mode.
Open Ports and Service Versions:
- SSH (Secure Shell)(22), Version: OpenSSH 7.2p2
- HTTP (HyperText Transfer Protocol)(80) Version: Apache 2.4.18
- SMB (Server Message Block)(139 & 445), Version: Samba smbd 4.3.11-Ubuntu
- AJP13 (Apache JServ Protocol)(8009)
- HTTP-Proxy(8080), Version: Apache Tomcat 9.0.7
Machine OS: Ubuntu Xenial
1. Web Enumeration
- The HTTP server's page source (CTRL + U in the web browser) shows that the developers have a notes section on their web server.
- Using gobuster, we found an interesting directory named /development that contains 2 files:
dev.txt (about web development ideas)
j.txt (about password policy)
2. SMB Enumeration
- The SMB server can be accessed anonymously. Via autorecon, we could see the shares the SMB server has. To log in, use the following syntax:
smbclient \\\\$IP\\[SHARE] , then supply Anonymous as the user at the prompt and press ENTER for the password.
- The SMB server also has a file named staff.txt that contains possible usernames for us to use.
- Knowing that the developers in this scenario have a weak password policy (based on the .txt file), we can try to crack
- We have a possible user account with a weak password, but which service should we try to crack?
- Looking back at our nmap scan, we can see that SSH (Secure Shell, port 22) is open! We can try to brute-force the user's credentials using hydra!
hydra -l [USERNAME] -P [PATH_TO_WORDLIST] ssh://$IP
- Explanation: we run hydra with our specified username (in this case jan) and use a wordlist to crack jan's password over SSH.
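As an added example (not part of the original writeup): the hydra run above shows up on the target as a burst of "Failed password" lines in sshd's log, followed by an "Accepted password" once the wordlist hits. This script parses constructed auth.log lines (sample data, not from the room's machine) and flags any source that crosses a failure threshold, noting a later password-based login from the same source.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/auth.log lines: one source hammering an
# account (the hydra pattern) and one unrelated source using a key.
SAMPLE_AUTH_LOG = """\
Apr 19 10:01:01 ubuntu sshd[1201]: Failed password for jan from 10.10.14.5 port 51234 ssh2
Apr 19 10:01:02 ubuntu sshd[1203]: Failed password for jan from 10.10.14.5 port 51236 ssh2
Apr 19 10:01:02 ubuntu sshd[1205]: Failed password for invalid user admin from 10.10.14.5 port 51238 ssh2
Apr 19 10:01:03 ubuntu sshd[1207]: Failed password for jan from 10.10.14.5 port 51240 ssh2
Apr 19 10:01:03 ubuntu sshd[1209]: Failed password for jan from 10.10.14.5 port 51242 ssh2
Apr 19 10:01:04 ubuntu sshd[1211]: Accepted password for jan from 10.10.14.5 port 51244 ssh2
Apr 19 10:05:00 ubuntu sshd[1300]: Failed password for kay from 192.168.1.20 port 40000 ssh2
Apr 19 10:06:00 ubuntu sshd[1301]: Accepted publickey for kay from 192.168.1.20 port 40002 ssh2
"""

# OpenSSH message formats; "invalid user" appears when the account does not exist.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+)")


def detect_bruteforce(log_text, threshold=4):
    """Return {src_ip: alert} for sources with >= threshold failed password
    attempts. An alert records the accounts targeted and any password-based
    logins that succeeded after the source had already crossed the threshold."""
    failures = defaultdict(int)
    targeted = defaultdict(set)
    success_after = defaultdict(list)
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group("src")] += 1
            targeted[m.group("src")].add(m.group("user"))
            continue
        m = ACCEPTED_RE.search(line)
        if m and m.group("method") == "password" and failures[m.group("src")] >= threshold:
            success_after[m.group("src")].append(m.group("user"))
    return {
        src: {"failures": n, "users": sorted(targeted[src]),
              "password_success_after": success_after[src]}
        for src, n in failures.items() if n >= threshold
    }


if __name__ == "__main__":
    for src, alert in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"{src}: {alert}")
```

A source that fails a handful of times and then succeeds with a password is the signature worth alerting on; key-based logins (like kay's in the sample) are left out of that check on purpose.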
Credentials Found via Hydra
- In the /home/ directory, we can see that we can navigate through user kay's home directory.
- We see an interesting folder in kay's home directory named .ssh. Looking through it, we see that we have read access to the id_rsa file, which is kay's private key!
Horizontal Privilege Escalation
- Copy the encrypted id_rsa file to your attacking machine and rename it kay_id_rsa for easy tracking.
- We can use a tool named ssh2john.py to convert it to a hash that can be used with John.
/usr/share/john/ssh2john.py kay_id_rsa > kay_id_rsa_hash
Explanation: we use ssh2john.py to convert the kay_id_rsa file to a hash that can be used with john and write it to a file named kay_id_rsa_hash.
- Feed kay_id_rsa_hash to john and try to crack it using a wordlist:
john kay_id_rsa_hash -w=[PATH_TO_WORDLIST]
- Explanation: runs john against kay_id_rsa_hash using the specified wordlist.
Credentials Found by John
- We can now log in as user kay! When prompted for a password, type the passphrase John recovered from kay_id_rsa_hash (in this case, the one shown in the John output above).
ssh -i kay_id_rsa kay@$IP
- Explanation: attempts to log in via SSH using the private key.
Vertical Privilege Escalation
- The first thing I do when I get shell access on a machine is type sudo -l, which lists the commands the current user is allowed to run as root.
- Running that, we can see that we don't have the password for kay.
- Time for another enumeration!
Note: Enumeration is key!
- We can see that in kay's home directory we have a file named passwd.bak, which turns out to be the password for her user account!
Credentials Found in Kay’s Home Directory
- I tried to find binaries with the SUID bit set to get an easy privesc.
find / -type f -perm -4000 2>/dev/null
- Explanation: finds all files under the / directory with the SUID bit set and redirects the "permission denied" output to /dev/null.
- We found that the su binary has the SUID bit set, which we can run as root!
- Privilege Escalation:
The next two steps are not necessary for completion of the machine but it completes the 5 Phases of Penetration Testing.
Post Exploitation / Maintaining Access
- Copied the /etc/shadow file for user identification and their password hashes.
- Added another root user as a backdoor.
- Removed all logs and footprints to prevent exposing the breach to the security administrator.
Feel free to reach out if there is something wrong with the above post.
Not required but appreciated :D