[Task 1] Web App Testing and Privilege Escalation
1. Deploy the machine and connect to our network
2. Find the services exposed by the machine
nmap -Pn <ip>
Port scan for ports 1000 to 65535
nmap -Pn -p1000- <ip>
There are 6 open ports: 22, 80, 139, 445, 8009, and 8080
Scan for services and OS
nmap -A -p 22,80,139,445,8009,8080 <ip>
There are 6 services:
22 (OpenSSH 7.2p2), 80 (Apache HTTP), 139 (Samba), 445 (Samba), 8009 (Apache JServ), and 8080 (Apache Tomcat)
OS: Linux (Ubuntu)
nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse <ip>
There's an Anonymous account
nmap --script vuln -p 22,80,139,445,8009,8080 <ip>
Access HTTP on port 80: no useful information.
View the source; it may show a hint.
Inspect element shows nothing.
Access the site on port 8009.
Access the site on port 8080.
It's Tomcat Manager version 9.0.7.
Click Host Manager.
Input the default credentials, tomcat:tomcat.
3. What is the name of the hidden directory on the web server (enter name without /)?
Let's get back to the HTTP site on port 80.
There is interesting information:
- Since port 8009 doesn't show anything, I suspect that this port is running Apache Struts version 2.5.12
- SMB may mean something
- There are at least 2 usernames, starting with K and J.
There is more interesting information:
- /etc/shadow is easily cracked.
Let's fuzz directories on port 8009.
Let's access SMB.
From the enumeration steps, I can access the Anonymous directory.
Exit and read staff.txt.
Now I know that the 2 usernames are Kay and Jan.
Let's create a list of usernames and save it as Username.txt.
Without any more useful information or attack surface, I'll have to do brute-forcing.
4. User brute-forcing to find the username & password
There are 2 services I can try, SSH and Tomcat.
Let’s start with SSH
hydra -L Username.txt -P ~/Desktop/rockyou.txt <ip> ssh -t 4 -V -u -F
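From the defender's side, a hydra run like the one above leaves a burst of failed sshd logins from a single source spread over several usernames, often followed by one success. The following is an added detection example, not part of the original walkthrough; the auth.log lines, hostnames, IP addresses and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd entries in /var/log/auth.log syslog format (year omitted).
# 10.10.14.5 sprays two known users plus a guess; 192.168.1.20 is a normal user.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:01 target sshd[1201]: Failed password for invalid user admin from 10.10.14.5 port 40100 ssh2
Mar  3 10:01:02 target sshd[1203]: Failed password for kay from 10.10.14.5 port 40102 ssh2
Mar  3 10:01:02 target sshd[1205]: Failed password for jan from 10.10.14.5 port 40104 ssh2
Mar  3 10:01:03 target sshd[1207]: Failed password for kay from 10.10.14.5 port 40106 ssh2
Mar  3 10:01:03 target sshd[1209]: Failed password for jan from 10.10.14.5 port 40108 ssh2
Mar  3 10:01:04 target sshd[1211]: Failed password for kay from 10.10.14.5 port 40110 ssh2
Mar  3 10:01:04 target sshd[1213]: Accepted password for jan from 10.10.14.5 port 40112 ssh2
Mar  3 10:07:30 target sshd[1301]: Failed password for kay from 192.168.1.20 port 51000 ssh2
Mar  3 10:09:10 target sshd[1305]: Accepted publickey for kay from 192.168.1.20 port 51002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_sshd(log_text, year=2024):
    """Yield (timestamp, result, user, ip) for each sshd auth line; skip others."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = " ".join(m["ts"].split())  # collapse syslog's padded day field
        ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
        yield ts, m["result"], m["user"], m["ip"]

def find_bruteforce(log_text, max_failures=5, window_seconds=60):
    """Return {ip: summary} for sources with more than max_failures failed
    logins inside any window_seconds span, noting users accepted afterwards."""
    fails = defaultdict(list)    # ip -> [(timestamp, user), ...]
    accepted = defaultdict(set)  # ip -> {users with an Accepted login}
    for ts, result, user, ip in parse_sshd(log_text):
        (fails[ip].append((ts, user)) if result == "Failed" else accepted[ip].add(user))
    alerts = {}
    for ip, events in fails.items():
        events.sort()
        for i, (start, _) in enumerate(events):   # sliding window over failures
            hit = [u for t, u in events[i:] if (t - start).total_seconds() <= window_seconds]
            if len(hit) > max_failures:
                alerts[ip] = {"failures": len(hit), "users": sorted(set(hit)),
                              "followed_by_success": sorted(accepted[ip])}
                break
    return alerts
```

The multi-user spread per source is what distinguishes a wordlist run from one user mistyping a password, and a success after the burst is the line that warrants an immediate response.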
5. What is the username?
ANS: It’s in #4.
6. What is the password?
ANS: It's in #4.
7. What service do you use to access the server (answer in abbreviation in all caps)?
8. Enumerate the machine to find any vectors for privilege escalation
Log in with Jan's credentials.
Verify if I can run any sudo commands. Seems like I can't.
Verify the kernel version. I can't do anything with this version.
Search for SUID binaries:
find / -perm -u=s -type f 2>/dev/null
Seems like I can't do anything as user "jan". Using another user's credentials may have a better chance.
9. What is the name of the other user you found (all lower case)?
Let's read the passwd file to check for other users.
There are 3 users: root, kay, jan.
10. If you have found another user, what can you do with this information?
Let's check kay's home directory.
cd /home/kay
ls
cat pass.bak
I can't read this file.
Check for hidden files.
There's a .ssh directory and I also have access to it.
Read authorized_keys and id_rsa and copy them to our machine.
cat authorized_keys
cat id_rsa
chmod 600 id_rsa authorized_keys
Try to log in as kay using the id_rsa file.
ssh -i id_rsa kay@<ip>
I'm stuck at the passphrase prompt.
Crack it with john:
python /usr/share/john/ssh2john.py id_rsa > id_rsa.hash
john --wordlist=rockyou.txt id_rsa.hash
Luckily, I can crack the passphrase.
Log in to SSH again with kay's id_rsa file and the cracked passphrase. Success!!!
11. What is the final password you obtain?
Read pass.bak:
cat pass.bak
Verify if kay can run sudo commands.
Enter the password from pass.bak. Kay can run any sudo command.
Change to root with sudo
sudo su -
Now I’m root.