TryHackMe: Basic Pentesting

[Task 1] Web App Testing and Privilege Escalation

1.Deploy the machine and connect to our network

2. Find the services exposed by the machine

Port scan

nmap -Pn <ip>

Port scan for no.1000 to 65535

nmap -Pn -p1000- <ip>

There’re 6 open ports: 22, 80, 139, 445,8009, and 8080

Scan for services and OS

nmap -A -p 22,80,139,445,8009,8080 <ip>

There’re 6 services:
22 (OpenSSH7.2p2), 80 (Apache HTTP), 139 (Samba), 445 (Samba), 8009 (Apache Jserv), and 8080 (Apache Tomcat)

OS: Linux Ubuntu

Samba Scan

nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse <ip>

There’s Anonymous account

Vulnerable scan

nmap --script vuln -p 22,80,139,445,8009,8080 <ip>

Access HTTP port 80, no useful information

View source, the source may show some hint.

Inspect element shows nothing

Access site port no.8009

Nothing useful

Access site port no.8080

It’s tomcat manager version 9.0.7.

Click Host Manager

Input default credentials, tomcat:tomcat.

Failed!!!

3. What is the name of the hidden directory on the web server(enter name without /)?

Let’s get back to HTTP site port 80.

Fuzzing directory

dirb http://<ip>/

Access dev.txt

There’re interesting informations:
- Since port no. 8009 doesn’t show anything. I suspect that this port is Apache Struts version 2.5.12
- SMB may mean something
- There’re at least 2 usernames start with K and J.

Access j.txt
There’s interesting information:
- /etc/shadow is easily cracked.

Let’s fuzzing directory on port 8009

dirb http://<ip>:8009/

Let’s access SMB.

From enumeration steps, I can access Anonymous directory.

smbclient //<ip>/Anonymous
ls

Download staff.txt

get staff.txt

Exit and read staff.txt

cat staff.txt

Now I know that 2 usernames are Kay and Jan.

Let’s create list of usernames and save as Username.txt

Without any more useful information and attack surfaces, I’ll have to do the brute-forcing.

4. User brute-forcing to find the username & password

There’re 2 services I can do, SSH and Tomcat.
Let’s start with SSH

hydra -L Username.txt -P ~/Desktop/rockyou.txt <ip> ssh -t 4 -V -u -F

5. What is the username?

ANS: It’s in #4.

6.What is the password?

ANS: It’s in #4.

7. What service do you use to access the server(answer in abbreviation in all caps)?

ANS: S**

8. Enumerate the machine to find any vectors for privilege escalation

Login with Jan’s credential

ssh jan@<ip>

Verify If I can run any sudo commands. Seems like I can’t.

Verify kernel version. I can’t do anything with this version.

Search for SUID

find / -perm -u=s -type f 2>/dev/null

Seems like I can’t do anything with user “jan”. Using other user’s credentials to exploit may has better chance.

9. What is the name of the other user you found(all lower case)?

Let’s read passwd file to check for other users

cat /etc/passwd

There’re 3 users: root, kay, jan.

10. If you have found another user, what can you do with this information?

Let’s check kay’s home directory.

cd /home/kaylscat pass.bak

I can’t read this file.

Check for hidden files.

ls -la

I have .ssh and I also have access to this directory.

cd .ssh

Read authorized_keys and id_rsa and copy to our machine.

cat authorized_keyscat id_rsa

Change permission

chmod 600 id_rsa authorized_keys

Try to login with kay using id_rsa file.

ssh -i id_rsa kay@<ip>

I stuck with passphrase

Crack with john

python /usr/share/john/ssh2john id_rsa > id_rsa.hashjohn --wordlist=rockyou.txt id_rsa.hash

Lucky enough, I can crack the passphrase.

Login to ssh again with kay’s id_rsa file and cracked passphrase. Success!!!

11. What is the final password you obtain?

Read cat pass.bak

cat pass.bak

Bonus

Verify if kay can run sudo command

sudo -l

Enter password from pass.bak. Kay can run any sudo commands.

Change to root with sudo

sudo su -

Now I’m root.