THM Basic Pen-Testing Machine

Target IP Address

10.10.142.239

Nmap Scan Report

Open Ports and services
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
8009/tcp open  ajp13
8080/tcp open  http-proxy

So there are lots of open Ports so we can enumerate one by one some of these are used to gain an initial foothold.

Web server Enumeration

Hidden Directory Scan

$ ffuf -w /usr/share/wordlist/dirbuster/directory-list-2.3-small.txt -u https://$IP/FUZZ

/development

This hidden directory has some text that gives us clue that there are two users one name starts with j and the other user's name starts with k also they give us a clue one of the users has a weak password.

SMB Enumeration

Using Nmap smb enumeration scripts we found the following shares

$ nmap --script=smb-enum $IP

| smb-enum-shares: 
|   account_used: guest
|   \10.10.142.239\Anonymous: 
|     Type: STYPE_DISKTREE
|     Comment: 
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\samba\anonymous
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \10.10.142.239\IPC$: 
|     Type: STYPE_IPCHIDDEN
|     Comment: IPC Service (Samba Server 4.3.11-Ubuntu)
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|    Current user access: READ/WRITE

The above Result shows that we have guest user share with anonymous access.

by Enumerating the smb with the Nmap smb-users-enum script or metasploit module or some other techniques we found these valid users.

Using Smb we found Two user

1. Jan

2. kay

Now we have valid users so we can use brute forcing to try to get these users' ssh passwords as they have ssh service open. In the web server enumeration stage, we know one of them has a weak password so we can use hydra to bruteforce the user's password

Hydra Bruteforce Result

Using Brute force we found a valid user password

userName: jan
password: armando

Now we have the jan user password so we ssh to the machine to get the foothold using the command

$ ssh jan@10.10.142.239
password armando

Now we have initial access to the system so now we use the other post-exploitation techniques to get more privileges. We can use the linpeas script to find privilege escalation vectors. The linpeas shows that the kay user has an ssh private key that is readable to the Jan user so we can read it and copy all the content of that key to our attacking machine change the permission of that key so that only you can read it with the following command

$ chmod -600 kay_rsa

This will change the permission of the key to read/write only for you so now you can ssh to the kay user with that key using the following command

$ ssh -i kay_rsa kay@10.10.142.239

This command is used to ssh to that target machine with the private key of the kay user. So by running the above command we have found that this key is protected by a password so which means we also need a password to login.

So digging for the password we can use the sshtojohn script to get that private key password hash that is understandable to John the Ripper tool.

$ python ssh2john.py kay_rsa > kay_rsa.hash

This will create the hash file of the key and store it in the kay_rsa.hash file now we use John to crack the hash or to get the password

$ john kay_rsa.hash --wordlist=rockyou.txt

This will crack the password using the wordlist rockyou.txt

Using Bruteforce with John we found the user kay ssh key password

Username: kay
Password: beeswax

So now we have the ssh key password so we can use it to get access to the kay user

$ ssh -i kay_rsa kay@10.10.142.239
password beeswax

And this is the final password we found after successful login

heresareallystrongpasswordthatfollowsthepasswordpolicy$$