THM — Basic Pentesting

jon
2 min read · Aug 30, 2021

Nmap scan of our victim machine:

PORT     STATE SERVICE     REASON         VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.18 ((Ubuntu))
139/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack ttl 64 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
8009/tcp open ajp13 syn-ack ttl 64 Apache Jserv (Protocol v1.3)
8080/tcp open http syn-ack ttl 64 Apache Tomcat 9.0.7
MAC Address: 02:D8:47:37:19:4F (Unknown)
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Examining the website first, we use dirb to enumerate directories and map out the web content. We find a directory called /development which contains two interesting files: dev.txt and j.txt.

dev.txt:

2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat
to host that on this server too. Haven't made any real web apps yet, but I have tried that example
you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm
using version 2.5.12, because other versions were giving me trouble. -K
2018-04-22: SMB has been configured. -K
2018-04-21: I got Apache set up. Will put in our content later. -J

This file leads us to examine the SMB ports open on the machine (139 and 445).

j.txt:

For J: I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials,
and I was able to crack your hash really easily. You know our password policy, so please follow
it? Change that password ASAP.
-K

This file leads us to look for hashes to crack with John the Ripper.

Before attempting to brute-force anything or crack hashes, we gather more information on the SMB service with enum4linux:

enum4linux -A x.x.x.x

The output gives us information such as the Windows shares as well as the users jan and kay. We can use these usernames to make our brute-force task easier.

With a username from the SMB enumeration in hand, we attempt to brute-force the SSH service with hydra:

hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.177.58

We find a password and log in via SSH. Once we are in, we search for information on the server. We run linpeas to help us find possible privilege escalation routes, and we find that the user kay has an SSH private key.
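As an added detection-side example (not part of the original writeup), this script shows what a hydra run like the one above leaves in sshd's auth log and how a defender flags it: a burst of failures from one source address inside a sliding window, followed by a successful login from the same address. The log lines, hostname, process IDs and addresses in SAMPLE_LOG are constructed to imitate Ubuntu /var/log/auth.log entries; they are not output from the box.

```python
"""Flag SSH password-guessing bursts in sshd log lines.
Added example: SAMPLE_LOG is constructed to imitate Ubuntu /var/log/auth.log
entries and is not output from the box in the writeup."""
import re
from collections import defaultdict, deque
from datetime import datetime

# e.g. "Aug 30 10:15:01 basic2 sshd[1234]: Failed password for jan from 10.10.14.5 port 51234 ssh2"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)


def parse_line(line, year=2021):
    """Parse one sshd auth line into a dict, or None for unrelated lines.
    Syslog timestamps carry no year, so one is supplied by the caller."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=10, window_seconds=60):
    """Alert once per source IP when >= threshold failures land inside a sliding
    window, and again if that IP later authenticates successfully (the trace a
    password-guessing run that finds the password leaves behind)."""
    recent = defaultdict(deque)      # ip -> failure timestamps still inside the window
    users_tried = defaultdict(set)   # ip -> usernames seen in failures
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        if ev["result"] == "Failed":
            q = recent[ip]
            q.append(ts)
            users_tried[ip].add(ev["user"])
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "burst", "ip": ip, "ts": ts, "count": len(q),
                               "users": sorted(users_tried[ip])})
        elif ip in flagged:
            alerts.append({"type": "success_after_burst", "ip": ip, "ts": ts, "user": ev["user"]})
    return alerts


# Constructed sample: 12 failures for jan from one address in 12 seconds, then a
# success from the same address; a single failure from another address is noise.
SAMPLE_LOG = [
    f"Aug 30 10:15:{s:02d} basic2 sshd[{1200 + s}]: Failed password for jan from 10.10.14.5 port {51000 + s} ssh2"
    for s in range(1, 13)
] + [
    "Aug 30 10:15:20 basic2 sshd[1300]: Accepted password for jan from 10.10.14.5 port 51099 ssh2",
    "Aug 30 10:16:02 basic2 sshd[1310]: Failed password for kay from 10.10.14.9 port 40000 ssh2",
    "Aug 30 10:16:05 basic2 sshd[1311]: Accepted publickey for kay from 10.10.14.9 port 40001 ssh2",
    "Aug 30 10:16:07 basic2 CRON[1400]: pam_unix(cron:session): session opened for user root",
]

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

The second alert type is the one worth paging on: a burst of failures followed by an accepted login from the same source means the guessing worked, which is exactly the gap a wordlist like rockyou.txt against a weak password creates. Fail2ban-style lockout or key-only authentication in sshd_config would have stopped the burst before it reached that point.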

The SSH key is passphrase-protected, so we use John the Ripper to crack it. ssh2john converts the key into a hash format john understands, then john runs a wordlist against it:

/usr/share/john/ssh2john.py id_rsa > id_rsa.hash
john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash

Once we SSH in as kay with the private key and enter the passphrase we cracked, we can read the pass.bak file and find our flag.
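The escalation above needed two misconfigurations: kay's private key was readable by another local user, and its passphrase was weak enough to crack (pass.bak was readable as well). As an added defensive example that is not part of the writeup, this script audits a directory tree for private keys and backup files that group or world can read, and reports whether each key is passphrase-protected by reading the cipher field of an openssh-key-v1 blob or the Proc-Type/DEK-Info headers of a legacy PEM key. The demo tree built by build_demo_tree() is constructed to mirror the box's layout, and its key blobs are header-only dummies, not usable keys.

```python
"""Audit a directory tree for private keys and backup files that other local
users can read, and report whether each key is passphrase-protected.
Added example: the demo tree is constructed and its "keys" are dummy blobs."""
import base64
import binascii
import os
import shutil
import stat
import struct
import tempfile

BACKUP_SUFFIXES = (".bak", ".old", ".backup")
OPENSSH_MAGIC = b"openssh-key-v1\0"


def readable_by_others(path):
    """True if the group or world read bit is set (what let one user read another's key)."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))


def key_encryption(text):
    """Return the cipher protecting a private key, 'none' if it is unencrypted,
    or None if the text is not a PEM/OpenSSH private key at all."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN") or "PRIVATE KEY" not in lines[0]:
        return None
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        # openssh-key-v1: magic, then a length-prefixed cipher name ("none" = no passphrase)
        try:
            body = base64.b64decode("".join(lines[1:-1]))
        except binascii.Error:
            return None
        off = len(OPENSSH_MAGIC)
        if not body.startswith(OPENSSH_MAGIC) or len(body) < off + 4:
            return None
        (n,) = struct.unpack(">I", body[off:off + 4])
        return body[off + 4:off + 4 + n].decode("ascii", "replace")
    # Legacy PEM announces encryption in Proc-Type / DEK-Info header lines
    headers = dict(l.split(":", 1) for l in lines[1:-1] if ":" in l)
    if "ENCRYPTED" in headers.get("Proc-Type", ""):
        return headers.get("DEK-Info", "unknown").strip().split(",")[0]
    return "none"


def audit_tree(root, max_bytes=1_000_000):
    """Walk root and list private keys and backup files with their exposure."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            enc = None
            try:
                if os.path.getsize(path) <= max_bytes:
                    with open(path, "rb") as fh:
                        enc = key_encryption(fh.read().decode("ascii", "ignore"))
            except OSError:
                continue
            if enc is None and not name.endswith(BACKUP_SUFFIXES):
                continue
            findings.append({
                "path": os.path.relpath(path, root),
                "kind": "private_key" if enc is not None else "backup",
                "encryption": enc,
                "readable_by_others": readable_by_others(path),
            })
    return sorted(findings, key=lambda f: f["path"])


def exposures(findings):
    """Findings another local user can read: fix these first (chmod 600)."""
    return [f for f in findings if f["readable_by_others"]]


def _fake_openssh_key(cipher):
    """Header-only openssh-key-v1 blob naming the given cipher; constructed, not a usable key."""
    blob = (OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher.encode()
            + struct.pack(">I", 4) + b"none" + struct.pack(">I", 0) + b"\0" * 16)
    b64 = base64.b64encode(blob).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{wrapped}\n-----END OPENSSH PRIVATE KEY-----\n"


def build_demo_tree():
    """Create a constructed home-directory layout mirroring the writeup's situation."""
    root = tempfile.mkdtemp(prefix="keyaudit-")
    files = {
        "kay/.ssh/id_rsa": (_fake_openssh_key("aes256-ctr"), 0o644),   # passphrase set, but world-readable
        "kay/pass.bak": ("placeholder, not a real password\n", 0o644),
        "jan/.ssh/id_ed25519": (_fake_openssh_key("none"), 0o600),     # no passphrase, owner-only
        "jan/notes.txt": ("nothing sensitive\n", 0o644),
        "legacy/id_rsa.pem": ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                              "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                              "AAAA\n-----END RSA PRIVATE KEY-----\n", 0o640),
    }
    for rel, (content, mode) in files.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    try:
        for f in exposures(audit_tree(demo)):
            print(f"{f['path']}: {f['kind']}, encryption={f['encryption']}, readable by other users")
    finally:
        shutil.rmtree(demo)
```

Run against real home directories (for example `audit_tree("/home")` as root) the two findings that matter are a key with encryption `none` that anyone can read, and a passphrase-protected key that anyone can read, since the second is only as strong as the passphrase, which is the weakness the writeup exploited with john.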
