This machine allows you to practice web app hacking and privilege escalation. During the walkthrough of this room, you will learn and use brute-forcing, hash cracking, service enumeration, and Linux Enumeration.
NOTE: All passwords listed here are fake. Run the listed commands to find the real ones.
Let’s start.
Enumeration
To determine which ports are open and what services are running, we will use nmap with these options:
-T4 - timing template (-T<0-5>; higher is faster)
-p- - scan all ports (1-65535); -p on its own scans only the specified ports
-A - enable OS detection, version detection, script scanning and traceroute (run with sudo to use this option)
-oN - save the result to a file
Now we have several points to move to next:
Web-site (Apache) - port 80;
Samba - ports 139, 445;
SSH - port 22.
Let’s look at what we got on the web page.
Seems nothing interesting here.
Let’s check if there are other directories. Load up gobuster, dirbuster or dirb, whichever you prefer.
dir - directory brute-force mode
-w - wordlist (there are many wordlists in the /usr/share/wordlists directory)
-u - URL
There is a development directory, which also contains two .txt files:
I prefer to collect all possible documents for future use, so I downloaded these files and opened them on my machine:
Now we add to our notes:
REST v 2.5.12
There are two users with names starting with K and J
User J has a weak password
For now we are done with this website.
Samba
Let’s enumerate smb:
Now we have the full usernames. Let’s see if we can log in as Jan with that weak password.
Gaining initial shell
Let’s try to brute-force SSH for user Jan with Hydra
-t - run TASKS number of connects in parallel (4 is suggested for SSH)
-l - login: a single username (-L takes a list from a file)
-P - password wordlist
Thanks, Jan. Now we can access the machine via SSH with the credentials jan:fakepass1
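From the defender’s side, the Hydra run above leaves a distinctive trace in the target’s auth log: a burst of "Failed password" lines from one source, often followed by an "Accepted password". The script below is an added example, not part of the original walkthrough; it parses a few constructed sshd log lines (the addresses, users and timestamps are made up) and flags any source that reaches a failure threshold inside a time window, noting whether a successful login followed the burst.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log excerpt for the demo (hosts, users and times are made up).
# Syslog lines carry no year, so parse_events() takes one as a parameter.
SAMPLE_AUTH_LOG = """\
Mar 10 10:00:01 target sshd[1201]: Failed password for jan from 10.10.14.5 port 50212 ssh2
Mar 10 10:00:02 target sshd[1203]: Failed password for jan from 10.10.14.5 port 50214 ssh2
Mar 10 10:00:02 target sshd[1205]: Failed password for jan from 10.10.14.5 port 50216 ssh2
Mar 10 10:00:03 target sshd[1207]: Failed password for invalid user admin from 10.10.14.5 port 50218 ssh2
Mar 10 10:00:03 target sshd[1209]: Failed password for jan from 10.10.14.5 port 50220 ssh2
Mar 10 10:00:04 target sshd[1211]: Accepted password for jan from 10.10.14.5 port 50222 ssh2
Mar 10 10:05:00 target sshd[1300]: Failed password for kay from 192.168.1.20 port 41000 ssh2
Mar 10 10:09:30 target sshd[1302]: Accepted publickey for kay from 192.168.1.20 port 41002 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted)\s+(?P<method>password|publickey)\s+for\s+"
    r"(?:invalid user\s+)?(?P<user>\S+)\s+from\s+(?P<ip>\S+)\s+port\s+\d+"
)


def parse_events(text, year=2024):
    """Turn sshd authentication lines into dicts; lines that are not auth results are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def detect_bruteforce(events, threshold=4, window_seconds=60):
    """Flag each source IP whose failures reach `threshold` inside `window_seconds`.

    The alert records the usernames tried and whether an accepted login from the
    same IP followed the burst, which is the case worth escalating first.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "Failed"]
        for i, first in enumerate(failures):
            # Sliding window anchored on each failure in turn
            window = [f for f in failures[i:]
                      if (f["ts"] - first["ts"]).total_seconds() <= window_seconds]
            if len(window) < threshold:
                continue
            last_fail = window[-1]["ts"]
            success = next((e for e in evs
                            if e["result"] == "Accepted" and e["ts"] >= last_fail), None)
            alerts.append({
                "ip": ip,
                "failures": len(window),
                "users": sorted({f["user"] for f in window}),
                "followed_by_success": success is not None,
                "success_user": success["user"] if success else None,
            })
            break  # one alert per source is enough; later windows would repeat it
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_events(SAMPLE_AUTH_LOG)):
        print(alert)
```

To use it on a real host, feed the contents of /var/log/auth.log to parse_events and tune the threshold and window to the environment. The hardening counterparts are limiting attempts per connection in sshd_config (MaxAuthTries), disabling password authentication in favour of keys where possible, and throttling repeat offenders with a tool such as fail2ban.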
Jan
After some enumeration (you can do it manually or with the LinEnum script), there is not much we can do with Jan’s privileges.
But in Kay’s home directory there is an interesting pass.bak file, which we don’t have permission to read, and a .ssh directory with SSH keys. Let’s try to move to Kay’s account.
Kay
Download the id_rsa file by hosting an HTTP server with Python and fetching it with wget.
Now we need to change the permissions on the downloaded file on our machine and then try to connect, but the key needs a passphrase.
It can be cracked with john, but first we need to convert it to john’s format with ssh2john.
NOTE: it may not be preinstalled on Kali. Run locate ssh2john to find it.
Now we can find the passphrase with john
The passphrase is fakepass2. Now connect to the machine.
Now we can read that pass.bak file:
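The pivot from jan to kay worked only because kay’s .ssh directory and private key were readable by another user, and the key’s passphrase was weak enough to crack offline. The script below is an added example, not the room’s or the author’s code; it audits a home directory tree for SSH private keys that are group/other-readable or stored without a passphrase, reading the cipher name from the OpenSSH key header. build_demo_home() creates a constructed home tree under a temporary directory (the users and keys are made up and the keys are dummies) purely so the check can be run offline.

```python
import base64
import os
import stat
import struct
import tempfile

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def is_private_key(text):
    """True if the file starts with a PEM/OpenSSH private-key banner."""
    lines = text.lstrip().splitlines()
    if not lines:
        return False
    return lines[0].startswith("-----BEGIN") and lines[0].endswith("PRIVATE KEY-----")


def openssh_cipher_name(text):
    """Read the cipher name from an OpenSSH-format key ('none' means no passphrase).

    After the magic string the layout is: ssh-string ciphername, ssh-string kdfname, ...
    where an ssh-string is a big-endian uint32 length followed by that many bytes.
    """
    body = "".join(l for l in text.splitlines() if not l.startswith("-----"))
    blob = base64.b64decode(body)
    if not blob.startswith(OPENSSH_MAGIC):
        return None
    off = len(OPENSSH_MAGIC)
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n].decode()


def key_is_encrypted(text):
    """Decide whether a private key is protected by a passphrase."""
    first = text.lstrip().splitlines()[0]
    if "OPENSSH PRIVATE KEY" in first:
        return openssh_cipher_name(text) not in (None, "none")
    if "ENCRYPTED PRIVATE KEY" in first:      # PKCS#8 encrypted container
        return True
    return "Proc-Type: 4,ENCRYPTED" in text   # legacy PEM with DEK-Info header


def audit_home(home_root):
    """Return (relative path, issue) pairs for exposed or passphrase-less private keys."""
    findings = []
    for user in sorted(os.listdir(home_root)):
        ssh_dir = os.path.join(home_root, user, ".ssh")
        if not os.path.isdir(ssh_dir):
            continue
        if os.stat(ssh_dir).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((os.path.relpath(ssh_dir, home_root), "directory accessible to group/other"))
        for name in sorted(os.listdir(ssh_dir)):
            path = os.path.join(ssh_dir, name)
            if not os.path.isfile(path):
                continue
            with open(path, errors="replace") as f:
                text = f.read()
            if not is_private_key(text):
                continue
            rel = os.path.relpath(path, home_root)
            if os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append((rel, "private key readable by group/other"))
            if not key_is_encrypted(text):
                findings.append((rel, "private key has no passphrase"))
    return findings


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def constructed_openssh_key(cipher):
    """Build a file with a valid OpenSSH key header but a dummy body (demo only, not a usable key)."""
    kdf = b"none" if cipher == "none" else b"bcrypt"
    blob = (OPENSSH_MAGIC + _ssh_string(cipher.encode()) + _ssh_string(kdf)
            + _ssh_string(b"") + struct.pack(">I", 1))
    b64 = base64.b64encode(blob).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines) + "\n-----END OPENSSH PRIVATE KEY-----\n"


def build_demo_home():
    """Create a constructed /home-like tree in a temp dir: kay's key is exposed, jan's is not."""
    root = tempfile.mkdtemp(prefix="ssh-audit-demo-")
    layout = {
        ("kay", "id_rsa"):     (0o755, 0o644, "none"),        # readable dir and key, no passphrase
        ("jan", "id_ed25519"): (0o700, 0o600, "aes256-ctr"),  # correctly locked down
    }
    for (user, keyname), (dir_mode, key_mode, cipher) in layout.items():
        ssh_dir = os.path.join(root, user, ".ssh")
        os.makedirs(ssh_dir)
        os.chmod(ssh_dir, dir_mode)
        key_path = os.path.join(ssh_dir, keyname)
        with open(key_path, "w") as f:
            f.write(constructed_openssh_key(cipher))
        os.chmod(key_path, key_mode)
    return root


if __name__ == "__main__":
    for rel, issue in audit_home(build_demo_home()):
        print(f"{rel}: {issue}")
```

Pointed at a real /home (run as root so every directory can be read), the same audit_home call reports which users need chmod 700 on .ssh, chmod 600 on their keys, or a passphrase added with ssh-keygen -p.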
That is the end of the room, but we can go further and try to get root.
Privilege escalation
Let’s check if kay can run something with sudo:
That’s a jackpot: the easiest privilege escalation.
That’s it for this machine. Thank you for sticking with me. Stay safe and happy hacking!
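The last step hinges on what sudo -l reported for kay, and the page does not show the rule itself. The Python below is therefore an added example with a constructed sudoers excerpt (the users and commands are made up, not the room’s configuration); it parses user rules and flags the patterns an administrator should review: unrestricted ALL grants, NOPASSWD tags, and wildcards or relative paths in command specifications.

```python
import re

# Constructed sudoers excerpt for the demo; none of these rules come from the room.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
kay     ALL=(ALL) ALL
jan     ALL=(root) NOPASSWD: /usr/bin/systemctl restart apache2
backup  ALL=(root) /usr/bin/rsync -a /var/www/* /backup/
ops     ALL=(root) /usr/local/bin/deploy.sh
"""

# who  hosts = (runas) [TAG:] command[, command...]
RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<hosts>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
ALIAS_KEYWORDS = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


def parse_sudoers(text):
    """Parse plain user/group rules; Defaults and alias definitions are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(ALIAS_KEYWORDS):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags, cmd_spec = [], m["cmds"].strip()
        # Tag markers such as NOPASSWD: precede the command list
        while True:
            tm = re.match(r"^([A-Z]+):\s*", cmd_spec)
            if not tm:
                break
            tags.append(tm.group(1))
            cmd_spec = cmd_spec[tm.end():]
        rules.append({
            "who": m["who"],
            "hosts": m["hosts"],
            "runas": m["runas"] or "root",   # sudo's default target user when none is given
            "tags": tags,
            "commands": [c.strip() for c in cmd_spec.split(",")],
        })
    return rules


def audit_sudoers(rules, exempt=("root", "%sudo")):
    """Return (who, issue) pairs for rules an administrator should review."""
    findings = []
    for r in rules:
        if r["who"] in exempt:
            continue
        for cmd in r["commands"]:
            if cmd == "ALL":
                findings.append((r["who"], f"unrestricted: may run any command as {r['runas']}"))
                continue
            if not cmd.split()[0].startswith("/"):
                findings.append((r["who"], f"relative command path: {cmd}"))
            if "*" in cmd or "?" in cmd:
                findings.append((r["who"], f"wildcard in command: {cmd}"))
        if "NOPASSWD" in r["tags"]:
            findings.append((r["who"], "NOPASSWD: no authentication required"))
    return findings


if __name__ == "__main__":
    for who, issue in audit_sudoers(parse_sudoers(SAMPLE_SUDOERS)):
        print(f"{who}: {issue}")
```

Feed it the output of visudo -c -f or the sudoers file itself (plus anything in /etc/sudoers.d). Rules that pass these checks still deserve a look at the command they name: a script or binary that the invoking user can write to is as good as ALL.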