CTF - Basic Pentesting 2



The author of Basic Pentesting:1 has recently created a new vulnerable machine for us to play with. I decided to try this one out as I really enjoyed the previous one.

NMAP

To see what ports are open, I ran nmap -sV -p- 192.168.56.101 -T4 (service detection on all 65535 ports). The results are above. As you can see there are a lot of open ports, including a couple of services I haven't worked with before.

SAMBA

As soon as I saw Samba, I tried the exploit from the previous box to see if it works.

PORT 80

Let's have a look at the web page to see if there is anything interesting.

Nothing much to see, so I right clicked and viewed the page source to see if there is anything hidden there.

The source mentions that there is something in the dev section. I immediately started a dirb scan to see if there are any directories that correlate to dev.

DIRB

I ran dirb http://192.168.56.101 > dirb.txt and then cat'd the results.

From the results, I can see that there is a directory called /development. Let's peek into that directory to see what the contents are.

192.168.56.101/development

I pointed my browser at /development and can see two files.

Let's look!

Dev.txt

j.txt

Thoughts:

I think that K is the admin of the site or something along those lines, and J is a normal user.

APACHE TOMCAT

My next train of thought was to prod the other open ports. I haven't looked at Tomcat before, so let's point the browser at 192.168.56.101:8080.

I spent a couple of hours stuck on this page, not knowing what to do. I clicked on everything and found a couple of interesting things. Clicking on Manager App prompted for a username and password.

I tried different passwords and also tried brute forcing the login with a Metasploit module, and it didn't work. There were a couple of other example web applications I found while prodding the site, but they all led to dead ends and countless hours wasted.

I thought I could do something with these example applications, like injecting code, but there was nothing I could do.

I exhausted my options by trying most of the Metasploit modules for this Tomcat service, with no successful results.

The above image shows the search results for tomcat in Metasploit. None of these worked. It's safe to say I was really frustrated.

Going back to the clues in the .txt files: K stated that J's password was weak. But who is J?

ENUM4LINUX

This is a tool I learned about in my last CTF, so I thought I would give it another try. I ran enum4linux 192.168.56.101 > enum.txt and then cat'd enum.txt to see the results.

Firstly, we can see the password complexity requirements in the password policy section (including the minimum password length, which is worth noting before choosing a wordlist).

Also we can see that there are a couple of shares that I can look at.

And we have the usernames for K and J: kay and jan respectively!

Before I brute force jan, I want to have a look at the shares.

I ran smbclient //192.168.56.101/Anonymous and typed ls to list the files. I can see that there is a staff.txt. I tried to cat staff.txt, but that doesn't work inside smbclient, so I downloaded it to my Kali box with get staff.txt.

Nothing really interesting except for an announcement from Kay. Looks like Jan does whatever she wants.
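The enumeration steps above (users from enum4linux, the minimum password length from the policy, the shares worth browsing) feed straight into the brute force that follows. The script below is an added example, not code from the original post: it parses a constructed sample in the shape enum4linux prints (the sample text is made up for the example, not a capture from the box), builds the user list for hydra, and drops wordlist entries shorter than the policy minimum so hydra wastes no attempts on passwords the box would never have accepted. The function names are my own.

```python
"""Turn enum4linux-style output into a hydra user list and a policy-filtered
wordlist.  Added example; SAMPLE_ENUM is constructed, not a real capture."""
import re

# Constructed sample in the layout enum4linux prints (not a real capture).
SAMPLE_ENUM = """\
[+] Password Info for Domain: BASIC2
    [+] Minimum password length: 5
    [+] Password history length: None
    [+] Password Complexity Flags: 000000

    Sharename       Type      Comment
    ---------       ----      -------
    print$          Disk      Printer Drivers
    Anonymous       Disk
    IPC$            IPC       IPC Service (Samba 4.3.11-Ubuntu)

user:[kay] rid:[0x3e8]
user:[jan] rid:[0x3e9]
"""

USER_RE = re.compile(r"user:\[([^\]]+)\]\s+rid:\[(0x[0-9a-fA-F]+)\]")
MINLEN_RE = re.compile(r"Minimum password length:\s*(\d+)")
SHARE_RE = re.compile(r"^\s*(\S+)\s+(Disk|IPC|Printer)\b", re.M)


def users(text):
    """Usernames from the RID-cycling section, in the order enum4linux lists them."""
    return [m.group(1) for m in USER_RE.finditer(text)]


def min_password_length(text):
    """Minimum length from the password policy section, 0 if the policy is absent."""
    m = MINLEN_RE.search(text)
    return int(m.group(1)) if m else 0


def shares(text):
    """Disk shares that are worth opening anonymously (skips IPC$ and admin $ shares)."""
    return [name for name, kind in SHARE_RE.findall(text)
            if kind == "Disk" and not name.endswith("$")]


def filter_wordlist(words, min_len):
    """Drop candidates the policy would have rejected; hydra then tries fewer logins."""
    return [w for w in words if len(w) >= min_len]


def hydra_command(target, user_file, pass_file, service="ssh", tasks=4):
    """argv for hydra; -t 4 because hydra itself recommends few parallel tasks for ssh."""
    return ["hydra", "-L", user_file, "-P", pass_file, "-t", str(tasks), target, service]


if __name__ == "__main__":
    # Constructed mini wordlist standing in for rockyou.txt.
    words = ["abc", "armando", "1234", "beeswax"]
    print("users:", users(SAMPLE_ENUM))
    print("shares:", shares(SAMPLE_ENUM))
    print("kept:", filter_wordlist(words, min_password_length(SAMPLE_ENUM)))
    print(" ".join(hydra_command("192.168.56.101", "users.txt", "filtered.txt")))
```

In practice you would write users() to users.txt and the filtered list to filtered.txt before running the printed hydra command; the length filter is the cheap win here, since a five-character minimum removes a sizeable slice of rockyou.txt.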

HYDRA

I ran hydra -l jan -P /usr/share/wordlists/rockyou.txt 192.168.56.101 ssh (hydra suggests adding -t 4 against ssh, since sshd limits parallel connections).

YASS WE SLAYINN. Got her password! jan:armando

SSH — JAN

Now that I have her password, let's SSH into the box with the credentials we have obtained.

Sweet. Let's look around. It took a while to see if there was anything interesting.

In the above screenshot, I can see that there is a directory called .ssh.

Looking into this folder I can see some SSH keys. These actually look like the ones I have at work, lol.

I cat'd the authorized_keys and id_rsa.pub public keys to see their contents. This is not what I want.

I cat'd id_rsa. This is the private key.

I copied the contents of this key into a new file called id_rsa on my Kali box. To confirm the copy is intact, I ran head -n 30 id_rsa and checked the first 30 lines (the BEGIN line, any Proc-Type/DEK-Info headers, and the base64 body all need to survive the paste).

SSH2JOHN / JOHN

After a couple of hours of research, I used both of these tools to achieve the goal. It was my first time using them, so I had to do a lot of testing. John is a password cracking tool, whereas ssh2john converts the passphrase-protected SSH key into a hash that john can crack.

I ran ssh2john id_rsa > test.hash

In the above screenshot, I opened the Johnny GUI on Kali, pointed it at my test.hash file and voilà: the passphrase on Kay's private key is beeswax.
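The hand-copied key is the fragile step in the chain above: a truncated paste fails in ssh, and an unencrypted key would make the ssh2john/john detour unnecessary. The script below is an added example, not code from the original post. It checks that a pasted private key still has matching BEGIN/END armour and a decodable base64 body, and reports whether it is passphrase-protected, for both the classic PEM format (Proc-Type: 4,ENCRYPTED plus DEK-Info headers) and the newer OPENSSH PRIVATE KEY format (cipher name other than "none" inside the openssh-key-v1 blob). The fixtures are constructed placeholders with dummy bodies, not real key material from the box, and the function names are my own.

```python
"""Sanity-check a hand-copied SSH private key before running ssh2john on it.
Added example; the fixtures below are constructed and contain no real keys."""
import base64
import struct


def _parse_pem(text):
    """Split PEM armour into (label, headers, decoded body); raise on damage."""
    lines = [line.strip() for line in text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN ") or not lines[-1].startswith("-----END "):
        raise ValueError("missing BEGIN/END armour: key was not copied completely")
    label = lines[0][len("-----BEGIN "):-len("-----")]
    if lines[-1] != f"-----END {label}-----":
        raise ValueError("BEGIN/END labels differ")
    body = lines[1:-1]
    headers = {}
    # Classic PEM puts Proc-Type/DEK-Info headers before a blank line; base64 has no ':'.
    while body and ":" in body[0]:
        key, _, value = body.pop(0).partition(":")
        headers[key.strip()] = value.strip()
    if body and body[0] == "":
        body.pop(0)
    try:
        der = base64.b64decode("".join(body), validate=True)
    except Exception as exc:
        raise ValueError(f"base64 body is corrupt: {exc}")
    return label, headers, der


def _ssh_string(buf, off):
    """Read one length-prefixed string from the openssh-key-v1 binary layout."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def key_status(text):
    """Return (format, encrypted) where format is 'pem' or 'openssh'."""
    label, headers, der = _parse_pem(text)
    if label == "OPENSSH PRIVATE KEY":
        magic = b"openssh-key-v1\x00"
        if not der.startswith(magic):
            raise ValueError("not an openssh-key-v1 blob")
        cipher, _ = _ssh_string(der, len(magic))   # first field is the cipher name
        return "openssh", cipher != b"none"
    if label.endswith("PRIVATE KEY"):
        encrypted = headers.get("Proc-Type", "").endswith("ENCRYPTED") and "DEK-Info" in headers
        return "pem", encrypted
    raise ValueError(f"unexpected PEM label {label!r}")


def needs_ssh2john(text):
    """True when john has a passphrase to crack; False means ssh -i works as is."""
    return key_status(text)[1]


def is_intact(text):
    """False when the paste lost armour or mangled the base64 body."""
    try:
        key_status(text)
        return True
    except ValueError:
        return False


# ---- constructed fixtures (placeholder bodies, not real key material) ----
def _armour(label, der, headers=()):
    b64 = base64.b64encode(der).decode()
    lines = [f"-----BEGIN {label}-----", *headers]
    if headers:
        lines.append("")
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines.append(f"-----END {label}-----")
    return "\n".join(lines) + "\n"


def _openssh_blob(cipher, kdf):
    s = lambda b: struct.pack(">I", len(b)) + b
    return b"openssh-key-v1\x00" + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)


ENCRYPTED_PEM = _armour("RSA PRIVATE KEY", b"\x00" * 32,
                        ["Proc-Type: 4,ENCRYPTED",
                         "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF"])
PLAIN_PEM = _armour("RSA PRIVATE KEY", b"\x00" * 32)
ENCRYPTED_OPENSSH = _armour("OPENSSH PRIVATE KEY", _openssh_blob(b"aes256-ctr", b"bcrypt"))
PLAIN_OPENSSH = _armour("OPENSSH PRIVATE KEY", _openssh_blob(b"none", b"none"))

if __name__ == "__main__":
    for name, fixture in [("pem/enc", ENCRYPTED_PEM), ("pem/plain", PLAIN_PEM),
                          ("openssh/enc", ENCRYPTED_OPENSSH), ("openssh/plain", PLAIN_OPENSSH)]:
        print(name, key_status(fixture), "needs ssh2john:", needs_ssh2john(fixture))
```

Run it against the copied id_rsa (read the file and call key_status) before touching john: an encrypted result means the ssh2john step is required, a plain one means the key can be used with ssh -i straight away, and a ValueError means the paste itself is the problem.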

SSH — KAY

Let's SSH into the box as Kay now.

I ran ssh kay@192.168.56.101 -i id_rsa (the copied key needs chmod 600 first, otherwise ssh refuses to use it), entered beeswax at the passphrase prompt, and I'm in!!

Quickly ran id and whoami to see the user and group memberships.

I went back into /home/kay. I cat'd pass.bak and can see a really long password. In my previous screenshot I could also see that kay is in the sudo group (sudo -l confirms what she is allowed to run).

I ran sudo -i and entered that long password when prompted. Since sudo asks for the invoking user's own password rather than root's, this is Kay's password, and her sudo rights are what give me the root shell. I cat /root/flag.txt

FEELIN GUUDDDD


LESSONS LEARNED