@TryHackMe – Basic Pentesting Room

Another day, another challenge.

Today’s blog post – I will give a walk-through on a boot-to-root room called, “Basic Pentesting Room”. This boot to root is perfect to get practice in preparation for the OSCP.

Let’s get started.

Logging into TryHackMe with your credentials and heading into the room we see the following:

TryHackMe1

OK, we have tasks to complete and we will learn the following skills – brute forcing, hash cracking, service enumeration, and Linux enumeration.

The first question is:

TryHackMe2

Clicking the deploy button at the top we get the following:

tryhackme

Second question is:

TryHackMe3

OK, we need to find the services exposed. What can we do?

One solution is to use nmap -sV (TCP scan) <IP address>

In this case it would be nmap -sV 10.0.0.204. Doing this we see the following screenshot:

tryhackme_nmap

Success! We now have the services.

TryHackMe4

Let’s use dirb to find the hidden directories. See the following screenshot:

tryhackme_dirb

Our hidden directory is development.

TryHackMe5

Reviewing our enumeration we see that ports 139 and 445 are open. These ports are used for SMB (Server Message Blocks) which are HIGHLY vulnerable. Let’s run the command enum4linux and see what we find.

tryhackme_smbtryhackme_smb2

We found two users: kay and jan

Question #5!

TryHackMe6

First, entering kay, I received an error. Let’s try entering jan. Success!

TryHackMe7

Let’s fire up Hydra which is password cracking tool with the password list of rockyou (this password list is used a lot in Kali and even in the OSCP… hint, hint!)

tryhackme_hydra

TryHackMe8

The service we use to access the server is SSH.

TryHackMe9

tryhackme_jantryhackme_jan2

TryHackMe10

kay

TryHackMe11

Since we have a new user (kay) and we have a ssh folder that lists the public key we can try to get the password.

TryHackMe12

From question #10 we have the user (kay) and a public key how can we go about cracking the key?

Doing a quick Google search, I was presented with the following link.

Scrolling down we see the following:

ssh_command

Let’s see if we can recreate this to find the passphrase. Using the ssh2john we created the hash.

tryhackme_ssh2johntryhackme_zip

Next we’ll use John The Ripper with the famous rockyou wordlist to see if we can crack the passphrase.tryhackme_kay1We were successful! The passphrase is beeswax. Let’s try to ssh with kay’s private key and see if we can get in.

tryhackme_kay2

Entering the passphrase we see that we were able to successfully log into the kay account! Just to be sure I issued the command of whoami (don’t mind the fat fingering!)

tryhackme_kay_listing

tryhackme_kay_passwordNext, we run the list command to see what we’re working with. We see a pass.bak file, let’s see if this lists the password. Opening the file we see the password. Score!

Let’s run sudo -l, which will show us what commands kay can run as root. We’re prompted with the password and we entered the password that we just acquired. We’re presented with all of the commands that kay can run, and we see that kay can execute all commands as root. Great, this will be helpful for us.

There’s another file that is important in the directory – bash_history. Bash_history is useful because it shows all the commands the user executed before logging off. Let’s open the file.

tryhackme_bash_historytryhackme_listing_2

After opening the file we see a lot of commands. There is one that is very useful – sudo su. If working correctly, running this command we will change from the kay user to root. In other words we would do privilege escalation – where we start as a non-admin user and through improper configuration change to a root user. Let’s try the command and see if it works.

tryhackme_sudo_su

Running the sudo su command, and typing whoami, we see that we’re now root! We do another directory  listing which shows the files from before, so no change. Let’s see if we can get into the root directory.tryhackme_kay6

Changing to the root directory we see that there is a flag.txt file. Opening this file we presented with the verbiage above. We solved the challenge!

Advertisements

OSCP Series: Kioptrix Level 2

Another day, another challenge.

In today’s post we’re going to solve Kioptrix Level 2.

Let’s get started.

After booting the machine, we see the following:

Kioptrix_Level2

This screen is very similar to level 1 click HERE if you missed that.

Let’s begin.

First, let’s enumerate using nmap, with the command nmap -sV <IP_ADDRESS>. In my case it will be nmap -sV 192.168.0.14

Below is the screenshot I have:

Kioptrix_nmap_Level2

We have a number of ports open. Let’s look at port 80 (http) and see what we can find.

Going to http://<IP_ADDRESS> (substitute IP_ADDRESS with your IP address)

We see the following screen:

Kioptrix_webpage_Level2

A login screen… let’s see if we can do an authentication bypass by doing a SQL injection.

Kioptrix_webpage_login_Level2

Entering the username of admin and password of ‘ OR ‘1’=’1′–

Success! We were able to complete an authentication bypass. Now we’re presented with a web console to ping a machine. So let’s ping.Kioptrix_webpage_console_Level2

Entering our IP address and pressing the submit button we see that the web page pings our machine.

Kioptrix_webpage_ping_Level2

Kioptrix_webpage_ping_results_Level2

Let’s see if we can complete one or more commands in succession. This vulnerability is called command injection, as the attacker can enter arbitrary commands to read and write to the server.

Kioptrix_webpage_command_injection_Level2

Kioptrix_webpage_command_injection_results_Level2

We see this application is vulnerable to command injection as we were able to ping our machine and list the contents on the server.

Let’s see if we can use the command injection vulnerability to get a remote shell.

Going to Google and typing in “remote shell commands” the following screenshot is from the first result.

Kioptrix_remote_shell_command_Level2

As you can see this web page lists different ways to gain a remote shell a server. Let’s use the first command, and see this will be successful for us.

First we need to get our IP address.

Entering the command in a terminal ifconfig we will get our IP address, which is what we need for our remote shell.

The below screenshot is mine:

Kioptrix_webpage_ipconfig_Level2

The next two steps need to be completed at the same time.

Going back to the web console, we’re going to enter the above remote shell command, changing our IP address, to the IP address from our ifconfig command. As well as change our port to the port listed in our netcat command (note the port can be anything, I just picked 4444 as it’s easier for me. It could be 1234, 2222, etc.)

Kioptrix_remote_shell_command_webpage_Level2

Now we need to start a listener, the below screenshot is used with netcat

Kioptrix_remote_shell_Level2

After pressing the submit button from the web console, we have the following screenshot – our remote shell worked! we see that we’re connected (192.168.0.14 is the Kioptrix machine and 192.168.0.12 is my machine). You’ll notice that when we list the directory it matches the above screenshot from the command injection inside the web console.

Continuing on let’s see the server version we’re running. See screenshot below.Kioptrix_webpage_uname_Level2

Opening a new terminal, let’s go to searchsploit and see how many exploits we can find for this version.Kioptrix_webpage_searchsploit_1_Level2Kioptrix_webpage_searchsploit_2_Level2Kioptrix_webpage_searchsploit_3_Level2Kioptrix_webpage_searchsploit_4_Level2Kioptrix_webpage_searchsploit_5_Level2Kioptrix_webpage_searchsploit_6_Level2

There are A LOT of exploits, as I was pretty lax on the search results. Let’s use exploit 9545.c as it lists the version number and it also use CentOS (which we saw during the enumeration phase) exploit.

Let’s copy the exploit to the current directory – see screenshot below.

Kioptrix_copy_exploit_Level2

Since we’re working with a web server, we need to move our exploit to the Apache folder and start Apache. See screenshots below.

Kioptrix_apache_exploit_in_folder_Level2Kioptrix_apache_start_Level2

Now let’s try to download our exploit. The first time doesn’t work as one we didn’t specify the file, and we get a permission denied – screenshot below.

Kioptrix_download_file_failure_Level2

Let’s try to change the directory to the /tmp folder and see if we can download our exploit.Kioptrix_download_file_success_Level2

We were successful! Our exploit was downloaded.

Let’s compile our exploit, and give it the name of exploit. See screenshot below.Kioptrix_compiling_exploit_Level2

Running the exploit and entering the whoami command we’re now root. W00t! Kioptrix_whoami_root_Level2

Let’s see if we’re truly root – let’s read the /etc/shadow by entering the following command cat /etc/shadowKioptrix_etc_shadow_Level2Kioptrix_etc_shadow_2_Level2

We’re able to view the /etc/shadow file, which means we’re truly root.