Brute It
Task 2: Reconnaissance
Initial nmap scan to find open ports, using the "treat all hosts as alive" flag (-Pn).
We have 2 open ports.
Detailed Nmap scan:
Command Breakdown:
(-sV): Service version
(-sC): Default nmap scripts
(-p): Specifying ports 22,80
(-oN nmap): Saving it into a file called nmap
We have the version of SSH running: OpenSSH 7.6p1
The version of Apache running is 2.4.29
The Linux distribution running is Ubuntu.
Let's visit the website.
It's a default Apache2 webpage. Let's look for hidden directories on the web server using gobuster.
We found a directory called /admin.
Task 3: Getting a Shell
Let's visit the directory we found.
It's a login page. As this is an admin login page, the username is most probably admin; we can also confirm this by looking at the source code of the page.
Let's use hydra to brute force the password. Before that we need to know the format in which the username and password are submitted, which we can get with Burp Suite: attempt a login and capture the request with Burp.
The format is user=<username>&pass=<password>, which we will supply to hydra. We also see a PHPSESSID cookie, which we need to include in the hydra command. The other thing we need is the website's response to a failed login attempt. Forward the request and we can see it.
Now we have all the information we need, so let's run hydra to crack the password.
Hydra command breakdown:
-l admin: Specifying the username as admin
-P /usr/share/wordlists/rockyou.txt: Specifying the password list
10.10.254.237: Target IP
http-post-form: Type of attack protocol. We are using this as we are attacking an HTTP website form
/admin/: The directory we are attacking which has the login form
user=^USER^&pass=^PASS^: Login request format taken from Burp Suite
Username or password invalid: Response when there is a failed login
H=Cookie: security=low; PHPSESSID=srir42se2cdt5roedi45msdgr0: Cookie from the response
After running this we find the password xavier. Let's log in.
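From the defender's side, the request pattern above (a burst of POSTs with user=...&pass=... to /admin/) is easy to spot in the Apache access log. The script below is an added example, not part of the original writeup: it parses combined-format log lines and flags any client that sends more than a threshold of POSTs to the login path within a sliding window. The log lines, IP addresses, threshold and window size are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format, one request per line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict of fields for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    return ev


def find_bruteforce(lines, login_path="/admin/", threshold=20, window_s=60):
    """Return {ip: peak_count} for clients that sent at least `threshold` POSTs
    to `login_path` within any `window_s`-second sliding window."""
    recent = defaultdict(deque)  # ip -> timestamps of recent login POSTs
    flagged = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or ev["path"] != login_path:
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while (q[-1] - q[0]).total_seconds() > window_s:  # drop events outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["ip"]] = max(flagged.get(ev["ip"], 0), len(q))
    return flagged


def sample_log():
    """Constructed sample: normal traffic from 10.10.14.9 plus a 25-request burst from 10.10.14.5."""
    fmt = '{ip} - - [10/Mar/2024:12:00:{sec:02d} +0000] "{m} {p} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'
    lines = [fmt.format(ip="10.10.14.9", sec=0, m="GET", p="/admin/"),
             fmt.format(ip="10.10.14.9", sec=5, m="POST", p="/admin/")]
    lines += [fmt.format(ip="10.10.14.5", sec=i, m="POST", p="/admin/") for i in range(25)]
    return lines


if __name__ == "__main__":
    print(find_bruteforce(sample_log()))  # {'10.10.14.5': 25}
```

Because this application answers a failed login with HTTP 200, the status code alone does not separate failures from successes; the rate of POSTs to the login path per client is the reliable signal, and the same logic can be fed from `tail -f` on the live log.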
We found the first flag, and we also have an RSA private key. Let's copy it to our machine, save it as id_rsa, extract the passphrase hash with ssh2john, and then crack it with john.
Let's now use ssh2john.
Now let's crack this hash using john.
And we have the passphrase, so let's log in through SSH. This is probably the passphrase for the user john's key, as john was the only other username we found. But before that we need to change the permissions of the id_rsa file so that SSH accepts it.
Now let's log in.
We are logged in and can read the user.txt file.
We can now answer all the questions in this section.
Task 4: Privilege Escalation
Let's run sudo -l to see what we can run as root.
Looks like we can run /bin/cat as root. Looking on GTFOBins we can see that we can point a parameter at a file and read that file as root.
The /etc/shadow file stores the password hashes of all users on the machine, so we can read the root hash from it and then crack it with John the Ripper. Let's first set the LFILE parameter to /etc/shadow and then read it.
We have the root hash. Let's copy it to our machine, store it in a file called hash, and crack it using john.
Now let's crack it and then show the result.
We have the password for root. Let's switch users.
We can now read the root flag and also answer all the questions in this section.