By attacking this box we’ll learn:
- Brute forcing
- Hash cracking
- Service enumeration
- Linux enumeration
Let’s start by scanning the target and see what services are running.
From the port scan, we see that the SMB is running, also a website might be up on port 80 and there is also an apache tomcat on port 8080. There is also some additional info we get from the scan about the SMB, such as the computer name, the OS that is running on the machine, the local time, NetBIOS machine name.
We can try connecting to SMB with no user(null session).
There is a folder called Anonymous with read only permissions. We can take a look and see what we find.
We can retrieve the staff.txt and see what’s inside.
Jan and Kay might be usernames, so let’s keep that in mind. Now, let’s move on and check what’s on port 80.
We run gobuster and it’s found a folder named development.
There are two text files there. Let’s check them out.
2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat to host that on this server too. Haven't made any real web apps yet, but I have tried that example you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm using version 2.5.12, because other versions were giving me trouble. -K 2018-04-22: SMB has been configured. -K 2018-04-21: I got Apache set up. Will put in our content later. -J
For J: I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials, and I was able to crack your hash really easily. You know our password policy, so please follow it? Change that password ASAP. -K
Because it says that he could crack Jans password, we can try bruteforcing the ssh using the user jan. And we just found the users password by bruteforcing the port.
We can go on an login as the user jan. ssh [email protected] using the password armando. Taking a look in the home directory, we can access the .ssh folder from the other user, kay. We can copy the private key and crack it using john. To do so, we’ll use ssh2john, and then start the password cracking process.
Now that we have the cracked password, we can use it to login as kay.
We can see what is inside the pass.bak file. Also, running a sudo -l command and providing that password, we see that the user kay can run any sudo command. We’ll use sudo -s to spawn a root shell.