HackerNote – TryHackMe

Hi everyone! I know it’s been a while since my last post, and now that I have more time I’ll try to post more often.

This room is aimed at teaching newcomers/beginners how to enumerate a target.

The first step after passive recon is active recon. Let’s do an Nmap scan of our target. What I usually do is scan the target for the usual ports first, then run a second scan that covers all ports.

I do this because you never know what you can come across.

Nmap scan

From this alone we can see the open ports and the programming language used by the web application.

Time to investigate the web app. Visiting the website, we notice a Login button. Clicking it, we see that we can also register an account.

Account creation

I’ll use Burp to better explain how you can enumerate users.

I’ll log in with my account first. You can see the time it took to log in (bottom right corner of the Burp tab).

Let’s try now with an invalid account.

Invalid account logging in

And finally let’s try with a valid account but with a wrong password.

Valid username, wrong password

To enumerate the users, let’s send the request to Intruder, mark only the user parameter and configure the Payloads tab. For this I used /usr/share/seclists/Usernames/Names/names.txt and the Request Timer extension.

As we can see, besides my username there is another valid username.

Note: Don’t go full berserk on the application (don’t use too many threads, or your timing results will be skewed).

Request timer results
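As an added example that is not from this writeup or the room’s code, here is the kind of login handler that produces the timing difference above, next to one that does not leak it: the vulnerable version returns before doing the expensive password hash when the username is unknown, so it answers measurably faster, while the fixed version always does the hash work. The user store, the account name and the PBKDF2 settings are constructed for the demo.

```python
import hashlib
import hmac
import os
import time

# Constructed demo store: username -> (salt, PBKDF2 hash). Not the room's data.
ITERATIONS = 100_000
USERS = {}
HASH_CALLS = [0]  # counts slow-hash invocations so the two handlers can be compared

def slow_hash(password, salt):
    """Deliberately expensive password hash; this is where the login time goes."""
    HASH_CALLS[0] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def register(username, password):
    salt = os.urandom(16)
    USERS[username] = (salt, slow_hash(password, salt))

# Throwaway credential hashed once at startup so unknown users can take the slow path too.
DUMMY_SALT = os.urandom(16)
DUMMY_HASH = slow_hash(os.urandom(16).hex(), DUMMY_SALT)

def login_leaky(username, password):
    """Vulnerable: unknown usernames return before hashing, so they answer much faster."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    return hmac.compare_digest(slow_hash(password, salt), stored)

def login_constant_work(username, password):
    """Fixed: always hash against a real or dummy record, then reject unknown users."""
    salt, stored = USERS.get(username, (DUMMY_SALT, DUMMY_HASH))
    ok = hmac.compare_digest(slow_hash(password, salt), stored)
    return ok and username in USERS

if __name__ == "__main__":
    register("alice", "correct horse")  # constructed demo account
    for handler in (login_leaky, login_constant_work):
        for user in ("alice", "nobody"):
            start = time.perf_counter()
            result = handler(user, "wrong")
            secs = time.perf_counter() - start
            print(f"{handler.__name__:20s} {user:7s} {result!s:5s} {secs:.3f}s")
```

Run it directly to see the per-user timings; the leaky handler answers "nobody" almost instantly, which is exactly the gap Request Timer sorts on.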

Time to brute-force the password! We can download the wordlist provided by the room’s creator, use combinator to generate the final wordlist, and use Burp Intruder again.

This time we should look for a response with a different length.

Password brute-force

Now we can log in. Let’s see what we find once logged in: the user’s SSH password, which lets us SSH into the box.

The user flag is in the home directory of the user.

User flag

Doing some enumeration, I found out that the system is vulnerable to CVE-2019-18634. You can find the exploit on GitHub here. Download it, compile it and transfer it to the target machine.

Compiling the exploit

Now, just run it and you should be root!

Hope you enjoyed and learned something new.