Basic Pentesting 2 Walkthrough

Erdemstar
4 min readJul 21, 2024

Hello, in this article I will show you step by step how to solve Basic Pentesting 2. The goal of this CTF is to become root. Click to get more information about the CTF.

LEVEL : Easy

Steps

  • Learning the target’s IP address with Netdiscover tool
  • Detection of open ports with Nmap tool
  • Collecting information via port 80 with Dirb tool
  • Collecting information over SMB with enum4linux tool
  • Login brute force over SSH with Hydra tool
  • Passphrase brute force on id_rsa with ssh2john and John the Ripper

Based on the IP information of the Kali machine, the IP address of the target machine was determined with the following command.

netdiscover -r 192.168.1.0/24

Open ports on the target machine were detected as follows.

nmap -A -Pn -n -sV --reason -p- 192.168.1.10

To obtain more information specifically about port 80, the dirb tool was used. (dirb takes the base URL as its first argument; it has no -h host option, so the command is:)

dirb http://192.168.1.10/

The paths in the results were checked one by one in a browser, and the following one stood out. The files under that path were downloaded and saved for later use.

Checks on the open ports continued. At this stage, the enum4linux tool was used as follows to collect more information about port 445.

enum4linux 192.168.1.10

When the results were checked, two valid users were detected on the target host. This user information was recorded for later use.

Similar checks were made for the other open ports, 8009 and 8080, and no useful data was obtained. At this stage, checks continued on port 80, and the user information obtained via SMB was used for an SSH brute force.

medusa -U users.txt -P /usr/share/wordlists/rockyou.txt -h 192.168.1.10 -M ssh

The SSH brute force running in the background was checked from time to time, and the credentials “username: jan, password: armando” were found.
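From the defender's side, the brute force above leaves a recognisable trail in the SSH server's auth log: a burst of failed password attempts from one address, spread across several usernames, followed by an accepted login from that same address. The following Python script is an added example, not part of the original walkthrough; the log lines it parses are constructed samples in the standard OpenSSH syslog format, and the 192.168.1.x addresses are assumed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample sshd lines (not taken from the original page). The shape
# follows the usual OpenSSH syslog output found in /var/log/auth.log.
SAMPLE_AUTH_LOG = """\
Jul 21 10:00:01 target sshd[1201]: Failed password for invalid user root from 192.168.1.5 port 40210 ssh2
Jul 21 10:00:02 target sshd[1202]: Failed password for jan from 192.168.1.5 port 40211 ssh2
Jul 21 10:00:02 target sshd[1203]: Failed password for jan from 192.168.1.5 port 40212 ssh2
Jul 21 10:00:03 target sshd[1204]: Failed password for kay from 192.168.1.5 port 40213 ssh2
Jul 21 10:00:03 target sshd[1205]: Failed password for jan from 192.168.1.5 port 40214 ssh2
Jul 21 10:00:04 target sshd[1206]: Failed password for kay from 192.168.1.5 port 40215 ssh2
Jul 21 10:00:05 target sshd[1207]: Accepted password for jan from 192.168.1.5 port 40216 ssh2
Jul 21 10:05:00 target sshd[1300]: Failed password for jan from 192.168.1.20 port 51000 ssh2
Jul 21 10:06:00 target sshd[1301]: Accepted password for jan from 192.168.1.20 port 51001 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_auth_log(text):
    """Yield (result, user, ip) for every sshd password-authentication event."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("ip")


def find_brute_force_sources(text, failure_threshold=5):
    """Return a report keyed by source IP for addresses at or above the failure threshold.

    'success_after_failures' records the first username accepted from an address
    that had already produced failures, which is the pattern a dictionary attack
    leaves behind once it hits a valid credential.
    """
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "success_after_failures": None})
    for result, user, ip in parse_auth_log(text):
        s = stats[ip]
        if result == "Failed":
            s["failures"] += 1
            s["users"].add(user)
        elif s["failures"] > 0 and s["success_after_failures"] is None:
            s["success_after_failures"] = user
    return {
        ip: {
            "failures": s["failures"],
            "users": sorted(s["users"]),
            "success_after_failures": s["success_after_failures"],
        }
        for ip, s in stats.items()
        if s["failures"] >= failure_threshold
    }


if __name__ == "__main__":
    for ip, info in find_brute_force_sources(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {info['failures']} failures against {info['users']}, "
              f"then accepted login as {info['success_after_failures']}")
```

The threshold is deliberately low so the short sample triggers; on a real host it would be tuned per environment, and the same logic is what tools like fail2ban apply before blocking the source address. Rate limiting SSH, requiring keys instead of passwords, and alerting on the failure-then-success sequence each break the attack path used in this CTF.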

The relevant user was logged in via SSH, and “linenum.sh” was used to collect information for privilege escalation. The most striking finding was the sudo right of the “kay” user.

To collect more information about the kay user, the /home/kay directory was visited, and it was determined that the id_rsa file under the “.ssh” folder was readable. The plan was to download this file directly to the Kali machine and use it for SSH, but it turned out that a passphrase was required to use it.

To learn the passphrase of the id_rsa file, the file was converted into a format that John the Ripper can attack using ssh2john, which ships with John the Ripper. After this step, the id_rsa passphrase was obtained by a brute force attack with John the Ripper.

ssh2john id_rsa > new
john --wordlist=/usr/share/wordlists/rockyou.txt new
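Two weaknesses made the last two steps possible: kay's id_rsa was readable by another account, and its passphrase was weak enough to fall to a wordlist. The first is something an administrator can audit directly, and so is the absence of any passphrase at all. The following Python script is an added example, not part of the original walkthrough or of any tool it mentions: it walks a directory tree, finds private key files, and reports keys that are readable by group or others and keys with no passphrase (PEM keys by their Proc-Type header, OpenSSH-format keys by the cipher name in the decoded blob). The demo builds a throwaway home tree with two constructed key headers; these are not real keys and cannot be used for SSH.

```python
import base64
import os
import stat
import struct
import tempfile

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def is_private_key(data):
    """Cheap check on the first bytes of a file for any PEM-style private key marker."""
    return b"PRIVATE KEY-----" in data


def key_is_encrypted(data):
    """True if the private key material is passphrase-protected.

    PEM (PKCS#1) keys carry a 'Proc-Type: 4,ENCRYPTED' header; PKCS#8 uses a
    distinct BEGIN marker; OpenSSH-format keys store the cipher name as the
    first length-prefixed string after the magic, with 'none' meaning no passphrase.
    """
    if b"Proc-Type: 4,ENCRYPTED" in data or b"BEGIN ENCRYPTED PRIVATE KEY" in data:
        return True
    if b"BEGIN OPENSSH PRIVATE KEY" in data:
        body = b"".join(l.strip() for l in data.splitlines() if not l.startswith(b"-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(OPENSSH_MAGIC):
            return False
        off = len(OPENSSH_MAGIC)
        (n,) = struct.unpack(">I", blob[off:off + 4])
        cipher = blob[off + 4:off + 4 + n]
        return cipher != b"none"
    return False


def audit_key_file(path):
    """Return a list of findings for one private key file (empty list means clean)."""
    mode = os.stat(path).st_mode
    with open(path, "rb") as f:
        data = f.read()
    findings = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("readable by group/others (expected mode 0600)")
    if not key_is_encrypted(data):
        findings.append("no passphrase")
    return findings


def audit_home_dirs(root):
    """Walk root (e.g. /home) and audit every file that looks like a private key."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                with open(p, "rb") as f:
                    head = f.read(4096)
            except OSError:
                continue
            if is_private_key(head):
                results[p] = audit_key_file(p)
    return results


def make_constructed_openssh_key(encrypted):
    """Constructed OpenSSH key *header* for testing only; carries no key material."""
    cipher = b"aes256-ctr" if encrypted else b"none"
    kdf = b"bcrypt" if encrypted else b"none"
    blob = (OPENSSH_MAGIC
            + struct.pack(">I", len(cipher)) + cipher
            + struct.pack(">I", len(kdf)) + kdf
            + struct.pack(">I", 0)      # empty kdfoptions
            + struct.pack(">I", 1))     # number of keys
    b64 = base64.b64encode(blob).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 +
            "\n-----END OPENSSH PRIVATE KEY-----\n").encode()


def demo():
    """Build a temporary home tree with one weak and one sound key, then audit it."""
    root = tempfile.mkdtemp()
    ssh_dir = os.path.join(root, "kay", ".ssh")   # assumed layout, mirrors the CTF
    os.makedirs(ssh_dir)
    weak = os.path.join(ssh_dir, "id_rsa")
    with open(weak, "wb") as f:
        f.write(make_constructed_openssh_key(encrypted=False))
    os.chmod(weak, 0o644)                           # world-readable, like the CTF's file
    good = os.path.join(ssh_dir, "id_ed25519")
    with open(good, "wb") as f:
        f.write(make_constructed_openssh_key(encrypted=True))
    os.chmod(good, 0o600)
    return audit_home_dirs(root), weak, good


if __name__ == "__main__":
    report, _, _ = demo()
    for path, findings in report.items():
        print(path, "->", findings or "ok")
```

Passphrase strength itself cannot be judged from the file, only its presence; what the page shows is that an encrypted key with a dictionary passphrase offers little more than an unencrypted one, so the fix on the defender's side is a long passphrase (or a hardware-backed key) together with 0600 permissions and a 0700 .ssh directory.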

The obtained passphrase was used with id_rsa over SSH, and the login succeeded.

After logging in via SSH, checks were made to perform privilege escalation. A few attempts were made because the user had sudo privileges, but they failed because kay's password was not known.

In such cases, it can be useful to retry passwords found elsewhere. A password found or used in the early stages of a CTF may also be valid in other places.

While the checks continued, a file named pass.bak was found in kay’s home directory. Its content was used as the password and it worked. Finally, root privileges were obtained through the kay user’s sudo right.

ls -la
cat pass.bak
sudo su

Summary

  • I think it is a CTF that shows how useful the John the Ripper tool can be, especially for the passphrase set for id_rsa, and how efficient the information received from other ports can be in the brute force phase.

Click here to see my other articles about OSCP Walkthrough.
