
Basic Pentesting

Box Description

This is a machine that allows you to practice Web-App Hacking and Privilege Escalation.

NMAP

  • Open ports: SSH 22, HTTP 80 (Apache), SMB 139/445 (Samba), AJP 8009, HTTP 8080 (Tomcat). SMB accepts a guest session and message signing is not required.
Nmap scan report for 10.10.243.127
Host is up (0.086s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
| 256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)
|_ 256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open ajp13?
|_ajp-methods: Failed to get a valid response for the OPTION request
8080/tcp open http-proxy
|_http-favicon: Apache Tomcat
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 1h19m56s, deviation: 2h18m34s, median: -3s
|_nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: basic2
| NetBIOS computer name: BASIC2\x00
| Domain name: \x00
| FQDN: basic2
|_ System time: 2022-10-06T03:42:39-04:00
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-10-06T07:42:40
|_ start_date: N/A
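
The scan above is worth more to a defender as a checklist than as a port list: SMB reachable from the scanning host, a guest session accepted, signing disabled for SMB1 and not required for SMB2, and the Tomcat AJP connector exposed. The following added example (not part of this writeup or of any of the tools it uses) triages an nmap text report for exactly these conditions and prints the mitigation for each. The report text is a constructed excerpt modelled on the scan in this writeup, and the severity labels and mitigations are this example's own assumptions.

```python
"""Triage an nmap -sV -sC text report for findings a defender should act on.

Added example; the scan text below is a constructed excerpt modelled on the
writeup's scan, not captured output from a live host.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

SAMPLE_SCAN = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open ajp13?
8080/tcp open http-proxy
Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
"""


@dataclass
class Finding:
    port: Optional[int]      # None for host-script (NSE) findings
    severity: str
    title: str
    mitigation: str


PORT_RE = re.compile(r"^(\d+)/tcp\s+open\s+(\S+)")

# Open ports that should normally not be reachable from an untrusted network.
# Severities are this example's assumptions, not nmap output.
PORT_RULES = {
    139: ("high", "SMB (NetBIOS session) reachable",
          "Filter 139/445 at the host firewall; expose SMB only to trusted subnets"),
    445: ("high", "SMB (direct TCP) reachable",
          "Filter 139/445 at the host firewall; expose SMB only to trusted subnets"),
    8009: ("medium", "Tomcat AJP connector reachable",
           "Bind the AJP connector to 127.0.0.1, or disable it when no reverse proxy uses it"),
}

# NSE script fragments that indicate a weak SMB configuration.
SCRIPT_RULES = [
    (re.compile(r"account_used:\s*guest"), "high",
     "SMB accepts guest / null sessions",
     "Set 'map to guest = never' and 'restrict anonymous = 2' in smb.conf"),
    (re.compile(r"message_signing:\s*disabled"), "medium",
     "SMB1 message signing disabled",
     "Set 'server signing = mandatory' and 'server min protocol = SMB2' in smb.conf"),
    (re.compile(r"Message signing enabled but not required"), "medium",
     "SMB2 message signing not required",
     "Set 'server signing = mandatory' in smb.conf"),
]


def triage(report: str) -> List[Finding]:
    """Walk the report line by line: port lines go through PORT_RULES,
    NSE output lines (prefixed with '|' or '|_') through SCRIPT_RULES."""
    findings: List[Finding] = []
    for line in report.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            port = int(m.group(1))
            if port in PORT_RULES:
                sev, title, fix = PORT_RULES[port]
                findings.append(Finding(port, sev, title, fix))
            continue
        body = line.lstrip("|_ ").strip()   # drop the NSE tree prefix
        for pattern, sev, title, fix in SCRIPT_RULES:
            if pattern.search(body):
                findings.append(Finding(None, sev, title, fix))
    return findings


def summarize(findings: List[Finding]) -> str:
    """Render findings highest severity first, one line each."""
    order = {"high": 0, "medium": 1, "low": 2}
    lines = []
    for f in sorted(findings, key=lambda f: (order[f.severity], f.port or 0)):
        where = f"port {f.port}" if f.port else "host script"
        lines.append(f"[{f.severity.upper():6}] {where}: {f.title} -> {f.mitigation}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(summarize(triage(SAMPLE_SCAN)))
```

Running it against the constructed report yields six findings: three high (the two SMB ports and the guest session) and three medium (AJP and the two signing results). A real report from `nmap -sV -sC -oN scan.txt` can be fed in unchanged, since the function only keys on the `PORT ... open` lines and the NSE tree prefixes.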

FFUF

  • Hidden Folder: [IP:8080/development]

________________________________________________

:: Method : GET
:: URL : https://10.10.243.127/FUZZ
:: Wordlist : FUZZ: Dirbuster/directory-list-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

development [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 130ms]


Content Discovery

  • The page at [IP:8080] contains an HTML comment pointing at a hidden dev notes section.
<html>
<h1>Undergoing maintenance</h1>
<h4>Please check back later</h4>

<!-- Check our dev note section if you need to know what to work on. -->
</html>
  • [IP:8080/development] has directory listing enabled and exposes two notes, dev.txt and j.txt.
  • The developer notes are signed with the initials K and J.
[ICO]       Name      Last modified     Size  Description
[PARENTDIR] Parent Directory            -
[TXT]       dev.txt   2018-04-23 14:52  483
[TXT]       j.txt     2018-04-23 13:10  235
  • Note: dev.txt
2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat
to host that on this server too. Haven't made any real web apps yet, but I have tried that example
you get to show off how it works (and it's the REST version of the example!).
Oh, and right now I'm using version 2.5.12, because other versions were giving me trouble. -K

2018-04-22: SMB has been configured. -K

2018-04-21: I got Apache set up. Will put in our content later. -J
  • Note: j.txt
For J:

Ive been auditing the contents of /etc/shadow to make sure we don't have any weak credentials,
and I was able to crack your hash really easily. You know our password policy, so please follow
it? Change that password ASAP.

-K


ENUM4LINUX

  • Found usernames via RID cycling: kay and jan.
 ===================================================================
| Users, Groups and Machines on 10.10.243.127 via RID Cycling |
===================================================================
[*] Trying to enumerate SIDs
[*] Found 2 SID(s)
[*] Trying SID S-1-22-1
[*] Found User 'Unix User\kay' (RID 1000)
[*] Found User 'Unix User\jan' (RID 1000)

SMBMAP

  • The guest session has read-only access to the share Anonymous; IPC$ denies access.
[+] Guest session       IP: 10.10.243.127:445   Name: 10.10.243.127                                     
Disk Permissions Comment
---- ----------- -------
Anonymous READ ONLY
IPC$ NO ACCESS IPC Service (Samba Server 4.3.11-Ubuntu

SMBCLIENT

  • We can log in with an anonymous (null) session.
  • The file [staff.txt] on the share names the same two users: Kay and Jan.
smb: \> ls
. D 0 Thu Apr 19 19:31:20 2018
.. D 0 Thu Apr 19 19:13:06 2018
staff.txt N 173 Thu Apr 19 19:29:55 2018
smb: \> get staff.txt -
Announcement to staff:

PLEASE do not upload non-work-related items to this share. I know it's all in fun, but
this is how mistakes happen. (This means you too, 'Jan'!)

-'Kay'
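
The SMB findings in the last three sections (guest session accepted, RID cycling of local users, an anonymously readable share) all trace back to a handful of smb.conf parameters. The following added example (not part of this writeup, and not the box's real configuration, which the page never shows) audits a Samba configuration for those parameters and shows a constructed weak configuration beside a hardened one. The two configurations are assumptions modelled on what the findings imply; the parameter names and values (`map to guest`, `restrict anonymous`, `server signing`, `server min protocol`, `guest ok`) are real Samba options.

```python
"""Audit smb.conf for the settings that enable anonymous SMB enumeration.

Added example with constructed configurations; neither is the box's real smb.conf.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed weak configuration: unknown users become guest, a share is
# guest-readable, SMB1 is accepted and signing is disabled.
WEAK_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = Samba Server
   map to guest = bad user
   server signing = disabled

[Anonymous]
   path = /samba/anonymous
   guest ok = yes
   read only = yes
   browseable = yes
"""

# Constructed hardened configuration for the same share.
HARDENED_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = Samba Server
   map to guest = never
   restrict anonymous = 2
   server signing = mandatory
   server min protocol = SMB2

[Anonymous]
   path = /samba/anonymous
   guest ok = no
   valid users = @staff
   read only = yes
   browseable = no
"""


@dataclass
class Issue:
    section: str
    key: str
    current: Optional[str]   # None when the option is not set
    recommended: str
    why: str


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf reader: [section] headers, 'key = value' lines,
    ';' and '#' comments. Section and key names are lower-cased."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.strip().lower()] = value.strip()
    return sections


# (key, predicate over the lower-cased value or None, recommended value, reason)
GLOBAL_RULES: List[tuple] = [
    ("map to guest", lambda v: v in (None, "never"), "never",
     "unknown usernames are mapped to the guest account, which is what lets a null session in"),
    ("restrict anonymous", lambda v: v == "2", "2",
     "anonymous connections may still enumerate shares and users (RID cycling)"),
    ("server signing", lambda v: v == "mandatory", "mandatory",
     "signing is not enforced, so SMB sessions can be tampered with or relayed"),
    ("server min protocol", lambda v: v is not None and v.startswith(("smb2", "smb3")), "SMB2",
     "SMB1 is still accepted; older Samba releases default to NT1"),
]


def audit_smb_conf(text: str) -> List[Issue]:
    conf = parse_smb_conf(text)
    issues: List[Issue] = []
    g = conf.get("global", {})
    for key, ok, recommended, why in GLOBAL_RULES:
        value = g.get(key)
        if not ok(value.lower() if value is not None else None):
            issues.append(Issue("global", key, value, recommended, why))
    # Any share that admits guests is readable without credentials ('public' is a synonym).
    for name, share in conf.items():
        if name == "global":
            continue
        guest = (share.get("guest ok") or share.get("public") or "no").lower()
        if guest == "yes":
            issues.append(Issue(name, "guest ok", guest, "no (and set 'valid users')",
                                "the share is readable by the guest/null session"))
    return issues


def report(issues: List[Issue]) -> str:
    return "\n".join(
        f"[{i.section}] {i.key} = {i.current if i.current is not None else '<not set>'}"
        f" -> set to '{i.recommended}': {i.why}" for i in issues) or "no issues found"


if __name__ == "__main__":
    print("weak config:\n" + report(audit_smb_conf(WEAK_SMB_CONF)))
    print("\nhardened config:\n" + report(audit_smb_conf(HARDENED_SMB_CONF)))
```

The weak configuration produces five issues (the four global settings plus the guest-readable share) and the hardened one produces none. After changing a live smb.conf, `testparm` validates the syntax and the nmap `smb-security-mode` script from the scan above is a quick external check that `account_used: guest` has gone away.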