Skip to main content

Basic Pentesting

Box Description

This is a machine that allows you to practice Web-App Hacking and Privilege Escalation.

NMAP

  • [SSH: 22] [SMB: 139-445] [HTTP: 8080]
Nmap scan report for 10.10.243.127
Host is up (0.086s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
| 256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)
|_ 256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open ajp13?
|_ajp-methods: Failed to get a valid response for the OPTION request
8080/tcp open http-proxy
|_http-favicon: Apache Tomcat
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_clock-skew: mean: 1h19m56s, deviation: 2h18m34s, median: -3s
|_nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: basic2
| NetBIOS computer name: BASIC2\x00
| Domain name: \x00
| FQDN: basic2
|_ System time: 2022-10-06T03:42:39-04:00
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2022-10-06T07:42:40
|_ start_date: N/A

FFUF

  • Hidden Folder: [IP:8080/development]
        /'___\  /'___\           /'___\       
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

________________________________________________

:: Method : GET
:: URL : https://10.10.243.127/FUZZ
:: Wordlist : FUZZ: Dirbuster/directory-list-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

development [Status: 301, Size: 316, Words: 20, Lines: 10, Duration: 130ms]


Content Discovery

  • Page [IP:8080] hints at a Possible Hidden Note.
<html>
<h1>Undergoing maintenance</h1>
<h4>Please check back later</h4>

<!-- Check our dev note section if you need to know what to work on. -->
</html>
  • [IP:8080/development]
  • Developer Notes: Name Initials K - J
   [ICO]          Name        Last modified   Size Description
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
[PARENTDIR] Parent Directory -
[TXT] dev.txt 2018-04-23 14:52 483
[TXT] j.txt 2018-04-23 13:10 235
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
  • Note: dev.txt
2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat
to host that on this server too. Haven't made any real web apps yet, but I have tried that example
you get to show off how it works (and it's the REST version of the example!).
Oh, and right now I'm using version 2.5.12, because other versions were giving me trouble. -K

2018-04-22: SMB has been configured. -K

2018-04-21: I got Apache set up. Will put in our content later. -J
  • Note: j.txt
For J:

Ive been auditing the contents of /etc/shadow to make sure we don't have any weak credentials,
and I was able to crack your hash really easily. You know our password policy, so please follow
it? Change that password ASAP.

-K


ENUM4LINUX

  • Found Usernames: Kay - Jan
 ===================================================================
| Users, Groups and Machines on 10.10.243.127 via RID Cycling |
===================================================================
[*] Trying to enumerate SIDs
[*] Found 2 SID(s)
[*] Trying SID S-1-22-1
[*] Found User 'Unix User\kay' (RID 1000)
[*] Found User 'Unix User\jan' (RID 1000)

SMBMAP

  • We have Read Only Access on the Share: Anonymous
[+] Guest session   	IP: 10.10.243.127:445	Name: 10.10.243.127                                     
Disk Permissions Comment
---- ----------- -------
Anonymous READ ONLY
IPC$ NO ACCESS IPC Service (Samba Server 4.3.11-Ubuntu

SMBCLIENT

  • We can Login as Anonymous
  • There are two Usernames inside the file [staff.txt]: Kay - Jan
smb: \> ls
. D 0 Thu Apr 19 19:31:20 2018
.. D 0 Thu Apr 19 19:13:06 2018
staff.txt N 173 Thu Apr 19 19:29:55 2018
smb: \> get staff.txt -
Announcement to staff:

PLEASE do not upload non-work-related items to this share. I know it's all in fun, but
this is how mistakes happen. (This means you too, 'Jan'!)

-'Kay'