Basic pentesting 2 is a boot2root VM and is a continuation of the Basic Pentesting series by Josiah Pierce. This series is designed to help newcomers to penetration testing develop pentesting skills and have fun exploring part of the offensive side of security.
VirtualBox is the recommended platform for this challenge (though it should also work with VMware -- however, I haven’t tested that).
This VM is a moderate step up in difficulty from the first entry in this series. If you’ve solved the first entry and have tried a few other beginner-oriented challenges, this VM should be a good next step. Once again, this challenge contains multiple initial exploitation vectors and privilege escalation vulnerabilities.
Your goal is to remotely attack the VM, gain root privileges, and read the flag located at /root/flag.txt.
Penetrating
Methodologies
§ Port
scanning
§ Used
enum4linux to enumerate all the users
§ SSH
bruteforce for the user jan
§ Attained
SSH .pub file for user kay
§ Used
ssh2john to convert that pub key into crackable format
§ Used
john the ripper to crack key and attained a passphrase
§ Logged
into user kay using the passphrase
§ Attained
the file pass.bak
§ Got
root access to the lab using password in pass.bak
§ Captured
the flag
Let’s
start!!
So, let’s begin by first scanning the ports
open by using the most popular scanning tool called nmap.
nmap –A 192.168.1.139
Here, we can see that port 22 is open. But we
don’t have any users currently. Let’s use enum4linux
and try to find the users available.
Here, we have found 2 users jan and kay with us.
Let’s try brute-force for the user jan using
hydra tool which comes pre-installed in kali. We will be using the dictionary “rockyou.txt” to brute-force the login
of jan
hydra –l
jan –P /usr/share/wordlists/rockyou.txt 192.168.1.139 ssh
Amazing! We have found the login details of
jan!
Username:
jan
Password: armando
Now, let’s try and ssh login using the details
we just cracked.
Wow! We have successfully gained a shell here.
But jan don’t have sudo rights. Let’s check for any other users and the files
and folders in it.
cd
/home
ls
We found another folder called kay. Let’s go inside it and run ls –la command.
cd
.ssh
ls
–la
Hmmm… this id_rssa file looks fishy. Let’s read it using: cat id_rsa and copy paste it in the text file.
Now, we are going to use ssh2john to convert this SSH key into a crackable file for john the
ripper.
python
ssh2john key > ssh_login
john
ssh_login
Here, we
found the phrase “beeswax.” This
could either be a password or any other phrase to unlock something as we move
further.
Let’s try
and login to user kay using that
key.
ssh –i key kay@192.168.1.139
It is
asking for a passphrase now. Let’s try and enter “beeswax”
Voila!!
We have successfully gained the access to kay. Now let’s try and read that pass.bak file. It looks like it could
have something valuable!
cat
pass.bak
It gives us a phrase “heresareallystrongpasswordthatfollowsthepasswordpolicy$$”
Now Let’s check sudo rights for him and write sudo –l
It surely asks for a root password. Let us
type what we just got in pass.bak file. And you can observe kay has ALL
permissions.
sudo su
Voila! It gives us a root access. Let’s check
the /root directory by:
cd /root
ls
And we got a flag !!!
Hence, we were able to attain the flag in this
challenge. Happy hacking!
0 comments:
Post a Comment