Web Application Penetration Testing and Privilege Escalation
This machine deals with the basic parts of the penetration testing like bruteforcing ,enumeration, hash cracking.
Machine include different questions like what are the different hidden directories, services running, usernames, their passes,etc.
So i got the IP for the machine: 10.10.125.79
Let’s start with the basic information gathering and enumeration process:
As we know NMAP is our best friend, so take help from it🤞🤞
nmap -A -T4 -p- -v 10.10.125.79
( -A → Aggressive scan)
(-T4 → Optimal Speed)
(-p- → for all ports/ — all-ports)
(-v → verbose: Tells us about ongoing process)
For hidden files and folders, there are many tools like dirbuster ,gobuster ,dirsearch ,etc.
But this time I will go with “dirsearch”
You can install it through github:https://github.com/maurosoria/dirsearch
dirsearch gives us the hidden directory: “development”.
Lets have a look on what’s inside ‘dev.txt’ and ‘j.txt’.
‘j.txt’ doesn’t have much interesting facts in it about the machine but it tells that some “user” is having the weak password!!!
By seeing “dev.txt” i started reading about “struts” which is apache project and found an exploit written in python.
But every time i run it, it closes with some weird error statement.
So i started to look forward on further content on “dev.txt” and “j.txt”
“SMB has been configured” on ‘dev.txt’ may take us to some smb username enumeration part.
Let’s dive into it.
For this I’m gonna use metasploit-framework.
>set rhosts 10.10.125.79
>run or exploit
It also didn’t work!!
I forgot about nmap🙌🙌. Lets have a look on the results:
So its Linux machine first of all..
Lets go with “enum4linux”, which is inbuilt in kali and parrot OS.
— > enum4linux 10.10.125.79
Wow, we got the usernames → “kay” and “jan”
From nmap result we know port 22 is open(SSH)
So i tried:
→ ssh email@example.com
(because I thought “j.txt” and “jan” have something in common)
But i don’t have password for the user “jan”.
As “j.txt” says that it has weak password so will use “hydra” for bruteforcing.
You can read about any command or tool by:
→ man <command or tool>
→ hydra -l jan -P /usr/wordlists/rockyou.txt ssh://10.10.125.79
Wow! we have the user “jan’s” password: “armando”
Now I can ssh to the machine
→ ssh firstname.lastname@example.org
Now during traversing through the directories i found: /home/kay/pass.bak
to which I didn’t have any permissions to read or access. So for time being I left that out!!
Now its time for “linpeas.sh” for further enumeration and information gathering.
But i need to upload the file to the machine.
So we can use “scp” to upload.
I tried to upload it into the /home/jan and /home/kay, but it didn’t worked as it says permission denied.
So i googled that where should i upload my file or shell if i have ssh connection.
I came across many write-ups and all of them told to upload the file in
(shm → shared memory)
So i uploaded the file in /dev/shm.
→ scp linpeas.sh email@example.com
Now its time to rev the engine!!
(Don’t forget to give the executable permissions to the file)
Analyzing the result of the script i found only this thing interesting!!
So I ‘cat’ out the private key!
It is the key for the user “kay”.
Copy the key to “kay_id_rsa” file.
Now I can ssh to the machine with this key as user “kay”.
But I need to crack the key to get the password!!
And we know “John:The Ripper” is our best friend!!
Before this, we need to change the format of the key to the one accepted by “john”.
“John” gives us the script to do the same: ssh2john.py .
→ python2 /usr/share/john/ssh2john.py kay_id_rsa > key.txt
“key.txt” will be accepted by “John”.
Retrieve the pass:
→ john ~~wordlist=/usr/share/wordlists/rockyou.txt key.txt
(please treat ‘~’ as ‘-’)
Here, we have “kay’s” password!!! → “beeswax”.
Now i can ssh to the machine as user “kay” but ran into the problem!!
The key is ignored because we cant give 777 permission to private key!!
It is now acceptable as it thinks that it is public or would have been compromised.
So set the permission to 600 as:
→ chmod kay_id_rsa 600
So now i can get into the machine!!
And we can read “pass.bak” file which only “kay” has access to!!
This way I get into the machine and captured the passwords.
Thank You for reading!!
Will come up with new walkthroughs supersoon!!