
[Linux] Basic Pentesting

Reconnaissance

As usual, we start with classical reconnaissance using Nmap. Run as root, a bare scan performs a SYN scan of the 1000 most common TCP ports; adding -sV -sC (and -p- for a full port sweep) also reports service versions and runs the default scripts, which saves guesswork during enumeration.

sudo nmap 10.10.81.18

Enumeration

HTTP

Generally, starting enumeration with HTTP is the easiest and most practical choice. Let’s see what is hidden on the website.

The site appears to be under maintenance. Pages left behind for the maintainers may still be reachable, so we enumerate paths with Dirb and a wordlist.

 dirb http://10.10.81.18/ /usr/share/wordlists/dirb/common.txt

We found a directory called /development containing some interesting files (dev.txt and j.txt) that we can read.

SMB

As indicated in dev.txt, SMB has been configured. Let’s see what information it leaks. First, we use enum4linux to pull users, shares and policy details from the host.

enum4linux -a 10.10.81.18

enum4linux reveals two Unix users: kay and jan. According to j.txt, the user J (matching Jan's initial) has a weak password. Since SSH is exposed and gives an interactive shell on the box, we run a dictionary attack against it for the jan account.

Initial Access

SSH

We run the dictionary attack with Hydra against jan's account; -V prints every attempt. On Kali the wordlist ships compressed as /usr/share/wordlists/rockyou.txt.gz and must be decompressed (gunzip) before use. Hydra recovers Jan's password.

hydra -s 22 -l jan -P rockyou.txt 10.10.81.18 ssh -V

Sorry for the inconvenience, I had to continue the pentest on another Kali Linux machine.

Escalation

Jan can read Kay's SSH private key, and Kay is a sudoer.

We copy the key to our local machine with scp, but we cannot log in with it directly: the key is protected with a passphrase.

scp jan@10.10.81.18:/home/kay/.ssh/id_rsa .

John the Ripper can recover the passphrase: ssh2john (on Kali, /usr/share/john/ssh2john.py) converts the key into a hash format John understands, then John runs the wordlist against it.

cp "$(locate ssh2john.py)" .
cp "$(locate rockyou.txt)" .
python3 ssh2john.py id_rsa > id_rsa.hash
john id_rsa.hash --wordlist=rockyou.txt

The recovered passphrase unlocks the private key, so we can log in over SSH as kay. The hidden word is in the file pass.bak.

Remediation
