TryHackMe — Basic Pentesting Blog


My first ever blog on becoming a Cyber Security Professional. I am on a learning journey and would appreciate positive feedback.

This is a machine for practicing web app hacking and privilege escalation. It is included as part of the Complete Beginner Path.

The first thing to do is to start the machine and connect to it, either using the AttackBox from TryHackMe or connecting through the VPN and using our own machine, which in my case was Kali.

One phase of penetration testing is scanning and enumeration, which is sometimes treated as a separate phase and sometimes as a subsection of information gathering. Scanning and enumeration is where information about the target machine is identified: running services, open ports, the OS, and vulnerabilities are just some of the details that need to be found.

I started with nmap for enumeration and found the following:

The initial nmap scan identified SMB (Server Message Block) running on ports 139 and 445. I ran another nmap script to identify the shares being served.

smb-shares enumeration

As a result, two shares were identified, along with their corresponding type, user count, path, and permissions. This is some of the information I needed in order to try to connect to the system.

There are other tools for enumerating Samba hosts as well. This time I used enum4linux and found two local users without supplying any username or password at all.

A null session is a vulnerability that allows a user to log in with no username or password, that is, completely anonymously. I tested it and the share allows anonymous access. From here, I was able to read a message exchanged between two users.

smbclient is a tool for accessing SMB resources on a server. "Anonymous" was the share identified in the nmap smb-shares scan.

Another port identified was port 80, which means the machine is hosting an HTTP web server. A great tool for brute-forcing directories, files, hidden objects, or subdomains is gobuster.

It found a hidden directory. Browsing it, I gathered the following information, which could prove useful later on:

  1. Apache version
  2. J was able to audit the contents of /etc/shadow, which would mean either that he is an administrator or that the file is misconfigured to be writable
  3. J's password hash was easily cracked
  4. A version of the web app they were working on

Port 22 was also identified. The SSH protocol uses this port to connect remotely to a machine over a secure channel. Since connecting would, depending on the configuration, require credentials, I would need to crack the password of one of the two users. Hydra is a great tool for this kind of online (against the live service) password attack.

Now that I have cracked jan's password, I can use his credentials to connect to the machine over SSH.

Rummaging through jan's folders and files, I found a file that could contain confidential information. I tried to print its contents, but user jan does not have permission. Since the file is in kay's folder, I now need to escalate my privileges.

What I am trying to do is a horizontal privilege escalation. This is a type of privesc in which a user gains the rights of another user who has the same level of access. I was able to access the machine as jan, but now I need kay's privileges to be able to read the contents of that file.

So how do I do that? I need to enumerate the target machine for any vulnerabilities that may offer a solution. LinPEAS is a tool for this: it looks for possible local privilege escalation paths.

But to run it on the target machine, I have to upload the file from my machine, so I needed to know what tools I could use to do that.

The first step is to identify whether wget, or any other transfer tool, is installed. After running a command, wget was confirmed to be installed on the target machine.

Start a server on my machine to serve the script. It is important to start the server in the directory where the file is located.

The first attempt did not result in a file transfer. As I found out, the directory on the target machine into which I was trying to upload the file does not allow such an action.

Searching the internet, I found that the following are commonly writable directories that would allow the file upload:

  1. /var/tmp
  2. /tmp
  3. /dev/shm
  4. /var/lock
  5. /run/lock

In this instance, I changed directory to /var/tmp and was able to transfer the file.
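As an added defender-side example (my code, not from the original write-up), the script below takes mount-table lines in the /proc/mounts format and reports which of the commonly writable directories listed above sit on a mount without the noexec option, since an unprivileged user can stage and run a downloaded script there. The mount table is constructed for the demonstration; in it, /var/lock is assumed to be a plain directory on the root filesystem.

```python
STAGING_DIRS = ["/var/tmp", "/tmp", "/dev/shm", "/var/lock", "/run/lock"]

def parse_mounts(text: str) -> dict:
    """{mountpoint: set(options)} from text in the /proc/mounts format."""
    table = {}
    for line in text.splitlines():
        fields = line.split()  # device mountpoint fstype options dump pass
        if len(fields) >= 4:
            table[fields[1].replace("\\040", " ")] = set(fields[3].split(","))  # \040 = space
    return table

def covering_mount(path: str, table: dict) -> str:
    """Longest mountpoint that contains path; '/' if nothing more specific matches."""
    best = "/"
    for mp in table:
        if (path == mp or path.startswith(mp.rstrip("/") + "/")) and len(mp) > len(best):
            best = mp
    return best

def executable_staging_dirs(mounts_text: str, dirs=STAGING_DIRS) -> list:
    """(directory, mountpoint) pairs whose mount lacks the noexec option."""
    table = parse_mounts(mounts_text)
    report = []
    for d in dirs:
        mp = covering_mount(d, table)
        if "noexec" not in table.get(mp, set()):
            report.append((d, mp))
    return report

# Constructed mount table: only /dev/shm and /run/lock are mounted noexec.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
tmpfs /dev/shm tmpfs rw,nosuid,nodev,noexec 0 0
tmpfs /run tmpfs rw,nosuid,nodev,noexec,size=1G 0 0
tmpfs /run/lock tmpfs rw,nosuid,nodev,noexec,size=5M 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
"""

if __name__ == "__main__":
    for d, mp in executable_staging_dirs(SAMPLE_MOUNTS):
        print(f"{d}: execution allowed (mount {mp} has no noexec)")
```

On a real host, feed it the contents of /proc/mounts; noexec only blocks direct execution, so treat it as one layer alongside monitoring of these directories.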

Now I just have to run the script and let it look for any possible path for privilege escalation.

In the results, a private SSH key was found. I can use it to log in on port 22 as user kay.

I copied the key from the target machine to my machine. For this to work, I had to edit the file to look something like the second image below; simply copying the key did not work, and it only worked after I edited it.

When logging in with ssh, it asked for the key's passphrase. LinPEAS had gathered no information about it, so I had to crack the passphrase.

A tool for offline cracking is John the Ripper. The key first has to be converted into a hash format that can be cracked; fortunately, John the Ripper can do that too. I saved the output as a text file.

Now just use john to crack the passphrase.
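As an added defender-side example (my code, not from the original write-up), the audit below covers both findings from this part of the room: it walks a home tree for private keys that other local users can read, which is the exposure that let jan reach kay's key, and it parses each key's header to tell whether it is passphrase-protected, which is what decided whether John had to be used at all. The user names are borrowed from the post; the key files are constructed dummies with genuine headers, not real keys.

```python
import base64, pathlib, stat, struct, tempfile
MAGIC = b"openssh-key-v1\x00"  # leading bytes of an OpenSSH-format key blob

def key_is_encrypted(text: str) -> bool:
    """True if the key needs a passphrase (OpenSSH and legacy PEM formats)."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        (n,) = struct.unpack(">I", blob[len(MAGIC):len(MAGIC) + 4])  # cipher name length
        return blob[len(MAGIC) + 4:len(MAGIC) + 4 + n] != b"none"
    # Legacy PEM keys mark encryption with a Proc-Type header line.
    return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines)

def find_exposed_keys(home_root: str) -> list:
    """Sorted (relative path, encrypted) for private keys group/others can read."""
    hits = []
    for path in pathlib.Path(home_root).rglob("*"):
        if not path.is_file():
            continue
        text = path.read_text(errors="ignore")
        mode = stat.S_IMODE(path.stat().st_mode)
        if "PRIVATE KEY-----" in text[:64] and mode & (stat.S_IRGRP | stat.S_IROTH):
            hits.append((str(path.relative_to(home_root)), key_is_encrypted(text)))
    return sorted(hits)

def fake_openssh_key(cipher: str) -> str:
    """Constructed key text: genuine magic and cipher field, dummy remainder."""
    body = MAGIC + struct.pack(">I", len(cipher)) + cipher.encode() + b"\x00" * 8
    b64 = base64.b64encode(body).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"

LEGACY_ENCRYPTED = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                    "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\nAAAA\n"
                    "-----END RSA PRIVATE KEY-----\n")  # constructed, not a real key

def build_demo_homes() -> str:
    """Constructed /home look-alike; user names borrowed from the write-up."""
    root = tempfile.mkdtemp()
    samples = {  # relative path: (contents, mode)
        "kay/.ssh/id_rsa": (LEGACY_ENCRYPTED, 0o644),                # exposed, has passphrase
        "kay/.ssh/id_ed25519": (fake_openssh_key("none"), 0o644),    # exposed, no passphrase
        "jan/.ssh/id_rsa": (fake_openssh_key("aes256-ctr"), 0o600),  # owner-only: not reported
    }
    for rel, (content, mode) in samples.items():
        path = pathlib.Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
        path.chmod(mode)
    return root
```

Run find_exposed_keys("/home") as root on a real host; any hit with encrypted=False is a key an attacker can use without cracking anything, and a hit with a weak passphrase is only one John run away from the same result.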

Logging in again and entering the cracked passphrase succeeded. As user kay, I was able to read the file.

Thanks for reading; I hope this blog helps you in some way. If there are ways I can improve, please reach out to me.
