Walkthrough: Basic Pentesting - TryHackMe.

Link to the room

In this set of tasks we’ll be using:

  • Brute forcing
  • Hash cracking
  • Service enumeration
  • Linux Enumeration

The first task is to find the services exposed by the machine. We use nmap with default scripts (-sC) and version detection (-sV):

┌──(kali㉿kali)-[~/Documents]
└─$ nmap -sC -sV ip-address

Results:

Port Number | Service Name
----------- | -------------------
22          | SSH
80          | HTTP
139         | SAMBA
445         | SAMBA
8009        | APACHE Jserv
8080        | APACHE Tomcat

Then we are asked for the name of the hidden directory on the web server. To look for hidden directories we use dirbuster or gobuster:

┌──(kali㉿kali)-[~/Documents]
└─$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u ip-address

This will give us the hidden directory.

After that we need to find a user account, meaning a username and password. Back in the nmap results we saw that Samba services are running, so we use enum4linux to enumerate the usernames.

┌──(kali㉿kali)-[~/Documents]
└─$ enum4linux -a ip-address

This gives us the usernames. To find the password we run Hydra against SSH with rockyou.txt as the password list.

┌──(kali㉿kali)-[~/Documents]
└─$ hydra -l username -P /usr/share/wordlists/rockyou.txt ssh://ip-address

With these credentials we'll be able to log in via SSH.
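From the defender's side, the Hydra step above leaves a very recognisable trace in sshd's auth log: a burst of failed logins from one source address, followed by a successful login once a guess lands. The following script is an added example, not part of the original walkthrough or the room; it runs a sliding-window detector over a constructed auth.log excerpt (the host name, PIDs, addresses and the user "kay" are sample values, and the year is assumed because syslog lines do not carry one).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd auth.log excerpt (syslog format) for this example; not from the room.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 target sshd[2210]: Failed password for kay from 10.10.14.5 port 51234 ssh2
Mar  3 10:15:01 target sshd[2211]: Failed password for kay from 10.10.14.5 port 51236 ssh2
Mar  3 10:15:02 target sshd[2212]: Failed password for invalid user admin from 10.10.14.5 port 51238 ssh2
Mar  3 10:15:02 target sshd[2213]: Failed password for kay from 10.10.14.5 port 51240 ssh2
Mar  3 10:15:03 target sshd[2214]: Failed password for kay from 10.10.14.5 port 51242 ssh2
Mar  3 10:15:04 target sshd[2215]: Accepted password for kay from 10.10.14.5 port 51244 ssh2
Mar  3 10:40:00 target sshd[2300]: Failed password for kay from 192.168.1.20 port 40000 ssh2
Mar  3 11:00:00 target sshd[2400]: Accepted publickey for kay from 192.168.1.20 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_events(log_text, year=2024):
    """Yield (timestamp, result, user, ip) per sshd auth line; the year is assumed."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Flag source IPs with >= threshold failed logins inside any window_s-second span,
    and record whether that IP later authenticated successfully (guess-then-login)."""
    events = sorted(parse_events(log_text))
    recent = defaultdict(list)   # ip -> failure timestamps still inside the window
    alerts = {}
    for ts, result, user, ip in events:
        if result == "Failed":
            recent[ip].append(ts)
            recent[ip] = [t for t in recent[ip] if (ts - t).total_seconds() <= window_s]
            if len(recent[ip]) >= threshold and ip not in alerts:
                alerts[ip] = {"first_seen": recent[ip][0], "failures": len(recent[ip]),
                              "success_after": None}
        elif result == "Accepted" and ip in alerts and alerts[ip]["success_after"] is None:
            alerts[ip]["success_after"] = user   # the account the attacker got into
    return alerts
```

Five failures within a minute is a deliberately low threshold for a lab box; on a real host tune it against normal fat-finger rates, and treat "success_after" being set as the alert that needs a response, not just a block.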

To enumerate vulnerabilities and privilege escalations we can use linPEAS.

We can use the scp command to copy files between a local and a remote system, so we'll be using that to copy linPEAS to the target machine.

┌──(kali㉿kali)-[~/Documents]
└─$ scp localFileDir user@ip-address:remoteFileDir

Running linPEAS finds a private SSH RSA key belonging to Kay. We cat the private key file, but it is passphrase protected. We can use John the Ripper to brute force the passphrase: first we run ssh2john.py to convert the key into a hash john understands, then we run john against it with rockyou.txt. This gives us the other user's passphrase, and with that user we have access to the flag that finishes the CTF.