THM – Basic Pentesting write-up

A not-so-basic challenge

The challenge is available here.

As always, let's start by connecting to OpenVPN and launching the room. Once we get an IP address, run Nmap to see which ports are open.

nmap 10.10.120.204 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-11-13 14:32 EST
Nmap scan report for 10.10.120.204
Host is up (0.044s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
8009/tcp open  ajp13
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 0.85 seconds

As you can see, there are a lot of open ports, but for now let's focus on port 80. Paste the IP address into a browser and see what the index page looks like.

We can't see much here, and the only clue is a comment in the page source saying we should check out the dev notes. Since we don't know where those are, let's enumerate the application's directories with dirsearch.

It found a not-so-hidden directory called /development/. The name of this directory is our 1st answer. Now we should go and check out what it contains.

It seems we found the dev notes the comment was talking about 😀. Now it's time to check out the contents of these files.

As you can see, there are a few key things we can learn here:

  • There are two users, J and K.
  • There is an SMB server running on the host.
  • J has a very weak password.

The other information listed there is a so-called rabbit hole and we don't need it. As our next step, we should enumerate the SMB service running on the server. I found a few ways to do it, like nmblookup, nbtscan and smbmap; however, these tools yielded results that did not move the challenge forward. Fortunately, I found a tool called enum4linux (installed by default on Kali) that does what all of the above-mentioned tools can and much more. So let's run it. For the sake of clarity, I only included the results that are interesting for us.

From this we can see that our two users are jan (J) and kay (K), so we have the answers to two more questions.

Now for the next step: we know that jan has a very weak password, and from the Nmap scan we also know that the server has SSH enabled. With this information, we can try to brute-force the password and log in via SSH. To do this I found two very easy-to-use tools, hydra and xhydra. They are basically the same tool, but Hydra is CLI only while xHydra is a GUI app, so run whichever you like better.

hydra -l jan -P /path/to/pwlist -t <number_of_threads> <target_ip> <target_protocol>

As we can see, it cracked jan's password, which is armando. With that, we have another answer. Now let's log in via SSH. When we start looking around we notice that we are able to read most of the files inside /home/kay/. Since we used SSH, let's check out the /home/kay/.ssh/ directory, where we find that we can read a file called id_rsa. Try to cat the file, since id_rsa is the most commonly used name for an SSH private key.
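From the defender's side, the Hydra run above leaves a very recognisable trace in sshd's log: a burst of "Failed password" lines for one user from one source, immediately followed by an "Accepted password" line. The following detector is an added example and not part of the original write-up; the auth.log lines, host name, addresses and the assumed year 2023 are all constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines in the syslog format sshd writes to /var/log/auth.log.
# Host name, PIDs, source addresses and timestamps are made up for this example.
SAMPLE_LOG = """\
Nov 13 14:40:01 basic2 sshd[1201]: Failed password for jan from 10.9.1.50 port 51002 ssh2
Nov 13 14:40:01 basic2 sshd[1202]: Failed password for jan from 10.9.1.50 port 51004 ssh2
Nov 13 14:40:02 basic2 sshd[1203]: Failed password for jan from 10.9.1.50 port 51006 ssh2
Nov 13 14:40:02 basic2 sshd[1204]: Failed password for invalid user admin from 10.9.1.50 port 51008 ssh2
Nov 13 14:40:03 basic2 sshd[1205]: Failed password for jan from 10.9.1.50 port 51010 ssh2
Nov 13 14:40:03 basic2 sshd[1206]: Accepted password for jan from 10.9.1.50 port 51012 ssh2
Nov 13 14:45:10 basic2 sshd[1300]: Failed password for kay from 10.9.1.77 port 40000 ssh2
Nov 13 14:46:00 basic2 sshd[1301]: Accepted publickey for kay from 10.9.1.77 port 40002 ssh2
"""

# Matches both successful and failed password/publickey logins, including "invalid user".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse(lines, year=2023):
    """Turn raw auth.log lines into (timestamp, result, user, ip) tuples (syslog has no year; assumed)."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def detect_bruteforce(lines, threshold=4, window_s=60):
    """Flag source IPs with >= threshold failures inside window_s seconds.
    success_after_burst is True when that IP later got an 'Accepted' line,
    i.e. the guessing most likely worked and the account should be treated as compromised."""
    by_ip = defaultdict(list)
    for ts, result, user, ip in sorted(parse(lines)):
        by_ip[ip].append((ts, result))
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [ts for ts, r in evs if r == "Failed"]
        start, burst_end = 0, None
        for i, ts in enumerate(fails):          # sliding window over sorted failure times
            while (ts - fails[start]).total_seconds() > window_s:
                start += 1
            if i - start + 1 >= threshold:
                burst_end = ts
        if burst_end is not None:
            success = any(r == "Accepted" and ts >= burst_end for ts, r in evs)
            alerts[ip] = {"failures": len(fails), "success_after_burst": success}
    return alerts
```

Run against the sample, only 10.9.1.50 is flagged (5 failures in under a minute, then a successful password login), while kay's single typo followed by a key-based login is not.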

As we can see, this is indeed an RSA private key, but we can also notice that it is encrypted. This means that even if we copy the file, we would still need its passphrase to use it for SSH. We have to crack it, and for that we are going to use john. To do so, we need to convert the key into a format john can understand. For this task I found ssh2john, which converts the content of the key file into a hash john can work on.

So first we save the whole content of id_rsa into a file on our computer, e.g. kay.hash. Then we run ssh2john on it and redirect the output to another file, e.g. 4john.txt. Now the only thing left is to run john and crack the passphrase.

john 4john.txt --wordlist=/path/to/wordlist

It cracked the passphrase of the SSH key. Our next step is to use the key to log in as kay.

ssh -i kay.hash kay@10.10.120.204

After supplying the passphrase, it lets us in. If we look around in the home directory we can see a file named pass.bak; let's cat it.

cat pass.bak

heresareallystrongpasswordthatfollowsthepasswordpolicy$$

With this we have our last flag and have completed the challenge.

I am planning on writing a post about the vulnerabilities in this challenge and how to deal with these in a real-world pentest.

Thank you for reading!
Sincerely,
B4D4M.
