Basic Pentesting: A Beginner CTF Walkthrough

In our Basic Pentesting CTF, we’re going to get right down to it. If you’ve walked through our other CTFs, A Simple CTF and the Pickle Rick CTF, you know the drill: begin with an nmap scan, find that port 80 is active, and search for common web pages and directories. Look for framework clues and any applicable CVEs. In the Basic Pentesting CTF, cracking is finally going to work!

nmap -p- --min-rate 1000 -T4 targetIP

Reveals:

22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds

New to us in our CTF journey are ports 139 and 445, which carry SMB, Microsoft’s file-sharing protocol (139 is SMB over NetBIOS, 445 is SMB directly over TCP). Port 139 is also commonly used for printer sharing, which can introduce some gnarly vulnerabilities. As per usual, port 80 is open, so we browse to targetIP. We see the message “Undergoing maintenance,” which gives us hope because it likely means configurations are in a state of disarray. Inspecting the HTML reveals a semi-hidden developer-to-developer comment: “Check our dev note section if you need to know what to work on.” We could build a wordlist of “dev” variations and run Gobuster against it, but something like it is probably already in common.txt.

gobuster dir -u targetIP -w /usr/share/wordlists/dirb/common.txt

…reveals the directory development. Visiting it gives us two text files, dev.txt and j.txt, which say the following, respectively:


2018-04-23: I’ve been messing with that struts stuff, and it’s pretty cool! I think it might be neat
to host that on this server too. Haven’t made any real web apps yet, but I have tried that example
you get to show off how it works (and it’s the REST version of the example!). Oh, and right now I’m
using version 2.5.12, because other versions were giving me trouble. -K

2018-04-22: SMB has been configured. -K

2018-04-21: I got Apache set up. Will put in our content later. -J


For J:

I’ve been auditing the contents of /etc/shadow to make sure we don’t have any weak credentials,
and I was able to crack your hash really easily. You know our password policy, so please follow
it? Change that password ASAP.

-K


These two messages essentially give us two paths to follow. The first gives us enough information about the framework (Struts 2.5.12 with the REST example) to pursue CVE-2017-9805, likely using Metasploit. This might be the fastest and easiest way forward, but since I’ve used Metasploit in CTFs before, I’m going to pursue the latter: cracking J’s password.

The THM answer fields suggest we can brute force both the username and password. But what if that’s not necessary? We’re already suspicious that configurations are in disarray, so let’s try to log into SMB anonymously:

smbclient -L targetIP -N

Reveals:

Sharename       Type      Comment
Anonymous       Disk
IPC$            IPC       IPC Service (Samba Server 4.15.13-Ubuntu)

Meaning that we can log in anonymously! And there’s a share to explore!

smbclient //targetIP/Anonymous -N

We see staff.txt. Let’s “get” it. Get it? At the smb prompt:

get staff.txt

Reading it locally, we see:


Announcement to staff:

PLEASE do not upload non-work-related items to this share. I know it’s all in fun, but
this is how mistakes happen. (This means you too, Jan!)

-Kay
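The anonymous share above is a Samba configuration problem, not an SMB protocol problem. The following is an added example (not part of the original walkthrough, and not the room’s real smb.conf): two constructed smb.conf fragments, the weak one reproducing the symptom we just exploited (a share readable with no credentials and failed logins mapped to the guest account) next to a hardened counterpart, plus a small audit function that parses an smb.conf and reports credential-free access. The share name, path and the @staff group are assumptions for illustration.

```python
import configparser

# Constructed smb.conf fragments (not the room's real config). The weak one reproduces the
# symptom from the walkthrough: a share listable and readable with no credentials.
WEAK_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = Samba Server
   security = user
   map to guest = Bad User

[Anonymous]
   path = /samba/anonymous
   browseable = yes
   writable = yes
   guest ok = yes
"""

# Hardened counterpart: failed logins are never mapped to guest, anonymous (null-session)
# access is refused, and the share only admits authenticated members of the staff group.
HARDENED_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = Samba Server
   security = user
   map to guest = Never
   restrict anonymous = 2

[Anonymous]
   path = /samba/anonymous
   browseable = no
   writable = no
   guest ok = no
   valid users = @staff
"""

TRUE_VALUES = {"yes", "true", "1"}


def _flag(section, *names, default="no"):
    """Samba accepts synonyms (guest ok/public, writable/writeable); check any of them."""
    for name in names:
        if name in section:
            return section[name].strip().lower() in TRUE_VALUES
    return default in TRUE_VALUES


def audit_smb_conf(text):
    """Return a list of findings describing credential-free access the config allows."""
    # smb.conf is INI-like; disable interpolation so values such as %U are left alone
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    if cp.has_section("global"):
        mode = cp["global"].get("map to guest", "Never").strip()
        if mode.lower() != "never":
            findings.append(f"global: map to guest = {mode} turns failed logins into guest sessions")
    for name in cp.sections():
        if name.lower() in ("global", "printers", "print$"):
            continue
        share = cp[name]
        if _flag(share, "guest ok", "public"):
            writable = _flag(share, "writable", "writeable") or (
                "read only" in share and not _flag(share, "read only"))
            sev = "high (guest can write)" if writable else "medium (guest can read)"
            findings.append(f"[{name}]: guest ok = yes, no credentials required, severity {sev}")
        if _flag(share, "guest only"):
            findings.append(f"[{name}]: guest only forces every connection onto the guest account")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(label, audit_smb_conf(conf) or ["no findings"])
```

Run it against a real /etc/samba/smb.conf by passing the file contents to audit_smb_conf; “guest ok = yes” on a writable share is the finding that matters most, since it is exactly what lets a null session list and download files the way smbclient -N did above.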


We now have the usernames jan and kay and, from our earlier reading, can assume that Jan has a weak password and Kay’s is robust. If SSH doesn’t throttle us, we can try to brute force Jan’s password using Hydra.

hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://targetIP

Rockyou.txt is a famous, real world password dump from the ‘oughts. As such, most of the passwords have something to do with iCarly. Always keep in mind the lesson regarding rockyou.txt from the A Simple CTF Walkthrough. This time, cracking works and we get the password “armando.”
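Hydra only works here because nothing on the box notices dozens of failed logins for the same user from the same address in a few seconds. As an added example (not from the original walkthrough), here is the detection logic a defender would run over sshd’s auth log: a sliding-window count of failed password attempts per (source, user) that raises a medium alert on a burst and a high alert if that pair then logs in successfully. The log lines are constructed to look like sshd’s, with hostnames, PIDs and addresses invented for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth.log excerpt (not a real capture): a short burst of failures for one
# user from one address, a stray failure from elsewhere, then a success for the same pair.
SAMPLE_AUTH_LOG = """\
Apr 23 10:15:01 basic sshd[2101]: Failed password for jan from 10.0.0.5 port 40001 ssh2
Apr 23 10:15:02 basic sshd[2103]: Failed password for jan from 10.0.0.5 port 40002 ssh2
Apr 23 10:15:02 basic sshd[2105]: Failed password for jan from 10.0.0.5 port 40003 ssh2
Apr 23 10:15:03 basic sshd[2107]: Failed password for invalid user admin from 10.0.0.9 port 51000 ssh2
Apr 23 10:15:03 basic sshd[2109]: Failed password for jan from 10.0.0.5 port 40004 ssh2
Apr 23 10:15:04 basic sshd[2111]: Failed password for jan from 10.0.0.5 port 40005 ssh2
Apr 23 10:15:05 basic sshd[2113]: Failed password for jan from 10.0.0.5 port 40006 ssh2
Apr 23 10:15:06 basic sshd[2115]: Accepted password for jan from 10.0.0.5 port 40007 ssh2
Apr 23 10:20:00 basic sshd[2200]: Accepted publickey for kay from 10.0.0.5 port 40100 ssh2
"""

# Only the sshd lines that matter for password guessing: failures and the success that
# may follow them. Syslog timestamps carry no year, so strptime fills in 1900.
SSHD_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$"
)


def parse_sshd_line(line):
    """Return a dict for an authentication result line, or None for anything else."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),
            "result": m["result"], "method": m["method"],
            "user": m["user"], "src": m["src"]}


def detect_password_guessing(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window count of failed password logins per (source, user).

    Emits a 'medium' alert once `threshold` failures fall inside `window`, and a 'high'
    alert if that same (source, user) pair later authenticates successfully.
    """
    recent = defaultdict(deque)   # (src, user) -> timestamps of failures inside the window
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_sshd_line(line)
        if ev is None:
            continue
        key = (ev["src"], ev["user"])
        if ev["result"] == "Failed" and ev["method"] == "password":
            q = recent[key]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append({"severity": "medium", "src": ev["src"], "user": ev["user"],
                               "failures": len(q), "at": ev["ts"].strftime("%H:%M:%S"),
                               "reason": "password guessing burst"})
        elif ev["result"] == "Accepted" and key in flagged:
            alerts.append({"severity": "high", "src": ev["src"], "user": ev["user"],
                           "failures": len(recent[key]), "at": ev["ts"].strftime("%H:%M:%S"),
                           "reason": "successful login after guessing burst"})
    return alerts


if __name__ == "__main__":
    for alert in detect_password_guessing(SAMPLE_AUTH_LOG.splitlines()):
        print(alert)
```

Keying on (source, user) catches a single account being hammered, which is Hydra’s pattern here; keying on source alone would also catch one address spraying many users. The high-severity path is the one worth paging on, because a success after a burst is exactly the moment Jan’s “armando” landed.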

Logging in as Jan via SSH, the id and sudo -l commands show that she has no sudo privileges. Navigating to Kay’s home directory and ls -la'ing, we see that we were right about her using robust credentialing: she uses SSH keys. Changing into the .ssh directory we see id_rsa. Let’s get, er, SCP it. SCP runs over SSH. Here’s the command (if it doesn’t work, try the IP instead of the alias):

scp jan@targetIP:/home/kay/.ssh/id_rsa ./kay_id_rsa

This copies id_rsa into whatever directory our Kali machine is currently in, ideally the folder you’ve set up specifically for this CTF, and renames it kay_id_rsa. To log in as Kay, we have to hold her private key (id_rsa/kay_id_rsa) locally, use a login command that forces key authentication instead of passwords, AND enter the key’s passphrase when prompted. Lucky for us, the passphrase can be cracked offline from the key file itself! But first, let’s fix its permissions, since ssh refuses to use a private key that other users can read:

chmod 600 kay_id_rsa

Now, to crack it, we first have to turn the key into a hash format that John can work on:

ssh2john kay_id_rsa > kay_key.hash

Now we run the hash against rockyou.txt:

john kay_key.hash --wordlist=/usr/share/wordlists/rockyou.txt

And we get the passphrase: beeswax

Now we log into SSH, forcing the use of Kay’s no-longer private keys and enter in the passphrase when prompted:

ssh -i kay_id_rsa -o PubkeyAuthentication=yes -o PasswordAuthentication=no kay@targetIP

If we cat pass.bak we get the final flag: heresareallystrongpasswordthatfollowsthepasswordpolicy$$
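Kay’s key fell for two reasons: another user could read the file, and its passphrase was in rockyou.txt, so ssh2john and john had an easy job. As an added example (not from the original walkthrough), here is a header-only inspector for SSH private keys that reports how a key is protected at rest, with an audit function that flags loose permissions, missing passphrases and weak key derivation. It parses the modern openssh-key-v1 container (cipher and KDF names sit in the clear ahead of the encrypted section) and legacy PEM headers, without decrypting anything. The sample keys are constructed in the block and are not usable keys; the 16-round figure is ssh-keygen’s documented default.

```python
import base64
import os
import stat
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(data):
    """SSH wire-format string: big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf, offset):
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + length], start + length


def inspect_private_key(text):
    """Parse only the headers of an SSH private key and report how it is protected."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines:
        raise ValueError("empty key file")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(lines[1:-1]))
        if not body.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_string(body, off)   # "none" means no passphrase at all
        kdf, off = _read_string(body, off)
        kdfopts, off = _read_string(body, off)
        rounds = None
        if kdf == b"bcrypt":                    # kdfoptions = string salt || uint32 rounds
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        return {"format": "openssh-key-v1", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": rounds}
    if lines[0].startswith("-----BEGIN ") and lines[0].endswith(" PRIVATE KEY-----"):
        headers = {}                            # legacy PEM: RFC 1421 Proc-Type / DEK-Info
        for ln in lines[1:]:
            if ":" not in ln:
                break
            k, v = ln.split(":", 1)
            headers[k.strip()] = v.strip()
        encrypted = headers.get("Proc-Type", "").endswith("ENCRYPTED")
        cipher = headers["DEK-Info"].split(",")[0] if encrypted else "none"
        # Legacy PEM derives the key with OpenSSL's EVP_BytesToKey: a single MD5 pass.
        return {"format": "pem", "encrypted": encrypted, "cipher": cipher,
                "kdf": "EVP_BytesToKey-MD5" if encrypted else "none",
                "rounds": 1 if encrypted else None}
    raise ValueError("unrecognised private key format")


def audit_key(text, mode):
    """Findings for one key given its contents and permission bits (e.g. 0o644)."""
    findings = []
    if mode & 0o077:
        findings.append(f"mode {oct(mode)} grants group/other access; expected 0o600")
    info = inspect_private_key(text)
    if not info["encrypted"]:
        findings.append("no passphrase: anyone who reads the file can use the key")
    elif info["format"] == "pem":
        findings.append("legacy PEM encryption: single-round MD5 KDF, fast to guess offline")
    elif info["rounds"] is not None and info["rounds"] < 16:
        findings.append(f"bcrypt rounds={info['rounds']} below ssh-keygen's default of 16")
    return findings


def audit_key_file(path):
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path) as fh:
        return audit_key(fh.read(), mode)


def _constructed_openssh_key(cipher, kdf, salt=b"", rounds=0):
    """Constructed test input: an openssh-key-v1 container with only header fields set."""
    kdfopts = (_ssh_string(salt) + struct.pack(">I", rounds)) if kdf == b"bcrypt" else b""
    body = (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(kdfopts)
            + struct.pack(">I", 1) + _ssh_string(b"") + _ssh_string(b""))
    b64 = base64.b64encode(body).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


ENCRYPTED_KEY = _constructed_openssh_key(b"aes256-ctr", b"bcrypt", salt=bytes(16), rounds=16)
PLAINTEXT_KEY = _constructed_openssh_key(b"none", b"none")
LEGACY_PEM_KEY = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

QUJD
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for label, key in (("encrypted", ENCRYPTED_KEY), ("plaintext", PLAINTEXT_KEY), ("pem", LEGACY_PEM_KEY)):
        print(label, inspect_private_key(key), audit_key(key, 0o644))
```

Point audit_key_file at ~/.ssh/id_rsa to check a real key. Note what the tool cannot tell you: a bcrypt-protected key with a high round count is still only as strong as its passphrase, and “beeswax” in rockyou.txt is the reason this box fell, which is why the password-policy note in j.txt was the real finding.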

And that’s it! The primary lesson of this CTF is that enumeration wins boxes. The more thoroughly you enumerate users, shares, and services, the fewer “guesses” you need later. If you’re new to TryHackMe or trying to build confidence before harder rooms, this one earns its place on the list of Top 10 TryHackMe CTFs for Beginners. Join us in the https:tiny.url/csmmDiscord Friday Nights 8PM EST and help us tackle more CTFs! Or, check out the Livestreaming Schedule on the homepage and follow along during our live walkthroughs!
