hydra

All posts tagged hydra

Walkthrough of an initial enumeration of a Windows machine.

Challenge Questions

We can answer most of the questions with a slightly more sophisticated Nmap scan, but I’ll present other routes as well.

What is the highest port number being open less than 10,000?

There is an open port outside the common 1000 ports; it is above 10,000. What is it?

How many TCP ports are open?

What is the flag hidden in the HTTP server header?

What is the version of the FTP server listening on a non-standard port?

Optionally, we could get the HTTP server header with the Telnet tool.

As a last resort, we could also get it with curl.

The next question is answered with the Hydra password cracker, specifying the non-standard FTP port in use.

We learned two usernames using social engineering: eddie and quinn. What is the flag hidden in one of these two account files and accessible via FTP?

The final question is completed by browsing to the machine in the browser and initiating an Nmap TCP Null scan. This is the least obtrusive type of Nmap scan, with no TCP flags set in the packet. The target is puzzled by it and does not reply, which is the indication that the port is open. If the target responds with a reset (RST) packet, the port is closed on the device.

What is the flag?
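As an added, defender-side example that is not part of the original post: a small Python parser that picks flag-less TCP segments out of raw IPv4 frames and reports sources that probed several ports that way, which is exactly the traffic a Null scan produces. The frames are constructed inline (checksums left at zero, since only headers are inspected); the addresses and ports are sample values.

```python
import struct
from collections import defaultdict

TCP_PROTO = 6

def parse_ipv4_tcp(frame: bytes):
    """Return (src_ip, dst_port, tcp_flags) from a raw IPv4/TCP frame, or None if not IPv4/TCP."""
    if len(frame) < 20 or frame[0] >> 4 != 4:
        return None
    ihl = (frame[0] & 0x0F) * 4                      # IPv4 header length in bytes
    if frame[9] != TCP_PROTO or len(frame) < ihl + 20:
        return None
    src_ip = ".".join(str(b) for b in frame[12:16])
    dst_port = struct.unpack("!H", frame[ihl + 2:ihl + 4])[0]
    flags = frame[ihl + 13]                          # TCP flag byte (CWR..FIN); 0 means a Null probe
    return src_ip, dst_port, flags

def find_null_scanners(frames, min_ports=3):
    """Map source IP -> sorted ports it probed with a flag-less segment, keeping only
    sources that touched at least min_ports distinct ports (a Null scan sends exactly such segments)."""
    probed = defaultdict(set)
    for frame in frames:
        parsed = parse_ipv4_tcp(frame)
        if parsed and parsed[2] == 0:
            probed[parsed[0]].add(parsed[1])
    return {ip: sorted(p) for ip, p in probed.items() if len(p) >= min_ports}

def build_frame(src_ip: str, dst_port: int, flags: int) -> bytes:
    """Constructed sample IPv4+TCP frame (no payload, checksums zeroed, destination 10.0.0.5)."""
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, TCP_PROTO, 0,
                         bytes(int(o) for o in src_ip.split(".")), b"\x0a\x00\x00\x05")
    tcp_hdr = struct.pack("!HHIIBBHHH", 40000, dst_port, 0, 0, 0x50, flags, 1024, 0, 0)
    return ip_hdr + tcp_hdr

# Constructed capture: 10.0.0.9 null-scans four ports, 10.0.0.7 sends a normal SYN and an ACK.
SAMPLE_FRAMES = [build_frame("10.0.0.9", p, 0x00) for p in (22, 80, 443, 8080)]
SAMPLE_FRAMES += [build_frame("10.0.0.7", 80, 0x02), build_frame("10.0.0.7", 443, 0x10)]

if __name__ == "__main__":
    print(find_null_scanners(SAMPLE_FRAMES))   # {'10.0.0.9': [22, 80, 443, 8080]}
```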

Thanks for reading and as always, any feedback is most welcome.

Walkthrough of a Linux machine exploitation attacking WordPress then privilege escalation via abuse of Jenkins.

Deployment and preparation

As per the pre-engagement briefing, to avoid any hiccups during testing, the IP address allocated to us should be added to the hosts file of our attacker machine. This way we eliminate domain name translation, having our machine reach out directly to the victim machine.

Initial enumeration

Our usual Nmap scan shows only 2 open ports, 22 and 80.

HTTP enumeration

Let’s take a closer look at this service on port 80 with another Nmap scan, which shows us that there might be some interesting directories available.

The Ffuf tool confirms this as well.

If we navigate to the link, we can not only confirm that it is indeed a WordPress site, but also that there is a user called admin who posted an entry and is probably an administrator.

Let’s try to find that admin’s password with a WPScan brute-force attack. Success.

HTTP exploitation

We manage to log in to WordPress with the credentials gathered.

During the WPScan attack above, the tool gave us a spin-off piece of information, namely that the TwentySeventeen WP theme is out of date. This might help us get a shell on the machine. Let’s get a copy of php-reverse-shell from our Kali shared folder, modify the IP address to ours and paste it into the 404.php template in the WordPress theme editor.

Then, after saving the modified 404 template, all we need to do is go to the URL at which the template is accessible.

We should receive a low-level, non-interactive “sh” reverse shell on our Netcat listener. Let’s upgrade it straight away by spawning an interactive “bash” pty shell, just to make our life a bit easier.

Lateral movement

First of all, let’s check the users on the machine. We can see that there is a user called “aubreanna”; let’s check all the files which have this name in them. Yes, there is a text file called “wp-save” in which their password is mentioned.

Now all we need to do is take over the shell as the user aubreanna and find the user flag. Let’s do that.

What is the user.txt flag?

Privilege escalation

Now we should go for the root flag, but we do not have the rights for that. Luckily there is another text file in the same directory in which the user flag was. It says there is an internal Jenkins service on 172.17.0.2 port 8080. This is confirmed: we can see a /16 range for a Docker container.

The easiest way to reach the Jenkins server, considering what is available on the machine, is to set up a local SSH port forward. The service is for internal use only and as such is not reachable remotely, but if we tunnel its port 8080 out to an arbitrary port on our attacker machine it becomes reachable for us. So, essentially, we log in to the machine via port 22 (SSH), then use the SSH service of the victim computer to mirror the internally available Jenkins service on 172.17.0.2:8080 onto port 5000.

This way we are able to reach the login page using the same port number on 127.0.0.1.

Now we need some credentials for the server. Let’s fire up Burp Suite to catch its POST request first.

Let’s feed the POST request obtained into Hydra and brute-force the login password using the user “admin”, as it has been in use for WordPress as well. Success.

Let’s log in using the credentials gathered and then navigate to the Script Console in Jenkins (Nodes -> Master). There are several reverse shells available for Jenkins; I decided to try one from the Pentesteracademy blog. All we have to do is change the IP address to our attacker machine’s and add the preferred port number.

Upon saving the script in the console, we should get back a non-interactive reverse shell on our Netcat listener, which we upgrade with our python pty trick as usual. Next let’s check the “opt” directory again, in which we found the wp-save.txt note above. We are lucky; fortunately admins stick to their habits nowadays, lol.. 🙂

OK, nice one, we’ve got the root password. Let’s check it via SSH and try to find the root flag.

What is the root.txt flag?

Thanks for reading and as always, any feedback is most welcome.

Walkthrough of a Windows machine exploitation with account credential bruteforce.

Deploying the machine

After deploying the VM, a quick Google Lens reverse image search turns up the origin of the clown.

Using Hydra to brute-force the login page

First of all, let’s start Burp to check the response from the login page.

What request type is the Windows website login form using?

We could use the default Hydra http-post-form brute-force method, but that would take way too long, around 90 hours in my case, and obviously success is not guaranteed either.

Instead we can refine the command with the response captured in Burp Suite, which delivers the result much faster.
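The same brute force seen from the web server’s side, as an added example that is not part of the original post; it serves both the Hydra run against the Jenkins login in the previous walkthrough and the http-post-form attack here. It parses constructed combined-format access log lines, counts POSTs to a login path per source within a sliding window, and records two weaker signals: Hydra’s default User-Agent string (trivially changed by an attacker) and a redirect answer following a burst, since many login forms (WordPress among them) answer a failed POST with 200 and a successful one with 302. The log lines, addresses and timestamps are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format: ip ident user [time] "METHOD path PROTO" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')

def parse_line(line: str):
    """Parse one access-log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def detect_login_bruteforce(lines, login_path, threshold=5, window_s=60):
    """Return {ip: signals} for sources that POSTed to login_path at least threshold times
    inside any window_s-second window; signals also carry the weaker indicators."""
    recent = defaultdict(deque)   # per-source timestamps of login POSTs still inside the window
    seen = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != login_path:
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_s:
            q.popleft()
        sig = seen.setdefault(rec["ip"], {"max_burst": 0, "hydra_ua": False, "redirect_after_burst": False})
        sig["max_burst"] = max(sig["max_burst"], len(q))
        sig["hydra_ua"] |= "(Hydra)" in rec["ua"]          # Hydra's default UA is "Mozilla/5.0 (Hydra)"
        if len(q) >= threshold and rec["status"] in (302, 303):
            sig["redirect_after_burst"] = True             # a likely success right after the burst
    return {ip: s for ip, s in seen.items() if s["max_burst"] >= threshold}

# Constructed log: 10.0.0.9 hammers wp-login.php and finally gets a redirect; 10.0.0.7 logs in once.
def _line(ip, sec, status, ua):
    return (f'{ip} - - [10/Mar/2023:12:00:{sec:02d} +0000] "POST /wp-login.php HTTP/1.1" '
            f'{status} 512 "-" "{ua}"')

SAMPLE_LOG = [_line("10.0.0.9", s, 200, "Mozilla/5.0 (Hydra)") for s in range(0, 25, 5)]
SAMPLE_LOG += [_line("10.0.0.9", 30, 302, "Mozilla/5.0 (Hydra)"),
               _line("10.0.0.7", 31, 302, "Mozilla/5.0 (X11; Linux x86_64) Firefox/110.0")]

if __name__ == "__main__":
    print(detect_login_bruteforce(SAMPLE_LOG, "/wp-login.php"))
```

Raising the threshold or shortening the window tunes it to the site’s normal login rate; the redirect signal is what separates a noisy failed run from one that found a password.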

Compromising the machine

Now that we know the password, we are able to log in to the website as admin and do some further information gathering.

What is the version of the BlogEngine?

Let’s check the local exploit database for any potential options for this version, copy the first one from the top and open it.

What is the CVE?

As mentioned in the exploit code, first we need to change the IP address and the port number to those of our attacker machine, and then rename the file to “PostView.ascx”.

The modified and renamed file is uploaded by editing the existing “Welcome to Hackpark” post.

After that all we have to do is set up our usual Netcat listener on the same IP address and port that we configured in the exploit, and then visit the link where the file is located on the web server.

We should receive a reverse shell on our listener.

Who is the webserver running as?

Windows Privilege Escalation

For privesc purposes an upgraded shell is needed, which we achieve by generating an msfvenom reverse shell payload first and then pivoting from the existing Netcat session to a Meterpreter session.

Let’s place the created msfvenom payload into the same directory from which we are running our simple HTTP web server and download it via our existing low-level shell. First let’s navigate to the temp directory of the Windows machine, where we have write permissions, and then download the executable. All we need to do afterwards is run the file.

Then we receive a Meterpreter shell on our previously set up listener.

We can gather the necessary information for the privesc process by uploading a winPEAS executable to do the enumeration for us.

What is the OS version of this windows machine?

What is the name of the abnormal service running?

What is the name of the binary you’re supposed to exploit?

Since the “WindowsScheduler” service runs periodically and calls “Message.exe” with root privileges, all we have to do is create another msfvenom reverse shell payload, rename it to “Message.exe” and upload it to the machine.

Let’s upload the file to our working directory on the Windows machine, then copy it from there to the target directory, overwriting the original file. Then exit the shell, background the Meterpreter session and set up another reverse_tcp listener on the port the msfvenom payload was configured with. All we have to do afterwards is wait for our system shell.

What is the user flag on Jeffs Desktop?

What is the root flag?

Thanks for reading and as always, any feedback is most welcome.