Solving the Basic Pentesting CTF | TryHackMe


The Machine IP : 10.10.230.23

Information Gathering

The first step is to perform a port scan using Nmap.

I used the following command:

sudo nmap -sS -sC -sV 10.10.230.23

The result showed three important ports with corresponding services:

SSH on port 22
HTTP on port 80
SMB on port 445

When I opened the HTTP service, I found a web page:

I used the tool Dirb to check if there were any hidden files or directories.

I found a hidden directory named 'development'. When I opened it, I discovered two files inside:

dev.txt
j.txt

When I opened the file dev.txt, I found the Apache version, which is 2.5.12.

I also discovered two usernames starting with 'j' and 'k'.

As for the j.txt file, I discovered that the password was weak.

So far I have gathered several hints, and the work on the HTTP service is done. Now I'll focus on the SMB service.

A good rule of thumb: whenever an SMB service is exposed, run the enum4linux tool against it.

When I ran enum4linux, the output revealed two usernames that matched the hints I had: kay and jan.

At this point, the only service left to exploit was SSH, which requires a password. To guess the password, I decided to use Hydra, one of the best-known tools for online password brute-forcing. Since the goal was password guessing, I chose the rockyou wordlist, as it is one of the most effective wordlists for this purpose.

After running Hydra with the rockyou wordlist, I successfully cracked the password, which turned out to be armando.
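From the defender's side, the Hydra run above leaves an unmistakable trace in sshd's auth log: a burst of "Failed password" lines from one source, followed by an "Accepted password" from the same address. The following Python example is added here and is not part of the original write-up; the log lines, the attacker address 192.0.2.77 and the timestamps are constructed for the example, and the threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd auth.log lines (not captured from the CTF box).
SAMPLE_AUTH_LOG = """\
Jan 10 12:00:01 target sshd[1201]: Failed password for jan from 192.0.2.77 port 40001 ssh2
Jan 10 12:00:01 target sshd[1202]: Failed password for jan from 192.0.2.77 port 40002 ssh2
Jan 10 12:00:02 target sshd[1203]: Failed password for jan from 192.0.2.77 port 40003 ssh2
Jan 10 12:00:02 target sshd[1204]: Failed password for invalid user admin from 192.0.2.77 port 40004 ssh2
Jan 10 12:00:03 target sshd[1205]: Failed password for jan from 192.0.2.77 port 40005 ssh2
Jan 10 12:00:04 target sshd[1206]: Accepted password for jan from 192.0.2.77 port 40006 ssh2
Jan 10 12:05:00 target sshd[1300]: Failed password for kay from 198.51.100.9 port 50001 ssh2
Jan 10 12:30:00 target sshd[1301]: Accepted publickey for kay from 198.51.100.9 port 50002 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

WINDOW_SECONDS = 60   # assumed sliding window for counting failures
FAIL_THRESHOLD = 5    # assumed number of failures that counts as a burst

def detect_bruteforce(log_text, year=2024):
    """Return alerts as (kind, ip, user, failure_count) tuples.

    'bruteforce' fires once per IP when FAIL_THRESHOLD failures land inside
    WINDOW_SECONDS; 'success_after_bruteforce' fires when that IP then logs in.
    """
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    bursting = set()               # ips already flagged as brute-forcing
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # unrelated sshd line (or a format this parser does not handle)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            recent = [t for t in failures[ip] if (ts - t).total_seconds() <= WINDOW_SECONDS]
            recent.append(ts)
            failures[ip] = recent
            if len(recent) >= FAIL_THRESHOLD and ip not in bursting:
                bursting.add(ip)
                alerts.append(("bruteforce", ip, user, len(recent)))
        elif ip in bursting:
            alerts.append(("success_after_bruteforce", ip, user, len(failures[ip])))
    return alerts
```

The "success_after_bruteforce" alert is the one worth paging on: a single burst may be a misconfigured client, but a login from the same source right after the burst is the outcome of a successful guessing attack.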

Now that I had the username jan and the password armando, I used them to log in to the SSH service.

When I first logged into the server and ran the ls command, I didn't find anything. So I went up one directory with cd .. and ran ls again, which revealed a folder named kay. I navigated into it with cd kay and then ran ls -lah. Here's what I found:

After several attempts to navigate through the directories, I entered the .ssh folder and ran ls. Here are the files I found:

authorized_keys
id_rsa
id_rsa.pub

I knew that I could use the id_rsa private key to gain access to the server. So I copied its contents to my local machine. Then I used the ssh2john tool to convert the key into a hash and saved the output in a file called id_rsa.hash. After that, I ran john with the rockyou wordlist to crack the hash, and I successfully obtained the passphrase, which was beeswax.

Once I had the passphrase beeswax, I used the following command to access the server via SSH with the user jan:

ssh -i /home/kay/.ssh/id_rsa kay@10.10.230.23

After entering the passphrase beeswax, I successfully logged in. I then ran ls and found a file named pass.bak. I used the cat command to view its contents, and there was the flag:

heresareallystrongpasswordthatfollowsthepasswordpolicy$$

Here's a summary of the answers:

What is the name of the hidden directory on the web server?
development

What is the username?
jan

What is the password?
armando

What service do you use to access the server?
SSH

What is the name of the other user you found?
kay

What is the final password you obtain?
heresareallystrongpasswordthatfollowsthepasswordpolicy$$

In the end, we exploited the weaknesses in the machine's exposed services by following a methodical approach and choosing the right tools at each step: nmap, enum4linux, hydra, and ssh2john. With these tools and techniques we identified the username and password and ultimately obtained the flag that marks the challenge as solved. This exercise helped me sharpen my penetration testing skills and deepen my understanding of the tools commonly used in the field.
