Difficulty level: Easy
Aim: capture two flags (user and root)
The IP address of the target can be obtained via arp-scan:
sudo arp-scan --interface=eth1 192.168.56.100/24
We can then scan the target with nmap to determine open ports and services:
nmap -sC -sV -vv 192.168.56.109
The output from nmap shows the following open ports and services:
- port 21/tcp - FTP - vsftpd 3.0.3
- port 22/tcp - SSH - OpenSSH 7.9p1
- port 80/tcp - HTTP - Apache httpd server 2.4.38
- port 139/tcp - SMB - Samba
- port 445/tcp - SMB - Samba
Let's take a look at the HTTP service running on port 80:
I initially ran a scan with gobuster to brute-force hidden files and directories, but this did not return anything of use:
gobuster dir -u http://192.168.56.109 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
From here, I decided to create a custom wordlist based on the content of the above webpage:
cewl -w wordlist.txt http://192.168.56.109
At this stage, the only other option to explore was the SMB service.
enum4linux can be used to enumerate SMB on Linux and Windows systems to discover shares on a device, password policies, user listings etc:
This reveals a user called 'johannes' which can be used with our custom wordlist to potentially brute-force the FTP and/or SSH login.
I decided to try brute-forcing the SSH service first, using the above information:
hydra -l johannes -P wordlist.txt 192.168.56.109 ssh
Success! We have a password for johannes.
(N.B. this username and password combination also works for the FTP service)
We can now login to the SSH service:
The user.txt flag can be found in the home directory of johannes:
Within the /Desktop directory of the current user there is a file named .creds which contains a Base64 encoded string:
This can be decoded by running:
echo "MjBLbDdpUzFLQ2FuaU84RFdNemg6dG9vcg==" | base64 -d
The output from this reveals the root credentials in reverse.
To reverse this string into the correct format we can run:
echo "20Kl7iS1KCaniO8DWMzh:toor" | rev
From here we can su to the root user and obtain the root.txt flag from the /root directory:
Please feel free to contact me via Twitter and thanks for reading.