SYN Stealth Scan Timing: About 89.91% done; ETC: 05:28 (0:00:03 remaining) Nmap scan report for 10.10.158.194 Host is up (0.047s latency). Not shown: 65529 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA) | 256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA) |_ 256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (ED25519) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |http-title: Site doesn't have a title (text/html). 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP) 8009/tcp open ajp13 Apache Jserv (Protocol v1.3) | ajp-methods: | Supported methods: GET HEAD POST OPTIONS 8080/tcp open http Apache Tomcat 9.0.7 |_http-favicon: Apache Tomcat |_http-title: Apache Tomcat/9.0.7
So we see there are 6 ports open
We can do directory busting by using dirbuster& which will open a gui we just define the ip address like its shown in the menu and then we increase the speed of our busting by using the checkbox called gofaster after doing that we define a wordlist which in my case is usr/share/wordlist/dirb/common.txt .
We find the path called development which has two text files in there for us and we can see it says that the passwords are weakly hashed and thats a hint that we brute force and crack the hashes if we get access to them.
To Enummerate on the smb port we can use a tool called Enum4Linux to basically get information about the users using the SMB .What we find after we run the command:
enum4linux 10.10.191.146
we get results this takes a lot of time btw and its huge report stuff maybe you can transfer it to a file or so if you dont want it to be verbosive.
So we get to know that there are two users that we can access on the SSH to brute force our way in .
To Enummerate when we are inside the system we can use something like LinPeas which will gives us greaat information about everything and tell us possibile ways we can exploit stuff and basically all the neccesary information you will need.
We can use it by either cloning the repo and then hosting a server on our local machine using Python and then using wget to get the file on thetarget machine and running it there.
After we ennumerate we find out that there is private key for SSH stored in the kay\.ssh and with that what we can do is basically gain access to ssh so we first copy that key.Take it to our desktop and then we basically use it login into SSH with it .But we see that it still asks us for a passphrase and to bypass this we can use John the ripper to get a pass phrase and how we do that is by just using first this tool called ssh2john which you can find in →
/opt/JohnTheRipper/run/ssh2john.py kay_id_rsa and this produces a hash which john the ripper can understand so we wanna output it to a file and then basically use John the ripper with this hash and a wordlist to hash it out .
The syntax is gonna be johntheripper johnhash.txt —wordlist=/usr/share/wordlists/rockyou.txt
And boom it cracks it for us and gives the answer of beeswax and now we can just use this and the id_rsa to login to ssh and cat out the pass.bak file and get the password we wanted .