[Tut] How I used Enum4linux to Gain a Foothold Into the Target Machine (TryHackMe) - Printable Version - Sick Gaming (https://www.sickgaming.net), thread /thread-100772.html
[Tut] How I used Enum4linux to Gain a Foothold Into the Target Machine (TryHackMe) - xSicKxBot - 02-19-2023
<div>
<p class="has-global-color-8-background-color has-background">💡 <strong>Enum4linux</strong> is a utility for extracting information from Windows and Samba hosts. Its primary objective is to provide functionality comparable to the now-defunct enum.exe tool, which was previously available at www.bindview.com. Enum4linux is written in Perl and is essentially a wrapper around the Samba tools smbclient, rpcclient, net, and nmblookup.</p>
<h2>CHALLENGE OVERVIEW</h2>
<ul>
<li><strong>CTF Creator: </strong><a href="https://www.youtube.com/@_JohnHammond" target="_blank" rel="noreferrer noopener"><strong>John Hammond</strong></a></li>
<li><strong>Link</strong>: <a href="https://tryhackme.com/room/basicpentestingjt" target="_blank" rel="noreferrer noopener">Basic Pentesting</a></li>
<li><strong>Difficulty</strong>: Easy</li>
<li><strong>Target</strong>: user flag and final flag</li>
<li><strong>Highlight</strong>: extracting credentials from an SMB server with SMBmap</li>
<li><strong>Tools used</strong>: <code>nmap</code>, <code>dirb</code>, <code>enum4linux</code>, <code>john</code>, <code>hydra</code>, <code>linpeas</code>, <code>ssh</code></li>
<li><strong>Tags</strong>: <em>security, boot2root, cracking, webapp</em></li>
</ul>
<h2>BACKGROUND</h2>
<div class="wp-block-image"> <figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="684" height="453" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-267.png" alt="" class="wp-image-1146093" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-267.png 684w, https://blog.finxter.com/wp-content/uploads/2023/02/image-267-300x199.png 300w" sizes="(max-width: 684px) 100vw, 684px" /></figure> </div>
<p>This is a pretty standard type of CTF challenge that involves some recon, gaining an initial foothold, lateral privilege escalation, and discovery of the flags.</p>
<p>It was a great way to review how to use the standard pentesting tools (i.e., <code>nmap</code>, <code>dirb</code>, <code>smbmap</code>, <code>john</code>, <code>hydra</code>).</p>
<p>If you are just starting with CTF challenges, you may find some of the tools and concepts a bit technical. Please check out the video walkthrough if anything is unclear in this write-up!</p>
<h2>ENUMERATION/RECON</h2>
<div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="622" height="928" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-268.png" alt="" class="wp-image-1146094" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-268.png 622w, https://blog.finxter.com/wp-content/uploads/2023/02/image-268-201x300.png 201w" sizes="(max-width: 622px) 100vw, 622px" /></figure> </div>
<p><code>IP ADDRESSES</code></p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">export targetIP=10.10.192.10
export myIP=10.6.2.23</pre>
<h2>ENUMERATION</h2>
<p><code>NMAP SCAN</code></p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">nmap -A -p- -T4 -oX nmap.txt $targetIP</pre>
<ul>
<li><code>-A</code> Enable OS detection, version detection, script scanning, and traceroute</li>
<li><code>-p-</code> scan all ports</li>
<li><code>-T4</code> speed 4 (1-5 with 5 being the
fastest)</li>
<li><code>-oX</code> write the results as XML</li>
</ul>
<div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="416" height="462" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-255.png" alt="" class="wp-image-1146077" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-255.png 416w, https://blog.finxter.com/wp-content/uploads/2023/02/image-255-270x300.png 270w" sizes="(max-width: 416px) 100vw, 416px" /></figure> </div>
<h2>DIRB SCAN</h2>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">dirb http://$targetIP -o dirb.txt</pre>
<ul>
<li><code>-o</code> write output to <code>&lt;filename&gt;</code></li>
</ul>
<div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="399" height="433" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-256.png" alt="" class="wp-image-1146078" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-256.png 399w, https://blog.finxter.com/wp-content/uploads/2023/02/image-256-276x300.png 276w" sizes="(max-width: 399px) 100vw, 399px" /></figure> </div>
<h2>WALK THE WEBSITE</h2>
<div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="686" height="545" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-269.png" alt="" class="wp-image-1146095" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-269.png 686w, https://blog.finxter.com/wp-content/uploads/2023/02/image-269-300x238.png 300w" sizes="(max-width: 686px) 100vw, 686px" /></figure> </div>
<p>“Check our dev note section if you need to know what to work on.” (I found a hint in the source code.)</p>
<p><code><em>http://10.10.192.10/development/</em></code></p>
<div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="502" height="303" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-257.png" alt="" class="wp-image-1146079" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-257.png 502w, https://blog.finxter.com/wp-content/uploads/2023/02/image-257-300x181.png 300w" sizes="(max-width: 502px) 100vw, 502px" /></figure> </div>
<p>Reading through these two documents, we learn the following interesting things:</p>
<ul>
<li>User “J” has a weak password hash in /etc/shadow that can be cracked easily!</li>
<li>We may be able to find an exploit for REST version 2.5.12</li>
</ul>
<p>Searching through <code>exploit-db</code> we find two possibilities:</p>
<ol>
<li><a href="https://www.exploit-db.com/exploits/45068" target="_blank" rel="noreferrer noopener">https://www.exploit-db.com/exploits/45068</a></li>
<li><a href="https://www.exploit-db.com/exploits/42627" target="_blank" rel="noreferrer noopener">https://www.exploit-db.com/exploits/42627</a> (this one is probably it!)</li>
</ol>
<div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="773" height="898" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-258.png" alt="" class="wp-image-1146081" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-258.png 773w, https://blog.finxter.com/wp-content/uploads/2023/02/image-258-258x300.png 258w, https://blog.finxter.com/wp-content/uploads/2023/02/image-258-768x892.png 768w" sizes="(max-width: 773px) 100vw, 773px" /></figure> </div>
<p>I tried out this Python exploit, but didn’t have any luck.
Let’s move forward for now and enumerate the SMB server.</p> <h2>ENUMERATING SMB </h2> <pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">smbmap -a $targetIP</pre> <p>We see a listing for an anonymous login in our results. However, we aren’t able to log in as <code>anonymous</code>.</p> <h2>USING ENUM4LINUX TO EXTRACT SSH LOGIN CREDENTIALS</h2> <div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="681" height="838" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-270.png" alt="" class="wp-image-1146097" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-270.png 681w, https://blog.finxter.com/wp-content/uploads/2023/02/image-270-244x300.png 244w" sizes="(max-width: 681px) 100vw, 681px" /></figure> </div> <pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">enum4linux -a 10.10.192.10</pre> <p><code>-a</code> Do all simple enumeration (<code>-U -S -G -P -r -o -n -i</code>)</p> <div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="674" height="364" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-259.png" alt="" class="wp-image-1146083" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-259.png 674w, https://blog.finxter.com/wp-content/uploads/2023/02/image-259-300x162.png 300w" sizes="(max-width: 674px) 100vw, 674px" /></figure> </div> <div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="698" height="255" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-260.png" alt="" class="wp-image-1146084" 
srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-260.png 698w, https://blog.finxter.com/wp-content/uploads/2023/02/image-260-300x110.png 300w" sizes="(max-width: 698px) 100vw, 698px" /></figure> </div>
<p>Found users: <code>kay</code> and <code>jan</code>.</p>
<p>My guess is that our first user credential with the easy hash will be for user <code>jan</code>, because the hidden file <code>j.txt</code> in the <code>/development</code> folder was addressed to “<code>J</code>”.</p>
<h2>USING HYDRA TO BRUTEFORCE A PASSWORD FOR JAN/KAY</h2>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">hydra -l jan -t 4 -P /home/kalisurfer/hacking-tools/rockyou.txt ssh://10.10.192.10
hydra -l kay -P /home/kalisurfer/hacking-tools/rockyou.txt ssh://10.10.192.10
discovered password for jan: armando</pre>
<h2>LOCAL RECON – LOG IN AS JAN VIA SSH</h2>
<div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="681" height="456" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-271.png" alt="" class="wp-image-1146099" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-271.png 681w, https://blog.finxter.com/wp-content/uploads/2023/02/image-271-300x201.png 300w" sizes="(max-width: 681px) 100vw, 681px" /></figure> </div>
<p>We’ll automate our local recon with <code>linpeas.sh</code>.</p>
<p>To get the script onto the target system, we spin up a simple <a rel="noreferrer noopener" href="https://blog.finxter.com/how-to-check-your-python-version/" data-type="post" data-id="1371" target="_blank">python3</a> HTTP server on our attack box and use <code>wget</code> to copy it into the <code>/tmp</code> directory of the target.</p>
<p>After running <code>linpeas.sh</code> we review the results and find a hidden SSH key for user kay.
Our next step is to turn the key into a hash and crack it to recover the passphrase needed to log in as user kay.</p>
<div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="556" height="232" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-261.png" alt="" class="wp-image-1146085" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-261.png 556w, https://blog.finxter.com/wp-content/uploads/2023/02/image-261-300x125.png 300w" sizes="(max-width: 556px) 100vw, 556px" /></figure> </div>
<div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="493" height="124" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-262.png" alt="" class="wp-image-1146086" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-262.png 493w, https://blog.finxter.com/wp-content/uploads/2023/02/image-262-300x75.png 300w" sizes="(max-width: 493px) 100vw, 493px" /></figure> </div>
<h2>LATERAL PRIVILEGE ESCALATION TO USER KAY</h2>
<p>First we’ll use <code>ssh2john</code> to convert the key into a hash that John the Ripper can work on.</p>
<div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="494" height="321" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-263.png" alt="" class="wp-image-1146087" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-263.png 494w, https://blog.finxter.com/wp-content/uploads/2023/02/image-263-300x195.png 300w" sizes="(max-width: 494px) 100vw, 494px" /></figure> </div>
<p>Next, we’ll crack the hash with john.
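Seen from the defender's side, the step above rests on two separate weaknesses: kay's private key could be read by a different user, and its passphrase was weak enough to fall to a wordlist. The first of those is easy to check for on a host before anyone runs linpeas. The Python below is an added example, not code from the write-up, from linpeas or from ssh2john: it walks a directory tree, picks out files that look like private keys, and reports any that are readable by group or other, or that carry no passphrase at all. For OpenSSH-format keys it reads the cipher name out of the key's own header (a cipher of `none` means the key is stored in the clear); for legacy PEM keys it looks for the `Proc-Type: 4,ENCRYPTED` header. The keys it audits are constructed stand-ins with dummy bodies, not real key material, and since the page does not say what the permission bits on kay's key actually were, treating group/other read as the threshold is this example's assumption.

```python
import base64
import os
import stat
import struct
import tempfile

# Header lines that identify a private-key file (legacy PEM, PKCS#8 and OpenSSH formats).
PRIVATE_KEY_MARKERS = (
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN DSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----",
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
)


def is_private_key(data):
    """True if the file content starts with one of the known private-key headers."""
    return data.lstrip().startswith(PRIVATE_KEY_MARKERS)


def openssh_cipher(data):
    """Cipher name stored in an OpenSSH-format key ('none' means unencrypted),
    or None if the decoded blob does not carry the openssh-key-v1 magic."""
    body = b"".join(l for l in data.splitlines() if l and not l.startswith(b"-----"))
    blob = base64.b64decode(body)
    magic = b"openssh-key-v1\x00"
    if not blob.startswith(magic):
        return None
    off = len(magic)
    (length,) = struct.unpack(">I", blob[off:off + 4])  # first field: string ciphername
    return blob[off + 4:off + 4 + length].decode("ascii")


def is_encrypted(data):
    """Best-effort check whether the key is protected by a passphrase."""
    head = data.lstrip()
    if head.startswith(b"-----BEGIN OPENSSH PRIVATE KEY-----"):
        return openssh_cipher(data) not in (None, "none")
    if head.startswith(b"-----BEGIN ENCRYPTED PRIVATE KEY-----"):
        return True                                  # encrypted PKCS#8
    return b"Proc-Type: 4,ENCRYPTED" in data         # legacy PEM with DEK-Info header


def classify(data, mode):
    """Findings for one private-key file given its content and st_mode (empty list = fine)."""
    findings = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("readable by group/other")
    if not is_encrypted(data):
        findings.append("no passphrase")
    return findings


def audit_tree(root):
    """Walk root and return {path: findings} for every private key that has a problem."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    data = fh.read(8192)
            except OSError:
                continue
            if is_private_key(data):
                findings = classify(data, os.stat(path).st_mode)
                if findings:
                    report[path] = findings
    return report


def make_openssh_key(cipher):
    """Constructed stand-in: a syntactically valid openssh-key-v1 header with dummy fields.
    It is NOT a usable key; only the leading ciphername field matters to the audit."""
    body = b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher.encode("ascii")
    body += struct.pack(">I", 4) + b"none" + struct.pack(">I", 0)  # kdfname, kdfoptions
    return (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(body)
            + b"\n-----END OPENSSH PRIVATE KEY-----\n")


UNENCRYPTED_KEY = make_openssh_key("none")
ENCRYPTED_KEY = make_openssh_key("aes256-ctr")
LEGACY_ENCRYPTED_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                        b"DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
                        b"QUJD\n-----END RSA PRIVATE KEY-----\n")  # constructed; body is junk


def demo():
    """Build a throwaway home tree with the constructed keys and audit it.
    Returns {relative path: findings} with forward slashes for portability."""
    with tempfile.TemporaryDirectory() as root:
        for user, key, mode in (("kay", ENCRYPTED_KEY, 0o644), ("jan", UNENCRYPTED_KEY, 0o600)):
            ssh_dir = os.path.join(root, user, ".ssh")
            os.makedirs(ssh_dir)
            path = os.path.join(ssh_dir, "id_rsa")
            with open(path, "wb") as fh:
                fh.write(key)
            os.chmod(path, mode)
        return {os.path.relpath(p, root).replace(os.sep, "/"): f
                for p, f in audit_tree(root).items()}


if __name__ == "__main__":
    for path, findings in demo().items():
        print(path, "->", ", ".join(findings))
```

A key that passes this check can still be weak: the audit cannot judge passphrase strength, which is exactly what john exploited here, so a passphrase-protected key that other accounts can read is still reported.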
</p>
<div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="726" height="252" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-264.png" alt="" class="wp-image-1146088" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-264.png 726w, https://blog.finxter.com/wp-content/uploads/2023/02/image-264-300x104.png 300w" sizes="(max-width: 726px) 100vw, 726px" /></figure> </div>
<p>Now that we’ve cracked the hash against the <code>rockyou.txt</code> wordlist, we can go ahead and switch users to kay with the password <code>beeswax</code>.</p>
<h2>POST-EXPLOITATION</h2>
<p>Locate the <code>pass.bak</code> file.</p>
<p><code>cat</code> it to find the “final password”.</p>
<div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="412" height="93" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-265.png" alt="" class="wp-image-1146089" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-265.png 412w, https://blog.finxter.com/wp-content/uploads/2023/02/image-265-300x68.png 300w" sizes="(max-width: 412px) 100vw, 412px" /></figure> </div>
<h2>FINAL THOUGHTS</h2>
<div class="wp-block-image"> <figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="684" height="454" src="https://blog.finxter.com/wp-content/uploads/2023/02/image-272.png" alt="" class="wp-image-1146100" srcset="https://blog.finxter.com/wp-content/uploads/2023/02/image-272.png 684w, https://blog.finxter.com/wp-content/uploads/2023/02/image-272-300x199.png 300w" sizes="(max-width: 684px) 100vw, 684px" /></figure> </div>
<p>This box showed the power of <code>enum4linux</code> for enumerating Linux machines. We were able to extract two usernames that helped us brute-force our way into the server and gain our initial foothold.
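The initial foothold in this box came from a wordlist run against sshd, which is also one of the noisiest things an attacker can do: every wrong guess becomes a `Failed password` line in the target's auth log, and the `Accepted password` from the same source that follows them is the tell that a guess landed. As an added example for this page, not code from the write-up, the Python below parses a handful of constructed `auth.log` lines and raises an alert for a source address that either fails at least `threshold` times inside `window_s` seconds or logs in successfully after `min_prior_failures` or more failures. The log lines are made up for this example (the attacker address reuses the write-up's 10.6.2.23; the hostname `target` and the process ids are invented), and since syslog timestamps carry no year, one is assumed.

```python
import re
from collections import defaultdict
from datetime import datetime

# sshd password-auth lines as OpenSSH writes them through syslog (auth.log / secure).
SSHD_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+ ssh2$"
)

# Constructed sample: an 8-guess burst from one source ending in a success, plus one
# legitimate user who mistyped a password once. Not taken from the page.
SAMPLE_AUTH_LOG = [
    "Feb 19 14:02:01 target sshd[2101]: Failed password for jan from 10.6.2.23 port 51200 ssh2",
    "Feb 19 14:02:02 target sshd[2103]: Failed password for jan from 10.6.2.23 port 51202 ssh2",
    "Feb 19 14:02:03 target sshd[2105]: Failed password for jan from 10.6.2.23 port 51204 ssh2",
    "Feb 19 14:02:04 target sshd[2107]: Failed password for jan from 10.6.2.23 port 51206 ssh2",
    "Feb 19 14:02:05 target sshd[2109]: Failed password for invalid user admin from 10.6.2.23 port 51208 ssh2",
    "Feb 19 14:02:06 target sshd[2111]: Failed password for jan from 10.6.2.23 port 51210 ssh2",
    "Feb 19 14:02:07 target sshd[2113]: Failed password for jan from 10.6.2.23 port 51212 ssh2",
    "Feb 19 14:02:09 target sshd[2115]: Failed password for jan from 10.6.2.23 port 51214 ssh2",
    "Feb 19 14:02:10 target sshd[2117]: Accepted password for jan from 10.6.2.23 port 51216 ssh2",
    "Feb 19 09:15:30 target sshd[1900]: Failed password for kay from 192.168.1.5 port 40000 ssh2",
    "Feb 19 09:20:45 target sshd[1902]: Accepted password for kay from 192.168.1.5 port 40002 ssh2",
    "Feb 19 14:02:11 target CRON[2120]: pam_unix(cron:session): session opened for user root by (uid=0)",
]


def parse_line(line, year=2023):
    """Turn one sshd auth line into a dict, or None for lines we do not care about.
    Syslog timestamps carry no year, so one is assumed."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    stamp = datetime.strptime(f"{m['mon']} {int(m['day'])} {m['time']} {year}",
                              "%b %d %H:%M:%S %Y")
    return {"ts": stamp, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=5, window_s=60, min_prior_failures=3):
    """Return {ip: alert} for sources that look like password guessing.

    Two signals, either of which raises an alert:
      * burst: at least `threshold` failures inside any `window_s`-second span;
      * success after failures: an Accepted login preceded by >= min_prior_failures
        failures from the same source (what a guessed password looks like).
    """
    by_ip = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if event:
            by_ip[event["ip"]].append(event)

    alerts = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        failures = [e for e in events if e["result"] == "Failed"]
        burst = any(
            (failures[i + threshold - 1]["ts"] - failures[i]["ts"]).total_seconds() <= window_s
            for i in range(len(failures) - threshold + 1)
        )
        guessed = None
        seen_failures = 0
        for e in events:
            if e["result"] == "Failed":
                seen_failures += 1
            elif seen_failures >= min_prior_failures:
                guessed = (e["user"], seen_failures)
                break
        if burst or guessed:
            alerts[ip] = {
                "failures": len(failures),
                "burst": burst,
                "users_tried": sorted({e["user"] for e in failures}),
                "success_after_failures": guessed,
            }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, alert)
```

The second signal is the one that matters: a burst of failures on its own might be a misconfigured client, but a success after a run of failures from the same source is what a cracked password looks like, and it is the event worth paging on. The legitimate user in the sample, who mistyped once before logging in, stays below both thresholds.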
</p>
<p>Linpeas can also do similar things, but the big difference between the two is that Linpeas is for local enumeration, and <code>enum4linux</code> is for initial enumeration before gaining a foothold.</p>
<p class="has-base-background-color has-background">👉 <strong>Recommended</strong>: <a href="https://blog.finxter.com/web-hacking-101-tryhackme-pickle-rick-capture-the-flag-challenge/" data-type="URL" data-id="https://blog.finxter.com/web-hacking-101-tryhackme-pickle-rick-capture-the-flag-challenge/" target="_blank" rel="noreferrer noopener">Web Hacking 101: Solving the TryHackMe Pickle Rick “Capture The Flag” Challenge</a></p>
</div>
https://www.sickgaming.net/blog/2023/02/18/how-i-used-enum4linux-to-gain-a-foothold-into-the-target-machine-tryhackme/
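Returning to the enum4linux run under USING ENUM4LINUX TO EXTRACT SSH LOGIN CREDENTIALS: the two usernames it produced are the hinge of the whole box, and they were handed to an unauthenticated SMB client. The Python below is an added example, not code from the write-up or from enum4linux itself: it parses the text enum4linux prints in its user-listing (`user:[name] rid:[0x...]`), RID-cycling (`S-1-22-1-<uid> Unix User\name`) and share-mapping (`//host/share Mapping: ..., Listing: ...`) sections and summarises what an anonymous client was able to learn, which is the shape such a finding takes in a report. The sample output is constructed for this example in the layout enum4linux uses; it is not a capture from the page's target.

```python
import re

# Constructed sample in the shape of enum4linux -a output (share listing, user listing and
# RID cycling sections). Not a capture from the page's target.
SAMPLE_ENUM4LINUX = """\
 ====================================== 
|    Share Enumeration on 10.10.192.10    |
 ====================================== 

\tSharename       Type      Comment
\t---------       ----      -------
\tAnonymous       Disk      
\tIPC$            IPC       IPC Service (Samba Server)
//10.10.192.10/Anonymous\tMapping: OK, Listing: OK
//10.10.192.10/IPC$\tMapping: OK\tListing: DENIED

 ============================= 
|    Users on 10.10.192.10    |
 ============================= 
user:[kay] rid:[0x3e8]
user:[jan] rid:[0x3e9]

 ============================================= 
|    Users on 10.10.192.10 via RID cycling    |
 ============================================= 
S-1-22-1-1000 Unix User\\kay (Local User)
S-1-22-1-1001 Unix User\\jan (Local User)
"""

# user:[name] rid:[0x...] lines come from rpcclient's enumdomusers (enum4linux -U)
USER_RE = re.compile(r"^user:\[(?P<name>[^\]]+)\] rid:\[(?P<rid>0x[0-9a-fA-F]+)\]", re.M)
# S-1-22-1-<uid> Unix User\<name> lines come from RID cycling (enum4linux -r)
RID_CYCLE_RE = re.compile(r"^S-1-22-1-(?P<uid>\d+) Unix User\\(?P<name>\S+)", re.M)
# //host/share  Mapping: X, Listing: Y lines come from the share access checks (enum4linux -S)
SHARE_RE = re.compile(
    r"^//(?P<host>[^/\s]+)/(?P<share>\S+)\s+Mapping: (?P<mapping>\w+),?\s+Listing: (?P<listing>\w+)",
    re.M,
)


def parse_users(text):
    """Return {username: {'rid': int|None, 'uid': int|None}} merged from both user sections."""
    users = {}
    for m in USER_RE.finditer(text):
        users.setdefault(m["name"], {"rid": None, "uid": None})["rid"] = int(m["rid"], 16)
    for m in RID_CYCLE_RE.finditer(text):
        users.setdefault(m["name"], {"rid": None, "uid": None})["uid"] = int(m["uid"])
    return users


def parse_shares(text):
    """Return [(share, mapping, listing)] for every share enum4linux tried to map."""
    return [(m["share"], m["mapping"], m["listing"]) for m in SHARE_RE.finditer(text)]


def anonymous_exposure(text):
    """Summarise what an unauthenticated SMB client learned: account names and listable shares."""
    users = parse_users(text)
    listable = [s for s, mapping, listing in parse_shares(text) if mapping == listing == "OK"]
    return {"usernames": sorted(users), "listable_shares": listable}


if __name__ == "__main__":
    print(anonymous_exposure(SAMPLE_ENUM4LINUX))
```

Every username this returns is one the server gave away without credentials. On Samba the relevant knob is `restrict anonymous` in smb.conf; the write-up does not say how the target was configured, but a host that answers `enumdomusers` and RID cycling over a null session is what turns a wordlist into a login, as it did here.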