nmap results:

  • nmap -p- -Pn -A -T4 10.10.173.112 > Ascan.txt:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-08 16:58 EDT
Stats: 0:09:57 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 71.18% done; ETC: 17:12 (0:04:02 remaining)
Nmap scan report for 10.10.173.112
Host is up (0.17s latency).
Not shown: 65529 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
|   256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)
|_  256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (ED25519)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
| ajp-methods: 
|_  Supported methods: GET HEAD POST OPTIONS
8080/tcp open  http        Apache Tomcat 9.0.7
|_http-title: Apache Tomcat/9.0.7
|_http-favicon: Apache Tomcat
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4.4
OS details: Linux 4.4
Network Distance: 2 hops
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel
 
Host script results:
|_clock-skew: mean: 1h19m58s, deviation: 2h18m33s, median: -1s
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: basic2
|   NetBIOS computer name: BASIC2\x00
|   Domain name: \x00
|   FQDN: basic2
|_  System time: 2025-04-08T17:13:26-04:00
| smb2-time: 
|   date: 2025-04-08T21:13:26
|_  start_date: N/A
 
TRACEROUTE (using port 5900/tcp)
HOP RTT       ADDRESS
1   179.35 ms 10.21.0.1
2   179.41 ms 10.10.173.112
 
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 898.63 seconds
  • nmap --script=*smb* 10.10.173.112 > smbScan.txt:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-04-08 17:51 EDT
Nmap scan report for 10.10.173.112
Host is up (0.19s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
8009/tcp open  ajp13
8080/tcp open  http-proxy
 
Host script results:
| smb-ls: Volume \\10.10.173.112\Anonymous
| SIZE   TIME                 FILENAME
| <DIR>  2018-04-19T17:31:20  .
| <DIR>  2018-04-19T17:13:06  ..
| 173    2018-04-19T17:29:55  staff.txt
|_
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb-vuln-regsvc-dos: 
|   VULNERABLE:
|   Service regsvc in Microsoft Windows systems vulnerable to denial of service
|     State: VULNERABLE
|       The service regsvc in Microsoft Windows 2000 systems is vulnerable to denial of service caused by a null deference
|       pointer. This script will crash the service if it is vulnerable. This vulnerability was discovered by Ron Bowes
|       while working on smb-enum-sessions.
|_          
|_smb-system-info: ERROR: Script execution failed (use -d to debug)
| smb2-capabilities: 
|   2:0:2: 
|     Distributed File System
|   2:1:0: 
|     Distributed File System
|     Multi-credit operations
|   3:0:0: 
|     Distributed File System
|     Multi-credit operations
|   3:0:2: 
|     Distributed File System
|     Multi-credit operations
|   3:1:1: 
|     Distributed File System
|_    Multi-credit operations
| smb-mbenum: 
|   DFS Root
|     BASIC2  0.0  Samba Server 4.3.11-Ubuntu
|   Master Browser
|     BASIC2  0.0  Samba Server 4.3.11-Ubuntu
|   Print server
|     BASIC2  0.0  Samba Server 4.3.11-Ubuntu
|   Server
|     BASIC2  0.0  Samba Server 4.3.11-Ubuntu
|   Server service
|     BASIC2  0.0  Samba Server 4.3.11-Ubuntu
|   Unix server
|     BASIC2  0.0  Samba Server 4.3.11-Ubuntu
|   Windows NT/2000/XP/2003 server
|     BASIC2  0.0  Samba Server 4.3.11-Ubuntu
|   Workstation
|_    BASIC2  0.0  Samba Server 4.3.11-Ubuntu
| smb2-time: 
|   date: 2025-04-08T21:51:59
|_  start_date: N/A
|_smb-vuln-ms10-054: false
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_smb-flood: ERROR: Script execution failed (use -d to debug)
| smb-enum-shares: 
|   account_used: guest
|   \\10.10.173.112\Anonymous: 
|     Type: STYPE_DISKTREE
|     Comment: 
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\samba\anonymous
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.173.112\IPC$: 
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (Samba Server 4.3.11-Ubuntu)
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|_    Current user access: READ/WRITE
| smb-enum-domains: 
|   Builtin
|     Groups: n/a
|     Users: n/a
|     Creation time: unknown
|     Passwords: min length: 5; min age: n/a days; max age: n/a days; history: n/a passwords
|     Account lockout disabled
|   BASIC2
|     Groups: n/a
|     Users: n/a
|     Creation time: unknown
|     Passwords: min length: 5; min age: n/a days; max age: n/a days; history: n/a passwords
|_    Account lockout disabled
| smb-brute: 
|_  No accounts found
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: basic2
|   NetBIOS computer name: BASIC2\x00
|   Domain name: \x00
|   FQDN: basic2
|_  System time: 2025-04-08T17:57:03-04:00
| smb-enum-sessions: 
|_  <nobody>
| smb-protocols: 
|   dialects: 
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2:0:2
|     2:1:0
|     3:0:0
|     3:0:2
|_    3:1:1
|_smb-print-text: false
|_smb-vuln-ms10-061: false
 
Nmap done: 1 IP address (1 host up) scanned in 387.76 seconds
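The SMB script output above is long, and the items that actually matter for hardening are buried in it (guest session accepted, signing disabled, SMBv1 offered, a disk share writable by anonymous users). The following is an added example, not part of these notes or of nmap: a small parser over nmap's normal text output that turns those blocks into concrete Samba fixes. SAMPLE_SCAN is a trimmed copy of the scan output above; the assumed layout rules are that `| name:` opens a script block and `|_` marks its last line.

```python
"""Hardening findings from nmap SMB script output (added example, not
from the original notes).  It reads the smb-security-mode,
smb-protocols and smb-enum-shares blocks out of nmap's normal text
output and lists the smb.conf changes a defender would apply.  The
layout rules below ('| name:' opens a block, '|_' marks its last line)
are an assumption about nmap's text format."""
import re

# Trimmed copy of the scan output in the notes above.
SAMPLE_SCAN = """\
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb-enum-shares:
|   account_used: guest
|   \\\\10.10.173.112\\Anonymous:
|     Type: STYPE_DISKTREE
|     Path: C:\\samba\\anonymous
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\\\10.10.173.112\\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Anonymous access: READ/WRITE
|_    Current user access: READ/WRITE
| smb-protocols:
|   dialects:
|     NT LM 0.12 (SMBv1) [dangerous, but default]
|     2:0:2
|_    3:1:1
|_smb-vuln-ms10-054: false
"""

# A top-level script line: '| name:' or a one-liner '|_name: value'.
HEADER_RE = re.compile(r"^\|[ _](\S+?):(.*)$")


def script_blocks(text):
    """Map each NSE script name to its body lines (with the '| ' prefix removed)."""
    blocks, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m and not line.startswith("|  "):      # indented lines are children, not headers
            current = m.group(1)
            value = m.group(2).strip()
            blocks[current] = [value] if value else []
        elif current and line.startswith("|"):
            blocks[current].append(line[2:].rstrip())
        else:
            current = None                         # left the script output area
    return blocks


def enum_shares(lines):
    """Turn smb-enum-shares body lines into {share_name: {field: value}}."""
    shares, name = {}, None
    for line in lines:
        m = re.match(r"\s*(\\\\\S+?):\s*$", line)  # '\\host\share:' opens a share entry
        if m:
            name = m.group(1)
            shares[name] = {}
        elif name and ":" in line:
            key, _, val = line.strip().partition(":")
            shares[name][key] = val.strip()
    return shares


def smb_findings(text):
    """Return the hardening findings (with the smb.conf fix) for one scan."""
    blocks = script_blocks(text)
    findings = []
    for line in blocks.get("smb-security-mode", []):
        key, _, val = line.strip().partition(":")
        if key == "account_used" and val.strip() == "guest":
            findings.append("guest/null session accepted: set 'map to guest = Never' "
                            "and 'restrict anonymous = 2'")
        if key == "message_signing" and val.strip().startswith("disabled"):
            findings.append("SMB signing disabled: set 'server signing = mandatory'")
    if any("SMBv1" in line for line in blocks.get("smb-protocols", [])):
        findings.append("SMBv1 dialect offered: set 'server min protocol = SMB2'")
    for name, fields in enum_shares(blocks.get("smb-enum-shares", [])).items():
        # Only disk shares matter here; IPC$ is the named-pipe share.
        if fields.get("Type") == "STYPE_DISKTREE" and "WRITE" in fields.get("Anonymous access", ""):
            findings.append(f"{name} writable by anonymous users: "
                            "set 'guest ok = no' and 'writable = no' on the share")
    return findings


if __name__ == "__main__":
    for finding in smb_findings(SAMPLE_SCAN):
        print("-", finding)
```

Run against the full Ascan.txt / smbScan.txt files instead of SAMPLE_SCAN and the same four findings come out; the anonymous share being writable (the staff.txt announcement later on the page complains about exactly that) is the one that a scan-only reviewer most often misses.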

http enum:

port 80 dirbusting results:

200      GET       10l       24w      158c http://10.10.173.112/
301      GET        9l       28w      320c http://10.10.173.112/development => http://10.10.173.112/development/
200      GET        9l       89w      483c http://10.10.173.112/development/dev.txt
200      GET        7l       42w      235c http://10.10.173.112/development/j.txt
  • dev.txt:
2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat
to host that on this server too. Haven't made any real web apps yet, but I have tried that example
you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm 
using version 2.5.12, because other versions were giving me trouble. -K

2018-04-22: SMB has been configured. -K

2018-04-21: I got Apache set up. Will put in our content later. -J
  • j.txt:
For J:

I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials,
and I was able to crack your hash really easily. You know our password policy, so please follow
it? Change that password ASAP.

-K

port 8080 dirbusting results:

200      GET       34l      158w     1155c http://10.10.173.112:8080/docs/api/index.html
401      GET       63l      289w     2473c http://10.10.173.112:8080/manager/html
200      GET      351l      786w     5581c http://10.10.173.112:8080/tomcat.css
302      GET        0l        0w        0c http://10.10.173.112:8080/docs => http://10.10.173.112:8080/docs/
302      GET        0l        0w        0c http://10.10.173.112:8080/host-manager/ => http://10.10.173.112:8080/host-manager/html
401      GET       54l      241w     2044c http://10.10.173.112:8080/host-manager/html
302      GET        0l        0w        0c http://10.10.173.112:8080/manager => http://10.10.173.112:8080/manager/
200      GET       18l      126w     9193c http://10.10.173.112:8080/tomcat.png
302      GET        0l        0w        0c http://10.10.173.112:8080/examples => http://10.10.173.112:8080/examples/
200      GET     1470l     7944w    75833c http://10.10.173.112:8080/docs/manager-howto.html
200      GET       22l       93w    42556c http://10.10.173.112:8080/favicon.ico
200      GET      351l     2079w    22748c http://10.10.173.112:8080/docs/deployer-howto.html
302      GET        0l        0w        0c http://10.10.173.112:8080/docs/config => http://10.10.173.112:8080/docs/config/
200      GET      680l     4165w    44204c http://10.10.173.112:8080/docs/cluster-howto.html
200      GET     1223l     6951w    63205c http://10.10.173.112:8080/docs/realm-howto.html
200      GET        0l        0w    14459c http://10.10.173.112:8080/docs/setup.html
200      GET        0l        0w    35639c http://10.10.173.112:8080/docs/security-howto.html
200      GET        0l        0w     6851c http://10.10.173.112:8080/docs/RELEASE-NOTES.txt
200      GET        0l        0w   300136c http://10.10.173.112:8080/docs/changelog.html
200      GET      202l      498w    11228c http://10.10.173.112:8080/
302      GET        0l        0w        0c http://10.10.173.112:8080/docs/api => http://10.10.173.112:8080/docs/api/
302      GET        0l        0w        0c http://10.10.173.112:8080/docs/appdev => http://10.10.173.112:8080/docs/appdev/
200      GET       34l      158w     1155c http://10.10.173.112:8080/docs/api/
302      GET        0l        0w        0c http://10.10.173.112:8080/docs/appdev/sample => http://10.10.173.112:8080/docs/appdev/sample/
302      GET        0l        0w        0c http://10.10.173.112:8080/examples/servlets => http://10.10.173.112:8080/examples/servlets/
404      GET        0l        0w     1091c http://10.10.173.112:8080/docs/installer
404      GET        0l        0w     1084c http://10.10.173.112:8080/docs/v3
302      GET        0l        0w        0c http://10.10.173.112:8080/docs/appdev/sample/docs => http://10.10.173.112:8080/docs/appdev/sample/docs/
302      GET        0l        0w        0c http://10.10.173.112:8080/examples/servlets/images => http://10.10.173.112:8080/examples/servlets/images/
302      GET        0l        0w        0c http://10.10.173.112:8080/docs/appdev/sample/web => http://10.10.173.112:8080/docs/appdev/sample/web/
302      GET        0l        0w        0c http://10.10.173.112:8080/docs/appdev/sample/src => http://10.10.173.112:8080/docs/appdev/sample/src/
200      GET       10l       19w      221c http://10.10.173.112:8080/examples/servlets/images/j_security_check
302      GET        0l        0w        0c http://10.10.173.112:8080/docs/architecture/startup => http://10.10.173.112:8080/docs/architecture/startup/
  • http://10.10.173.112:8080/examples/index.jsp;jsessionid=21B248D255AB9B9F7739E0133913EF0E:

jsessionid=21B248D255AB9B9F7739E0133913EF0E
  • hash-identifier 21B248D255AB9B9F7739E0133913EF0E
Possible Hashs:
[+] MD5
[+] Domain Cached Credentials - MD4(MD4(($pass)).(strtolower($username)))
  • couldn't crack it with hashcat. will probably have to use it like a session cookie and log in that way somehow

SMB enum:

  • smbmap -H 10.10.173.112
[+] IP: 10.10.173.112:445       Name: 10.10.173.112             Status: NULL Session
        Disk                                                    Permissions     Comment
        ----                                                    -----------     -------
        Anonymous                                               READ ONLY
        IPC$                                                    NO ACCESS       IPC Service (Samba Server 4.3.11-Ubuntu)
  • smbclient //10.10.173.112/Anonymous
  • ls
  .                                   D        0  Thu Apr 19 13:31:20 2018
  ..                                  D        0  Thu Apr 19 13:13:06 2018
  staff.txt                           N      173  Thu Apr 19 13:29:55 2018
  • get staff.txt
  • staff.txt:
Announcement to staff:

PLEASE do not upload non-work-related items to this share. I know it's all in fun, but
this is how mistakes happen. (This means you too, Jan!)

-Kay
  • possible unames:
Jan
Kay

ssh bruteforcing:

  • brute-forced the two unames against ssh with rockyou and found one valid set of creds:
jan:armando
  • found another user called kay
  • ran peass and found the id_rsa
  • id_rsa:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,6ABA7DE35CDB65070B92C1F760E2FE75
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-----END RSA PRIVATE KEY-----
heresareallystrongpasswordthatfollowsthepasswordpolicy$$
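The password-guessing step above is noisy on the target: every attempt lands in the host's auth log as a `Failed password` line, and a successful guess shows up as an `Accepted password` from the same source a moment later. The following is an added example, not part of these notes: detection logic that reads those lines and flags a source that crosses a failure threshold inside a time window, recording whether a login from that source succeeded afterwards. The log lines are constructed to resemble OpenSSH's auth.log format; the IPs, PIDs, ports and timestamps are made up.

```python
"""SSH brute-force detection over auth.log lines (added example, not
from the original notes).  The sample log is constructed: the IPs,
PIDs, ports and timestamps are invented to look like OpenSSH output."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: one source guesses several accounts and eventually
# gets in with a password; a second source fails once and then logs in
# with a key, which should not be flagged.
SAMPLE_AUTH_LOG = """\
Apr  8 18:02:11 basic2 sshd[1412]: Failed password for invalid user admin from 10.21.0.55 port 51002 ssh2
Apr  8 18:02:12 basic2 sshd[1414]: Failed password for jan from 10.21.0.55 port 51004 ssh2
Apr  8 18:02:12 basic2 sshd[1416]: Failed password for kay from 10.21.0.55 port 51006 ssh2
Apr  8 18:02:13 basic2 sshd[1418]: Failed password for jan from 10.21.0.55 port 51008 ssh2
Apr  8 18:02:13 basic2 sshd[1420]: Failed password for kay from 10.21.0.55 port 51010 ssh2
Apr  8 18:02:14 basic2 sshd[1422]: Failed password for jan from 10.21.0.55 port 51012 ssh2
Apr  8 18:02:15 basic2 sshd[1424]: Accepted password for jan from 10.21.0.55 port 51014 ssh2
Apr  8 18:30:40 basic2 sshd[1530]: Failed password for kay from 10.21.0.9 port 40122 ssh2
Apr  8 18:40:01 basic2 sshd[1601]: Accepted publickey for kay from 10.21.0.9 port 40130 ssh2: RSA SHA256:constructedfingerprint
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_events(text):
    """Return (timestamp, result, method, user, ip) for each sshd auth line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")   # syslog lines carry no year
        events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events


def detect_bruteforce(text, threshold=5, window_seconds=60):
    """Flag IPs with >= threshold failed passwords within the window.

    Each alert records the accounts tried and, if a later login from the
    same IP succeeds, which account it got into (a likely guessed password).
    """
    events = parse_events(text)
    failures = defaultdict(list)
    alerts = {}
    for ts, result, method, user, ip in events:
        if result == "Failed" and method == "password":
            failures[ip].append((ts, user))
            recent = [t for t, _ in failures[ip] if (ts - t).total_seconds() <= window_seconds]
            if len(recent) >= threshold and ip not in alerts:
                alerts[ip] = {
                    "first_seen": failures[ip][0][0],
                    "users": sorted({u for _, u in failures[ip]}),
                    "success_after": None,
                }
        elif result == "Accepted" and ip in alerts and alerts[ip]["success_after"] is None:
            alerts[ip]["success_after"] = user
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {len(info['users'])} accounts tried, success as {info['success_after']}")
```

The threshold and window are the same knobs fail2ban's sshd jail exposes; the root cause on this host, though, is that password authentication is enabled at all for accounts with a guessable password, so the durable fix is `PasswordAuthentication no` in sshd_config (with a low `MaxAuthTries`) rather than a better detector.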