    TryHackMe Badbyte: Infiltrate BadByte and help us to take over root

    BadByte

    Badbyte (https://tryhackme.com/room/badbyte) covers many important aspects of penetration testing, such as the importance of enumeration, hash cracking, port forwarding, web exploitation and privilege escalation. First of all, fire up your pentesting machine and connect to the TryHackMe network via OpenVPN. Then deploy the given machine.



    Reconnaissance


    First of all, we have to perform a traditional port scan with nmap or rustscan; here we use nmap. With the following nmap scan, you can get the answers to all four questions.



    1) How many ports are open?

    Ans :- 2 ports are open.



    2) What service is running on the lowest open port?

    Ans :- Lowest port is 22. So, the service running there is SSH.




    3) What non-standard port is open?

    Ans :- The only non-standard port we can find is 30024.



    4) What service is running on the non-standard port?


    Ans :- FTP is running on that port instead of port 21.





    Foothold


    So, you know that there are FTP and SSH services running on the machine. Let us try to log in to FTP as an anonymous user.



    Download note.txt


    We can log in to FTP as an anonymous user without specifying a password. When looking around we can see that there are two files named id_rsa and note.txt. Let us download those.



    1) What username do we find during the enumeration process?


    When looking at note.txt, we find the username “errorcauser”.

    Ans :- errorcauser








    John the Ripper is an Open Source password security auditing and password recovery tool available for many operating systems.


    To crack the SSH private key, first use the ssh2john Python script to convert the private key into a hash (it comes with Kali Linux; run locate ssh2john to find it).


    • python path/to/ssh2john.py privatekey > privatekey.hash



    Then use john to crack the hash.



    • john privatekey.hash -w=/path/to/wordlist



    Crack the passphrase of the private key and SSH into the machine. Make sure to change the file permissions of the SSH private key to 600.



    2. What is the passphrase for the RSA private key?


    We notice that the id_rsa file we downloaded is an SSH private key. In order to use it with SSH, we need its passphrase. So, first we convert this key into a hash using ssh2john.

    Ans :- cupcake



    Now we have the hash of the SSH key, so we can crack it using John the Ripper.

    We can easily find the passphrase by cracking it with john’s default wordlist.




    Port Forwarding


    As we have the passphrase, we can log in over SSH using it. We also have to set up dynamic port forwarding. However, when we try to log in, an error occurs as follows.





    Remember to provide the passphrase cracked above. You will then be able to log in easily as errorcauser.



    Then we have to set up proxychains for the dynamic port forwarding. Open the proxychains configuration file, located at “/etc/proxychains.conf” on your pentesting machine, with the Nano editor.

     




    Then make the necessary changes: comment out socks4 127.0.0.1 9050 and add socks5 127.0.0.1 1337 at the end of the configuration file.


    Then run a port scan with nmap through proxychains to enumerate the internal ports on the server.



    After some time, we get output like the following.




    After finding the port of the web server, perform local port forwarding to that port (port 80) using SSH with the -L flag, as follows.







    Here the remote port is 80 (which we found in the nmap scan) and the local port is 8080. Give the same passphrase we cracked earlier.
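As an added example (not from the original post), the following POSIX shell script applies the proxychains change described above to a constructed copy of proxychains.conf and prints the proxy entries that will actually be used, so the edit can be checked before the proxychains nmap scan. It assumes the SSH dynamic forward was opened on local port 1337 (ssh -D 1337), which is why the socks5 entry points there.

```sh
#!/bin/sh
# Added example, not code from the original walkthrough. Comments out the
# default "socks4 127.0.0.1 9050" entry and appends "socks5 127.0.0.1 1337"
# (assumed SSH -D 1337 tunnel) in a copy of proxychains.conf. It never
# touches /etc directly; point it at a copy when trying it for real.
set -eu

# Constructed sample of the [ProxyList] tail of a stock proxychains.conf
make_sample_conf() {
  cat > "$1" <<'EOF'
# proxychains.conf  VER 3.1
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000

[ProxyList]
# add proxy here ...
# defaults set to "tor"
socks4  127.0.0.1 9050
EOF
}

# update_proxychains_conf FILE PORT
# Comments out every active "socks4 127.0.0.1 9050" line and appends a
# "socks5 127.0.0.1 PORT" line once. Running it twice leaves the file unchanged.
update_proxychains_conf() {
  conf="$1"; port="$2"; tmp="$conf.tmp"
  sed -E 's/^[[:space:]]*(socks4[[:space:]]+127\.0\.0\.1[[:space:]]+9050)/# \1/' "$conf" > "$tmp"
  mv "$tmp" "$conf"
  if ! grep -qE "^socks5[[:space:]]+127\.0\.0\.1[[:space:]]+${port}\$" "$conf"; then
    printf 'socks5 127.0.0.1 %s\n' "$port" >> "$conf"
  fi
}

# active_proxies FILE
# Prints the entries proxychains will use (non-comment lines after
# [ProxyList]). Check this before "proxychains nmap ..." and before the
# later local forward "ssh -L 8080:127.0.0.1:80 errorcauser@<target>".
active_proxies() {
  sed -n '/^\[ProxyList\]/,$p' "$1" | grep -vE '^[[:space:]]*(#|\[|$)'
}
```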


    1) What main TCP ports are listening on localhost?


    From the above result, we can see that apart from the SSH port, ports 80 and 3306 are also open.

    Ans :- 80, 3306


    2. What protocols are used for these ports?


    HTTP and MySQL services are running on those ports.


    Ans :- http, mysql



    Web Exploitation


    As port 80 is open, we can infer that there is a web application involved. Just enter the IP:PORT combination in your web browser.






     
    1) What CMS is running on the machine?


    When analyzing the web application, we find that it is built with WordPress.

    Ans :- wordpress






    2. Can you find any vulnerable plugins?
    You can use the WordPress enumeration nmap script to find the plugins.

    Ans :- No answer needed





    The above enumeration gives output like the following.




    I just Googled the plugins for vulnerabilities and found the answers to the following questions.




    3. What is the CVE number for directory traversal vulnerability?

    Ans :- CVE-2020-11738





    4. What is the CVE number for remote code execution vulnerability?

    Ans :- CVE-2020-25213



    5. There is a metasploit module for the exploit. You can use it to get the reverse shell.

    In msfconsole, search for a relevant exploit. I found it easily as follows.





    You have to set rhost to 127.0.0.1, rport to 8080 and lhost to your tun0 IP, then run the exploit. If everything is fine, you will be given a meterpreter session.







    6. What is the name of user that was running CMS?

    Run the command “whoami” and you will find the username.

    Ans :-  cth



    7. What is the user flag?


    In the user’s home directory, you can find the user flag.

    Ans :-  THM{227906201d17d9c45aa93d0122ea1af7}






    Privilege Escalation



    For now we have a low-privileged shell, but we need to escalate our privileges in order to obtain the root flag.




     

    1) What is the user’s old password?


    When browsing the file system for a little while, you find that the log file /var/log/bash.log can be read by the user without requiring a password. Just “cat” the log file and you can find the password there.

    Ans :-  G00dP@$sw0rd2020



    Make the user a superuser. Then you may need to change directories in order to get to root’s home.


    Then you can obtain the root flag as follows.




     


    2) What is the root flag?


    You have to guess the user’s new password in order to get the root flag. As we must use SSH, we need the new password. It is very easy to guess. (Hint: the old password was configured last year, and now we are not in last year, are we?) After guessing the new password, we can SSH in as the user.

    Ans :- THM{ad485b44f63393b6a9225974909da5fa}



    Disclaimer

     

    This was written for educational purposes and pentesting only.
    The author will not be responsible for any damage!
    The author is not responsible for any misuse of the information.
    You will not misuse the information to gain unauthorized access.
    This information shall only be used to expand knowledge and not for causing malicious or damaging attacks. Performing any hacks without written permission is illegal!


    All video’s and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in is only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.


    All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.



    - Hacking Truth by Kumar Atul Jaiswal



    I hope you liked this post; if so, do not forget to share it.
    Thank you so much :-)

