This machine is from THM. It is also available on VulnHub.
The nmap scan report shows that the following ports are open:
- ssh 80
- http 22 etc. (refer to the scan report)
Basic enumeration should always be done on the target machine. I used enum4linux to enumerate the usernames, OS type and other details of the target system, and was able to find the usernames. This is helpful when the ssh port is open and we don't know the username.
enum4linux -a 10.10.212.198 | tee enumiration.log
Here is the enumeration report in enumiration.log:
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)
From the above output we can see the users kay and jan.
We use hydra to crack passwords on servers. We pass it a wordlist and the type of service followed by the IP address (refer to the help dialog).
hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://Tar.get.IP/
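On the target, a password-guessing run like the one above appears in the sshd log as a burst of failed logins for one user from one address, and the line that matters most is an accepted login right after that burst. The following is an added example, not part of the original writeup: the log lines are constructed, and the threshold, window and year are assumptions to tune for a real host.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd auth.log lines for illustration; not captured from the target.
SAMPLE_LOG = """\
Mar  3 10:15:01 host sshd[1201]: Failed password for jan from 10.9.0.5 port 40001 ssh2
Mar  3 10:15:02 host sshd[1202]: Failed password for jan from 10.9.0.5 port 40002 ssh2
Mar  3 10:15:03 host sshd[1203]: Failed password for jan from 10.9.0.5 port 40003 ssh2
Mar  3 10:15:04 host sshd[1204]: Failed password for jan from 10.9.0.5 port 40004 ssh2
Mar  3 10:15:05 host sshd[1205]: Failed password for jan from 10.9.0.5 port 40005 ssh2
Mar  3 10:15:06 host sshd[1206]: Failed password for jan from 10.9.0.5 port 40006 ssh2
Mar  3 10:15:09 host sshd[1207]: Accepted password for jan from 10.9.0.5 port 40007 ssh2
Mar  3 10:20:00 host sshd[1300]: Failed password for kay from 10.9.0.77 port 51000 ssh2
Mar  3 10:20:08 host sshd[1301]: Accepted password for kay from 10.9.0.77 port 51001 ssh2
Mar  3 10:21:00 host sshd[1302]: Failed password for invalid user admin from 10.9.0.77 port 51002 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+")

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60), year=2024):
    """Return ('burst' | 'success_after_burst', ip, user) alerts in log order."""
    recent = defaultdict(deque)   # (ip, user) -> timestamps of recent failures
    flagged = set()               # (ip, user) pairs that already crossed the threshold
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so one is supplied (assumption)
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        key = (m["ip"], m["user"])
        q = recent[key]
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if m["result"] == "Failed":
            q.append(ts)
            if len(q) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append(("burst", *key))
        elif key in flagged:              # a login succeeded after a guessing burst
            alerts.append(("success_after_burst", *key))
    return alerts
```

Keying on the (address, user) pair matches a single-user run such as `-l`; guessing spread across many usernames would need a second counter keyed on the address alone.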
I used linPEAS, a tool that is executed on the target system to find out which privilege escalation possibilities exist and through which processes. I have the tool on my Kali VM at /opt/tools/linpeas.sh. Once it is copied using scp
scp -P 22 /files/linpeas.sh jan@Target_IP:~/
I found an ssh private key and used that private key to connect as kay. The private key is stored as ssh_key. It is converted to a hash using
ssh2john /path/to/the/file
I then cracked the password, which is stored in the relevant txt file in the files directory. Now I can see the password by logging into kay's account.
ssh -i /identity/file kay@Target-IPaddress