How I used Enum4linux to Gain a Foothold Into the Target Machine (TryHackMe) : Benjamin Reitz

The post content below is copied from Finxter.



💡 Enum4linux is a software utility designed to extract information from both Windows and Samba systems. Its primary objective is to provide comparable functionality to the now-defunct enum.exe tool, which was previously accessible at www.bindview.com. Enum4linux is written in Perl and essentially functions as a front end for the Samba toolset, including smbclient, rpcclient, net, and nmblookup.

CHALLENGE OVERVIEW

  • CTF Creator: John Hammond
  • Link: Basic Pentesting
  • Difficulty: Easy 
  • Target: user flag and final flag
  • Highlight: extracting credentials from an SMB server with SMBmap
  • Tools used: nmap, dirb, enum4linux, john, hydra, linpeas, ssh
  • Tags: security, boot2root, cracking, webapp

BACKGROUND

This is a pretty standard type of CTF challenge that involves some recon, gaining an initial foothold, lateral privilege escalation, and discovery of the flags.

It was a great way to review how to use the standard pentesting tools (e.g., nmap, dirb, smbmap, john, hydra).

If you are just starting with CTF challenges, you may find some of the tools and concepts to be a bit more technical. Please check out the video walkthrough if anything is unclear in this write-up! 

ENUMERATION/RECON

IP ADDRESSES

export targetIP=10.10.192.10
export myIP=10.6.2.23

ENUMERATION

NMAP SCAN

nmap -A -p- -T4 -oX nmap.txt $targetIP
  • -A Enable OS detection, version detection, script scanning, and traceroute
  • -p- scan all ports
  • -T4 speed 4 (1-5 with 5 being the fastest)
  • -oX output as an XML-type file

DIRB SCAN

dirb http://$targetIP -o dirb.txt
  • -o output as <filename>

WALK THE WEBSITE

Check our dev note section if you need to know what to work on. (I found this hint in the page source code.)

http://10.10.192.10/development/

Reading through these two documents, we learn the following interesting things:

  • User “J” has a weak password hash in /etc/shadow that can be cracked easily!
  • We may be able to find an exploit for REST version 2.5.12

Searching through exploit-db we find two possibilities:

  1. https://www.exploit-db.com/exploits/45068
  2. https://www.exploit-db.com/exploits/42627 (this one is probably it!)

I tried out this Python exploit, but didn’t have any luck. Let’s move forward for now and enumerate the SMB server.

ENUMERATING SMB

smbmap -a $targetIP

We see a listing for an anonymous login in our results. However, we aren’t able to log in as anonymous.

USING ENUM4LINUX TO EXTRACT SSH LOGIN CREDENTIALS

enum4linux -a 10.10.192.10

-a  Do all simple enumeration (-U -S -G -P -r -o -n -i)

Found users: kay and jan

My guess is that our first user credential with the easy hash will be for user jan because the hidden file j.txt in the /development folder was written to “J”.

USING HYDRA TO BRUTE-FORCE A PASSWORD FOR JAN/KAY

hydra -l jan -t 4 -P /home/kalisurfer/hacking-tools/rockyou.txt ssh://10.10.192.10
hydra -l kay -P /home/kalisurfer/hacking-tools/rockyou.txt ssh://10.10.192.10

Discovered password for jan: armando
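From the defender's side, a hydra run like the one above leaves a tight burst of failed sshd logins in /var/log/auth.log, spread across the user names that were enumerated. This added example (not from the original post) parses constructed sshd log lines and flags any source IP that exceeds a failure threshold within a time window, reporting the user names tried and whether a successful login followed the burst; the log lines, IPs, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not real logs): the burst from 10.6.2.23
# mirrors what a parallel wordlist attack against enumerated users looks like.
SAMPLE_AUTH_LOG = """\
Feb 19 00:10:01 target sshd[2101]: Failed password for jan from 10.6.2.23 port 51002 ssh2
Feb 19 00:10:01 target sshd[2102]: Failed password for jan from 10.6.2.23 port 51003 ssh2
Feb 19 00:10:02 target sshd[2103]: Failed password for invalid user admin from 10.6.2.23 port 51004 ssh2
Feb 19 00:10:02 target sshd[2104]: Failed password for kay from 10.6.2.23 port 51005 ssh2
Feb 19 00:10:03 target sshd[2105]: Failed password for jan from 10.6.2.23 port 51006 ssh2
Feb 19 00:10:04 target sshd[2106]: Accepted password for jan from 10.6.2.23 port 51007 ssh2
Feb 19 00:15:30 target sshd[2150]: Failed password for kay from 10.10.5.5 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

def parse_events(log_text, year=2023):
    """Turn sshd lines into (timestamp, ip, user, result) tuples; skip the rest."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["ip"], m["user"], m["result"]))
    return events

def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Flag each source IP with >= threshold failures inside window_seconds, with users tried."""
    by_ip = defaultdict(list)
    for ev in sorted(events):
        by_ip[ev[1]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[3] == "Failed"]
        for i in range(len(fails)):  # sliding window over failure timestamps
            j = i
            while j < len(fails) and (fails[j][0] - fails[i][0]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= threshold:
                users = sorted({e[2] for e in fails})
                later_ok = any(e[3] == "Accepted" and e[0] > fails[j - 1][0] for e in evs)
                alerts[ip] = {"failures": len(fails), "users": users, "success_after": later_ok}
                break
    return alerts
```

A `success_after` of True is the case worth escalating: a password burst followed by an accepted login from the same source is exactly the trace this walkthrough's foothold leaves behind.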

LOCAL RECON – LOG IN AS JAN VIA SSH

We’ll automate our local recon with linpeas.sh

To get the script on our target system, we spin up a simple python3 HTTP server on our attack box and use wget to copy it to the /tmp directory of our target system.

After running linpeas.sh, we review the results and find a hidden SSH private key for user kay. Our next step is to prep the key and crack its passphrase so we can log in as user kay.

LATERAL PRIVILEGE ESCALATION TO USER KAY

First we’ll use ssh2john to convert the key into a hash format that John the Ripper understands.

Next, we’ll crack the passphrase for that hash with john.

Now that we’ve cracked the passphrase using the rockyou.txt wordlist, we can go ahead and switch users to kay with the password beeswax.

POST-EXPLOITATION

Locate the pass.bak file.

Cat it to find the “final password”.

FINAL THOUGHTS

This box showed the power of enum4linux for enumerating Linux machines. We were able to extract two usernames that helped us to brute force our way into the server and gain our initial foothold.

LinPEAS can do similar things, but the big difference between the two is that LinPEAS is for local enumeration once you already have a shell, while enum4linux is for remote enumeration before gaining a foothold.



February 19, 2023 at 12:20AM
The original post is available on Finxter by Benjamin Reitz.