How I used Enum4linux to Gain a Foothold Into the Target Machine (TryHackMe) : Benjamin Reitz
by: Benjamin Reitz
Post content originally published on Finxter.
Enum4linux is a tool for extracting information from both Windows and Samba systems. Its primary objective is to provide functionality comparable to the now-defunct enum.exe tool, which was previously available from www.bindview.com. Enum4linux is written in Perl and is essentially a wrapper around the Samba toolset, including smbclient, rpcclient, net, and nmblookup.
CHALLENGE OVERVIEW
- CTF Creator: John Hammond
- Link: Basic Pentesting
- Difficulty: Easy
- Target: user flag and final flag
- Highlight: extracting credentials from an SMB server with SMBmap
- Tools used: nmap, dirb, enum4linux, john, hydra, linpeas, ssh
- Tags: security, boot2root, cracking, webapp
BACKGROUND
![](https://blog.finxter.com/wp-content/uploads/2023/02/image-267.png)
This is a pretty standard type of CTF challenge that involves some recon, gaining an initial foothold, lateral privilege escalation, and discovery of the flags.
It was a great way to review how to use the standard pentesting tools (i.e., nmap, dirb, smbmap, john, hydra).
If you are just starting with CTF challenges, you may find some of the tools and concepts to be a bit more technical. Please check out the video walkthrough if anything is unclear in this write-up!
ENUMERATION/RECON
![](https://blog.finxter.com/wp-content/uploads/2023/02/image-268.png)
IP ADDRESSES
```bash
export targetIP=10.10.192.10
export myIP=10.6.2.23
```
ENUMERATION
NMAP SCAN
```bash
nmap -A -p- -T4 -oX nmap.txt $targetIP
```
- -A: enable OS detection, version detection, script scanning, and traceroute
- -p-: scan all ports
- -T4: timing template 4 (1-5, with 5 being the fastest)
- -oX: write the output as an XML file
![](https://blog.finxter.com/wp-content/uploads/2023/02/image-255.png)
DIRB SCAN
```bash
dirb http://$targetIP -o dirb.txt
```
- -o <filename>: write the output to <filename>
![](https://blog.finxter.com/wp-content/uploads/2023/02/image-256.png)
WALK THE WEBSITE
![](https://blog.finxter.com/wp-content/uploads/2023/02/image-269.png)
“Check our dev note section if you need to know what to work on.” (I found this hint in the source code.)
http://10.10.192.10/development/
![](https://blog.finxter.com/wp-content/uploads/2023/02/image-257.png)
Reading through these two documents, we learn the following interesting things:
- User “J” has a weak password hash in /etc/shadow that can be cracked easily!
- We may be able to find an exploit for REST version 2.5.12
Searching through exploit-db, we find two possibilities:
- https://www.exploit-db.com/exploits/45068
- https://www.exploit-db.com/exploits/42627 (this one is probably it!)
![](https://blog.finxter.com/wp-content/uploads/2023/02/image-258.png)
I tried out this Python exploit, but didn’t have any luck. Let’s move forward for now and enumerate the SMB server.
ENUMERATING SMB
```bash
smbmap -a $targetIP
```
We see a listing for an anonymous login in our results. However, we aren’t able to log in as anonymous.
USING ENUM4LINUX TO EXTRACT SSH LOGIN CREDENTIALS
![](https://blog.finxter.com/wp-content/uploads/2023/02/image-270.png)
```bash
enum4linux -a 10.10.192.10
```
- -a: do all simple enumeration (-U -S -G -P -r -o -n -i)
![](https://blog.finxter.com/wp-content/uploads/2023/02/image-259.png)
![](https://blog.finxter.com/wp-content/uploads/2023/02/image-260.png)
Found users: kay and jan.
My guess is that our first user credential with the easy hash will be for user jan, because the hidden file j.txt in the /development folder was written to “J”.
USING HYDRA TO BRUTEFORCE A PASSWORD FOR JAN/KAY
```bash
hydra -l jan -t 4 -P /home/kalisurfer/hacking-tools/rockyou.txt ssh://10.10.192.10
hydra -l kay -P /home/kalisurfer/hacking-tools/rockyou.txt ssh://10.10.192.10
```
Discovered password for jan: armando
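From the target's side, a hydra run like the one above leaves a burst of `Failed password` lines in the sshd log, followed by an `Accepted password` once the wordlist hits. As an added example (my code, not the author's), the detector below parses constructed syslog-style sshd lines, flags any source IP that produces a burst of failures inside a short window, and reports whether that IP then logged in successfully; the log lines, the 192.0.2.7 address, and the year are constructed, not taken from the box.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in syslog format (not taken from the box); the year is assumed to be 2023.
SAMPLE_AUTH_LOG = """\
Feb 19 00:10:01 target sshd[2101]: Failed password for jan from 10.6.2.23 port 51001 ssh2
Feb 19 00:10:01 target sshd[2102]: Failed password for jan from 10.6.2.23 port 51002 ssh2
Feb 19 00:10:02 target sshd[2103]: Failed password for invalid user admin from 10.6.2.23 port 51003 ssh2
Feb 19 00:10:02 target sshd[2104]: Failed password for jan from 10.6.2.23 port 51004 ssh2
Feb 19 00:10:03 target sshd[2105]: Failed password for jan from 10.6.2.23 port 51005 ssh2
Feb 19 00:10:04 target sshd[2106]: Accepted password for jan from 10.6.2.23 port 51006 ssh2
Feb 19 00:15:30 target sshd[2200]: Failed password for kay from 192.0.2.7 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse(log_text, year=2023):
    """Return a list of (timestamp, result, user, ip) for every sshd password-auth line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def bruteforce_alerts(log_text, threshold=4, window_s=60):
    """Map source IP -> user whose login later succeeded (or None) for every IP that
    produced at least `threshold` failures within `window_s` seconds."""
    failures, success_after = defaultdict(list), {}
    for ts, result, user, ip in parse(log_text):
        if result == "Failed":
            failures[ip].append(ts)
        elif ip in failures:  # success following a burst: the credential was guessed
            success_after[ip] = user
    alerts = {}
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_s:
                alerts[ip] = success_after.get(ip)
                break
    return alerts
```

The single failure from 192.0.2.7 stays below the threshold, so only the attack box is reported, together with the account it ended up in.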
LOCAL RECON – LOG IN AS JAN VIA SSH
![](https://blog.finxter.com/wp-content/uploads/2023/02/image-271.png)
We’ll automate our local recon with linpeas.sh. To get the script onto the target system, we spin up a simple python3 HTTP server on our attack box and use wget to copy it into the /tmp directory of the target.
After running linpeas.sh, we review the results and find a hidden SSH key for user kay. Our next step is to prep and crack the hash to recover the passphrase needed to log in as user kay.
![](https://blog.finxter.com/wp-content/uploads/2023/02/image-261.png)
![](https://blog.finxter.com/wp-content/uploads/2023/02/image-262.png)
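The key that linpeas turned up was readable from jan's account. As an added example (my code, not the author's and not part of linpeas), the audit below walks a directory tree and reports private keys whose file mode lets group or other users read them; it assumes the exposure on the box came from loose file permissions, and the fixture it builds uses placeholder key files, not real key material.

```python
import os
import stat
import tempfile

PRIVATE_KEY_HEADER = b"-----BEGIN"


def is_private_key(path):
    """Heuristic: the file starts with a PEM/OpenSSH private-key header."""
    try:
        with open(path, "rb") as f:
            head = f.read(64)
    except OSError:
        return False
    return head.startswith(PRIVATE_KEY_HEADER) and b"PRIVATE KEY" in head


def exposed_private_keys(root):
    """Return [(path, mode)] for private keys under root readable by group or others.
    Dot-directories such as .ssh are walked too, which is where the hidden key lived."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            if stat.S_ISLNK(mode):
                continue  # judge the target file on its own walk, not the link
            if mode & (stat.S_IRGRP | stat.S_IROTH) and is_private_key(path):
                findings.append((path, stat.S_IMODE(mode)))
    return findings


def build_demo_tree():
    """Constructed fixture (placeholder keys, not real material): one key left world-readable
    and one locked down to its owner. Returns (root, path_of_the_loose_key)."""
    root = tempfile.mkdtemp()
    ssh_dir = os.path.join(root, "home", "kay", ".ssh")
    os.makedirs(ssh_dir)
    body = "-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER\n-----END OPENSSH PRIVATE KEY-----\n"
    loose = os.path.join(ssh_dir, "id_rsa")
    tight = os.path.join(ssh_dir, "id_ed25519")
    for path, mode in ((loose, 0o644), (tight, 0o600)):
        with open(path, "w") as f:
            f.write(body)
        os.chmod(path, mode)
    return root, loose
```

Only the 0644 key is reported; the 0600 one is invisible to other accounts and passes.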
LATERAL PRIVILEGE ESCALATION TO USER KAY
First we’ll use ssh2john to prep the hash for use with John the Ripper.
![](https://blog.finxter.com/wp-content/uploads/2023/02/image-263.png)
Next, we’ll crack the password for the hash with john.
![](https://blog.finxter.com/wp-content/uploads/2023/02/image-264.png)
Now that we’ve brute-forced the password with hashes of the wordlist rockyou.txt, we can go ahead and switch users to kay with the password beeswax.
POST-EXPLOITATION
Locate the pass.bak file and cat it to find the “final password”.
![](https://blog.finxter.com/wp-content/uploads/2023/02/image-265.png)
FINAL THOUGHTS
![](https://blog.finxter.com/wp-content/uploads/2023/02/image-272.png)
This box showed the power of enum4linux for enumerating Linux machines. We were able to extract two usernames that helped us brute-force our way into the server and gain our initial foothold.
Linpeas can do similar things, but the big difference between the two is that linpeas is for local enumeration after a foothold, while enum4linux is for initial enumeration before gaining one.
February 19, 2023 at 12:20AM