In this set of tasks you'll learn the following:
1. brute forcing
2. hash cracking
3. service enumeration
4. Linux enumeration
1. Find the services exposed by the machine
sudo nmap -A -T4 10.10.101.207 -oN nmap_basicpentest
2. What is the name of the hidden directory on the web server (enter the name without /)?
gobuster dir -u 10.10.101.207 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 40 -o gobuster_basic 2>/dev/null
Information gathering on the /development directory.
Enumerate SMB shares and users:
enum4linux -a 10.10.101.207
3. User brute-forcing to find the username & password
I’ve been auditing the contents of /etc/shadow to make sure we don’t have any weak credentials,
and I was able to crack your hash really easily. You know our password policy, so please follow
it? Change that password ASAP.
Brute forcing SSH:
hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.101.207
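Every guess hydra sends above lands in the target's sshd log as a `Failed password for jan from <attacker>` line, which is what makes this step easy to detect. The following is an added example, not part of the room or this writeup: a small Python detector run over constructed auth.log lines (the hostname, addresses and timestamps are made up) that flags a source reaching a threshold of failed password attempts against one account inside a time window, and records whether that burst was followed by a successful login.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of sshd lines in /var/log/auth.log (syslog) format; the
# host, users and addresses are made up for this example.
SAMPLE_LOG = """\
Jan 10 09:00:01 target sshd[1201]: Failed password for jan from 10.10.14.5 port 51000 ssh2
Jan 10 09:00:02 target sshd[1203]: Failed password for jan from 10.10.14.5 port 51002 ssh2
Jan 10 09:00:02 target sshd[1205]: Failed password for jan from 10.10.14.5 port 51004 ssh2
Jan 10 09:00:03 target sshd[1207]: Failed password for jan from 10.10.14.5 port 51006 ssh2
Jan 10 09:00:03 target sshd[1209]: Failed password for jan from 10.10.14.5 port 51008 ssh2
Jan 10 09:00:04 target sshd[1211]: Accepted password for jan from 10.10.14.5 port 51010 ssh2
Jan 10 09:05:00 target sshd[1300]: Failed password for kay from 192.168.1.20 port 40000 ssh2
Jan 10 09:30:00 target sshd[1301]: Accepted publickey for kay from 192.168.1.20 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_ts(ts, year=2024):
    # syslog timestamps carry no year; assume one so the window arithmetic works.
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def detect_bruteforce(log_text, threshold=5, window_s=60):
    """Return alerts keyed by (src, user) for pairs that reach `threshold` failed
    password attempts within `window_s` seconds; note any later success."""
    attempts = defaultdict(deque)   # (src, user) -> timestamps of recent failures
    alerts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key = (m["src"], m["user"])
        t = parse_ts(m["ts"])
        if m["result"] == "Failed":
            q = attempts[key]
            q.append(t)
            while q and (t - q[0]).total_seconds() > window_s:
                q.popleft()       # drop failures that fell out of the window
            if len(q) >= threshold and key not in alerts:
                alerts[key] = {"failures": len(q), "first": q[0], "succeeded": False}
        elif key in alerts:
            alerts[key]["succeeded"] = True   # burst followed by a login: likely cracked
    return alerts
```

A single failure from the second source never reaches the threshold, so only the burst against jan is reported.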
4. Enumerate the machine to find any vectors for privilege escalation
Transfer linpeas.sh to the target via SCP, since port 22 is open.
Run linpeas.sh on the target machine to check for possible escalation vectors.
Navigate to /home/kay/.ssh/ and copy id_rsa to the attacker machine for brute forcing.
Try to log in as kay using the id_rsa.
Convert id_rsa with ssh2john and brute force the passphrase.
Log in as kay using the cracked passphrase.
5. What is the final password you obtain?