Lab - Medium
Last updated
Hello, everyone. Today we will be working through the Medium-level Password Attacks lab from the HTB Academy Penetration Testing course. Our goal is to obtain the contents of flag.txt in /root/.
First, we port-scan the target to identify open ports and see which services we have to work with.
Three ports are open: 22 (SSH), 139 and 445 (SMB). Let's list the shares available on the server.
Let's review the contents of the SHAREDRIVE share.
First, let's apply the rules from custom.rule to each word in password.list and save the mutated candidates in mut_password.list.
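The page does not show the contents of custom.rule or the hashcat command, so here is an added example (my own code, not the lab's) that implements the subset of hashcat's rule syntax most custom rule files use and applies it to a wordlist, which is what hashcat -r custom.rule --stdout password.list > mut_password.list does. The sample words and rules are constructed; the lab's real files are not reproduced here.

```python
"""Apply a subset of hashcat's rule syntax to a wordlist.

Each rule line is a sequence of functions, and every (word, rule) pair yields one
candidate. Only the functions listed in ARGC are supported; anything else raises.
"""

from typing import Iterable, List

# Rule function -> number of argument characters that follow it.
ARGC = {
    ":": 0, "l": 0, "u": 0, "c": 0, "C": 0, "t": 0, "r": 0, "d": 0,
    "[": 0, "]": 0,
    "$": 1, "^": 1,
    "s": 2,
}


def parse_rule(line: str) -> List[str]:
    """Split one rule line into functions; hashcat accepts 'c $1 $2' and 'c$1$2' alike."""
    funcs, i = [], 0
    while i < len(line):
        ch = line[i]
        if ch == " ":
            i += 1
            continue
        if ch not in ARGC:
            raise ValueError(f"unsupported rule function {ch!r} in rule {line!r}")
        end = i + 1 + ARGC[ch]
        if end > len(line):
            raise ValueError(f"missing argument for {ch!r} in rule {line!r}")
        funcs.append(line[i:end])
        i = end
    return funcs


def apply_function(word: str, fn: str) -> str:
    """Apply a single rule function such as 'l', 'c', '$1' or 'sa@' to a word."""
    op = fn[0]
    if op == ":":   # no-op: the original word is itself a candidate
        return word
    if op == "l":   # lowercase everything
        return word.lower()
    if op == "u":   # uppercase everything
        return word.upper()
    if op == "c":   # capitalise the first letter, lowercase the rest
        return word[:1].upper() + word[1:].lower()
    if op == "C":   # lowercase the first letter, uppercase the rest
        return word[:1].lower() + word[1:].upper()
    if op == "t":   # toggle the case of every letter
        return word.swapcase()
    if op == "r":   # reverse
        return word[::-1]
    if op == "d":   # duplicate
        return word * 2
    if op == "[":   # delete the first character
        return word[1:]
    if op == "]":   # delete the last character
        return word[:-1]
    if op == "$":   # append a character
        return word + fn[1]
    if op == "^":   # prepend a character
        return fn[1] + word
    if op == "s":   # replace every X with Y
        return word.replace(fn[1], fn[2])
    raise ValueError(f"unsupported rule function {fn!r}")


def mutate(words: Iterable[str], rules: Iterable[str]) -> List[str]:
    """Return the candidates from applying every rule to every word.

    '#' comment lines and blank lines in the rule file are skipped. Unlike hashcat,
    duplicate candidates are dropped so the resulting wordlist stays small."""
    parsed = [parse_rule(r.strip()) for r in rules
              if r.strip() and not r.lstrip().startswith("#")]
    out, seen = [], set()
    for word in words:
        word = word.rstrip("\r\n")
        for funcs in parsed:
            cand = word
            for fn in funcs:
                cand = apply_function(cand, fn)
            if cand and cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


# Constructed sample input (the lab's real password.list and custom.rule are not shown).
SAMPLE_WORDS = ["password", "Company", "summer"]
SAMPLE_RULES = [
    "# keep the word unchanged",
    ":",
    "c",           # Password
    "c $1 $2 $3",  # Password123
    "sa@ so0",     # p@ssw0rd
    "c $!",        # Password!
    "u",           # PASSWORD
    "r",           # drowssap
]


def build_wordlist(words=SAMPLE_WORDS, rules=SAMPLE_RULES) -> List[str]:
    return mutate(words, rules)


if __name__ == "__main__":
    # With real files: mutate(open("password.list"), open("custom.rule")), written to mut_password.list
    for candidate in build_wordlist():
        print(candidate)
```

Deduplication is a deliberate departure from hashcat's output: hashcat keeps every candidate because it streams them straight into the cracking loop, whereas a saved wordlist only gets larger from repeats.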
Next, let's see what we can get out of the Docs.zip file obtained from the SMB share. It is password-protected, so we extract a crackable hash from it and run it against our wordlist.
We have the password for Docs.zip. Let's use it to extract the contents.
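To show what the zip hash extraction and cracking step does under the hood, here is an added example (my own code, not from the lab or the page) implementing PKZIP "traditional" encryption (ZipCrypto), the scheme that legacy password-protected archives use and that zip2john/john target. It assumes Docs.zip used ZipCrypto rather than WinZip AES, which the page does not state; the encrypted entry and candidate list are constructed in memory.

```python
"""Dictionary attack on PKZIP 'traditional' (ZipCrypto) encryption.

A zip writer prepends 12 random bytes to each entry, the last of which is the high
byte of the entry's CRC-32 (or of its DOS time when general-purpose flag bit 3 is set).
A cracker can therefore reject almost every wrong password after decrypting just 12
bytes, and only the ~1/256 survivors need the full CRC check.
"""

import os
import zlib

# CRC-32 lookup table (reflected polynomial 0xEDB88320) used by the key schedule.
CRC_TABLE = []
for _n in range(256):
    _c = _n
    for _ in range(8):
        _c = (0xEDB88320 ^ (_c >> 1)) if _c & 1 else (_c >> 1)
    CRC_TABLE.append(_c)


def _crc32_byte(crc: int, b: int) -> int:
    return CRC_TABLE[(crc ^ b) & 0xFF] ^ (crc >> 8)


class ZipCrypto:
    """PKWARE traditional encryption: a byte stream cipher driven by three 32-bit keys."""

    def __init__(self, password: bytes):
        self.k0, self.k1, self.k2 = 0x12345678, 0x23456789, 0x34567890
        for b in password:           # the password is simply fed through the key update
            self._update(b)

    def _update(self, b: int) -> None:
        self.k0 = _crc32_byte(self.k0, b)
        self.k1 = (self.k1 + (self.k0 & 0xFF)) & 0xFFFFFFFF
        self.k1 = (self.k1 * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = _crc32_byte(self.k2, self.k1 >> 24)

    def _keystream_byte(self) -> int:
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def encrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for b in data:
            out.append(b ^ self._keystream_byte())
            self._update(b)          # keys advance on the plaintext byte
        return bytes(out)

    def decrypt(self, data: bytes) -> bytes:
        out = bytearray()
        for b in data:
            p = b ^ self._keystream_byte()
            out.append(p)
            self._update(p)
        return bytes(out)


def encrypt_entry(password: bytes, plaintext: bytes):
    """Produce (crc, ciphertext) for a STORED entry: 12-byte header + data, one key stream."""
    crc = zlib.crc32(plaintext) & 0xFFFFFFFF
    header = os.urandom(11) + bytes([crc >> 24])
    return crc, ZipCrypto(password).encrypt(header + plaintext)


def check_password(password: bytes, crc: int, encrypted: bytes) -> bool:
    """Cheap header check first; full CRC check only for candidates that survive it."""
    zc = ZipCrypto(password)
    if zc.decrypt(encrypted[:12])[11] != (crc >> 24):
        return False
    return (zlib.crc32(zc.decrypt(encrypted[12:])) & 0xFFFFFFFF) == crc


def crack(candidates, crc: int, encrypted: bytes):
    """Return the first candidate that verifies, or None."""
    for pw in candidates:
        if check_password(pw.encode(), crc, encrypted):
            return pw
    return None


# Constructed sample: a small "document" protected with a password we then recover.
SAMPLE_PASSWORD = b"Summer2023!"
SAMPLE_PLAINTEXT = b"Internal note: the VPN password rotates quarterly.\n"
SAMPLE_CRC, SAMPLE_BLOB = encrypt_entry(SAMPLE_PASSWORD, SAMPLE_PLAINTEXT)
CANDIDATES = ["password", "summer2023", "Summer2023", "Winter2023!", "Summer2023!", "Summer2024!"]


if __name__ == "__main__":
    print(crack(CANDIDATES, SAMPLE_CRC, SAMPLE_BLOB))
```

For a real archive the CRC and flag bits come from the entry's local file header (zipfile.ZipInfo exposes them as CRC and flag_bits), and the candidates would be read from the mutated wordlist. Python's own zipfile module performs the same 12-byte header check and raises RuntimeError("Bad password ...") when it fails, so a quick-and-dirty cracker can loop over ZipFile.open(name, pwd=...) instead. Archives using WinZip AES derive keys with PBKDF2 and verify with an HMAC, so this header shortcut does not apply to them and each guess is far more expensive.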
The archive contains a file named Documentation.docx. Let's examine it to see what information it holds.
Opening it fails: the document is password-protected as well, so let's crack that password too.
We now have the password. Let's open Documentation.docx and review its contents.
The document gives us the password for the user "jason". Let's try to connect via SSH with those credentials.
We have successfully established an SSH session as "jason".
Looking around from inside the box, I found that port 3306, the default MySQL port, is listening even though it did not show up in our initial scan. Let's try to connect to the MySQL server, reusing Jason's credentials.
Let's enumerate the database to see what information we can extract.
Digging through the database, I found an additional user, "dennis", along with his password.
Let's use these credentials to log in as the user "dennis".
After an extensive search for the flag, I found a hint that useful files might be sitting in one of the users' home directories.
Let's proceed by obtaining the SSH key for the user Dennis.
Let's copy the contents of id_rsa to a file on our attacking machine and fix its permissions so that SSH will accept it. The key is passphrase-protected, so before we can use it we need to recover the passphrase.
First, we extract a hash from the SSH private key file (id_rsa) so that John the Ripper can crack it.
We have the passphrase. Let's set the key file's permissions and try it for an SSH login as root, which is where the flag lives, to see whether this works.
Now we can get the flag.