# Basic Pentesting

1. Web App Testing and Privilege Escalation

First, we start the machine and run an nmap scan.
It's running HTTP on port 80, so we go to the website.
There is nothing on the page, but when we look at the source code we see something suspicious.
We start scanning for files and directories on the web server.
We see a hidden folder named /development in the scan output.
We know that SMB is used, so we can run enum4linux -a 10.0.186.96.
Now we know the usernames.
We remember the text written in the j.txt file: K asks J to change his password because it is weak. That's why we try to crack J's password.
We use Hydra for this.
We run the command hydra -l jan -P /usr/share/wordlists/rockyou.txt.gz ssh://10.10.186.96.
So we get Jan's password.
Now we can log in via SSH.
Question 8 asks us to find a way of privilege escalation.
We look at the files of our other user, Kay.
When we try to print the file named pass.bak, we get permission denied.
When we view the permissions of the files, we see a hidden folder named .ssh. This folder contains the id_rsa file.
We can read the RSA private key with the cat id_rsa command.
We copy this key to our desktop with nano.
We set the file's permissions with chmod 600 kay_id_rsa.
Then we prepare this key for John the Ripper.
We convert it into a format John the Ripper understands with the next command and save the result as john.txt.
With the command sudo john --wordlist=/usr/share/wordlists/rockyou.txt john.txt, a brute-force attack is run to find the passphrase. It turns out to be beeswax.
Then we connect to the kay user's account via SSH.
We print pass.bak with the cat pass.bak command.
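The privilege escalation above only works because Kay's private key was readable by another user and protected by a weak passphrase. As an added defensive example (not part of the original write-up), this script audits a directory tree such as /home for private keys that are group/other readable or carry no passphrase at all; the file names and key bodies in run_demo are constructed samples, not real keys.

```python
import base64, os, re, stat, struct, tempfile
PEM_BEGIN = re.compile(rb"-----BEGIN (?:(\w+) )?PRIVATE KEY-----")

def key_is_passphrase_protected(data: bytes) -> bool:
    """True if the key material is encrypted (PKCS#8, legacy PEM or OpenSSH format)."""
    m = PEM_BEGIN.search(data)
    if m.group(1) == b"ENCRYPTED" or b"Proc-Type: 4,ENCRYPTED" in data:
        return True
    if m.group(1) == b"OPENSSH":  # body = base64(magic, length-prefixed cipher name, ...)
        raw = base64.b64decode(b"".join(data[m.end():data.find(b"-----END", m.end())].split()))
        if raw.startswith(b"openssh-key-v1\x00"):
            # cipher name "none" means the key is stored without a passphrase
            return raw[19:19 + int.from_bytes(raw[15:19], "big")] != b"none"
    return False

def audit_key(path: str) -> list:
    """Findings for one file; empty if it is not a private key or is well protected."""
    if os.path.islink(path) or not os.path.isfile(path):
        return []
    with open(path, "rb") as f:
        data = f.read()
    if not PEM_BEGIN.search(data):
        return []
    findings, mode = [], stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("readable by group/other (mode %o)" % mode)
    if not key_is_passphrase_protected(data):
        findings.append("no passphrase")
    return findings

def audit_tree(root: str) -> dict:  # map each weak key under root (e.g. /home) to its findings
    report = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            findings = audit_key(os.path.join(dirpath, name))
            if findings:
                report[os.path.join(dirpath, name)] = findings
    return report

def run_demo() -> dict:
    """Constructed sample, not real keys: a world-readable unencrypted key beside a protected one."""
    raw = b"openssh-key-v1\x00" + struct.pack(">I", 4) + b"none" + b"\x00" * 8
    weak = b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.encodebytes(raw) + b"-----END OPENSSH PRIVATE KEY-----\n"
    good = b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\nAAAA\n-----END RSA PRIVATE KEY-----\n"
    with tempfile.TemporaryDirectory() as home:
        for name, body, mode in (("kay_id_rsa", weak, 0o644), ("jan_id_rsa", good, 0o600)):
            path = os.path.join(home, name)
            with open(path, "wb") as f:
                f.write(body)
            os.chmod(path, mode)
        return {os.path.basename(k): v for k, v in audit_tree(home).items()}
```

Point audit_tree at /home as root to get the report; ssh itself refuses a key with mode 644, but cat does not, which is why the mode check matters as much as the passphrase check.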