
TryHackMe | LazyAdmin

First, let’s start with an nmap scan:

nmap -T4 -A 10.10.194.24


The only things open on the machine are SSH and a web server. The SSH version running is OpenSSH 7.2p2 Ubuntu. As much as I’d love to start brute forcing SSH, I don’t even have a username to try.

However, checking for a possible exploit of the ssh version, we can find the following information:

OpenSSH 7.2p2 - Username Enumeration

So there is a username enumeration exploit for this specific version of SSH. Copy the file contents into a file called usernameEnum.py, and then try to run it. The script needs an additional Python library called paramiko, so install that using pip:

pip install paramiko

We also need to install numpy:

pip install numpy


./usernameEnum.py 10.10.194.24 -U /usr/share/wordlists/seclists/SecLists-master/Usernames/top-usernames-shortlist.txt


We gathered a good number of users from that. So now, I am going to try the discovered usernames with an SSH brute force tool. Let’s use hydra, but first make sure these usernames are stored in a .txt file to use as the username list.

hydra -L lazyadminusers.txt -P /usr/share/wordlists/rockyou.txt ssh://10.10.194.24

Brute forcing with hydra doesn’t really do anything, so let’s transition over to port 80, the webserver.
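From the defender's side, both the username enumeration run and the hydra run are long series of password authentication attempts, which sshd records as failed logins. The following is an added example, not part of the original writeup: a small detector that separates the two patterns per source IP. The log lines are constructed, the Ubuntu auth.log message format is assumed, and the thresholds and the detect function name are assumptions.

```python
import re
from collections import Counter, defaultdict

# Constructed sample events in Ubuntu auth.log style; host, IPs and users are made up.
PREFIX = "Mar  3 10:00:01 lazyadmin sshd[1201]: "
SAMPLE_EVENTS = [
    "Invalid user admin from 192.0.2.10",
    "Failed password for invalid user admin from 192.0.2.10 port 40112 ssh2",
    "Failed password for invalid user test from 192.0.2.10 port 40114 ssh2",
    "Failed password for invalid user guest from 192.0.2.10 port 40116 ssh2",
    # The username is client-controlled: this one tries to smuggle in a fake source address.
    "Failed password for invalid user x from 203.0.113.99 port 1 ssh2 from 192.0.2.10 port 40118 ssh2",
    *(["Failed password for root from 198.51.100.7 port 52000 ssh2"] * 6),
    "Failed password for alice from 203.0.113.5 port 60000 ssh2",
    "Accepted password for alice from 203.0.113.5 port 60002 ssh2",
]
SAMPLE_LOG = "\n".join(PREFIX + event for event in SAMPLE_EVENTS)

# Greedy user group plus the end-of-line anchor: the address parsed is always the
# one sshd appended last, never one embedded in the username.
FAILED = re.compile(
    r"sshd\[\d+\]: Failed password for (?P<invalid>invalid user )?(?P<user>.*)"
    r" from (?P<ip>\S+) port \d+ ssh2$"
)

def detect(log_text, min_invalid_users=3, min_failures_per_user=5):
    """Return {source_ip: [tags]} for sources that look like enumeration or brute force."""
    invalid_users = defaultdict(set)   # ip -> usernames sshd reported as nonexistent
    failures = defaultdict(Counter)    # ip -> username -> failed attempts
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m is None:
            continue
        failures[m["ip"]][m["user"]] += 1
        if m["invalid"]:
            invalid_users[m["ip"]].add(m["user"])
    alerts = {}
    for ip, per_user in failures.items():
        tags = []
        # Many different nonexistent accounts from one source: a username list being walked.
        if len(invalid_users[ip]) >= min_invalid_users:
            tags.append("username-enumeration")
        # Many failures against a single account: a password list being walked.
        if max(per_user.values()) >= min_failures_per_user:
            tags.append("password-bruteforce")
        if tags:
            alerts[ip] = tags
    return alerts

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))
```

The same counts are what rate-limiting tools key on, so an alert here is also a candidate for a temporary block of the source address.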

Webserver

Loading up the webserver gives a default page.

Let’s do some directory busting. Launch dirbuster (dirbuster &) and search with the medium directory list to find some information. We can find some JavaScript files, and from them figure out that the victim is using SweetRice, a website management tool.