TryHackMe: Basic Pentesting — Write-Up
Hi,
This article is a write-up of the Basic Pentesting room on TryHackMe.
It is a free room and anyone can join it.
In this set of tasks you will learn the following:
- brute forcing
- hash cracking
- service enumeration
- Linux Enumeration
Let’s get started.
Start the machine.
When you start the machine, its IP address may differ from the one shown in this article.
You will get a specific IP address for the machine, as shown in figure 1.1 below. Start by scanning it with nmap (SYN scan plus service/version detection, saving the output to a file):
nmap -sS -sV 10.10.202.55 | tee nmap.txt
Open this IP address in a web browser, as shown in figure 1.3 below.
There might be hidden directories in this web app. To find them we will use the DirBuster tool:
dirbuster
After running this command the GUI will open, as shown in figure 1.4 below.
After configuring it as shown above, click the Start button to begin searching for hidden directories, as shown in figure 1.5 below.
We found a directory “development” containing 2 files:
File dev.txt:
File j.txt:
Both files contain messages addressed to K and J.
From the above files we got the following information:
- SMB has been configured.
- Apache Struts version 2.5.12 is running.
- User J is using a weak password which can be cracked easily.
Let’s start enumerating the SMB service with the enum4linux tool:
enum4linux -a 10.10.202.55 | tee enum4linux.txt
Now that we have both usernames, let’s run a brute-force attack against them with the well-known tool Hydra:
hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.202.55 | tee hydra.txt
Here we go: we have successfully found the password for the jan account. Now let’s try to log in:
ssh jan@10.10.202.55
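From the defender’s side, the Hydra run above leaves a very recognisable trace in the target’s sshd log: a burst of “Failed password” lines for one user from one source, followed (if a guess succeeded) by an “Accepted password” line. The following added example (my own code, not part of the room or the original article) parses constructed auth.log lines in that format and flags such bursts; the sample lines, the source addresses and the thresholds are assumptions chosen for the illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (not captured from the room), mimicking
# a password-guessing run against "jan" that succeeds on the sixth attempt.
SAMPLE_AUTH_LOG = """\
Mar 10 12:00:01 target sshd[1201]: Failed password for jan from 10.10.14.5 port 50122 ssh2
Mar 10 12:00:02 target sshd[1203]: Failed password for jan from 10.10.14.5 port 50124 ssh2
Mar 10 12:00:02 target sshd[1205]: Failed password for jan from 10.10.14.5 port 50126 ssh2
Mar 10 12:00:03 target sshd[1207]: Failed password for jan from 10.10.14.5 port 50128 ssh2
Mar 10 12:00:03 target sshd[1209]: Failed password for jan from 10.10.14.5 port 50130 ssh2
Mar 10 12:00:04 target sshd[1211]: Accepted password for jan from 10.10.14.5 port 50132 ssh2
Mar 10 12:30:00 target sshd[1300]: Failed password for kay from 192.168.1.20 port 41000 ssh2
"""

# Matches both password and public-key outcomes, including "invalid user" lines.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_events(text, year=2024):
    """Return (timestamp, result, user, src) tuples; syslog lines carry no year."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events

def find_bruteforce(events, threshold=5, window_seconds=60):
    """Flag (src, user) pairs with >= threshold failures inside one sliding window."""
    failures, successes = defaultdict(list), defaultdict(list)
    for ts, result, user, src in events:
        (failures if result == "Failed" else successes)[(src, user)].append(ts)
    findings = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                # A success after the burst means a guessed password worked.
                success_after = any(t >= times[end] for t in successes.get(key, []))
                findings[key] = {"failures": len(times), "success_after_burst": success_after}
                break
    return findings
```

In practice the same logic is what tools such as fail2ban apply to block the source after a burst; the single kay failure below the threshold is correctly left alone.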
Here we have successfully logged in. Now let’s explore this machine, especially Kay’s account, to find something useful. We found a password backup file in Kay’s home directory, but unfortunately the jan account does not have the privileges to read it, and jan cannot run sudo either.
In order to read the password backup file we have to escalate privileges. After exploring Kay’s directories a bit more, we found SSH keys, as shown in figure 1.13 below.
Save the key on your machine in a file using nano or any editor you like.
Now run the ssh2john tool to convert the key into a hash that John can crack:
python /usr/share/john/ssh2john.py sshkey.txt > sshkeyhash.txt
Now run John the Ripper to crack the passphrase protecting Kay’s key:
john --wordlist=/usr/share/wordlists/rockyou.txt sshkeyhash.txt
Now log in to Kay’s account over SSH using the saved key and the cracked passphrase:
ssh -i id_rsa kay@10.10.202.55
Here we go: we have successfully logged in to Kay’s account over SSH. Now let’s go to that password backup file and read its contents.
We have finally got the password, and the challenge is completed here.
Let’s also try to escalate privileges from Kay’s account. First we check what sudo privileges Kay has with the command:
sudo -l
The result shows that kay has full sudo privileges, so we execute:
sudo su
We now have root and can read the flag.txt file.
Hurrah! We have completed the Basic Pentesting challenge. Thanks for staying until the end.