# Basic Pentesting

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MafEmAvpN-pKATCRkm2%2F-Maff1xERE8mMNo1XXBF%2Fimage.png?alt=media\&token=69aa1e33-bd42-4b25-afef-bbdd3a0333ba)

## Reconnaissance

Let's start with an initial nmap scan to find open ports (`-Pn` skips host discovery and treats the host as up).

```
nmap -Pn 10.10.15.47
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MafEmAvpN-pKATCRkm2%2F-MaffV3j3LHh420TXScn%2Fimage.png?alt=media\&token=1060c790-d1f8-4ee5-be57-98148569262a)

Detailed Nmap scan:

Command breakdown:

* (**-sV**): Service version detection
* (**-sC**): Default nmap scripts
* (**-p**): Specifying ports 22, 80, 139, 445, 8009 and 8080
* (**-oN nmap**): Saving the output in normal format to a file called nmap

```
nmap -sC -sV -p 22,80,139,445,8009,8080 -oN nmap 10.10.15.47
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MafEmAvpN-pKATCRkm2%2F-MafgF9dzZkDNV3rPm1P%2Fimage.png?alt=media\&token=c592bd8f-8043-455f-a1e0-a29ca70f7971)

We can find hidden directories on a website by using a tool called Gobuster.

Command breakdown:

* (**-w**): Specifying the wordlist
* (**-u**): Specifying the target URL

```
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.15.47
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MafEmAvpN-pKATCRkm2%2F-Mafh3JcMn4E1mh2Dw6V%2Fimage.png?alt=media\&token=d3d2d2de-1873-41c5-8e8b-1716d0876249)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MafEmAvpN-pKATCRkm2%2F-Mafh9IpLmddbw3d9ACs%2Fimage.png?alt=media\&token=da9c5fd3-11a9-476b-ab96-8b436cde364b)

Let's visit the website and the directory that we found using `Gobuster`.


![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MafEmAvpN-pKATCRkm2%2F-MafhZycp-Bo955qP2mt%2Fimage.png?alt=media\&token=cfac7745-b37e-4d92-a4d0-794ef29ee70d)

#### dev.txt

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MafEmAvpN-pKATCRkm2%2F-MafherBNNoWtDVmeEh7%2Fimage.png?alt=media\&token=ae1c618d-edea-437a-bea8-7dd03eba1c45)

#### j.txt

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MafEmAvpN-pKATCRkm2%2F-Mafhkk4CDAIl3Aai-K6%2Fimage.png?alt=media\&token=1c6353ab-d4d8-4d0c-ad6b-9159bafe11b1)

After reading through both of these files, dev.txt tells us about Apache Struts version 2.5.12, and j.txt tells us about a directory on the machine that contains a password hash. Looking at the nmap scan, we can see that SMB is open, so let's use enum4linux to enumerate it. `-a` runs all the simple enumeration checks.

```
enum4linux -a 10.10.15.47
```

Looking at the output, we found two users, `jan` and `kay`.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mafja9wApoj102lqtoo%2F-MaflQKSgzeSTXIO6y9H%2Fimage.png?alt=media\&token=f26bad79-a466-467c-9f97-e91ee0be016e)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MafmAIxm6UB-CI11dT1%2F-MafnuibBzDZTuOy_q6Q%2Fimage.png?alt=media\&token=9cee67ce-2f7c-433b-ace5-288fc64af7b4)

We should also try enumerating SMB with smbclient, so let's do that by connecting to the `anonymous` share.

```
smbclient //10.10.15.47/anonymous
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mafja9wApoj102lqtoo%2F-Mafm55GSoBRPc0Sw_fq%2Fimage.png?alt=media\&token=0d15953e-336c-4a54-8002-1b819b43b1e6)

And we are in. Looking for files, we find one called staff.txt; let's transfer it to our machine using the `get` command.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MafmAIxm6UB-CI11dT1%2F-MafmUQ0oH8KIbUAUxDR%2Fimage.png?alt=media\&token=d43df3f9-f5fd-4b5b-85f2-449269611e8c)

Let's see what it says.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MafmAIxm6UB-CI11dT1%2F-Mafmhtg0WGBsszIWbK1%2Fimage.png?alt=media\&token=420f4eee-90b9-4059-aaab-a7942f99b429)

## Exploitation

We see the same two usernames we found in the enum4linux scan, so now let's try brute-forcing the password for the username `jan` (the question only asks about this user) using a tool called `hydra`.

Command breakdown:

* (**-l**): Specifying a single username
* (**-P**): Specifying the password list

```
hydra -l jan -P /usr/share/wordlists/rockyou.txt 10.10.14.57 ssh 
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MafmAIxm6UB-CI11dT1%2F-Mafph9OVKgjKtPflZWl%2Fimage.png?alt=media\&token=e83fe6d9-22a7-4439-ae2c-c37eb77529f9)

We found the password.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MafmAIxm6UB-CI11dT1%2F-MafpsYa5nRh0_EtM4xq%2Fimage.png?alt=media\&token=103f9a50-59f3-4c3e-b38b-b3e2074de5f0)
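From the defender's side, the brute force above is loud in the target's `/var/log/auth.log`. The script below is an added example, not from the room or this writeup: it parses sshd log lines in the standard syslog format, counts failed password attempts per source address, and flags a source whose burst of failures is followed by a successful login, which is what a hydra hit looks like. The sample lines and source addresses are constructed.

```python
import re

# Constructed sample of /var/log/auth.log lines (not from the room's target):
# a burst of failed password logins from one source, then a success for the same user.
SAMPLE_AUTH_LOG = """\
Jun 12 10:01:01 target sshd[1201]: Failed password for jan from 192.0.2.10 port 51201 ssh2
Jun 12 10:01:01 target sshd[1202]: Failed password for jan from 192.0.2.10 port 51202 ssh2
Jun 12 10:01:02 target sshd[1203]: Failed password for jan from 192.0.2.10 port 51203 ssh2
Jun 12 10:01:02 target sshd[1204]: Failed password for invalid user admin from 192.0.2.10 port 51204 ssh2
Jun 12 10:01:03 target sshd[1205]: Failed password for jan from 192.0.2.10 port 51205 ssh2
Jun 12 10:01:04 target sshd[1206]: Accepted password for jan from 192.0.2.10 port 51206 ssh2
Jun 12 10:30:00 target sshd[1300]: Failed password for kay from 198.51.100.7 port 40000 ssh2
Jun 12 10:30:05 target sshd[1301]: Accepted publickey for kay from 198.51.100.7 port 40001 ssh2
"""

# Matches "Failed password for <user>", "Failed password for invalid user <user>"
# and "Accepted <method> for <user>", capturing the source address in each case.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def summarize_ssh_auth(log_text, threshold=5):
    """Per source address: failed-login count, usernames tried, and whether a
    success arrived after the source had already crossed the failure threshold."""
    stats = {}
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        entry = stats.setdefault(m.group("src"),
                                 {"failed": 0, "users": set(), "success_after_burst": False})
        if m.group("result") == "Failed":
            entry["failed"] += 1
            entry["users"].add(m.group("user"))
        elif entry["failed"] >= threshold:
            entry["success_after_burst"] = True
    return stats

def brute_force_sources(log_text, threshold=5):
    """Sources with at least `threshold` failures, as (src, failed, users, compromised) tuples."""
    return [(src, e["failed"], sorted(e["users"]), e["success_after_burst"])
            for src, e in summarize_ssh_auth(log_text, threshold).items()
            if e["failed"] >= threshold]

if __name__ == "__main__":
    for src, failed, users, compromised in brute_force_sources(SAMPLE_AUTH_LOG):
        verdict = "success after burst: treat as compromised" if compromised else "failures only"
        print(f"{src}: {failed} failed logins for {users} ({verdict})")
```

On a real host the same logic runs over the live log, and a hit with `compromised` set is the signal to rotate the account's password and review what the session did.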

Now let's log in over SSH (Secure Shell), a service that gives us a shell on the server.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mafqb7XGZklY_bm6yKb%2F-Mafr6FWQbDQiHzrcevv%2Fimage.png?alt=media\&token=88aa79c2-1bf2-43f0-a1ab-15b3abf31fae)

```
ssh jan@10.10.15.47 
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mafqb7XGZklY_bm6yKb%2F-MafqycekUXMxPFM4Te9%2Fimage.png?alt=media\&token=a4971780-c21e-48d8-91f0-995cf061c401)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mafqb7XGZklY_bm6yKb%2F-MafraHbi_hGECVqFwbf%2Fimage.png?alt=media\&token=8b7def13-0fe6-40a4-b746-4257fe4a6a40)

## Privilege Escalation

After enumerating for a while, we can see that we can `cd` into the `kay` home directory. Looking at its files, one directory in particular is interesting: `.ssh`, which holds the material used to log in over SSH, so if we get the SSH key for the user `kay` we can in theory log in as that user. (\*Also, the TryHackMe room expired, so the IP from now on is different.\*)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mafqb7XGZklY_bm6yKb%2F-MaftPnSN26oz-ELF0-b%2Fimage.png?alt=media\&token=21ea83e8-7116-4a36-ab21-e6a4f6290beb)

We can see that there is an `id_rsa` file. This private key lets us log in over SSH without the account password, but the key itself is protected by a passphrase, and we can find that passphrase using `JohnTheRipper` together with its `ssh2john.py` Python helper.

First we have to copy this file to our machine; we can do this by simply copying its content from the victim machine and pasting it into a file on our machine.

After that, we crack the passphrase. First we convert the key file into a hash that John can work with using the ssh2john.py script, so the command we use will be

```
python /usr/share/john/ssh2john.py id_rsa > hash
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mafqb7XGZklY_bm6yKb%2F-Mafv-fZbNnOhsMMtb31%2Fimage.png?alt=media\&token=cafd5399-9347-477c-81f9-7132836b9c1d)

Now we crack this hash using John the Ripper.

```
john --wordlist=/usr/share/wordlists/rockyou.txt hash
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mafqb7XGZklY_bm6yKb%2F-MafvRpX3lvph9nhaZLK%2Fimage.png?alt=media\&token=96b3ab88-34c1-4025-a306-8e4d7d9f7081)

And the password we found: beeswax. Let's now log in as `kay` using SSH, but this time it is going to be different: we authenticate with the key file instead of a password, so first we have to run this command.

```
chmod 600 id_rsa
```

We use this command because SSH refuses to use a private key file that other users can read, so the file needs owner-only permissions (0600) before it is accepted for login. Now we use this command

```
ssh -i id_rsa kay@10.10.8.127
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mafqb7XGZklY_bm6yKb%2F-MafwMK8fr1_kBjINaxl%2Fimage.png?alt=media\&token=c3399254-2e8f-4400-8b9d-748a7cd50100)
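The foothold here came from a private key that another user could read, plus a passphrase weak enough for rockyou.txt. The audit script below is an added example, not part of the room or this writeup: it parses the `openssh-key-v1` header to tell whether a key is stored with no passphrase at all, and checks the file mode the same way `ssh` does before accepting a key. A weak passphrase cannot be spotted statically, so the permission check is the finding that would have caught this box. The key files it writes are constructed placeholders with a valid header, not real keys.

```python
import base64, os, stat, struct, tempfile

MAGIC = b"openssh-key-v1\x00"  # header of the modern OpenSSH private key format

def openssh_cipher(blob):
    """Cipher name from an 'openssh-key-v1' blob; 'none' means the key is stored unencrypted."""
    if not blob.startswith(MAGIC):
        return None
    off = len(MAGIC)
    (n,) = struct.unpack(">I", blob[off:off + 4])  # first field: uint32 length + ciphername
    return blob[off + 4:off + 4 + n].decode()

def audit_private_key(path):
    """Return findings: a file mode that lets group/other read the key, and/or no passphrase."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:04o} lets group/other read the key; ssh wants 0600")
    with open(path, "rb") as f:
        data = f.read()
    if b"BEGIN OPENSSH PRIVATE KEY" in data:
        body = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
        if openssh_cipher(base64.b64decode(body)) == "none":
            findings.append("OpenSSH-format key has no passphrase")
    elif b"PRIVATE KEY-----" in data and b"Proc-Type: 4,ENCRYPTED" not in data:
        findings.append("PEM key has no passphrase")  # legacy format marks encryption in a header line
    return findings

def make_sample_key(directory, name, mode, cipher="none"):
    """Write a constructed (non-functional) OpenSSH-format key with the given cipher field and mode."""
    blob = MAGIC + struct.pack(">I", len(cipher)) + cipher.encode() + b"\x00" * 16
    body = base64.b64encode(blob).decode()
    path = os.path.join(directory, name)
    with open(path, "w") as f:
        f.write(f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n")
    os.chmod(path, mode)
    return path

def demo():
    """Audit two constructed keys: one readable by everyone like the id_rsa above, one stored properly."""
    d = tempfile.mkdtemp()
    loose = make_sample_key(d, "id_rsa_loose", 0o644)              # other users can read it, no passphrase
    good = make_sample_key(d, "id_rsa_good", 0o600, "aes256-ctr")  # owner-only, passphrase-protected
    return audit_private_key(loose), audit_private_key(good)

if __name__ == "__main__":
    for name, findings in zip(("loose", "good"), demo()):
        print(name, "->", findings or ["ok"])
```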

And with this, we are logged in as kay. After listing the contents of the home directory, we can see a `pass.bak` file; we could not read this file earlier because we did not have kay's permissions while logged in as jan.


![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mafqb7XGZklY_bm6yKb%2F-MafwoI5xH9ut0fP0JIJ%2Fimage.png?alt=media\&token=119e7f2e-ccf0-4118-b690-b7458bb30b53)

This is the final password that we found and the answer to the last question of this room.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-Mafqb7XGZklY_bm6yKb%2F-Mafx8djzxBHxOA6_GJR%2Fimage.png?alt=media\&token=2bd389b5-f275-4a93-8cc6-37be67154c19)

## Bonus

We can become root with a simple check: `sudo -l` lists what the current user is allowed to run as other users on the machine.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MafxAXuCZ4XpFgYJARy%2F-MafxZpc8ReT5tq_5ZBe%2Fimage.png?alt=media\&token=8599847d-2794-4837-be99-e0b99cc66039)

It looks like we have all permissions, so we can simply switch to root with `sudo su`.

```
sudo su
```

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MafxAXuCZ4XpFgYJARy%2F-Mafxn94S9UVfKkZ_P6f%2Fimage.png?alt=media\&token=42ff84e9-607a-44cc-8fc3-e4f04194fd1f)

And we are root!
