Basic Pentesting
Welcome to the Basic Pentesting room tutorial. We will be skipping questions that do not require an answer.
Reconnaissance
Let's start with an initial nmap scan to find open ports.
Detailed Nmap Scan:
Command Breakdown:
(-sV): Service version detection
(-sC): Default nmap scripts
(-p): Specifying ports 22, 80, 139, 445, 8009 and 8080
(-oN nmap): Saving the output into a file called nmap
We can find hidden directories on a website by using a tool called Gobuster.
Command Breakdown:
(-w): Specifying wordlist
(-u): Specifying URL
Let's visit the website and the directory that we found using Gobuster.
dev.txt
j.txt
After reading through both of these files, dev.txt tells us about Apache Struts version 2.5.12, and j.txt tells us about a directory on the machine that contains a password hash. Looking at the nmap scan, we can see that SMB is open, so let's use enum4linux to enumerate SMB.
Command Breakdown:
(-a): Simple enumeration (all of the basic checks)
Looking at the output, we found two users: jan and kay.
We should also try enumerating SMB with smbclient, so let's do that by trying to log in anonymously.
And we are in. Let's look for files: we found a file called staff.txt, so let's transfer it to our machine using the get command.
Let's see what it says.
Exploitation
We see the same two usernames we found in the enum4linux scan, so now let's try brute-forcing the password for the username jan (the question only asks about this user) using a tool called hydra.
Command Breakdown:
(-l): Specifying username
(-P): Specifying password list
We found the password.
Now let's log in over SSH (Secure Shell), a service that we can use to access the server.
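The hydra step above leaves a very recognisable trace on the server side: a burst of failed password attempts from one source address, followed by a successful login from the same address. As an added example (not part of the original write-up), here is a small detector that reads sshd entries in /var/log/auth.log format, counts failures per source and raises an alert when a success follows a burst. The log lines, hostname, addresses, ports and the threshold of five attempts are all constructed assumptions for the demonstration.

```python
import re
from collections import defaultdict

# Constructed sample of sshd entries in /var/log/auth.log format (not taken from
# the original write-up or any real host): five failures from one source, then a success.
SAMPLE_AUTH_LOG = """\
Apr 12 10:01:01 target sshd[1201]: Failed password for jan from 10.10.14.5 port 51002 ssh2
Apr 12 10:01:02 target sshd[1203]: Failed password for jan from 10.10.14.5 port 51004 ssh2
Apr 12 10:01:02 target sshd[1205]: Failed password for invalid user admin from 10.10.14.5 port 51006 ssh2
Apr 12 10:01:03 target sshd[1207]: Failed password for jan from 10.10.14.5 port 51008 ssh2
Apr 12 10:01:04 target sshd[1209]: Failed password for jan from 10.10.14.5 port 51010 ssh2
Apr 12 10:01:05 target sshd[1211]: Accepted password for jan from 10.10.14.5 port 51012 ssh2
Apr 12 10:05:30 target sshd[1300]: Failed password for kay from 192.168.1.20 port 40010 ssh2
Apr 12 10:06:00 target sshd[1302]: Accepted publickey for kay from 192.168.1.20 port 40012 ssh2
"""

# "invalid user" is inserted by sshd when the account does not exist; the optional
# group keeps the regex working for both cases.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (\S+) for (\S+) from (\S+) port")


def analyse_ssh_log(text, threshold=5):
    """Count failed password logins per source IP and flag sources that reach
    `threshold`, plus any successful login that follows such a burst.

    Returns (suspicious, alerts):
      suspicious: {ip: {"failures": n, "users": sorted list of usernames tried}}
      alerts: strings describing successes that followed >= threshold failures
    """
    failures = defaultdict(int)
    users = defaultdict(set)
    alerts = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            users[ip].add(user)
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            if failures.get(ip, 0) >= threshold:
                alerts.append(
                    f"{ip}: {method} login as {user} after {failures[ip]} failed attempts")
    suspicious = {
        ip: {"failures": n, "users": sorted(users[ip])}
        for ip, n in failures.items() if n >= threshold
    }
    return suspicious, alerts


if __name__ == "__main__":
    suspicious, alerts = analyse_ssh_log(SAMPLE_AUTH_LOG)
    for ip, info in suspicious.items():
        print(f"{ip}: {info['failures']} failures, users tried: {', '.join(info['users'])}")
    for alert in alerts:
        print("ALERT", alert)
```

On the constructed sample this reports 10.10.14.5 with five failures against the names admin and jan, and one alert for the password login as jan that followed them; the single failure from 192.168.1.20 stays below the threshold. The same logic is what fail2ban-style tooling applies when it decides to block a source, and the "success after burst" alert is the one worth paging on.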
Privilege Escalation
After enumerating for a while, we can see that we can cd into kay's home directory. Once we do that and look at the files, one directory in particular is interesting: .ssh. It is known to hold SSH information used for logging in, so if we get the SSH key for the user kay, we can in theory log in as that user. (*Also, the TryHackMe room expired, so the IP from now on is different.*)
We can see that there is an id_rsa file. This file can be used to log in over SSH without a password, but we need the passphrase for this file, and we can find it by using a tool called JohnTheRipper and Python.
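The escalation path described above only works because kay's home directory, the .ssh directory inside it and the id_rsa file were readable by another user. As an added example, not code from the original write-up, the audit below walks a home tree and reports exactly those weaknesses, and additionally flags a PEM private key stored without a passphrase (a key protected by a passphrase, as in this room, is at least not usable the moment it is copied). The directory layout, the user names jan, kay and ops and the placeholder key files are constructed for the demonstration; the key bodies are not real key material.

```python
import os
import stat
import tempfile

# Constructed placeholder key files: only the headers matter to the audit,
# the bodies are not real key material.
PEM_ENCRYPTED = (
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"Proc-Type: 4,ENCRYPTED\n"
    b"DEK-Info: AES-128-CBC,00000000000000000000000000000000\n"
    b"\n(constructed placeholder, not real key material)\n"
    b"-----END RSA PRIVATE KEY-----\n"
)
PEM_PLAIN = (
    b"-----BEGIN RSA PRIVATE KEY-----\n"
    b"(constructed placeholder, not real key material)\n"
    b"-----END RSA PRIVATE KEY-----\n"
)


def _mode(path):
    """Permission bits only (no file-type bits)."""
    return stat.S_IMODE(os.lstat(path).st_mode)


def audit_home_ssh(home_root):
    """Walk each <home_root>/<user> and report SSH material exposed to other users.

    Checks: home directory traversable by others, .ssh accessible by
    group/others, private key readable by group/others, and PEM private
    key stored without a passphrase.
    """
    findings = []

    def note(user, path, issue):
        findings.append({"user": user, "path": path, "issue": issue})

    for user in sorted(os.listdir(home_root)):
        home = os.path.join(home_root, user)
        if not os.path.isdir(home):
            continue
        if _mode(home) & 0o001:  # o+x lets anyone walk into the directory
            note(user, home, "home directory traversable by others")
        ssh_dir = os.path.join(home, ".ssh")
        if not os.path.isdir(ssh_dir):
            continue
        if _mode(ssh_dir) & 0o077:  # anything beyond owner rwx
            note(user, ssh_dir, ".ssh directory accessible by group/others")
        for name in sorted(os.listdir(ssh_dir)):
            path = os.path.join(ssh_dir, name)
            if not os.path.isfile(path) or name.endswith(".pub"):
                continue
            with open(path, "rb") as fh:
                head = fh.read(256)
            if b"PRIVATE KEY" not in head:
                continue  # authorized_keys, known_hosts, config, ...
            if _mode(path) & 0o077:
                note(user, path, "private key readable by group/others")
            # Passphrase-protected PEM keys carry "Proc-Type: 4,ENCRYPTED" in the header.
            if head.startswith(b"-----BEGIN RSA PRIVATE KEY-----") and b"ENCRYPTED" not in head:
                note(user, path, "PEM private key has no passphrase")
    return findings


def _make_user(root, name, home_mode, ssh_mode, key_bytes, key_mode):
    """Create a constructed home directory with a .ssh folder and one key."""
    home = os.path.join(root, name)
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir)
    key = os.path.join(ssh_dir, "id_rsa")
    with open(key, "wb") as fh:
        fh.write(key_bytes)
    with open(os.path.join(ssh_dir, "authorized_keys"), "wb") as fh:
        fh.write(b"ssh-ed25519 constructed-placeholder\n")
    os.chmod(key, key_mode)
    os.chmod(ssh_dir, ssh_mode)
    os.chmod(home, home_mode)


def build_demo_tree():
    """Create a throwaway /home-like tree: one locked-down user and two weak ones."""
    root = tempfile.mkdtemp(prefix="home_audit_")
    _make_user(root, "jan", 0o750, 0o700, PEM_ENCRYPTED, 0o600)  # nothing to report
    _make_user(root, "kay", 0o755, 0o755, PEM_ENCRYPTED, 0o644)  # readable by everyone
    _make_user(root, "ops", 0o750, 0o700, PEM_PLAIN, 0o600)      # private, but no passphrase
    return root


if __name__ == "__main__":
    for f in audit_home_ssh(build_demo_tree()):
        print(f"[{f['user']}] {f['path']}: {f['issue']}")
```

Run against the constructed tree it reports three findings for kay (home, .ssh and id_rsa all readable by others) and one for ops (unencrypted PEM key), and nothing for jan. Pointing audit_home_ssh at a real /home is the fix-side check for this room: the remediation is chmod 750 on the home directory, 700 on .ssh and 600 on private keys, plus a passphrase on any key that lacks one.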
First we have to copy this file to our machine. We can do this by simply copying the content from the victim machine and pasting it into a file on our machine.
After you do that, we have to crack the passphrase for this file by first getting the hash for the file using Python, so the command we use will be
Now we have to crack this hash using JohnTheRipper.
And the password we found is beeswax. Let's now log in as kay into the machine using SSH, but this time it is going to be different: we have to use the key file to log in, so we have to use this command.
We use this command because we have to give the key file certain permissions so that SSH allows us to use it to log in. Now we use this command
And with this, we are logged in as kay. After listing the contents of the home directory, we can see a pass.bak file; we could not see this file last time because we did not have kay's permissions while logged in as jan.
This is the final password that we found, and the answer to the last question of this room.
Bonus
We can become root with a simple command, and this is sudo -l, a command that we use to check what we can run as other users on the machine.
It looks like we have all permissions, so we can simply use this command to switch users to root: sudo su
And we are root!
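The sudo -l result above means the account may run any command as any user without a password prompt, which is the whole privilege boundary gone. As an added example, not part of the original room or write-up, the parser below audits a sudoers file for that pattern: rules granting ALL commands, and rules carrying the NOPASSWD tag. The sample sudoers content is constructed (the users, groups and paths in it are assumptions), and the critical/high/medium labels are a convention chosen for this example.

```python
import re

# Constructed sample sudoers file (not from the original write-up or any real host).
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
kay     ALL=(ALL) NOPASSWD: ALL
backup  ALL=(root) /usr/bin/rsync, \\
                   /usr/bin/tar
www-data ALL=(ALL) NOPASSWD: /usr/bin/vim
@includedir /etc/sudoers.d
"""

# Lines that are not user specifications and are skipped by this audit.
SKIP_PREFIXES = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias",
                 "#include", "#includedir", "@include", "@includedir")
# user  hosts = (runas) [TAG: ]commands
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
# One or more leading tags such as "NOPASSWD: " or "SETENV: NOPASSWD: "
TAG_RE = re.compile(r"^((?:[A-Z_]+:\s*)+)")


def _logical_lines(text):
    """Yield sudoers lines with plain comments dropped and backslash continuations joined."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line = (buf + line).strip()
        buf = ""
        if not line:
            continue
        if line.startswith("#") and not line.startswith("#include"):
            continue
        yield line


def audit_sudoers(text):
    """Return risky user specifications as dicts (who, runas, command, nopasswd, severity).

    critical: ALL commands without a password (sudo su to root with no check)
    high:     ALL commands, password required
    medium:   a specific command without a password
    """
    findings = []
    for line in _logical_lines(text):
        if line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        who = m.group("who")
        if who == "root":
            continue  # root's own rule is expected in every sudoers
        runas = m.group("runas") or "root"  # sudoers default when no (runas) is given
        nopasswd = False
        # Tags apply to the command they precede and to later commands in the same rule
        # until another PASSWD/NOPASSWD tag changes them.
        for part in m.group("cmds").split(","):
            part = part.strip()
            t = TAG_RE.match(part)
            if t:
                tags = [x.strip() for x in t.group(1).split(":") if x.strip()]
                if "NOPASSWD" in tags:
                    nopasswd = True
                elif "PASSWD" in tags:
                    nopasswd = False
                part = part[t.end():].strip()
            if part == "ALL" and nopasswd:
                severity = "critical"
            elif part == "ALL":
                severity = "high"
            elif nopasswd:
                severity = "medium"
            else:
                continue
            findings.append({"who": who, "runas": runas, "command": part,
                             "nopasswd": nopasswd, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f['severity']:8} {f['who']:10} ({f['runas']}) {f['command']}"
              f"{' [NOPASSWD]' if f['nopasswd'] else ''}")
```

On the constructed sample the kay rule comes out as critical (the situation in this room), the %admin group as high, and the www-data NOPASSWD entry for a single binary as medium; the backup user's two rsync/tar commands with a password requirement produce no finding. The fix for the critical case is to remove the ALL grant or drop the NOPASSWD tag, and to keep the audit in configuration management so the rule cannot quietly come back.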