Basic Pentesting

Welcome to the Basic Pentesting room tutorial. We will be skipping questions that do not require an answer.

Reconnaissance

Let's start with an initial nmap scan to find open ports. -Pn skips host discovery and scans the target even if it does not answer ping.

nmap -Pn 10.10.15.47

Detailed Nmap Scan:

Command Breakdown:

  • (-sV): Service and version detection on each open port

  • (-sC): Run nmap's default scripts

  • (-p): Scan only ports 22, 80, 139, 445, 8009 and 8080, the ones the first scan reported open

  • (-oN nmap): Save the output in normal format to a file called nmap

nmap -sC -sV -p 22,80,139,445,8009,8080 -oN nmap 10.10.15.47
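The two scans above are a common pattern: a quick sweep, then a targeted -sC -sV scan of whatever came back open. The script below, an added example rather than part of the original walkthrough, extracts the open ports from the quick scan's -oN file and builds the detailed command from them, so the port list is never retyped by hand. It assumes the quick scan was saved with -oN; the scan output embedded in it is constructed to mirror the ports this room exposes.

```shell
#!/usr/bin/env bash
# Added example (not from the original walkthrough): feed the open ports
# from the quick scan straight into the detailed -sC -sV scan instead of
# retyping them. Assumes the quick scan was saved with -oN; the scan
# output below is constructed to mirror the ports this room exposes.
set -eu

# Constructed stand-in for `nmap -Pn -oN quick.nmap 10.10.15.47` output.
SAMPLE_QUICK_SCAN='# Nmap 7.94 scan initiated as: nmap -Pn -oN quick.nmap 10.10.15.47
Nmap scan report for 10.10.15.47
Host is up (0.045s latency).
Not shown: 993 closed tcp ports (reset)
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
139/tcp  open     netbios-ssn
445/tcp  open     microsoft-ds
8009/tcp open     ajp13
8080/tcp open     http-proxy
8443/tcp filtered https-alt
# Nmap done -- 1 IP address (1 host up) scanned in 2.10 seconds'

# Print the open TCP ports from an nmap -oN file as a comma-separated
# list for -p. Closed and filtered ports are skipped; a filtered port is
# worth a second look by hand, but it is not a service to probe yet.
open_ports() {
    awk '$1 ~ /^[0-9]+\/tcp$/ && $2 == "open" {
             split($1, p, "/")
             ports = ports (ports == "" ? "" : ",") p[1]
         }
         END { print ports }' "$1"
}

# Build the follow-up scan command for target $1 from quick-scan file $2.
# Fails (return 1) rather than emitting `nmap -p ` with an empty port list.
detailed_scan_cmd() {
    local target="$1" quick="$2" ports
    ports="$(open_ports "$quick")"
    [ -n "$ports" ] || { echo "no open ports found in $quick" >&2; return 1; }
    printf 'nmap -sC -sV -p %s -oN nmap %s\n' "$ports" "$target"
}

# Demo: write the constructed scan to a temp file and show the generated command.
quick="$(mktemp)"
printf '%s\n' "$SAMPLE_QUICK_SCAN" > "$quick"
detailed_scan_cmd 10.10.15.47 "$quick"   # prints: nmap -sC -sV -p 22,80,139,445,8009,8080 -oN nmap 10.10.15.47
rm -f "$quick"
```

The function only prints the command; pipe its output to sh once you are happy with the port list, or swap the printf for a real nmap call.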

We can find directories that are not linked from the website by brute-forcing names with a tool called Gobuster.

Command Breakdown:

  • (-w): Specifying wordlist

  • (-u): Specifying URL

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.15.47

Let's visit the website and the directory that Gobuster found. It contains two files:

dev.txt

j.txt

After reading both files: dev.txt mentions Apache Struts, version 2.5.12, and j.txt refers to a user's password hash stored on the machine (a hint that the password is weak enough to crack). Looking at the nmap scan, we can see that SMB is open (ports 139 and 445), so let's use enum4linux to enumerate it. -a runs all of its simple enumeration checks.

enum4linux -a 10.10.15.47

Looking at the output, we find two users: jan and kay.

We should also enumerate SMB with smbclient, so let's connect to the anonymous share (press Enter at the password prompt).

smbclient //10.10.15.47/anonymous

And we are in. Listing the share, we find a file called staff.txt; let's transfer it to our machine with the get command.

Let's see what it says.

Exploitation

We see the same two usernames we found with enum4linux. The question only asks about jan's password, so let's brute-force jan's SSH login with a tool called hydra.

Command Breakdown:

  • (-l): Specifying a single username

  • (-P): Specifying a password list

hydra -l jan -P /usr/share/wordlists/rockyou.txt 10.10.15.47 ssh

Hydra finds the password.

Now let's log in over SSH (Secure Shell), the remote login service we saw on port 22.

ssh jan@10.10.15.47 

Privilege Escalation

After enumerating for a while, we notice that we can cd into kay's home directory. Listing its contents, one directory in particular is interesting: .ssh, which holds a user's SSH keys and configuration. If kay's private key is readable by jan, we should be able to log in as kay with it. (Note: the TryHackMe room expired, so the IP address from here on is different.)

There is an id_rsa file, the private key that lets us log in over SSH without kay's account password. The key itself is protected by a passphrase, though, so we need to crack that passphrase using John the Ripper together with its ssh2john Python script.

First we have to get this file onto our machine. The simplest way is to cat it on the victim, copy the whole output and paste it into a file on our machine; make sure the BEGIN and END lines are included and nothing is truncated.

After that, we convert the key into a hash format John can crack using the ssh2john script (use python3 if your system has no python binary):

python /usr/share/john/ssh2john.py id_rsa > hash

Now crack the resulting hash with John the Ripper, again using rockyou.txt:

john --wordlist=/usr/share/wordlists/rockyou.txt hash

John recovers the passphrase: beeswax. Now let's log in as kay over SSH. This time we authenticate with the key file rather than a password, so first we have to restrict the file's permissions:

chmod 600 id_rsa

SSH refuses to use a private key that other users can read (it reports the permissions as too open), so the key must be restricted to its owner. Now log in with the key; ssh will ask for the passphrase we just cracked:

ssh -i id_rsa kay@10.10.8.127

And with this, we are logged in as kay. Listing kay's home directory, we see a pass.bak file. We could not read it earlier because jan did not have permission to; only kay does.

Its contents are the final password we need, and the answer to the last question of this room.
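The whole privilege escalation above rests on one misconfiguration: kay's private key in ~/.ssh was readable by another user. The script below, an added example that is not part of the original walkthrough, does two things a practitioner would want here: it audits a directory tree for private keys that group or others can read (how jan got kay's key), and it sanity-checks a key pasted from the target for a complete BEGIN/END block before applying the chmod 600 that ssh requires. The directory layout and key contents are constructed for the demo; no real key material is used.

```shell
#!/usr/bin/env bash
# Added example (not part of the original walkthrough): audit home
# directories for SSH private keys that group or other users can read,
# which is the misconfiguration that let jan copy kay's key, and check a
# pasted key before locking it down with chmod 600. Paths and key
# contents are constructed for the demo; no real key material is used.
set -eu

# Print every regular file under $1 that carries a private-key header
# and is readable by group or others. Keys are recognised by content,
# so a key renamed away from id_rsa is still found.
readable_private_keys() {
    find "$1" -type f \( -perm -g+r -o -perm -o+r \) -print 2>/dev/null |
    while IFS= read -r f; do
        if head -n 1 "$f" | grep -q -- '^-----BEGIN .*PRIVATE KEY-----'; then
            printf '%s\n' "$f"
        fi
    done
}

# Sanity-check a key copied by hand from the target, then restrict it to
# the owner; ssh refuses a key with looser permissions. Returns 1 when
# the BEGIN or END line is missing, the usual sign of an incomplete paste.
prepare_key() {
    local key="$1"
    grep -q -- '^-----BEGIN .*PRIVATE KEY-----' "$key" ||
        { echo "$key: missing BEGIN line" >&2; return 1; }
    grep -q -- '^-----END .*PRIVATE KEY-----' "$key" ||
        { echo "$key: missing END line" >&2; return 1; }
    chmod 600 "$key"
}

# Demo on a constructed /home layout: kay's key is world-readable (the bug),
# jan's is correctly protected.
demo="$(mktemp -d)"
mkdir -p "$demo/kay/.ssh" "$demo/jan/.ssh"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDER' '-----END RSA PRIVATE KEY-----' \
    > "$demo/kay/.ssh/id_rsa"
chmod 644 "$demo/kay/.ssh/id_rsa"
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'PLACEHOLDER' '-----END OPENSSH PRIVATE KEY-----' \
    > "$demo/jan/.ssh/id_rsa"
chmod 600 "$demo/jan/.ssh/id_rsa"
readable_private_keys "$demo"        # lists only kay's key
prepare_key "$demo/kay/.ssh/id_rsa"  # chmod 600, as in the walkthrough
readable_private_keys "$demo"        # now prints nothing
rm -rf "$demo"
```

Run readable_private_keys against /home on a box you administer to find the same exposure before someone else does; the find expression uses only POSIX -perm syntax, so it works with GNU and BSD find alike.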

Bonus

We can become root with a couple of commands. First, sudo -l lists the commands the current user is allowed to run as other users on the machine:

sudo -l

It shows that kay is allowed to run all commands via sudo, so we can simply switch to root with sudo su:

sudo su

And we are root!
