Basic Pentesting — TryHackMe

Charchit Chauhan
4 min read, Dec 29, 2020

Target: 10.10.135.217

This is the Basic Pentesting room on tryhackme.com, which lets us practice web app hacking & privilege escalation.

We'll start off by launching an Nmap scan on the provided Machine_IP (10.10.135.217 in my case):

nmap 10.10.135.217 -p- -A -v -Pn

(-p- for scanning all the ports, -A for enabling OS & version detection, -v for verbose, -Pn for disabling host discovery)

I disabled host discovery as my scan was going very slow and there was a lot of delay!

Looking at the scan results, we can see ssh, http, apache & samba running on the machine.

We have found all the running services on the machine, which is the answer to our first actual question.

Now, we'll use dirbuster to brute force directories & discover what's inside.

We found two directories; /development seems interesting, and loading it in the browser shows two .txt files.

Looking at both files, we learn that there are two users, -J and -K; j.txt also shows that user -J has weak credentials.

We'll now move on to our next step, enumerating SMB (Server Message Block) on port 139 using enum4linux:

enum4linux -a 10.10.135.217

(-a for simple enumeration)

Enum4linux results confirm both users on the system, kay and jan.

Since we already know that jan has weaker credentials, we'll continue to our next step, which is brute forcing the SSH username & password using Hydra:

hydra -l jan -P /home/kali/Documents/rockyou.txt ssh://10.10.135.217

(-l for username, -P for password list and then the ssh url)

Hydra has found a valid password for user jan:

User: jan

Password: armando
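From the defender's side, the Hydra run above leaves a very recognisable trail in the target's auth.log: a burst of "Failed password" lines for one user from one source, then an "Accepted password" from the same source. The following Python is an added example, not code from the original post or from TryHackMe; the log lines it parses are constructed sample input, and the threshold/window values are arbitrary assumptions you would tune to your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in auth.log syslog format (sample input, not from the
# original post): a password-guessing burst against "jan", then a success.
SAMPLE_LOG = """\
Dec 29 10:15:01 target sshd[1201]: Failed password for jan from 10.10.14.5 port 50110 ssh2
Dec 29 10:15:01 target sshd[1202]: Failed password for jan from 10.10.14.5 port 50112 ssh2
Dec 29 10:15:02 target sshd[1203]: Failed password for invalid user admin from 10.10.14.5 port 50114 ssh2
Dec 29 10:15:02 target sshd[1204]: Failed password for jan from 10.10.14.5 port 50116 ssh2
Dec 29 10:15:03 target sshd[1205]: Failed password for jan from 10.10.14.5 port 50118 ssh2
Dec 29 10:15:04 target sshd[1206]: Accepted password for jan from 10.10.14.5 port 50120 ssh2
Dec 29 10:20:00 target sshd[1300]: Accepted publickey for kay from 10.10.14.9 port 40000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse(log_text, year=2020):
    """Syslog lines carry no year, so one is supplied for datetime parsing."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # disconnects and other sshd chatter are skipped
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events

def detect_bruteforce(events, threshold=5, window_s=60):
    """One alert per source IP reaching `threshold` failures inside a sliding
    `window_s` window; records the first later success from that IP, if any."""
    recent = defaultdict(list)  # ip -> failure timestamps still in the window
    alerts = {}
    for ts, result, method, user, ip in sorted(events):
        if result == "Failed":
            recent[ip].append(ts)
            while (ts - recent[ip][0]).total_seconds() > window_s:
                recent[ip].pop(0)
            if len(recent[ip]) >= threshold and ip not in alerts:
                alerts[ip] = {"failures": len(recent[ip]), "success": None}
        elif ip in alerts and alerts[ip]["success"] is None:
            alerts[ip]["success"] = (user, method)  # guessed password worked
    return alerts
```

Running `detect_bruteforce(parse(SAMPLE_LOG))` flags 10.10.14.5 with five failures followed by a successful password login as jan, which is the event worth paging on; kay's key-based login from another source produces no alert.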

Now we'll connect to SSH using these credentials.

After successfully logging in via SSH, we will continue looking for any interesting information

We just discovered pass.bak, which is a backup file, but user jan doesn't have permission to access it.

Looking further, in the .ssh directory we found an id_rsa file, which contains the private key for user kay.

We should copy the private key into a text editor on our local machine.

Now we use a tool called ssh2john to extract a crackable hash from the private key file:

python /usr/share/john/ssh2john.py key.txt > hash.txt

We'll now use John the Ripper to crack the password protecting kay's private key, using the hash we got from ssh2john:

john --wordlist=/home/kali/Documents/rockyou.txt /home/kali/Documents/hash.txt

(I'm using rockyou.txt, which is a very popular wordlist available on GitHub.)

Now that we have the password from the hash file, we'll connect as kay using the private key we have:

ssh -i /home/kay/.ssh/id_rsa kay@10.10.135.217

After logging in as user kay, we can now finally access the pass.bak file, which contains the final password we were looking for :)

We can use this password to escalate from the user account to root.

Using ls to list the files in the root directory, we find flag.txt.

The challenge is now complete!

Thanks for being here :)
