TryHackMe | Basic Pentesting Walkthrough
Hi there, I’m glad to see you here. In this article, we’ll solve the “Basic Pentesting” room on TryHackMe together. In some sections, I’ll share a brief overview of the subject. Don’t forget: you must always research further to learn more. I hope it will be helpful for you. Let’s start!
In this set of tasks we’ll learn the following:
-Brute Forcing
-Hash Cracking
-Service Enumeration
-Linux Enumeration
The main goal here is to learn as much as possible.
Deploy the machine
Q1: Deploy the machine and connect to our network.
A1: No answer needed
Step 1: You need an OpenVPN configuration file to connect to the TryHackMe network.
Step 2: Run the openvpn command with that file to start your VPN connection.
Step 3: Deploy the machine and note its IP address.
Step 4: Check your connection to the machine (for example with ping).
Q2: Find the services exposed by the machine.
A2: No answer needed
First, we run an nmap scan to find out which ports are open and which services are running on them.
Nmap (Network Mapper) is a free and open source utility for network discovery and security auditing.
nmap -A -T4 -p- 10.10.44.49
-A : Enable OS detection, version detection, script scanning and traceroute.
-T4 : Set timing template (higher is faster).
-p- : Scan all ports (1 through 65535) instead of nmap’s default top 1000.
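A full-port scan with -A is slow, so in practice you save the output (for example with -oG) and pull the open ports back out to drive the next steps. The script below is an added example, not part of the original walkthrough: it parses nmap grepable output into an open-port list and then feeds that list into a targeted -sV -sC scan. The sample scan output is constructed for the demo (the room’s real results are not reproduced here), and the target IP is only used if you pass it as an argument and nmap is installed.

```shell
#!/bin/sh
# Added example: turn "nmap -oG" output into a port list for follow-up scans.

# Constructed sample of grepable output (fields are tab-separated; the Ports:
# field holds "port/state/proto/owner/service/rpc/version/" entries).
SAMPLE=$(mktemp)
{
  printf '# Nmap 7.94 scan initiated (constructed sample, not real scan output)\n'
  printf 'Host: 10.10.44.49 ()\tStatus: Up\n'
  printf 'Host: 10.10.44.49 ()\tPorts: 22/open/tcp//ssh//OpenSSH/, 80/open/tcp//http//Apache httpd/, 139/open/tcp//netbios-ssn//Samba smbd/, 445/open/tcp//netbios-ssn//Samba smbd/, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (65530)\n'
  printf '# Nmap done at Mon Jan  1 00:00:00 2024 -- 1 IP address (1 host up) scanned\n'
} > "$SAMPLE"

# Print "port service" for every open TCP port in a grepable-output file.
open_tcp_services() {
  awk -F'\t' '
    /^Host: / {
      for (i = 2; i <= NF; i++) if ($i ~ /^Ports: /) {
        sub(/^Ports: /, "", $i)
        n = split($i, entries, /, /)
        for (j = 1; j <= n; j++) {
          split(entries[j], f, "/")   # f[1]=port f[2]=state f[3]=proto f[5]=service
          if (f[2] == "open" && f[3] == "tcp") print f[1], f[5]
        }
      }
    }' "$1"
}

# Same ports as a comma-separated list, ready for "nmap -p".
open_tcp_ports() {
  open_tcp_services "$1" | awk '{ printf "%s%s", (NR > 1 ? "," : ""), $1 } END { print "" }'
}

ports=$(open_tcp_ports "$SAMPLE")
echo "open tcp ports: $ports"
open_tcp_services "$SAMPLE"

# Follow-up: version + default-script scan on just those ports. Runs only when a
# target is given and nmap exists, so the script itself stays runnable offline.
if [ -n "${1:-}" ] && command -v nmap >/dev/null 2>&1; then
  nmap -sV -sC -p "$ports" "$1"
fi
```

Run it as `sh scan_ports.sh 10.10.44.49` after replacing the constructed sample with your own `-oG` file; the filtered 8080 entry in the sample is deliberately dropped, since only `open` ports are worth a service scan.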
Q3: What is the name of the hidden directory on the web server (enter name without /)?
A3: development
The home page doesn’t tell us much on its own, so let’s check the page source.
An HTML comment mentions a dev note section. So where is it?
We can use the gobuster tool to find hidden sections in a website.
Gobuster is a tool used to brute-force URIs including directories and files as well as DNS subdomains.
gobuster dir -u http://10.10.44.49/ -w <wordlist>
dir : Directory/file enumeration mode.
-u : The target URL to enumerate.
-w : Path to the wordlist.
I can’t believe they kept the development section from us. What a shame!
Do you wonder what’s in these files? I can hear you say yes. Me too..
Who are K and J? I guess codename J has a weak password.
Q4: User brute-forcing to find the username & password.
A4: No answer needed
A brute-force attack is an attempt to discover a password by systematically trying candidates until the correct one is found: either every possible combination of letters, numbers and symbols, or, as with the wordlist we’ll use here, a list of likely passwords (a dictionary attack).
Q5: What is the username?
A5: jan
Looking back at the Nmap scan result, we saw the Samba service running on port 445. So what is Samba, and how do we enumerate it?
Samba is an implementation of the SMB/CIFS protocol for Unix systems, providing support for cross-platform file and printer sharing with Microsoft Windows, OS X, and other Unix systems.
Enum4linux is a tool for enumerating information from Windows and Samba systems.
-a : Do all simple enumeration. This is the default if no other options are given.
The share allows anonymous login, so we can access it without a username or password.
There’s a file here called “staff.txt”. Let’s get the file on our machine and read it.
smbclient is an ftp-like client for accessing SMB/CIFS resources on servers.
I agree with you Kay..
Q6: What is the password?
A6: armando
Looking back at the Nmap scan result, we also saw SSH running on port 22. To connect we need a username and a password. We already know the username, and the dev note hinted at who has a weak password, so let’s find it.
hydra -l jan -P <wordlist> 10.10.44.49 ssh
Hydra is a parallelized login cracker which supports numerous protocols to attack.
-l : login with LOGIN name
-P : load several passwords from FILE
[machine IP] : the IP address of the target machine
ssh / protocol : sets the protocol
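Every guess hydra makes lands in the target’s auth log as a “Failed password” line from your IP, followed by one “Accepted password” line when it hits. The script below is an added example (not from the original walkthrough) showing the defender’s side of this step: it counts failed SSH logins per source address and flags any successful login from a source that had already failed at least a threshold number of times, which is the classic brute-force-then-success signal. The log lines are constructed for the demo, not real output from the room.

```shell
#!/bin/sh
# Added example: spot an SSH brute force in sshd logs (auth.log / journalctl -u ssh).

# Constructed sample log: one source guessing jan's password, one normal user.
LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Jan  1 12:00:01 basic2 sshd[1201]: Failed password for jan from 10.8.0.5 port 40112 ssh2
Jan  1 12:00:01 basic2 sshd[1203]: Failed password for jan from 10.8.0.5 port 40114 ssh2
Jan  1 12:00:01 basic2 sshd[1205]: Failed password for jan from 10.8.0.5 port 40116 ssh2
Jan  1 12:00:02 basic2 sshd[1207]: Failed password for jan from 10.8.0.5 port 40118 ssh2
Jan  1 12:00:02 basic2 sshd[1209]: Failed password for invalid user admin from 10.8.0.5 port 40120 ssh2
Jan  1 12:00:02 basic2 sshd[1211]: Failed password for jan from 10.8.0.5 port 40122 ssh2
Jan  1 12:00:03 basic2 sshd[1213]: Accepted password for jan from 10.8.0.5 port 40124 ssh2
Jan  1 12:05:10 basic2 sshd[1300]: Failed password for kay from 192.168.1.20 port 51000 ssh2
Jan  1 12:05:30 basic2 sshd[1302]: Accepted publickey for kay from 192.168.1.20 port 51002 ssh2: RSA SHA256:c0nstructedF1ngerpr1nt
EOF

# "count ip" per source, most failures first. Scanning for the "from" token
# handles both "Failed password for USER" and "... for invalid user USER".
failed_logins_by_source() {
  awk '/sshd\[[0-9]+\]: Failed password for/ {
         for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
       }
       END { for (ip in fails) print fails[ip], ip }' "$1" | sort -rn
}

# Sources with at least THRESHOLD failures. Usage: bruteforce_suspects FILE THRESHOLD
bruteforce_suspects() {
  failed_logins_by_source "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}

# "ip user" for each successful login from a source that also failed >= THRESHOLD
# times anywhere in the file (order is not checked, so a success before the
# failures is also reported; tighten that if your log is large).
success_after_failures() {
  awk -v t="$2" '
    /sshd\[[0-9]+\]: Failed password for/ {
      for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
    }
    /sshd\[[0-9]+\]: Accepted (password|publickey) for/ {
      user = ""; ip = ""
      for (i = 1; i <= NF; i++) { if ($i == "for") user = $(i + 1); if ($i == "from") ip = $(i + 1) }
      ok[++n] = ip " " user
    }
    END { for (k = 1; k <= n; k++) { split(ok[k], a, " "); if (fails[a[1]] >= t) print ok[k] } }' "$1"
}

THRESHOLD=5
echo "failed logins by source:"; failed_logins_by_source "$LOG"
echo "suspects (>= $THRESHOLD failures):"; bruteforce_suspects "$LOG" "$THRESHOLD"
echo "successful logins from suspects:"; success_after_failures "$LOG" "$THRESHOLD"
```

Point the functions at `/var/log/auth.log` on a real box; kay’s single typo followed by a key-based login stays below the threshold, while the hydra-style burst against jan is reported as a compromised account.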
We can connect to the system via SSH using Jan’s credentials.
The SSH protocol (also referred to as Secure Shell) is a method for secure remote login from one computer to another.
Browsing through the home directories, you’ll find Kay’s. Let’s look at the folders and files. Unfortunately, we can’t read pass.bak as jan. But did you notice the “.ssh” directory? It is readable by everyone, and so is the private key inside it.
First, use the cat command to view the key. Then create an id_rsa file on your machine and paste the key into it exactly as shown, including the BEGIN and END lines. Finally, run chmod 600 on it: ssh refuses to use a private key that other users can read.
id_rsa: In the context of ssh and related software, id_rsa is your RSA *private* key, used to sign and authenticate your connection to a remote host.
We’ll use ssh2john, a helper that ships with John the Ripper, to extract a crackable hash from the passphrase-protected private key.
ssh2john is part of the John the Ripper suite. It converts an encrypted RSA/DSA/EC/OpenSSH private key into John’s hash format for cracking with JtR.
Now we can use John the Ripper to crack this hash and recover the passphrase that protects the private key.
John the Ripper is a popular open source password cracking tool that combines several different cracking programs and runs in both brute force and dictionary attack modes.
Let’s connect as Kay using the private key (ssh -i id_rsa) and the recovered passphrase.
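The key-handling steps above (save the key, fix its permissions, check whether it is actually passphrase-protected, run it through ssh2john and john) are easy to get wrong in the heat of a box, so here they are as one script. This is an added example, not code from the walkthrough; it assumes the key has been pasted into ./kay_id_rsa, that john and ssh2john are installed (the /usr/share/john/ssh2john.py path is the Kali default), and that rockyou.txt is the wordlist. The fake key headers used in the checks are constructed for the demo.

```shell
#!/bin/sh
# Added example: prepare a private key copied from a target and crack its passphrase.
KEY=${KEY:-./kay_id_rsa}                              # assumption: where you pasted the key
WORDLIST=${WORDLIST:-/usr/share/wordlists/rockyou.txt} # assumption: wordlist path

# ssh rejects keys that others can read ("UNPROTECTED PRIVATE KEY FILE!").
fix_key_perms() { chmod 600 "$1"; }

# Exit 0 if the key needs a passphrase, 1 if it is unencrypted.
# Legacy PEM keys say so in clear text ("Proc-Type: 4,ENCRYPTED"). For the newer
# "OPENSSH PRIVATE KEY" format the cipher lives inside the base64 blob, so ask
# ssh-keygen for the public key with an empty passphrase; that fails if encrypted.
key_is_encrypted() {
  if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
    return 0
  fi
  if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$1"; then
    if command -v ssh-keygen >/dev/null 2>&1; then
      ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1 && return 1
    fi
    return 0   # cannot tell, or it failed: assume encrypted and let ssh2john decide
  fi
  return 1     # PEM key without an encryption header
}

# john jumbo ships ssh2john either as a binary or as a Python script.
ssh2john_cmd() {
  if command -v ssh2john >/dev/null 2>&1; then echo ssh2john
  elif [ -x /usr/share/john/ssh2john.py ]; then echo /usr/share/john/ssh2john.py
  elif [ -f /usr/share/john/ssh2john.py ]; then echo "python3 /usr/share/john/ssh2john.py"
  else return 1
  fi
}

# Print the recovered passphrase (empty if not cracked). Usage: crack_passphrase KEY WORDLIST
crack_passphrase() {
  s2j=$(ssh2john_cmd) || { echo "ssh2john not found" >&2; return 1; }
  $s2j "$1" > "$1.hash"
  john --wordlist="$2" "$1.hash" >/dev/null 2>&1
  # "john --show" prints "file:passphrase"; keep everything after the first colon
  # so a passphrase that itself contains ':' survives.
  john --show "$1.hash" | awk -F: 'NF > 1 { sub(/^[^:]*:/, ""); print; exit }'
}

if [ -f "$KEY" ]; then
  fix_key_perms "$KEY"
  if key_is_encrypted "$KEY"; then
    PASS=$(crack_passphrase "$KEY" "$WORDLIST") && echo "passphrase: $PASS"
  else
    echo "key is not passphrase-protected; use it directly"
  fi
  # ssh -i "$KEY" kay@10.10.44.49    # type the recovered passphrase when prompted
fi
```

Checking for encryption first matters because ssh2john refuses an unencrypted key, and a wrong file mode produces an ssh error that looks nothing like a bad passphrase; both cost time that the script saves.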
Q8: Enumerate the machine to find any vectors for privilege escalation.
A8: No answer needed
A privilege escalation attack is a cyberattack designed to gain unauthorized privileged access into a system.
Q9: What is the name of the other user you found (all lower case)?
A9: kay
Do you remember? We found the usernames with the Enum4linux tool.
Q10: If you have found another user, what can you do with this information?
A10: No answer needed
Q11: What is the final password you obtain?
A11: heresareallystrongpasswordthatfollowsthepasswordpolicy$$
Now that we’re logged in as Kay, pass.bak in her home directory is readable, and it holds the final password. That’s it! I knew you’d make it.
But this is not enough! Use the “sudo su” command and Kay’s password to get root privileges and catch the flag.
Congratulations! You found the flag.
Thank you for your time. See you soon! Until that time.. Happy Hacking ❤
Resources:
https://www.kali.org/tools/enum4linux
https://www.kali.org/tools/gobuster
https://www.geeksforgeeks.org/gobuster-penetration-testing-tools-in-kali-tools
https://owasp.org/www-community/controls/Blocking_Brute_Force_Attacks
https://www.kali.org/tools/hydra
https://www.ssh.com/academy/ssh/protocol
https://www.techtarget.com/whatis/definition/John-the-Ripper
https://www.crowdstrike.com/cybersecurity-101/privilege-escalation
https://www.kali.org/tools/samba/#smbclient
https://www.samba.org/samba/docs/current/man-html/smbclient.1.html