Tryhackme – Basic Pentesting
In this walk through, we will be going through the Basic Pentesting room from Tryhackme. It is one of the best beginner level box which can hone your pentesting skills if you are new in this field. The room covers basic enumeration, directory bruteforcing, getting shell with online password attacks and basic privilege escalation to get the root. So without any delay, let’s get started.
|Objective||This is a machine that allows you to practice web app hacking and privilege escalation|
Task 1 – Web App Testing and Privilege Escalation
Question 1 – Deploy the machine and connect to our network
Question 2 – Find the services exposed by the machine
- We will start off with a regular nmap scan to reveal open ports and services.
sudo nmap -sS -sV 10.10.143.151
Question 3 – What is the name of the hidden directory on the web server(enter name without /)?
- Fire up gobuster on the webserver found on port 80 to reveal juicy endpoints and directories.
gobuster dir -u http://10.10.143.151/ -w ~/Desktop/common.txt
Question 4 – User brute-forcing to find the username & password
Question 5 – What is the username?
- We will use the nmap scripts for enumerating smb shares and users with the following command.
sudo nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.143.151
- Finds anonymous access. Using Smbclient to access the share. Got staff.txt
- Use smbget to download the file.
smbget -R smb://10.10.143.151/Anonymous
- Got the Username – Jan
Question 6 – What is the password?
- Bruteforcing SSH password of username jan with hydra
sudo hydra -l jan -P ~/Desktop/rockyou.txt ssh://10.10.18.244
Question 7 – What service do you use to access the server(answer in abbreviation in all caps)?
Question 8 – Enumerate the machine to find any vectors for privilege escalation
- Downloading linpeas using wget and using it find privilege escalation vectors
Question 9 – What is the name of the other user you found(all lower case)?
Question 10 – If you have found another user, what can you do with this information?
- Copy the SSH key into a file named id_rsa.
- Use SSH2John to convert the file into a file understandable by john the ripper.
~/Tools/john/run/ssh2john.py id_rsa > privhash.txt
- Bruteforcing the hash file to get the private key.
sudo ~/Tools/john/run/john privhash.txt
ssh -i id_rsa email@example.com
Question 11 – What is the final password you obtain?
Also Read: Tryhackme – Anonymous
So that was the “Basic Pentesting” room for you. Summing it up, First we start with a basic nmap port and service scan. We found SMB, SSH and HTTP service running. Then we try directory bruteforcing with gobuster, found hidden directory “developments”. From there we found out about the shares and an Apache struts version running (Rabbit hole). We tried nmap NSE SMB scripts to gather info about Samba shares. With that, we found a Anonymous share. Next, accessed share using smbclient. There we found file “staff.txt” and user “Jan”. Moving on, Bruteforced SSH password for user Jan using hydra. Later, found the Priv esc vectors by running linpeas and getting the final flag by bruteforcing the SSH key using john. On that note, let me be free from the grips of information warlords and you until then, “Keep Hacking!!!”