Tryhackme - Basic Pentesting

In this walkthrough, we will be going through the Basic Pentesting room from Tryhackme. It is one of the best beginner-level boxes for honing your pentesting skills if you are new to this field. The room covers basic enumeration, directory brute-forcing, getting a shell with online password attacks, and basic privilege escalation to get root. So without any delay, let’s get started.

Machine Info:

Title: Basic Pentesting
IP address: 10.10.143.151
Difficulty: Easy
Objective: This is a machine that allows you to practice web app hacking and privilege escalation

Task 1 – Web App Testing and Privilege Escalation

Question 1 – Deploy the machine and connect to our network

Done

Question 2 – Find the services exposed by the machine

Done

  • We will start off with a regular nmap scan to reveal open ports and services.

sudo nmap -sS -sV 10.10.143.151

Question 3 – What is the name of the hidden directory on the web server(enter name without /)?

  • Fire up gobuster against the web server found on port 80 to reveal interesting endpoints and directories.

gobuster dir -u http://10.10.143.151/ -w ~/Desktop/common.txt

development

Question 4 – User brute-forcing to find the username & password

Done

Question 5 – What is the username?

  • We will use the nmap NSE scripts to enumerate SMB shares and users with the following command.

sudo nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse 10.10.143.151

  • The scripts reveal a share named Anonymous that allows anonymous access. Connect to it with smbclient; it contains staff.txt.

smbclient //10.10.143.151/Anonymous

  • Use smbget to download the file.

smbget -R smb://10.10.143.151/Anonymous

  • staff.txt gives us the username: Jan.

Jan

Question 6 – What is the password?

  • Brute-force the SSH password for user jan with hydra.

sudo hydra -l jan -P ~/Desktop/rockyou.txt ssh://10.10.18.244

armando
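From the defender's side, the hydra step above leaves a distinctive trace in sshd's log: a burst of failed logins from one source within seconds, often followed by a single success. The script below is an added example, not part of the original walkthrough; it runs over constructed sample log lines and assumes the log year (syslog timestamps omit it).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (not taken from the room); the year is
# assumed to be 2024 because syslog-style timestamps do not carry one.
SAMPLE_LOG = """\
Mar  3 10:01:01 target sshd[1201]: Failed password for jan from 10.10.0.5 port 50110 ssh2
Mar  3 10:01:02 target sshd[1202]: Failed password for jan from 10.10.0.5 port 50111 ssh2
Mar  3 10:01:02 target sshd[1203]: Failed password for jan from 10.10.0.5 port 50112 ssh2
Mar  3 10:01:03 target sshd[1204]: Failed password for jan from 10.10.0.5 port 50113 ssh2
Mar  3 10:01:03 target sshd[1205]: Failed password for invalid user admin from 10.10.0.5 port 50114 ssh2
Mar  3 10:01:04 target sshd[1206]: Accepted password for jan from 10.10.0.5 port 50115 ssh2
Mar  3 10:30:00 target sshd[1300]: Failed password for kay from 192.168.1.20 port 41000 ssh2
Mar  3 10:31:00 target sshd[1301]: Accepted publickey for kay from 192.168.1.20 port 41001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse(log_text, year=2024):
    """Turn sshd auth lines into (timestamp, result, user, source_ip) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # unrelated sshd message
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Flag a source IP once it reaches `threshold` failures inside a sliding
    window, and note the first successful login from that IP afterwards."""
    failures = defaultdict(list)
    alerts = {}
    for ts, result, user, ip in events:
        if result == "Failed":
            fails = failures[ip]
            fails.append(ts)
            while (ts - fails[0]).total_seconds() > window_seconds:
                fails.pop(0)  # forget failures that fell out of the window
            if len(fails) >= threshold and ip not in alerts:
                alerts[ip] = {"failures": len(fails), "first": fails[0], "success_after": None}
        elif ip in alerts and alerts[ip]["success_after"] is None:
            alerts[ip]["success_after"] = (user, ts)  # burst then success: likely cracked
    return alerts
```

A real deployment would feed this from /var/log/auth.log or journald and tune the threshold to the environment; the single slow failure from 192.168.1.20 is deliberately left below it.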

Question 7 – What service do you use to access the server(answer in abbreviation in all caps)?

SSH

Question 8 – Enumerate the machine to find any vectors for privilege escalation

Done

  • Download linpeas with wget, run it, and use its output to find privilege escalation vectors. It reveals a readable SSH private key belonging to another user.

Question 9 – What is the name of the other user you found(all lower case)?

kay

Question 10 – If you have found another user, what can you do with this information?

Done

  • Copy the SSH key into a file named id_rsa.

  • Use ssh2john to convert the key into a hash format that John the Ripper understands.

~/Tools/john/run/ssh2john.py id_rsa > privhash.txt

  • Crack the hash with john to recover the passphrase protecting the private key.

sudo ~/Tools/john/run/john privhash.txt

  • Log in as kay with the key and the cracked passphrase.

ssh -i id_rsa kay@10.10.18.244

Question 11 – What is the final password you obtain?

heresareallystrongpasswordthatfollowsthepasswordpolicy$$

Conclusion:

So that was the “Basic Pentesting” room for you. Summing it up: first we started with a basic nmap port and service scan and found SMB, SSH and HTTP running. Then we tried directory brute-forcing with gobuster and found the hidden directory “development”. From there we learned about the shares and an Apache Struts version running (a rabbit hole). We used the nmap NSE SMB scripts to gather info about the Samba shares and found an Anonymous share, which we accessed with smbclient. There we found the file “staff.txt” and the user “Jan”. Next, we brute-forced Jan’s SSH password with hydra. Finally, we found the privilege escalation vector by running linpeas and got the final flag by cracking the SSH key’s passphrase with john. On that note, let me be free from the grips of the information warlords, and you too, until then: “Keep Hacking!!!”