Basic Pentesting
  • Basic Pentesting - A TryHackMe Writeup
Powered by GitBook
On this page

Basic Pentesting - A TryHackMe Writeup

Last updated 8 months ago

We begin by starting our machine and running our usual nmap scan

We get a list of ports:

The Room asks us, What is the name of the hidden directory on the web server(enter name without /)?

The web server would be port 80,or possibly 8080. So lets try gobuster to see what we can find.

Fairly quickly we find the answer, as one directory pops up pretty fast. If we browse to that directory we see we have a few txt files that have some important information that will most likely help us.

The next step in the room asks to find the username & password using brute force. I wonder what username and password we’d be looking for?

In the txt files we have a dev note that mentions something about Struts and Apache, and even a version number. I wonder if we can try finding an exploit for this. I was able to find an exploit in metasploit, it says it executed successfully but no shell was created. Lets keep digging.

We see in the port list that we have port 139 for SMB. Lets see if we can use Anonymous login.

Boom! We have access. Lets see what the staff note tells us.

Alright, so we have some possible usernames, which one of them is the correct answer in the room.

Now, lets see if we can brute force our way into the SSH port with this username and a password list using Hydra

And sure enough! we get the password. So we have the answer for that question, and also the next question that asks what service we will use to access the server. Since we were just brute forcing SSH, we can use that as the answer. ssh into the server with the new password we found

Now lets poke around. We see another user on the server, which is the answer to the next question.

Navigating around, it doesn’t look like jan has a lot of permissions to view much. We can see the other users directory but we are unable to open the pass.bak file that is listed there. We are unable to run sudo commands, as jan is not part of the sudoers group.

If we poke more around the other users directory, we can see there is the .ssh folder that has the id_rsa keys

If we copy the id_rsa and the authorized_keys to our local machine we can try ssh into the user ourselves.

Once saved, we’ll need to change the permissions for these files

chmod 600 id_rsa authorized_keys

Then we can ssh in using the -i flag.

ssh -i id_rsa <user>@10.10.11.55

It is now prompting us for a password. Hmm.

We can try brute forcing the id_rsa password with John

ssh2john id_rsa > id_rsa.hash

john — wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash

We get the password, so now lets try logging back in with the ssh -i id_rsa command, and typing that password when prompted.

Now we can view the pass.bak and we have the answer to our final question!