Try Hack ME — Basic Pentesting
This is the first post in a series in which I will publish write-ups of the Boot to Root machines I solve on platforms like Hack The Box, VulnHub and TryHackMe.
First things first, we run a simple nmap scan to see which ports are open and what services are listening on them.
nmap -sC -sV -O -oA simple_scan 10.10.28.113
- -sC: run the default NSE scripts against the open ports
- -sV: probe the open ports to identify the service and version
- -O: OS detection (needs root, since it sends raw packets)
- -oA: write the results in all three formats (.nmap, .gnmap and .xml) with the base name simple_scan
The scan comes back with 6 open ports.
Before we start investigating the ports we found, let's run a comprehensive nmap scan in the background to make sure we cover all the bases. The default scan only covers nmap's top 1000 TCP ports, so -p- scans all 65535.
nmap -sC -sV -O -p- -oA full_scan 10.10.28.113
When the full scan finishes, it reports no additional open ports.
Similarly, we run an nmap scan with the -sU flag to check UDP. Be aware that a full-range UDP scan is very slow because closed UDP ports are rate-limited by most hosts; scanning the top UDP ports first (--top-ports 100) is the usual compromise when time is short.
nmap -sU -O -p- -oA udp_scan 10.10.28.113
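Because -oA also writes XML, the quick and full scans can be compared programmatically instead of by eye. The following is an added example (not part of the original write-up) that parses the XML layout nmap produces, keeps only ports in state "open", diffs the full-port scan against the quick scan, and builds a port list for a targeted rescan. The scan data in it is constructed for illustration and is not the box's real output; the helper sample_nmap_xml only exists to build that sample.

```python
"""Read the XML that nmap -oA writes and diff the quick scan against the full-port scan."""
import xml.etree.ElementTree as ET


def sample_nmap_xml(ports):
    """Constructed sample in the layout nmap emits with -oX/-oA (not real scan data).
    ports: iterable of (portid, state, service name, product, version)."""
    items = "".join(
        f'<port protocol="tcp" portid="{p}"><state state="{st}" reason="syn-ack"/>'
        f'<service name="{name}" product="{prod}" version="{ver}"/></port>'
        for p, st, name, prod, ver in ports)
    return (f'<?xml version="1.0"?><nmaprun scanner="nmap"><host>'
            f'<address addr="10.10.28.113" addrtype="ipv4"/>'
            f'<ports>{items}</ports></host></nmaprun>')


# Quick scan (top 1000 ports) and a full -p- scan; ports and versions are illustrative.
QUICK_SCAN_XML = sample_nmap_xml([
    (22, "open", "ssh", "OpenSSH", "7.2p2 Ubuntu 4ubuntu2.4"),
    (80, "open", "http", "Apache httpd", "2.4.18"),
    (139, "open", "netbios-ssn", "Samba smbd", "3.X - 4.X"),
    (445, "filtered", "microsoft-ds", "", ""),
])
FULL_SCAN_XML = sample_nmap_xml([
    (22, "open", "ssh", "OpenSSH", "7.2p2 Ubuntu 4ubuntu2.4"),
    (80, "open", "http", "Apache httpd", "2.4.18"),
    (139, "open", "netbios-ssn", "Samba smbd", "3.X - 4.X"),
    (445, "open", "microsoft-ds", "", ""),
    (8009, "open", "ajp13", "Apache Jserv", "Protocol v1.3"),
])


def open_ports(xml_text):
    """Map (protocol, port) -> (service, product, version) for every port nmap marked open.
    Filtered and closed ports are dropped; only open ones matter for enumeration."""
    root = ET.fromstring(xml_text)
    found = {}
    for host in root.iter("host"):
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            attrs = svc.attrib if svc is not None else {}
            key = (port.get("protocol"), int(port.get("portid")))
            found[key] = (attrs.get("name", ""), attrs.get("product", ""), attrs.get("version", ""))
    return found


def new_ports(quick_xml, full_xml):
    """Ports open in the full scan that the quick scan did not report as open.
    An empty list is the 'no other ports are open' result; anything else needs a look."""
    return sorted(set(open_ports(full_xml)) - set(open_ports(quick_xml)))


def port_spec(found):
    """Comma-separated port list for a targeted rescan, e.g. nmap -sC -sV -p 22,80,139."""
    return ",".join(str(p) for _, p in sorted(found))


if __name__ == "__main__":
    for key, (name, prod, ver) in sorted(open_ports(QUICK_SCAN_XML).items()):
        print(f"{key[1]}/{key[0]}  {name:12} {prod} {ver}".rstrip())
    print("new in full scan:", new_ports(QUICK_SCAN_XML, FULL_SCAN_XML))
    print("rescan spec:", port_spec(open_ports(FULL_SCAN_XML)))
```

Feed it the real simple_scan.xml and full_scan.xml with ET.parse(path).getroot() in place of the constructed strings; in the constructed sample the diff surfaces a port whose state changed (445) as well as a port the quick scan never probed (8009), which is exactly what you want to notice before moving on to enumeration.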
Let's start with port 80. Visit the URL in a browser.
It looks like the site is under maintenance, but the web application might still have hidden directories. To find them, we will use the dirsearch tool (the extension argument is quoted so the shell does not expand the asterisk):
python3 dirsearch.py -u http://10.10.28.113/ -e '*'
dirsearch finds a directory named "development". Let's open it in the browser and see what it has to offer.
It contains 2 text files, 'dev.txt' and 'j.txt'.
Both notes are signed only with initials, -K and -J.
From above files we got the following information:
- SMB has been configured.
- Apache Struts version 2.5.12 is running
- J's password is weak and easily crackable
Let's start with SMB enumeration by listing the shares without credentials:
smbclient -L 10.10.28.113 -N
We find a share named 'Anonymous' that accepts an anonymous login. Next, connect to that share with smbclient (again with -N for no password) and download whatever it has to offer.
Read downloaded file staff.txt.
Now we know who K and J are: Kay and Jan. From the earlier note we know that Jan's password is weak and easy to crack, so let's use Hydra to brute-force Jan's SSH credentials. The -t 4 keeps the number of parallel connections low, which is what Hydra itself recommends for SSH, since sshd limits concurrent unauthenticated connections and drops the rest.
hydra -l jan -P /usr/share/wordlists/rockyou.txt -t 4 ssh://10.10.28.113
Hydra finds the password. Let's use it to log in over SSH.
We are now logged in to Jan's account. Next we explore the machine, especially Kay's home directory, which might hold some juicy information. There is a password backup file in Kay's home, but Jan does not have permission to read it and has no sudo rights.
To read the password backup file we need to escalate privileges. Exploring Kay's directory a bit more, we find her SSH private key, and it is passphrase-protected.
Save the key to a file. Because it is encrypted, convert it into a hash that John can crack using 'ssh2john.py' and save that to another file.
python /usr/share/john/ssh2john.py basic_key > basic_key_hash
Now run John, to crack the passphrase.
john --wordlist=/usr/share/wordlists/rockyou.txt basic_key_hash
Give the key file the permissions ssh requires (it refuses keys readable by other users), then log in to Kay's account with the key and the cracked passphrase, and read the password backup file.
chmod 600 basic_key
ssh -i basic_key kay@10.10.28.113
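Why did this key fall to a wordlist at all? The traditional PEM format Kay's key uses derives the decryption key from the passphrase with OpenSSL's legacy EVP_BytesToKey (a single MD5 over passphrase and salt, where the salt is the IV printed in the DEK-Info header), so a cracker pays one MD5 per guess; ssh2john only extracts that header and the ciphertext into a form John can read. The block below is an added example, not part of the write-up or of ssh2john: it pulls the same fields out of a key file, implements the derivation with hashlib, and also recognises the newer openssh-key-v1 container, whose bcrypt KDF and round count make the same attack far more expensive. The key text and the openssh container in it are constructed samples with filler bytes, not real keys; without AES in the standard library it stops at key derivation and does not perform the final decrypt check.

```python
"""Inspect an SSH private key the way ssh2john does and show the per-guess cost."""
import base64
import hashlib
import struct

# Constructed sample in the traditional (PEM) layout. The body is filler bytes,
# not a real key: only the headers and the ciphertext length are meaningful.
_FILLER = base64.b64encode(bytes(range(112))).decode()   # 112 bytes = 7 AES blocks
PEM_SAMPLE = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
    + "\n".join(_FILLER[i:i + 64] for i in range(0, len(_FILLER), 64))
    + "\n-----END RSA PRIVATE KEY-----\n"
)

# Key sizes for the ciphers OpenSSL uses in DEK-Info headers.
KEY_SIZES = {"AES-128-CBC": 16, "AES-192-CBC": 24, "AES-256-CBC": 32, "DES-EDE3-CBC": 24}


def _read_string(buf, off):
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def _inspect_openssh(blob):
    """New-style 'openssh-key-v1' container: cipher, KDF and bcrypt rounds are in the clear."""
    magic = b"openssh-key-v1\x00"
    if not blob.startswith(magic):
        raise ValueError("not an openssh-key-v1 blob")
    cipher, off = _read_string(blob, len(magic))
    kdf, off = _read_string(blob, off)
    kdfopts, off = _read_string(blob, off)
    info = {"format": "openssh", "cipher": cipher.decode(), "kdf": kdf.decode(),
            "encrypted": cipher != b"none"}
    if kdf == b"bcrypt":
        salt, o = _read_string(kdfopts, 0)
        info["salt"] = salt
        (info["rounds"],) = struct.unpack(">I", kdfopts[o:o + 4])
    return info


def inspect_key(text):
    """Return format, encryption status, cipher and KDF cost for a private key file."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        return _inspect_openssh(base64.b64decode("".join(lines[1:-1])))
    headers, body, in_body = {}, [], False
    for line in lines[1:-1]:
        if not in_body and ":" in line:           # "Proc-Type:" / "DEK-Info:" headers
            k, v = line.split(":", 1)
            headers[k.strip()] = v.strip()
        elif line:                                # base64 body (a blank line ends the headers)
            in_body = True
            body.append(line)
    info = {"format": "pem", "encrypted": headers.get("Proc-Type") == "4,ENCRYPTED"}
    if info["encrypted"]:
        cipher, iv_hex = headers["DEK-Info"].split(",")
        info.update(cipher=cipher, iv=bytes.fromhex(iv_hex), kdf="EVP_BytesToKey(MD5)",
                    rounds=1, ciphertext_len=len(base64.b64decode("".join(body))))
    return info


def evp_bytes_to_key(passphrase, iv, key_len):
    """OpenSSL's legacy PEM KDF: D_i = MD5(D_{i-1} || passphrase || salt), one iteration,
    salt = first 8 bytes of the IV. For AES-128 that is a single MD5 per guess."""
    salt, key, prev = iv[:8], b"", b""
    while len(key) < key_len:
        prev = hashlib.md5(prev + passphrase + salt).digest()
        key += prev
    return key[:key_len]


def candidate_keys(info, wordlist):
    """What a cracker computes per guess for a PEM key. The remaining step, decrypting the
    first block with each key and checking for a DER SEQUENCE byte (0x30), needs AES,
    which the standard library lacks, so this example stops at key derivation."""
    key_len = KEY_SIZES[info["cipher"]]
    return {pw: evp_bytes_to_key(pw.encode(), info["iv"], key_len) for pw in wordlist}


def sample_openssh_key(cipher=b"aes256-ctr", kdf=b"bcrypt", rounds=16):
    """Constructed container header only (no key material) to exercise the new-format path."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    kdfopts = s(bytes(16)) + struct.pack(">I", rounds) if kdf == b"bcrypt" else b""
    blob = b"openssh-key-v1\x00" + s(cipher) + s(kdf) + s(kdfopts) + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 + "\n-----END OPENSSH PRIVATE KEY-----\n"


if __name__ == "__main__":
    for key in (PEM_SAMPLE, sample_openssh_key()):
        print(inspect_key(key))
    # Old-format key: one MD5 per guess is all john pays when it runs rockyou against it
    print(candidate_keys(inspect_key(PEM_SAMPLE), ["password", "letmein"]))
```

Run inspect_key over the text of a real key file to see which case you are dealing with: a PEM key with a DEK-Info header is the cheap-to-crack case this box demonstrates, while an openssh-key-v1 key with kdf bcrypt and a high round count (ssh-keygen -a 100 or more) costs the attacker that many bcrypt iterations per guess. Regenerating Kay's key in the new format with a strong passphrase is the fix for the finding.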
We finally have the password, and with it the challenge is complete. Let's still try to get higher privileges.
Now check what sudo privileges Kay has with sudo -l.
The output shows that Kay has full sudo rights, so a root shell is one command away (for example sudo -i).
That completes Basic Pentesting on TryHackMe. Thank you for staying till the end.