TryHackMe: Basic Pentesting — Write-Up

Danish Zia
4 min read · Apr 18, 2020


Figure 1.1

Hi,

This article is about the Basic Pentesting room on TryHackMe. It is a free room and anyone can join it.

Description: This is a machine that allows you to practise web app hacking and privilege escalation.

This room teaches the basics of hacking web applications. Let's get started.

Deploy the machine with the "Deploy" button as shown in figure 1.2 below:

Figure 1.2

You will get a specific IP address for the machine as shown in figure 1.3 below:

Figure 1.3

When you deploy the machine, its IP address may differ from the one shown in this article. Scan the machine with nmap as shown in figure 1.4 below:

nmap -Pn -sS -sV -p- 10.10.83.60

Figure 1.4

Access this IP address from a web browser, as shown in figure 1.5 below:

Figure 1.5

There might be hidden directories in this web app. To find them we will use the DirBuster tool:

dirbuster

Figure 1.6

After running this command, a GUI will open as shown in figure 1.7 below:

Figure 1.7

After configuring it as shown above, click the Start button to begin searching for hidden directories, as shown in figure 1.8 below:

Figure 1.8
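From the server's side, a DirBuster run like the one above looks like a single client generating a burst of 404 responses for paths that do not exist. The following Python script is an added example for this write-up (not the room's or the author's code) that flags that pattern in an Apache/nginx combined-format access log; the log lines, addresses, paths and user-agent string in it are constructed for illustration.

```python
"""Spot DirBuster-style directory brute-forcing in a web server access log.

Added example: groups 404 responses by client address and raises an alert
when one client produces at least `threshold` misses inside a time window.
All sample data below is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in Apache/nginx "combined" log format.
SAMPLE_ACCESS_LOG = """\
10.0.0.5 - - [18/Apr/2020:10:00:00 +0000] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.0.0.7 - - [18/Apr/2020:10:00:01 +0000] "GET /admin HTTP/1.1" 404 209 "-" "DirBuster-1.0-RC1"
10.0.0.7 - - [18/Apr/2020:10:00:01 +0000] "GET /backup HTTP/1.1" 404 209 "-" "DirBuster-1.0-RC1"
10.0.0.7 - - [18/Apr/2020:10:00:02 +0000] "GET /test HTTP/1.1" 404 209 "-" "DirBuster-1.0-RC1"
10.0.0.7 - - [18/Apr/2020:10:00:02 +0000] "GET /old HTTP/1.1" 404 209 "-" "DirBuster-1.0-RC1"
10.0.0.7 - - [18/Apr/2020:10:00:03 +0000] "GET /development/ HTTP/1.1" 200 512 "-" "DirBuster-1.0-RC1"
10.0.0.5 - - [18/Apr/2020:10:00:04 +0000] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.0.0.5 - - [18/Apr/2020:10:00:05 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_access_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "path": m["path"],
        "status": int(m["status"]),
        "ua": m["ua"],
    }


def detect_dir_bruteforce(log_text, window_seconds=60, threshold=4):
    """Return {ip: details} for clients with >= threshold 404s inside any window."""
    misses = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_access_line(line)
        if rec and rec["status"] == 404:
            misses[rec["ip"]].append(rec)
    alerts = {}
    for ip, recs in misses.items():
        recs.sort(key=lambda r: r["ts"])
        for i in range(len(recs)):
            # Grow the window from record i as far as window_seconds allows
            j = i
            while (j + 1 < len(recs)
                   and (recs[j + 1]["ts"] - recs[i]["ts"]).total_seconds() <= window_seconds):
                j += 1
            burst = recs[i:j + 1]
            if len(burst) >= threshold:
                alerts[ip] = {
                    "not_found": len(burst),
                    "paths": [r["path"] for r in burst],
                    "user_agents": sorted({r["ua"] for r in burst}),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_dir_bruteforce(SAMPLE_ACCESS_LOG).items():
        print(f"{ip}: {info['not_found']} misses in window, UA={info['user_agents']}")
```

The threshold and window are deliberately low for the sample; on a real site tune them against normal 404 noise (favicons, stale bookmarks) so a single browser does not trip the rule. The other lesson of the "development" directory is simpler: notes like dev.txt and j.txt should never sit under a web root in the first place.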

We found a directory "development" containing 2 files; let's first explore them:

File dev.txt:

Figure 1.9

File j.txt:

Figure 1.10

Both files contain messages for -K and -J.

From the above files we got the following information:

  1. SMB has been configured.
  2. Apache Struts version 2.5.12 is running.
  3. User J is using a weak password which can be cracked easily.

Let's start enumerating the SMB port with the enum4linux tool:

enum4linux -a 10.10.83.60

Figure 1.11

Now we have both usernames, so let's run a brute-force attack on both users using the famous tool Hydra.

hydra -t 4 -l jan -P /directory_path/rockyou.txt ssh://10.10.83.60

Figure 1.12
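The Hydra run above leaves a very recognisable trail in the target's authentication log: a run of "Failed password" lines from one source address, followed by an "Accepted password" once the wordlist hits. The Python script below is an added example (not from the write-up) that detects exactly that sequence in OpenSSH's log format; the hostname, PIDs, addresses and fingerprint in the sample lines are constructed placeholders.

```python
"""Detect an SSH password brute-force in sshd's auth log.

Added example: counts failed logins per source address and notes whether a
successful login followed a run of failures from the same source. The log
lines are constructed; hostname, PIDs and addresses are placeholders.
"""
import re
from collections import defaultdict

SAMPLE_AUTH_LOG = """\
Apr 18 10:05:01 target sshd[1201]: Failed password for jan from 10.0.0.7 port 40001 ssh2
Apr 18 10:05:02 target sshd[1202]: Failed password for jan from 10.0.0.7 port 40002 ssh2
Apr 18 10:05:02 target sshd[1203]: Failed password for invalid user admin from 10.0.0.7 port 40003 ssh2
Apr 18 10:05:03 target sshd[1204]: Failed password for jan from 10.0.0.7 port 40004 ssh2
Apr 18 10:05:04 target sshd[1205]: Accepted password for jan from 10.0.0.7 port 40005 ssh2
Apr 18 10:07:00 target sshd[1300]: Accepted publickey for kay from 10.0.0.9 port 50001 ssh2: RSA SHA256:PLACEHOLDER
Apr 18 10:08:00 target sshd[1301]: Failed password for jan from 10.0.0.9 port 50002 ssh2
"""

# Matches both "Failed password for jan from ..." and
# "Failed password for invalid user admin from ...".
SSHD_RE = re.compile(
    r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def analyze_auth_log(log_text, threshold=3):
    """Return {ip: details} for sources with >= threshold failed logins."""
    state = defaultdict(lambda: {"failures": 0, "users": set(), "success_after_failures": False})
    for line in log_text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        entry = state[m["ip"]]
        if m["result"] == "Failed":
            entry["failures"] += 1
            entry["users"].add(m["user"])
        elif entry["failures"] >= threshold:
            # A success after a run of failures is the classic "wordlist hit" signature
            entry["success_after_failures"] = True
    return {
        ip: {
            "failures": e["failures"],
            "users": sorted(e["users"]),
            "success_after_failures": e["success_after_failures"],
        }
        for ip, e in state.items()
        if e["failures"] >= threshold
    }


if __name__ == "__main__":
    for ip, info in analyze_auth_log(SAMPLE_AUTH_LOG).items():
        print(f"{ip}: {info['failures']} failures for {info['users']}, "
              f"success afterwards={info['success_after_failures']}")
```

The `success_after_failures` flag is the one worth paging on: a source that fails repeatedly and then gets in has very likely guessed a password, which is what happens to the jan account here. The fix on the server side is the usual one: set `PasswordAuthentication no` in sshd_config and use keys, and lower `MaxAuthTries` or rate-limit with a tool such as fail2ban so a wordlist run stalls instead of finishing.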

Here we go, we have found the password for the jan account. Now let's try to log in:

Figure 1.13

Here we have successfully logged in. Now let's explore this machine, especially Kay's account, to find something. We have found a password backup file in Kay's account, but unfortunately the jan account does not have the privileges to read it, nor can jan run sudo.

Figure 1.14

In order to read the password backup file we have to escalate privileges. After exploring Kay's directories a bit more, we found SSH keys as shown in figure 1.15 below:

Figure 1.15

Save the keys on your machine in a file using nano or any editor you like.

Now run the ssh2john tool to get a hash of the key.

python /usr/share/john/ssh2john.py sshkeys.txt > sshkeyshash.txt

Figure 1.16

Now run John the Ripper to crack the passphrase for Kay's key.

john --wordlist=rockyou.txt sshkeyshash.txt

I have copied the rockyou.txt file to my Desktop directory just to avoid writing the full path.

Figure 1.17
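Two separate weaknesses made this step work: jan could read a private key belonging to another user, and the key's passphrase was weak enough for john to recover from rockyou.txt. The Python script below is an added example (not part of the write-up) that audits private key files for both: it checks the file mode and whether the key material is actually encrypted, handling both the traditional PEM framing ("BEGIN RSA PRIVATE KEY") and the newer openssh-key-v1 format. The key files it writes are constructed stand-ins with placeholder bodies, not real keys.

```python
"""Audit SSH private keys for loose permissions and a missing passphrase.

Added example. For the traditional PEM format, encryption is signalled by a
"Proc-Type: 4,ENCRYPTED" header; for openssh-key-v1 the cipher name is the
first length-prefixed string after the magic, and "none" means unencrypted.
"""
import base64
import os
import stat
import struct
import tempfile

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def key_is_encrypted(pem_text):
    """Return True if the key material is passphrase-protected."""
    lines = pem_text.strip().splitlines()
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN"):
        raise ValueError("not a PEM-framed key")
    body = lines[1:-1]
    if "OPENSSH PRIVATE KEY" in lines[0]:
        blob = base64.b64decode("".join(body))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(OPENSSH_MAGIC)
        (n,) = struct.unpack(">I", blob[off:off + 4])
        cipher = blob[off + 4:off + 4 + n].decode()
        return cipher != "none"
    return any(line.startswith("Proc-Type: 4,ENCRYPTED") for line in body)


def audit_key_file(path):
    """Return a list of findings; an empty list means the key passes both checks."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other bit set: other local users can read it
        findings.append(f"mode {oct(mode)} allows group/other access")
    with open(path) as f:
        if not key_is_encrypted(f.read()):
            findings.append("key material is not passphrase-protected")
    return findings


# Constructed sample keys: placeholder bodies, not usable key material.
PEM_PLAIN = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "UExBQ0VIT0xERVI=\n"
    "-----END RSA PRIVATE KEY-----\n"
)
PEM_ENCRYPTED = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,00000000000000000000000000000000\n"
    "\n"
    "UExBQ0VIT0xERVI=\n"
    "-----END RSA PRIVATE KEY-----\n"
)


def build_openssh_key(cipher, kdf):
    """Build only the header of an openssh-key-v1 blob (enough for the cipher check)."""
    blob = (OPENSSH_MAGIC
            + struct.pack(">I", len(cipher)) + cipher.encode()
            + struct.pack(">I", len(kdf)) + kdf.encode())
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


def run_demo():
    """Write the sample keys with different modes into a temp dir and audit each."""
    samples = {
        "id_rsa_world_readable_plain": (PEM_PLAIN, 0o644),
        "id_rsa_private_encrypted": (PEM_ENCRYPTED, 0o600),
        "id_ed25519_plain": (build_openssh_key("none", "none"), 0o600),
        "id_ed25519_encrypted": (build_openssh_key("aes256-ctr", "bcrypt"), 0o600),
    }
    results = {}
    with tempfile.TemporaryDirectory() as d:
        for name, (text, mode) in samples.items():
            path = os.path.join(d, name)
            with open(path, "w") as f:
                f.write(text)
            os.chmod(path, mode)
            results[name] = audit_key_file(path)
    return results


if __name__ == "__main__":
    for name, findings in run_demo().items():
        print(f"{name}: {findings or 'OK'}")
```

Run it over every `~/.ssh/id_*` file on a host to find keys in the same state as Kay's. Note that the passphrase check only tells you a passphrase exists; whether it survives a rockyou.txt run, as Kay's did not, depends on its strength, which is why ssh2john and john are the right tools for that second question.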

Now access Kay's SSH account using Kay's private key (id_rsa):

ssh -i /home/kay/.ssh/id_rsa kay@10.10.83.60

Figure 1.18

We tried to access Kay's SSH account directly but were unsuccessful. Let's try from Jan's account: first log in to jan's SSH account, then type the same command:

Figure 1.19

Here we go, we have successfully logged in to Kay's SSH account; now let's go to that password backup file and read its contents.

Figure 1.20

We have finally got the password, and with that the challenge is completed.

Let's try to escalate privileges from kay's account. First we have to check what privileges Kay has by using the command:

sudo -l

Figure 1.21

The result shows kay has all sudo privileges, so we try to execute the command:

sudo su

Figure 1.22

We have got the flag.txt file.

Hurrah! We have completed this Basic Pentesting challenge. Thanks for staying till the end.

If you like this article, please support me on Patreon.
