Basic Pentesting

Hedi Aymen
4 min read · Apr 21, 2022

Hello everyone, in this writeup I will give a walk-through of a boot-to-root room called “Basic Pentesting”.

If you are wondering what the Basic Pentesting THM room focuses on, these are the things you will learn while answering its questions:

  • Brute forcing
  • Hash cracking
  • Service, and Linux enumeration

The first question asks you to deploy the victim machine. That is done easily with the “Start Machine” button.

2. Find the services exposed by the machine

First of all, we run an Nmap scan to determine which services the machine exposes.

Success! We now have the services.

3. What is the name of the hidden directory on the web server (enter the name without /)?

To find the hidden directory on the web server, we can use DIRB to enumerate directories.

DIRB is a web content scanner. It looks for existing (and/or hidden) web objects by launching a dictionary-based attack against a web server and analyzing the responses.

Our hidden directory is development.

4. User brute-forcing to find the username & password

Reviewing our enumeration, we see that ports 139 and 445 are open. These ports are used for SMB (Server Message Block), a high-risk service that is very frequently misconfigured and leaks information. So let’s use enum4linux, a tool for enumerating information from Windows and Samba systems.

Bingo! We have two usernames: kay and jan.

The correct answer is jan.

We will use hydra, a parallelized login cracker which supports numerous protocols. It is very fast and flexible, and new modules are easy to add.
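The flip side of the brute-forcing step is what it leaves behind on the target: a burst of `Failed password` lines from one address, often followed by an `Accepted password` for the same account. The following added example (not code from the original writeup) parses constructed auth.log-style lines and applies a sliding-window rule per source address, flagging both the burst and a success that follows it. The log lines, hostnames and addresses are all constructed for the example.

```python
"""Flag password-guessing bursts against sshd in auth.log-style lines.

Added example (not part of the original writeup): the log lines below are
constructed to resemble what a password-guessing run against SSH leaves
on the target.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth.log excerpt: a burst of failures from one address
# followed by a success, plus ordinary activity from another address.
SAMPLE_AUTH_LOG = """\
Apr 21 10:00:01 target sshd[1201]: Failed password for jan from 198.51.100.7 port 50211 ssh2
Apr 21 10:00:02 target sshd[1203]: Failed password for jan from 198.51.100.7 port 50213 ssh2
Apr 21 10:00:02 target sshd[1205]: Failed password for invalid user admin from 198.51.100.7 port 50214 ssh2
Apr 21 10:00:03 target sshd[1207]: Failed password for jan from 198.51.100.7 port 50215 ssh2
Apr 21 10:00:03 target sshd[1209]: Failed password for jan from 198.51.100.7 port 50216 ssh2
Apr 21 10:00:04 target sshd[1211]: Failed password for jan from 198.51.100.7 port 50217 ssh2
Apr 21 10:00:05 target sshd[1213]: Accepted password for jan from 198.51.100.7 port 50218 ssh2
Apr 21 10:05:00 target sshd[1300]: Failed password for kay from 192.0.2.20 port 40001 ssh2
Apr 21 10:07:00 target sshd[1302]: Accepted publickey for kay from 192.0.2.20 port 40002 ssh2
"""

AUTH_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+ "
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text, year=2022):
    """Turn sshd lines into events; syslog omits the year, so it is supplied."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # unrelated daemon or message shape
        ts = datetime.strptime(
            f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S"
        )
        events.append({"ts": ts, "result": m["result"], "method": m["method"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Sliding window per source address.

    Emits one 'bruteforce' alert when a source reaches `threshold` failures
    inside the window, and a 'success_after_bruteforce' alert for every
    accepted login from a source that is still over the threshold.
    """
    alerts = []
    recent_fails = defaultdict(list)  # ip -> failure timestamps still in window
    already_flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        ip = ev["ip"]
        cutoff = ev["ts"] - timedelta(seconds=window_seconds)
        recent_fails[ip] = [t for t in recent_fails[ip] if t >= cutoff]
        if ev["result"] == "Failed":
            recent_fails[ip].append(ev["ts"])
            if len(recent_fails[ip]) >= threshold and ip not in already_flagged:
                already_flagged.add(ip)
                alerts.append({"type": "bruteforce", "ip": ip,
                               "attempts": len(recent_fails[ip]), "at": ev["ts"]})
        elif len(recent_fails[ip]) >= threshold:
            alerts.append({"type": "success_after_bruteforce", "ip": ip,
                           "user": ev["user"], "method": ev["method"], "at": ev["ts"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)):
        print(alert)
```

On the sample, the first address trips the threshold at its fifth failure and the later `Accepted password` from the same address is flagged as a success following a burst; the second address (one failure, then a key-based login two minutes later) produces nothing. The threshold and window are the knobs to tune against your own baseline of typo-level failures.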

7. What service do you use to access the server (answer in abbreviation, in all caps)?

The service we use to access the server is SSH.

8. Enumerate the machine to find any vectors for privilege escalation

We have successfully found the password for the jan account. Now let’s log in:

Our goal is to escalate our privileges to root. We don’t have the password for user kay, and jan doesn’t have many privileges, so we will use kay’s SSH private key, recover its passphrase, and access the machine as kay (without kay’s actual password). Let’s see the steps for this:

  • Step 1: Get the id_rsa key from kay’s directory and save it on our system:

cd /home/kay
cd .ssh
cat id_rsa

Then copy this key and save it on our system under the name “Aymen.txt”.

  • Step 2: Cracking the key for the passphrase:

python3 /opt/john/ssh2john.py Aymen.txt > decrypted.txt

This converts our private SSH key into a hash format that john can crack.

john --wordlist=/usr/share/wordlist/rockyou.txt decrypted.txt

Bingo! This gives us the passphrase: beeswax

  • Step 3: Accessing the machine as kay

ssh -i /home/kay/.ssh/id_rsa kay@[TARGET_MACHINE_IP]
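The steps above only work because the key’s passphrase was weak and the key used the legacy PEM encryption that ssh2john converts, whose key derivation is a single MD5 pass and therefore cheap to guess against. From the defender’s side, the check worth automating is whether a private key is passphrase-protected at all and which KDF protects it. The following added example (not code from the original writeup or from OpenSSH) inspects a key file’s headers: for the legacy PEM format it reads the `Proc-Type`/`DEK-Info` headers, and for the `openssh-key-v1` format it decodes the cipher name, KDF name and bcrypt round count. The sample key files are constructed, with zeroed key material, and the `build_openssh_key` helper exists only to produce them; `assess` and its finding strings are this example’s own.

```python
"""Inspect an OpenSSH private key file and report how well a passphrase protects it.

Added example (not part of the original writeup). The key files below are
constructed: their key material is zeros, only the headers the inspector
reads are meaningful.
"""
import base64
import re
import struct

OPENSSH_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_END = "-----END OPENSSH PRIVATE KEY-----"
LEGACY_BEGIN = re.compile(r"^-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----$")
MAGIC = b"openssh-key-v1\x00"


def _read_string(buf, off):
    """Read an RFC 4251 'string' (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    return buf[off:off + n], off + n


def inspect_private_key(pem_text):
    """Return format, cipher, KDF and (for bcrypt) rounds of a private key file."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if lines[0] == OPENSSH_BEGIN:
        blob = base64.b64decode("".join(l for l in lines[1:] if l != OPENSSH_END))
        if not blob.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        off = len(MAGIC)
        cipher, off = _read_string(blob, off)
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        info = {"format": "openssh-v1", "cipher": cipher.decode(),
                "kdf": kdf.decode(), "rounds": None}
        info["encrypted"] = info["cipher"] != "none"
        if info["kdf"] == "bcrypt":
            _salt, o = _read_string(kdfopts, 0)  # kdfoptions = string salt, uint32 rounds
            (info["rounds"],) = struct.unpack_from(">I", kdfopts, o)
        return info
    if LEGACY_BEGIN.match(lines[0]):
        # PEM headers sit between BEGIN and the first blank line; base64 never contains ':'.
        headers = dict(l.split(":", 1) for l in lines[1:]
                       if ":" in l and not l.startswith("-----"))
        encrypted = headers.get("Proc-Type", "").strip().endswith("ENCRYPTED")
        cipher = headers.get("DEK-Info", "none").split(",")[0].strip() if encrypted else "none"
        # Legacy PEM derives the key with a single MD5 pass (EVP_BytesToKey), i.e. one round.
        return {"format": "legacy-pem", "encrypted": encrypted, "cipher": cipher,
                "kdf": "md5-evp-bytestokey" if encrypted else "none",
                "rounds": 1 if encrypted else None}
    raise ValueError("unrecognised private key format")


def assess(info, min_rounds=16):
    """Findings a key-hygiene audit would raise; 16 is ssh-keygen's default bcrypt rounds."""
    findings = []
    if not info["encrypted"]:
        findings.append("private key is stored without a passphrase")
    elif info["format"] == "legacy-pem":
        findings.append("legacy PEM encryption: single-pass MD5 KDF makes passphrase guessing cheap")
    elif info["kdf"] == "bcrypt" and info["rounds"] < min_rounds:
        findings.append(f"bcrypt rounds {info['rounds']} below recommended {min_rounds}")
    return findings


def build_openssh_key(cipher, kdf, rounds=16, salt=b"\x00" * 16):
    """Constructed openssh-key-v1 file: real header layout, zeroed key material."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    kdfopts = (s(salt) + struct.pack(">I", rounds)) if kdf == "bcrypt" else b""
    blob = (MAGIC + s(cipher.encode()) + s(kdf.encode()) + s(kdfopts)
            + struct.pack(">I", 1) + s(b"\x00" * 32) + s(b"\x00" * 64))
    b64 = base64.b64encode(blob).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{OPENSSH_BEGIN}\n{wrapped}\n{OPENSSH_END}\n"


# Constructed legacy-format key header (the kind ssh2john converts in the steps above).
LEGACY_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for sample in (LEGACY_SAMPLE, build_openssh_key("none", "none"),
                   build_openssh_key("aes256-ctr", "bcrypt", rounds=16)):
        info = inspect_private_key(sample)
        print(info, assess(info) or ["ok"])
```

Run against a real `~/.ssh` directory, the legacy-PEM and no-passphrase findings are the ones that matter: the fix on the key owner’s side is `ssh-keygen -p` with a strong passphrase on a key in the current format, and on the server side, not leaving a user’s private key readable by another local account, which is what the enumeration step above relied on.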

What is the final password you obtain?

We have successfully completed the Basic Pentesting room on TryHackMe.

Hope you found it helpful and, as always, Happy Hacking!👨‍💻
