Try Hack Me: Basic Pentesting Room

The skills to be tested and needed to solve this room are: webapp, boot2root, and cracking.

This room has been out for over a year, but it is still a great one to practice on. I was assigned an IP of 10.10.170.205.

Shout-out to @ashu for creating this room. Visit https://tryhackme.com and create an account for free to take advantage of this great learn-to-hack platform.

Answers were masked so you will have to do the steps and see how things work. I don’t want to take away this learning experience from you. The purpose of this write-up is to help you when you feel stuck and to see how other users like me cracked the room.

There are 11 questions to complete the room:

  • Deploy the machine and connect to the network
    • No answer needed
  • Find the services exposed by the machine
    • No answer needed
  • What is the name of the hidden directory on the web server (enter without “/”)
    • d*********t
  • Use brute-forcing to find the username and password
    • No answer needed
  • What is the username?
    • j**
  • What is the password?
    • a*****o
  • What service do you use to access the server (answer in abbreviation in all caps)
    • S**
  • Enumerate the machine to find any vectors for privilege escalation
    • No answer needed
  • What is the name of the other user you found (all lower case)
    • k**
  • If you have found another user, what can you do with this information?
    • No answer needed
  • What is the final password you obtained?
    • h******************************************************$

Steps:

1. Deploy the machine and connect to the network.

2. Find the services exposed by the machine by using nmap: sudo nmap -sC -sV -oA basic_pentesting 10.10.170.20

  • sudo – we have to run the nmap scan with root privileges because “TCP/IP fingerprinting (for OS scan) requires root privileges.”
  • -sC – to scan using the default nmap scripts
  • -sV – to pull version information of open ports found during the scan
  • -oA basic_pentesting – to save the results of the scan to files named “basic_pentesting” in three different formats (normal, XML, and grepable)
Open ports are: 22, 80, 139, 445, 8009 and 8080.
  • The nmap result above tells us that the website doesn’t have a title, yet it is still good practice to check it anyway:
  • Let’s check the page source to see if we can find any clues:
Sure enough, the page source is telling us that there is a dev section.

3. What is the name of the hidden directory on the web server?

  • We will use gobuster to check for hidden directories, and hopefully we will find the “dev” section that was mentioned in the page source: gobuster dir -u http://10.10.170.205 -w /usr/share/wordlists/dirb/common.txt
  • dir – to use directory/file brute-forcing mode
  • -u – is the flag to tell gobuster that we are scanning a URL
  • -w – is the flag to set the list of possible directory and file names
Only one interesting directory was found.
  • Let’s check the content of the hidden directory
Found 2 interesting files.
  • Check what’s inside dev.txt
The only part of the message that is probably helpful is that we now know SMB is configured.
  • Check what’s inside j.txt
It is giving us a clue that a user whose name starts with J is using a weak password. We can exploit that.
  • We need to further enumerate the victim machine because we still don’t have a clue about the naming convention used for usernames. Let’s enumerate the SMB service. Looking at the nmap result again, it shows that guest access can be used to reach SMB:
  • Try to connect to the SMB service using anonymous authentication. When prompted for a password, it is actually asking for your password and not a victim’s password: smbclient //10.10.170.205/anonymous
staff.txt sounds like something that could help us find a username.
  • Download the file to your attack machine (Kali) using get so we can open it: get staff.txt
We have successfully downloaded the file.
  • Go back to your Kali terminal and open the file by using cat: cat staff.txt
Now we see two users with names starting with the letters J and K.

4. Use brute-forcing to find the username and password

  • Remember the contents of the j.txt we found in the hidden directory? User k** was telling user j** that the password in use is weak. So it makes more sense to brute-force user j**’s credentials than user k**’s. We are going to use the tool Hydra: hydra -l j** -P /usr/share/wordlists/rockyou.txt 10.10.170.205 ssh -t 4
  • -l – to use a single username to crack
  • -P – this is an uppercase “P”, to use a list of passwords to try against the username
  • ssh – to specify what service we are trying to crack. Since SSH is one of the open services that came up in our nmap scan, it just makes sense to try and crack that service
  • -t 4 – to specify the number of tasks connecting in parallel. The default is 16. Hydra recommends using just 4 tasks when targeting SSH.
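From the defender’s side, a Hydra run like the one above leaves a very recognisable trail in the SSH daemon’s log: many “Failed password” lines for one user from one source IP within seconds. The following detector is an added example, not part of the original write-up; the log lines it reads are constructed, and the host name, user name and addresses in them are made up.

```python
"""Flag SSH password brute-forcing by counting sshd login failures per source IP
inside a sliding time window (the pattern left behind by hydra ... ssh -t 4)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# sshd lines as written by OpenSSH on Debian/Ubuntu into /var/log/auth.log
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?:Failed password for (?:invalid user )?(?P<user>\S+)|Invalid user (?P<iuser>\S+)) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

def parse_line(line, year=2024):
    """Return (timestamp, user, source_ip) for an sshd failure line, else None.
    Syslog timestamps carry no year, so one is supplied by the caller."""
    m = FAILED_RE.search(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return ts, m.group("user") or m.group("iuser"), m.group("ip")

def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {source_ip: (peak failures in window, sorted targeted users)} for IPs that
    reach `threshold` failures within any `window_seconds` span. A human mistyping a
    password twice stays under the threshold; four parallel Hydra tasks do not."""
    seen = defaultdict(deque)   # per-IP timestamps still inside the window
    users = defaultdict(set)
    alerts = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, user, ip = parsed
        q = seen[ip]
        q.append(ts)
        users[ip].add(user)
        while q and ts - q[0] > timedelta(seconds=window_seconds):
            q.popleft()
        if len(q) >= threshold:
            alerts[ip] = (max(len(q), alerts.get(ip, (0,))[0]), sorted(users[ip]))
    return alerts

# Constructed sample log: one admin who mistyped once, one host hammering user "jdoe"
SAMPLE_LOG = [
    "Mar  4 10:00:01 web01 sshd[1201]: Failed password for admin from 192.0.2.7 port 50011 ssh2",
    "Mar  4 10:00:05 web01 sshd[1201]: Accepted password for admin from 192.0.2.7 port 50011 ssh2",
] + [
    f"Mar  4 10:01:{i:02d} web01 sshd[13{i:02d}]: Failed password for jdoe from 198.51.100.9 port 4{i:04d} ssh2"
    for i in range(8)
]

if __name__ == "__main__":
    for ip, (count, targets) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {count} failures within 60s against {targets}")
```

Feeding the real auth.log in as `lines` and feeding alerts to a firewall rule is essentially what fail2ban does; rate-limiting plus key-only authentication removes the attack surface Hydra relies on.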

5. What is the username?

6. What is the password?

Hydra found the password.

7. What service do you use to access the server?

This is the service we use to access the server with the username and password we cracked using Hydra.

8. Enumerate the machine to find any vectors for privilege escalation

  • We can check if user j** has any sudo privileges by using sudo: sudo -l
Looks like our current user does not have sudo privileges.
The download of LinEnum is a success.
  • We need to transfer the downloaded script to the victim machine. Since we already have a username and password to access the victim machine through SSH, we can take advantage of SCP to transfer the file: scp LinEnum.sh j**@10.10.170.205:/home/j**
  • LinEnum.sh – is the file we want to transfer
  • j**@10.10.170.205 – is the username to authenticate with on the victim machine, which is 10.10.170.205
  • :/home/j** – is the location where we want the file to be transferred
Looks like we have a permission issue to write in this directory.
  • Since we cannot write to our intended location, we have to search for a location where user j** has permission to write. Let’s do a long listing of all the folders from the root level
  • Let’s try to copy LinEnum.sh from our attack machine to the victim machine again, this time to the /tmp directory
The transfer was a success to the /tmp directory.
  • Confirm that the file is on the victim machine
The script is confirmed to be on the victim machine now.
  • Let’s run the script to enumerate ways to escalate our privileges to root
We don’t have execute permission.
  • We can fix the execute permission with chmod: chmod +x LinEnum.sh
The permission issue is fixed.
  • Let’s run LinEnum.sh again: ./LinEnum.sh. There was a lot of information, but this is the part that caught my attention
We can use vim with root privileges and open up a file.
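The finding above is a configuration weakness rather than a software bug: a sudo rule that runs a full interactive editor as root lets that user read and write any file on the host. The audit below is an added example, not code from the write-up or from LinEnum; it parses the rule lines that `sudo -l` prints and flags the risky ones. The sample output is constructed and the user, host and rules in it are made up.

```python
"""Flag sudo rules that hand out an interactive editor (or everything) as root.
The fix for an editor rule is sudoedit, which edits a copy of one file as the
invoking user, or a wrapper script limited to the intended file."""
import re

# Editors whose "run as root" is equivalent to "read/write any file as root"
FULL_EDITORS = {"vi", "vim", "vim.basic", "vim.tiny", "nvim", "nano", "emacs"}

# "(runas[ : rungroup]) [TAG: ...] cmd[, cmd]" as printed by `sudo -l`
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")

def audit_sudo_rules(sudo_l_output):
    """Return a list of (command, reason) findings for rules that run as root.
    Header lines and rules for non-root run-as users are ignored."""
    findings = []
    for line in sudo_l_output.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()
        if runas not in ("root", "ALL"):
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in (c.strip() for c in m.group("cmds").split(",")):
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                findings.append((cmd, "unrestricted root"))
            elif binary in FULL_EDITORS:
                findings.append((cmd, "interactive editor as root; replace with sudoedit"))
            elif nopasswd:
                findings.append((cmd, "NOPASSWD rule; review what the binary can read or write"))
    return findings

# Constructed `sudo -l` output for a hypothetical user "jdoe" on host "web01"
SAMPLE_SUDO_L = """\
Matching Defaults entries for jdoe on web01:
    env_reset, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User jdoe may run the following commands on web01:
    (root) NOPASSWD: /usr/bin/vim.basic
    (root) /usr/sbin/service apache2 restart
    (backup : backup) /usr/bin/rsync
"""

if __name__ == "__main__":
    for cmd, reason in audit_sudo_rules(SAMPLE_SUDO_L):
        print(f"FINDING {cmd}: {reason}")
```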

9. What is the name of the other user you found?

  • Both in /etc/passwd and by checking /home, we can see user k**
And we can see that an interesting file, pass.bak, is inside user k**’s folder, but we don’t have permission to access it.

10. If you have found another user, what can you do with this information?

  • The other user we found here is root, and we can utilize root to access user k**’s file.

11. What is the final password you obtained?

  • Since we found from enumeration that we can run vim as root, we can use vim to open the file pass.bak inside user k**’s directory: /usr/bin/vim.basic /home/kay/pass.bak
  • We successfully accessed the pass.bak file and can see the answer to question number 11
Final password found!

Hope you learned and enjoyed the write-up.

Please don’t forget to subscribe to my page N00b_H@ck3r, click the link and enter your email address.

Published by lightkunyagami

https://tryhackme.com/badge/18276
