TryHackMe - Basic Pentesting (Walkthrough). Salik Khan • Mon Aug 14 2023
penetration-testing
writeup
tryhackme
thm

This is an easy machine meant to teach basic concepts of penetration testing. Let's start.

I'll be using a Kali Linux machine on WSL-2 as my attacking device.

After connecting to OpenVPN and launching the machine, here are the IP addresses we get:
Local Machine: 10.9.101.147
Target Machine: 10.10.71.145

Finding the exposed services on the machine.

I am going to use nmap to get a list of exposed ports and services on the machine:

$ nmap -sV -A -v 10.10.71.145

The results look like this:

We can see there's an SSH port open on 22, an HTTP port on 80 and SMB on 139, 445.

Visiting the IP Address in the browser gives us this page:

One of the TryHackMe questions is "What is the name of the hidden directory on the web server (enter name without /)?". Looking at the source of the page, we also see the following comment:

This means there has to be some hidden subdirectory on the website. I'm gonna use gobuster with a common wordlist to find it.

Immediately we find there is a /development hidden directory on the domain:

Visiting that directory gives us two text files, which are essentially dev notes.

These give us some very important info about the server:

1. There are at least 2 users on the server, J and K (not necessarily their actual usernames).
2. J's password is weak.
3. The server is configured to use SMB.

We need to find the usernames of these two users to find a way into the server. I'm gonna use a tool called enum4linux to enumerate the SMB users.

$ enum4linux 10.10.71.145

We get the users Jan and Kay (J and K).

From the devnote, we know Jan had a weak password, so I'm gonna try and bruteforce my way into Jan's ssh account using hydra and rockyou.txt.

$ hydra -l jan -P ./rockyou.txt ssh://10.10.71.145

Hydra finds the password for the user jan:

armando.
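As an added defensive counterpart to the hydra run above (my own example, not part of the original walkthrough): a small Python detector over constructed sshd auth.log lines that flags a burst of failed password attempts for one user from one source, and escalates the alert when a success follows the burst, which is exactly the footprint this step leaves on the target. The hostname, PIDs, timestamps and the second source IP are made up.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of OpenSSH/syslog lines as /var/log/auth.log on the
# target would record a hydra run from 10.9.101.147 against user jan.
SAMPLE_AUTH_LOG = """\
Aug 14 10:00:01 target sshd[1201]: Failed password for jan from 10.9.101.147 port 40210 ssh2
Aug 14 10:00:01 target sshd[1203]: Failed password for jan from 10.9.101.147 port 40212 ssh2
Aug 14 10:00:02 target sshd[1205]: Failed password for jan from 10.9.101.147 port 40214 ssh2
Aug 14 10:00:02 target sshd[1207]: Failed password for jan from 10.9.101.147 port 40216 ssh2
Aug 14 10:00:03 target sshd[1209]: Failed password for jan from 10.9.101.147 port 40218 ssh2
Aug 14 10:00:03 target sshd[1211]: Failed password for jan from 10.9.101.147 port 40220 ssh2
Aug 14 10:00:04 target sshd[1213]: Accepted password for jan from 10.9.101.147 port 40222 ssh2
Aug 14 10:30:00 target sshd[1300]: Failed password for kay from 10.9.101.200 port 50000 ssh2
Aug 14 10:31:00 target sshd[1302]: Accepted publickey for kay from 10.9.101.200 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse(log_text, year=2023):
    """Yield (timestamp, result, method, user, ip) for each sshd auth line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m['result'], m['method'], m['user'], m['ip']))
    return events

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {(ip, user): severity}: 'medium' for >= threshold failures
    inside a sliding window, raised to 'high' if a login then succeeds."""
    failures = defaultdict(list)
    alerts = {}
    for ts, result, method, user, ip in parse(log_text):
        key = (ip, user)
        if result == "Failed":
            # drop failures that fell out of the window, then re-check
            failures[key] = [t for t in failures[key]
                             if (ts - t).total_seconds() <= window_seconds]
            failures[key].append(ts)
            if len(failures[key]) >= threshold and key not in alerts:
                alerts[key] = "medium"
        elif result == "Accepted" and key in alerts:
            alerts[key] = "high"  # password was guessed: burst then success
    return alerts
```

On a real host the same signal is what fail2ban keys on; disabling password authentication in sshd_config removes this attack path entirely.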

Now I'm gonna ssh into the user account for jan.

The THM prompt now says "Enumerate the machine to find any vectors for privilege escalation."

Looking around on the file system, there is an account kay on the server with a file pass.bak in its home directory, and sure enough, we need access to kay's account to read it. Since we can't ssh into it from the outside, I'm going to use jan's account to get the ssh private key for kay's account, try to find its passphrase, and log in from jan's account.

I'm going to copy this ssh private key to my attacking device and try to find the passphrase to it using john the ripper.

First, I'm gonna convert it to a format compatible with john using the tool ssh2john, which comes with john.

$ ssh2john id_rsa.txt > decrypted.txt

Now I'll use john with rockyou.txt to crack the passphrase for the key.

$ john ./decrypted.txt --wordlist=./rockyou.txt

The passphrase for the key is beeswax.

Now I'm gonna use Jan's account to log into Kay's account, running ssh from jan's shell on the target against localhost with kay's key.

$ ssh -i /home/kay/.ssh/id_rsa kay@localhost

After entering the passphrase, just like that, we're in kay's account.

We can read kay's pass.bak file now.

The password is: heresareallystrongpasswordthatfollowsthepasswordpolicy$$.