Basic Pentesting
A writeup of the Basic Pentesting room on TryHackMe. Link: https://tryhackme.com/room/basicpentestingjt
To connect to the Basic Pentesting room from my Kali VM, I first had to make sure my OpenVPN connection was up and running. After that, I could begin working through the room.
Reconnaissance
The first step I took in this room was to run an Nmap scan against the deployed machine.
I used -sC, -sV, -Pn and -vv as the switches in this command: -sC runs the default scripts, -sV identifies the service versions, -Pn skips host discovery so that a firewall dropping ICMP probes would not make Nmap treat the host as down, and -vv increases the verbosity of the scan output. This scan took almost 40 minutes because I didn't specify a timing template such as -T1 to -T5, which is something I'll remember to do next time.
From the scan results, we can see that ports 22, 80, 139, 445 and 8080 are open. The screenshot above also tells us that the host is called "BASIC2" and is running Linux, and that the web server is Apache 2.4.18 (Ubuntu).
Since port 80 was open, there was likely an HTTP application running on the machine, so I opened the IP in a Firefox browser (http://10.10.82.149).
As a quick side note, serving a site over plain HTTP on port 80 is a security risk because the traffic is sent unencrypted in both directions, so anyone on the network path can read or tamper with it. This is unlike port 443, which is used by HTTPS.
From the browser, we can see that there is a website that says "Undergoing Maintenance".
By checking the source code, we can see a hidden comment mentioning a "dev note section".
From this hidden note we can tell that there are more pages on the website, so I tried some random guesses as to what the page might be called.
From this web page we can see that the site is running Apache 2.4.18 on an Ubuntu Linux server, which confirms what we saw earlier in the Nmap scan.
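Hidden HTML comments like the one above are a common way for developer notes to leak into production. As an added example (not part of the original writeup), the following Python script pulls every comment out of a page with the standard library's HTML parser and flags the ones containing words that tend to indicate internal notes. The sample page is constructed for this example and is not the room's real source.

```python
"""Find HTML comments that may leak developer notes (added example)."""
from html.parser import HTMLParser
from typing import List


class CommentCollector(HTMLParser):
    """Collects every <!-- ... --> comment encountered while parsing."""

    def __init__(self) -> None:
        super().__init__()
        self.comments: List[str] = []

    def handle_comment(self, data: str) -> None:
        # data arrives without the <!-- --> delimiters
        self.comments.append(data.strip())


def find_html_comments(html: str) -> List[str]:
    """Return all comments in document order."""
    parser = CommentCollector()
    parser.feed(html)
    parser.close()
    return parser.comments


# Words that commonly mark a comment as an internal note rather than markup noise.
KEYWORDS = ("dev", "todo", "fixme", "note", "password", "hidden", "internal")


def flag_suspicious_comments(html: str) -> List[str]:
    """Return only the comments that contain one of the KEYWORDS (case-insensitive)."""
    return [c for c in find_html_comments(html)
            if any(k in c.lower() for k in KEYWORDS)]


# Constructed sample page modelled on a maintenance page; not the room's actual HTML.
SAMPLE_PAGE = """<!DOCTYPE html>
<html><head><title>Maintenance</title></head>
<body>
<h1>Undergoing Maintenance</h1>
<!-- Check out the dev note section if you need to know what to do. -->
<p>Please check back later.</p>
<!-- copyright 2020 -->
</body></html>"""

if __name__ == "__main__":
    for comment in flag_suspicious_comments(SAMPLE_PAGE):
        print("suspicious comment:", comment)
```

Run against a site's rendered pages before deployment, this is a cheap check that would have caught the note described above; the keyword list is a starting point and should be tuned to the project's own vocabulary.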
There is a tool we can use to brute force these hidden web pages much more quickly: Gobuster. I had already used Gobuster in the "Introduction to Offensive Security" room, so I was familiar with it.
I had to restart my current Basic Pentesting deployable machine due to technical issues giving me the new IP of 10.10.82.149.
I first went to look for all the wordlists that were at my disposal on the Kali VM I was using.
I decided to look for wordlists under dirbuster since they seemed to have ones that were good for finding web directories.
To find the hidden web pages I ran the command "gobuster dir -u http://10.10.82.149 -w /usr/share/wordlists/rockyou.txt -t 25 --timeout 20s". In this command, "dir" selects directory brute-forcing mode, -u specifies the target URL, -w specifies the wordlist I wanted to use, -t 25 sets the number of threads, and --timeout 20s makes gobuster wait longer for a response.
Gobuster found that the page /development was a hit. Visiting this page, we can see several files posted by two users trying to communicate with each other. I kept gobuster running in the background in case more hits were found.
Returning to the open port 445 I found earlier in the Nmap scan, I ran an enum4linux scan. An exposed SMB service on port 445 (together with NetBIOS on 139) is a weak point because an attacker can often enumerate it for users and other information.
Enumeration
Using the command "enum4linux -a 10.10.34.117", I was able to run a scan that found the user information on the system.
From the scan, the users "kay" and "jan" were returned. These users correspond with the messages that were being sent back and forth on the /development page I viewed earlier.
From the password policy returned by the scan, we can see that passwords on the system are short and weak. To find a password, we can use a password cracker such as Hydra to brute force the login on the machine.
During this part of the room, I had technical issues once again to where I had to restart the deployed machine. The new IP was 10.10.241.68.
I used the command "hydra -l jan -P /usr/share/wordlists/rockyou.txt 10.10.41.158 ssh -c 20". In this command, -l specifies the user, -P specifies the wordlist I want to use, "10.10.34.117 ssh" gives the IP address and the SSH service I want to attack, and -c 20 increases the number of seconds hydra waits for a response to 20. I added the final switch because hydra kept failing to connect to the system over SSH.
Working over SSH made this difficult, as it prolonged the time needed for the scan to complete, and because the connection was also shaky, hydra took even longer. At this point I switched to TryHackMe's Ubuntu AttackBox to see if that would alleviate the problem, and started a new deployable machine with the IP 10.10.200.16.
After the scan was complete, I could see that the password for the user "jan" was "armando". With these newfound credentials, we can log into the machine. Hydra could not find a password for the user "kay".
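Both the gobuster run against the web server and the hydra run against SSH leave a very recognisable footprint on the target: a single source address generating a burst of 404 responses in the Apache access log, and a run of "Failed password" entries in the sshd auth log. As an added example serving both passages (not code from the original writeup), the Python below parses each log format and applies the same sliding-window count per source IP to flag either pattern. The log lines, IP addresses, thresholds and the hostname "basic2" used in them are constructed for this example.

```python
"""Detect directory and SSH brute-forcing from web and auth logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Tuple

# Apache combined log format, e.g.
# 10.9.1.5 - - [12/Mar/2021:14:02:10 +0000] "GET /admin HTTP/1.1" 404 275 "-" "gobuster/3.1.0"
APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# OpenSSH auth.log line, e.g.
# Mar 12 14:05:01 basic2 sshd[1201]: Failed password for jan from 10.9.1.5 port 51234 ssh2
SSH_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for '
    r'(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)'
)

Event = Tuple[datetime, str]  # (timestamp, source ip)


def parse_apache_404s(lines: Iterable[str]) -> List[Event]:
    """Extract (timestamp, ip) for every 404 response in Apache combined-format lines."""
    events: List[Event] = []
    for line in lines:
        m = APACHE_RE.match(line)
        if m and m.group("status") == "404":
            # Drop the timezone offset; the window logic only needs relative ordering.
            ts = datetime.strptime(m.group("ts").split()[0], "%d/%b/%Y:%H:%M:%S")
            events.append((ts, m.group("ip")))
    return events


def parse_ssh_failures(lines: Iterable[str], year: int = 2021) -> List[Event]:
    """Extract (timestamp, ip) for every sshd 'Failed password' line (syslog omits the year)."""
    events: List[Event] = []
    for line in lines:
        m = SSH_RE.match(line)
        if m:
            stamp = " ".join(m.group("ts").split())  # collapse syslog's padded day field
            ts = datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")
            events.append((ts, m.group("ip")))
    return events


def bursts_per_ip(events: Iterable[Event], threshold: int, window_seconds: int) -> Dict[str, int]:
    """Return {ip: peak events within any window} for IPs whose peak reaches threshold."""
    by_ip: Dict[str, List[datetime]] = defaultdict(list)
    for ts, ip in events:
        by_ip[ip].append(ts)
    flagged: Dict[str, int] = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1  # slide the window forward past stale events
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def detect_web_bruteforce(lines: Iterable[str], threshold: int = 5, window: int = 60) -> Dict[str, int]:
    return bursts_per_ip(parse_apache_404s(lines), threshold, window)


def detect_ssh_bruteforce(lines: Iterable[str], threshold: int = 4, window: int = 60) -> Dict[str, int]:
    return bursts_per_ip(parse_ssh_failures(lines), threshold, window)


# Constructed sample logs: one scanner (10.9.1.5) and one ordinary visitor (10.9.1.7).
WEB_LOG = [
    '10.9.1.5 - - [12/Mar/2021:14:02:10 +0000] "GET /admin HTTP/1.1" 404 275 "-" "gobuster/3.1.0"',
    '10.9.1.5 - - [12/Mar/2021:14:02:10 +0000] "GET /backup HTTP/1.1" 404 275 "-" "gobuster/3.1.0"',
    '10.9.1.5 - - [12/Mar/2021:14:02:11 +0000] "GET /config HTTP/1.1" 404 275 "-" "gobuster/3.1.0"',
    '10.9.1.5 - - [12/Mar/2021:14:02:11 +0000] "GET /development HTTP/1.1" 301 312 "-" "gobuster/3.1.0"',
    '10.9.1.5 - - [12/Mar/2021:14:02:12 +0000] "GET /images HTTP/1.1" 404 275 "-" "gobuster/3.1.0"',
    '10.9.1.5 - - [12/Mar/2021:14:02:12 +0000] "GET /login HTTP/1.1" 404 275 "-" "gobuster/3.1.0"',
    '10.9.1.7 - - [12/Mar/2021:14:03:40 +0000] "GET / HTTP/1.1" 200 1043 "-" "Mozilla/5.0"',
    '10.9.1.7 - - [12/Mar/2021:14:03:41 +0000] "GET /favicon.ico HTTP/1.1" 404 275 "-" "Mozilla/5.0"',
]
SSH_LOG = [
    "Mar 12 14:05:01 basic2 sshd[1201]: Failed password for jan from 10.9.1.5 port 51234 ssh2",
    "Mar 12 14:05:02 basic2 sshd[1201]: Failed password for jan from 10.9.1.5 port 51234 ssh2",
    "Mar 12 14:05:02 basic2 sshd[1203]: Failed password for invalid user admin from 10.9.1.5 port 51236 ssh2",
    "Mar 12 14:05:03 basic2 sshd[1205]: Failed password for jan from 10.9.1.5 port 51238 ssh2",
    "Mar 12 14:05:04 basic2 sshd[1205]: Accepted password for jan from 10.9.1.5 port 51238 ssh2",
    "Mar 12 14:20:00 basic2 sshd[1300]: Failed password for kay from 10.9.1.7 port 40000 ssh2",
]

if __name__ == "__main__":
    print("web brute-force:", detect_web_bruteforce(WEB_LOG))
    print("ssh brute-force:", detect_ssh_bruteforce(SSH_LOG))
```

The single visitor with one 404 and the single failed kay login fall under the thresholds, while the scanner is flagged on both logs. In practice the thresholds are tuned per environment, and the "Accepted password" line that follows a burst of failures is exactly the event worth alerting on, because it is what the successful hydra run above produces.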
Gain Access
Using the credentials for the user "jan" with the password of "armando" we can use the command ssh jan@10.10.241.68 to log into the machine.
Once in the machine, we can look around using "ls -la", which in this case didn't seem to bring up anything interesting except for a file owned by the user "kay" named "pass.bak".
To look for privilege escalation paths I used linPEAS, an enumeration script, which I transferred onto the target system with scp.
From here, we can go back to the target and check that the file we transferred is there. We can use "chmod +x linpeas.sh" to mark the script as executable.
I began running linpeas by simply using the command, "./linpeas.sh | tee linpeas_log.txt". I ran the script and printed the output out into a file that I could read later.
From the linpeas output I was able to find a potential private SSH key, which we could use to log in as kay. I went back to the kay user folder I found earlier to look for where the key was stored, and found both an id_rsa.pub and an id_rsa.
I also went and read the id_rsa file which showed a long string of characters.
I copied the contents of the id_rsa file into a text file on my desktop and then transferred it through scp to the victim machine.
Then I made sure that the key file was only readable by me using the "chmod 600" command. From here, I attempted to use the SSH key to log in as kay, but I received a prompt for a passphrase.
I then used John The Ripper, a hash cracker, to try to figure out the passphrase for the SSH key. I first converted the key into a hash file in a format that John The Ripper could read.
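The two weaknesses exploited here are a private key that another local user could read and a passphrase weak enough to crack offline. As an added example (not code from the original writeup), the Python below audits a private key file for both: it checks that the mode grants nothing to group or others, and it reads the key header to tell whether the key is passphrase-protected at all, handling the modern openssh-key-v1 format (cipher name "none" means unencrypted) as well as legacy PEM headers. The key blobs it builds for demonstration carry only the header fields and are constructed, not usable keys.

```python
"""Audit SSH private keys for loose permissions and missing passphrases (added example)."""
import base64
import os
import stat
import struct
import tempfile
from typing import Dict

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def key_is_encrypted(pem_text: str) -> bool:
    """Return True if the private key text is passphrase-protected."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if not lines:
        return False
    header = lines[0]
    if header == "-----BEGIN ENCRYPTED PRIVATE KEY-----":
        return True  # PKCS#8 encrypted container
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(ln for ln in lines[1:] if not ln.startswith("-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        # Layout after the magic: uint32 length, then the cipher name string.
        off = len(OPENSSH_MAGIC)
        (n,) = struct.unpack(">I", blob[off:off + 4])
        cipher = blob[off + 4:off + 4 + n].decode("ascii")
        return cipher != "none"
    # Legacy PEM (PKCS#1) keys mark encryption with a Proc-Type header line.
    return any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:4])


def audit_private_key(path: str) -> Dict[str, bool]:
    """Report whether the key file's mode is private and whether the key is encrypted."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path, "r", encoding="ascii") as fh:
        text = fh.read()
    return {
        "mode_ok": mode & (stat.S_IRWXG | stat.S_IRWXO) == 0,  # no group/other bits, e.g. 0600
        "encrypted": key_is_encrypted(text),
    }


def make_fake_openssh_key(cipher: str) -> str:
    """Build a constructed openssh-key-v1 blob carrying only the cipher field (not a real key)."""
    blob = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher.encode("ascii") + b"\x00" * 16
    b64 = base64.b64encode(blob).decode("ascii")
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + b64 + "\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed legacy PEM header; the body is a placeholder, not key material.
LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

AAAA
-----END RSA PRIVATE KEY-----
"""


def write_and_audit(text: str, mode: int) -> Dict[str, bool]:
    """Write key text to a temp file with the given mode, audit it, and clean up."""
    with tempfile.NamedTemporaryFile("w", delete=False, suffix="_id_rsa") as tmp:
        tmp.write(text)
        path = tmp.name
    try:
        os.chmod(path, mode)
        return audit_private_key(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("world-readable, no passphrase:", write_and_audit(make_fake_openssh_key("none"), 0o644))
    print("private, passphrase set:      ", write_and_audit(make_fake_openssh_key("aes256-ctr"), 0o600))
```

Pointing audit_private_key at each id_rsa under /home would have flagged kay's key as readable by other users. Note that "encrypted" only says a passphrase exists; as the John The Ripper step shows, a short dictionary word offers little protection once the file has been copied off the host.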
Next, I ran John The Ripper to crack the hash in the file and find the passphrase.
At this point, my TryHackMe AttackBox had expired in the middle of the hash cracking, so I had to go back to using my regular Kali VM.
I caught my Kali VM up to speed and then logged in using the ssh key.
John The Ripper found that the passphrase for the key was "beeswax". I used this to log in to the system as kay.
Once in, I had permissions to read the pass.bak file that I saw earlier.
And from here I was able to find the final password and complete the room!