TryHackMe - Basic Pentesting
This room is about:
- brute forcing
- hash cracking
- service enumeration
- Linux Enumeration
I thought this would be a good exercise to introduce my friend @jeongm-in from my CTF team to system exploitation.
First we deploy the machine, and use OpenVPN to connect to the TryHackMe network.
We use nmap (or a custom port-scanning script) to enumerate open ports and service versions:
- 22 - ssh
- 80 - apache
- 139 - netbios-ssn Samba smbd 3.X - 4.X
- 445 - netbios-ssn Samba smbd 4.3.11-Ubuntu
- 8009 - ajp13 Apache Jserv v1.3
- 8080 - http Apache Tomcat 9.0.7
Then, we run dirbuster and find a /development/ directory exposed on the webserver. It contains a dev.txt and a j.txt. From these we learn that Apache Struts is potentially being run somewhere and may be exploitable, and that J's password is easily crackable.
Running enum4linux against the server, we get two local users, kay and jan, which match the signatures on the txt files. We also learn that the minimum password length is 5.
We then brute-force jan's SSH login with hydra, using a slightly cut-down rockyou.txt that we create with awk so that it only contains passwords of at least 5 characters:
$ hydra -l jan -P /usr/share/wordlists/5-char-min-rockyou.txt ssh://10.10.93.104 [...] [ssh] host: 10.10.93.104 login:jan password: armando
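As an added example (not part of the original writeup), this is how the cut-down wordlist from the step above can be built: the policy-aware trim drops every candidate shorter than the minimum length enum4linux reported. The sample wordlist is constructed inline as a stand-in for rockyou.txt so the script runs offline.

```shell
#!/bin/sh
# Added example: trim a wordlist to the minimum password length that
# enum4linux reported for the box (5 characters). The wordlist below is a
# constructed stand-in for rockyou.txt so the script runs offline.
MIN_LEN=5

SAMPLE_WORDLIST=$(mktemp)
printf '%s\n' 123456 password abc 12345 armando qwerty jan a1b2c3 > "$SAMPLE_WORDLIST"

# trim_wordlist MIN SRC DST: keep only candidates of at least MIN characters.
# Anything shorter can never satisfy the enumerated policy, so it is wasted
# guessing (and wasted noise in the target's auth log).
trim_wordlist() {
    awk -v min="$1" 'length($0) >= min' "$2" > "$3"
}

# count_lines FILE: number of candidates in a wordlist.
count_lines() {
    wc -l < "$1" | tr -d ' '
}

TRIMMED=$(mktemp)
trim_wordlist "$MIN_LEN" "$SAMPLE_WORDLIST" "$TRIMMED"

ORIGINAL_COUNT=$(count_lines "$SAMPLE_WORDLIST")
TRIMMED_COUNT=$(count_lines "$TRIMMED")
echo "kept $TRIMMED_COUNT of $ORIGINAL_COUNT candidates (min length $MIN_LEN)"
```

Point the same function at the real rockyou.txt to produce the 5-char-min-rockyou.txt used in the hydra command above.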
Now we log into the server using the SSH credentials we brute-forced. Poking around in /home/kay we find SSH keys. We use ssh2john.py and then john with rockyou.txt to crack the encrypted private key (the passphrase is beeswax).
So logging in as kay is as easy as:
jan@basic2:/home/kay/.ssh$ ssh -i id_rsa email@example.com
Now we can open pass.bak in kay's home directory, which turns out to be kay's sudo password. Checking kay's sudo privileges shows that kay can run ALL commands with sudo. Getting root is then just:
kay@basic2:~$ sudo su
root@basic2:/home/kay#