zacheller@home:~/blog$

TryHackMe - Basic Pentesting


This room is about:

  • brute forcing
  • hash cracking
  • service enumeration
  • Linux enumeration

I thought this would be a good exercise to introduce my friend @jeongm-in from my CTF team to system exploitation.

First we deploy the machine, and use OpenVPN to connect to the TryHackMe network.

We run nmap (or a custom portscanning script) to enumerate ports and service versions.

22 - ssh
80 - apache
139 - netbios-ssn Samba smbd 3.X - 4.X 
445 - netbios-ssn Samba smbd 4.3.11-Ubuntu
8009 - ajp13 Apache Jserv v1.3
8080 - http Apache Tomcat 9.0.7

Then, we run dirbuster and find a /development/ directory exposed on the webserver. It contains a dev.txt and a j.txt. From these we learn that Apache Struts is potentially being run somewhere and is possibly exploitable, and that J’s password is easily crackable.

Next, using enum4linux on the server we get two local users, kay and jan, which match the signatures on the txt files. We also learn that the minimum password length is 5.

We run hydra with a slightly cut-down rockyou.txt that we create with awk, keeping only passwords of at least 5 characters.

$ hydra -l jan -P /usr/share/wordlists/5-char-min-rockyou.txt ssh://10.10.93.104
[...]
[22][ssh] host: 10.10.93.104	login:jan	password: armando
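From the server's side, a hydra run like the one above shows up in sshd's auth log as a burst of "Failed password" lines from one source, followed (when the wordlist hits) by an "Accepted password" from that same source. The following is an added example of detection logic for that pattern; it is not code from the original post. The log lines, the source IP 10.10.14.7, the hostname and the timestamps are all constructed, and the year is assumed because syslog timestamps omit it.

```python
"""Flag SSH password brute-force bursts, and brute-force successes, in sshd log lines.

Added example (not from the original write-up). SAMPLE_LOG is constructed to
resemble /var/log/auth.log during a wordlist attack on one account; the IPs,
hostname, users and timestamps are made up.
"""
import re
from collections import defaultdict
from datetime import datetime

# Default OpenSSH syslog shape: "<Mon> <day> <HH:MM:SS> <host> sshd[<pid>]: <message>"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2"
)

ASSUMED_YEAR = 2024  # syslog lines carry no year; assume one so timestamps compare

SAMPLE_LOG = """\
Apr 12 10:01:01 basic2 sshd[1201]: Failed password for jan from 10.10.14.7 port 40100 ssh2
Apr 12 10:01:01 basic2 sshd[1202]: Failed password for jan from 10.10.14.7 port 40102 ssh2
Apr 12 10:01:02 basic2 sshd[1203]: Failed password for jan from 10.10.14.7 port 40104 ssh2
Apr 12 10:01:02 basic2 sshd[1204]: Failed password for jan from 10.10.14.7 port 40106 ssh2
Apr 12 10:01:03 basic2 sshd[1205]: Failed password for jan from 10.10.14.7 port 40108 ssh2
Apr 12 10:01:03 basic2 sshd[1206]: Failed password for jan from 10.10.14.7 port 40110 ssh2
Apr 12 10:01:04 basic2 sshd[1207]: Accepted password for jan from 10.10.14.7 port 40112 ssh2
Apr 12 10:05:30 basic2 sshd[1300]: Failed password for kay from 192.168.1.20 port 51000 ssh2
Apr 12 10:05:45 basic2 sshd[1301]: Accepted password for kay from 192.168.1.20 port 51002 ssh2
"""


def parse_line(line):
    """Return a dict for an sshd password-auth line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return alerts as (kind, ip, user, failure_count) tuples.

    'bruteforce'         : a source reached `threshold` failures inside the window
    'bruteforce_success' : that same source then got an 'Accepted password'
    """
    failures = defaultdict(list)  # source ip -> timestamps of recent failures
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, now = ev["ip"], ev["ts"]
        # keep only failures still inside the sliding window
        failures[ip] = [t for t in failures[ip] if (now - t).total_seconds() <= window_seconds]
        if ev["result"] == "Failed":
            failures[ip].append(now)
            if len(failures[ip]) == threshold:  # fire once, when the threshold is crossed
                alerts.append(("bruteforce", ip, ev["user"], threshold))
        else:
            # a single failure before a success is a typo; many are a cracked password
            if len(failures[ip]) >= threshold:
                alerts.append(("bruteforce_success", ip, ev["user"], len(failures[ip])))
            failures[ip].clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```

The second alert kind is the one worth paging on: a burst of failures that ends in an accepted login from the same source is exactly what the hydra run above looks like once it finds "armando". The single failure from 192.168.1.20 before kay's successful login produces nothing, which keeps ordinary typos out of the alert stream.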

Now, we log into the server using the ssh credentials we brute-forced. Poking into /home/kay we find ssh keys. We use ssh2john.py and then john with rockyou.txt to crack the passphrase on the encrypted private key (the passphrase is beeswax).

So logging in as kay is as easy as:

jan@basic2:/home/kay/.ssh$ ssh -i id_rsa kay@10.10.93.104

Now we can open pass.bak in kay’s home directory, which turns out to be kay’s sudo password. Checking with sudo -l, kay can run ALL commands with sudo. Getting root then is just:

kay@basic2:~$ sudo su
root@basic2:/home/kay#
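The last step works because kay's sudoers entry grants every command, so a readable password backup is all that separates a user shell from root. The following is an added example, not code from the original post, of a small sudoers audit that reports the two things an administrator would want to catch here: user specs that grant ALL commands, and NOPASSWD tags. The sudoers text is constructed to match what `sudo -l` reported for kay; the jan entry and the alias handling are assumptions for illustration, not something the room shows.

```python
"""Audit a sudoers file for unrestricted and passwordless grants.

Added example (not from the original write-up). SAMPLE_SUDOERS is constructed;
kay's line mirrors the `sudo -l` result in the text, the jan line is invented
to show the NOPASSWD case.
"""
import re

# user spec: <user|%group> <hosts>=(<runas>) [TAG:] <command list>
SPEC_RE = re.compile(
    r"^(?P<who>[%+]?[\w.-]+)\s+(?P<hosts>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^(NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV|LOG_INPUT|LOG_OUTPUT):\s*")
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")

SAMPLE_SUDOERS = """\
# constructed sample sudoers
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
kay     ALL=(ALL) ALL
jan     ALL=(root) NOPASSWD: /usr/bin/systemctl restart apache2
"""


def parse_sudoers(text):
    """Return a list of user-spec dicts; Defaults, aliases and comments are ignored."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = SPEC_RE.match(line)
        if not m:
            continue
        cmds, tags = m["cmds"], set()
        while True:  # peel off any leading tags such as NOPASSWD:
            t = TAG_RE.match(cmds)
            if not t:
                break
            tags.add(t.group(1))
            cmds = cmds[t.end():]
        entries.append({
            "who": m["who"],
            "hosts": m["hosts"],
            "runas": m["runas"] or "root",  # sudo's default run-as user
            "tags": tags,
            "commands": [c.strip() for c in cmds.split(",")],
        })
    return entries


def audit_sudoers(text, ignore=("root",)):
    """Return (who, finding) pairs for grants an auditor should review."""
    findings = []
    for e in parse_sudoers(text):
        if e["who"] in ignore:
            continue
        if "ALL" in e["commands"]:
            findings.append((e["who"], "ALL_COMMANDS"))
        if "NOPASSWD" in e["tags"]:
            findings.append((e["who"], "NOPASSWD"))
    return findings


if __name__ == "__main__":
    for who, finding in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{who}: {finding}")
```

On a real box you would feed it the output of `visudo -c -f` checked files or /etc/sudoers plus /etc/sudoers.d/*; root is skipped by default because its ALL grant is the norm. The kay finding is the one this room turns on: combined with a password sitting in a world-readable pass.bak, an ALL grant makes the hop to root a single command.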