TryHackMe #1 - Basic Pentesting Room

Hello to everyone!

This is my first ever write-up. In this so-called write-up I do not only go through the process of completing the tasks, but also share my thoughts while I was trying to solve them. This means you will read about “wrong” as well as “good” solution choices. Simply put, this is all my thoughts in one place.

The objective of this room was to complete a set of tasks and, along the way, learn about:

  • Brute forcing
  • Hash cracking
  • Service enumeration
  • Linux enumeration

Task 1: Find the services exposed by the machine

One of the best ways to find out which services are running on a machine is to fire up Nmap, one of the most famous port scanners.

I started scanning with Nmap but got the message shown above. By default Nmap pings the target to determine whether the host is up before it scans any ports. In this case the target machine does not respond to our pings; one reason for that could be a firewall or other filter in front of the target.

So I used the -Pn flag, which skips host discovery and scans the ports regardless, and got results.

From the results above, the most interesting services are SSH, HTTP and Microsoft-ds (SMB). The SSH service could be a potential way in, the same goes for SMB, and the HTTP service tells us that a web server is probably running.

Task 2: What is the name of the hidden directory on the web server

Since the target machine runs a web server, why not visit the website by clicking on the IP and see what we get.

The left figure is the website and the right figure is the inspect view of the same page. The interesting part is the comment in the HTML source that tells us to check the dev note section.

This could mean that the hidden directory has something to do with dev, development, developers, etc.

So, in order to find hidden directories, I used the DirBuster tool (GoBuster is another good alternative).

After choosing a directory wordlist and waiting a couple of minutes, DirBuster found the hidden directory “/development” and two txt files inside it.

In the two txt files, one of the two users mentions that the other one has a weak password that is easily crackable. Combining that with the results of the Nmap scan, maybe a connection over SMB is possible for the next task.

Task 3: User brute-forcing to find the username & password

One of the first things I thought to try was the smb-brute NSE script that ships with Nmap, but no luck with that one (as seen right below).

The next thought was to use Hydra with the “rockyou” list against the SSH service, but it took way too long and produced no results.

I also swapped in a list of common usernames that I found online, but even with that it took way too long and nothing came up.

Searching online I found another tool called enum4linux. This tool is used for enumerating information from Windows, Linux and Samba systems.

By typing the command “enum4linux -a 10.10.61.69”, the results in the figure below came up. (The target IP is different because the rest of the room was completed on another day.)

The two usernames found are “Kay” and “Jan”. Plus, from the txt files we know that “J”, now known to be “Jan”, has a weak password for his account, so let’s try brute-forcing it with Hydra.

Task 4: What is the username?

The username is “Kay” or “Jan”.

Task 5: What is the password?

Now the fun part starts.

By using the command “hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.61.69” (-l: a single username, -P: a list of passwords to try) and a little bit of time, the password turns out to be “armando”.
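From the target's side, a Hydra run like the one above shows up in the sshd auth log as a burst of “Failed password” lines from one source, possibly followed by an “Accepted password” when the guess lands. As an added example (not part of the original write-up), this Python detector parses constructed syslog-style sshd lines, raises one alert per source IP once five failures fall inside a 60-second window, and raises a second alert if that IP then authenticates successfully; the hostname, IPs and timestamps are made up.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd auth.log lines: a burst of guesses from one IP, then a success.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 target sshd[2101]: Failed password for jan from 10.10.14.7 port 40001 ssh2
Mar  3 10:15:01 target sshd[2103]: Failed password for jan from 10.10.14.7 port 40002 ssh2
Mar  3 10:15:02 target sshd[2105]: Failed password for invalid user admin from 10.10.14.7 port 40003 ssh2
Mar  3 10:15:02 target sshd[2107]: Failed password for jan from 10.10.14.7 port 40004 ssh2
Mar  3 10:15:03 target sshd[2109]: Failed password for jan from 10.10.14.7 port 40005 ssh2
Mar  3 10:15:04 target sshd[2111]: Accepted password for jan from 10.10.14.7 port 40006 ssh2
Mar  3 10:20:30 target sshd[2202]: Accepted publickey for kay from 192.168.1.20 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def parse_line(line, year=2024):
    """Return the fields of one sshd auth-result line, or None for any other line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "method": m["method"],
            "user": m["user"], "ip": m["ip"]}

def detect_bruteforce(log_text, threshold=5, window_s=60):
    """One 'burst' alert per source IP once `threshold` failures land inside
    `window_s` seconds; a 'success_after_burst' alert if that IP then logs in."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    flagged, alerts = set(), []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent[ev["ip"]]
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            while (ev["ts"] - q[0]).total_seconds() > window_s:   # drop stale failures
                q.popleft()
            if len(q) >= threshold and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append(("burst", ev["ip"], ev["user"], len(q)))
        elif ev["ip"] in flagged:
            alerts.append(("success_after_burst", ev["ip"], ev["user"], ev["method"]))
    return alerts
```

Run over the constructed sample, it reports a burst from 10.10.14.7 against “jan” and then the successful password login from the same address, while Kay's key-based login from another address stays quiet.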

Task 6: What service do you use to access the server?

The service I can use in order to access the server is SSH, as “Jan” (since I have already found his password).

Task 7: Enumerate the machine to find any vectors for privilege escalation

Having acquired the username and the password, let’s try to connect to the target machine as “Jan”. And success, we now have shell access to the machine.

I can now browse the target machine as “Jan”. Looking around, I found the other user’s home directory (Kay’s home) with a file inside named pass.bak. That’s probably what I am looking for. But when I try to read it I get permission denied, since the file has no read permission for others and no sudo is available.

Task 8: What is the name of the another user you found?

The name of the other user is “Kay“.

Task 9: If you have found another user, what can you do with this information?

So the goal is to find a way to log in as “Kay” in order to access the machine and the file that contains the final flag.

Searching around, I found Kay’s hidden .ssh directory, in which our current user has read permission on all the files, including the private key in the id_rsa file. (This file contains the private key used for SSH authentication, and it is protected with a passphrase. In general, the other way of connecting over SSH is with a password.)

But since the file has a passphrase, it is not as straightforward. I need to find a way to recover the passphrase.

Searching online I found a tool called “John the Ripper”. (John the Ripper is a well-known open-source password cracker.)

Before using the tool a little bit of preparation has to be done. First, a file containing the private key was created locally on my own machine.

Then I changed its permissions to 600 (readable and writable only by the owner), because this is how private key files are normally kept.

Now that the file is created, I ran “ssh2john kay_id_rsa > forjohntocrack.txt” to convert the key into a format that John the Ripper understands.

Let’s run John with the rockyou list. After a minute it found the passphrase, which is beeswax.

Trying again to connect as Kay via SSH, this time with the private key and the newly acquired passphrase. And we are in!!
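The whole escalation hinged on another user's .ssh directory and id_rsa being readable by everyone, which is exactly the kind of thing a defender can audit for. As an added example (not from the original write-up), this Python script walks a home directory tree, reports any .ssh directory or private key file whose mode grants group or others any permission, and applies the same 700/600 fix; the home layout and the key file contents are constructed, not real keys.

```python
import stat
import tempfile
from pathlib import Path

GROUP_OR_OTHER = stat.S_IRWXG | stat.S_IRWXO   # any permission bit beyond the owner's

def looks_like_private_key(path):
    """PEM and OpenSSH private keys both start with a '-----BEGIN ... PRIVATE KEY-----' line."""
    try:
        with open(path, "rb") as f:
            head = f.read(64)
    except OSError:
        return False
    return head.startswith(b"-----BEGIN") and b"PRIVATE KEY-----" in head

def find_exposed_keys(home_root):
    """Return sorted (path, octal mode) for every .ssh directory or private key
    under home_root that grants group/other any permission bit."""
    findings = []
    for ssh_dir in Path(home_root).glob("*/.ssh"):
        mode = stat.S_IMODE(ssh_dir.stat().st_mode)
        if mode & GROUP_OR_OTHER:
            findings.append((str(ssh_dir), oct(mode)))
        for f in ssh_dir.iterdir():
            if f.is_file() and looks_like_private_key(f):
                mode = stat.S_IMODE(f.stat().st_mode)
                if mode & GROUP_OR_OTHER:
                    findings.append((str(f), oct(mode)))
    return sorted(findings)

def harden(findings):
    """Apply the fix the write-up itself used on its local copy: 0700 on .ssh, 0600 on keys."""
    for path, _ in findings:
        p = Path(path)
        p.chmod(0o700 if p.is_dir() else 0o600)

def demo():
    """Build a constructed home tree shaped like the room's /home/kay, audit, fix, re-audit."""
    root = Path(tempfile.mkdtemp())
    ssh = root / "kay" / ".ssh"
    ssh.mkdir(parents=True)
    ssh.chmod(0o755)                 # world-listable .ssh directory (what Task 9 found)
    key = ssh / "id_rsa"
    key.write_bytes(b"-----BEGIN OPENSSH PRIVATE KEY-----\nCONSTRUCTED-NOT-A-REAL-KEY\n"
                    b"-----END OPENSSH PRIVATE KEY-----\n")
    key.chmod(0o644)                 # world-readable private key
    (ssh / "id_rsa.pub").write_bytes(b"ssh-rsa AAAA constructed\n")   # public half is fine to share
    before = find_exposed_keys(root)
    harden(before)
    return before, find_exposed_keys(root)
```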

Task 10: What is the final password you obtain?

Now that we are connected as Kay, we can finally read the pass.bak file and get the final password, the flag.

With that, my first ever TryHackMe room (a CTF-style challenge) and my first ever write-up are complete.

More amazing and exciting things in the future.

This post is licensed under CC BY 4.0 by the author.