Basic Pentesting TryHackMe
Hello guys, back again with another walkthrough. This time I'm going to be handling Basic Pentesting, a vulnerable box on TryHackMe.
As always we'll start off with an nmap scan. This gives us a pretty good idea of the services the box is running, and if we're lucky we might find an outdated version that has a public 1-day exploit.
We get a bunch of open ports. First SSH (secure shell), which requires authentication; with valid credentials it would give us a shell on the box, but without them we keep enumerating. Next is port 80, running a web server, then the standard SMB ports, and port 8080, which is running Tomcat. Opening port 80 in Mozilla,
we get a page saying the website is under maintenance and that we should come back and check later.
Looking at the page source we find a comment about a development section on the web server.
I checked whether some common web server files existed, like robots.txt; sometimes you get lucky and find a directory with juicy information. It did not exist on this server.
Before enumerating SMB shares we should have some kind of enumeration running in the background, so I started Gobuster, a web directory brute-forcing tool (among other things), and moved on to enumerating the SMB shares.
Using smbclient we find a share called anonymous:
- -N tells smbclient to use null authentication (we connect to the shares as guest, without a password)
- -L tells smbclient to list the shares on the host
Listing the contents of the share we find a text file called staff.
I downloaded it to my box and viewed its contents.
It is a message to the staff telling them not to upload non-work-related items to the anonymous share, but it also gives us two usernames: Jan and Kay.
Having hit a dead end, I checked whether gobuster had found anything interesting, and it had: a development directory.
Navigating to it in Mozilla we get two text files, dev.txt and j.txt; I downloaded both to my box.
Both contain useful information that can help us compromise the box and get a shell:
- Jan's password is weak, so we can probably brute-force it with Hydra.
- The web server is apparently running Apache Struts, which a while back had a remote code execution vulnerability (the Apache Struts "serialization" vulnerability) for which an exploit was released publicly.
I tried SSH brute forcing with the username Jan, since we were told her password was weak, and almost immediately got a valid password.
I then logged into the box over SSH.
Once I had access to the box it was time for lateral movement and privilege escalation. Looking at /etc/passwd,
there's another user on the box called Kay, but we have no way into that account yet. I ran linpeas, which automatically identifies privilege escalation vectors and colour-codes its output.
Going through the linpeas results I found an SSH private key belonging to Kay that our user had read access to.
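The finding above, a private key that one user can read from another account, is easy to check for by hand. As an added example (not part of the original walkthrough, and not what linpeas itself does), here is a small Python script that walks a home directory tree, flags private keys and password backups whose mode bits make them readable by "other", and runs itself against a constructed sample tree. The list of sensitive file names and the sample layout are assumptions.

```python
#!/usr/bin/env python3
"""Flag private keys and password backups in home directories that other users can read."""
import os
import stat
import tempfile
from pathlib import Path

# File names worth flagging when another user can read them (assumed list, extend as needed).
SENSITIVE_NAMES = {"id_rsa", "id_dsa", "id_ecdsa", "id_ed25519", "pass.bak", ".bash_history"}


def is_sensitive(path: Path) -> bool:
    """A known sensitive name, or any non-public file inside a .ssh directory."""
    if path.name in SENSITIVE_NAMES:
        return True
    return path.parent.name == ".ssh" and not path.name.endswith(".pub")


def find_exposed_files(home_root):
    """Return sorted (relative path, octal mode) for sensitive files readable by 'other'.

    Only the file's own mode bits are checked. To actually read the file an attacker
    also needs search (x) permission on every parent directory, so confirm a hit with
    os.access() from the low-privileged account before relying on it.
    """
    root = Path(home_root)
    hits = []
    for path in root.rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        if is_sensitive(path) and mode & stat.S_IROTH:
            hits.append((path.relative_to(root).as_posix(), oct(mode)))
    return sorted(hits)


def build_demo_home(base):
    """Constructed sample tree: one properly locked key, one exposed key and one backup."""
    base = Path(base)
    layout = {
        "jan/.ssh/id_rsa": 0o600,      # correct: owner-only, not flagged
        "kay/.ssh/id_rsa": 0o644,      # the finding: world-readable private key
        "kay/.ssh/id_rsa.pub": 0o644,  # public half, fine
        "kay/pass.bak": 0o644,         # world-readable password backup
        "kay/notes.txt": 0o644,        # readable but not sensitive, not flagged
    }
    for rel, mode in layout.items():
        p = base / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text("placeholder, not real key material\n")
        os.chmod(p, mode)


def demo():
    """Build the sample tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_home(tmp)
        return find_exposed_files(tmp)


if __name__ == "__main__":
    for rel, mode in demo():
        print(f"{mode}  {rel}")
```

Point it at /home on a real box by calling find_exposed_files("/home") from the low-privileged shell; the two-step check (mode bits first, then os.access from the account you actually have) avoids false hits on files sitting behind a directory you cannot traverse.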
I copied the key to my box.
The key is passphrase-protected, so I used ssh2john, a Python script that converts the key into a format John the Ripper understands, and let John crack the passphrase. After about 5 seconds the passphrase was cracked.
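ssh2john only has something to crack if the key is actually passphrase-protected, and what John has to attack depends on the key's on-disk format. As an added example (not from the original post, and not the ssh2john or John code), here is a Python function that reads a PEM-armoured private key and reports its storage format and cipher/KDF, covering both the legacy OpenSSL PEM format (Proc-Type/DEK-Info headers, key derived with OpenSSL's EVP_BytesToKey over MD5) and the newer openssh-key-v1 container (cipher and KDF names in the binary header, usually aes256-ctr with bcrypt). The sample keys below are constructed, header-only stand-ins, not real key material.

```python
#!/usr/bin/env python3
"""Report how an SSH private key is protected, from its PEM text alone."""
import base64
import struct


def _ssh_string(buf, off):
    """Read one SSH wire 'string' (uint32 big-endian length + bytes) at offset off."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def key_protection(pem_text):
    """Return {'format', 'cipher', 'kdf', 'encrypted'} for a PEM-armoured private key."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if not lines or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM-armoured key")
    label = lines[0][len("-----BEGIN "):-len("-----")]
    body = [l for l in lines[1:] if not l.startswith("-----")]

    if label == "OPENSSH PRIVATE KEY":
        # openssh-key-v1: magic, then string ciphername, string kdfname, string kdfoptions, ...
        blob = base64.b64decode("".join(body))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _ssh_string(blob, len(magic))
        kdf, off = _ssh_string(blob, off)
        cipher, kdf = cipher.decode(), kdf.decode()
        return {"format": "openssh-v1", "cipher": cipher, "kdf": kdf, "encrypted": cipher != "none"}

    if label == "ENCRYPTED PRIVATE KEY":
        # PKCS#8 encrypted: the algorithm parameters live inside the DER, not in PEM headers.
        return {"format": "pkcs8", "cipher": None, "kdf": None, "encrypted": True}

    # Legacy OpenSSL PEM (RSA/DSA/EC PRIVATE KEY): encryption is signalled by RFC 1421 headers
    # that precede a blank line and the base64 body.
    headers = {}
    for l in body:
        if l == "":
            break
        if ":" in l:
            k, v = l.split(":", 1)
            headers[k.strip()] = v.strip()
    if headers.get("Proc-Type") == "4,ENCRYPTED" and "DEK-Info" in headers:
        cipher = headers["DEK-Info"].split(",")[0]
        return {"format": "pem-legacy", "cipher": cipher, "kdf": "EVP_BytesToKey-MD5", "encrypted": True}
    return {"format": "pem-legacy", "cipher": "none", "kdf": "none", "encrypted": False}


# Constructed samples: the base64 bodies are placeholders, not real keys.
LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

AAAA
-----END RSA PRIVATE KEY-----
"""

LEGACY_PLAIN = """-----BEGIN RSA PRIVATE KEY-----
AAAA
-----END RSA PRIVATE KEY-----
"""


def make_openssh_v1(cipher: bytes, kdf: bytes) -> str:
    """Build a minimal openssh-key-v1 header (magic, cipher, kdf, empty kdfoptions, 0 keys)."""
    s = lambda b: struct.pack(">I", len(b)) + b
    blob = b"openssh-key-v1\x00" + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 0)
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


if __name__ == "__main__":
    for name, pem in [("legacy-encrypted", LEGACY_ENCRYPTED), ("legacy-plain", LEGACY_PLAIN),
                      ("openssh-bcrypt", make_openssh_v1(b"aes256-ctr", b"bcrypt")),
                      ("openssh-plain", make_openssh_v1(b"none", b"none"))]:
        print(name, key_protection(pem))
```

If the result says encrypted is False, the key works as-is and there is nothing for John to do; if the format is openssh-v1 with bcrypt, expect a much slower crack than the legacy MD5-based format, since bcrypt is deliberately expensive.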
Now we can SSH into the box as Kay using the key and the cracked passphrase.
After gaining access as Kay I found a file called pass.bak, which appeared to be some sort of password backup.
At first I thought it was root's password, so I tried switching to root with it,
but got an authentication failure.
I then tried it as Kay's password,
and it worked: checking Kay's sudo rights shows that Kay is allowed to run all commands with root privileges,
so just typing sudo su makes us root.
And that's it for now guys, till next time take care, and if you liked the walkthrough you can clap below.