Basic Pentesting TryHackMe

Hello guys back again with another walkthrough. This time am going to be handling Basic Pentesting a vulnerable box in TryHackMe

As always we’ll start of with a nmap scan. This gives us a pretty good idea of the service that the box is running and if we’re lucking we might get an outdated version that has a 1 day exploit

And we get a bunch of ports are open. First ssh (secure shell) which requires authentication which in turn will allow us to log into the web server but without VALID credentials we continue enumerating. Next we see port 80 that is running a web server. And some standard SMB ports, and port 8080 is running tomcat. On opening it with Mozilla

We get a webpage saying the website is under maintenance we should come back to check later.

Looking at the page source we find some comments left about a development section on the web server

I decided to see if some common web server files existed like robots.txt sometimes you get lucky and find some directory that might have juicy information. But it did not exist in the web server

Before enumerating SMB shares we should have some king of enumeration running in the background. So i decided to run Gobuster which is a web directory bruteforcing utility tool among other things . And decided to enumerate the SMB shares

And using Smbclient we get a share called anonymous

  • -N tells smbclient to use Null authentication(We log into the shares as guest)
  • -L tells smbclient to list shares

On listing the contents present in the share we find a text file called staff

I decided to download it to my box and view it’s contents

We get a message to the staff telling them not to upload non-work-related items on the anonymous share. But we get two usernames from the file Jan and Kay

Now that i hit a dead end i decided to check on gobuster and see if it had found anything interesting and we find a development directory

Navigating to it using Mozilla we get two text files dev.txt and j.txt i downloaded both of them to my box

Looking at both of them we get really useful information that can help us compromise the box and get a shell

  1. We get that Jan’s password is weak so probably we can bruteforce it using Hydra
  2. The Apache web server probably is running tomcat struts and a while back that had a remote code execution vulnerability “Apache Struts “serialization” vulnerability” and the exploit was released to the public

I tried ssh brute forcing using the username Jan since we were told her password was weak and almost immediately got a valid password

I decided to log into the box using ssh

Once i got access to a box it’s was time for lateral movement and privilege escalation. Looking at the passwd file

There’s another user in the box called Kay but we don’t have a way to get access to his account i decided to run linpeas which automatically identifies privilege escalation vectors and it outputs them in colors

After linpeas ran i looked at the result and found there was a ssh key for Kay that we had read access on

I copied the ssh key to my box

I used ssh2john which is a python script that converts the key into a format that john the ripper can understand and crack the passphrase. And after about 5 second the password was cracked

Now we can log into the box using ssh as Kay user using ssh key.

After gaining access to the box as Kay i found a file called pass.bak which appeared to be some sort of password backup

At first i thought that it was root’s password. I tried logging into the box with it

But got authentication failure

I tried to see if the password was for Kay

And user Kay is allowed to run all commands with root privileges

And by just typing sudo su we are root

And that’s it for now guys till next time take care and if you liked the walkthrough you can clap below

Penetration Tester/Analytical Chemist who Loves Cybersecurity. GitHub(, ExploitDB(