TryHackMe : Basic PentestingJT
“This is a machine that allows you to practise web app hacking and privilege escalation.”
This box is great for beginners and helps in understanding how basic tools like john and hydra can be used to brute-force our way into a system, so let’s get started with it right away!
I start by enumerating the IP with an nmap scan to get a list of open ports on the machine. Since it was initially blocking my ping probes, I include the -Pn flag in the command.
There are quite a lot of services running on the system. I don’t know the SSH username or password (yet), so port 80 is the way to go.
On port 80 we don’t find any particularly interesting information. However, there is a subtle hint hidden in there.
“Check our dev note section if you need to know what to work on.”
So somewhere there must be a dev note section; we just gotta look for it.
Fire up gobuster and begin the search for the hidden directory.
gobuster dir -u 10.10.196.159 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-small.txt
A few hits in and we find something of interest:
Is this the dev note section we were searching for? Let’s look into it.
In this development directory there are two text files which seem like a conversation between the users J and K.
Here, an interesting piece of information is revealed. There’s SMB at play, which calls for running a scan using enum4linux (the elites don’t want you to know this, but ALWAYS go for an enum4linux whenever there’s SMB involved).
enum4linux -a 10.10.196.159
There’s a long output, but one very specific piece of information is of interest to us:
So the users J and K from earlier go by the names kay and jan. Now, from K’s letter to J, we know that J has a weak password, which means it can be easily brute-forced. We get hydra to do that for us with the help of rockyou.txt by using the command:
hydra -l jan 10.10.196.159 -P /usr/share/wordlists/rockyou.txt ssh
And after a few tries we get what we are looking for.
So the password for the user jan is armando. We use this information to SSH into the machine as the user jan.
ssh jan@10.10.196.159
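Seen from the target, the hydra run above is a burst of failed SSH passwords from one source, followed by a successful login. As an added defender-side example (not part of this writeup), the following Python script parses sshd lines in the usual auth.log layout, flags any source IP that reaches a threshold of failed passwords inside a sliding time window, and marks a flagged source that then gets an accepted login as the finding that needs an immediate response. The log lines, hostnames and IPs are constructed; the threshold and window size are assumptions to tune for your own environment.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in classic syslog/auth.log layout (not captured from any real host).
SAMPLE_AUTH_LOG = """\
Jan 10 12:00:01 target sshd[1201]: Failed password for jan from 10.10.14.7 port 51000 ssh2
Jan 10 12:00:02 target sshd[1203]: Failed password for jan from 10.10.14.7 port 51002 ssh2
Jan 10 12:00:02 target sshd[1205]: Failed password for jan from 10.10.14.7 port 51004 ssh2
Jan 10 12:00:03 target sshd[1207]: Failed password for jan from 10.10.14.7 port 51006 ssh2
Jan 10 12:00:03 target sshd[1209]: Failed password for jan from 10.10.14.7 port 51008 ssh2
Jan 10 12:00:04 target sshd[1211]: Failed password for jan from 10.10.14.7 port 51010 ssh2
Jan 10 12:00:05 target sshd[1213]: Accepted password for jan from 10.10.14.7 port 51012 ssh2
Jan 10 12:30:00 target sshd[1300]: Failed password for kay from 10.10.14.9 port 40000 ssh2
Jan 10 12:31:00 target sshd[1302]: Accepted publickey for kay from 10.10.14.9 port 40002 ssh2
"""

# Syslog timestamps carry no year; strptime defaults it to 1900, which is fine for ordering
# lines from a single day.
TS = r"(\w{3} +\d+ \d\d:\d\d:\d\d)"
FAILED_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPT_RE = re.compile(TS + r" \S+ sshd\[\d+\]: Accepted \w+ for (\S+) from (\S+) port \d+")


def parse_ts(text):
    return datetime.strptime(text, "%b %d %H:%M:%S")


def parse_events(log_text):
    """Return (timestamp, kind, user, source_ip) tuples for every failed or accepted login."""
    events = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            ts, user, ip = m.groups()
            events.append((parse_ts(ts), "fail", user, ip))
            continue
        m = ACCEPT_RE.match(line)
        if m:
            ts, user, ip = m.groups()
            events.append((parse_ts(ts), "ok", user, ip))
    return events


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Flag source IPs with at least `threshold` failed passwords inside a sliding window.
    A later accepted login from a flagged source is recorded as success_after_burst:
    that is the case that calls for an immediate response, not just a rate limit."""
    findings = {}
    recent = defaultdict(list)  # ip -> failure timestamps still inside the window
    for ts, kind, user, ip in sorted(parse_events(log_text)):
        if kind == "fail":
            window = recent[ip]
            window.append(ts)
            # drop failures that have aged out of the window
            while window and (ts - window[0]).total_seconds() > window_seconds:
                window.pop(0)
            if len(window) >= threshold:
                f = findings.setdefault(ip, {"failures": 0, "users": set(), "success_after_burst": False})
                f["failures"] = max(f["failures"], len(window))
                f["users"].add(user)
        elif ip in findings:
            findings[ip]["success_after_burst"] = True
    return findings


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(ip, info)
```

On the sample, 10.10.14.7 is flagged with six failures against jan and a success straight after, while the single failure from 10.10.14.9 never reaches the threshold. The same logic is what tools like fail2ban apply before banning a source; the success-after-burst flag is the part most worth wiring into an alert.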
Now it’s time to search for privilege escalation vectors and try to leverage them. This time our old friend sudo -l disappoints us :(
There’s nothing of interest in the home directory of the user jan either.
Finding nothing here, we move over to /home/kay. Here we find a bunch of interesting files and folders. The one which drew my attention first was pass.bak, but unfortunately we couldn’t read its contents.
So we move on to the next thing which drew my attention, which is the .ssh directory, and cd into it.
And here we have user kay’s SSH private key!!! Now we just need to copy it to our system. You can just go for copy-paste, but I used netcat to get the job done.
Once we have the id_rsa we change its permissions as follows:
chmod 600 id_rsa
However, when we try to SSH in as kay using this private key, we are faced with a challenge.
The private key is protected by a passphrase. ENTER JOHN THE RIPPER!
We generate the hash for the given key file and store it in a new file using:
/usr/share/john/ssh2john.py id_rsa > id_hash
Now all we need to do is crack this hash to get the passphrase, and we deploy john again, armed with our rockyou.txt:
john id_hash --wordlist=/usr/share/wordlists/rockyou.txt
This gives us the passphrase in a jiffy, and now we can use it together with the private key to SSH in as kay.
ssh -i id_rsa kay@10.10.174.44
Once we log in as user kay it’s just a matter of reading out the password stored in the pass.bak file and getting the required flag.
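Two things made kay’s account fall: a private key that another local user could read, and a passphrase weak enough for john to recover from rockyou.txt (a key with no passphrase at all would have skipped the john step entirely). As an added example that is not part of this writeup, the following Python audit walks a home tree, recognises PEM and OpenSSH-format private keys by their headers, and reports keys or .ssh directories open to group/other as well as keys that are not passphrase-protected. For PEM keys (the format ssh2john consumed above) it looks for the Proc-Type: 4,ENCRYPTED header; for the OpenSSH format it reads the cipher name stored right after the openssh-key-v1 magic, where a cipher of none means the key is in cleartext. The demo tree it builds is constructed, and the key bodies are placeholders carrying only the headers the checks inspect, not real key material.

```python
import base64
import os
import stat
import struct
import tempfile

PEM_HEADERS = (b"-----BEGIN RSA PRIVATE KEY-----", b"-----BEGIN DSA PRIVATE KEY-----",
               b"-----BEGIN EC PRIVATE KEY-----", b"-----BEGIN PRIVATE KEY-----",
               b"-----BEGIN ENCRYPTED PRIVATE KEY-----")
OPENSSH_HEADER = b"-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def is_private_key(data):
    return data.startswith(PEM_HEADERS) or data.startswith(OPENSSH_HEADER)


def is_passphrase_protected(data):
    """PEM keys mark encryption with 'Proc-Type: 4,ENCRYPTED' (or the PKCS#8 ENCRYPTED label).
    OpenSSH-format keys store the cipher name as a length-prefixed string right after the
    magic; a cipher of 'none' means the private key is stored in cleartext."""
    if data.startswith(OPENSSH_HEADER):
        body = b"".join(l.strip() for l in data.splitlines()[1:] if not l.startswith(b"-----"))
        try:
            raw = base64.b64decode(body)
        except ValueError:
            return False
        off = len(OPENSSH_MAGIC)
        if not raw.startswith(OPENSSH_MAGIC) or len(raw) < off + 4:
            return False
        (n,) = struct.unpack(">I", raw[off:off + 4])
        return raw[off + 4:off + 4 + n] != b"none"
    return b"Proc-Type: 4,ENCRYPTED" in data or data.startswith(b"-----BEGIN ENCRYPTED PRIVATE KEY-----")


def audit_home(root):
    """Walk a /home-style tree and return [(path, [issues])] for every private key that is
    readable by group/other, sits in a directory open to group/other, or has no passphrase."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue
            try:
                with open(path, "rb") as fh:
                    data = fh.read(1 << 20)  # keys are small; cap the read for safety
            except OSError:
                continue
            if not is_private_key(data):
                continue
            issues = []
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & 0o077:
                issues.append("key readable by group/other (mode %o)" % mode)
            dmode = stat.S_IMODE(os.stat(dirpath).st_mode)
            if dmode & 0o077:
                issues.append("directory open to group/other (mode %o)" % dmode)
            if not is_passphrase_protected(data):
                issues.append("not passphrase-protected")
            if issues:
                findings.append((path, issues))
    return findings


def build_demo_tree(root):
    """Constructed tree: kay's key is passphrase-protected but world-readable (the situation on
    the box); jan's key has tight permissions but no passphrase. Bodies are placeholders."""
    kay_ssh, jan_ssh = os.path.join(root, "kay", ".ssh"), os.path.join(root, "jan", ".ssh")
    os.makedirs(kay_ssh)
    os.makedirs(jan_ssh)
    os.chmod(kay_ssh, 0o755)
    os.chmod(jan_ssh, 0o700)
    kay_key = os.path.join(kay_ssh, "id_rsa")
    with open(kay_key, "wb") as fh:
        fh.write(b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 b"DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
                 b"PLACEHOLDERBODY\n-----END RSA PRIVATE KEY-----\n")
    os.chmod(kay_key, 0o644)
    jan_key = os.path.join(jan_ssh, "id_ed25519")
    # magic + cipher "none" + kdf "none": only the fields the check reads, nothing else
    raw = OPENSSH_MAGIC + struct.pack(">I", 4) + b"none" + struct.pack(">I", 4) + b"none"
    with open(jan_key, "wb") as fh:
        fh.write(OPENSSH_HEADER + b"\n" + base64.b64encode(raw) + b"\n-----END OPENSSH PRIVATE KEY-----\n")
    os.chmod(jan_key, 0o600)


def run_demo():
    """Build the constructed tree in a temp dir, audit it, and return findings by relative path."""
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        return {os.path.relpath(p, root): issues for p, issues in audit_home(root)}


if __name__ == "__main__":
    for path, issues in run_demo().items():
        print(path, "->", "; ".join(issues))
```

Run it against a real /home as root to get the same report for every user; the fix for kay’s case is chmod 700 on .ssh and 600 on the key, and for jan’s case ssh-keygen -p to add a passphrase.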
With this we come to the end of another CTF challenge from TryHackMe. This box has been a fun practice and is really helpful for understanding how to use tools like hydra and john. See ya all till next time.