THM — Basic Pentesting

Nmap, gobuster, smbclient, enum4linux, hydra, linpeas, john

Yikai
6 min read · Nov 7, 2020

#1
Deploy the machine and connect to our network

Let’s ping the IP: 10.10.211.144 to check if we can connect to the THM box.

#2
Find the services exposed by the machine

$nmap -T4 -A 10.10.211.144

The -T option sets the scan's timing template, i.e. how fast nmap probes. The default is -T3; in my case I use -T4 to speed things up (the maximum is -T5).

By using nmap scan we can check the services used by this machine.

#3
What is the name of the hidden directory on the webserver (enter name without /)?

To find hidden directories we can use tools such as gobuster, dirbuster or dirb.

I will be using gobuster. This tool needs a wordlist of directory names to scan with; the list can be found at /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

You can install gobuster with this command:

$ sudo apt-get install gobuster

Next, let’s start the gobuster scan:

$gobuster dir -u 10.10.211.144 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Very quickly we can see that there is a directory “/development” found.

Ans: development

#4
Use brute-forcing to find the username & password
&
#5
What is the username?

Let’s explore a bit on the victim’s IP.

Nothing much on the webpage, let’s look into /development.

/dev.txt

In the dev.txt file we see an update log from the users K and J.

j.txt

K mentions that J’s hash can be cracked easily.

First, let’s explore SMB.

Let’s use the hint given from #5: What about using SMB to find a username?

Above, I ran the command $smbclient -L \\\\10.10.211.144\\ to list the share names found on the victim's IP. At every password prompt I just entered "password".

Let’s look into IPC$. We can try to connect to it using:

$smbclient \\\\10.10.211.144\\IPC$

We can see that we are in the smbclient, and we can further enumerate from there.

We can input help to list out commands that we can use.

Tried to enumerate but cannot seem to find any information.

Let's try to enumerate the share named "Anonymous".

From the above, we found that there is a staff.txt file. I downloaded it with: get staff.txt

Here we find that the user K is Kay and the user J is Jan.

We could also enumerate the username by using enum4linux.

I searched Google for: using smb to find a username

Found a website that uses enum4linux to enumerate SMB.

Let’s try using it with the command:

$enum4linux 10.10.211.144

Here we can see that there are 2 Unix users named kay and jan.

Ans: Jan

#9
What is the name of the other user you found (all lower case)?

Ans: Kay

#6
What is the password?

Hint: What about using a tool like hydra to bruteforce?

Now let's try to find the password of the user Jan using hydra.

$ hydra -V -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.211.144
  • -t option is
  • -l is the login name to try
  • -P is the password list used for the brute force
  • -V is verbose mode, so each attempt is printed to the terminal

We found the password for Jan’s account: armando

Ans: armando

#7
What service do you use to access the server (answer in abbreviation in all caps)?

Ans: SSH

#8
Enumerate the machine to find any vectors for privilege escalation

Hint: Use a privilege escalation checklist or tool like LinEnum

We can use LinEnum, but I will be using LinPEAS.

We need to download the linpeas.sh from here and store it somewhere.

I stored it on my desktop and hosted a server using python running on port 2222.

Let's download it onto the box as jan.

A good place to store the linpeas.sh file is the /var/tmp directory.

Let's run it, but remember to change the permissions first so it is executable.

From the scan, we can see that kay's id_rsa key is readable by us.

Let’s look into /home/kay/.ssh/id_rsa

Double-check on the permission and make sure that we are indeed able to read the file.

Next, copy this private key into a file and name it kay_id_rsa.txt.

Now we need to convert the key into a format that John can understand.

Use this command:

$/usr/share/john/ssh2john.py kay_id_rsa.txt > forjohntocrack

Next, we crack the file using the command:

$sudo john forjohntocrack --wordlist=/home/kali/Desktop/rockyou.txt

Now we find that the passphrase on kay's key is "beeswax".

One thing to note: run $chmod 600 on the copied RSA key, as ssh refuses to use a private key file whose permissions are more open than that.
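This step depends on two weaknesses that a defender can audit for: a private key readable by another user, and a passphrase weak enough for john to recover from a wordlist. As an added example (not from the room or this post), the following Python script reads a key file to tell whether it is passphrase-protected at all, checks the 0600 mode mentioned above, and walks /home/*/.ssh in the spirit of the LinPEAS check that flagged kay's key. The key blobs in it are constructed samples, not real keys.

```python
import base64, os, stat, struct

def _openssh_blob(cipher, kdf):
    """PEM-wrapped 'openssh-key-v1' header only (constructed sample, not a usable key)."""
    fields = b"".join(struct.pack(">I", len(b)) + b for b in (cipher, kdf, b""))
    raw = b"openssh-key-v1\x00" + fields + struct.pack(">I", 1)
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % base64.b64encode(raw).decode()

# Constructed samples: one key stored in clear, one protected by a passphrase.
PLAIN_OPENSSH = _openssh_blob(b"none", b"none")
ENCRYPTED_OPENSSH = _openssh_blob(b"aes256-ctr", b"bcrypt")

def key_is_encrypted(text):
    """True if the private key is passphrase-protected (OpenSSH or legacy PEM format)."""
    if "BEGIN OPENSSH PRIVATE KEY" in text:
        body = "".join(ln for ln in text.splitlines() if not ln.startswith("-----"))
        raw = base64.b64decode(body)
        off = len(b"openssh-key-v1\x00")  # the cipher name is the first field after the magic
        (n,) = struct.unpack(">I", raw[off:off + 4])
        return raw[off + 4:off + 4 + n] != b"none"
    return "Proc-Type: 4,ENCRYPTED" in text or "BEGIN ENCRYPTED PRIVATE KEY" in text

def audit_key_text(text, mode):
    """Findings for a key's contents plus its permission bits (mode as an int, e.g. 0o644)."""
    findings = []
    if mode & 0o077:
        findings.append("mode %04o: readable by group/others, expected 0600" % mode)
    if not key_is_encrypted(text):
        findings.append("no passphrase: whoever can read the file can log in at once")
    return findings

def audit_key_file(path):
    text = open(path).read()
    if "PRIVATE KEY" not in text:
        raise ValueError("not a private key")
    return audit_key_text(text, stat.S_IMODE(os.stat(path).st_mode))

def scan_home(root="/home"):
    """Walk every user's ~/.ssh (as the LinPEAS check does) and report keys that fail."""
    report = {}
    for user in os.listdir(root):
        ssh_dir = os.path.join(root, user, ".ssh")
        for name in os.listdir(ssh_dir) if os.path.isdir(ssh_dir) else []:
            path = os.path.join(ssh_dir, name)
            try:
                findings = audit_key_file(path)
            except (OSError, ValueError, UnicodeDecodeError):
                continue  # unreadable to us, binary, or not a private key
            if findings: report[path] = findings
    return report
```

The script cannot judge passphrase strength offline, so a key that other users can read should be rotated even when it reports as encrypted.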

Now we can access kay’s account.

Here we get the final password!

#11
What is the final password you obtain?

Ans: here…$$

Let’s check what sudo privilege kay has.

We can see from the above that kay can run ALL commands with sudo.

Let's switch to the root user.

We did it!


Written by Yikai

Started my journey in cybersecurity on September 2020. This blog is used mainly to record my learning journey.
