BASIC PENTESTING - TryHackMe
# Finding open ports with an nmap scan
Connect to the box and use nmap to find the open ports:
nmap -sV ip-address-or-url
This reveals the open ports on the target and the service versions running behind them.
# Finding hidden directories with ffuf
For hidden directories we can use ffuf:
ffuf -u url/FUZZ -w /usr/share/wordlists/dirb/common.txt
This substitutes each word of the list at the FUZZ position in the URL and reports the paths that exist. gobuster and other tools can do the same.
# Finding users with some enumeration
We can search through the website with the browser's inspector tools. ffuf gave us /development as a hidden directory, and visiting ip_address/development shows two files stating that one user has a very easy-to-crack password. They also say that an SMB server is running on the web server.
We can use smbclient to list the shared volumes on the SMB server with:
smbclient -L ip_address
The output of the above command shows that anonymous access is allowed, so we can log in to the SMB server anonymously with:
smbclient \\\\ip_address\\anonymous
After logging in, ls shows a .txt file we can read; it contains a message mentioning the two users Jan and Kay.
# Cracking a user password with hydra
Knowing the usernames, we can crack Jan's password, since the note said Jan has the weaker password. We can use hydra (here its graphical front end) to brute-force the login.
After the cracking finishes we find that the password for Jan is armando.
# Logging in with the password and privilege escalation
With the password we can log in to the SSH server:
ssh username@ip_address
Once on the box we can search manually for privilege-escalation paths, or let linpeas enumerate them automatically; linpeas is faster and finds more. We can copy linpeas to the target over SSH with scp:
scp file_directory/file_name username@ip_address:/address_to_be_placed
After a thorough search we find a private SSH key for the user kay. We can try to log in as kay with it, but the key is protected with a passphrase. First save the private key to a file and restrict its permissions to the owner (ssh refuses to use a key that others can read):
chmod 600 file_name
Now we have to crack the passphrase. We can do this with John the Ripper, but since the private key is not in a hash format John reads directly, we first convert it with John's ssh2john.py script. It can be located with: locate ssh2john.py. It is generally in the /usr/share/john directory.
Convert the key with:
python ssh2john.py private_ssh_key_file_name > hashed_file_name
Once the key has been converted we can crack the passphrase with John the Ripper:
john --wordlist=/usr/share/wordlists/rockyou.txt hashed_file_name
Once the passphrase is cracked we can log in over SSH as Kay:
ssh -i private_ssh_key_file_name kay@ip_address
After logging in we can cat the pass.bak file to extract the password.
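From the defender's side, this escalation hinged on two properties of a private key file: whether another account could read it, and whether it carried a passphrase at all. As an added example (not from the original write-up or the TryHackMe room), the Python audit below parses a key file to tell whether it is passphrase-protected and flags permissions looser than 600; the key files it writes are constructed stand-ins with genuine OpenSSH header fields but no key material, and the function names are my own.

```python
import base64
import os
import stat
import struct
import tempfile

OPENSSH_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_MAGIC = b"openssh-key-v1\x00"  # 15 bytes; the cipher name follows as an SSH string


def key_is_encrypted(pem_text):
    """True/False for a passphrase-protected key, None if the format is not recognised."""
    # OpenSSH-format keys store the cipher name ('none' = no passphrase) right after the
    # magic; legacy PEM keys advertise encryption with a 'Proc-Type: 4,ENCRYPTED' line.
    lines = [ln.strip() for ln in pem_text.strip().splitlines()] or [""]
    if lines[0] == OPENSSH_HEADER:
        blob = base64.b64decode("".join(ln for ln in lines[1:] if not ln.startswith("-----")))
        if not blob.startswith(OPENSSH_MAGIC):
            return None
        (length,) = struct.unpack(">I", blob[15:19])  # uint32 length of the cipher name
        return blob[19:19 + length] != b"none"
    if lines[0].startswith("-----BEGIN") and lines[0].endswith("PRIVATE KEY-----"):
        return "ENCRYPTED" in lines[0] or any(
            ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in lines[1:4])
    return None


def audit_private_key(path):
    """Findings for one key file: mode looser than 600 and/or no passphrase; [] means fine."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: mode {mode:o} is readable by group/others, expected 600")
    with open(path) as fh:
        if key_is_encrypted(fh.read()) is False:
            findings.append(f"{path}: private key is not passphrase-protected")
    return findings


def fake_openssh_key(cipher_name):
    """Constructed stand-in for an OpenSSH key: genuine header fields, no real key material."""
    fields = (cipher_name.encode(), b"none" if cipher_name == "none" else b"bcrypt", b"")
    blob = OPENSSH_MAGIC + b"".join(struct.pack(">I", len(f)) + f for f in fields)
    return f"{OPENSSH_HEADER}\n{base64.b64encode(blob).decode()}\n-----END OPENSSH PRIVATE KEY-----\n"


def demo():
    """Write two constructed keys (one loose and unencrypted, one hardened) and audit both."""
    tmp = tempfile.mkdtemp()
    weak, good = os.path.join(tmp, "id_rsa_weak"), os.path.join(tmp, "id_rsa_good")
    for path, cipher, mode in ((weak, "none", 0o644), (good, "aes256-ctr", 0o600)):
        with open(path, "w") as fh:
            fh.write(fake_openssh_key(cipher))
        os.chmod(path, mode)
    return audit_private_key(weak), audit_private_key(good)
```

Run against a real ~/.ssh directory, a non-empty findings list for any key is the condition that let the write-up above pivot between users.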
Summary:
Finding open ports.
Enumerating for usernames.
Brute-forcing the user's password.
Privilege escalation with the cracked password.
Cracking the key passphrase for login.
Finishing the problem.
Tools used:
nmap
ffuf or gobuster
smbclient
hydra
linpeas
scp
John the Ripper