My TryHackMe Writeups

Writing THM exercise solutions here and my thoughts on how to solve them


Project maintained by NaystyX Hosted on GitHub Pages — Theme by mattgraham

Basic Pentesting

https://tryhackme.com/room/basicpentestingjt

As always with pentesting tasks, I began by checking which ports were open with nmap -sV -sC 10.10.149.135

It showed me 4 open ports: 22, 80, 139, 445

From previous knowledge I knew that some Samba servers have had pretty big vulnerabilities, so it piqued my interest, but first I wanted to run gobuster to find directories on the web server.

Questions

What is the name of the hidden directory on the web server (enter name without /)?

I ran gobuster dir -u 10.10.149.135 -w /usr/share/wordlists/dirbuster/directory-list-1.0.txt to find the directory.

What is the username?

I ran enum4linux -a 10.10.149.135 to find out about SMB shares and possibly usernames.

So now I got the username jan

What is the password?

Since I now know the username, I can run hydra to brute-force the password: hydra -l jan -P /usr/share/wordlists/rockyou.txt 10.10.149.135 ssh

What service do you use to access the server (answer in abbreviation in all caps)?

This is just SSH

What is the name of the other user you found (all lower case)?

We already got this earlier from the enum4linux output

What is the final password you obtain?

I want to enumerate privilege escalation paths and want to use a script I already know, which is LinPEAS.

First, transfer the file using wget: we start an HTTP server on my computer and then wget it over the SSH session

Then make it executable with chmod +x linpeas.sh and then run with ./linpeas.sh

From there I found a key escalation at /home/kay/.ssh/id_rsa so I used cat and copied that file to my computer.

Then use ssh2john to convert it into the correct format and then use john --wordlist=/usr/share/wordlists/rockyou.txt john-pass to brute-force the password

Now we can SSH in with that id_rsa and the kay username: ssh -i id_rsa kay@10.10.209.106 (I had to reboot the server at one point)

With that the challenge is done. This was fairly easy and basic pentesting, as the name suggests, but good training so that I always remember the basics of pentesting at least.
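
The finding at /home/kay/.ssh/id_rsa, a private key that another local user could read, is something a host audit can catch and fix. The following is an added example, not part of the original writeup; it assumes the key was exposed through group/other read bits, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: audit SSH private keys that users other than the owner
# can read, and tighten their permissions. Run as root so every home
# directory is visible. Function names are hypothetical.

# is_private_key FILE -> exit 0 if the first line is a PEM/OpenSSH
# private key header (RSA, EC, DSA, OPENSSH, ENCRYPTED or plain PKCS#8).
is_private_key() {
    head -n 1 "$1" 2>/dev/null |
        grep -Eq '^-----BEGIN ([A-Z0-9]+ )?PRIVATE KEY-----'
}

# audit_ssh_keys [HOME_ROOT] -> prints "MODE PATH" for every private key
# inside a .ssh directory that has the group-read or other-read bit set.
audit_ssh_keys() {
    root=${1:-/home}
    find "$root" -type f -path '*/.ssh/*' \
        \( -perm -040 -o -perm -004 \) 2>/dev/null |
    while IFS= read -r f; do
        if is_private_key "$f"; then
            # ls -ld is used instead of stat for portability;
            # the first 10 characters are the mode string.
            printf '%s %s\n' "$(ls -ld "$f" | cut -c1-10)" "$f"
        fi
    done
}

# harden_key FILE -> owner-only access on the key and its .ssh directory,
# which is also what sshd's StrictModes check expects.
harden_key() {
    chmod 600 "$1" && chmod 700 "$(dirname "$1")"
}

# Usage: audit_ssh_keys /home
#        harden_key /home/<user>/.ssh/id_rsa
```

A passphrase on the key is not a substitute for these permissions when the passphrase appears in a common wordlist, as the john step above shows.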