Try Hack Me: Basic Pentesting Walkthrough

João Marcelo
Published in InfoSec Write-ups
7 min read · Sep 17, 2022

This is the second walkthrough I have decided to write and, differently from the first, it is about my main interest, which is pentesting.

So I had a lot of fun completing this room and writing this text.

This room gives those who are starting out, like me, an opportunity to apply what they have learned in a realistic pentest scenario.

I hope this little text can be useful to someone else. =D

Task 1

1.1 — Deploy the machine and connect to our network

This question doesn’t need an answer.

1.2 — Find the services exposed by the machine

This one doesn’t need an answer either, but in order to do what was asked we need to follow the next steps:

Step 1: Run nmap on the IP address of the target using the command:

nmap “target IP”

Step 2: Look at the result to see the services running on the open ports.

Let’s save it for later!

1.3 — What is the name of the hidden directory on the web server (enter name without /)?

For this task we just need a directory brute-force tool like dirb, dirbuster, gobuster, or any other one, even one you wrote yourself.

I like gobuster because I think it’s easier to use threads with it.

Step 1: Run gobuster against the target using a wordlist of common directories.

This is the wordlist I’ve used:

https://github.com/danielmiessler/SecLists/blob/master/Discovery/Web-Content/directory-list-2.3-small.txt

Use the command below:

gobuster dir -u http://10.10.26.50 -w directory-list-2.3-small.txt

I stopped at the first directory found, since it was the answer.

Answer: development

1.4 — User brute-forcing to find the username & password

This question doesn’t need an answer either, but the process will help us with the next questions.

Step 1: Let’s take a look into the hidden directory.

There are two .txt files, and each one tells us something useful.

  • The system uses Apache 2.4.18;
  • Both files show us the initials of two users, J and K;
  • The first one, dev.txt, shows that the system is using SMB;
  • The second one shows that user J has the weakest password.

Step 2: Enumerate the system with the enum4linux tool.

Knowing that the system uses Samba (SMB), we can use enum4linux, which is useful for enumerating Windows and Samba systems.

The basic command is enum4linux “target IP”; to find the users, just add the -U option:

enum4linux -U “target IP”

Now we know the users: kay and jan.

Step 3: Brute-force using Hydra.

Now that we have the users, we can use them to brute-force the password.

One of the tips we got from j.txt is that the user starting with the letter J has a weaker password, so we just need to brute-force the password of the jan user using Hydra.

But where?

Among the services we found with nmap, we can see that ssh is running on the server, so let’s brute-force it using the command below:

hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.52.201

Done! The password is armando.
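From the defender’s side, a Hydra run like the one above is easy to spot in sshd’s log. The following is an added example, not code from the original post or the room: it parses constructed /var/log/auth.log lines and flags a source that fails many logins in a short window and then succeeds; the window size and threshold are assumptions.

```python
"""Detect an SSH password brute-force burst in sshd log lines.
Added example, not from the original post or the room; the sample lines,
window and threshold below are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines: a burst from one source, then an unrelated failure.
SAMPLE_LOG = """\
Sep 17 10:00:01 target sshd[1201]: Failed password for jan from 10.10.14.5 port 41000 ssh2
Sep 17 10:00:01 target sshd[1202]: Failed password for jan from 10.10.14.5 port 41001 ssh2
Sep 17 10:00:02 target sshd[1203]: Failed password for jan from 10.10.14.5 port 41002 ssh2
Sep 17 10:00:02 target sshd[1204]: Failed password for jan from 10.10.14.5 port 41003 ssh2
Sep 17 10:00:03 target sshd[1205]: Failed password for invalid user admin from 10.10.14.5 port 41004 ssh2
Sep 17 10:00:04 target sshd[1206]: Accepted password for jan from 10.10.14.5 port 41005 ssh2
Sep 17 10:05:00 target sshd[1300]: Failed password for kay from 10.10.14.9 port 50000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) "
    r"(?:password|publickey) for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port"
)

def parse(log_text):
    """Yield (timestamp, result, user, ip) for each sshd authentication line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # syslog timestamps carry no year; the constructed sample is from 2022
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=2022)
            yield ts, m["result"], m["user"], m["ip"]

def find_bruteforce(log_text, window_s=60, threshold=5):
    """Return {ip: (failures, users_tried, success_after_burst)} for each source
    with >= threshold failures inside window_s seconds; success_after_burst is
    True when the same source later logs in, i.e. the guessing probably worked."""
    by_ip = defaultdict(list)
    for ev in parse(log_text):
        by_ip[ev[3]].append(ev)
    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        fails = [e for e in events if e[1] == "Failed"]
        for i, first in enumerate(fails):
            burst = [e for e in fails[i:] if (e[0] - first[0]).total_seconds() <= window_s]
            if len(burst) >= threshold:
                success = any(e[1] == "Accepted" and e[0] >= burst[-1][0] for e in events)
                alerts[ip] = (len(burst), sorted({e[2] for e in burst}), success)
                break
    return alerts
```

Calling find_bruteforce(SAMPLE_LOG) flags 10.10.14.5 with five failures, two usernames tried and a successful login right after the burst, while the single failure from 10.10.14.9 stays below the threshold.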

That’s it! Let’s go to the next task!

1.5 — What is the username?

Answer: jan

1.6 — What is the password?

Answer: armando

1.7 — What service do you use to access the server (answer in abbreviation in all caps)?

Answer: ssh

1.8 — Enumerate the machine to find any vectors for privilege escalation

This question doesn’t need an answer, but let’s take the chance to log in and look around the system.

Step 1: Now that we have both jan’s username and password, we can log in using the ssh service with the command below:

ssh jan@”target IP”

Password: armando

We are in!

Step 2: Look around.

Walking around the system, we can find the home directory of another user, kay.

Inside, there is an interesting file, pass.bak, supposedly containing his password, but unfortunately we don’t have permission to read it with the current user.

So… We need to escalate privilege. xD

1.8 — What is the name of the other user you found (all lower case)?

At this point, we already know that!

Answer: Kay

1.9 — If you have found another user, what can you do with this information?

This question doesn’t need an answer.

1.10 — What is the final password you obtain?

So, we need to read that file in kay’s directory.

Inside kay’s directory there are other interesting directories, like “.ssh”.

Inside this directory, we can see that we have permission to read the id_rsa file, which contains the private key used to access the ssh server.

Let’s exploit this flaw to get access as user kay.

Step 1: Read the id_rsa file to get the private key.

Step 2: Copy and paste the key into a new file on your machine.

I think it’s easier to simply copy and paste the content of the file into a new one than to transfer a copy from the server.

So I created a new file on my machine with nano, named pass_kay.txt, and pasted the key into it.

If we try to use this new file as the key for our ssh login, it will be refused with a message saying that the key file is unprotected.

That happens because the file’s permissions are too loose.

So we need to restrict the permissions of this file for it to be accepted.

Step 3: Change the file permissions using the command:

chmod 600 “file name”
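The same rule that made ssh reject the copied key (any group or other permission bit set) is also what should have protected kay’s id_rsa from jan in the first place. The following is an added example, not code from the original post or from OpenSSH: it audits a home directory for private keys whose mode exposes them, using a constructed directory layout.

```python
"""Audit a home directory for SSH private keys readable by other users.
Added example, not from the original post or OpenSSH; the mode rule mirrors
ssh's 'UNPROTECTED PRIVATE KEY FILE' check (any group/other bit set) and the
demo directory layout below is constructed."""
import os
import stat
import tempfile

KEY_MARKER = b"-----BEGIN"  # PEM and OpenSSH private key files start this way

def is_private_key(path):
    # Heuristic: the file begins with the PEM/OpenSSH armour marker.
    try:
        with open(path, "rb") as f:
            return f.read(len(KEY_MARKER)) == KEY_MARKER
    except OSError:
        return False

def key_mode_problem(path):
    """Describe why the key's mode is unsafe, or return None if it is 0600-like."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o004:  # any other user, like jan reading kay's id_rsa above
        return "world-readable (%o)" % mode
    if mode & 0o077:  # ssh refuses these too, hence the chmod 600 step
        return "group/other bits set (%o)" % mode
    return None

def audit_home(home):
    """Return {relative path: problem} for every exposed key under home."""
    findings = {}
    for root, _dirs, files in os.walk(home):
        for name in files:
            path = os.path.join(root, name)
            if is_private_key(path):
                problem = key_mode_problem(path)
                if problem:
                    findings[os.path.relpath(path, home)] = problem
    return findings

def demo_findings():
    """Constructed home dir with one exposed and one protected key, then audit it."""
    home = tempfile.mkdtemp()
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir)
    for name, mode in (("id_rsa", 0o644), ("id_ed25519", 0o600)):
        path = os.path.join(ssh_dir, name)
        with open(path, "wb") as f:
            f.write(b"-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n")
        os.chmod(path, mode)
    return audit_home(home)
```

Running demo_findings() reports only .ssh/id_rsa as world-readable; running audit_home over every directory under /home is the equivalent check an administrator would schedule.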

Step 4: Now we can try to log in using this file as the key, with the ssh command and the -i argument to specify the file.

ssh -i “file name” kay@”target IP”

But as you can see, it asks us for the passphrase that protects kay’s key.

To get it, we need to extract a hash from the file and crack it by brute force.

Step 5: Extract a hash from the file using the ssh2john.py tool with the command below:

python2 /usr/share/john/ssh2john.py “file with key” > “name for hash file”.txt

Step 6: Crack this hash using john.

john --wordlist=”wordlist path” “hash file”

Now that we have the passphrase, beeswax, let’s log in to the ssh server again.

Step 7: Log in using the following command:

ssh -i “key file” kay@”target IP”

Passphrase: beeswax

We are in!!

Now let’s read kay’s file pass.bak.

Step 8: Read the file pass.bak:

cat pass.bak

And that’s it!

Answer: heresareallystrongpasswordthatfollowsthepasswordpolicy$$

That’s it!

This is my little attempt to contribute to this awesome universe of cybersecurity.

If you have any suggestions or spotted an error, please tell me.

I’m here to learn and want to get better at this.

Thanks for reading this far!

And if I can help you with something, let me know! xD
