#1. TryHackMe Series writeups: Basic Pentesting
There are several beginner-friendly rooms on TryHackMe. Starting with rooms like Nmap or Introductory Researching is a wonderful idea if you’re new to the site. But you should make things more challenging once you’ve mastered the fundamental tools and approaches. You won’t make much progress if you keep solving rooms at the same level.
For those who have the fundamentals and are looking for a greater challenge, today’s room is a terrific one. I’m happy you’re here for the TryHackMe Basic Pentesting guide.
THM Basic Pentesting:
This TryHackMe room is designed with beginners in mind and focuses on enumeration and exploitation at a very fundamental level. The order in which the questions are queued, as well as the hints offered, aid in developing a fundamental mentality for pentesting.
In this set of tasks you’ll learn the following:
- brute forcing
- hash cracking
- service enumeration
- Linux enumeration
We’ll utilise many tools to solve this room, including nmap, dirb, and hydra. Let Us Count!!
Deploy the machine from “Start Machine” button as shown below:
As displayed, you will be assigned a specific IP_Address for the machine.
Once the machine is deployed, you will get an IP address, which may be different for your machine.
Scan the IP address using nmap which finds the services exposed by the machine.
“Nmap is a very useful tool that can be used to determine the various ports open on the target machine and the services running on them. We can perform a simple scan to get all the details like:”
Command: nmap -sV <IP>
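To turn the scan into something you can act on, here is an added example (not code from the original writeup) that parses the normal output of nmap -sV into a service inventory and pairs each open port with the defender-side review the room’s later steps imply (SSH logins, published web directories, SMB shares). The scan text, the 192.0.2.10 address and the version strings are constructed sample data, not a real scan of the room.

```python
"""Parse the human-readable output of `nmap -sV` into a service inventory.
Added example; not code from the original writeup. SAMPLE_NMAP is
constructed sample data, not a real scan."""
import re

# Constructed sample: what `nmap -sV <IP>` prints for a small Linux host.
SAMPLE_NMAP = """\
Starting Nmap 7.80 ( https://nmap.org )
Nmap scan report for 192.0.2.10
Host is up (0.050s latency).
Not shown: 995 closed ports
PORT    STATE    SERVICE     VERSION
21/tcp  filtered ftp
22/tcp  open     ssh         OpenSSH 7.2p2 Ubuntu (Ubuntu Linux; protocol 2.0)
80/tcp  open     http        Apache httpd 2.4.18 ((Ubuntu))
139/tcp open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open     netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
"""

# One port per line: "<port>/<proto>  <state>  <service>  <version...>"
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)\s*(?P<version>.*)$"
)

# Defender-side review note per exposed service type, matching the steps
# this room walks through (SSH logins, web directories, SMB shares).
REVIEW = {
    "ssh": "password logins reachable; enforce strong passwords or key-only auth",
    "http": "web content published; check for directories that should not be exposed",
    "netbios-ssn": "SMB exposed; review share permissions and user enumeration",
    "microsoft-ds": "SMB exposed; review share permissions and user enumeration",
}


def parse_nmap_sv(text: str) -> list:
    """Return open ports as dicts; filtered/closed ports are skipped."""
    services = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m and m["state"] == "open":
            services.append({
                "port": int(m["port"]),
                "proto": m["proto"],
                "service": m["service"],
                "version": m["version"].strip(),
            })
    return services


def review_items(services: list) -> list:
    """Pair each open port with the review note for its service type."""
    return [(s["port"], REVIEW[s["service"]]) for s in services if s["service"] in REVIEW]


if __name__ == "__main__":
    for port, note in review_items(parse_nmap_sv(SAMPLE_NMAP)):
        print(f"{port:>5}  {note}")
```

For real scans, nmap -oX produces XML that is easier to parse reliably than the text format; the regex above is enough for the normal output shown in the room.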
Access this IP_Address from web browser, as shown below:
This web app may have hidden directories. We will use the dirsearch tool (there are other tools like dirbuster, gobuster) to find out:
At the endpoint below you will find the j.txt and dev.txt files. Both files contain messages between K and J.
Q3. What is the name of the hidden directory on the web server(enter name without /)?
Answer: development
Q4. Use brute-forcing to find the username & password.
It asks you to bruteforce. However, we know that SMB is in use, so we might attempt to enumerate it first. This way, we can find usernames without resorting to a time-consuming brute-force attack. For this, we can use the enum4linux script:
Command: enum4linux -a <IP_ADDRESS>
So for Q4. we have two users and don’t know which one to bruteforce first. But remember the message “K” left for “J” informing him that his password is weak and easily cracked? Let’s see if we can bruteforce it.
For bruteforcing, we will be using the Hydra tool.
“Hydra is one such tool that can be used to bruteforce passwords over numerous protocols.”
Command: hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://<IP_ADDRESS>
Q5. What is the username?
Answer: jan
Q6. What is the password?
Answer: armando
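From the server side, the Hydra run above is a burst of failed logins from one source followed by a success. As an added example (not code from the original writeup), here is a small detector over OpenSSH auth.log lines that flags a source IP once it reaches a failure threshold inside a time window, and raises a second alert if that IP then authenticates successfully. The host name, IPs, users and timestamps in the sample log are constructed.

```python
"""Detect SSH password brute forcing in OpenSSH auth.log lines.
Added example; not part of the original writeup. SAMPLE_LOG is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth.log excerpt. Hydra runs several parallel attempts, so
# failures for one user arrive from one source IP within a few seconds.
SAMPLE_LOG = """\
Mar  3 10:01:01 host1 sshd[1200]: Failed password for jan from 10.0.0.5 port 40001 ssh2
Mar  3 10:01:02 host1 sshd[1201]: Failed password for jan from 10.0.0.5 port 40002 ssh2
Mar  3 10:01:02 host1 sshd[1202]: Failed password for invalid user admin from 10.0.0.5 port 40003 ssh2
Mar  3 10:01:03 host1 sshd[1203]: Failed password for jan from 10.0.0.5 port 40004 ssh2
Mar  3 10:01:04 host1 sshd[1204]: Failed password for jan from 10.0.0.5 port 40005 ssh2
Mar  3 10:01:05 host1 sshd[1205]: Failed password for jan from 10.0.0.5 port 40006 ssh2
Mar  3 10:01:06 host1 sshd[1206]: Accepted password for jan from 10.0.0.5 port 40007 ssh2
Mar  3 10:30:00 host1 sshd[1300]: Failed password for kay from 10.0.0.9 port 50001 ssh2
Mar  3 11:45:00 host1 sshd[1301]: Accepted publickey for kay from 10.0.0.9 port 50002 ssh2
"""

# sshd result lines: "<syslog ts> <host> sshd[pid]: Failed|Accepted <method> for [invalid user] <user> from <ip> port <n>"
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_events(text: str) -> list:
    """Turn sshd log lines into events; lines that are not auth results are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%b %d %H:%M:%S"),  # syslog omits the year
            "ip": m["ip"], "user": m["user"], "method": m["method"],
            "ok": m["result"] == "Accepted",
        })
    return events


def detect_bruteforce(events: list, threshold: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> list:
    """Alert once per source IP that reaches `threshold` failures inside `window`,
    and again if that IP later authenticates successfully (likely compromise)."""
    alerts = []
    recent = defaultdict(list)  # ip -> timestamps of failures still inside the window
    flagged = set()
    for ev in events:
        if ev["ok"]:
            if ev["ip"] in flagged:
                alerts.append({"kind": "success_after_bruteforce", "ip": ev["ip"],
                               "user": ev["user"], "method": ev["method"]})
            continue
        fails = recent[ev["ip"]]
        fails.append(ev["ts"])
        while fails and ev["ts"] - fails[0] > window:  # expire old failures
            fails.pop(0)
        if len(fails) >= threshold and ev["ip"] not in flagged:
            flagged.add(ev["ip"])
            alerts.append({"kind": "bruteforce", "ip": ev["ip"],
                           "user": ev["user"], "count": len(fails)})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_events(SAMPLE_LOG)):
        print(alert)
```

The single failure for kay from a different source never reaches the threshold and the later public-key login is not flagged, so the detector only reacts to the burst-then-success pattern that password guessing produces. Tools such as fail2ban implement the same counting logic with an automatic block.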
We have used ssh in the above image for accessing the server, so ….
Q7. What service do you use to access the server(answer in abbreviation in all caps)?
Answer: SSH
Q8. Enumerate the machine to find any vectors for privilege escalation
We know the username, password and the service on which we can try. Now let’s try to login:
Command: ssh jan@<IP_ADDRESS>
We have successfully logged in. Now let’s look over this machine, particularly Kay’s account, to see if we can find anything. We discovered a password backup file for Kay’s account, but Jan cannot execute sudo commands.
We must escalate our privileges in order to read the password backup file. After looking through Kay’s directories a bit more, we discovered SSH keys.
- Save the keys to your machine in a file using nano or another editor of your choice. Here the file name in which it is saved is “sshrsakey.txt”.
- Run the ssh2john tool to obtain the hash of the keys.
Command: python /usr/share/john/ssh2john.py sshrsakey.txt > keyhash.txt
- Now run John the ripper tool to crack the passphrase for the account of Kay.
Command: john --wordlist=/usr/share/wordlists/rockyou.txt keyhash.txt
- As a result, the password should be brute forced in a minute.
- Now access Kay’s SSH account using Kay’s private key.
Command: ssh -i /home/kay/.ssh/id_rsa kay@<IP_ADDRESS>
- We attempted to directly access Kay’s ssh but were unsuccessful. Let’s attempt it from Jan’s account instead: first log in as jan via SSH, then run the same command from there:
Command: ssh jan@<IP_ADDRESS>
Command: ssh -i /home/kay/.ssh/id_rsa kay@<IP_ADDRESS>
- We’ve managed to log into Kay’s ssh, now let’s open the password backup file and see what’s within.
Here we have finally got the password, and the challenge is completed.
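The key step above works only because of two weaknesses on the host: Kay’s private key was readable by another local user (jan), and its passphrase came from a common wordlist. As an added example (not code from the original writeup), here is an audit routine that reports both conditions for a private key file: it checks the file mode and determines whether the key is passphrase-protected, for both the legacy PEM format (Proc-Type: 4,ENCRYPTED header) and the openssh-key-v1 format (cipher name in the decoded blob). The sample keys it writes to a temporary directory are constructed header-only blobs, not usable keys.

```python
"""Audit SSH private key files: readable by others? passphrase-protected?
Added example; not part of the original writeup. The key material written
by demo() is constructed test data, not real keys."""
import base64
import os
import stat
import struct
import tempfile

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def openssh_cipher(blob: bytes) -> str:
    """Return the cipher name from an openssh-key-v1 blob ('none' = unencrypted)."""
    if not blob.startswith(OPENSSH_MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    pos = len(OPENSSH_MAGIC)
    (n,) = struct.unpack(">I", blob[pos:pos + 4])  # length-prefixed string
    return blob[pos + 4:pos + 4 + n].decode("ascii")


def key_is_encrypted(text: str) -> bool:
    """True if the private key in `text` needs a passphrase."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        body = "".join(l for l in lines[1:] if not l.startswith("-----"))
        return openssh_cipher(base64.b64decode(body)) != "none"
    # Legacy PEM (RSA/DSA/EC): encryption is signalled by a Proc-Type header.
    return any(l.startswith("Proc-Type:") and "ENCRYPTED" in l for l in lines)


def audit_key(path: str) -> dict:
    """Report mode and passphrase status of one key file, with findings."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    with open(path) as f:
        encrypted = key_is_encrypted(f.read())
    findings = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"readable by other users (mode 0{mode:o}, expected 0600)")
    if not encrypted:
        findings.append("no passphrase")
    return {"path": path, "mode": mode, "encrypted": encrypted, "findings": findings}


def make_openssh_key_text(cipher: str) -> str:
    """Constructed header-only openssh-key-v1 blob: enough for cipher
    detection, not a usable key."""
    blob = OPENSSH_MAGIC + struct.pack(">I", len(cipher)) + cipher.encode()
    b64 = base64.b64encode(blob).decode()
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{b64}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed legacy PEM with the encryption header; the body is filler.
PEM_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00000000000000000000000000000000

QUJDRA==
-----END RSA PRIVATE KEY-----
"""


def demo() -> list:
    """Write three constructed keys with different modes and audit them."""
    d = tempfile.mkdtemp()
    samples = [
        ("id_rsa_weak_perms", PEM_ENCRYPTED, 0o644),                    # has passphrase, but world-readable
        ("id_ed25519_plain", make_openssh_key_text("none"), 0o600),      # private, but no passphrase
        ("id_ed25519_good", make_openssh_key_text("aes256-ctr"), 0o600), # both checks pass
    ]
    results = []
    for name, text, mode in samples:
        p = os.path.join(d, name)
        with open(p, "w") as f:
            f.write(text)
        os.chmod(p, mode)
        results.append(audit_key(p))
    return results


if __name__ == "__main__":
    for r in demo():
        print(r["path"], r["findings"] or "ok")
```

Run as root, audit_key can be applied to every /home/*/.ssh/id_* file; the first finding is the one that let jan use Kay’s key in this room, and the second is what ssh2john and John would exploit if the passphrase were weak or absent.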
Q9. What is the name of the other user you found(all lower case)?
Answer: Kay
Q11. What is the final password you obtain?
Answer: …………….!!!!! It’s on you to find out !!!!!…………….
Hurrah!! This Basic Pentesting Challenge is now over. Thank you for sticking around.
Some Important Takeaways:
- Use enum4linux to find out information about the target when you observe an open SMB port.
- Brute-force attacks against a variety of services can be carried out using Hydra.