It is nice to meet you all again with another walkthrough of the basic Pentesting machine available on TryHackMe. It covers Service Enumeration, Hash Cracking, Brute-Forcing through Hydra, and Privilege Escalation. So, let us get this test started.
To make sure that we are connected to their network, I am using the ping command on the given IP address and it seems we are.
Now let us do some information gathering. We need to find out which ports are open and which services are running on the ports so we will take help from our friend NMAP:
Use command: nmap -sC -sV <IP addr>
From this Nmap scan, we got the list of open ports and the respective service running as follows:
Here, the HTTP port is open. So, we can try to access the website to see if it can give us any piece of information.
The resultant page seems to give us no information but when checking the source code, we found following note for us:
We do not know about the dev note section. So, we can use dirsearch/dirbuster to find the hidden directories.
But here, we are going to use our older friend NMAP to find the dev directory. For this, we can use Nmap scripts. This enumerates directories used by popular web applications and servers.
Use command: # nmap -p80 –script http-enum <IP addr>
Now we got the name of the directory “development”. Let us check what is in it:
We found dev.txt and j.txt files here. After opening them we can see following contents:
It is a chat between 2 users K and J.
Now we need to find out the users and we also know it has SMB configured. To enumerate SAMBA,
Use command: # enum4linux <IP addr>
So, we finally found 2 users as shown above, user kay and jan.
As we already know it is a weak password from reading messages between K and J, we can crack it using Hydra Tool.
For that, we need a list of passwords and I am using Rockyou wordlist. It is a password dictionary used to perform different types of password cracking attacks. It is the collection of the most used and potential passwords. It is already added in Kali Linux by default and to find it,
Use command: #locate rockyou
The rockyou file has a .gz extension which means that it is a zip file. We must unzip it to use it.
Use command: #gzip -d rockyou.txt.gz
We can check it by going to the location of the file.
Hydra tool is installed by default on Kali Linux. Now we will attempt to log in as the jan user using a rockyou.txt password list with 6 threads on the given SSH server.
Use command: # hydra -l jan -P /usr/share/wordlists/rockyou.txt -t 6 ssh://<IP Addr>
Hurray, here we found password: armando for user jan.
Now, let us try to log in as user “jan”.
Use command: ssh jan@IP addr
We can say “yes” and provide password(armando) for user jan.
So now we have access to user jan.
Now we need to find any vectors to escalate our privileges. Let us look for files on the host.
We do not find anything on the user jan. So now we can check for other directories or users and found the user kay.
Here we found something interesting. It is a .ssh file and while trying to access It, found the public and private keys in that.
Opening the public and private keys:
Ahaa…We hit the Jackpot here..!!!
We got the private key of user kay. This will be our access vector. Let us log in through ssh now.
It looks like we need to find a passphrase first.
We can use john the ripper to crack an SSH RSA key, but to brute-force using john, we must convert it into a suitable format first. For this, we have ssh2john.py pre-installed in Kali Linux.
We can find it using locate command.
If we open a hash file rsakey.hash here we can see
Now we can use john the ripper again to crack the hash using the same wordlist rockyou.txt and retrieve the passphrase for user kay.
Finally, we got the passphrase beeswax.
As we know from a previous search that .ssh also has read and write permission for user kay. As we have passphrase now, let us ssh:
Now we can find the final password and for that, we will investigate pass.bak, which we found earlier under the home directory of user kay.
So, this is the final password we obtain.
Solving this challenge enables us to get an overall idea of how to perform basic tasks in Penetration testing when we have only the IP address of the target, like scanning our target machines and look for its vulnerabilities. We understood how basic enumeration works. Apart from that, we also learn to use different tools to crack passwords and hashes and tried to gain access. Thanks for reading and will meet you next time with another blog soon.
Until next time, Happy hacking…!!!