Basic Pentesting THM

The document details the steps taken in a basic pentesting exercise on a TryHackMe machine. The pentest involves deploying the target, scanning for services, finding hidden directories, brute forcing user credentials, privilege escalation to another user, and obtaining a stronger password.

Uploaded by sakitazeyek

TRYHACKME | BASIC PENTESTING

REPORT
Machine Used : Kali Linux

Zaur Qasimov
02.07.2022

Content:
- Deploy the machine and connect to our network
- Find the services exposed by the machine
- What is the name of the hidden directory on the web server?
- User brute-forcing to find the username & password
- What is the username?
- What is the password?
- What service do you use to access the server?
- Enumerate the machine to find any vectors for privilege escalation
- What is the name of the other user you found?
- If you have found another user, what can you do with this information?
- What is the final password you obtain?
1. Deploy the machine and connect to our network

“Basic Pentesting” is a pentesting room in TryHackMe which covers very basic pentesting techniques.

First, we connect to TryHackMe's network using the OpenVPN configuration file.

Command: openvpn Zaur.Qasimov.ovpn

Then we click on "Start the machine" on the upper right side of the section.

IP Address: 10.10.90.8

2. Find the services exposed by the machine

To find the services running on our target system we will use the Nmap tool.

Command: nmap -sV -A 10.10.90.8

We get the following results:

We can see that the services are:

1. SSH on port 22
2. HTTP on port 80
3. SAMBA on ports 139 & 445

3. What is the name of the hidden directory on the web server?

To find the hidden directories on our web app we can use dirb.

Command: dirb http://10.10.90.8/ /usr/share/wordlists/dirb/common.txt

We get the following results:

We have a hidden directory: /development

Now navigate around the development directory on the website.

As you can see, there are dev.txt and j.txt files here.

Let's take a look at their content.


dev.txt:

2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat to host that on this server too. Haven't made any real web apps yet, but I have tried that example you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm using version 2.5.12, because other versions were giving me trouble. -K

2018-04-22: SMB has been configured. -K

2018-04-21: I got Apache set up. Will put in our content later. -J

j.txt:

For J:

I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials, and I was able to crack your hash really easily. You know our password policy, so please follow it? Change that password ASAP.

-K

From here we get the following results:

1. Website is using Apache 2.5.12 and also using SMB
2. User J has a weak password
3. There are at least 2 users (J and K)

4. User brute-forcing to find the username & password

For this, we first need to find the usernames on the target machine.

We know that Samba is running on our target, so we can use the enum4linux script for this purpose:

Command: enum4linux -a 10.10.90.8

We get the following results:

As you can see here we found two users named Kay and Jan.

We know that Jan's password is weak, so let's try to find his password.

For this we will do a brute-force attack using the hydra tool.

Command: hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.90.8

This command will try to brute force Jan's SSH password by trying words from the rockyou.txt wordlist.

So we find that jan's password is armando.
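Added example, not part of the original report: seen from the target, the hydra run above leaves a burst of "Failed password" lines for one user from one source in the sshd log, followed by an "Accepted password" once the wordlist hits. This Python snippet parses constructed sample log lines (not real logs from the machine) and flags that pattern.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample sshd lines (not from the report): the trail a wordlist attack leaves in auth.log.
SAMPLE_AUTH_LOG = """\
Jul  2 10:15:01 target sshd[1201]: Failed password for jan from 10.8.0.5 port 40101 ssh2
Jul  2 10:15:01 target sshd[1202]: Failed password for jan from 10.8.0.5 port 40102 ssh2
Jul  2 10:15:02 target sshd[1203]: Failed password for invalid user admin from 10.8.0.5 port 40103 ssh2
Jul  2 10:15:02 target sshd[1204]: Failed password for jan from 10.8.0.5 port 40104 ssh2
Jul  2 10:15:03 target sshd[1205]: Accepted password for jan from 10.8.0.5 port 40105 ssh2
Jul  2 10:20:00 target sshd[1300]: Failed password for kay from 10.8.0.9 port 50001 ssh2
Jul  2 10:20:30 target sshd[1301]: Accepted publickey for kay from 10.8.0.9 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_events(text, year=2022):
    # syslog lines carry no year, so the caller supplies it
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that are not login outcomes are ignored
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events

def detect_bruteforce(events, threshold=4, window_seconds=60):
    """Flag sources with `threshold` failures inside any `window_seconds` span;
    success_after means a later Accepted login from that source (a guess worked)."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        fails = sorted(e[0] for e in evs if e[1] == "Failed")
        burst = any(
            (fails[i + threshold - 1] - fails[i]).total_seconds() <= window_seconds
            for i in range(len(fails) - threshold + 1)
        )
        if burst:
            alerts[src] = {
                "failures": len(fails),
                "users": sorted({e[2] for e in evs if e[1] == "Failed"}),
                "success_after": any(e[1] == "Accepted" and e[0] >= fails[0] for e in evs),
            }
    return alerts
```

A source whose alert carries success_after=True is the case that matters most: the account it logged into should be treated as compromised, not just rate-limited.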


5. What is the username?

Username is Jan

6. What is the password?

Password is armando

7. What service do you use to access the server?

We use the SSH service to access the server.

Command: ssh jan@10.10.90.8

8. Enumerate the machine to find any vectors for privilege escalation

We see that there are two users in the home directory: jan and kay.

To find Kay's password, we will get his id_rsa key and then try to crack it with John the Ripper.

I copy the id_rsa and save it as kay.txt on my Kali machine.

Let's use John the Ripper now.

Command: ssh2john kay.txt > decrypted.txt

This converts our private SSH key into John's hash format so that it can be cracked.

Command: john --wordlist=/usr/share/wordlists/rockyou.txt decrypted.txt

So we found that the passphrase of Kay's id_rsa key is beeswax.
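Added as a defender-side check, not code from the original report: the cracking step above works only because kay's key could be read from another user's shell and its sole protection was a dictionary passphrase. This Python snippet reads the same header fields ssh2john extracts (the cipher and KDF names of the openssh-key-v1 format, or the Proc-Type header of legacy PEM keys) to tell whether a key is passphrase-protected at all, and flags keys whose file mode lets group/other access them; the sample key is constructed, not a real key.

```python
import base64
import stat
import struct

PEM_ENCRYPTED = "Proc-Type: 4,ENCRYPTED"  # header of an encrypted legacy PEM key
OPENSSH_BEGIN = "-----BEGIN OPENSSH PRIVATE KEY-----"
OPENSSH_END = "-----END OPENSSH PRIVATE KEY-----"
OPENSSH_MAGIC = b"openssh-key-v1\x00"

def _ssh_string(blob, offset):
    """Read one SSH wire-format string: 4-byte big-endian length, then bytes."""
    (n,) = struct.unpack(">I", blob[offset:offset + 4])
    return blob[offset + 4:offset + 4 + n], offset + 4 + n

def key_is_passphrase_protected(key_text):
    """True if the private key body is encrypted, i.e. a passphrase stands
    between a copied key file and a usable key (what ssh2john/john attack above)."""
    if PEM_ENCRYPTED in key_text:
        return True
    if OPENSSH_BEGIN not in key_text:
        return False  # legacy PEM without the encryption header
    body = key_text.split(OPENSSH_BEGIN, 1)[1].split(OPENSSH_END, 1)[0]
    blob = base64.b64decode("".join(body.split()))
    if not blob.startswith(OPENSSH_MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    cipher, off = _ssh_string(blob, len(OPENSSH_MAGIC))
    kdf, _ = _ssh_string(blob, off)
    return cipher != b"none" and kdf != b"none"

def audit_private_key(key_text, mode):
    """Findings for a key file given its text and st_mode (e.g. os.stat(path).st_mode):
    the two weaknesses this room turned on, another user able to read the key and
    the passphrase being the only remaining barrier (or no passphrase at all)."""
    findings = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("group/other can access the key; expected mode 0600")
    if not key_is_passphrase_protected(key_text):
        findings.append("key is not passphrase-protected")
    return findings

def make_sample_openssh_key(cipher=b"aes256-ctr", kdf=b"bcrypt"):
    """Constructed stand-in for a real key: only the header fields are genuine,
    the key material is replaced by an empty block so the parser runs offline."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    blob = OPENSSH_MAGIC + s(cipher) + s(kdf) + s(b"") + struct.pack(">I", 1)
    return f"{OPENSSH_BEGIN}\n{base64.b64encode(blob).decode()}\n{OPENSSH_END}\n"
```

The check cannot judge passphrase strength offline; a key that passes it still falls to the wordlist run above if its passphrase is a dictionary word, so the permission finding is the one that actually blocks this path.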


9. What is the name of the other user you found?

Other user is Kay

10. If you have found another user, what can you do with this information?

We were able to connect to the server without knowing kay's password.

11. What is the final password you obtain?

Final password: heresareallystrongpasswordthatfollowsthepasswordpolicy$$
