TryHackMe — Basic Pentesting | CTF | Beginner Friendly Walkthrough

Nithin R
Aug 5, 2021


Hello, this is Nithin here. I’m a security researcher / enthusiast and I go by the handle @thebinarybot at most of the places online.

Basic Pentesting is a very beginner friendly CTF at TryHackMe. Here’s my write-up on how I solved this room.

Source : tryhackme.com
  1. Web App Testing and Privilege Escalation

Q1. Deploy the machine and connect to our network

(No answer needed)

Q2. Find the services exposed by the machine

(No answer needed)

Q3. What is the name of the hidden directory on the web server (enter name without /)?

Ans : development

Q4. User brute-forcing to find the username & password

(No answer needed)

Q5. What is the username?

We know SMB is open on ports 139 and 445, so I tried hitting ports 139 and 445 to check for usernames.

I used enum4linux for this purpose. One can download the tool here.

Upon performing a scan, I got the below results.

./enum4linux -a IP

Ans : jan

Q6. What is the password?

For this task, I used hydra to do a brute-force with rockyou.txt and got the below result.

Ans : armando

Q7. What service do you use to access the server (answer in abbreviation in all caps)?

Ans : ssh

Q8. Enumerate the machine to find any vectors for privilege escalation

(No answer needed)

Q9. What is the name of the other user you found (all lower case)?

Just by enumerating, we found another user.

Ans : kay

Q10. If you have found another user, what can you do with this information?

pass.bak wasn’t readable, so maybe we can look into the ssh folder and check if there’s an id_rsa.

(No answer needed)

Copy paste this file to your local machine

Turns out there’s id_rsa and it’s readable. We can copy this file to our local machine and then use ssh2john to get the hash.

Once done, we can use john to crack the hash.

Q11. What is the final password you obtain?

To find this, we need to log in to kay’s account and read pass.bak.

But accessing kay’s account from the local machine wasn’t possible. So I tried to log in to kay’s account from jan’s account.

And, voilà.

Ans : heresareallystrongpasswordthatfollowsthepasswordpolicy

Feel free to contact me at @thebinarybot on Twitter if you feel there’s any correction(s) to be made in this article or for help to solve this room. Cheers :)
