Hacking the Basic Pen Test Machine (tryhackme)

 I started with the usual nmap scans and found several ports of interest.




I decided to visit the website on port 80 as a Gobuster scan was being undertaken. There was nothing of real interest on the page being served, but when I looked at its source I found a comment which referred to a developer directory. I tried /dev and /note but they did not work. The Gobuster scan found /development.





The obvious next place to go was the /development directory. I found two .txt files in there. They both contained useful information, but j.txt seemed to be the most useful for my next steps.




The name J was now of interest, so I kept it in mind as I went about checking out the SMB services listening on ports 139 and 445.





It would seem J stood for Jay and K for Kay. I created a file of possible usernames and then went about brute forcing accounts.





I started with the auxiliary/scanner/smb/smb_login module in msfconsole, but this did not work. I then tried default credentials for Tomcat on port 8080 at the /manager page. I used Burpsuite's intruder tool along with user:pass strings encoded into Base64 for this attempt (grepping on You are not authorized) but this did not work. My last port of call was SSH. I used hydra with my custom made username file and rockyou.txt





I was able to use the found credentials to SSH into the machine. I did some simple enumeration of the machine and discovered that kay was also a user but without root privileges.






I tried to use su to switch user to kay but without the correct password this did not work. sudo -l did not work because jan could not use sudo I checked /etc/crontab for cron job privilege escalation roots and I had a look at binaries with the SUID bit set. One of these stood out - it was vim.basic but without being able to use sudo I wasn't able to escalate to root from jan's account. I found a file called pass.bak in kay's home directory, but jan did not have read access to it. It became clear that I needed to find a way to log in as kay so I started searching for passwords. I eventually found an RSA private key.




I copied this to my local machine and tried to log back into the victim machine using it. I soon discovered that I needed to supply a passphrase in addition to the private key and after several attempts I aborted the effort.





My next step was to try to crack the passphrase for the RSA private key, so I located ssh2john.py and used it to create a hash I could use in johntheripper. John was successful so I could now try to SSH back into the machine as kay






This worked and I was now able to see the contents of the pass.bak file.




This marked the end of the Basic Pen Test machine on the tryhackme website as the last question was to provide the password I had just discovered. I wanted to carry on, however, as kay was still not root. I therefore tried sudo -l as kay and was happy to see the results.




I remembered how I had seen that vim.basic had the SUID bit set, so I decided I would now try to use that in order to get a root shell.





This worked and I was able to finally complete the machine by finding the root flag!














Popular posts from this blog

Hacking Year of the Owl (thm)

Image
NOTE: I am currently migrating my writeups and cybersecurity notes to  my github This writeup can be found in a new and shiny form at puzz00 year of the owl writeup  --- The Year of the Owl is a machine by MuirlandOracle on tryhackme   We start by using nmap to scan the TCP ports. The results show us that this appears to be a windows machine because we see netbios on port 139, SMB on 445 and winrm on its default port of 5985. We take a closer look but don't find much of interest. Since SMB is running, we can try a null session attack, but this does not work. We cannot connect using rpcclient without valid creds, either. Web app enumeration does not reveal anything of interest, so I have not included it in this post. We need to find another way to enumerate usernames and potential passwords. We can try common UDP ports using nmap. The results come back in the open|filtered state which is not very useful. We do not know if the ports are open or if the UDP datagrams are bei...
Read more

Hacking Reset (thm)

Image
  NOTE: I am currently migrating my writeups and notes regarding hacking aka pentesting to  my github - my reset writeup can be found here     Reset is a fun active directory based box on thm   We start with an nmap scan which shows us that the target machine is probably a domain controller as it has port 88 open. Domain controllers typically have this port open since they are involved in kerberos based authentication. We also find some useful data regarding the domain and machine we are attacking. In addition, we find port 5985 is open - this is of interest as it is a port which is used by winrm which in turn is a service which could potentially give us a remote session on the target machine if we find valid credentials.    Since smb is being used, we start our enumeration of the haystack machine by taking a look at it - can we get a null session and thereby enumerate useful data? We find that we can. The IPC$ share has read access to non-authentica...
Read more

Simple CTF (tryhackme)

Image
  I started with a quick SYN scan of all ports on the target machine. The -T4 flag speeds up the scan from the default -T3 and the -p- flag specifies all ports to be scanned. As can be seen from the results, ports 21, 80 and 2222 had services listening on them. It was now time to take a closer look at those three ports, so I used the -A flag with nmap to find out more. The anonymous login allowed using FTP on port 21 seemed interesting, so I connected to it in passive mode using the username anonymous and no password ftp -p 10.10.179.144 The connection was successful, but I could not get any listing of the directories or files using ls so I turned my attention to port 80 by navigating to the home page in my browser. I was greeted with a default Apache "It Works!" page. I then checked the robots.txt file and fired up a directory buster. I used gobuster as it is fast, but dirb, dirbuster or a home-grown one would also do. The /simple directory stood out as interesting, so I na...
Read more