On this post, I would like to share the trick to tackle Basic Pentesting. The objective of this machine would be to gain skills and knowledge on web application hacking and privilege escalation.
From the information that we can see above, we can predict that the machine will be running in Linux Operating System Environment. We also can expect that we require to find password that stored in the system.
Let’s started the challenge right now!
As usual, we need to deploy the machine so that we can access the machine later on while doing the challenges.
Once we have successfully deployed the machine, let start run the Nmap command in order to understand the machine a little bit.
The command that we will use would be something like
nmap -sV -T5 <IP Address> -PN
From the nmap’s result, I notice that port ssh and HTTP is open and let’s go to the website interface
Oh wow! The website is undergoing maintenance and nothing interesting have appeared here. At least, we know that the website is running for this server.
I will be running dirb to see whether another directory or sub-directory been implemented inside the website.
While waiting for the result completed, there is one directory that caught my attention. This website have a directory named /development/ and let see if anything useful been stored there.
The directory that we found did lead to Index of /development page with two .txt file which looks nothing to me by just see the filename.
Let go analysis those files and hope we can receive any clues or hints for this server.
From this message, we have been given information that the server is running Apache 2.5.12 and let’s do some research on Apache 2.5.12
I found that it’s Apache Struts 2.5.12 and it was last modified in 2017 which mean it was an outdated apache.
Let check on the another file!
Based on the message on this, we know that J and K are working closely together. We also notice that User “J” have been using a weak password. We might be using the user “J” to do some password cracking which it will less time.
While we already know that the machine is using the Linux Operating System Environment, we might as well run enum4linux to get more details on the machine’s details.
The command that we might be using can be seen as follows:
enum4linux -r <IP address>
The process will take a few minutes until we can see the username and password that represent “J” and “K”
We notice that the user “J” is jan and “K” is kay. So, we can key-in this answer into the TryHackMe question.
As we have already known that J has a weak password, so let start brute force the user to gain his password via hydra
hydra -l jan -P /home/darknite/Desktop/rockyou.txt ssh://<IP Address>
* I save the rockyou.txt that contain common password at my Desktop Directory. It normally depends on where you save the files. By default, it will save at /usr/share/wordlists/rockyou.txt
There is one question on the TryHackMe Basic Pentesting which sound such as
What service do you use to access the server(answer in abbreviation in all caps)?
The answer is ssh
We have username, password and service in order to access the server.
ssh jan@<ip address>
We are in the system via Jan’s ssh access. Let look around the Linux Operating System Environment for any suspicious file or directory
We found nothing here! Moving on to another user “kay” and see if there is any suspicious folder there.
After looking into kay folder, there is one file that caught my attention which pass.bak but sadly we have the right to open the file at all.
Then i test my luck and roam around .ssh folder
There is public key and private key for the ssh session. Let open and copy the content into your kali machine in order to decrypt ssh key.
In order to decrypt ssh key, we will be using ssh2john tools. What is written in the ssh2john, let’s see!
Let start decrypt ssh key right now
Once you have completed, we crack the password for the username “kay”
We got the password/passphrase for username “kay” and let’s ssh into “kay” and roam inside
The command that we need to key-in to get this would be
ssh -i /home/kay/.ssh/id_rsa kay@<IP Address>
I just remember that pass.bak cannot been open via username “jan” so let open the file using username “kay”
We are done with answering all question on TryHackMe: Basic Pentesting
This challenge will not completed if we dont get the root flag
Let’s us get that root flag in this machine. Firstly, we need to check if username “kay” can used root privileged
It didn’t show on the output here but let’s try our luck logging into root username. Let find root’s password and sadly I can’t find the password at all. I have lost around 2 minutes just to find the password.
Suddenly, i just remember about pass.bak and i was wondering what is the purpose of that file exist in the machine.
So, i try login root using the flag that been found in pass.bak and i successfully login as root.
Let go to root folder and look for the root.txt flag
Now, i have completely the challenge and i can sleep happily tonight.
Happy Learning Guys!