
Basic Pentesting TryHackMe CTF

Tools used

We are performing a penetration test on a web application. Some of the tools and tactics we will be using include:

  • brute forcing
  • hash cracking
  • service enumeration
  • Linux enumeration

I am using the most trusted and widely used toolkit in hacking: Kali Linux 🙂

I started off with a simple ping to make sure the target was awake.

The assigned IP of my attack target is 10.10.1.103.

And I move on to nmap:

> nmap -sV -sC -Pn -oN pentest_web.txt 10.10.1.103

This is a standard nmap scan used by penetration testing professionals.

-sS gives us a stealth (SYN) scan (not used in the command above)

-sV probes the open ports and tries to find service and version information

-sC runs the default scripts against the open ports, which also check for some common vulnerabilities

-Pn skips host discovery and treats the host as up

-oN writes the output to a file, which we named pentest_web.txt

Right off the bat, I can see that there is a website hosted on port 80, and port 22 is open, which means we can connect remotely with SSH.

It also has Samba open. Samba allows the request of services from a server on a network. So, from that information, and because it is running Ubuntu, we can assume it is a Linux machine!

The version of SSH running is OpenSSH 7.2p2 Ubuntu. We can do a quick vulnerability search for this version using the Kali-installed tool searchsploit!

And you can see it is vulnerable to username enumeration.

Because we see that port 80 is open, let's also open the web browser to view their web service.

We can see the following information.

Nothing that helps. Let's view the source and get more info.

So we have some type of developer notes… I'm going to try an nmap scan running an enumeration script specifically against port 80 to see if I can acquire any more information.

> nmap -p80 --script http-enum 10.10.1.103

So, we have a development link. Let's browse to it: 10.10.1.103/development/

We have 2 files under this development page! Let's open them and see.

We have messages in the development notes on the web server. As we can see, we have information in these files.

We found 2 users, K and J, along with versions of the server to be noted as well. We can use enum4linux to get more information:

> enum4linux -a 10.10.1.103

The -a gives us all the preset search types. So, we get some information on users within this web server. Take a look:

Along with some share information, we see Anonymous and IPC as share names on the SMB server.

Again, SMB stands for Server Message Block, and it is a network protocol that enables users to communicate with remote computers and servers. We found out that SMB is running from our initial nmap scan earlier.

A recap: we found during our initial nmap scan that port 445 is open. This is how we know SMB is being used, along with other info we gathered.

We can use the smbclient command along with a share name to see if we acquire any more information or flags.

> smbclient //10.10.1.103/Anonymous

I hit Enter at the password prompt (anonymous login) and entered dir to list the share.

We see a txt file.

Let's use the command get:

> get staff.txt

If we go back to our home directory, we can see the text file.

We crack open that file and we get info! Right on! We have the complete names now: Jan and Kay. We have usernames. Now let's brute-force the passwords. Let's use hydra, a popular password-cracking tool.

> hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.1.103 -I

(That is a lowercase L in -l at the beginning and a capital i in -I at the end, for clarity.)

And rockyou is a famous list of 14,341,564 unique passwords taken from real users in a severe breach many years back.

We got a password for Jan! It is Armando. Now we have a server, a username, and a password. Let's break into Jan's user account. We will SSH (secure shell) into Jan:
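The hydra run above leaves a very recognisable trail in the target's sshd log, so here is an added detection example (not part of the original walkthrough) that counts failed logins per source address over some constructed auth.log lines and flags both the burst of failures and the successful login that follows it. The attacking address 10.10.1.50 and the log lines are made up for this example.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not from the page). The source address
# 10.10.1.50 is a placeholder for the machine running hydra.
SAMPLE_AUTH_LOG = """\
Apr 14 10:01:01 web sshd[1201]: Failed password for jan from 10.10.1.50 port 51000 ssh2
Apr 14 10:01:01 web sshd[1203]: Failed password for jan from 10.10.1.50 port 51002 ssh2
Apr 14 10:01:02 web sshd[1205]: Failed password for invalid user admin from 10.10.1.50 port 51004 ssh2
Apr 14 10:01:02 web sshd[1207]: Failed password for jan from 10.10.1.50 port 51006 ssh2
Apr 14 10:01:03 web sshd[1209]: Failed password for jan from 10.10.1.50 port 51008 ssh2
Apr 14 10:01:03 web sshd[1211]: Accepted password for jan from 10.10.1.50 port 51010 ssh2
Apr 14 10:05:00 web sshd[1300]: Accepted publickey for kay from 10.10.1.50 port 51200 ssh2
Apr 14 10:07:00 web sshd[1310]: Failed password for kay from 10.10.1.77 port 40000 ssh2
"""

FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port")
ACCEPTED = re.compile(r"Accepted (\w+) for (\S+) from (\S+) port")


def analyse(log_text, threshold=5):
    """Count failed SSH logins per source IP and return (failures, alerts).

    An alert fires when a source reaches `threshold` failures (a wordlist attack
    like the hydra run above), and again when a login is accepted from a source
    that already tripped the threshold (one of the guesses worked)."""
    failures = defaultdict(int)
    users_tried = defaultdict(set)
    alerts = []
    for line in log_text.splitlines():
        m = FAILED.search(line)
        if m:
            user, ip = m.groups()
            failures[ip] += 1
            users_tried[ip].add(user)
            if failures[ip] == threshold:
                alerts.append(f"brute-force: {ip} reached {threshold} failed logins "
                              f"(users tried: {sorted(users_tried[ip])})")
            continue
        m = ACCEPTED.search(line)
        if m and failures.get(m.group(3), 0) >= threshold:
            method, user, ip = m.groups()
            alerts.append(f"success-after-failures: {user} via {method} from {ip} "
                          f"after {failures[ip]} failures")
    return dict(failures), alerts


if __name__ == "__main__":
    print(*analyse(SAMPLE_AUTH_LOG), sep="\n")
```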

> ssh jan@10.10.1.103

What does Jan have access to? Nothing really.

Let's see what Jan is connected to, though. cd .. back out of Jan's home directory and we get this:

Kay is listed as a user in the directory!!!??? Let's view it.

I tried a few and found this, under .ssh: we have access to the private and public keys! We see public and private.

This is known as an RSA key pair. The RSA private key is used to generate digital signatures, and the RSA public key is used to verify digital signatures.

The RSA public key is also used for key encryption of DES or AES data keys, and the RSA private key is for key recovery.

We are going to focus on the private key. We crack open id_rsa and get this:

As expected, it is used for encryption, and clearly not a password we need for Kay's account. We copy and paste that long text into a file we created on our own terminal:

> vim id_rsa

This creates a vim file that we can directly add text to. We paste it and exit using :wq! This is like yelling SAVE! to the file lol

So a quick test. Let's try to secure shell into Kay's account with the id_rsa file:

> ssh -i id_rsa kay@10.10.1.103

And as we expected, it needs a passphrase :(

But we can see here, if we provide the correct passphrase, we get a key!

But… we can try to crack the passphrase of the id_rsa file we created earlier, "hopefully", using John the Ripper. So I opened john:

> cd /usr/share/john

> ls -a to show the directory contents

Now we make a file for the hash and feed it into john:

> ./ssh2john.py ~/Documents/id_rsa > hash.txt

So, we used the john script ssh2john.py and gave it our id_rsa file to produce hash.txt, with our hashed output.

We now have a hash in the hash.txt file.

A weak hash.

Look at the 1. Within Linux, a shadow file hash of $1$ is considered a weak version of hashing.

We open the location where John the Ripper is and give it the hash.txt file to run wordlists against it. Again, we are using john to run a wordlist against this text file.

We are turning the hash into a passphrase!

And we get it! Beeswax!
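As an added example that is not from the original write-up: the reason john gets through this passphrase so fast is that a legacy PEM key (the "BEGIN RSA PRIVATE KEY" format that older ssh-keygen versions produced by default, assumed here to be the format of Kay's key) derives its cipher key from a single MD5 pass over the passphrase, so each wordlist guess is cheap, while the newer openssh-key-v1 format runs the passphrase through bcrypt rounds. The checker below classifies a key file by that property; the sample key files are constructed and contain no real key material.

```python
import base64
import struct


def _read_string(blob, off):
    """Read one 4-byte-length-prefixed string from an openssh-key-v1 container."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def classify_private_key(pem_text):
    """Return 'unprotected' (no passphrase), 'legacy-pem' (old PEM format: cipher key
    is one MD5 pass over the passphrase, so wordlists are cheap, which is what john
    exploited above) or 'bcrypt-kdf' (new openssh-key-v1 format with bcrypt rounds)."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    header, body = lines[0], lines[1:-1]
    if header == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(body))
        if not blob.startswith(b"openssh-key-v1\x00"):
            raise ValueError("not an openssh-key-v1 container")
        off = len(b"openssh-key-v1\x00")
        cipher, off = _read_string(blob, off)   # e.g. b"aes256-ctr" or b"none"
        kdf, off = _read_string(blob, off)      # e.g. b"bcrypt" or b"none"
        if cipher == b"none":
            return "unprotected"
        return "bcrypt-kdf" if kdf == b"bcrypt" else "unknown-kdf:" + kdf.decode()
    # Legacy PEM: passphrase protection is announced by RFC 1421 style headers.
    headers = dict(l.split(":", 1) for l in body if ":" in l)
    if headers.get("Proc-Type", "").strip() == "4,ENCRYPTED":
        return "legacy-pem"
    return "unprotected"


def _openssh_blob(cipher, kdf):
    """Build just the leading fields of an openssh-key-v1 file (constructed sample)."""
    payload = (b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher
               + struct.pack(">I", len(kdf)) + kdf)
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(payload).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed samples, not real keys; the base64 body of the legacy one is filler.
SAMPLE_LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

bm90IGEgcmVhbCBrZXk=
-----END RSA PRIVATE KEY-----
"""
SAMPLE_NEW_BCRYPT = _openssh_blob(b"aes256-ctr", b"bcrypt")
SAMPLE_NEW_NONE = _openssh_blob(b"none", b"none")
```

Any key that classifies as legacy-pem can be moved to the bcrypt format in place with ssh-keygen -p -o -a 100 -f id_rsa, which makes each guess cost bcrypt work instead of one MD5 call.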

So we can now hop into the terminal where Jan is located and ssh into Kay's account:

> ssh -i id_rsa kay@10.10.1.103

We get prompted to enter the passphrase, so we do.

And we are in! So, we can now view what Kay has in her files.

A pass.bak file. We open it up and we get a password! Our final flag!!

Password blacked out to keep it secure for TryHackMe.

This CTF took a while, and I learned a lot. It is interesting to see how a passphrase is encrypted, and how we need that passphrase to gain access to the user's password.

It is also interesting to see how, within a few seconds, we can type a command to determine vulnerabilities on a given user and server.

Updates, updates, updates! Always keep up on updates and security patches for servers and users. Have long passwords with several types of special characters, and create more wasted time or hoops to jump through for any person or bot trying to steal credentials.

In cybersecurity we are in the business of keeping people in business. We can get lucky every day as security admins or cybersecurity personnel. And that is great!

But, it only takes a criminal 1 time to get lucky. Only one.