THM Basic Pentesting Writeup

Dolyetyus

Co-Admin
21 Apr 2020
Hello everyone. In this topic, we will solve the machine called Basic Pentesting on the TryHackMe (THM) website. Let's get started.


First we perform an nmap scan:

Code:
nmap -sV -sS <machine ip>

[screenshot]


As a result of the scan, we learned that the ssh, http, netbios-ssn and ajp13 services are running on ports 22, 80, 139, 445, 8009 and 8080, respectively. Since port 80 is serving HTTP, let's enter the machine's IP address in the browser and take a look.

[screenshot]



This web application may have hidden directories. We will use the gobuster tool to find out:


Code:
gobuster dir -u http://10.10.13.149/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

[screenshot]


We found a "development" directory containing 2 files; let's explore them first:

[screenshot]

[screenshot]

[screenshot]


From the files above, we got the following information:
  1. SMB is configured.
  2. Apache Struts 2.5.12 is in use.
  3. User J uses a weak password that can be easily cracked.

Let's start enumerating the SMB port with the enum4linux tool:

Code:
enum4linux -a <ip address>

[screenshot]


Now that we have both usernames, let's brute-force both users with the famous tool Hydra.

Code:
hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://<ip>

[screenshot]


We successfully found the password for the jan account. Let's try logging in now:

Code:
ssh jan@<ip>

We have successfully logged in. Now let's examine this machine, specifically Kay's account, to get something out of it.

[screenshot]


After searching a bit deeper through Kay's directories, we found the SSH keys.

[screenshot]


Save the keys on your machine to a file using nano or the editor of your choice.

Now run the ssh2john tool to get the hash of the keys.


Code:
python /usr/share/john/ssh2john.py kay_id_rsa.txt > kay_id_rsa_ssh_hash.txt


Now we will use the John the Ripper tool to crack Kay's account password.

Code:
john --wordlist=/usr/share/wordlists/rockyou.txt kay_id_rsa_ssh_hash.txt

[screenshot]


Now access Kay's SSH using the Kay account's public keys (our password is beeswax).

Code:
ssh -i id_rsa kay@<ip>


Here we have successfully logged into Kay's SSH; now let's navigate to that password backup file and read its contents.

Code:
cat pass.bak


Finally we got the password, and with this the challenge is complete.



Translator: @Dolyetyus
Original Article: THM Basic Pentesting Writeup
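The Hydra step above is a password-guessing burst against sshd, and it leaves a very recognisable trail in the target's auth log. As an added example (editor's code, not part of the original post or the TryHackMe room), here is a small Python detector run over a few constructed sshd log lines: it counts failed logins per source address inside a sliding window and raises a second, higher-severity alert when a password login succeeds right after such a burst, which is exactly what happened to the jan account here. The syslog line format is the stock OpenSSH one; the threshold, window and the sample addresses are assumptions.

```python
"""Detect SSH password brute force (and a brute force that succeeded) from
sshd auth.log lines.  Added example; the log lines below are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Stock OpenSSH syslog line, e.g.
# "Apr 21 10:00:01 target sshd[1201]: Failed password for jan from 10.10.13.1 port 40001 ssh2"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse_line(line):
    """Return a dict for an auth event, or None for lines we do not care about."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    # syslog timestamps carry no year; we only need deltas between events
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
    return ev


def detect(lines, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window failure counter per source IP.

    Alerts:
      ("bruteforce", ip, user)               - threshold failures inside window
      ("success-after-bruteforce", ip, user) - password login accepted while a
                                               burst is still inside the window
    """
    alerts = []
    failures = defaultdict(deque)  # ip -> timestamps of recent failed logins
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        recent = failures[ev["ip"]]
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()  # expire failures older than the window
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) == threshold:  # fire once per burst
                alerts.append(("bruteforce", ev["ip"], ev["user"]))
        elif ev["method"] == "password" and len(recent) >= threshold:
            alerts.append(("success-after-bruteforce", ev["ip"], ev["user"]))
            recent.clear()
    return alerts


# Constructed sample: a hydra-style burst against jan, then a successful login.
SAMPLE_AUTH_LOG = [
    "Apr 21 09:59:50 target sshd[1200]: Server listening on 0.0.0.0 port 22.",
    "Apr 21 10:00:01 target sshd[1201]: Failed password for jan from 10.10.13.1 port 40001 ssh2",
    "Apr 21 10:00:02 target sshd[1202]: Failed password for jan from 10.10.13.1 port 40002 ssh2",
    "Apr 21 10:00:03 target sshd[1203]: Failed password for jan from 10.10.13.1 port 40003 ssh2",
    "Apr 21 10:00:04 target sshd[1204]: Failed password for jan from 10.10.13.1 port 40004 ssh2",
    "Apr 21 10:00:05 target sshd[1205]: Failed password for jan from 10.10.13.1 port 40005 ssh2",
    "Apr 21 10:00:06 target sshd[1206]: Failed password for jan from 10.10.13.1 port 40006 ssh2",
    "Apr 21 10:00:07 target sshd[1207]: Accepted password for jan from 10.10.13.1 port 40007 ssh2",
    "Apr 21 10:00:30 target sshd[1250]: Failed password for invalid user admin from 10.10.13.2 port 50001 ssh2",
    "Apr 21 10:05:00 target sshd[1300]: Accepted publickey for kay from 10.10.13.1 port 41000 ssh2: RSA SHA256:constructed",
]


def run_demo():
    """Run the detector over the constructed sample and return its alerts."""
    return detect(SAMPLE_AUTH_LOG)


if __name__ == "__main__":
    for alert in run_demo():
        print(*alert)
```

The single failure from 10.10.13.2 never reaches the threshold, and the later key-based login by kay does not trip the second rule because only password logins are correlated with a preceding burst; that keeps the alert tied to the credential-guessing pattern rather than to every login from a noisy address.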

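The foothold on kay's account came from two hygiene failures rather than a software bug: an SSH private key whose passphrase was in rockyou, and a plaintext pass.bak left in the home directory. As an added example (editor's code, not the author's or the room's), here is a Python audit script that walks a directory tree and reports private keys together with whether they are passphrase-protected (from the PEM Proc-Type header for legacy keys, or the ciphername/kdfname fields of the openssh-key-v1 format), files readable by group or other, and backup files named like credential dumps. The sample home directory it builds is constructed inline; the OpenSSH blobs in it are header-only stubs, not real keys, and the file-name patterns are assumptions.

```python
"""Audit a directory tree for the material that gave away kay's account in the
writeup: private keys (passphrase-protected or not), files readable by other
users, and credential backups such as pass.bak.  Added example; the name
patterns are assumptions and the sample files are constructed below."""
import base64
import os
import re
import stat
import struct
import tempfile

PEM_KEY_RE = re.compile(r"-----BEGIN (.*)PRIVATE KEY-----")
OPENSSH_MAGIC = b"openssh-key-v1\x00"
# Names that usually turn out to be credential dumps or backups of them (assumption)
BACKUP_NAME_RE = re.compile(r"(pass|passwd|password|shadow|cred).*\.(bak|old|orig|txt)$", re.I)


def read_ssh_string(buf, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    (length,) = struct.unpack_from(">I", buf, offset)
    offset += 4
    return buf[offset:offset + length], offset + length


def openssh_key_is_encrypted(body_b64):
    """Parse the start of an openssh-key-v1 blob: magic, ciphername, kdfname.
    ciphername 'none' means the private key is stored without a passphrase."""
    clean = re.sub(r"[^A-Za-z0-9+/=]", "", body_b64)
    raw = base64.b64decode(clean[:len(clean) // 4 * 4])
    if not raw.startswith(OPENSSH_MAGIC):
        raise ValueError("not an openssh-key-v1 blob")
    cipher, off = read_ssh_string(raw, len(OPENSSH_MAGIC))
    kdf, _ = read_ssh_string(raw, off)
    return cipher != b"none", cipher.decode(), kdf.decode()


def classify_key(text):
    """Return (is_private_key, is_passphrase_protected) for a file's text."""
    m = PEM_KEY_RE.search(text)
    if not m:
        return False, None
    label = m.group(1).strip()
    if label == "OPENSSH":
        body = "".join(l for l in text.splitlines() if not l.startswith("-----"))
        encrypted, _, _ = openssh_key_is_encrypted(body)
        return True, encrypted
    if "ENCRYPTED" in label:  # PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY"
        return True, True
    # Legacy PEM keys mark encryption with a Proc-Type: 4,ENCRYPTED header
    return True, "Proc-Type: 4,ENCRYPTED" in text


def audit_tree(root, max_read=65536):
    """Walk root and return (relative_path, finding) tuples."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & (stat.S_IRGRP | stat.S_IROTH):
                findings.append((rel, "readable by group/other (mode %o)" % mode))
            if BACKUP_NAME_RE.search(name):
                findings.append((rel, "looks like a credential backup"))
            try:
                with open(path, "r", encoding="utf-8", errors="replace") as fh:
                    text = fh.read(max_read)  # keys are small; cap reads anyway
            except OSError:
                continue
            is_key, protected = classify_key(text)
            if is_key:
                findings.append((rel, "private key, passphrase-protected" if protected
                                 else "private key WITHOUT passphrase"))
    return findings


def fake_openssh_blob(cipher, kdf):
    """Header-only openssh-key-v1 stub (constructed; NOT a usable key)."""
    raw = OPENSSH_MAGIC
    for field in (cipher, kdf):
        raw += struct.pack(">I", len(field)) + field.encode()
    raw += struct.pack(">I", 0)  # empty kdfoptions; the parser stops before this
    b64 = base64.b64encode(raw).decode()
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n%s\n-----END OPENSSH PRIVATE KEY-----\n" % b64


def build_sample_home():
    """Constructed home directory resembling what the writeup found."""
    root = tempfile.mkdtemp(prefix="audit_demo_")
    sshdir = os.path.join(root, ".ssh")
    os.makedirs(sshdir)
    samples = {
        os.path.join(sshdir, "id_rsa"): (fake_openssh_blob("aes256-ctr", "bcrypt"), 0o600),
        os.path.join(sshdir, "id_rsa_old"): (
            "-----BEGIN RSA PRIVATE KEY-----\nconstructed-not-a-real-key\n-----END RSA PRIVATE KEY-----\n", 0o644),
        os.path.join(root, "pass.bak"): ("constructed-not-a-real-password\n", 0o644),
    }
    for path, (content, mode) in samples.items():
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for rel, finding in audit_tree(build_sample_home()):
        print("%-20s %s" % (rel, finding))
```

A passphrase-protected key still falls to a wordlist if the passphrase is weak, as the john step shows, so the "passphrase-protected" finding is a necessary condition, not a clean bill of health; the script is meant as a periodic check on user home directories, where the two findings that matter most are unencrypted keys and anything named like a password backup.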

 

ıcmılızaY

Participating Member
28 Jul 2021
Thank you for your effort, sir.
-
Good forums, good watches.