Hello Everyone. This is my first article. In this article I am showing you how to exploit a machine in Beginner path in TryHackMe. Concepts covered in this article:
- Directory Brute Force
- Password Brute forcing
- Gaining access to SSH server.
Let’s scan the IP for open ports. Use the following command to scan open ports.
nmap -sC -sV 10.10.146.38
The output will be similar to the following image.
We can observe that, port 22 which has ssh service is open. Now we have to exploit this open port.
The next step we need to do in any penetration testing is, Directory brute forcing. We need to check whether there are any hidden directories. So we use gobuster tool for this method.
We found that /development is a hidden directory. So let’s check that directory in our browser.
We can observe that there are two text files namely, dev and j.txt. So let’s check what’s in it. Something interesting information may contain.
If we open the two text files, we can see that there is a conversation between J and K. We came to know that passwords are weak and SMB is set active. (I didn’t captured screenshot of that page, I am sorry for inconvenience).
Enumerating SMB port:
So let’s enumerate SMB port by enum4linux command. We can get the username for smb port.
Use the following command: enum4linux -a 10.10.146.38
So we found that there are two users, Kay and Jan. So I guess the conversation in those two text files are these two users(K=Kay, J=Jan).
Now we got the username, we need password to connect to smb port for remote access to that device. We use Hydra for password brute forcing. SO use the command hydra -t 4 -l jan -P /path_for_rockyou.txt_file ssh://10.10.146.38
This takes some time depending on your system speed. The output looks similar to the following one.
So we finally got the credentials of the user jan. Now it;s time to connect to the server.
Use the command: ssh firstname.lastname@example.org
If you were asked a question, answer it yes. Then enter the password.
BOOM!!. We are connected to the server. Now we have access to that device. If you go to /home/kay directory you will find a file called pass.bak. But you cannot open it, So it means kay is the root or admin. We need to gain access to kay’s account.
We need to find a backup file to get kay’s password, so let’s dig more deeper in this directory. Run the command ls -al to list all the hidden files in that folder. W can see that there is folder called .ssh, let’s go there. Inside it there is file named id_rsa. Open it and copy the key in your system and name it id_rsa.
Now navigate to the folder in your system, where ssh2john.py script is. You will find it in /usr/share/john. Now we need to convert the id_rsa key to a hash format which can be extracted by john the ripper. The command is:
./ssh2john.py id_rsa > hash.txt
Now a hash.txt file will be created in that directory. We need to extract password using that file with the help of John the Ripper. The command is
john hash.txt — wordlist=<path_for_rockyou.txt>
This will extract the password and display it in terminal as shown above. Now we got username(kay) and password for the admin. Let’s access to his account.
The command is similar to connecting to jan by ssh, with a small change. As we are using the backup file id_rsa, we need to specify that.
Command: ssh -i id_rsa email@example.com
HURRAY!! We got access to kay’s account, now we can open pass.bak file and read the flag.
This lab is a beginner friendly which helps to improve and test your basic skills. I will post the walkthroughs of other labs one by one.
That’s it the room is done. You can contact me on my Instagram account .