Basic Pentesting TryhackMe Walkthrough

Hello everyone. This is my first article. In this article I am showing you how to exploit a machine from the Beginner path on TryHackMe. Concepts covered in this article:

  1. Directory brute forcing
  2. Password brute forcing
  3. Gaining access to an SSH server

Scanning:

Let’s scan the target IP for open ports with the following command:

nmap -sC -sV 10.10.146.38

The output will be similar to the following image.

Nmap Output

We can observe that port 22, which runs the SSH service, is open. This is the port we are going to exploit.

The next step in any penetration test is directory brute forcing: we need to check whether the web server has any hidden directories. We use the gobuster tool for this.

Gobuster output

We found that /development is a hidden directory, so let’s open it in the browser.

We can observe that there are two text files, dev and j.txt. Let’s check what they contain; they may hold some interesting information.

If we open the two text files, we can see a conversation between J and K. From it we learn that the passwords are weak and that SMB is active. (I didn’t capture a screenshot of that page, sorry for the inconvenience.)

Enumerating SMB port:

So let’s enumerate the SMB port with the enum4linux command. It can give us the usernames on the machine.

Use the following command: enum4linux -a 10.10.146.38

enum4linux

So we found that there are two users, Kay and Jan. I guess the conversation in those two text files is between these two users (K = Kay, J = Jan).

Password Bruteforcing:

Now that we have a username, we need a password to get remote access to the device. We use Hydra for password brute forcing, so run the following command:

hydra -t 4 -l jan -P /path_for_rockyou.txt_file ssh://10.10.146.38

This takes some time depending on your system speed. The output looks similar to the following one.

hydra output

So we finally got the credentials of the user jan. Now it’s time to connect to the server.
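The Hydra run above produces a burst of failed SSH logins against one account, followed by a single success, and that pattern is visible to a defender in sshd’s auth log. The following is an added example (not part of the original walkthrough), in Python: it parses constructed auth.log lines (the source address 192.0.2.10, the timestamps and the PIDs are made up) and raises an alert when one source exceeds a failure threshold against one user within a time window, and again if that source then logs in successfully.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not from the walkthrough); the source
# address 192.0.2.10 and the timestamps are made up for illustration.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 target sshd[1201]: Failed password for jan from 192.0.2.10 port 40001 ssh2
Mar  3 10:15:02 target sshd[1202]: Failed password for jan from 192.0.2.10 port 40002 ssh2
Mar  3 10:15:02 target sshd[1203]: Failed password for jan from 192.0.2.10 port 40003 ssh2
Mar  3 10:15:03 target sshd[1204]: Failed password for jan from 192.0.2.10 port 40004 ssh2
Mar  3 10:15:03 target sshd[1205]: Failed password for jan from 192.0.2.10 port 40005 ssh2
Mar  3 10:15:05 target sshd[1206]: Accepted password for jan from 192.0.2.10 port 40006 ssh2
Mar  3 10:20:00 target sshd[1300]: Failed password for kay from 198.51.100.7 port 51000 ssh2
Mar  3 10:21:00 target sshd[1301]: Accepted publickey for kay from 198.51.100.7 port 51001 ssh2
"""

# One sshd auth line: timestamp, outcome, method, user, source address.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_events(log_text, year=2024):
    """Yield (timestamp, outcome, user, src) for each sshd auth line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["outcome"], m["user"], m["src"]

def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Alert when one source racks up `threshold` failures against one user
    inside the sliding window, and again if that source then logs in."""
    recent = defaultdict(list)   # (src, user) -> failure timestamps in window
    alerts = []
    for ts, outcome, user, src in parse_events(log_text):
        key = (src, user)
        recent[key] = [t for t in recent[key] if (ts - t).total_seconds() <= window_seconds]
        if outcome == "Failed":
            recent[key].append(ts)
            if len(recent[key]) == threshold:   # fire once per burst
                alerts.append(("bruteforce", src, user, threshold))
        elif len(recent[key]) >= threshold:     # success right after the burst
            alerts.append(("success_after_bruteforce", src, user, len(recent[key])))
    return alerts
```

On the sample log this returns two alerts for jan from 192.0.2.10 and none for kay, whose single failure followed by a public-key login stays under the threshold.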

Use the command: ssh jan@10.10.146.38

If you are asked a question, answer yes. Then enter the password.

BOOM!! We are connected to the server and now have access to the device. If you go to the /home/kay directory you will find a file called pass.bak, but you cannot open it, which means kay is the root or admin user. We need to gain access to kay’s account.

Privilege Escalation

We need to find a backup file to get kay’s password, so let’s dig deeper in this directory. Run the command ls -al to list all the hidden files in that folder. We can see a folder called .ssh; let’s go there. Inside it there is a file named id_rsa. Open it, copy the key to your own system and save it as id_rsa.

Now navigate to the folder on your system where the ssh2john.py script is; you will find it in /usr/share/john. We need to convert the id_rsa key into a hash format that John the Ripper can crack. The command is:

./ssh2john.py id_rsa > hash.txt

This creates a hash.txt file in that directory. Now we extract the password from that file with the help of John the Ripper. The command is:

john hash.txt --wordlist=<path_for_rockyou.txt>

This extracts the password and displays it in the terminal. Now we have the username (kay) and the password for the admin. Let’s access his account.

The command is similar to the one used to connect as jan over SSH, with a small change: since we are using the backed-up id_rsa key, we need to specify it.

Command: ssh -i id_rsa kay@10.10.146.38

HURRAY!! We have access to kay’s account. Now we can open the pass.bak file and read the flag.

This lab is beginner friendly and helps you test and improve your basic skills. I will post the walkthroughs of other labs one by one.

That’s it, the room is done. You can contact me on my Instagram account.

Tridev Reddy