
TryHackMe – Basic Pentesting Walkthrough

Introduction

As the name suggests, this was a really simple challenge that involved accessing an open SMB share to identify usernames, performing an SSH brute-force attack to obtain access, and cracking the passphrase of a world-readable SSH private key to escalate privileges.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, with the following flags:

  • -sC to run default scripts
  • -sV to enumerate application versions

The scan identified ports 22 (SSH), 80 (HTTP), 139 (NetBIOS), 445 (SMB), 8009 (HTTP) and 8080 (HTTP); the next step is to start enumerating HTTP.

Enumerating HTTP

The following page is displayed when navigating to the site on port 80:

The next step is to run a scan to find hidden files or directories using Gobuster, with the following flags:

  • dir to specify the scan should be done against directories and files
  • -u to specify the target URL
  • -w to specify the word list to use
  • -t to specify the number of concurrent threads

The scan identified a /development directory; when visiting it, dev.txt and j.txt files are available:

Using the smbclient tool to enumerate open shares through a NULL session:

It appears there is an “Anonymous” share. When connecting to it, a staff.txt file can be seen:

Downloading the file and reading it locally:

The file mentions Jan and Kay, so these usernames could be used to perform a brute-force attack against the SSH service.

Using Hydra to brute-force the password, with the following flags:

  • -f to stop the attack when a valid password is found
  • -l to specify the username for the brute-force attack
  • -P to specify the wordlist to use for the brute-force attack
  • the service and target to brute force

Authenticating as jan via SSH:
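From the defender's side, the brute-force step above leaves a very recognisable trail in the SSH daemon's log. The following is an added example, not part of the original walkthrough: a small detector run over constructed auth.log lines (the addresses, usernames and timestamps are placeholders, and the four-failure threshold is an assumption) that flags noisy sources and any password login accepted from one of them afterwards.

```python
import re

# Constructed sample auth.log lines (not from the original post); the source
# addresses and usernames are placeholders chosen to mirror the walkthrough.
SAMPLE_AUTH_LOG = """\
Apr 10 12:00:01 target sshd[1201]: Failed password for jan from 10.0.0.5 port 51000 ssh2
Apr 10 12:00:02 target sshd[1202]: Failed password for jan from 10.0.0.5 port 51002 ssh2
Apr 10 12:00:02 target sshd[1203]: Failed password for invalid user kay from 10.0.0.5 port 51004 ssh2
Apr 10 12:00:03 target sshd[1204]: Failed password for jan from 10.0.0.5 port 51006 ssh2
Apr 10 12:00:04 target sshd[1205]: Accepted password for jan from 10.0.0.5 port 51008 ssh2
Apr 10 12:05:00 target sshd[1300]: Failed password for admin from 10.0.0.9 port 40000 ssh2
Apr 10 12:05:30 target sshd[1301]: Accepted publickey for admin from 10.0.0.9 port 40002 ssh2
"""

# sshd logs "invalid user" when the name does not exist on the box; the
# optional group lets both forms match so username guessing is still counted.
FAILED_RE = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?"
                       r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\w+) for "
                         r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+")

def analyse_auth_log(text, threshold=4):
    """Return (sources, compromised): sources with >= threshold failed password
    attempts, and password logins accepted from such a source later in the log."""
    failures = {}
    compromised = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            rec = failures.setdefault(m["ip"], {"failures": 0, "users": set()})
            rec["failures"] += 1
            rec["users"].add(m["user"])
            continue
        m = ACCEPTED_RE.search(line)
        if m and m["method"] == "password":  # key-based logins are not brute-forced
            prior = failures.get(m["ip"])
            if prior and prior["failures"] >= threshold:
                compromised.append((m["user"], m["ip"]))
    sources = {ip: {"failures": r["failures"], "users": sorted(r["users"])}
               for ip, r in failures.items() if r["failures"] >= threshold}
    return sources, compromised

if __name__ == "__main__":
    hits, logins = analyse_auth_log(SAMPLE_AUTH_LOG)
    for ip, rec in hits.items():
        print(f"{ip}: {rec['failures']} failures against {rec['users']}")
    for user, ip in logins:
        print(f"ALERT: password login for {user} from {ip} after brute force")
```

On a real host the same pattern is what fail2ban keys on, and disabling password authentication in sshd_config removes the attack path entirely.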

Privilege Escalation

When enumerating common files and folders, it appears there is a “kay” user on the box:

There is a world-readable private SSH key in the kay user’s home directory, although it requires a passphrase:

Copying the key to a file on the local Kali machine:

Using the ssh2john tool to extract a crackable hash from the key:

Using John the Ripper with the following flags to crack the previously extracted hash:

  • --wordlist to specify the wordlist to be used, in this case, rockyou
  • the text file containing the hashes, one per line

The hash was cracked successfully. Logging into the machine as kay with the recovered passphrase:

After obtaining access to the system as the kay user, the challenge is concluded.

Conclusion

This was obviously a fairly trivial challenge, but it illustrates how misconfigured services and weak credentials can very often lead to a full system compromise; in the real world these kinds of attacks are not at all uncommon.