[EN] TryHackMe Basic Pentesting Writeup

Abdurrahman Erkan
3 min read · May 17, 2021

Hello everyone. Today I will show you the solution to the Basic Pentesting CTF.

Let’s Start.

Task 1: Web App Testing and Privilege Escalation

1. Deploy the machine and connect to our network

No answer needed

2. Find the services exposed by the machine

3. What is the name of the hidden directory on the web server?

We will now do a directory search:

ffuf -u http://MACHINE_IP/FUZZ -w /wordlist_path

gobuster dir -w /wordlist_path -u http://MACHINE_IP/

Yay, we found the hidden directory, and we go there.

4. User brute-forcing to find the username & password

No answer needed

5. What is the username?

We check the pages. There were conversations about SMB, and we saw in the Nmap output that the SMB port is open.

I think we will use “enum4linux”.

enum4linux -a <MACHINE_IP>

We found usernames!!!

6. What is the password?

We only know the username, and we think SSH is the way in, so we will use “hydra”.

hydra -l jan -P /wordlist_path <MACHINE_IP> ssh

Yes, we found the password. Let's go inside.

We are in!!!
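From the defender's side, the hydra run above leaves a clear trail in the target's sshd log: a burst of failed logins for one username from one source address, followed by a success. The Python below is an added example, not code from the original writeup; it parses constructed auth.log-style lines (the host name, addresses, timestamps and the threshold of 5 failures in 60 seconds are all assumptions) and flags that pattern.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd lines as they appear in /var/log/auth.log: a guessing
# run against "jan" from one source, then a success. Host, IPs and times are made up.
SAMPLE_AUTH_LOG = """\
May 17 10:02:01 target sshd[1201]: Failed password for jan from 10.10.14.5 port 51000 ssh2
May 17 10:02:02 target sshd[1203]: Failed password for jan from 10.10.14.5 port 51002 ssh2
May 17 10:02:02 target sshd[1205]: Failed password for jan from 10.10.14.5 port 51004 ssh2
May 17 10:02:03 target sshd[1207]: Failed password for jan from 10.10.14.5 port 51006 ssh2
May 17 10:02:03 target sshd[1209]: Failed password for jan from 10.10.14.5 port 51008 ssh2
May 17 10:02:04 target sshd[1211]: Accepted password for jan from 10.10.14.5 port 51010 ssh2
May 17 10:30:15 target sshd[1300]: Accepted publickey for kay from 192.168.1.20 port 40000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse_auth_log(text, year=2021):
    """Return (timestamp, result, user, ip) tuples for each sshd login event."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # lines that are not sshd login events are ignored
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def detect_ssh_bruteforce(events, threshold=5, window_seconds=60):
    """Flag (ip, user) pairs with >= threshold failures inside window_seconds
    and record whether a later successful login for the same pair followed."""
    recent = defaultdict(list)  # (ip, user) -> failure timestamps still in window
    alerts = {}
    for ts, result, user, ip in sorted(events):
        key = (ip, user)
        if result == "Failed":
            recent[key] = [t for t in recent[key] if (ts - t).total_seconds() <= window_seconds]
            recent[key].append(ts)
            if len(recent[key]) >= threshold:
                alerts.setdefault(key, {"first_seen": recent[key][0], "success_after": False})
                alerts[key]["failures"] = len(recent[key])
        elif key in alerts:  # "Accepted" after a flagged burst: the guessing succeeded
            alerts[key]["success_after"] = True
    return alerts
```

On a real host, feed it the tail of /var/log/auth.log (or `journalctl -u ssh` output) and alert on any key whose `success_after` is true; fail2ban or an SSH key-only policy removes the attack path entirely.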

7. What service do you use to access the server?

SSH

8. Enumerate the machine to find any vectors for privilege escalation

No answer needed

9. What is the name of the other user you found?

There are many solution methods. You can go to the “/home/” directory and see it, or you can read “/etc/passwd” and see it (the proper method, in my opinion).

10. If you have found another user, what can you do with this information?

No answer needed

We can maybe check crontabs or look for an SSH key.

find / -name "*id_rsa*" 2>/dev/null

We take “id_rsa” and crack it with john. But first we must convert it into a hash format john understands.

python /usr/share/john/ssh2john.py id_rsa > id_rsa.hash

john --wordlist=/wordlist_path id_rsa.hash

Yay, we found it!!!

ssh -i id_rsa kay@localhost (run this inside jan’s SSH session)

Hocus pocus!!!

11. What is the final password you obtain?

YAY, CONGRATS!!!

This CTF was so much fun. See you in the next CTF.
