This room on TryHackMe is focused on enumeration and exploitation at a very basic level in a beginner-friendly manner. The way all the questions are queued and the hints that are provided alongside help a lot to develop a basic mindset while performing pentesting.

For solving this room, we are going to use different tools like nmap, dirb and hydra. So, let’s begin!

Initial Foothold

1. Deploy the machine and connect to our network.

The first step is to deploy the machine and obtain the IP address for the room on which we can perform our pentesting tasks. Once the machine is deployed, we can go to the IP address and check what is hosted there.

From the image, it can be seen that there is not much information available on the homepage, but in the source code we can see that they are talking about the dev note section. We can run dirb to find out about various directories and pages hosted on this domain.

2. Find the services exposed by the machine

Nmap is a very useful tool that can be used to determine the various ports open on the target machine and the services running on them. We can perform a simple scan to get all the details like:

Now, we know all the services that are running on the target machine. Hence, this question is completed.

3. What is the name of the hidden directory on the webserver(enter name without /)?

As suggested in the first question we can run a dirb scan to find out all the directories on the webserver.

From the dirb results we can see that there is exactly one hidden directory and that is the answer to this question.

4. User brute-forcing to find the username & password

I found this part to be a little tricky as no login page was found, so where would I try to perform a brute-force attack? There were a few failed attempts that I’ve described below:

While exploring the hidden directory we come to know that Apache Struts 2.5.12 is running on the box. So, we can try to find some exploit for that service. After some googling, we can find an RCE script for this service on exploit-db and then we can also try to run it.

Maybe the way we are executing this script is wrong or the entry-point at which this script must be executed is not correct.

  • We can also look for exploits related to Apache Tomcat 9.0.7 running on port 8080. But there are no such ready-to-use exploits available for this service.
  • We can also see that Samba 4.3.11 is running on port 445, so maybe we can look for some exploit related to that. On googling for exploits related to this service, we can find the is_known_pipename exploit on Rapid7, which can be accessed using Metasploit. But even after trying various target types, a successful exploit can’t be performed.
  • The next thing that comes to mind is that, as the SMB port is open, we can try some enumeration over SMB. This can be achieved through enum4linux, which is a tool for detecting and extracting data from Windows and Linux OS, including those that are SMB clients on a network. The following details can be obtained through enum4linux:
      • Password policies on target
      • The OS of a remote target
      • Shares on a device (drives and folders)
      • User listing
  • We can run the command enum4linux <machine_ip> to find the users present on the target box. This command would take some time to complete, so we need to be patient as the usernames are detected at the end of the search. The output would be similar to:

For this task, we do not need to answer any question but at least we know the names of the two users on the box.

5. What is the username?

In the previous question, we discovered that two users are present on the box. We can try entering the name of both the users one by one in the answer box for this question and the correct one would get accepted.

6. What is the password?

Hydra is a tool that can be used to brute-force passwords over numerous protocols. We can use it here to brute-force the password for the user that was accepted in the last question. The command and output for the same are given below:

The switches used here with hydra are:

So, now we have the password for the account. This is used as the answer to this question.

7. What service do you use to access the server(answer in abbreviation in all caps)?

We have used hydra to get the password for this service in the last question itself.
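On the defending side, a password-guessing run like the hydra one above shows up in the SSH daemon's auth log as a burst of failed logins from one source, and the dangerous case is a success right after the burst. The following detection sketch is an added example, not part of the original write-up; the log lines, host, users and IP addresses are constructed, and the threshold, window and year are assumptions to tune.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth.log sample in OpenSSH's message format (host, users, IPs are made up).
SAMPLE_LOG = """\
Mar  3 10:15:01 target sshd[1201]: Failed password for alice from 203.0.113.7 port 40112 ssh2
Mar  3 10:15:02 target sshd[1203]: Failed password for alice from 203.0.113.7 port 40114 ssh2
Mar  3 10:15:02 target sshd[1205]: Failed password for invalid user admin from 203.0.113.7 port 40116 ssh2
Mar  3 10:15:03 target sshd[1207]: Failed password for alice from 203.0.113.7 port 40118 ssh2
Mar  3 10:15:04 target sshd[1209]: Failed password for alice from 203.0.113.7 port 40120 ssh2
Mar  3 10:15:05 target sshd[1211]: Failed password for alice from 203.0.113.7 port 40122 ssh2
Mar  3 10:15:06 target sshd[1213]: Accepted password for alice from 203.0.113.7 port 40124 ssh2
Mar  3 11:02:10 target sshd[1300]: Failed password for bob from 198.51.100.20 port 51514 ssh2
Mar  3 11:02:31 target sshd[1302]: Accepted password for bob from 198.51.100.20 port 51516 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+")

def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60), year=2024):
    """Alert on (source IP, user) pairs with >= threshold failed logins inside window."""
    recent = defaultdict(deque)  # (ip, user) -> timestamps of failures still in the window
    alerts = {}                  # (ip, user) -> alert record
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Classic syslog timestamps carry no year, so one is assumed.
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        key = (m["ip"], m["user"])
        if m["result"] == "Failed":
            q = recent[key]
            q.append(ts)
            while ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(key, {"ip": key[0], "user": key[1],
                                                "peak_failures": 0, "compromised": False})
                alert["peak_failures"] = max(alert["peak_failures"], len(q))
        elif key in alerts:  # success from a source that already tripped the threshold
            alerts[key]["compromised"] = True
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

An alert with `compromised` set means the guessed password worked, so the account needs a password reset and a review of what was done in that session.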

Privilege Escalation

8. Enumerate the machine to find any vectors for privilege escalation

Now that we have the credentials to gain SSH access, we can log in to that account using the obtained username and password.

Once logged in, we can look for files in the current directory as well as look for other users, their files and whether we have access to them or not. We can also run the command sudo -l to check if we can run some commands with root privilege, but sadly we are not allowed to run any command with sudo privilege.

On further enumeration, we can see that there is another user, who was also detected by enum4linux. We can look into the directory of that user and see if we can find some files. There is one odd file named pass.bak to which we don't have access. But we can access the id_rsa key in the .ssh directory. With this SSH key, we can try to gain access to the other user using SSH and try to read the file.

So, we have found a vector for privilege escalation here!
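The vector here is a private key that accounts other than its owner can read. The following audit is an added example, not part of the original write-up: it walks a /home-style tree and reports private keys whose mode has any group or other bits set, which are the same bits the ssh client refuses in a key file. The demo tree, user names and key contents are constructed placeholders.

```python
import os
import stat
import tempfile

# PEM headers that mark a private key file (OpenSSH's current and legacy RSA formats).
KEY_HEADERS = (b"-----BEGIN OPENSSH PRIVATE KEY-----", b"-----BEGIN RSA PRIVATE KEY-----")

def _mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)

def audit_private_keys(home_root):
    """List private keys under <home_root>/<user>/.ssh whose mode has group/other bits set."""
    findings = []
    for user in sorted(os.listdir(home_root)):
        home = os.path.join(home_root, user)
        ssh_dir = os.path.join(home, ".ssh")
        if not os.path.isdir(ssh_dir):
            continue
        # Other accounts can only reach the file if both directories are traversable.
        reachable = bool(_mode(home) & 0o001 and _mode(ssh_dir) & 0o001)
        for name in sorted(os.listdir(ssh_dir)):
            path = os.path.join(ssh_dir, name)
            if not os.path.isfile(path):
                continue
            try:
                with open(path, "rb") as fh:
                    is_key = fh.read(40).startswith(KEY_HEADERS)
            except OSError:
                continue  # not readable by the account running the audit
            mode = _mode(path)
            if is_key and mode & 0o077:
                findings.append({"user": user, "file": name, "mode": oct(mode),
                                 "world_readable": reachable and bool(mode & 0o004)})
    return findings

def make_demo_home():
    """Build a constructed /home-like tree: one exposed key, one correctly protected key."""
    root = tempfile.mkdtemp()
    for user, dir_mode, key_mode in (("alice", 0o755, 0o644), ("bob", 0o700, 0o600)):
        ssh_dir = os.path.join(root, user, ".ssh")
        os.makedirs(ssh_dir)
        key = os.path.join(ssh_dir, "id_rsa")
        with open(key, "wb") as fh:
            fh.write(b"-----BEGIN RSA PRIVATE KEY-----\n(constructed placeholder, not a key)\n")
        os.chmod(key, key_mode)
        os.chmod(ssh_dir, dir_mode)
        os.chmod(os.path.join(root, user), 0o755)
    return root

if __name__ == "__main__":
    for finding in audit_private_keys(make_demo_home()):
        print(finding)
```

Run against the real /home as root so every user's .ssh directory can be inspected; the fix for each finding is chmod 600 on the key and chmod 700 on the .ssh directory.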

9. What is the name of the other user you found(all lower case)?

In the previous question itself, we found out the user and the method through which we can escalate ourselves to the user’s account.

10. If you have found another user, what can you do with this information?

We have the user and their SSH key. So, we can try to access the user’s account via SSH but for that, we’ll need the passphrase for SSH access.

Steps to get the passphrase from id_rsa:

  1. We can copy the entire key in a file on our local system. (I’ve stored it in a file named ssh_key)
  2. Convert it to a format that JohnTheRipper can understand using the command: /usr/share/john/ssh2john.py ssh_key > key_for_john
  3. Pass on the newly created key_for_john to john and get the key.
  4. Boom, we now have the passphrase for the key as well.
  5. Change the permissions of the file ssh_key using chmod 600 ssh_key, else it won't get accepted by SSH.
  6. We can now access the account of the other user using SSH with the ssh_key and the obtained passphrase. The command that can be used is: ssh -i ssh_key username@<machine_ip>. (-i is used to pass the RSA key)

11. What is the final password you obtain?

Now, we have access to the box as the other user. We can now read the file pass.bak and get the answer to the final question.

With this, we have solved the Basic Pentesting room!

Some Key Points to Take Away

  1. When you see an open SMB port, try to use enum4linux to get various details related to the target.
  2. Hydra can be used for performing bruteforce attacks for various services.
