CC: Pen Testing writeup - TryHackMe



CC: Pen Testing

A crash course on various topics in penetration testing


This write-up is based on the following room from Try Hack Me:

Tasks 1 to 23 are pretty straightforward and can be answered using the help menus of the various tools.

[Task24]

We will be using Kali Linux as our attacking machine.

1. Deploy the VM and let's do the Nmap scan:



Interesting points are:
  • Port 22 open - OpenSSH 7.2p2 Ubuntu 4ubuntu2.8
  • Port 80 open - Apache/2.4.18 (Ubuntu)
What our attack plan can be from here:
  • Brute-force web directories using the following tools:
  • Brute-force the web login, if we find any user
  • Search for vulnerabilities in the Apache HTTPd web server version 2.4.18 using:
    • ExploitDB
    • Searchsploit
    • General web search
  • Search for known issues against OpenSSH 7.2p2
  • Brute-force SSH logins, if we find any user.
Enough said, let's begin.

2. Before busting the directories on the web server, we should know that we have various wordlists at our disposal. Here is the list:
  • /usr/share/wordlists/dirb/small.txt
  • /usr/share/wordlists/dirb/common.txt
  • /usr/share/wordlists/dirb/big.txt
  • /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
  • /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
  • /usr/share/wordlists/dirbuster/directory-list-2.3-big.txt  [from https://github.com/daviddias/node-dirbuster/tree/master/lists]
These are a few lists which are very common and should work in most cases. If we don't find anything using one list, we should try the others. Start with the small ones and then move up.

Let's try Gobuster first:


Now Dirb:



Now Dirsearch:



The point here is to showcase the various tools which are available for brute-forcing the directories on the web server.

Now all the tools point towards a directory "secret", but trying to access it in the browser yields nothing.

Maybe this directory contains something else; let's try to brute-force this directory.

Let's try the following command with Gobuster:

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x .php,.asp,.aspx,.jsp,.js,.do,.action,.html,.json,.yml,.yaml,.xml,.cfg,.bak,.txt,.md,.sql,.zip,.tar.gz,.tgz -u 10.10.141.98/secret -t 40

A little explanation:
-w = wordlist
-x = extensions to try, a comma-separated list
-u = URL to brute-force
-t = threads (a lower value here ==> less noisy)

The above command can take a long time, as we are using a medium-size wordlist along with lots of extensions, but hey, this is just to show what is possible. If you want to do a quick test, use the common.txt wordlist and fewer extensions, like .html,.js,.txt,.php.
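A detection-side counterpart to the scan above, as an added example that is not from the original write-up: a Python script that parses Apache combined-format access log lines (the default access.log format on Ubuntu) and flags any client whose 404 responses cover many distinct file extensions inside a short window, which is exactly the footprint a wordlist-plus-extensions scan leaves on the target's web server. The log lines, client IPs and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime
# Apache "combined" log format (the Ubuntu default for access.log); only the fields we need.
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, status, extension) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    name = m.group("path").split("?", 1)[0].rsplit("/", 1)[-1]  # last path segment, query dropped
    ext = name.rsplit(".", 1)[1].lower() if "." in name else ""
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT), int(m.group("status")), ext


def find_bruteforcers(lines, window_s=60, min_404=10, min_exts=3):
    """Return {ip: (n_404, n_distinct_exts)} for clients reaching both thresholds inside one window_s-second window."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == 404:
            by_ip[rec[0]].append((rec[1], rec[3]))
    hits = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the window start until the window spans at most window_s seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_s:
                start += 1
            window = events[start:end + 1]
            exts = {e for _, e in window if e}
            if len(window) >= min_404 and len(exts) >= min_exts:
                hits[ip] = (len(window), len(exts))
                break
    return hits


# Constructed sample: one client probing /secret/index.<ext> across many extensions in
# a few seconds (scanner behaviour) and one ordinary client with a single 404.
SAMPLE_LOG = [
    f'10.10.14.5 - - [01/Jan/2024:10:00:{i:02d} +0000] "GET /secret/index.{e} HTTP/1.1" 404 274 "-" "Mozilla/5.0"'
    for i, e in enumerate("php asp aspx jsp js do action html json yml bak txt".split())
] + [
    '10.10.14.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '10.10.14.9 - - [01/Jan/2024:10:00:05 +0000] "GET /favicon.ico HTTP/1.1" 404 274 "-" "Mozilla/5.0"',
]
```

Running `find_bruteforcers(SAMPLE_LOG)` flags only 10.10.14.5; the ordinary client's lone favicon 404 stays below the thresholds.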


Also check what Dirb gives us for this directory:


Ah, a secret.txt file. Let's open it in the browser:


We get a potential username here. Time for SSH brute force.

3. Use Hydra to brute-force SSH creds for this user:


4. SSH in using the discovered password and find "user.txt":


5. Time for privilege escalation. Let's see what this user can run with sudo:


We got the Root Flag. All done!
