Another day, another challenge.
In today’s blog post I will give a walk-through of a boot-to-root room called “Basic Pentesting Room”. This boot-to-root is perfect for getting practice in preparation for the OSCP.
Let’s get started.
Logging into TryHackMe with your credentials and heading into the room we see the following:
OK, we have tasks to complete and we will learn the following skills – brute forcing, hash cracking, service enumeration, and Linux enumeration.
The first question is:
Clicking the deploy button at the top we get the following:
Second question is:
OK, we need to find the services exposed. What can we do?
One solution is to run nmap -sV <IP address> (a TCP scan with service/version detection).
In this case it would be nmap -sV 10.0.0.204. Doing this we see the following screenshot:
Success! We now have the services.
Let’s use dirb to find the hidden directories. See the following screenshot:
Our hidden directory is development.
Reviewing our enumeration we see that ports 139 and 445 are open. These ports are used for SMB (Server Message Block), which is a frequent source of vulnerabilities and information leakage. Let’s run enum4linux and see what we find.
We found two users: kay and jan
First, trying kay, I received an error. Let’s try jan. Success!
Let’s fire up Hydra, which is a password-cracking tool, with the rockyou password list (this list is used a lot in Kali and even in the OSCP… hint, hint!).
The service we use to access the server is SSH.
Since we have another user (kay) and an .ssh folder that contains a key, we can try to recover the passphrase.
From question #10 we have the user (kay) and an SSH key; how can we go about cracking it?
Doing a quick Google search, I was presented with the following link.
Scrolling down we see the following:
Let’s see if we can recreate this to find the passphrase. Using ssh2john we created the hash.
Next we’ll use John the Ripper with the famous rockyou wordlist to see if we can crack the passphrase. We were successful! The passphrase is beeswax. Let’s try to SSH in with kay’s private key and see if we can get in.
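As an added example, not part of this walkthrough or of TryHackMe’s material: a defender-side script that reads only the header of a private key file and reports whether it is passphrase-protected and which key-derivation function guards it, the property that decides whether the ssh2john + john step above finishes in seconds or in years. The keys it checks are constructed header-only stubs, not real key material, and the 16-round threshold is ssh-keygen’s default.

```python
import base64
import struct

# Added example (not from the post): header-only inspector for OpenSSH private keys. Reports
# whether a key is passphrase-protected and how costly its key derivation is, so an audit can
# flag keys that an offline wordlist run (ssh2john + john, as in the room) would crack fast.

def _ssh_string(b):                           # uint32 length prefix + bytes
    return struct.pack(">I", len(b)) + b
def _read_string(buf, off):                   # inverse of _ssh_string
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def inspect_ssh_key(text):
    lines = [l.strip() for l in text.strip().splitlines()] or [""]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            return {"format": "unknown"}
        cipher, off = _read_string(blob, len(magic))
        kdf, off = _read_string(blob, off)
        kdfopts, _ = _read_string(blob, off)
        rounds = None
        if kdf == b"bcrypt":                  # kdfoptions = string salt, uint32 rounds
            (rounds,) = struct.unpack_from(">I", kdfopts, _read_string(kdfopts, 0)[1])
        return {"format": "openssh-v1", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode(), "kdf_rounds": rounds}
    if lines[0].startswith("-----BEGIN ") and lines[0].endswith(" PRIVATE KEY-----"):
        enc = any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines)
        dek = next((l.split(":", 1)[1].strip() for l in lines if l.startswith("DEK-Info:")), "")
        # legacy PEM derives the cipher key from the passphrase with a single MD5 pass
        return {"format": "pem", "encrypted": enc, "cipher": dek.split(",")[0] or None,
                "kdf": "md5" if enc else None, "kdf_rounds": 1 if enc else None}
    return {"format": "unknown"}

def assess(info):
    if info["format"] == "unknown":
        return "unrecognised"
    if not info["encrypted"]:
        return "unprotected: anyone holding the file can log in with it"
    if info["kdf"] == "bcrypt" and info["kdf_rounds"] >= 16:   # 16 is ssh-keygen's default
        return "bcrypt KDF: offline guessing is slow, passphrase strength still decides"
    return "weak KDF: an offline wordlist attack is cheap"

def make_openssh_v1_sample(cipher, kdf, rounds=0):   # constructed header-only sample, nkeys=0
    opts = _ssh_string(b"\x00" * 16) + struct.pack(">I", rounds) if kdf == "bcrypt" else b""
    blob = (b"openssh-key-v1\x00" + _ssh_string(cipher.encode()) + _ssh_string(kdf.encode())
            + _ssh_string(opts) + struct.pack(">I", 0))
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob).decode()
            + "\n-----END OPENSSH PRIVATE KEY-----\n")
```

Run assess(inspect_ssh_key(open(path).read())) over the .ssh directories you administer; keys reported as unprotected or with a weak KDF are the ones the room’s technique would defeat.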
Entering the passphrase, we see that we were able to successfully log into the kay account! Just to be sure, I issued the command whoami (don’t mind the fat fingering!).
Next, we list the directory to see what we’re working with. We see a pass.bak file; let’s see if it contains the password. Opening the file, we see the password. Score!
Let’s run sudo -l, which shows us what commands kay can run as root. We’re prompted for a password and enter the one we just acquired. We’re presented with all of the commands that kay can run, and we see that kay can execute all commands as root. Great, this will be helpful for us.
There’s another important file in the directory: .bash_history. It is useful because it records the commands the user executed before logging off. Let’s open the file.
After opening the file we see a lot of commands. One is very useful: sudo su. If it works, running this command will switch us from the kay user to root. In other words, we would perform privilege escalation, where we start as a non-admin user and, through improper configuration, become root. Let’s try the command and see if it works.
Running sudo su and then whoami, we see that we’re now root! Another directory listing shows the same files as before, so nothing has changed there. Let’s see if we can get into the root directory.
Changing to the root directory we see that there is a flag.txt file. Opening this file, we are presented with the text above. We solved the challenge!