Basic Pentesting Writeup

Hacktivities · Jun 5, 2020


This article outlines my approach to solving the “Basic Pentesting” room, which is available free to members on the TryHackMe platform. I have provided a link to TryHackMe in the References below, where you can sign up and try hacking this virtual machine yourself. Without any further delay, let's jump in!

Disclaimer

I like to encourage anyone who has not yet attempted this room to do so before reading this writeup. Try to see how much of the room you can solve, then come back and read this writeup for some help or to see a different approach. This way, you learn more and can enjoy the challenge without too many spoilers! If you are stuck, I would advise the following:

  • Try answering the questions provided as you go along and use them as a guide on what to do next.
  • Perform as much enumeration as possible and use multiple tools to achieve this.
  • Consider common methods used to escalate privileges.
  • Be patient and take regular breaks. You may notice something you didn’t see before with a fresh pair of eyes!

Background

This TryHackMe room is aimed at allowing players to practice web app hacking and privilege escalation. The room is accompanied by a list of questions that must be answered in order to complete it. So let's get started!

Service & Web Enumeration

I started by connecting to and scanning the target virtual machine for any open ports and services using the NMAP tool.

The NMAP command can be broken down as follows:

  • -Pn: Disables host discovery.
  • -sV: Performs version detection for the services.
  • -sC: Performs a script scan using default scripts available in NMAP.
  • -v: Provides verbose details about the NMAP scan.
  • -oN: Writes the scan results to a file in Nmap's normal output format.

The NMAP scan found the following ports and services:

  • port 22 (SSH)
  • port 80 (Apache)
  • port 139 & 445 (SMB)
  • port 8009 (Apache Jserv)
  • port 8080 (Apache Tomcat)

I decided to start with port 80 first. Visiting the web page hosted on port 80 presents the following page.

I decided to use GoBuster, a tool which can be used to find hidden directories. This tool uses a word list of common directory names and attempts to load these directories.

The GoBuster tool provided the following output.

The “development” directory caught my attention. Looking at the directory, two files were found called “dev.txt” and “j.txt”.

Looking at the “dev.txt” file, some interesting development notes were left behind. The developers mentioned that they had configured “SMB”, which makes it the next service to enumerate. The version number (“2.5.12”) of some software they were using is also mentioned, which could correspond to an exploitable vulnerability. Finally, the initials of both developers' names hint at potential usernames on the server.

Looking at the “j.txt” file, I discovered that the password hash stored in the shadow file for the developer whose name starts with “j” can be easily cracked.

SMB Enumeration

I decided to enumerate the SMB ports next for any useful information. I used a tool called “smbmap”, which can enumerate Samba shares across an entire domain.

The “-H” option specifies the host to scan. Looking at the results from “smbmap”, I noticed that there was a share called “Anonymous” with “READ ONLY” permissions, containing a file called “staff.txt”.

I used the tool “smbclient”, a client that can ‘talk’ to an SMB/CIFS server and provides an interface similar to FTP, to view the contents of the “Anonymous” share. When prompted for a password, I simply left it blank.

I listed the contents of the share and saw the “staff.txt” file. I then used the “get” command to retrieve it.

Looking at the contents of the “staff.txt” file, I learned that the names of the developers are “Jan” and “Kay”.
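The anonymous, unauthenticated read on the “Anonymous” share is the weakness that gave up “staff.txt”. The following is an added example and not the room's actual configuration: two smb.conf fragments, the first reproducing a share that any client can read with a blank password, the second the hardened form that rejects anonymous sessions and restricts the share to a named group. The paths, share names and the “staff” group are assumptions.

```ini
; Added example (not the room's smb.conf). Comments sit on their own lines
; because Samba does not strip trailing comments from parameter values.

; ---------- weak: what the smbmap/smbclient results above imply ----------
[global]
   workgroup = WORKGROUP
   security = user
   ; unknown usernames are silently mapped to the guest account
   map to guest = Bad User

[Anonymous]
   ; path is an assumption
   path = /srv/samba/anonymous
   browseable = yes
   ; no credentials needed, so a blank password in smbclient is accepted
   guest ok = yes
   read only = yes

; ---------- hardened: reject anonymous sessions, require group membership ----------
[global]
   workgroup = WORKGROUP
   security = user
   ; an unknown username is a failed login, never a guest
   map to guest = Never
   ; refuse anonymous (null-session) connections entirely
   restrict anonymous = 2
   ; drop SMB1; assumes the clients involved support SMB2 or later
   server min protocol = SMB2

[Staff]
   path = /srv/samba/staff
   ; not listed by share enumeration (the share itself still exists)
   browseable = no
   guest ok = no
   ; only members of the local "staff" group may connect
   valid users = @staff
   read only = yes
```

After reloading Samba, repeating the same check the writeup ran (“smbmap -H” against the host, or “smbclient” with a blank password) should be refused rather than listing the share, while a member of the staff group authenticating with a password still gets read access.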

SSH Brute Force

With the developers' names recovered, I decided to try to brute force the SSH login on port 22. I knew from answering the questions provided that the username was “Jan”. However, when I attempted to brute force the SSH login using this username and the “rockyou.txt” word list available on Kali, I discovered that this did not work 🤔!

A breakdown of the Hydra command is as follows:

  • -f: Stop brute forcing once a valid password is found.
  • -V: Display the attempts being made by Hydra and other details.
  • -t: Number of connects/tasks being run in parallel (max is 64).
  • -l: Specifies a single username, e.g. “Jan” (use -L for a username list).
  • -P: Specifies the password list to use, e.g. “rockyou.txt”.

I decided to go back and perform some more enumeration on the SMB ports. I used the “enum4linux” tool, which enumerates information from Windows and Samba systems.

Looking through the output, I noticed that the tool had enumerated two users called “kay” and “jan”, both in lowercase. Linux usernames are case-sensitive, so “Jan” and “jan” are different accounts. I decided to use the username “jan” instead, and this time Hydra successfully found the password for the SSH login.
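From the defender's side, a Hydra run like the one above is loud: every attempt leaves a “Failed password for …” line in the sshd log, all from one source address within seconds. The script below is an added example, not part of the writeup, that parses such lines and flags any source that produces a burst of failures inside a sliding time window. The log lines are constructed for the example and the threshold and window are assumed values a real deployment would tune.

```python
"""Detect an SSH password-guessing burst from sshd log lines (added example).

Each failed attempt leaves a "Failed password for [invalid user] <name> from
<ip>" line in auth.log. A wordlist attack produces dozens of them from one
source within seconds, so counting failures per source inside a sliding
window is enough to flag it, while a user who mistypes twice never trips it.
"""
import re
from collections import defaultdict
from datetime import datetime

LOG_YEAR = 2020  # traditional syslog timestamps carry no year; assume one

FAILED_RE = re.compile(
    r"^(?P<ts>\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(lines):
    """Yield (timestamp, source_ip, username) for each failed password attempt.
    Lines that are not sshd password failures (accepted logins, other
    daemons) are skipped."""
    for line in lines:
        m = FAILED_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{LOG_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def detect_bruteforce(lines, threshold=10, window_seconds=60):
    """Return {source_ip: (total_failures, sorted distinct usernames)} for every
    source that produced at least `threshold` failures inside any span of
    `window_seconds`."""
    attempts_by_ip = defaultdict(list)
    for ts, ip, user in parse_failures(lines):
        attempts_by_ip[ip].append((ts, user))

    offenders = {}
    for ip, attempts in attempts_by_ip.items():
        attempts.sort(key=lambda a: a[0])
        start = 0
        for end in range(len(attempts)):
            # advance the window start until attempts[start..end] fits the window
            while (attempts[end][0] - attempts[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                offenders[ip] = (len(attempts), sorted({u for _, u in attempts}))
                break
    return offenders


# Constructed sample log: a 12-attempt burst from one address (first with the
# wrong-case "Jan", then "jan"), plus one genuine typo and a successful login.
SAMPLE_LOG = [
    f"Jun 15 10:42:{s:02d} target sshd[1200]: Failed password for invalid user Jan "
    f"from 10.10.14.3 port {51000 + s} ssh2"
    for s in range(0, 6)
] + [
    f"Jun 15 10:42:{s:02d} target sshd[1200]: Failed password for jan "
    f"from 10.10.14.3 port {51000 + s} ssh2"
    for s in range(6, 12)
] + [
    "Jun 15 10:43:30 target sshd[1300]: Failed password for kay from 192.168.1.20 port 40022 ssh2",
    "Jun 15 10:45:01 target sshd[1301]: Accepted password for kay from 192.168.1.20 port 40023 ssh2",
]

if __name__ == "__main__":
    for ip, (count, users) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins, usernames tried: {', '.join(users)}")
```

On the sample data only 10.10.14.3 is reported, with both spellings of the username that were tried. The usual mitigations sit next to this detection: a low “MaxAuthTries” in sshd_config, “PasswordAuthentication no” with key-based logins, and a rate limiter such as fail2ban that acts on exactly these log lines.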

Linux Privilege Escalation

I can use the credentials discovered for the developer called “Jan” to log in to the virtual machine via “SSH”.

Once logged in, I started manually enumerating the virtual machine for information. I looked at the “/home” directory and saw another user folder called “kay”. I could list the contents of this folder and discovered a file called “pass.bak”. Unfortunately, I did not have permission to view the contents of the file.

I decided to speed up my enumeration of the machine by using a shell script called “LinEnum.sh”, which performs local Linux enumeration and privilege escalation checks.

I copied the “LinEnum.sh” script to the “/tmp” directory using the “scp” (secure copy) command.

I changed the permissions on the script to make it executable, then executed it and wrote the results to a text file.

Once the script had finished, I used “scp” to copy the “LinEnum-Report.txt” file to my current local directory.

Looking through the report results, I discovered that the “vim.basic” file editor had the SUID flag set.

Because a SUID binary runs with its owner's privileges, I can use the “vim.basic” editor to edit files as root, which allows me to view the contents of files I would normally not have permission to read. I used this to open the “pass.bak” file stored in the user kay's folder with the “vim.basic” editor.

Opening the “pass.bak” file in the vim editor gives the password for the “kay” user.
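The SUID “vim.basic” is exactly the kind of finding a routine audit should surface before a pentester does. The script below is an added example, not part of the writeup and not LinEnum's own code: it lists every set-uid regular file under a directory tree and reports the ones that are not on an expected baseline, or that are writable by anyone other than their owner. The baseline is an assumption; on a real host it should be derived from the distribution's package manifests, and the tree to scan would be “/” rather than the constructed sample directory.

```python
"""Audit set-uid binaries against an expected baseline (added example).

A set-uid copy of an editor such as vim.basic lets any local user read and
write files as root, so it should never appear outside the baseline.
"""
import os
import stat
import tempfile

# Assumed baseline: binaries that Debian/Ubuntu commonly ship set-uid.
EXPECTED_SUID = {"passwd", "sudo", "su", "mount", "umount", "chsh", "chfn",
                 "gpasswd", "newgrp", "pkexec", "fusermount", "ping"}


def find_suid(root):
    """Return a path-sorted list of {path, name, uid, mode} for every regular
    file under `root` with the set-uid bit. Symlinks are not followed and
    unreadable entries are skipped rather than aborting the walk."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append({"path": path, "name": name,
                             "uid": st.st_uid, "mode": st.st_mode})
    return sorted(hits, key=lambda h: h["path"])


def unexpected_suid(root, baseline=EXPECTED_SUID):
    """Set-uid files that are not on the baseline, plus any set-uid file that
    is group- or world-writable (a writable set-uid binary can be replaced)."""
    findings = []
    for hit in find_suid(root):
        writable = bool(hit["mode"] & (stat.S_IWGRP | stat.S_IWOTH))
        if hit["name"] not in baseline or writable:
            findings.append({**hit, "writable_by_others": writable})
    return findings


def build_sample_tree():
    """Constructed test data: a throwaway directory holding a set-uid
    vim.basic, a legitimately set-uid passwd and an ordinary file."""
    base = tempfile.mkdtemp(prefix="suid-audit-")
    for name, mode in (("vim.basic", 0o4755), ("passwd", 0o4755), ("notes.txt", 0o644)):
        path = os.path.join(base, name)
        with open(path, "w"):
            pass
        os.chmod(path, mode)
    return base


if __name__ == "__main__":
    for f in unexpected_suid(build_sample_tree()):   # scan "/" on a real host
        print(f"REVIEW: {f['path']} (uid {f['uid']}, "
              f"writable by others: {f['writable_by_others']})")
```

Run against the sample tree, only “vim.basic” is reported; “passwd” is set-uid but expected. Comparing each run's output with the previous one turns this into a simple change detector for new set-uid binaries.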

I can now use this password to log in as the “kay” user using “SSH”. At this point, all the questions have been answered for the “Basic Pentesting” room.

I decided to see if I could gain root access. I checked which commands I could run with “sudo” as “kay” and discovered that I could run all commands as root.

I listed the contents of the “root” directory and saw a file called “flag.txt”.

Reviewing the contents of the file revealed that I had completed the challenge but that there was a second approach to solving this room. Interesting 😏!

Bonus Solution

So despite completing the room, I was intrigued to find the other way to gain a shell and escalate my privilege on the Linux machine. Curiosity got the better of me 😅.

Apache Struts 2.5.12 Reverse Shell

I remember finding some interesting information in the “dev.txt” file where the developers mentioned “struts” and version “2.5.12”. I decided to use “searchsploit” to see if any vulnerabilities were related to this information and the target machine.

Sure enough, I discovered that there is a remote code execution vulnerability in “Apache Struts” version 2.5.12. I decided to use “Metasploit” to see if I could get a reverse shell by exploiting this vulnerability. I used the “search” functionality in “Metasploit” to find an exploit and, after a quick search on Google (see References), I came across one that I thought would work.

I set the “RHOST” value to the target machine and launched the exploit, but this failed.

I checked the options for the exploit and saw that a “TARGETURI” was set.

I decided to check whether this “TARGETURI” existed by entering it in the browser.

The page does not appear to exist. After some more searching on Google, I came across another article (see References) that explains how to detect and exploit the Java Struts2 REST plugin vulnerability. It referenced a URL similar to the “TARGETURI” in the exploit, except that the version was also specified at the end of the path. I checked whether this worked by changing the URL, and this time I received a successful response.

I changed the “TARGETURI” for the exploit and attempted the exploit again.

This time the exploit worked and I got a reverse shell 😄!

SSH Privilege Escalation

I started thinking of other ways to escalate my privileges on the target machine. I decided to use another enumeration script called “LinPeas.sh”, which is regarded as the successor to the “LinEnum.sh” script I used previously. I followed the same approach as with “LinEnum.sh” and wrote the results to a report that I could examine. I found this report much easier to read, and I noticed that the script had discovered a possible private SSH key in the user “kay” directory.

I tried to see if I could log in as the user “kay” through SSH by specifying the “id_rsa” file as the identity file using the “-i” option of the “ssh” command, but I was prompted for a passphrase.

Since the SSH private key is passphrase protected, I started looking online for a way to recover the passphrase. I discovered that the password cracking tool “John the Ripper” provides a script called “ssh2john”, which converts the “id_rsa” private key into a hash that can then be cracked. I copied the private key to my local host and ran the “ssh2john” script on it to produce the hash.

I can now use the “John the Ripper” tool to crack the hash.

This was successful and the passphrase was discovered!

I can now use this passphrase to log in as the user “kay”.
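This alternative path worked because a private key sat where another account could read it and its passphrase was weak enough to recover from a wordlist. The two properties a defender can check automatically are whether a key is encrypted at all and whether its file is readable by anyone but its owner. The script below is an added example, not part of the writeup: it tells the current openssh-key-v1 container apart from the legacy PEM headers, reads the cipher name from each, and combines that with the file mode. The sample keys are constructed header-only blobs, so none of them is usable key material.

```python
"""Audit SSH private keys for missing passphrases and loose permissions
(added example, not from the writeup)."""
import base64
import os
import stat
import struct

MAGIC = b"openssh-key-v1\x00"   # prefix of the decoded "BEGIN OPENSSH PRIVATE KEY" body


def _read_string(blob, offset):
    """Read one length-prefixed (big-endian uint32) byte string from `blob`."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def key_encryption(text):
    """Return the cipher name protecting a PEM-framed private key, or "none".
    Handles the openssh-key-v1 format and the legacy PEM headers; raises
    ValueError for anything that is not a recognised private key."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    if len(lines) < 2 or not lines[0].startswith("-----BEGIN") or "PRIVATE KEY" not in lines[0]:
        raise ValueError("not a PEM-framed private key")
    body = lines[1:-1]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(body))
        if not blob.startswith(MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        cipher, offset = _read_string(blob, len(MAGIC))
        kdf, _ = _read_string(blob, offset)          # "bcrypt" when encrypted
        return cipher.decode("ascii")
    # Legacy "BEGIN RSA/EC/DSA PRIVATE KEY": encrypted keys carry a Proc-Type
    # header and the cipher name is the first field of DEK-Info.
    if any(ln.startswith("Proc-Type:") and "ENCRYPTED" in ln for ln in body):
        for ln in body:
            if ln.startswith("DEK-Info:"):
                return ln.split(":", 1)[1].strip().split(",")[0]
        return "unknown"
    return "none"


def audit_key(text, mode):
    """Findings for one key; `mode` is the file's st_mode (os.stat(p).st_mode)."""
    cipher = key_encryption(text)
    issues = []
    if cipher == "none":
        issues.append("private key is not passphrase-protected")
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        issues.append("key file is readable by group/other (expected mode 0600)")
    return {"cipher": cipher, "issues": issues}


def audit_tree(root):
    """Walk `root` and audit every file that starts like a PEM-framed private key."""
    results = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", errors="replace") as fh:
                    head = fh.read(40)
                    if not (head.startswith("-----BEGIN") and "PRIVATE KEY" in head):
                        continue
                    fh.seek(0)
                    text = fh.read()
                results[path] = audit_key(text, os.stat(path).st_mode)
            except (OSError, ValueError):
                continue
    return results


# --- constructed samples: header-only, not real keys --------------------------
def _openssh_key(cipher, kdf):
    blob = MAGIC + struct.pack(">I", len(cipher)) + cipher + struct.pack(">I", len(kdf)) + kdf
    b64 = base64.b64encode(blob).decode("ascii")
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            + "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
            + "\n-----END OPENSSH PRIVATE KEY-----\n")

SAMPLE_UNENCRYPTED = _openssh_key(b"none", b"none")
SAMPLE_ENCRYPTED = _openssh_key(b"aes256-ctr", b"bcrypt")
SAMPLE_LEGACY_ENCRYPTED = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00000000000000000000000000000000

(constructed placeholder: key body omitted)
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for label, text in (("unencrypted", SAMPLE_UNENCRYPTED), ("encrypted", SAMPLE_ENCRYPTED)):
        print(label, audit_key(text, 0o100644))
```

Pointing “audit_tree” at “/home” on a real host lists every key that is unencrypted or readable by other users. The fixes are the obvious ones: “chmod 600” on the key file and “ssh-keygen -p” to add (or replace) a passphrase; the script cannot judge passphrase strength, which is why the wordlist step in the writeup still succeeded against an encrypted key.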

This concludes my alternative solution to this virtual machine.
