TryHackMe - Basic Pentesting Walkthrough

Captions
[Music] Hey guys, HackerSploit here, back again with another video. In this video we're going to be taking a look at the various TryHackMe challenges, more specifically we'll be taking a look at Basic Pentesting. Now, a lot of people have actually been recommending TryHackMe for quite a while and I just haven't gotten down to making videos regarding it. I have used it before; it's a fantastic service, offers a structured way of learning and of course offers various challenges in the form of questions, which is also very useful because again it teaches you how to go step by step, or introduces at a very basic level the pentesting life cycle or methodology. Of course I'm primarily referring to this challenge, Basic Pentesting, which we'll be using to start off.

So what I've done is I've just deployed it, and this is a free room so you can check it out for yourself if you're interested. I haven't gone through the challenge yet; all I've done is submitted the answers to the first two questions. You can see in regards to this particular challenge, this is a machine that allows you to practice web application hacking and privilege escalation. So if we take a look at the first task here, you can see it tells us: in this set of tasks you learn the following: brute forcing, hash cracking, service enumeration, Linux enumeration. The main goal here is to learn as much as possible. Make sure you're connected to our network using the OpenVPN configuration file. All right, so the first question is in regards to deploying the machine and connecting to the network via OpenVPN, which I've done, and the second question is in regards to performing an nmap scan to find the services exposed by the machine, which I've also done. The next question is to find the name of the hidden directory on the web server. Okay, interesting. So what I'll do is I'll just cat out my nmap results here and let me just scroll to the top.

You can take a look at my nmap scan options right over here. This is quite a comprehensive scan, and immediately we can see that we have SSH running on port 22, which is running OpenSSH 7.2p2, which is very common with many of these challenges. I think OpenSSH 7.2p2 is vulnerable to username enumeration, so if I just use searchsploit, let's try and see whether it is. Right, so it is vulnerable to username enumeration; that will probably be coming in handy shortly. So what I'll do now is let me just go back to my nmap results here. We also have a web server running on port 80 that's running Apache 2.4.18, and it's running Ubuntu, so we know from the banners we've gotten back from our services that are running that we are running Ubuntu; we're not sure which version, of course. We also have SMB running on port 139 and port 445, running Samba smbd, so we pretty much know it's a Linux box because we don't have any Microsoft stuff here. So it's Samba smbd 4.3.11, and we also have Apache JServ Protocol version 1.3, which is served on port 8009, which looks like an API endpoint. Okay, so for the operating system guess you can see that pretty much didn't give us anything, but we have a few additional scripts that were executed and these are SMB scripts. For smb-os-discovery it gives us OS Windows 6.1, which is pretty weird, especially because the banner tells us this is running Ubuntu. The computer name is BASIC2. As for smb-security-mode we can see the account used is guest, authentication level is user, challenge response. So it looks like we might be able to perform some enumeration from SMB, but that's pretty much the results here. So again, if we take a look at the question, it pertains to finding a hidden directory on the web server, so let's try and analyze the web server. The IP is 10.10.28.233, so I'll just open that up.

So 10.10.28.233, open that up, and you can see it tells us it's undergoing maintenance, so please check back later. If we view the page source we can see we have a comment telling us: check our dev notes section if you need to know what to work on. So what we can do is we can use an nmap script. I've been getting a lot of comments on my nmap videos regarding why exactly I made videos on nmap; well, again, as I showed you, it does have practical uses, and an example of this is sudo nmap, especially when performing enumeration. So I can say sudo nmap, we say port 80, and we say the script is going to be http-enum, and the target is 10.10.28.233. So I'm going to hit enter, just put in my password because I'm currently using the kali user, and that's going to perform the scan. Let's see if we can find any hidden directories, which the question is pretty much asking for: what is the name of the hidden directory on the web server? Enter the name without the directory symbol. So there we are, we can see the script completes and it tells us we have a directory called development, and it's potentially interesting, with directory listing. So we can try and access that and let's see whether that gives us anything. So /development, and we can see that we have two files within development, so directory listing is enabled. We can see it is running Ubuntu, so I just want to confirm that. We can see we have dev.txt. In dev.txt it looks like we have some messages being sent, that's what it looks like, so we have a timestamp and of course the message: "I've been messing around with that Struts stuff and it's pretty cool, I think it might be neat to host that on this server too. I haven't made any real web apps yet, but I have tried that one example you get to show off how it works, and it's the REST version of the example. Oh, and right now I'm using version 2.5.12 because other versions are giving me trouble."

Okay, so SMB has been configured, and it looks like we have users: that's the user K, and the user K also says SMB has been configured, which is where I'm going to be targeting next. Then it tells us "I got Apache set up, I'll be putting in our content later," which makes sense because you can see it tells us it's undergoing maintenance. If we take a look at the comment left by K again for the user J, it looks like K is saying: "I've been auditing the contents of /etc/shadow", which contains passwords on Linux, encrypted or hashed passwords, similar to your SAM database on Windows, "to make sure we don't have any weak credentials, and I was able to crack your hash really easily. It looks like you're using a really old hashing algorithm. You know our password policy, so please follow it, change the password as soon as possible. From K." All right, so it looks like K is a really serious administrator and he's got his stuff done, but of course he hasn't, because he's leaving development notes on the web server. Okay, so that's interesting. So what if we try and access port 8009, which I doubt will give us much because it's using JServ; we might have something to do with 8009 later, I'm not too sure. Yeah, looks like that doesn't load up. Interesting. So we definitely know from here that we have two users, J and K, and we also have SSH running, so we might be able to perform some username enumeration, but I don't think that is something we want to do. Let's just provide the answer to the third question, which is development. So development, like so, and hit submit, and let's see if that is correct. That didn't give me anything back; let's submit again. Let me just try and reload the page here.

Looks like the page doesn't load or give me a response when I enter that. Right, okay, so "please log in"; it looks like my session expired, so I'll just log in. All right, just logged in, and I'll just specify development like so and hit submit. Hopefully this time it works. There we are, the answer is correct. So, "use brute forcing to find the username and password". We need to find the username and password, so if we have SMB running we can pretty much use enum4linux. Now, when we talk about SMB enumeration, enum4linux is pretty much the standard because it lists out the shares and any users we might potentially have. If we were running Windows we would use some of the Windows scripts to list out the various protocols to see if it's vulnerable to EternalBlue, stuff like that. So what we can do now is I'll just say enum4linux and then we specify the information here. Let me just go back into my first session, just exit out of this, sorry, there we are. If we take a look at the help options for enum4linux, we just specify -a and that will do all simple enumeration; this option is enabled by default. So we'll just say sudo enum4linux -a 10.10.28.223, hit enter, and let's see if we can enumerate any more information. I primarily want to see if there are any shares, but let's see what we get; I want to see if there are any users as well, because it's making reference to brute forcing. So we then have to provide the username and the password, and then it says "what service do you use to access the server", and then we need to enumerate the machine to find any vectors for privilege escalation, and "what is the name of the other user you found". Okay, so there are two users, we know that, so it looks like one will give us initial access and we'll find another user on the system.

"If you have found another user, what can you do with this information?" Interesting, okay, we can provide an answer for that. "And what is the final password you obtain?" Okay, so that's interesting. Let's just go back into the results here, and it looks like we get a few results that I was not expecting. Let's just try and run that by default, so it was sudo enum4linux 10.10.28.233. There we are. Let's just wait for it to complete loading; don't jump or make any conclusions yet. So for user enumeration it looks like there's an issue with the script, the Perl script. All right, so it looks like we have a share called anonymous, which pretty much means we can access it, I'm guessing. Let's see if we have any more information here. For the groups, nothing there. Users, I doubt we get anything; the script looks like it has an issue. I think I've also run into this issue before with the enum4linux script, so I'll just wait for this to complete. In the meantime: "logon username, enumerating using the SID, BASIC2\nobody, unknown, unknown". Yeah, so that doesn't look like it's working. So if we take a look at the shares, which is information which is important, you can see for the shares we have anonymous and IPC$ of course. To access this, what we can do is we can mount it, or we can actually just try and use smbclient and just try and log in. So what I'll do is I'll try and log in using smbclient; well, we can actually mount it and then list the files within it, because we're not really running Windows, and I'm pretty much familiar with enumerating on Windows, of course I've done it before on Linux. So what I'll say is smbclient, and then of course you need to provide the IP address, but because we know the share name we can provide the IP and the actual share name. So in this case the IP will be 10.10.28.233 and then we provide the share name, which is anonymous.

Hit enter, and this is asking me for my password. If we say dir, yeah, we get some data within here: we have staff.txt. So what if I say get staff.txt, hit enter. All right, so it looks like that worked, so we can try and see the contents of staff.txt; it's currently stored in my home directory under staff.txt. So we cat the contents of staff.txt and we can see: "Announcement to staff: please do not upload non-work related items to this share. I know it's all in fun, but this is how mistakes happen. This means you too, Jan." So it looks like we get a user Jan and K, which are the two users whose abbreviations were listed on the web server, J and K, so Jan and K. So we know the two users that we can use, and I'm guessing our access vector will be through SSH. What we can do now is we can try brute forcing the password for both accounts, and let's see if we can actually get initial access. So if we take a look at the questions, just so I stay on track: use brute forcing to find the username and password. So let's actually perform that first. To do this I'll just use Hydra. So hydra, and we specify the user, so hydra -l, and we say we will use jan first, and the password list will be under /usr/share/wordlists, and we'll just use rockyou.txt, and this is ssh://10.10.28.233, and I'm guessing that will use the default port. Okay, all right, I have a previous session, let me just skip that, and it's going to begin the brute force process. So I'll start it off with jan first and then of course we'll move on to K. We can actually just hit complete on that one because we're still performing the brute forcing; then of course we need to get the username and password, and then we can try and access it with SSH because these are obviously accounts on the system, and through the share we were able to enumerate and find this staff.txt.

Okay, so that's using smbclient. Right, okay, interesting. So what if I try and access IPC$? We can just say IPC$ here, let's see if we have anything there: smbclient IPC$. That's interesting, why didn't that work? IPC$, right, hit enter. Right, okay, it usually works the other way around. So if we list within, we can see we don't have anything within this directory, so nothing within the IPC$ share. Let's see what else we're able to gather from enum4linux regarding SMB. I don't think there's anything more, but it should have been able to enumerate the users, which is very weird for the SMB server; we know it's running Ubuntu, we know we have two users. Right, okay, I think I need to look into this script and why it doesn't work anymore, because it's been a while since that has been fixed. So what I'm going to do is just wait for this to complete, of course, and in the meantime we can probably take a look at some of the results we got from nmap and some of the questions. Right, so there's nothing much here that's useful. Of course SMB is also available through UDP on port 137, and there is an smb-brute script which can perform some brute forcing, although I don't think I've used that on Linux before, which is weird, because whenever you're dealing with SMB it's primarily going to be on Windows. Of course I'm not saying that's what you'll always find; it's just that Windows has SMB enabled by default, and there's a ton of information you can get from SMB. So I'm just going to pause the video here and just wait for this to complete. If it takes too long we'll try the other user and see how else we can get access, because again, following the structure that's listed out here, we need to find the username and the password.

All right, so the brute force has just completed; that took, I think, about two to three minutes if I'm not wrong, and we can see that the username jan has the password armando. So we can try and log in using those credentials over SSH. So ssh jan@10.10.28.233, we enter in the password armando, hit enter, and we get access to basic2 as the user jan. All right, so we display the operating system information: cat /etc/issue. We can see it's Ubuntu 16.04.4 LTS and the kernel is quite recent, I would suggest that's version 4, which I don't think is vulnerable to any kernel level exploits. Let me just list the directory; it looks like we have lost+found here which we don't have permissions to access, of course. Right, okay, so we can provide the username, which we got was jan, and armando, and we hit submit. Let's see if that works. Right, that works out, and armando, does that work out as well? Okay. So "what service do we use to access the server", SSH, in all caps, we need to provide that in all caps. Okay, that worked as well. So "enumerate the machine to find any vectors for privilege escalation", right, okay, and then "what is the name of the other user", which I think we know already; we were able to tell it was K, which we can actually try and display. But before we do that, cat /etc/passwd, let's see what users we have: jan, tomcat, kay. It looks like those are the only users we have access to, and of course we have the root user, but I don't think we're supposed to escalate to root; that's not listed within the challenge. So that's pretty much all the users, so I think the other user is going to be kay right over here, and /home/kay, that's the user directory. So what I'll do is let's just provide that user here, so that's kay. Looks like that is correct as well. So we only have one last question we need to actually provide an answer to, and that's "what's the final password we will obtain".

Okay, so if I just take a step back, you can see within the home directory; let's see if we can access kay. Indeed we can, and what's pass.bak? cat pass.bak: permission denied. We have .bash_history; let's cat .bash_history. I don't think we have permissions to do that. Can we access .ssh? Looks like we can access .ssh, and we have the private and public key. So let's see if, hopefully, we can cat out the private key, which indeed we can. So I think this is going to be our access vector; of course the access vector is SSH, but we can actually log in using the private key. So let's see if we can actually log in. Again, I'll just reduce my font size here so I can copy the entire private key. So I'll just copy that and bring that back here. Right, okay, so what I'll do is I'll create a file here and we'll just call it id_rsa, and we'll put the contents of that key in here, and chmod, let's just give it the appropriate permissions here, 0400 id_rsa. ssh -i id_rsa, and we're logging in with kay@10.10.28.233, hit enter: "invalid format", and it looks like the private key has a passphrase. Okay, that's interesting. So if we take a look at the public key, cat id_rsa.pub, we get a bit of a comment at the end: "I don't have to type in a long password anymore." All right, so it looks like the SSH key is encrypted with a password. So what we can do is use, let's locate ssh2john, which will allow us to crack this. Does this work natively? Because last time I was performing a CTF on VulnHub I had to actually go to the Python script directly. So I'll just go into /usr and we'll say john, and there we are. All right, so ssh2john, and we then provide the id_rsa which is in our current directory, so that's under Documents, and I put another TryHackMe and Basic Pentesting, and it's id_rsa, and we'll output this into, I will just say key.txt; well, that'll actually give us the hash, so hash.txt. Hit enter, just use sudo. Right, so what am I doing, I need to output this into my Documents as well, so Documents/TryHackMe/Basic Pentesting, hit enter. Let's see if that works out. Okay, I'll go back into my Documents and TryHackMe, Basic Pentesting, there we are, and if I cat the contents of hash.txt, let's just see what we have here.

Yeah, so it looks like a hash, and a very weak one. You can see we have the 1 option here, I believe, within Linux. Let's just perform some research on this: Linux shadow file hash format. Let me just change that to English here. So, Linux shadow file hash format; this will pretty much explain what I want to explain here. When we are cracking this, the option 1 denotes, as it says here, the ID of the algorithm that was used. Typically on newer versions of Linux it pretty much comes with option 6, which is SHA-512. So that means it's MD5, which means we can pretty much crack it with John the Ripper here. So I'll just get out of that and we list the files; we have hash.txt. So we can say john hash.txt, hit enter, and that should automatically detect it. It tells us this is MD5, AES MD5, and we can actually use --wordlist=/usr/share/wordlists/rockyou.txt and hit enter, and let's see whether that is able to crack it. Immediately we get the key for id_rsa, which is beeswax. Okay, so that looks like the key here. So we can pretty much try and use the key to log in: ssh -i id_rsa, and we log in as the user kay@10.10.28.233, and the passphrase is beeswax, I believe. Yeah, we get access to kay. Okay, so that was fairly simple; we were able to perform the privilege escalation, that's the vector for privilege escalation. Okay, so we didn't have to provide an answer there. "If you found another user, what can you do with this information?" We can log in via SSH; complete. "And what is the final password you obtain?" So let's just list the contents here; we have the pass.bak file, so cat pass.bak, and this looks like the password. I'll just copy this and let's see whether this is the password; we put it in there and hit submit, and hopefully that is correct. There we are, so we've completed the room.

So yeah, that was fairly simple; that is Basic Pentesting. I think that's a good introduction into local Linux information gathering, enumeration and privilege escalation. Of course, the thing that I liked about it the most was the fact that it incorporated important aspects of SSH, and I've come across many students who are not aware of how SSH works in regards to the asymmetric encryption aspect of it, where you have the private and the public key and how they can be used to authenticate with each other, and of course the additional security feature implemented with SSH key pairs, which is encrypting the private key with a passphrase. In this case you can see we were able to get the passphrase using ssh2john, which actually gave us the actual hash, and then we were able to crack it that way. Of course, in most cases you're not going to come across accounts that have been secured with MD5, especially on Linux; as I said, most of the latest versions usually come with SHA-512. So if I open up a new session here, this is on my local Kali machine, sudo cat /etc/shadow, open that up. Yeah, so you can see it uses the strongest form of encryption here, which is recommended. But of course this is a very good introduction to pentesting. Let me know what you guys think; I really like these challenges, I think I'll be doing more of the TryHackMe challenges and trying to explain a few more things, giving you a bit of information regarding what I'm doing, some tips and tricks regarding how you can streamline your enumeration process. I'm really interested in improving the amount of information I divulge when it comes down to enumeration, especially when talking about ports like SMB, which some people find quite complicated, but again, hopefully this video shed some light on that. It was a very, very good challenge, and yeah, that's gonna be it for this video, guys. Thank you so much for watching. If you have any questions or suggestions, let me know in the comment section, would love to hear them, and I'll be seeing you in the next video. Peace.

I just want to take a few minutes to thank all our patrons that support us on patreon.com/HackerSploit, so thank you very much, your support is truly appreciated and you really keep us going. So thank you to the patrons: Murph the Surf, Daniel Bork, Jonathan Kyle, Adam Mack, Jamal Guillery, Defean Barry, Jeremy Nikolai, Marihara, Max Ciao, Dustin Empress and Michael Hubbard.
Info
Channel: HackerSploit
Views: 162,242
Keywords: hackersploit, hacker exploit, kali linux, tryhackme, linux, hacking, tryhackme walkthrough, tryhackme review, tryhackme vulnversity, tryhackme basic penetration testing, tryhackme basic pentesting, tryhackme blue, tryhackme learn linux, tryhackme linux, tryhackme king of the hill, tryhackme vulnversity walkthrough, tryhackme openvpn, tryhackme metasploit walkthrough, tryhackme tutorial
Id: a5iQtVBYec4
Length: 30min 19sec (1819 seconds)
Published: Sat Sep 19 2020