Basic Pentesting: TryHackMe [Easy]
A penetration testing also known as pentest, is an authorized simulated cyberattack on a computer system, network or web application to identify security weaknesses and vulnerabilities. The goal of a pentest is to evaluate the security of the system and provide recommendations to fix the identified vulnerabilities before a real attacker exploits them.
A penetration test target may be a:
- White box: the hacker will have full knowledge of the target and its expected behavior.
- Black box: the hacker is not given any information about the inner workings of the target, they are auditing.
- Gray box: This is a combination of the white and black box. In this scope, the hacker has a limited knowledge of the target.
In this walkthrough, we are going to see how a basic penetration testing works step by step. We’ll explore the following points:
- Brute forcing
- Hash cracking
- Service enumeration
- Linux Enumeration
NOTE: This room doesn’t require you to have a paid version of TryHackMe. You only need to create an account on the platform, and that’s it.
Well, after launching your Attackbox and the target machine, take your cup of coffee ☕️ and let’s get started :)
Answer the questions below
1°) Deploy the machine and connect to our network ✅
2°) Find the services exposed by the machine ✅
One way to find the services exposed by the machine consists of using Nmap which is a powerful and versatile tool for network exploration and security auditing that can be used for host discovery, port scanning, service and OS detection, and so on.
Here we’ll use Nmap to perform a port scanning on our target network.
Nmap Port Scanning
For that, we will run a Nmap TCP Syn Scan:
We can notice that there are six open ports on the target system which is great.
One of Nmap’s biggest strength is NSE scripts (Nmap Scripting Engine) which allows us to run scripts written in Lua programming language. These scripts can be used for a variety of things: from scanning for vulnerabilities, to automating exploits for them. They are generally located in /usr/share/nmap/scripts directory.
In the Nmap command above, we used -sC option which runs Nmap default scripts against our target. When using this option, Nmap will attempt to query running services for further information about the network (e.g. query a web server for its header, supported method and title).
While this is useful, you may need sometimes to perform further enumeration on a specific service in order to gather more juicy information.
That’s what we are going to delve into the next section.
Services Enumeration
In this section, we will try to do further enumeration on services such as HTTP and SMB which can sometimes have several security misconfigurations if not properly configured.
To do that, we are going to use tools such as Nikto and enum4Linux.
HTTP Enumeration
Before jumping to any HTTP Enumeration, let’s try first to display the webpage in our browser.
As you can see, we only got a text saying that the website is undergoing maintenance and that we need to check back later. No more information.
Nevertheless, after inspecting the webpage (on the right side of the figure above), we can notice that there is a strange comment, saying to check a so-called dev note section.
Though this is pretty awkward, let’s keep it in our notes; it could be useful.
Now it’s time to use Nikto against our target’s web server.
Nikto is a free and open-source web server scanner that is used to identify potential vulnerabilities in web servers and web applications.
The -h option is used to specify the target’s url, while the -o option is used to write the output in a specified file.
As you probably notice, Nikto returned a bunch of juicy information such as the web server version and some directories that might be interesting to take a look at.
In addition to running Nikto, we can run another tool that can be used for web directory/file discovery called Gobuster.
Talking about it, let’s give it a try. After all, who knows 🤷♂️?
Maybe, we can come across other interesting information.
To use gobuster, we will run the following command:
Let’s break down the gobuster command used above: gobuster dir -t 20 --random-agent -r -u $TARGET_URL -w $wordlist -o gobuster.txt
gobuster dir: uses directory/file enumeration mode-t: number of concurrent threads (10 by default)--random-agent: use a random user-agent-r/--follow-redirect: follow redirects-u/--url: the target URL-w/--wordlist: Path to the wordlist
NOTE📝: To change the default timeout, you can use the --timeout option followed by the value you want (the default value is 10s).
Here, Gobuster returned the same directories to us like Nikto. However keep in mind that depending on the wordlist you used, it can return different results.
3°) What is the name of the hidden directory on the web server(enter name without /)?
Answer:
/development/✅
Well, after running Nikto and Gobuster, let’s take a look at this mysterious /development/ directory. Can’t wait to see what is behind it 🫣
Hmmm, dev? This word reminds me about something 🤔?
Yesss! The comment that we saw while inspecting the webpage’s source code. Seems that the web developer was referring to this file.
Let’s check its content:
This text looks like two people (-K and -J), having a conversation. Moreover, they also mentioned things like SMB and Apache server during the conversation.
Well, let’s check the other file /development/j.txt
Interesting, looks like -J doesn’t respect the password policy and he’s using a weak password which is easily crackable.
Now that we have ended with the web server enumeration, let’s do the same on the SMB server.
SMB Enumeration
To enumerate the SMB server, we will use enum4linux which is the Linux alternative to enum.exe for enumerating data from Windows and Samba hosts.
Let’s run it and see what we get.
Let’s break down the enum4linux -U -S -G $TARGET_IP command used for the SMB server enumeration:
-U: get a userlist-S: get a sharelist-G: get the group and the member list$TARGET_IP: the target ip address.
NOTE📝: If you don’t want to memorize all these options, you can use enum4linux -a $TARGET_IP which will do all simple enumeration.
As you probably notice, we found an anonymous account. An anonymous account is a user account that can access shared folders and files on an SMB server without providing any authentication information.
Furthermore, we also found a share, called Anonymous that can be read by anyone.
Let’s explore this share using the smbclient command:
Super!! We found two names (Jan and Kay) that are surely the complete name of -K and -J, we earlier found during the web server enumeration.
Let’s now try to use all the information we gathered during the enumeration in order to get our first initial access to the target system.
Exploitation
In this phase, we will try to exploit the potential attack vectors found during the enumeration phase.
The goal of the exploitation phase is to gain an initial access to the target system. In other words, we’ll try to find an entry point to the target system.
To do that, we can try to brute-force an account or exploit a web application vulnerabilities (SQL injection, Cross Site Scripting, etc…).
Knowing that the target’s SSH port is open and that we have a pair of usernames we can first try to perform a brute force attack.
Brute-Forcing SSH credentials
One of the most reliable ways to gain SSH access to servers is by brute-forcing credentials.
This can be done using various ways: Metasploit’s ssh_login module (auxilliary/scanner/ssh/ssh_login), Hydra or Nmap NSE.
To learn more about SSH brute-force techniques, you can check out this article.
In our case, we are going to use Nmap Sacripting Engine in order to learn about Nmap other features. Feel free to use the method with which you are comfortable.
NOTE📝: I used this method only for demonstration purposes. However, it takes lots of time before cracking the password. Generally, it could be better to use tools such Hydra (hydra -t 20 -L users.lst -P $wordlist -vV -f ssh://$TARGET_IP) which allows you to specify the number of threads.
Here we can see that we found a NSE ssh script called ssh-brute.nse.
Let’s see how it works, using nmap --script-help ssh-brute or nmap --script-help ssh-brute.nse commands:
Now, let’s launch our brute-forcing attack.
I used here jan and kay as our user list and rockyou.txt as our password list.
WooHoo \o/ !! We got a pair of valid SSH credentials. Let’s answer the following questions.
4°) User brute-forcing to find the username & password ✅
5°) What is the username?
Answer: Jan ✅
6°) What is the password?
Answer: Armando ✅
7°) What service do you use to access the server(answer in abbreviation in all caps)?
Answer: SSH ✅
The question now, is to know what we can do with that?
Well, let’s first try to get an initial foothold to the target system.
An initial foothold is when an attacker gains access to a target system or network. This stage is often referred to as the “entry point” or “initial access” stage.
For that, we’ll use the following ssh command:
ssh jan@$TARGET_IP , then hit enter and specify the password we found.
After specifying the password, you may notice that the prompt changed, as you can see on the figure below:
Excellent! Now, let’s see what juicy information we can get from this account. For that we need to perform a new enumeration on the target system. This can help us to discover software vulnerabilities or security misconfigurations or even non protected sensitive information.
For instance, we can manually enter some basic commands like:
Hmmm :/
Seems that jan doesn’t have enough privileges. We can even notice that his own home directory is owned by root. In addition to that, he is only member of his own group (jan).
Therefore, we need to find other ways to escalate our privileges.
That’s what we are going to explore in the next section.
Privilege Escalation
A privilege escalation is a post-exploitation step that consists of obtaining higher levels of access to a computer system or network than what is normally intended or allowed by the system administrator.
Privilege escalation can be split into two types:
- Vertical Privilege Escalation: A threat actor tries to gain access to account with higher privileges than the account he‘s already compromised. For instance, getting access to root account using a standard account.
- Horizontal Privilege Escalation: A threat actor tries to gain access to accounts with similar or lower privileges than the account he’s already compromised. For instance, getting access to another standard account from a standard account.
To learn more about privilege escalation, you can check out this article.
That was lots of talk. Let’s now start interesting things.
Knowing that the target system is running GNU/Linux (Ubuntu), we will look for well-known privileges escalation related to this OS.
NOTES📝:
- Privilege escalation can be done manually by looking for kernel exploits, writable files inside the PATH variable, Cron jobs misconfiguration, set SUID and GUID special bits and so on.
- However, knowing that time is money, we can rather opt for automated tools such as LinEnum, LinPeas, WinPeas which are going to check all these information automatically for us. That’s what we are going to use in our case. Nevertheless, if you want to learn manual privilege escalation, you can check out this TryHackMe room.
8°) Enumerate the machine to find any vectors for privilege escalation ✅
LinEnum
LinEnum is a bash script used to automate privilege escalation process on GNU/Linux systems.
To use it, we need first to download it.
Warning ⚠️: Knowing that jan’s machine doesn’t have access to the Internet, we are going to first download LinEnum on our system, then use a Python HTTP web server to make it downloadable by jan. Here is how we must proceed:
Super! Let’s now execute LinEnum on the jan’s system.
In the USER/GROUP section, the following information caught my eye:
Indeed, there is a second user named kay who is member of the sudo group. This sounds very interesting.
However, let’s take a few minutes to the following questions before moving forward.
9°) What is the name of the other user you found(all lower case)?
Answer: kay ✅
10°) If you have found another user, what can you do with this information?
Answer: We can try bunch of things like brute forcing the user’s account, try to find interesting information stored in his home directory and so on.
Knowing that this is not /home/kay is not our home directory, we’ll first use the find command to get all the files and directories inside kay’s home directory (/home/kay), that are readable by other users like us.
Hmmm, sounds great! We got some interesting files and directories such as .bashrc, .ssh, and .ssh/id_rsa.
Whatttttttt? .ssh/id_rsa ????
Yeah, yeah, you are not hallucinating guys 😁.
Now we need to make a plan.
First, we’ll copy kay’s ssh private key on our attacking machine, then we’ll try to access kay’s account using his private key and finally from his account, we’ll try to get access to root privileges knowing that he is part of the sudo group.
Let’s get our hands dirty :)
We will use scp to copy the ssh private key in our machine.
To display the IP address of the target machine, you can use the following command:
ip addr show eth0/tun0
Excellent! Let’s now try to log in to kay’s account:
It seems that ssh doesn’t take our private key into consideration during the authentication phase. This happens because normally the private key should only be readable and writable by the owner of the key. In our case, you can see that though the private key is readable by the owner it is also readable by the group and other users.
Therefore, we need to use the chmod command to change that in order to be able to use SSH private key authentication:
Too bad, the key is protected by a password. This requires us to brute-force the ssh private key’s password in order to get access to jay’s account.
To do that, we are going to use a tool called JohnTheRiper.
Hoorah 🎉, we’ve been able to crack the private key’s password. Let’s try now to log in to jay’s account:
After successfully logged in to Jay’s account, we can take a look to the different files by using ls -la or ls commands. After doing that, we can see a file with an interesting name: pass.bak. When taking a look at this file’s content, we can see a text which is nothing else than the flag for the last question.
10°) What is the final password you obtain?
Answer: heresareallystrongpasswordthatfollowsthepasswordpolicy$$
Well done guys 👏👏!!!
Let’s now sum up all the things we’ve seen in this article.
Let’s recap!
In this article, we learnt the basics of how a penetration testing works.
For that, we went through the following steps:
- Enumeration: In this step we tried to find the exposed services on the target machine using Nmap and perform further enumeration on these services using tools such as Nikto, Gobuster (for web server) and enum4linux (for SMB server).
- Exploitation: Once we’ve done with the enumeration phase, we used Nmap Script Engine (NSE) to brute force SSH credentials.
- Privilege Escalation: After gaining our initial access to the target system, we automated our privilege escalation process using LinEnum. We got some interesting information like kay’s ssh private key that we then cracked the password using JohnTheRiper in order to get access to his account. After we got access to his account, we found the flag that allowed to complete this CTF.
Overall, this is really a good start with penetration testing. However in real scenario, you will first sign a Rule Of Engagement (ROE) with the company that hired you. This is an official document that can be used to prove that you were allowed to perform a penetration testing on a specific perimeter of the company’s information system.
Last but not least, as a pentester, you need to write a vulnerability report in order to detail the security weaknesses you discovered during your vulnerability assessment. Indeed, this will help the company to fix these vulnerabilities.
That’s all guys! Hope you learnt something guys!
Do not forget to click on the the little clap icon below if you enjoyed the content.
Furthermore, thanks for subscribing to my newsletter to keep up with my latest articles.
