{"id":185,"date":"2023-06-14T06:06:46","date_gmt":"2023-06-14T06:06:46","guid":{"rendered":"https:\/\/justatrainingblog.co.uk\/?p=185"},"modified":"2023-06-14T06:06:46","modified_gmt":"2023-06-14T06:06:46","slug":"practice1-thm-easy-basic-pentesting","status":"publish","type":"post","link":"https:\/\/justatrainingblog.co.uk\/?p=185","title":{"rendered":"[PRACTICE1] &#8211; [THM EASY] &#8211; Basic Pentesting"},"content":{"rendered":"\n<p>Now we have a basic understanding of enumeration and basic exploiting, I will be starting on some practice sessions. This is one of the <a href=\"https:\/\/tryhackme.com\/room\/basicpentestingjt\" title=\"\">basic offerings by TryHackMe<\/a> and provides an end goal but not instructions. <\/p>\n\n\n\n<p><strong>Target IP: 10.10.92.53<\/strong><\/p>\n\n\n\n<p class=\"has-text-align-left\"><strong>Objectives:<\/strong><br>1. Find the services exposed by the machine<br>2. Find the hidden directory<br>3. Brute force the username\/password<br>4. Locate privilege Escalation<br>5. Action privilege Escalation <\/p>\n\n\n\n<p><strong><span style=\"text-decoration: underline;\">Lessons Learnt<\/span><\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Introduced to the concept of privilege escalation &#8211; area to note and improve<\/li>\n\n\n\n<li>Wasted a lot of time looking up commands. This will improve with practice but more effective note taking will help. <\/li>\n\n\n\n<li>Needed to look up the hash decoding. More practice required. <\/li>\n<\/ul>\n\n\n\n<p class=\"has-text-align-left\"><br><strong><span style=\"text-decoration: underline;\">Process<\/span><\/strong><\/p>\n\n\n\n<p><strong>Objective 1 &#8211; Find the services exposed by the machine<\/strong><\/p>\n\n\n\n<p>To start we&#8217;ll run a scan of the target IP to see what this unearths. 
<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img fetchpriority=\"high\" decoding=\"async\" width=\"805\" height=\"853\" src=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-36.png\" alt=\"\" class=\"wp-image-192\" srcset=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-36.png 805w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-36-283x300.png 283w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-36-768x814.png 768w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-36-300x318.png 300w\" sizes=\"(max-width: 805px) 100vw, 805px\" \/><\/figure>\n\n\n\n<p>Looks like we have the following ports open:<br>22 &#8211; SSH<br>80 &#8211; HTTP<br>139 &#8211; Netbios (Samba)<br>445 &#8211; Netbios (Samba)<br>8009 &#8211; Apache Server<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><strong><span style=\"text-decoration: underline;\">Objective 2<\/span> &#8211; Find the hidden directory<\/strong><\/p>\n\n\n\n<p>Our likely targets will be either the Apache or Samba server. Let&#8217;s check out the Samba one first. 
<br><strong>enum4linux 10.10.92.53<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"681\" height=\"161\" src=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-37.png\" alt=\"\" class=\"wp-image-193\" srcset=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-37.png 681w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-37-300x71.png 300w\" sizes=\"(max-width: 681px) 100vw, 681px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" width=\"669\" height=\"369\" src=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-38.png\" alt=\"\" class=\"wp-image-194\" srcset=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-38.png 669w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-38-300x165.png 300w\" sizes=\"(max-width: 669px) 100vw, 669px\" \/><\/figure>\n\n\n\n<p>So based on the above we now have the following information:<br>Usernames: kay &amp; jan<br>Workgroup: WORKGROUP<br>Share: Anonymous<\/p>\n\n\n\n<p>The Anonymous share name looks a little suspicious so let&#8217;s try and see if they&#8217;ve failed to disable anonymous access.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"748\" height=\"187\" src=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-39.png\" alt=\"\" class=\"wp-image-195\" srcset=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-39.png 748w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-39-300x75.png 300w\" sizes=\"(max-width: 748px) 100vw, 748px\" \/><\/figure>\n\n\n\n<p>Okay, so that worked and we can see a file named staff.txt.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"660\" height=\"535\" 
src=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-35.png\" alt=\"\" class=\"wp-image-191\" srcset=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-35.png 660w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-35-300x243.png 300w\" sizes=\"(max-width: 660px) 100vw, 660px\" \/><\/figure>\n\n\n\n<p>Seems like Kay isn&#8217;t too happy with Jan but it does suggest that Jan doesn&#8217;t follow best practice in terms of security. Together with the poor share configuration, this suggests there may not be a password policy enforced and Jan&#8217;s password may be susceptible to brute forcing. <\/p>\n\n\n\n<p><span style=\"text-decoration: underline;\">Objective 3 &#8211; Brute Forcing the username\/password<\/span><\/p>\n\n\n\n<p><strong>NOTE: At this point I had to renew the machine, which changes the host IP. The new IP I am working with is: 10.10.32.163<\/strong><\/p>\n\n\n\n<p>So we now have a username and a user who follows poor security practice. 
Loading up Hydra<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"824\" height=\"125\" src=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-40.png\" alt=\"\" class=\"wp-image-196\" srcset=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-40.png 824w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-40-300x46.png 300w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-40-768x117.png 768w\" sizes=\"(max-width: 824px) 100vw, 824px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"675\" height=\"78\" src=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-41.png\" alt=\"\" class=\"wp-image-197\" srcset=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-41.png 675w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-41-300x35.png 300w\" sizes=\"(max-width: 675px) 100vw, 675px\" \/><\/figure>\n\n\n\n<p>Successful result. <\/p>\n\n\n\n<p><strong>Password is: armando<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"644\" height=\"137\" src=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-42.png\" alt=\"\" class=\"wp-image-198\" srcset=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-42.png 644w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-42-300x64.png 300w\" sizes=\"(max-width: 644px) 100vw, 644px\" \/><\/figure>\n\n\n\n<p>From there I checked SSH; there&#8217;s plenty there but nothing that Jan has read\/write permissions to. 
<\/p>\n\n\n\n<p><span style=\"text-decoration: underline;\">Apache Server<\/span><\/p>\n\n\n\n<p>Next checking the web server for hidden directories using Gobuster<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"697\" height=\"277\" src=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-43.png\" alt=\"\" class=\"wp-image-199\" srcset=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-43.png 697w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-43-300x119.png 300w\" sizes=\"(max-width: 697px) 100vw, 697px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-44.png\" alt=\"\" class=\"wp-image-200\" width=\"584\" height=\"388\" srcset=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-44.png 584w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-44-300x199.png 300w\" sizes=\"(max-width: 584px) 100vw, 584px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"724\" height=\"247\" src=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-45.png\" alt=\"\" class=\"wp-image-201\" srcset=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-45.png 724w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-45-300x102.png 300w\" sizes=\"(max-width: 724px) 100vw, 724px\" \/><\/figure>\n\n\n\n<p>Seems like Kay really isn&#8217;t happy with Jan!<\/p>\n\n\n\n<p><span style=\"text-decoration: underline;\">4. Privilege Escalation <\/span><\/p>\n\n\n\n<p>Next up is checking for any vulnerabilities we can use to privilege escalate. For this we will be using LinPeas. 
<\/p>\n\n\n\n<p>At this point I&#8217;ve been at this for 6+ hours so apologies if I didn&#8217;t scroll up for the permissions change, transfer and running of the script. The results tell us a lot but the most interesting thing is: <\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"429\" height=\"73\" src=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-47.png\" alt=\"\" class=\"wp-image-203\" srcset=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-47.png 429w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-47-300x51.png 300w\" sizes=\"(max-width: 429px) 100vw, 429px\" \/><\/figure>\n\n\n\n<p>Looks like a private key for Kay. <\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"45\" src=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-48-1024x45.png\" alt=\"\" class=\"wp-image-204\" srcset=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-48-1024x45.png 1024w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-48-300x13.png 300w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-48-768x34.png 768w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-48-1536x67.png 1536w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-48-850x37.png 850w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-48.png 1890w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<p>The key is password protected so it&#8217;s time to crack the hash<\/p>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"351\" height=\"66\" src=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-49.png\" alt=\"\" class=\"wp-image-205\" 
srcset=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-49.png 351w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-49-300x56.png 300w\" sizes=\"(max-width: 351px) 100vw, 351px\" \/><\/figure>\n\n\n\n<p>Ran ssh2john.py and created a new text file for the hash. Then plugged it through John. <\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"772\" height=\"206\" src=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-50.png\" alt=\"\" class=\"wp-image-206\" srcset=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-50.png 772w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-50-300x80.png 300w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-50-768x205.png 768w\" sizes=\"(max-width: 772px) 100vw, 772px\" \/><\/figure>\n\n\n\n<p>And we now have a password! Plug it into SSH with the RSA_ID and we&#8217;ll have full access to a sudo account. <\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"538\" height=\"240\" src=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-51.png\" alt=\"\" class=\"wp-image-207\" srcset=\"https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-51.png 538w, https:\/\/justatrainingblog.co.uk\/wp-content\/uploads\/2023\/06\/image-51-300x134.png 300w\" sizes=\"(max-width: 538px) 100vw, 538px\" \/><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>Now we have a basic understanding of enumeration and basic exploiting, I will be starting on some practice sessions. 
This&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_mi_skip_tracking":false,"footnotes":""},"categories":[6,3],"tags":[],"class_list":["post-185","post","type-post","status-publish","format-standard","hentry","category-practice","category-tryhackme"],"acf":[],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/185","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=185"}],"version-history":[{"count":1,"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/185\/revisions"}],"predecessor-version":[{"id":208,"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=\/wp\/v2\/posts\/185\/revisions\/208"}],"wp:attachment":[{"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=185"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=185"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/justatrainingblog.co.uk\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=185"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}