Basic Pentesting Writeup - TryHackMe

Getting Started

This machine is designed to help you practice web application exploitation and Linux privilege escalation. After deploying the machine, you’ll be provided with a vulnerable machine IP. This is a grey-box assessment; the only information provided is the company name and the server’s IP.

Start by pinging the deployed machine or use an Nmap host discovery scan to ensure it’s up.

[image: ping output]

Use the following Nmap scan to enumerate services:

[image: Nmap scan command]

The scan reveals 7 open ports:

[image: Nmap scan result]


Web Enumeration

Visit port 80, and you’ll see:

[image: web page on port 80]

Inspect the page source to find a comment:

[image: HTML comment in page source]

Run directory busting on port 80 to find hidden files:

[image: directory busting output]

Discovered files: dev.txt and j.txt

[image: /development directory listing]

dev.txt content:

[image: dev.txt content]

j.txt gives a hint that J uses a weak password:

[image: j.txt content]

Q1: What is the name of the hidden directory on the web server (enter name without /)? Ans: development


SMB Enumeration

List available shares using smbclient:

[image: smbclient share listing]

Connect to the anonymous share and download staff.txt:

[image: Anonymous share contents]

staff.txt reveals J’s username: jan

[image: staff.txt content]

Q2: What is the username? Ans: jan


Brute Forcing SSH Login

Use Hydra to brute force Jan’s SSH password:

    hydra -l jan -P rockyou.txt ssh://<MACHINE_IP> -I -F -V

Successful login found:

[image: Hydra result]

Q3: What is the password? Ans: armando
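A defensive counterpart to this step, added here and not part of the original writeup: a small Python detector that flags the trace a Hydra run leaves in sshd's auth log (a burst of failed password attempts from one source, followed by an accepted login). The log lines, hostnames and IP addresses are constructed samples.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth.log lines (not from the original post).
SAMPLE_LOG = """\
Sep 16 10:00:01 ubuntu sshd[1201]: Failed password for jan from 10.10.14.5 port 51234 ssh2
Sep 16 10:00:02 ubuntu sshd[1203]: Failed password for jan from 10.10.14.5 port 51236 ssh2
Sep 16 10:00:02 ubuntu sshd[1205]: Failed password for jan from 10.10.14.5 port 51238 ssh2
Sep 16 10:00:03 ubuntu sshd[1207]: Failed password for jan from 10.10.14.5 port 51240 ssh2
Sep 16 10:00:03 ubuntu sshd[1209]: Failed password for invalid user admin from 10.10.14.5 port 51242 ssh2
Sep 16 10:00:04 ubuntu sshd[1211]: Accepted password for jan from 10.10.14.5 port 51244 ssh2
Sep 16 10:05:00 ubuntu sshd[1300]: Accepted publickey for kay from 10.10.14.7 port 40000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse(line):
    # Return a dict for an sshd login event, or None for unrelated lines.
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
    return ev

def detect_bruteforce(log_text, threshold=4, window_seconds=60):
    # Flag IPs with >= threshold failed logins in a sliding window; note a later success.
    failures = defaultdict(list)  # ip -> [(timestamp, username)] inside the window
    alerts = {}
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        failures[ip] = [(t, u) for t, u in failures[ip]
                        if (ts - t).total_seconds() <= window_seconds]
        if ev["result"] == "Failed":
            failures[ip].append((ts, ev["user"]))
            if len(failures[ip]) >= threshold:
                a = alerts.setdefault(ip, {"success_as": None})
                a["failed"] = len(failures[ip])
                a["users"] = {u for _, u in failures[ip]}
        elif ip in alerts and failures[ip]:
            alerts[ip]["success_as"] = ev["user"]  # the guessed password worked
    return alerts
```

An accepted login immediately after a flagged burst is the event worth paging on; a burst with no success is the signal to rate-limit or ban the source.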

SSH into the machine as Jan and check /etc/passwd to find another user: kay

[image: /etc/passwd content]

Q4: What service do you use to access the server? (abbreviation, all caps) Ans: SSH

Q5: What is the name of the other user you found? (all lowercase) Ans: kay


Privilege Escalation

In Kay’s home directory, there’s a file pass.bk, but no read permission:

[image: pass.bk permission denied]

List hidden files. A .ssh directory is present, which may contain Kay's private key:

[image: ls -la output]

id_rsa (Kay’s private key) is found:

[image: id_rsa private key]

Save the key and convert it into a format John can crack:

[image: output.txt hash]

Use John to brute-force the passphrase:

[image: John cracking output]

Login as Kay using the cracked private key and passphrase. You now have access to pass.bk:

[image: pass.bk content]

Q6: What is the final password you obtain? Ans: heresareallystrongpasswordthatfollowsthepasswordpolicy$$


  • Brute-forced private key passphrases
  • Gained root through SSH and file analysis

Nice work reaching the end!



https://blog.hanzalaghayasabbasi.com/posts/basic-pentesting/
Author: Hanzala Ghayas Abbasi
Published at: 2023-09-16
License: CC BY-NC-SA 4.0