Annette Shajan

CTF Writeup - THM: Basic Pentesting


Setup

I used the default AttackBox machine that TryHackMe provides for this CTF; it is straightforward to start up.

After logging in, I first add the IP address 10.10.121.46 to /etc/hosts as basic.thm so that I can reach the target by name.

Enumeration

Nmap

I started an nmap scan against basic.thm with default scripts and version detection: nmap -sC -sV basic.thm

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 db:45:cb:be:4a:8b:71:f8:e9:31:42:ae:ff:f8:45:e4 (RSA)
| 256 09:b9:b9:1c:e0:bf:0e:1c:6f:7f:fe:8e:5f:20:1b:ce (ECDSA)
|_ 256 a5:68:2b:22:5f:98:4a:62:21:3d:a2:e2:c5:a9:f7:c2 (EdDSA)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| ajp-methods:
|_ Supported methods: GET HEAD POST OPTIONS
8080/tcp open http Apache Tomcat 9.0.7
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.7
MAC Address: 02:8B:26:3B:23:2B (Unknown)
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel

It shows several open ports with services of note: SSH, HTTP (Apache and Tomcat) and Samba.

Web

On visiting the website basic.thm, it seems to be down and no links are provided. I used gobuster to brute-force directory names and found /development. Accessing basic.thm/development shows two files: dev.txt and j.txt. The first has some info about SMB, and j.txt talks about /etc/shadow not being secure.

Samba

Let's check out Samba.

Use enum4linux, a tool to enumerate Samba users and shares.

We find kay and jan as usernames.

Since we know that jan's password is weak, we can try to brute-force her SSH login with hydra:

hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.121.46

[22][ssh] host: 10.10.121.46 login: jan password: armando
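From the target's side, the hydra run above leaves a dense burst of failed sshd logins followed by a success in the auth log. As an added example that is not part of the writeup, this Python snippet parses such lines and flags the pattern; the log excerpt, source IPs and timestamps are constructed, with the user and host name mirroring the step above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd log excerpt (not from the writeup); user/host mirror the hydra step, IPs are made up.
SAMPLE_AUTH_LOG = """\
Apr 12 10:15:01 basic2 sshd[1201]: Failed password for jan from 10.10.14.7 port 51000 ssh2
Apr 12 10:15:01 basic2 sshd[1203]: Failed password for jan from 10.10.14.7 port 51002 ssh2
Apr 12 10:15:02 basic2 sshd[1205]: Failed password for jan from 10.10.14.7 port 51004 ssh2
Apr 12 10:15:02 basic2 sshd[1207]: Failed password for invalid user admin from 10.10.14.7 port 51006 ssh2
Apr 12 10:15:03 basic2 sshd[1209]: Failed password for jan from 10.10.14.7 port 51008 ssh2
Apr 12 10:15:03 basic2 sshd[1211]: Accepted password for jan from 10.10.14.7 port 51010 ssh2
Apr 12 10:40:00 basic2 sshd[1300]: Failed password for kay from 192.168.1.9 port 40000 ssh2
Apr 12 10:41:30 basic2 sshd[1302]: Accepted publickey for kay from 192.168.1.9 port 40002 ssh2
"""

# One pattern covers both failed and accepted sshd authentication lines.
AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$"
)

def parse_events(log_text, year=2024):
    """Turn sshd lines into (timestamp, outcome, user, src_ip) tuples."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_RE.match(line)
        if m:  # syslog timestamps carry no year, so one is supplied
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["outcome"], m["user"], m["src"]))
    return events

def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Alert per source IP once `threshold` failures fall inside `window`;
    also record the first successful login from that IP after the burst."""
    by_src = defaultdict(list)
    for ev in sorted(events):
        by_src[ev[3]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        fails = [ts for ts, outcome, _, _ in evs if outcome == "Failed"]
        for i in range(len(fails) - threshold + 1):
            if fails[i + threshold - 1] - fails[i] <= window:
                success = next((u for ts, o, u, _ in evs
                                if o == "Accepted" and ts >= fails[i]), None)
                alerts[src] = {"failures": len(fails), "then_accepted_as": success}
                break
    return alerts
```

The single failure from 192.168.1.9 stays below the threshold, while the burst from 10.10.14.7 is reported together with the account it ended up logging in as.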

SSH

We have the SSH password of jan!

After logging in as jan, you don't find many accessible files.

You see the other users' home directories when you cd .. to the parent directory.

You can enter kay's home directory.

Running ls there shows pass.bak.

But you can't read it as jan.

You also see a .viminfo file, which makes you wonder…

vi pass.bak

voila!

heresareallystrongpasswordthatfollowsthepasswordpolicy$$

Alternate method: find kay's SSH private key and use it to log in as kay over SSH. The key requires a passphrase; use John the Ripper to crack it.

Log in and open pass.bak.