# THM Room CC: Pentesting

<figure><img src="https://tryhackme-images.s3.amazonaws.com/room-icons/508c722566ba8b693513ebf1fb37b379.png" alt=""><figcaption></figcaption></figure>

## Task: 24 Final Exam

First, export the machine IP to a shell variable so we don't need to keep retyping it.

```bash
export ip=10.10.181.166
```

**Nmap Scan**

Now we run an Nmap scan to find out which services are running on the target, using the following command.

```bash
$ sudo nmap -sCV  -v -oN nmap/initial $ip
```

After the scan, we got the following result.

**Total Open Ports**

```
Port    Service    Version
22      ssh        OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80      http       Apache httpd 2.4.18 ((Ubuntu))
```

From the result we learn that two services are running on the target: `ssh` and `http`, both of which are useful to us. `http` being open means the target hosts a website, and `ssh` being open means we can log in remotely if we obtain valid credentials.
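The Nmap result above is what a pentester reads by eye; a defender keeping an inventory wants it as structured data and wants to know when a new port appears. The following is an added example, not code from the original writeup: it parses the port table of an nmap normal-output (`-oN`) file and diffs two scans. The scan text is constructed to mirror the two services on the page (the raw `nmap/initial` file is not on the page), and the `BASELINE_SCAN` with only SSH open is an invented earlier snapshot.

```python
"""Turn an nmap normal-output (-oN) file into a structured service inventory
and diff two scans to spot newly exposed ports. Added example; not part of
the original writeup. The scan text below is constructed to mirror the two
services reported on the page."""
import re
from typing import Dict, List

# Constructed sample in nmap's normal-output layout (the page does not include
# the raw nmap/initial file). Assumes the stock "PORT STATE SERVICE VERSION" table.
CURRENT_SCAN = """\
Nmap scan report for 10.10.181.166
Host is up (0.045s latency).
PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 aa:bb:cc:dd (RSA)
80/tcp  open   http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
443/tcp closed https
"""

# Constructed earlier baseline of the same host with only SSH listening.
BASELINE_SCAN = """\
Nmap scan report for 10.10.181.166
PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
"""

# One port line: "<port>/<proto> <state> <service> [version...]".
PORT_LINE = re.compile(
    r"^(?P<port>\d{1,5})/(?P<proto>tcp|udp)\s+"
    r"(?P<state>open\|filtered|open|closed|filtered)\s+"
    r"(?P<service>\S+)\s*(?P<version>.*)$"
)


def parse_nmap_normal(text: str) -> List[Dict[str, str]]:
    """Return one record per port line; NSE script output ('|' lines) is skipped."""
    records = []
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if m:
            records.append({k: v.strip() for k, v in m.groupdict().items()})
    return records


def open_ports(text: str) -> List[Dict[str, str]]:
    return [r for r in parse_nmap_normal(text) if r["state"] == "open"]


def new_exposures(baseline: str, current: str) -> List[Dict[str, str]]:
    """Open ports present in `current` but not in `baseline` (attack-surface drift)."""
    seen = {(r["port"], r["proto"]) for r in open_ports(baseline)}
    return [r for r in open_ports(current) if (r["port"], r["proto"]) not in seen]


if __name__ == "__main__":
    for r in open_ports(CURRENT_SCAN):
        print(f"{r['port']}/{r['proto']} {r['service']:<6} {r['version']}")
    for r in new_exposures(BASELINE_SCAN, CURRENT_SCAN):
        print("NEW since baseline:", r["port"], r["service"])
```

Run against a real `-oN` file by reading it into `CURRENT_SCAN`; the version column is what you would feed into a vulnerability lookup, and the `new_exposures` diff is the check to schedule after every change window.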

We don't have valid credentials yet, so we focus on the `http` service first. Browsing the site turned up nothing interesting, so we start directory fuzzing to find any hidden directories.

**Directory Scan on the Web Server**

We can use the `ffuf` tool to fuzz for hidden directories with the following command.

```bash
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt:FUZZ -u http://$ip/FUZZ -e .txt,.html
```

* `-w` is used to specify a wordlist
* `-u` is used to specify the target site URL
* `-e` is used to specify the file extension to search

Using the above command we found the following interesting hidden directory and file.

**Hidden Directory**

```
/secret
secret.txt
```

We also found the server has the following file extensions in use.

**Common extension found**

```
html
txt
```

You can also use `gobuster` to find hidden directories with the following command.

```bash
$ gobuster dir -x html,php,phtml,txt,json,md -u http://$ip/secret -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
```

* `dir` is used to specify we are doing directory fuzzing
* `-x` is used to specify file extensions to look at
* `-u` is used to specify the target URL
* `-w` is used to specify a wordlist

So the `gobuster` scan of `/secret` with the extensions `html`, `php`, `txt`, etc. found the `secret.txt` file, which we can open in the browser at `http://$ip/secret/secret.txt`.
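Every request `ffuf` or `gobuster` sends lands in the web server's access log, and the pattern is unmistakable: one client producing a burst of 404s. The following is an added example, not part of the original writeup, showing detection logic for that pattern over Apache combined-format log lines. The log lines are constructed; the fuzzing client `10.10.14.9`, the browsing client `10.10.14.5`, and the `fuzzer/1.0` User-Agent are all invented values, not claims about any tool's defaults.

```python
"""Flag directory brute-forcing (ffuf/gobuster style) in Apache combined-format
access logs: many 404s from one client inside a short window. Added example;
not from the original writeup. Log lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Optional

# Apache "combined" log format; the fields below are the standard ones.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one browsing client (10.10.14.5) and one fuzzing client
# (10.10.14.9). "fuzzer/1.0" is a constructed stand-in User-Agent.
SAMPLE_LOG = """\
10.10.14.5 - - [10/Oct/2020:13:55:36 +0000] "GET / HTTP/1.1" 200 11321 "-" "Mozilla/5.0"
10.10.14.9 - - [10/Oct/2020:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 11321 "-" "fuzzer/1.0"
10.10.14.9 - - [10/Oct/2020:13:55:40 +0000] "GET /images HTTP/1.1" 404 275 "-" "fuzzer/1.0"
10.10.14.9 - - [10/Oct/2020:13:55:41 +0000] "GET /download HTTP/1.1" 404 275 "-" "fuzzer/1.0"
10.10.14.9 - - [10/Oct/2020:13:55:41 +0000] "GET /2006 HTTP/1.1" 404 275 "-" "fuzzer/1.0"
10.10.14.9 - - [10/Oct/2020:13:55:42 +0000] "GET /news HTTP/1.1" 404 275 "-" "fuzzer/1.0"
10.10.14.9 - - [10/Oct/2020:13:55:42 +0000] "GET /crack HTTP/1.1" 404 275 "-" "fuzzer/1.0"
10.10.14.9 - - [10/Oct/2020:13:55:43 +0000] "GET /secret HTTP/1.1" 301 312 "-" "fuzzer/1.0"
10.10.14.5 - - [10/Oct/2020:13:56:02 +0000] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line into a dict (None if it does not match)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def detect_bruteforce(lines, threshold=5, window=timedelta(seconds=60)) -> Dict[str, dict]:
    """Return {ip: details} for clients with >= threshold 404/403s inside any window."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        misses = sorted((r for r in recs if r["status"] in ("404", "403")),
                        key=lambda r: r["time"])
        # Sliding window: any `threshold` consecutive misses within `window` triggers.
        for i in range(len(misses) - threshold + 1):
            if misses[i + threshold - 1]["time"] - misses[i]["time"] <= window:
                flagged[ip] = {
                    "misses": len(misses),
                    "user_agents": sorted({r["ua"] for r in recs}),
                    # Non-miss responses from a flagged client show what the scan found.
                    "hits": [r["path"] for r in recs if r["status"] not in ("404", "403")],
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

The `hits` list is the part an incident responder cares about: it records which paths the scanner actually found (here `/secret`), which tells you what was exposed rather than just that a scan happened. Tune `threshold` and `window` to the site's normal 404 rate before alerting on it.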

The `secret.txt` file has the following content.

```txt
nyan:046385855FC9580393853D8E81F240B66FE9A7B8
```

This looks like a username and a password hash; if we crack the hash, we can use the credentials to connect over SSH. We can crack it on the `crackstation` website, or locally with `john` or `hashcat`.

After cracking, the password turns out to be `nyan`, so now we have a username and password:

```
Username = nyan
password = nyan
```
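The reason this hash fell so quickly is worth spelling out. The value in `secret.txt` is 40 hex characters, the length of a bare SHA-1 digest, with no salt and no work factor, so checking any candidate password is a single hash call and identical passwords always produce identical digests. The following is an added example, not code from the original writeup: it identifies the digest type by length, shows the one-call check that crackers perform per guess, and contrasts it with salted PBKDF2 storage. `PAGE_HASH` is the digest from the page; everything else is illustrative.

```python
"""Why the secret.txt credential was so easy to recover: the value is an
unsalted hex digest, so one hashlib call checks any candidate password and
identical passwords hash identically. Added example; not part of the original
writeup. Contrasts with salted PBKDF2 as the mitigation."""
import hashlib
import hmac
import os

# Digest taken from the page's secret.txt (hex, 40 characters).
PAGE_HASH = "046385855FC9580393853D8E81F240B66FE9A7B8"

# Bare hex digest lengths for common unsalted algorithms.
HEX_DIGEST_NAMES = {32: "MD5", 40: "SHA-1", 64: "SHA-256", 128: "SHA-512"}


def identify_hex_digest(value: str):
    """Guess the algorithm of a bare hex digest from its length (None if not hex)."""
    value = value.strip()
    if value and all(c in "0123456789abcdefABCDEF" for c in value):
        return HEX_DIGEST_NAMES.get(len(value))
    return None


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode()).hexdigest()


def matches_sha1(stored_hex: str, candidate: str) -> bool:
    """Check one candidate against an unsalted SHA-1 digest (one call per guess)."""
    return hmac.compare_digest(stored_hex.lower(), sha1_hex(candidate))


# Hardened storage: per-user random salt and a deliberately slow KDF, so a
# leaked record cannot be checked against a lookup table or matched across users.
def pbkdf2_store(password: str, iterations: int = 600_000) -> str:
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(stored: str, candidate: str) -> bool:
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    print("secret.txt digest looks like:", identify_hex_digest(PAGE_HASH))
    print("candidate 'nyan' matches page digest:", matches_sha1(PAGE_HASH, "nyan"))
    # Same password stored twice: SHA-1 records collide, PBKDF2 records do not.
    print("sha1 identical:", sha1_hex("nyan") == sha1_hex("nyan"))
    print("pbkdf2 identical:", pbkdf2_store("nyan") == pbkdf2_store("nyan"))
```

The last two prints are the whole lesson: with unsalted SHA-1, one precomputed table answers every leaked record, while with PBKDF2 each record must be attacked separately and each guess costs hundreds of thousands of hash iterations.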

So we SSH to the target with:

```bash
$ ssh nyan@$ip
```

Now that we have initial access to the target machine, we can read the `user.txt` file, which is our first flag.

```bash
$ cat user.txt
```

With initial access, the next step is privilege escalation. We use the following command to check whether the current user has any `sudo` permissions.

```bash
$ sudo -l
```

The output shows we can run the `su` command without a password; `su` is used to switch to another user. Knowing this, we can become `root` without any trouble using the following command:

```bash
$ sudo su
```

This switches our current user to `root`, and as `root` we can read the `root.txt` file at `/root/root.txt`.

```bash
$ cat /root/root.txt
```
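`sudo -l` shows one user's view of the sudoers policy; the administrator's fix is to audit the whole file for the rule class that made this escalation a one-liner: `NOPASSWD` on a command that hands out a shell (`su`, `sh`, `bash`, or `ALL`). The following is an added example, not from the original writeup, that parses sudoers rules and grades them. The sudoers text is constructed: the `nyan` line mirrors what `sudo -l` revealed on the page, and the `backup` and `www-data` lines are invented context to show rules that need review but are not instant root shells.

```python
"""Audit sudoers rules for the misconfiguration this room exploits: a NOPASSWD
entry that hands out a shell (su, bash, sh, ALL ...). Added example; not from
the original writeup. The sudoers text is constructed; the nyan line mirrors
what `sudo -l` revealed on the page, the others are invented context."""
import os
import re
from typing import Dict, List

SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
nyan    ALL=(ALL) NOPASSWD: /bin/su
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
www-data ALL=(root) NOPASSWD: /usr/sbin/service apache2 restart
"""

# Commands that give the caller an interactive shell (or anything at all).
SHELL_LIKE = {"ALL", "su", "sh", "bash", "dash", "zsh", "ksh", "env", "sudo"}

# user host=(runas) [TAGS:] commands
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$"
)


def parse_sudoers(text: str) -> List[Dict[str, object]]:
    """Flatten user-spec lines into one record per command; Defaults/comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        for cmd in m.group("cmds").split(","):
            rules.append({
                "user": m.group("who"),
                "runas": m.group("runas") or "root",   # sudoers default target is root
                "nopasswd": "NOPASSWD" in tags,
                "command": cmd.strip(),
            })
    return rules


def audit_sudoers(text: str) -> List[Dict[str, object]]:
    """Return NOPASSWD rules; severity 'critical' when the command yields a shell."""
    findings = []
    for rule in parse_sudoers(text):
        if not rule["nopasswd"]:
            continue
        binary = os.path.basename(str(rule["command"]).split()[0])
        severity = "critical" if binary in SHELL_LIKE else "review"
        findings.append({**rule, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{f['severity']}] {f['user']} -> ({f['runas']}) {f['command']}")
```

Point it at `/etc/sudoers` and the files under `/etc/sudoers.d/` (read as root). The remediation for a critical finding is to delete the rule or restrict it to one specific, non-interactive command with fixed arguments; the `review` entries are where the next escalation usually hides, so check each binary for argument-driven shell escapes before accepting it.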

We have both flags, `user.txt` and `root.txt`; submit them to finish the room.

