THM Room CC: Pentesting
Here I solve the last part of the CC: Pentesting room from TryHackMe. All the previous parts are well explained with step-by-step guides, so I didn't include them here; the final task is an exam.
Task 24: Final Exam
First, export the machine IP to a shell variable like the following so we don't need to remember it.
export ip=10.10.181.166
Nmap Scan
Now we do an Nmap scan to find out which services are running on the system, using the following command.
$ sudo nmap -sCV -v -oN nmap/initial $ip
After the scan, we got the following result.
Total Open Ports
Port  Service  Version
22    ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80    http     Apache httpd 2.4.18 ((Ubuntu))
From the result, we learn that two services are running on the target: ssh and http, both very useful. The http service being open means the target is hosting a website, and ssh being open means we can log in remotely if we know valid credentials.
We don't have valid credentials yet, so we focus on the http service first. Browsing the site, we didn't find anything interesting, so we start directory fuzzing to look for hidden directories.
Directory Scan on the Web Server
We can use the ffuf tool to fuzz for hidden directories using the following command.
ffuf -w /usr/share/wordlist/dirbuster/directory-list-2.3-small.txt:FUZZ -u http://$ip/FUZZ -e .txt,.html
-w is used to specify a wordlist
-u is used to specify the target site URL
-e is used to specify the file extensions to search for
Using the above command, we found the following interesting hidden directory and file.
Hidden Directory
/secret
secret.txt
We also found the server has the following file extensions in use.
Common extensions found
html
txt
You can also use gobuster to find hidden directories using the following command.
$ gobuster dir -x html,php,phtml,txt,json,md -u http://$ip/secret -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
dir is used to specify that we are doing directory fuzzing
-x is used to specify the file extensions to look for
-u is used to specify the target URL
-w is used to specify a wordlist
So we found the secret.txt file with the gobuster directory scan using the extensions html, php, txt, etc. We can browse to the secret.txt file using its URL.
The secret.txt file has the following content.
nyan:046385855FC9580393853D8E81F240B66FE9A7B8
This looks like a username and a password hash that we can use to connect over ssh if we crack it. We can crack the hash on the CrackStation website, or do it with john or hashcat.
After cracking, we find that the hash resolves to nyan, so now we have a username and a password.
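The value in secret.txt is a bare 40-hex digest with no salt, which is exactly the shape that falls to a wordlist lookup in seconds. As an added example that is not part of the original write-up, the script below classifies such a credential line, shows why an unsalted fast hash is a simple candidate-compare loop, and contrasts it with a salted, iterated PBKDF2 record that a site should store instead. The sample lines and the wordlist are constructed here; the helper names are assumptions, not any tool's API.

```python
import hashlib
import hmac
import os
import re
from typing import Iterable, Optional

# A 40-character hex string with no salt or algorithm prefix is SHA-1 shaped.
HEX40 = re.compile(r"^[0-9a-fA-F]{40}$")


def classify_credential_line(line: str) -> dict:
    """Split a 'user:digest' line and describe what the digest looks like."""
    user, _, digest = line.strip().partition(":")
    if HEX40.match(digest):
        kind = "unsalted 40-hex digest (SHA-1 shaped)"
    else:
        kind = "unknown"
    return {"user": user, "digest": digest.lower(), "kind": kind}


def sha1_hex(password: str) -> str:
    """Raw, unsalted SHA-1 of a password, the weak form found on the page."""
    return hashlib.sha1(password.encode()).hexdigest()


def wordlist_lookup(target_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """Why unsalted fast hashes are weak: one digest per candidate, then compare.
    Returns the matching candidate or None. With no salt the same table serves
    every user, and SHA-1 is fast enough that huge lists are cheap to try."""
    target = target_hex.lower()
    for word in candidates:
        if hmac.compare_digest(sha1_hex(word), target):
            return word
    return None


def make_pbkdf2_record(password: str, iterations: int = 200_000) -> str:
    """The defensive form: random per-user salt plus an iterated KDF.
    The record format 'algo$iters$salt$dk' is a constructed convention."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2_record(record: str, password: str) -> bool:
    """Recompute the derived key from the stored salt and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = record.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed sample in the same shape as the leaked secret.txt line.
    leaked = "alice:" + sha1_hex("hunter2")
    info = classify_credential_line(leaked)
    print(info["user"], "->", info["kind"])

    # Constructed wordlist; the unsalted digest is matched by a plain loop.
    print("wordlist match:", wordlist_lookup(info["digest"], ["alpha", "hunter2", "zeta"]))

    # The same password stored with salt and iterations still verifies correctly,
    # but each guess now costs a full PBKDF2 run and no shared table applies.
    record = make_pbkdf2_record("hunter2")
    print("pbkdf2 verify:", verify_pbkdf2_record(record, "hunter2"),
          verify_pbkdf2_record(record, "hunter3"))
```

The lookup loop is deliberately the naive one: it is enough to make the point that without a salt every leaked digest of the same password is identical, so a precomputed table covers all of them at once. The PBKDF2 record defeats that sharing with a per-user salt and raises the per-guess cost with the iteration count.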
Username = nyan
Password = nyan
So we ssh to the target with:
$ ssh nyan@$ip
Now we have initial access to the target machine, and we can read user.txt, which is our first flag.
$ cat user.txt
Now that we have initial access, the next step is privilege escalation. We use the following command to check whether the current user has any sudo permissions.
$ sudo -l
It shows that we can run the su command without a password; su is used to switch to another user. Knowing this, we can get root without any trouble just by running the following command.
$ sudo su
This changes our current user to root. After becoming root, we can read the root.txt file at /root/root.txt.
$ cat /root/root.txt
We got both flags, user.txt and root.txt; submit them to finish the room.
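The whole escalation above rests on one sudoers rule: a NOPASSWD entry for su, which is the same as giving the user root outright. As an added example that is not part of the original write-up, the following script audits sudoers-style rules and flags any passwordless rule whose command is su, a shell, or ALL. The sample configuration is constructed; the rule parser is a simplified one (tags are read once per rule, aliases are skipped) and the function names are assumptions rather than any tool's API.

```python
import os
import re
from typing import Dict, List, Optional

# Commands that hand the caller an interactive shell or a new identity.
# A NOPASSWD rule for any of these is equivalent to passwordless root.
SHELL_LIKE = {"su", "sh", "bash", "dash", "zsh", "ksh"}

# user_or_group  host = (runas) [TAG:] command[, command...]
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<spec>.+)$"
)
TAG_RE = re.compile(r"^([A-Z]+):\s*")
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def parse_sudoers_line(line: str) -> Optional[Dict]:
    """Parse one user-specification line; returns None for comments,
    blank lines, Defaults and alias definitions (simplified parser)."""
    line = line.split("#", 1)[0].strip()
    if not line or line.startswith(SKIP_PREFIXES):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    spec = m.group("spec")
    tags = set()
    # Leading tags such as NOPASSWD: or SETENV: apply to the command list.
    while True:
        t = TAG_RE.match(spec)
        if not t:
            break
        tags.add(t.group(1))
        spec = spec[t.end():]
    commands = [c.strip() for c in spec.split(",") if c.strip()]
    return {
        "who": m.group("who"),
        "host": m.group("host"),
        "runas": m.group("runas") or "root",
        "tags": tags,
        "commands": commands,
    }


def command_is_shell_like(cmd: str) -> bool:
    """True for ALL or for a command whose program name is su or a shell."""
    if cmd == "ALL":
        return True
    program = os.path.basename(cmd.split()[0])
    return program in SHELL_LIKE


def audit_sudoers(text: str) -> List[Dict]:
    """Return one finding per rule that grants su/shell/ALL without a password."""
    findings = []
    for raw in text.splitlines():
        rule = parse_sudoers_line(raw)
        if rule is None or "NOPASSWD" not in rule["tags"]:
            continue
        bad = [c for c in rule["commands"] if command_is_shell_like(c)]
        if bad:
            findings.append({
                "who": rule["who"],
                "runas": rule["runas"],
                "commands": bad,
                "reason": "passwordless sudo to a shell or identity switch is equivalent to root",
            })
    return findings


# Constructed sample sudoers content, modelled on the rule the room's sudo -l revealed.
SAMPLE_SUDOERS = """
# constructed example, not a real host's file
Defaults env_reset
root    ALL=(ALL:ALL) ALL
nyan    ALL=(ALL) NOPASSWD: /bin/su
%admin  ALL=(ALL) ALL
backup  ALL=(root) NOPASSWD: /usr/bin/rsync
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f['who']} may run {', '.join(f['commands'])} as {f['runas']} "
              f"without a password: {f['reason']}")
```

The fix for a flagged rule is to drop NOPASSWD, or better, to replace the blanket su grant with the specific command the user actually needs. The same check applies to the output of sudo -l, whose "(ALL) NOPASSWD: /bin/su" lines have the same shape minus the leading user and host fields.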