THM Room CC: Pentesting
Here I solve the last part of the CC: Pentesting room from TryHackMe. All the previous parts are well explained with step-by-step guides, so I didn't add them here, but the final task is an exam.

Task: 24 Final Exam
First export the Machine IP to a shell variable like the following so we don't need to remember it.
export ip=10.10.181.166
Nmap Scan
Now we run an Nmap scan to find out which services are running on the system, using the following command.
$ sudo nmap -sCV -v -oN nmap/initial $ip
After the scan, we got the following result.
Total Open Ports
Port  Service  Version
22    ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80    http     Apache httpd 2.4.18 ((Ubuntu))
From the result, we learn that there are 2 services running on the target: ssh and http. Both are very useful. The http service being open means the target is hosting a website, and ssh being open means we can log in to the system remotely if we know valid credentials.
We don't have valid credentials yet, so we focus on the http service first. Browsing the site, we didn't find anything interesting, so we can start directory fuzzing to look for hidden directories.
Directory Scan on web server Result
We can use the ffuf tool to fuzz for hidden directories using the following command.
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt:FUZZ -u http://$ip/FUZZ -e .txt,.html
-w is used to specify a wordlist
-u is used to specify the target site URL
-e is used to specify the file extensions to search
Using the above command, we found the following interesting hidden directory and file.
Hidden Directory
/secret
secret.txt
We also found the server has the following file extensions in use.
Common extension found
html
txt
You can also use gobuster to find hidden directories, using the following command.
$ gobuster dir -x html,php,phtml,txt,json,md -u http://$ip/secret -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
dir is used to specify that we are doing directory fuzzing
-x is used to specify file extensions to look for
-u is used to specify the target URL
-w is used to specify a wordlist
So we found the secret.txt file with the gobuster directory scan, using the extensions html, php, txt, etc. We can browse to the secret.txt file using the URL.
The secret.txt file has the following content.
nyan:046385855FC9580393853D8E81F240B66FE9A7B8
This looks like a username and a password hash that we can use to connect over ssh if we crack it. We can crack the hash on the CrackStation website, or we can do this with john or hashcat.
After cracking, we found that the hash cracks to nyan, so now we have a username and password.
Username = nyan
password = nyan
So we ssh to the target with:
$ ssh nyan@$ip
So now we have initial access to the target machine, and we can read the user.txt file, which is our first flag.
$ cat user.txt
Now that we have initial access, the next step is privilege escalation. We use the following command to check whether the current user has any sudo permissions.
$ sudo -l
It shows that we can use the su command without a password. The su command is used to switch to another user. Knowing this, we can become the root user without any problem just by using the following command.
$ sudo su
We change our current user to root. After becoming the root user, we can see the content of the root.txt file at the path /root/root.txt.
$ cat /root/root.txt
We got both flags, user.txt and root.txt; we submit them and finish the room.
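The privilege escalation above works because a NOPASSWD sudo rule on su is equivalent to giving the account root. As an added example (not part of the original write-up), the function below flags such root-equivalent rules in sudo -l output; the sample output is constructed rather than captured from the room's machine, and the name audit_sudo_l is hypothetical.

```sh
#!/bin/sh
# Added example: flag root-equivalent NOPASSWD rules in `sudo -l` output.

# Constructed sample of `sudo -l` output (not captured from the target).
SAMPLE_SUDO_L='Matching Defaults entries for nyan on ubuntu:
    env_reset, mail_badpass

User nyan may run the following commands on ubuntu:
    (root) NOPASSWD: /bin/su
    (root) /usr/bin/apt update
    (ALL : ALL) NOPASSWD: /usr/bin/systemctl status ssh'

# Reads `sudo -l` output on stdin and prints one "RISK:" line for each
# NOPASSWD rule whose command hands over a root shell outright:
# ALL, su, or a shell binary. Narrowly scoped NOPASSWD rules are not flagged.
audit_sudo_l() {
    awk '
        /NOPASSWD:/ {
            rule = $0
            sub(/^[ \t]+/, "", rule)                # trim indentation
            cmds = rule
            sub(/^.*NOPASSWD:[ \t]*/, "", cmds)     # keep the command list
            n = split(cmds, list, /,[ \t]*/)
            for (i = 1; i <= n; i++) {
                split(list[i], words, /[ \t]+/)
                bin = words[1]
                sub(/^.*\//, "", bin)               # basename of the command
                if (bin ~ /^(ALL|su|sh|bash|dash|zsh)$/) {
                    print "RISK: " rule
                    break
                }
            }
        }
    '
}

# Stand-alone run against the constructed sample.
# On a live host: sudo -l | audit_sudo_l
printf '%s\n' "$SAMPLE_SUDO_L" | audit_sudo_l
```

Any rule this reports should either be removed or require the user's password and be limited to the specific commands the account actually needs.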