Basic PenTesting – TryHackMe

Mark February 15, 2021

I am working through some of the rooms on TryHackMe to help develop my skills; below is a walkthrough for this room: https://tryhackme.com/room/basicpentestingjt

Find open services

Use NMAP to find open ports

sudo nmap IPADDRESS

Look for Hidden directories

To look for hidden directories we will be using OWASP DirBuster. To start the application, in a terminal type:

sudo dirbuster

/usr/share/dirbuster/wordlist

Using the above information we can see there is a hidden directory called “development”.

Find a username via SMB

We will be using enum4linux to try and find user names. To launch it, from a terminal type:

sudo enum4linux IPADDRESS

Brute Force SSH for credentials

We can try to brute force SSH by using Hydra and the basic password list on Kali (“rockyou.txt”). In the above example we found the username “jan”.

To launch hydra and use the default list in Kali:

hydra -V -f -t 4 -l jan -P /usr/share/wordlists/rockyou.txt ssh://192.168.60.50

-V — show each login+password combination as it is tried;

-f — stop as soon as a password for the specified login is found;

-P — path to the password dictionary;

ssh://192.168.60.50 — the service and the target IP address.

https://pentestit.medium.com/brute-force-attacks-using-kali-linux-49e57bb89259
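From the defender's side, the hydra run above leaves a burst of “Failed password” lines in the target's sshd log, usually followed by an “Accepted” login from the same address. The following is an added example (not part of the original walkthrough) that parses constructed sshd log lines, flags a source IP that exceeds a failure threshold inside a time window, and also flags any later successful login from that IP, including a key-based login as a second user. The log lines, hostname and IP addresses are constructed; the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (syslog format; year assumed to be 2021).
SAMPLE_LOG = """\
Feb 15 10:00:01 target sshd[1201]: Failed password for jan from 192.168.60.10 port 51201 ssh2
Feb 15 10:00:02 target sshd[1202]: Failed password for jan from 192.168.60.10 port 51202 ssh2
Feb 15 10:00:02 target sshd[1203]: Failed password for jan from 192.168.60.10 port 51203 ssh2
Feb 15 10:00:03 target sshd[1204]: Failed password for jan from 192.168.60.10 port 51204 ssh2
Feb 15 10:00:04 target sshd[1205]: Accepted password for jan from 192.168.60.10 port 51205 ssh2
Feb 15 10:30:00 target sshd[1300]: Failed password for invalid user admin from 10.0.0.5 port 4000 ssh2
Feb 15 11:00:00 target sshd[1400]: Accepted publickey for kay from 192.168.60.10 port 51300 ssh2
"""

# Matches both "Failed password for jan from ..." and "... for invalid user admin from ...".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse(text, year=2021):
    """Return a list of (timestamp, result, method, user, ip) for each sshd auth line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not an authentication result line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events

def detect(events, threshold=3, window_s=60):
    """Flag an IP once it reaches `threshold` failures within `window_s` seconds,
    then flag every accepted login from that IP (any user, any auth method)."""
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    flagged, alerts = set(), []
    for ts, result, method, user, ip in sorted(events):
        if result == "Failed":
            recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_s]
            recent.append(ts)
            failures[ip] = recent
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, user, len(recent)))
        elif ip in flagged:
            alerts.append(("success_after_bruteforce", ip, user, method))
    return alerts
```

On the sample data this raises one brute-force alert for 192.168.60.10 and two follow-up alerts: the password login as jan and the later public-key login as kay from the same address, which is exactly the chain this walkthrough follows.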

Connection via SSH

In a terminal type:

sudo ssh -l jan IPADDRESS

-l = username 

Cracking a public key

In this example, I found the home folder of the user “kay”, and within it there is a public key in the .ssh folder which has a hash.

I created a new file on my Kali machine and named it id_rsa, then use

Now we have cracked the hash for the user kay, but it is not the user's password. So, logged in as jan, we can use kay's private key to log in.

We can now SSH in as kay.