Recon
Nmap Scan
# nmap 10.10.22.7 -sV
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 60 OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 60 Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_ Supported Methods: OPTIONS GET HEAD POST
139/tcp open netbios-ssn syn-ack ttl 60 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack ttl 60 Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open ajp13? syn-ack ttl 60
| ajp-methods:
|_ Supported methods: GET HEAD POST OPTIONS
8080/tcp open http syn-ack ttl 60 Apache Tomcat (language: en)
|_http-title: Apache Tomcat/9.0.7
|_http-favicon: Apache Tomcat
|_ Supported Methods: GET HEAD POST OPTIONS
Running the default NSE scripts against the open ports gives us a lot of additional information:
nmap -sC 10.10.22.71 -p 22,80,139,445,8009,8080
Host script results:
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.3.11-Ubuntu)
| Computer name: basic2
| NetBIOS computer name: BASIC2\x00
| Domain name: \x00
| FQDN: basic2
|_ System time: 2025-03-26T13:41:09-04:00
| p2p-conficker:
| Checking for Conficker.C or higher...
| Check 1 (port 22152/tcp): CLEAN (Couldn't connect)
| Check 2 (port 55519/tcp): CLEAN (Couldn't connect)
| Check 3 (port 59721/udp): CLEAN (Failed to receive data)
| Check 4 (port 61111/udp): CLEAN (Failed to receive data)
|_ 0/4 checks are positive: Host is CLEAN or ports are blocked
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2025-03-26T17:41:09
|_ start_date: N/A
| nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| BASIC2<00> Flags: <unique><active>
| BASIC2<03> Flags: <unique><active>
| BASIC2<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
| WORKGROUP<1e> Flags: <group><active>
| Statistics:
| 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
| 00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00
|_ 00:00:00:00:00:00:00:00:00:00:00:00:00:00
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_clock-skew: mean: 1h20m00s, deviation: 2h18m34s, median: 0s
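To turn a scan like the one above into something a defender can act on, the following added example (not from the original writeup) parses nmap's normal output into per-port records and attaches NSE script lines to the port or host they belong to, then flags the findings that matter here: SMB message signing disabled, the AJP connector reachable on 8009, and the Tomcat version disclosed in the page title. The sample output is re-typed from the scan above; the remediation strings are the editor's own suggestions.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the port table and host-script lines from the scan above,
# re-typed as a string so the parser runs offline.
NMAP_OUTPUT = """\
PORT     STATE SERVICE     REASON         VERSION
22/tcp   open  ssh         syn-ack ttl 60 OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http        syn-ack ttl 60 Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
139/tcp  open  netbios-ssn syn-ack ttl 60 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn syn-ack ttl 60 Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open  ajp13?      syn-ack ttl 60
8080/tcp open  http        syn-ack ttl 60 Apache Tomcat (language: en)
|_http-title: Apache Tomcat/9.0.7

Host script results:
| smb-security-mode:
|   account_used: guest
|   authentication_level: user
|_  message_signing: disabled (dangerous, but default)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# Optional REASON column printed with -v/--reason, e.g. "syn-ack ttl 60".
REASON_RE = re.compile(
    r"^(?:syn-ack|conn-refused|reset|no-response|udp-response)(?:\s+ttl\s+\d+)?\s*"
)


@dataclass
class PortRecord:
    port: int
    proto: str
    state: str
    service: str
    version: str
    scripts: dict = field(default_factory=dict)  # NSE key -> value for this port


def parse_nmap(text):
    """Parse nmap normal output into port records plus a dict of host-script results."""
    records, host_scripts = [], {}
    scripts = host_scripts  # where '|' lines currently attach
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, rest = m.groups()
            version = REASON_RE.sub("", rest, count=1).strip()
            rec = PortRecord(int(port), proto, state, service, version)
            records.append(rec)
            scripts = rec.scripts
        elif line.startswith("Host script results:"):
            scripts = host_scripts
        elif line.startswith("|"):
            # "|_key: value" and "|   key: value" both reduce to key/value.
            key, _, value = line.lstrip("|_ ").partition(":")
            if key:
                scripts[key.strip()] = value.strip()
    return records, host_scripts


def findings(records, host_scripts):
    """Defender-oriented flags derived from the parsed scan (editor's suggestions)."""
    out = []
    if host_scripts.get("message_signing", "").startswith("disabled"):
        out.append("SMB message signing disabled: set 'server signing = mandatory' in smb.conf")
    for r in records:
        if r.state != "open":
            continue
        if r.service.startswith("ajp13"):
            out.append(f"{r.port}/{r.proto}: AJP connector reachable from the network; "
                       "bind it to 127.0.0.1 or remove it from server.xml")
        title = r.scripts.get("http-title", "")
        if title.startswith("Apache Tomcat/"):
            out.append(f"{r.port}/{r.proto}: Tomcat discloses its version "
                       f"({title.split('/', 1)[1]}) on the default page; remove the default webapps")
    return out


if __name__ == "__main__":
    recs, host = parse_nmap(NMAP_OUTPUT)
    for f in findings(recs, host):
        print(f)
```

The parser keys each NSE line on the text before its first colon, so multi-line script results (like smb-security-mode) become one entry per field; values that contain colons, such as timestamps, survive because only the first colon splits.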
Directory enum
We find a directory /development.
Visiting /development:
There are 2 files
- Checking dev.txt
- Checking j.txt: the conversation hints that user J has a weak password.
SMB enumeration
Listing shares with smbclient, we find a share named Anonymous.
Enumerating the Anonymous share, we find a name (most probably a username).
Now that we have the username, we can try brute-forcing, since the password in use is weak.
hydra -l jan -P ./rockyou.txt ssh://10.10.22.71 -t 4
We do find a match!
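From the defender's side, the hydra run above leaves a very recognisable trace in sshd's log: a burst of "Failed password" lines from one source, followed by an "Accepted password" for the same account. The following added example (editor's code, not part of the original writeup) parses constructed syslog-style sshd lines and raises a medium alert when a source crosses a failure threshold inside a sliding window, and a high alert when a login succeeds right after such a burst. The log lines, hostnames, addresses, year and key fingerprint are all constructed placeholders.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sshd lines in syslog format; not taken from the box. The year is
# assumed because syslog omits it, and the fingerprint is a placeholder.
AUTH_LOG = """\
Mar 26 13:40:01 basic2 sshd[1201]: Failed password for jan from 10.10.22.5 port 40212 ssh2
Mar 26 13:40:01 basic2 sshd[1202]: Failed password for jan from 10.10.22.5 port 40214 ssh2
Mar 26 13:40:02 basic2 sshd[1203]: Failed password for jan from 10.10.22.5 port 40216 ssh2
Mar 26 13:40:02 basic2 sshd[1204]: Failed password for jan from 10.10.22.5 port 40218 ssh2
Mar 26 13:40:03 basic2 sshd[1205]: Failed password for invalid user admin from 10.10.22.5 port 40220 ssh2
Mar 26 13:40:03 basic2 sshd[1206]: Failed password for jan from 10.10.22.5 port 40222 ssh2
Mar 26 13:40:04 basic2 sshd[1207]: Accepted password for jan from 10.10.22.5 port 40224 ssh2
Mar 26 13:45:10 basic2 sshd[1300]: Failed password for kay from 10.10.22.9 port 50100 ssh2
Mar 26 13:55:12 basic2 sshd[1301]: Accepted publickey for kay from 10.10.22.9 port 50102 ssh2: RSA SHA256:PLACEHOLDER
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted)\s+(?P<method>\w+)\s+for\s+(?:invalid user\s+)?"
    r"(?P<user>\S+)\s+from\s+(?P<src>\S+)"
)


@dataclass
class Event:
    ts: datetime
    result: str   # "Failed" or "Accepted"
    method: str   # "password", "publickey", ...
    user: str
    src: str


@dataclass
class Alert:
    severity: str
    src: str
    ts: datetime
    detail: str


def parse_auth_log(text, year=2025):
    """Extract login outcomes from sshd syslog lines; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append(Event(ts, m["result"], m["method"], m["user"], m["src"]))
    return events


def detect_bruteforce(events, threshold=5, window_seconds=60):
    """Sliding-window count of failures per source address.

    A success that arrives while the window still holds a burst of failures is
    escalated, because it is the signature of a guessed password.
    Events are assumed to be in chronological order, as they are in a log file.
    """
    alerts = []
    recent = defaultdict(list)  # src -> failure timestamps inside the window
    for ev in events:
        fails = recent[ev.src]
        while fails and (ev.ts - fails[0]).total_seconds() > window_seconds:
            fails.pop(0)
        if ev.result == "Failed":
            fails.append(ev.ts)
            if len(fails) == threshold:  # fire once when the threshold is crossed
                alerts.append(Alert("medium", ev.src, ev.ts,
                                    f"{threshold} failed SSH logins within {window_seconds}s"))
        else:
            if len(fails) >= threshold:
                alerts.append(Alert("high", ev.src, ev.ts,
                                    f"{ev.method} login for {ev.user} after {len(fails)} recent failures"))
            fails.clear()
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(parse_auth_log(AUTH_LOG)):
        print(a.severity, a.src, a.ts, a.detail)
```

The same logic is what fail2ban-style tooling implements; the point of the escalation rule is that a brute force that ends in a success is an incident, not a nuisance, and the "invalid user" variant is matched so that username guessing counts toward the same threshold.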
SSH into the box via found creds
Using the credentials found above, we are able to log in to the box.
Further enumerating the box, we find the /home/kay directory, which contains kay's private SSH key, readable by our user.
We copy it to our attacking machine and try to log in as kay, but it asks for a passphrase. To crack this we can use John the Ripper.
First we convert the private key into a format John can understand.
Then we use rockyou for cracking.
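The root cause on this box is not the passphrase but the key file being readable by another user; the passphrase only delays the attacker until a wordlist finds it. The following added example (editor's code, not from the original writeup) is the kind of audit a defender would run over home directories: it finds private keys by their PEM or OpenSSH header, reports any that group or other can read, and reports any with no passphrase at all (for OpenSSH-format keys by reading the cipher name from the key header, for legacy PEM keys by the Proc-Type header). The sample tree, file names and fake key bodies are constructed for the demonstration; the fake OpenSSH keys carry only a valid header, not real key material, and the mode checks assume a POSIX filesystem.

```python
import base64
import os
import stat
import tempfile
from pathlib import Path

PEM_MARKERS = (b"-----BEGIN RSA PRIVATE KEY-----", b"-----BEGIN EC PRIVATE KEY-----",
               b"-----BEGIN DSA PRIVATE KEY-----", b"-----BEGIN PRIVATE KEY-----")
OPENSSH_MARKER = b"-----BEGIN OPENSSH PRIVATE KEY-----"
PKCS8_ENC_MARKER = b"-----BEGIN ENCRYPTED PRIVATE KEY-----"
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def classify_key(data):
    """Return (is_private_key, is_passphrase_protected) for a file's contents."""
    head = data.lstrip()
    if head.startswith(PKCS8_ENC_MARKER):
        return True, True
    if head.startswith(PEM_MARKERS):
        # Legacy PEM keys carry a Proc-Type header when passphrase-protected.
        return True, b"Proc-Type: 4,ENCRYPTED" in data
    if head.startswith(OPENSSH_MARKER):
        body = b"".join(l.strip() for l in data.splitlines() if not l.startswith(b"-----"))
        raw = base64.b64decode(body)
        if raw.startswith(OPENSSH_MAGIC):
            # Binary layout: magic, then a length-prefixed cipher name ("none" = unencrypted).
            off = len(OPENSSH_MAGIC)
            n = int.from_bytes(raw[off:off + 4], "big")
            cipher = raw[off + 4:off + 4 + n]
            return True, cipher != b"none"
        return True, False
    return False, False


def find_exposed_keys(root):
    """Walk root; map each private key to its problems (mode and passphrase)."""
    problems = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.stat().st_size > 65536:
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue
        is_key, encrypted = classify_key(data)
        if not is_key:
            continue
        issues = []
        mode = stat.S_IMODE(path.stat().st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            issues.append(f"mode {mode:04o}: readable by other users")
        if not encrypted:
            issues.append("not passphrase-protected")
        if issues:
            problems[str(path.relative_to(root))] = issues
    return problems


def fake_openssh_key(cipher):
    """Construct only the header of an OpenSSH-format key (constructed test data,
    not a usable key): magic, cipher name, then filler bytes."""
    raw = OPENSSH_MAGIC + len(cipher).to_bytes(4, "big") + cipher + b"\x00" * 16
    return OPENSSH_MARKER + b"\n" + base64.b64encode(raw) + b"\n-----END OPENSSH PRIVATE KEY-----\n"


def build_sample_tree():
    """Constructed home-directory layout exercising each case."""
    root = Path(tempfile.mkdtemp())
    cases = {
        "kay/.ssh/id_rsa": (fake_openssh_key(b"aes256-ctr"), 0o644),  # encrypted, but world-readable
        "jan/.ssh/id_rsa": (fake_openssh_key(b"none"), 0o600),        # private, but no passphrase
        "jan/.ssh/id_rsa.pub": (b"ssh-rsa AAAA placeholder\n", 0o644),  # public key, not reported
        "kay/notes.txt": (b"just text\n", 0o644),
    }
    for rel, (data, mode) in cases.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
        os.chmod(p, mode)
    return root


if __name__ == "__main__":
    for key, issues in find_exposed_keys(build_sample_tree()).items():
        print(key, "->", "; ".join(issues))
```

Run against a real /home it reports the kay-style case (a key other users can read) separately from the jan-style case (a key with no passphrase), since the fixes differ: chmod 600 plus a check of the parent directory for the first, ssh-keygen -p to add a passphrase for the second.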
Now we log in as kay and find the final flag!