Try Hack Me - ccpentesting

Pentesting Crash Course

The Pentesting Crash Course room on Try Hack Me is a great place to start learning about common tools and methodologies used in penetration testing.

This write-up documents the “final exam” machine that is presented as the last task in the room.

ping

VMs can sometimes take a minute or two to come up. We can monitor the state of the box with ping.



Enumeration

nmap

nmap -A -T4 --open --top-ports 1000 -sV -oN nmap.out 10.10.125.198




Looks like ssh and Apache.

GoBuster



GoBuster has shown us there is a /secret page we can visit, but when we navigate there in Chrome the response body is empty. We can tell at the very least that secret is a directory, so let's run GoBuster against it again.


Hmm, nothing. Let's check for files with a .txt extension.


Read the contents of secret.txt with a browser or cURL, and use the credentials to connect to ssh.



Hashed?

hashID

Run the hash through hashid to see what kind of hash it is. Use the -m flag to see the corresponding hashcat mode.

hashcat

hashid thinks it is most likely a SHA1 hash. Crack the hash with hashcat using the mode provided by hashid.
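Why this step works, and what the fix looks like, as an added example that is not part of the original room or write-up: an unsalted SHA1 is fast and deterministic, so the same password always yields the same 40-hex digest, while a salted, iterated PBKDF2 record does not. The password, the record format and the iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumption: illustrative work factor, tune it to your own hardware budget.
PBKDF2_ITERATIONS = 200_000


def sha1_unsalted(password: str) -> str:
    """Weak storage, as found on the box: one fast SHA1 pass, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def pbkdf2_record(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened storage: random per-user salt plus an iterated KDF."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    # Hypothetical record layout: scheme$iterations$salt$derived_key
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute the key from the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, dk_hex = record.split("$")
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    sample = "correct horse"  # constructed sample password, not from the room
    # Two users with the same password share one digest, so a single
    # precomputed wordlist entry matches both of them.
    print("unsalted SHA1:", sha1_unsalted(sample), sha1_unsalted(sample))
    # Salted records differ every time, so each one must be attacked
    # separately and every guess costs PBKDF2_ITERATIONS hash operations.
    first, second = pbkdf2_record(sample), pbkdf2_record(sample)
    print("records differ:", first != second)
    print("verify ok:", pbkdf2_verify(sample, first))
```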

ssh

Connect with the cracked credentials and you’ll find the user flag in nyan’s home directory.

PrivEsc

sudo -l

Check the user's sudo privileges.


You should know what to do from here…