Try Hack Me - ccpentesting
Pentesting Crash Course
The Pentesting Crash Course room on Try Hack Me is a great place to start learning about common tools and methodologies used in penetration testing.
This write-up documents the “final exam” machine that is presented as the last task in the room.
ping
VMs can sometimes take a minute or two to come up. We can monitor the state of the box with ping.
Enumeration
nmap
nmap -A -T4 --open --top-ports 1000 -sV -oN nmap.out 10.10.125.198
Looks like ssh and Apache.
GoBuster
GoBuster has shown us there is a /secret page we can visit, but when we navigate there in Chrome the body is empty. We can tell at the very least that secret is a directory, so let's gobuster it again.
Hmm, nothing. Let's check for files with .txt extensions.
Read the contents of secret.txt with a browser or cURL, and use the credentials to connect to ssh.
Hashed?
hashID
Run the hash through hashid to see what kind of hash it is. Use the -m flag to see the corresponding hashcat mode.
hashcat
hashid thinks it is most likely a SHA1 hash. Crack the hash with hashcat using the mode provided by hashid.
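The defensive side of this step, as an added example that is not part of the original write-up: a bare SHA-1 digest is recognisable by its shape alone and is identical for every user with the same password, while a salted scrypt record is neither. The function names, the record format and the sample store are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
import re

BARE_SHA1 = re.compile(r"[0-9a-fA-F]{40}")

def weak_sha1(password):
    """Unsalted SHA-1: the same password always yields the same digest."""
    return hashlib.sha1(password.encode()).hexdigest()

def looks_like_bare_sha1(stored):
    """Length/charset guess, the kind hashid makes. Other 160-bit digests
    (e.g. RIPEMD-160) match too, hence 'most likely'."""
    return BARE_SHA1.fullmatch(stored) is not None

def scrypt_hash(password, salt=b""):
    """Salted, memory-hard record: scrypt$N$r$p$salt$key."""
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return "$".join(["scrypt", "16384", "8", "1", salt.hex(), key.hex()])

def scrypt_verify(password, record):
    """Recompute with the stored parameters and compare in constant time."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    n, r, p = (int(x) for x in parts[1:4])
    salt, key = bytes.fromhex(parts[4]), bytes.fromhex(parts[5])
    got = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=len(key))
    return hmac.compare_digest(got, key)

def audit(records):
    """Return the users whose stored value is a bare 40-hex digest."""
    return sorted(u for u, v in records.items() if looks_like_bare_sha1(v))

# Constructed sample data (not taken from the room).
SAMPLE_STORE = {
    "legacy_user": weak_sha1("constructed-password-1"),
    "migrated_user": scrypt_hash("constructed-password-2"),
}

if __name__ == "__main__":
    print("needs migration:", audit(SAMPLE_STORE))
```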
ssh
Connect with the cracked credentials and you’ll find the user flag in nyan’s home directory.
PrivEsc
sudo -l
Check the user's sudo privileges.
You should know what to do from here…