CC: Pen Testing - THM Walkthrough

 

Welcome back one and all! I hope you have had a great weekend full of malware, ducky scripts and reverse shells. Today we are going to be looking at the CC: Pen Testing box from TryHackMe. This room is huge, and covers a whole range of Pentesting tools including:

  • Nmap
  • Netcat
  • Gobuster
  • Nikto
  • Metasploit
  • Meterpreter
  • Hashcat
  • John The Ripper
  • Sqlmap
  • Smbmap
  • Smbclient
  • Impacket
There are several questions relating to every tool listed, and the answers to almost all of these questions can be found using the tools 'man' or '--help' pages, so I won't go into all the answers for these. I am instead going to concentrate on the "Final Exam", which is a CTF at the end of the room, combining all your freshly absorbed hacking knowledge. So without further ado, get yourself comfy and caffeinated and lets go!

As always, we start with an nmap scan. We need to know what we are dealing with here. No firewalls or pesky admins checking logs to deal with, so we can go full aggressive and also scan all ports with a full TCP connect, be as loud as you want since nobody is looking!




SSH running on the standard port 22, and an Apache webserver running on port 80. No usernames to try and brute SSH so we can start with the webserver. Set gobuster running and let it do it's thing whilst we have a gander at the webpage.


Webpage is just a boring Apache2 Default page with nothing interesting hidden in the source code. Nothing more to do or say about that. Looking at the Gobuster results though, we do seem to have a hidden directory:


When will people learn that just calling something "secret" doesn't actually make it secret...
Browsing to the secret directory we are hit with what looks like a dead end. Nothing, nill, nada. Not even an opening html tag in the source code, this is literally a blank page.


This directory wouldn't be here for no reason. Let's dig a little deeper by running another gobuster scan against the hidden directory, and also look for some standard file types (php, txt, html).


Bingo. /secret/secret.txt looks more like it. Lets have a little look shall we?



That's a username and a hashed password right there. Due to the lack of... well... anything, on the webserver side of things, my guess is that this is for SSH. We need to find out how the password has been hashed and then we can pass all the info to John The Ripper to give us the details we need. There are many ways to identify a hash, personally I like to use hashes.com for fast results.


Passing the hash and format to john cracks the password almost instantly. Not even time for a brew break unfortunately!


Ok, so we have a username, and we have a password. What are you waiting for? Get yourself logged in and grab that user flag!


You know what's coming next. We want the power. We want root! I like to start with enumerating sudo, this is often the quickest and easiest way to privilege escalation.


We can run su with sudo. We might as well be root already. No need for GTFOBins for an explanation, you know what to do. Grab that root flag, and close your box. Log off your computer and go hide, the CIA are now onto you as one of the greatest hackers that has ever lived!


Massive thanks to Paradox for this room. Not just for the bit we have covered, but the rest of the room was a wealth of information that is indispensable for anybody aspiring to become a penetration tester. And as always, a huge shout out to TryHackMe for what is probably the best learning platform on the WWW. 

Take care everyone, and happy hacking!

Comments

Post a Comment

Popular posts from this blog

THM RootMe Walkthrough

Image
Welcome back geeks (a term of endearment I assure you). Today we are going to do a quick guided walkthrough of the RootMe box by  TryHackMe . Without further ado, start your engines and get ready for the nmap scan. This answers the first two questions: Scan the machine, how many ports are open? What version of Apache is running? It then tells us to perform a directory list scan on the box, and find the hidden directory. Easy enough! Browsing to our secret directory, we find a landing page with what looks to be an upload form. Im going to go straight for gold and see if it will take a php reverse shell. The one we are going to be using is the PentestMonkey PHP-Reverse-Shell. Make sure to edit the shell to contain your IP and listening port before uploading. Nope. Not sure what language that is, but I'm pretty certain it translates as "Nice try, not going to happen". I'm guessing it's a file extension filter, we can try and bypass that by changing our shell to php5.
Read more

Defending against physical intrusion attacks - The under door tool.

Image
Good morning all, how are we doing today? Watch anything good on Netflix recently? Many plans for the bank holiday weekend? Did you remember to deadbolt the office before you left yesterday? Wait… what? Yesterday the postman came. And this is what he brought me: What the hell is that?   Well it’s an under door tool (UDT) of course. A thin piece of flexible metal attached to a string, that can be folded away and neatly concealed in a rucksack, belt, or there are even versions that can be dismantled and stored in a pocket  (great video by the notsocivilengineer - showing a homemade collapsable UDT). So what does it do? And why should I care about your stupid bendy metal rubbish? This tool is designed to bypass the type of doors that are locked from the outside, but open with just an operation of the handle from the inside. They are usually accompanied by an RFID entry system or a code. This means you need to have the authentication to get in, but anyone can get out. And herein lies the f
Read more

THM Brooklyn Nine Nine Walkthrough

Image
Welcome to my walkthrough of the Brooklyn Nine Nine box from TryHackMe.com. This is my first writeup, so apologies in advance for any mistakes. I will try to keep things spoiler free whilst also showing as much information as possible. So without further delay, lets begin. First things first, start both the machine and the Attack Box, this takes a few minutes, so I'm going to grab a brew in the meantime. Hacking doesn't work without caffeine (and a black hoodie of course)! Ok. so coffee is sorted and box is loaded. Lets begin with an nmap scan, we're not trying to be stealthy here so I use aggressive mode with a full TCP connect and scan all ports. THM are known to hide things on obscure ports so best to check them all even if it does take a little longer. Scan results are in! We have port 21 running an FTP server, anonymous login is allowed and looks like we have an interesting file called "note_to_****.txt" . We are also running SSH on port 22 and HTTP on port 8
Read more