Easy Boxes - CC: Pen Testing (THM)

TryHackMe – CC: Pen Testing Write-Up

topics:

1. Plan

2. Enumeration

3. Local Privilege Escalation (Exploitation)

4. Root Privilege Escalation

new tools:

tools: nmapAutomator, dirseaarch, gobuster, ssh, sudo, su, hash-identifier, hashes.com

Plan

This is a walkthrough room that outlines common tools and services used in penetration testing. I will be demonstrating the final exam box.

Enumeration

Initial nmap scan ./nmapAutomator.sh $ip Basic

ssh and http are open

There is a webserver with only a default Apache page, lets dirsearch python3 dirsearch.py -u $ip -e php,html,txt

There appears to be a /secret subdirectory. Navigating to this reveals a blank page, lets dirsearch further

This is odd. Usually dirsearch would have returned something further. It has not missed another subdirectory before. Because there are only two ports open this must be our way in. Lets try using gobuster instead.

gobuster dir -u http://10.10.154.230/secret -w /usr/share/dirb/wordlists/common.txt

We see there is a text file on the subdirectory. Navigating to /secret.txt yields a username and hashed password

Local Privilege Escalation

Using hash-identifier, we know this is a SHA1 hash. We can enter this in hashes.com to get the password

Password is also nyan

From here, we can SSH into the machine with the credentials nyan:nyan

And read the user file cat /home/nyan/user.txt

Root Privilege Escalation

As this is a Linux machine, first things first, check sudo permissions sudo -l

Very misconfigured settings here, as any user can elevate themselves to root using su

sudo su