Basic Pentesting

 BASIC PENTESTING

First of all, we have to see if the communication between attacker machine and compromised machine are in the same IP Address with this command which is:
  • ping -c3 10.10.239.59
And we can observe in the picture below the communication between these are well

Now, let’s go to execute nmap toolkit and we,ll be able to start the enumeration of the ports as you can see in the picture below with this command:
  • sudo nmap -n -Pn 10.10.239.59 -p- - -min-rate 40000 -vvv -sS

Now, let’s go to execute nmap to start the enumeration of the ports as you can see in the picture below with this command:
  • sudo nmap -n -Pn 10.10.239.59 -p 80,139,22,8080,445,8009 -sV -vvv

In addition, let’s go to execute and we can discover ports and OS(OPERATIVE SYSTEM) as you can see in the picture below.

But now we’re going to use dirsearch toolkit to discover the hide directories with this command that you can observe at the bottom of the picture which is:
  • dirsearch -u 10.10.239.59

And now, we can observe in the picture below the path which is /development/.

Just after, we can see a login panel which you can try writing username and password but as we can’t username and password we can intent to do the other way.

Right now, we have to see if the files has an important information such as password, username or whatever it can have.
  • dev.txt
  • j.txt

In the first file name, you can see what there is in the picture below.

In the second file name you can see what there’s in the picture below.

In addition, we should try attack to smb service and for it, we’ve to run this command to identify anything information about this service with this command:
smbclient -L //10.10239.59

Now, we have to see more information such as the Sharename Anonymous with this command that we can use it with this command: smbclient -N //10.10.239.59/Anonymous
And now, we’re going to execute ls command and we can see staff.txt.

Now we’re going to use the command which is: get staff.txt

In addition, we’ll have to execute this both commands which are:
  • ls(to listing the staff.txt text)
  • cat staff.tx(to discover the inner of staff file where we can find out an username whose name is Jan.

As we know an username let’s go to attack with hydra toolkit to get the password and we’ll have run this command:
  • hydra -L jan -P /usr/share/wordlist/rockyou.txt ssh://10.10.239.59 -t 64

The work has been done thus, we have caught the username password which is: armando you can see in the picture at the top of the picture.

Now, let’s go to discover an file because we,d like to become an user root and we’ll write the command:

  • find / -perm /4000 2>/dev/null

We’ve obtained the file which is located in path /usr/bin/vim.basic. For it, we should be able to execute this script to perform the privilege escalation and we will become root user as you know in the picture below with this command:
  • vim -c ‘:py import os; os.exec (“/bin/sh”, “sh”, “-pc”, “reset; exec sh -p”)’


In addition, we can be able to get the root user the other same with this next steps that you can see in the picture below:
  • cd /home/kay/ (to pivoting in comprometed machine to path of  kay)
  • ls -la (to list the files and hide files)
  • cd .ssh(to enter inner .ssh which if we can obtain, we'll be able to become root user)

Now, let's go to look the id_rsa to become root user with both commands ls and cat id_rsa you can see in both pictures below.

Moreover, we have to use ssh2john toolkit to convert the format and with password cracking get it.
For it, we've to run this command which you can see at the bottom of the picture:
  • ssh2john id_rsa> hash.txt

Also, we have to see in the picture below as we´ve listed to observe filename if it has been corrected execute and create.

Just after, we must run john toolkit what to us will give the password with this command which you can see in the picture below: 
  • john hash.txt - -wordlist=/usr/share/wordlist/rockyou.txt

Yes the process has been successful because we've got the password which is besswax as you can see at the top of the picture.
But now, when we introduce the process to enter into the compromised machine we can see a mistake, but it should have been useful with this command:
  • ssh kay@10.10.239.59 -i id_rsa

Now if we want to constrain, we should change the perms with this command which is:
  • chmod 600 id_rsa

Now, we can observe in the picture below the ssh loging has been successful.

To sum up, this compromised machine we have to list the username password with the command cat as you can in the picture below.

If the process has been successful, we shoul be able to that we are root user with both commands which are:
  • sudo -l (to see the root perms)
  • sudo su(it'll give root perms)
  • whoami(to know the people who we are)

Thank you for reading this article
I hope you like it and something new
Good Hack

Comments

Post a Comment

Entradas Populares

INTERNAL

Image
 INTERNAL(TRYHACKME) First of all, let's go execute nmap command to identify alives ports and version with this host 192.168.88.6 as you can see below. Key open ports and services include: Web Servers: Port 80 (HTTP):  Running  Apache2 Ubuntu Default Page . It supports  OPTIONS ,  TRACE  (flagged as potentially risky),  GET ,  HEAD , and  POST  methods. The webpage title is " INTERNAL ". SSH Protocol Port 22 (SSH): Running Linux . ┌──(root㉿kali)-[/home/luis/Descargas] └─# nmap -n -Pn -p- --min-rate 5000 -sC 10.10.216.78 -vvv Starting Nmap 7.95 ( https://nmap.org ) at 2025-08-07 12:06 CEST NSE: Loaded 126 scripts for scanning. NSE: Script Pre-scanning. NSE: Starting runlevel 1 (of 2) scan. Initiating NSE at 12:06 Completed NSE at 12:06, 0.00s elapsed NSE: Starting runlevel 2 (of 2) scan. Initiating NSE at 12:06 Completed NSE at 12:06, 0.00s elapsed Initiating SYN Stealth Scan at 12:06 Scanning 10.10.216.78 [65535 ports] Discove...
Read more »

TOR WEB BROWSER

Image
  TOR WEB BROWSER TOR INSTALLATION First of all; we're going to this link from the oficial webpage: https://www.torproject.org/es/download/   where we have to download this version our laptop, Windows and Linux but in my case I've had to download for Windows 10. When the program is installed we will press execute and we'll follow step by step:   We'll open and we'll see this image where you have to select the language and select ok to continue the instal l ation. In addition, we'll select the location wherever you want install the program, but in my case I prefer the default location and you'll able to select wherever you want. Now, we will be started the installation process and when it finished you will be able to see the picture below: TOR CONNECT If the process has been successful, you will be able to connect with the connect button which you can observe in both pictures below: ADD A BRIDGE ...
Read more »

activedirectory

Image
ACTIVEDIRECTORY (TRYHACKME) First of all, let’s go to execute nmap toolkit and we'll be able to start the enumeration of the ports as you can see below with this command: sudo nmap -n -Pn -p- --min-rate 5000 10.10.135.154 -vvv -sC -sV This revealed several open TCP ports with associated services, including: DNS (53),  HTTP  (80),  Kerberos (88),  RPC (135),  NetBIOS-SSN (139),  SMB (445),  RDP (3389),  WS-Management (5985)  LDAP (389, 636, 3268, 3269) Moreover, service and NSE script detection provided valuable information about the services running on these ports, such as IIS 10.0, Microsoft Windows Kerberos , Active Directory LDAP , and Microsoft Terminal Services . The SSL/TLS certificate information on port 3389 indicated the common name AttacktiveDirectory.spookysec.local, reinforcing the target as an Active Directory server. rdp-ntlm-info also provided details about the domain (THM-AD) and computer name (ATTACKTIVEDIREC) as you can se...
Read more »

PICKLE RICK

Image
  PICKLE RICK I'm going to realize the resolution of the machine Level Easy from Tryhackme called  Pickle Rick  which is a machine so easy to realize. First of all,  we can observe that in the picture bellow we have some inforamtion and I'm going to execute control +u  and we can see in the second picture below that we've obtained a  Username. I'm going to gathering information about machine and I have to enter in the Linux terminal and I must introduce this command which you canobserve in the picture below:   gobuster dir -u(url) http://10.10.99.188/ -w(password dictionary)  /usr/share/wordlist/dirb/common.txt -x (formato que quereos que busque) .txt*, .php, .login,  In this case, we can observe that scan has discovered this 4 webpages: /assests /denied.php /index.html /login.php /robots.txt Now, we can see such as the web page from /robots.txt   it seems the password in the picture below. Now, we've discovered this login web page...
Read more »

Metasploit Framework

Image
 METASPLOIT FRAMEWORK USE TO  AUXILIARY MODULE FROM METASPLOIT First of all, I have used the auxiliary modules from Metasploit-Framework which could allow me Scanning, see ports, SO version, vulnerability in applications etc, where you can see at the bottom of the picture if  I use this module whose name is: auxiliary/scanner/discovery/arp_sweep  (To verify the IPs listening in the network) Now, we can observe that when I have selected in the auxiliary module I have had to do this set up  that we can observe in the second page below: INTERFACE : This I've set up the network interface that in my case is the eth0 interface. RHOSTS :This I've set up the IP Address which I am finding out that in my case is 192.168.100.0/24 (all the IP Address from network that could be possible which I am analyzing). THREADS : Are the threads; it's the fast  that I want to analyze the IP Addresses but in my case there are 15 threads because I want to analize as fast as possible...
Read more »

HOSTING

Image
HOSTING First of all, let's go to hosting machine from active directory, for it  using arp-scan to discover active hosts on the local network, identifying 192.168.88.8 as you can see in below. ┌──(kali㉿kali)-[~] └─$ sudo arp-scan -I eth0 --localnet Interface: eth0, type: EN10MB, MAC: 08:00:27:43:73:bc, IPv4: 192.168.88.5 Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan) 192.168.88.1 d8:44:89:50:2d:a3 (Unknown) 192.168.88.8 08:00:27:98:d4:bf PCS Systemtechnik GmbH 192.168.88.9 00:e0:4c:69:66:4a REALTEK SEMICONDUCTOR CORP. 3 packets received by filter, 0 packets dropped by kernel Ending arp-scan 1.10.0: 256 hosts scanned in 2.075 seconds (123.37 hosts/sec). 3 responded ┌──(kali㉿kali)-[~] └─$ ping -c1 192.168.88.8 PING 192.168.88.8 (192.168.88.8) 56(84) bytes of data. 64 bytes from 192.168.88.8: icmp_seq=1 ttl=128...
Read more »

LOVE

Image
BUSCALOVE First of all, I am going to do this machine from cybersecurity labs called BuscaLove which is easy Level. For it, let’s go to open Linux terminal and we have to write the command when we can see in the picture below. cd Descargas In addition, we have to depress the unzip file whose name’s buscalove.zip you can see in the picture below. Now we have to deploy the vulnerability machine whose command is sudo bash auto_deploy.sh buscalove.tar we can see in the picture below. On the other hand, to start the attack at virtual machine, we must verify if the attacker machine is in the same range of IP Address and we have to introduce this command which is ping -c 3 172.18.0.2 we can see in the picture below. As I,ve just seen the IP Address it’s in the same range of my IP Address we have to introduce the command with nmap tool which is nmap -n -Pn 172.18.0.2 -p- - -min-rate 4000 -vvv( here you can see in this picture the scanner) but I’ve got it 2 ports: 22: open ssh 80: open http No...
Read more »

CHANGE MACHINE

Image
CHANGE  First of all, let's go to hosting machine from active directory, for it  using  arp-scan  to discover active hosts on the local network, identifying  192.168.88.8   as you can see in below . ┌──(root㉿kali)-[/home/luis] └─# arp-scan -I eth0 --localnet Interface: eth0, type: EN10MB, MAC: 08:00:27:4d:8a:0f, IPv4: 192.168.88.6 WARNING: Cannot open MAC/Vendor file ieee-oui.txt: Permission denied WARNING: Cannot open MAC/Vendor file mac-vendor.txt: Permission denied Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan) 192.168.88.1 d8:44:89:50:2d:a3 (Unknown) 192.168.88.4 00:e0:4c:97:01:a7 (Unknown) 192.168.88.5 00:d8:61:fa:c0:4a (Unknown) 192.168.88.7 08:00:27:b1:ae:9f (Unknown) 4 packets received by filter, 0 packets dropped by kernel Ending arp-scan 1.10.0: 256 hosts scanned in 1.848 seconds (138.53 hosts/sec). 4 responded Now, let's go execute nmap command to identify alives ports and version with this host  192.168.88...
Read more »