Basic Penetration Testing | John Hammond : TryHackMe Write-Up

3 years ago

So, let’s get started.

Step-1 ~ Deploy The Machine using Start Machine Button

Step-2 ~ Connect to TryHackMe Network using AttackBox or Your own Kali-Machine using OpenVPN Configuration File

Step-3 ~ Scan the machine using NMAP

nmap -A -T5 10.10.36.109

-A: enable OS and version detection, script scanning, and traceroute
-T5: faster execution
10.10.36.109: machine IP

NOTE:- SMB is configured, and port 22 (SSH) is open, which we can use to log in once we have a username and password.
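The scan step above is usually read by eye, but the same output is what a defender uses to review their own exposure. The following is an added example (not part of the write-up) that parses nmap's grepable output (the `-oG` format) and flags the services this room shows being abused. The sample report is constructed to match what the write-up describes (SSH, HTTP and SMB exposed); it is not real scan output from the machine, and the version strings in it are made up.

```python
"""Triage an nmap grepable (-oG) report and flag services a defender should review.

Added example, not part of the original write-up. SAMPLE_GNMAP is a constructed
report shaped like `nmap -A -T5 -oG - <ip>` output; the version strings are invented.
"""

# Constructed sample in nmap's -oG format: one host, four open ports.
SAMPLE_GNMAP = """# Nmap scan initiated (constructed sample) as: nmap -A -T5 -oG - 10.10.36.109
Host: 10.10.36.109 ()\tStatus: Up
Host: 10.10.36.109 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu/, 80/open/tcp//http//Apache httpd 2.4.18/, 139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X/, 445/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X/\tIgnored State: closed (996)
# Nmap done (constructed sample) -- 1 IP address (1 host up) scanned
"""

# Services the room shows being abused, with the hardening a defender reviews first.
REVIEW_RULES = {
    "ssh": "password auth exposed: enforce key-only login and rate-limit attempts",
    "http": "web root enumerable: remove stray dev directories and notes",
    "netbios-ssn": "SMB exposed: disable guest/anonymous shares and user enumeration",
    "microsoft-ds": "SMB exposed: disable guest/anonymous shares and user enumeration",
}


def parse_gnmap(text):
    """Return {host: [(port, proto, state, service, version), ...]} from -oG output.

    -oG separates fields with tabs ("Host: ...", "Ports: ...", "Ignored State: ...")
    and separates port entries with ", "; each entry is
    port/state/proto/owner/service/rpcinfo/version/. A version string containing
    "/" would need a smarter split; the constructed sample has none.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]
        ports_field = fields.get("Ports")
        if not ports_field:
            continue  # the "Status: Up" line carries no port data
        entries = []
        for item in ports_field.split(", "):
            port, state, proto, _owner, service, _rpc, version = item.split("/")[:7]
            entries.append((int(port), proto, state, service, version))
        hosts.setdefault(host, []).extend(entries)
    return hosts


def flag_for_review(hosts):
    """Return [(host, port, service, advice)] for open ports matching REVIEW_RULES."""
    findings = []
    for host, entries in hosts.items():
        for port, _proto, state, service, _version in entries:
            if state == "open" and service in REVIEW_RULES:
                findings.append((host, port, service, REVIEW_RULES[service]))
    return findings


if __name__ == "__main__":
    for host, port, service, advice in flag_for_review(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{host}:{port} {service:12} {advice}")
```

Run it as-is and it lists all four ports with the matching review note; point `parse_gnmap` at a real `-oG` file from your own scan of your own hosts to get the same triage list.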

Step-4:- Using GoBuster to find hidden directories

gobuster dir -w /usr/share/dirb/wordlists/common.txt -u http://10.10.36.109

dir: use directory/file enumeration mode
-w: path to wordlist
-u: target URL

There is a directory named “/development”. Let us navigate to that now.

There are some files; let us open each one and see what’s there.

dev.txt

j.txt

By reading the conversation between the two users (J and K), we can figure out that they are using the SMB service and that user J’s password is easy to crack.

Step-5:- using enum4linux to enumerate usernames

enum4linux 10.10.36.109

Now grab a coffee and relax, as this may take some time.

We can see that there are two users named jan and kay.

SMBCLIENT

We use smbclient here because we saw that port 139 and port 445 are used for SMB.

smbclient //10.10.36.109/anonymous

Try to log in with no password, and we are in. Let’s see what we can find here. There is a text file “staff.txt”; download it using get staff.txt and read it.

We see jan and kay again.

Now we have the usernames, so all we need to do is crack the password for user jan. We will be using Hydra for this purpose.

Step-6:- use hydra to crack password for jan

hydra -l jan -P rockyou.txt -t 4 ssh://10.10.36.109

-l: username
-P: wordlist for password cracking (rockyou.txt)
-t: number of parallel threads to run
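An online password attack like the one above is noisy: every guess lands in the target's `sshd` log as a `Failed password` line from one source, followed by an `Accepted password` line when a guess succeeds. The following is an added example (not part of the write-up) of the detection a defender runs over those lines: it counts failures per source inside a sliding time window and marks a source whose burst of failures is followed by a successful login. The log lines are constructed, with invented hostnames, PIDs and source addresses, in the standard syslog layout that `sshd` writes to `auth.log`.

```python
"""Flag SSH password-guessing bursts in auth.log-style lines.

Added example, not part of the original write-up. SAMPLE_AUTH_LOG is constructed:
six quick failures for 'jan' from one source, then a success from the same
source, plus two stray failures from another source that stay under threshold.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

SAMPLE_AUTH_LOG = """\
Jan 10 12:00:01 target sshd[1201]: Failed password for jan from 10.10.14.5 port 51000 ssh2
Jan 10 12:00:02 target sshd[1202]: Failed password for jan from 10.10.14.5 port 51001 ssh2
Jan 10 12:00:03 target sshd[1203]: Failed password for jan from 10.10.14.5 port 51002 ssh2
Jan 10 12:00:04 target sshd[1204]: Failed password for jan from 10.10.14.5 port 51003 ssh2
Jan 10 12:00:05 target sshd[1205]: Failed password for jan from 10.10.14.5 port 51004 ssh2
Jan 10 12:00:06 target sshd[1206]: Failed password for jan from 10.10.14.5 port 51005 ssh2
Jan 10 12:00:09 target sshd[1209]: Accepted password for jan from 10.10.14.5 port 51008 ssh2
Jan 10 12:05:00 target sshd[1300]: Failed password for invalid user admin from 10.10.14.9 port 40000 ssh2
Jan 10 12:05:30 target sshd[1301]: Failed password for kay from 10.10.14.9 port 40001 ssh2
"""

# syslog timestamps carry no year; the parser assumes one (labelled assumption).
ASSUMED_YEAR = 2021

_TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
FAILED = re.compile(
    _TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+")
ACCEPTED = re.compile(
    _TS + r" \S+ sshd\[\d+\]: Accepted (?:password|publickey) for (?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+")


def parse_ts(text, year=ASSUMED_YEAR):
    """Turn a syslog 'Mon DD HH:MM:SS' stamp into a datetime."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(lines, threshold=5, window_seconds=60):
    """Return {ip: {"peak_failures", "users", "success_as"}} for sources that reach
    `threshold` failed logins inside any `window_seconds` window.

    success_as is set to the account name if the same source later logs in
    successfully: a failure burst followed by success is the event to escalate.
    """
    recent = defaultdict(deque)   # ip -> timestamps of failures inside the window
    users = defaultdict(set)      # ip -> account names tried
    alerts = {}
    for line in lines:
        m = FAILED.match(line)
        if m:
            ip, ts = m["ip"], parse_ts(m["ts"])
            users[ip].add(m["user"])
            q = recent[ip]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()       # drop failures that fell out of the window
            if len(q) >= threshold:
                alert = alerts.setdefault(
                    ip, {"peak_failures": 0, "users": users[ip], "success_as": None})
                alert["peak_failures"] = max(alert["peak_failures"], len(q))
            continue
        m = ACCEPTED.match(line)
        if m and m["ip"] in alerts:
            alerts[m["ip"]]["success_as"] = m["user"]
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_AUTH_LOG.splitlines()).items():
        print(ip, info)
```

With the defaults (5 failures in 60 seconds) only `10.10.14.5` is reported, with `success_as` set to `jan`; the two failures from `10.10.14.9` never reach the threshold. The same logic applied to `hydra -t 4` traffic against a real host would fire within the first few seconds of the run, which is why the mitigation on the SSH side is key-only authentication plus rate limiting rather than a longer password alone.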

Step-7:- use ssh to log in using jan’s credentials

Jan’s home directory is empty, so use cd .. and then change into kay’s home directory.

ls -l

There is a file pass.bak, but we don’t have permission to open it.

ls -al

Here we can see a hidden “.ssh” directory.

Inside “.ssh” we see RSA files

We could download them to our machine by starting an HTTP server on the target, but what I did was open the files, copy them with a simple CTRL+C and CTRL+V onto our machine, and save them under the same names to avoid confusion.

Step-8:- Convert the private key to a hash on the local machine

python /usr/share/john/ssh2john.py id_rsa > id_rsa.hash

Step-9:- Cracking Hash using JohnTheRipper

john --wordlist=rockyou.txt id_rsa.hash

And almost in no time, we have the passphrase.

Step-10:-Use the RSA key to login as kay

ssh -i id_rsa kay@10.10.36.109

-i: identity file

WAIT! We get an error. SSH refuses to use a private key whose permissions are too open, so all we have to do is make the permissions more restrictive:

chmod 400 id_rsa
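The error above is OpenSSH's own permission check: before it loads a private key it requires the file to be owned by the user (or root) and to have no group or other permission bits set, which is what `chmod 400` guarantees. The following is an added example (not OpenSSH's code and not part of the write-up) that applies the same test to a key file, so you can see why a pasted key with the default 0644 mode is rejected and a 0400 one is accepted. It creates a throwaway file of its own; the `demo_*` names are this example's, not anything from the room.

```python
"""Check a private key file against OpenSSH's 'permissions are too open' rule.

Added example, not OpenSSH's code. The rule it mirrors: the file must belong to
the current user (or root) and (mode & 0o077) must be zero.
"""
import os
import stat
import tempfile


def key_permissions_ok(path):
    """Return (ok, octal_mode, reason) for a private key file."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    octal = format(mode, "04o")
    if st.st_uid not in (os.getuid(), 0):
        return False, octal, f"'{path}' is not owned by you"
    if mode & 0o077:  # any group or other bit set
        return False, octal, f"Permissions {octal} for '{path}' are too open"
    return True, octal, "ok"


def restrict_key(path):
    """Apply the fix from the write-up: owner read-only (0400), then re-check."""
    os.chmod(path, 0o400)
    return key_permissions_ok(path)


def demo_on_temp_file():
    """Create a throwaway file, show it rejected at 0644 and accepted after restrict_key."""
    fd, path = tempfile.mkstemp(prefix="demo_id_rsa_")
    os.close(fd)
    try:
        os.chmod(path, 0o644)          # the mode a copied-and-pasted key often ends up with
        before = key_permissions_ok(path)
        after = restrict_key(path)
        return before, after
    finally:
        os.remove(path)                # clean up the constructed file


if __name__ == "__main__":
    for label, result in zip(("before", "after"), demo_on_temp_file()):
        print(label, result)
```

`key_permissions_ok` can be pointed at any key file you own to confirm it before a connection; the reason string deliberately matches the shape of the message ssh prints, so the two are easy to correlate.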

Now, proceed:

Use the passphrase we obtained from JTR to log in.

Open “pass.bak”

It was my first write-up. I hope you guys liked it. If you learned something from my article, then give it claps.
