CTF: Basic Penetration Testing

Dylan Wood
4 min read · Oct 19, 2021

The Setup

For some time I have been playing around on TryHackMe and Hack the Box. I have gone through some of their learning modules and a few basic Capture the Flag (CTF) challenges. After working with both I have come to appreciate TryHackMe. Both TryHackMe and Hack the Box are valuable resources; however, I find TryHackMe easier to work with, especially for beginners. Below is my first write-up on my experience and lessons learned from the TryHackMe CTF: Basic Penetration Testing. Side note: I did this CTF over multiple days, and you may notice changes in the IP addresses.

My Process

My first step after launching the CTF was to see if I could ping the target machine. The ping was successful, so I moved on to an Nmap scan. The scan was as follows: nmap -sV -O 10.10.239.194. I wanted to understand which ports were open and enable OS detection. The following ports were open:

  1. 22 — SSH
  2. 80 — HTTP
  3. 139 — SMB
  4. 445 — SMB
  5. 8009 — Apache JServ Protocol (AJP)
  6. 8080 — Alternative HTTP

I know port 80 is insecure, so I wanted to access that webpage. I went to Firefox and typed in 10.10.239.194:80. The website stated, “Undergoing maintenance. Please check back later”. The page source had a comment about a dev note section. I then tried 10.10.239.194:80/dev, but that was a dead end.

At this point I looked at the prompts to understand what I was trying to accomplish. Based on the prompts, I was to try to find some directories, usernames, and passwords, and possibly decrypt some hashes. I also noted some tools and wordlists available in a folder. To understand what directories might exist I utilized Gobuster. Below is the command I used:

gobuster dir -w /root/Tools/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt -u http://10.10.239.194/

I found /development and /server-status. These really didn’t lead anywhere, so I utilized Enum4linux. This would allow me to see if there were any users or other information hiding. I ran enum4linux -a 10.10.39.144 and found the users Jan and Kay.

enum4linux command

The next step was to try Hydra for password cracking. I used the following command: hydra -l jan -P /root/Desktop/Tools/wordlists/rockyou.txt 10.10.39.144 ssh. This allowed me to find the password for Jan (armando). I ran the same command for Kay; however, Hydra prompted me that this password might be too complex and may take hours to brute force.
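The SSH password guessing above is also something the target's own sshd logs record, which is what a defender would look for. The following Python script is an added example and not part of the original write-up: it runs over a handful of constructed sshd log lines (sample data, not output from the CTF machine) and flags a source IP with a burst of failed logins, noting whether a successful login from the same source followed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd log lines (syslog format); not taken from the original post.
SAMPLE_LOG = """\
Oct 19 10:01:01 target sshd[1201]: Failed password for jan from 10.10.14.5 port 50211 ssh2
Oct 19 10:01:01 target sshd[1202]: Failed password for jan from 10.10.14.5 port 50212 ssh2
Oct 19 10:01:02 target sshd[1203]: Failed password for jan from 10.10.14.5 port 50213 ssh2
Oct 19 10:01:02 target sshd[1204]: Failed password for invalid user admin from 10.10.14.5 port 50214 ssh2
Oct 19 10:01:03 target sshd[1205]: Failed password for jan from 10.10.14.5 port 50215 ssh2
Oct 19 10:01:03 target sshd[1206]: Accepted password for jan from 10.10.14.5 port 50216 ssh2
Oct 19 10:30:00 target sshd[1300]: Failed password for kay from 192.168.1.20 port 40001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

def parse_ts(ts, year=2021):
    # syslog timestamps carry no year; assume one (the constructed data is from 2021)
    return datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S")

def detect_bruteforce(log_text, threshold=4, window_s=60):
    """Flag source IPs with >= threshold failed logins inside a window_s-second window."""
    failures, successes = defaultdict(list), defaultdict(list)  # ip -> [(ts, user)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated sshd/syslog line
        bucket = failures if m["result"] == "Failed" else successes
        bucket[m["ip"]].append((parse_ts(m["ts"]), m["user"]))
    alerts = {}
    for ip, events in failures.items():
        events.sort()
        for i in range(len(events) - threshold + 1):
            if (events[i + threshold - 1][0] - events[i][0]).total_seconds() <= window_s:
                # a success from the same IP after the burst began suggests a guessed password
                guessed = {u for t, u in successes[ip] if t >= events[i][0]}
                alerts[ip] = {
                    "failures": len(events),
                    "users": sorted({u for _, u in events}),
                    "compromised": sorted(guessed),
                }
                break
    return alerts
```

On the sample data the 10.10.14.5 burst is reported with jan marked as compromised, while the single failure from 192.168.1.20 stays below the threshold.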

For the last section I did not take very good notes. To get Kay’s password I utilized John the Ripper. Through this I was able to get Kay’s password and the last flag.

Lessons Learned

  1. Take notes! I found it helpful to write down IP addresses, open ports, credentials, and methods tried in a Google Doc.
  2. Ensure tools within the virtual machine (VM) environment are updated prior to performing tasks. I wasted time trying to understand why certain tools gave error codes only for Google to tell me my tool was not updated.
  3. In a pre-configured VM, look for clues in the files. This might give you an idea into how the creator of the CTF wants you to complete the CTF. For example, if you see a folder labeled John the Ripper along with a dictionary password file, it may indicate a route to take in order to complete the CTF.
  4. Look at the prompts (if they exist) for clues on what to do! For example, if a prompt says, “What directories did you find?” one should probably look for directories in a system. These prompts are great at giving clues on where to look and how to attack.
  5. I learned more about SSH and how it can be used in real-world situations.

Wrap-up

I found planning to do a write-up and doing it at the same time a bit odd at first. I did peek at a few other CTF write-ups to get a sense of how one is done. I plan to provide more detail and pictures in future write-ups. Even if I don’t post many write-ups, I do find it helpful to document my process so I can look back at it when doing other CTFs.

While this write-up does not have all of the detail associated with the CTF, I hope it gives you insight into my thought process and what I learned. I know my process and documentation skills will improve as I do more. Until next time…

Cheers!
