Basic Pentesting 0x01

infosecwriteups.com · Cyb0rgBytes · 9 days ago · tutorial
InfoSec Write-ups · ~3 min read · December 13, 2022 (Updated: April 2, 2026)

As always in every penetration-testing exercise, we start by gathering information about the target and enumerating its services and entry points thoroughly. We do that with the following command:

```
nmap -sC -sV ip-target -oA basic
```

-sC : run the default NSE scripts
-sV : probe the open ports for service and version information
-oA : save the output in all three formats (.nmap, .gnmap and .xml) under the base name "basic"

The open ports are:

```
22
80
139
445
8009
8080
```

The first question asks: What is the name of the hidden directory on the web server (enter the name without /)?

When enumerating web servers we can choose from a variety of tools; my choice is gobuster. Using the following command we find the hidden directory, which is called development:

```
gobuster dir -u http://10.10.14.221/ -w /usr/share/wordlists/dirb/common.txt
```

[Screenshot: gobuster finding the development directory]

Next it asks us to brute-force the box and get a username and password. For more enumeration we can use Enum4Linux; running Enum4linux against the target reveals two users:

[Screenshot: enum4linux finding two users, kay and jan]

Trying the usernames against the question "What is the username", jan turns out to be correct.

Next is to crack the password. We can try hydra, and the service we are going to attack is SSH:

```
hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.14.221
```

Hydra itself warns that many SSH configurations limit the number of parallel tasks and recommends adding -t 4; with the default task count some attempts can fail silently rather than run faster. After waiting a bit we find a match for the password associated with jan.

[Screenshot: the password of jan, found by Hydra]
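To make the enumeration step above repeatable, here is an added bash example (not code from the original post) that parses the grepable file `-oA basic` writes (`basic.gnmap`), lists the open TCP ports, and prints the follow-up commands this writeup uses for each one. The scan file it parses is constructed inline to mirror the six ports found above, with the version column left empty because the post quotes no banners; the helper names `open_ports` and `followups`, the `-a` flag for enum4linux and `-t 4` for hydra are my choices, not the author's.

```bash
#!/bin/bash
# Added example: turn an nmap grepable output file (from -oA) into a port
# list and a to-do list of follow-up enumeration commands. Nothing here
# touches the network; the commands are printed, not executed.
set -eu

# Constructed sample of what "nmap -sC -sV 10.10.14.221 -oA basic" writes to
# basic.gnmap for this box. Service names are nmap's defaults for these ports;
# the version column is left blank because the writeup does not quote banners.
SAMPLE="$(mktemp)"
trap 'rm -f "$SAMPLE"' EXIT
printf '%s\n' '# Nmap 7.93 scan initiated as: nmap -sC -sV 10.10.14.221 -oA basic' > "$SAMPLE"
printf 'Host: 10.10.14.221 ()\tStatus: Up\n' >> "$SAMPLE"
printf 'Host: 10.10.14.221 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 8009/open/tcp//ajp13///, 8080/open/tcp//http-proxy///\tIgnored State: closed (994)\n' >> "$SAMPLE"

# open_ports FILE: print the open TCP ports from a .gnmap file, space-separated,
# in scan order. Each entry in the tab-delimited "Ports:" field is
# port/state/protocol/owner/service/rpcinfo/version/ ; only state "open" is
# kept, so "open|filtered" guesses are deliberately dropped.
open_ports() {
    awk -F'\t' '
        /^Host:.*Ports:/ {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^Ports: /) {
                    sub(/^Ports: /, "", $i)
                    n = split($i, entry, ", *")
                    for (j = 1; j <= n; j++) {
                        split(entry[j], f, "/")
                        if (f[2] == "open" && f[3] == "tcp")
                            out = out (out == "" ? "" : " ") f[1]
                    }
                }
            }
        }
        END { print out }' "$1"
}

# followups FILE TARGET USER: print the commands from the writeup that apply
# to each open port. SMB is enumerated once even when both 139 and 445 are
# open; ports with no scripted follow-up get a reminder to read the -sV
# banner instead of being silently skipped.
followups() {
    local file="$1" target="$2" user="$3" smb_done=0 port
    for port in $(open_ports "$file"); do
        case "$port" in
            22)
                echo "hydra -l $user -P /usr/share/wordlists/rockyou.txt -t 4 ssh://$target" ;;
            80|8080)
                echo "gobuster dir -u http://$target:$port/ -w /usr/share/wordlists/dirb/common.txt" ;;
            139|445)
                if [ "$smb_done" -eq 0 ]; then
                    echo "enum4linux -a $target"
                    smb_done=1
                fi ;;
            *)
                echo "# $port/tcp: no scripted follow-up; check its banner in ${file%.gnmap}.nmap" ;;
        esac
    done
}

echo "open ports: $(open_ports "$SAMPLE")"
followups "$SAMPLE" 10.10.14.221 jan
```

Point `open_ports` at the real `basic.gnmap` instead of `$SAMPLE` to use it on a live scan; the username argument to `followups` is whatever enum4linux turned up, which is why hydra is only printed and not run from here.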
After getting a foothold as jan and running linpeas to enumerate privilege-escalation paths, it turned up an SSH private key belonging to the other user, kay:

[Screenshot: linpeas finding the hidden SSH key of user kay]

The id_rsa is passphrase-protected, so we turn to John the Ripper: the key is converted to a John-compatible hash with ssh2john and cracked against a wordlist. Cracking it gives the credentials for the second user; the passphrase is beeswax.

[Screenshot: cracking the SSH key and finding the correct credentials for user kay]

With a foothold on the system as kay, we find the last password.

#cyber-security-awareness #information-security #ctf-writeup #ctf #tryhackme
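The key-cracking step above, as an added bash example (not code from the original post): a small triage helper that tells you, before you spend time on John, whether a recovered id_rsa is actually passphrase-protected and in which on-disk format, and then prints the ssh2john/john commands for an encrypted key or the ssh login for a plain one. The sample key files are constructed in place and carry only the headers that decide the question (no key material at all); the user `kay` and target 10.10.14.221 come from the writeup, while the function names `key_encryption` and `key_plan`, the file names and the wordlist path are my assumptions.

```bash
#!/bin/bash
# Added example: triage a recovered SSH private key before cracking it.
# Reports whether the key is passphrase-protected and which format it uses,
# then prints (does not run) the matching next step.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed samples. Only the bytes that carry the "encrypted or not"
# decision are present. New-format keys start with the magic
# "openssh-key-v1\0" followed by two length-prefixed strings: the cipher name
# and the KDF name. A plain key has "none"/"none"; a protected one has e.g.
# "aes256-ctr" (10 bytes) and "bcrypt" (6 bytes).
{ echo '-----BEGIN OPENSSH PRIVATE KEY-----'
  printf 'openssh-key-v1\000\000\000\000\012aes256-ctr\000\000\000\006bcrypt' | base64
  echo '-----END OPENSSH PRIVATE KEY-----'; } > "$WORK/kay_id_rsa"
{ echo '-----BEGIN OPENSSH PRIVATE KEY-----'
  printf 'openssh-key-v1\000\000\000\000\004none\000\000\000\004none' | base64
  echo '-----END OPENSSH PRIVATE KEY-----'; } > "$WORK/plain_id_rsa"
# Legacy PEM keys signal a passphrase with Proc-Type/DEK-Info headers
# (the IV below is a constructed placeholder).
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-128-CBC,00000000000000000000000000000000' '' \
    '-----END RSA PRIVATE KEY-----' > "$WORK/legacy_id_rsa"

# key_encryption FILE: print one of
#   openssh-encrypted | openssh-plain | pem-encrypted | pem-plain | unknown
key_encryption() {
    local f="$1" hdr
    if grep -q '^-----BEGIN OPENSSH PRIVATE KEY-----' "$f"; then
        # Strip the armor, decode, and keep only the leading bytes, which hold
        # the magic plus the cipher and KDF names; NULs become spaces so the
        # names can be matched as whole words.
        hdr="$(sed '1d;$d' "$f" | base64 -d 2>/dev/null | head -c 64 | tr -c '[:alnum:]-' ' ')"
        case " $hdr " in
            *' bcrypt '*) echo openssh-encrypted ;;
            *' none '*)   echo openssh-plain ;;
            *)            echo unknown ;;
        esac
    elif grep -q '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$f"; then
        echo pem-encrypted          # PKCS#8 with a passphrase
    elif grep -q '^-----BEGIN .*PRIVATE KEY-----' "$f"; then
        if grep -q '^Proc-Type: 4,ENCRYPTED' "$f"; then echo pem-encrypted; else echo pem-plain; fi
    else
        echo unknown
    fi
}

# key_plan FILE USER TARGET: print the next command(s) for this key. Encrypted
# keys go through ssh2john and john; plain keys are usable as-is once their
# mode is tightened enough for ssh to accept them.
key_plan() {
    local f="$1" user="$2" target="$3"
    case "$(key_encryption "$f")" in
        *-encrypted)
            echo "ssh2john '$f' > '$f.hash'"
            echo "john --wordlist=/usr/share/wordlists/rockyou.txt '$f.hash'"
            echo "john --show '$f.hash'" ;;
        *-plain)
            echo "chmod 600 '$f' && ssh -i '$f' $user@$target" ;;
        *)
            echo "# $f: not a recognised private-key format" ;;
    esac
}

for k in "$WORK"/*_id_rsa; do
    echo "$k: $(key_encryption "$k")"
    key_plan "$k" kay 10.10.14.221
done
```

The format check matters in practice: an `openssh-plain` result means the cracking step is unnecessary, and a `unknown` result usually means the file was truncated or mangled during exfiltration rather than that the key is unusual.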