Library
In this post, we will look into the room “Library” from TryHackMe, which can be found on https://tryhackme.com
MASSCAN & NMAP
Port scanning tcp / udp and their services.
catsec@kali:~/trymehack/library# masscan -p1-65535,U:1-65535 10.10.184.190 --rate=1000 -e tun0
Starting masscan 1.0.4 (http://bit.ly/14GZzcT) at 2019-09-03 08:19:17 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 22/tcp on 10.10.184.190
Discovered open port 80/tcp on 10.10.184.190
Starting Nmap 7.70 ( https://nmap.org ) at 2019-09-03 04:22 EDT
Nmap scan report for 10.10.184.190
Host is up (0.21s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c4:2f:c3:47:67:06:32:04:ef:92:91:8e:05:87:d5:dc (RSA)
| 256 68:92:13:ec:94:79:dc:bb:77:02:da:99:bf:b6:9d:b0 (ECDSA)
|_ 256 43:e8:24:fc:d8:b8:d3:aa:c2:48:08:97:51:dc:5b:7d (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Welcome to Blog - Library Machine
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.64 seconds
HTTP
website on port 80.
GOBUSTER
We use gobuster to search for directories and files.
catsec@kali:~/trymehack/library# gobuster dir -u 10.10.184.190 -w /usr/share/wordlists/dirb/common.txt -n -x php,html,txt -t 15
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.184.190
[+] Threads: 15
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Status codes: 200,204,301,302,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Extensions: php,html,txt
[+] No status: true
[+] Timeout: 10s
===============================================================
2019/09/03 04:25:57 Starting gobuster
===============================================================
/images
/index.html
/index.html
/robots.txt
/robots.txt
/server-status
===============================================================
2019/09/03 04:31:35 Finished
===============================================================
ROBOTS.TXT
We find a clue in robots.txt
which indicates the name of the “wordlist rockyou”.
ENUM USERS - SSH
We use OpenSSH 7.2p2 - Username Enumeration to enumerate the users within the SSH service, the users that we list are those that appear as comments on the main page and the author of the first post.
root
www-data
meliodas
anonymous
Anonymous
HYDRA
We use hydra with the rockyou wordlist and our small user wordlist, managing to obtain the password for the user Meliodas
.
USER - MELIODAS
We get our user.txt
flag when logging into the ssh service with the credentials found.
login: meliodas
password: iloveyou1