Let’s start with a basic nmap scan:
nmap -T4 -A --top-ports 1000 10.10.8.9
The scan also returns output from a few scripts, but we are told to try and find the hidden directory on the web server. Let’s take a look at the web server first:
Sick. Let’s try and find hidden directories using dirbuster.
dirbuster &
We use a simple small word list. Wappalyzer doesn’t tell us whether the site is running PHP, so we’ll also search for txt files, although that is probably not needed.
We find a folder called development that has two files, dev.txt and j.txt.
From these notes we can work out a way in through J’s password, since K describes it as very weak.
From the tutorial of the YouTube video, we are asked to try and use SMB to find a username, which I am going to do with the following command:
enum4linux -a 10.10.8.9
The -a option attempts to scan everything and therefore looks for users.
When we look at our scan, we can see two users at the bottom named jan and kay, who match the J and K from the development notes. We know that jan has a weak password, and since TryHackMe said to use brute-forcing, we can try to get in over SSH using a brute-force method.
Using hydra:
hydra -l jan -P rockyou.txt ssh://10.10.114.154
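Seen from the target's side, a password-guessing run like the hydra one above shows up in the sshd log as a burst of failed logins from one address. The following is an added example, not part of the original walkthrough: it flags such bursts in auth.log-style lines and marks the ones that are followed by a successful login. The log lines, host name, addresses, threshold and window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in OpenSSH/syslog auth.log style; host, IPs and times are made up.
SAMPLE_LOG = """\
Mar  3 10:15:01 basic sshd[1201]: Failed password for jan from 203.0.113.7 port 40112 ssh2
Mar  3 10:15:02 basic sshd[1203]: Failed password for jan from 203.0.113.7 port 40114 ssh2
Mar  3 10:15:02 basic sshd[1205]: Failed password for jan from 203.0.113.7 port 40116 ssh2
Mar  3 10:15:03 basic sshd[1207]: Failed password for jan from 203.0.113.7 port 40118 ssh2
Mar  3 10:15:04 basic sshd[1209]: Failed password for jan from 203.0.113.7 port 40120 ssh2
Mar  3 10:15:20 basic sshd[1188]: Failed password for kay from 198.51.100.20 port 51544 ssh2
Mar  3 10:15:31 basic sshd[1188]: Accepted password for kay from 198.51.100.20 port 51544 ssh2
Mar  3 10:16:10 basic sshd[1290]: Accepted password for jan from 203.0.113.7 port 40310 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def detect_bruteforce(log_text, threshold=5, window_s=60, year=2024):
    """Return one alert per source IP with >= threshold failed password logins
    inside window_s seconds; compromised_user is set if a login then succeeds."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    alerts = {}                   # ip -> alert record
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        # syslog timestamps carry no year, so one is assumed (parameter `year`)
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        ip, user = m["ip"], m["user"]
        if m["result"] == "Failed":
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > timedelta(seconds=window_s):
                q.popleft()       # drop failures that fell out of the window
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"ip": ip, "first_seen": q[0], "compromised_user": None}
        elif ip in alerts and alerts[ip]["compromised_user"] is None:
            # a success from an address that was just guessing passwords
            alerts[ip]["compromised_user"] = user
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG):
        print(alert)
```

An alert with compromised_user set is the weak-password case from the notes: the account's password should be rotated and its session reviewed, while a single mistyped password followed by a login, as in the kay lines, stays below the threshold.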