Tryhackme – Basic Pentesting

In this walkthrough, we will go through the Basic Pentesting room from Tryhackme. It is one of the best beginner-level boxes and can hone your pentesting skills if you are new to this field. The room covers basic enumeration, directory bruteforcing, getting a shell with online password attacks and basic privilege escalation to get root. So without any delay, let’s get started.


Machine Info:

Title: Basic Pentesting
Objective: This is a machine that allows you to practice web app hacking and privilege escalation

Task 1 – Web App Testing and Privilege Escalation

Question 1 – Deploy the machine and connect to our network


Question 2 – Find the services exposed by the machine


  • We will start off with a regular nmap scan to reveal open ports and services.

sudo nmap -sS -sV

nmap scan

Question 3 – What is the name of the hidden directory on the web server(enter name without /)?

  • Fire up gobuster on the webserver found on port 80 to reveal juicy endpoints and directories.

gobuster dir -u -w ~/Desktop/common.txt

gobuster scan

found directory - development


Question 4 – User brute-forcing to find the username & password


Question 5 – What is the username?

  • We will use the nmap scripts for enumerating smb shares and users with the following command.

sudo nmap -p 445 --script=smb-enum-shares.nse,smb-enum-users.nse

nmap SMB script

  • The scan finds a share that allows anonymous access. Use smbclient to access the share, which contains staff.txt.

smbclient //


  • Use smbget to download the file.

smbget -R smb://

smbget get files

  • Got the Username – Jan



Question 6 – What is the password?

  • Brute-force the SSH password of the user jan with hydra.

sudo hydra -l jan -P ~/Desktop/rockyou.txt ssh://

hydra SSH bruteforce
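
A defender-side view of the hydra step above, as an added example that is not part of the original walkthrough: it scans sshd auth-log lines for a burst of failed passwords followed by a successful login from the same source. The log lines, host name and addresses are constructed, and the threshold of 5 failures with no time window is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample sshd log lines (not taken from the room); documentation IPs.
SAMPLE_LOG = "\n".join(
    [f"Jan 10 10:00:{s:02d} box sshd[1201]: Failed password for jan "
     f"from 203.0.113.7 port 40{s:03d} ssh2" for s in range(6)]
    + [
        "Jan 10 10:00:07 box sshd[1201]: Accepted password for jan from 203.0.113.7 port 40007 ssh2",
        "Jan 10 10:05:00 box sshd[1310]: Failed password for kay from 198.51.100.9 port 51000 ssh2",
        "Jan 10 10:05:09 box sshd[1310]: Accepted password for kay from 198.51.100.9 port 51000 ssh2",
        "Jan 10 10:06:00 box sshd[1322]: Failed password for invalid user admin from 203.0.113.7 port 40100 ssh2",
    ]
)

# Matches the standard OpenSSH password-auth messages, including "invalid user".
EVENT = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def find_bruteforce(log_text, threshold=5):
    """Return [(ip, user, failures, success_after)] for each source/user pair
    that reached `threshold` failed passwords. `success_after` is True when an
    Accepted login for the same pair follows the burst (likely guessed password)."""
    failures = defaultdict(int)
    alerts = {}  # (ip, user) -> success seen after the burst?
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            continue
        key = (m["ip"], m["user"])
        if m["result"] == "Failed":
            failures[key] += 1
            if failures[key] >= threshold:
                alerts.setdefault(key, False)
        elif key in alerts:
            alerts[key] = True  # login succeeded after repeated failures
    return [(ip, user, failures[(ip, user)], hit)
            for (ip, user), hit in sorted(alerts.items())]


if __name__ == "__main__":
    for ip, user, count, hit in find_bruteforce(SAMPLE_LOG):
        status = "FOLLOWED BY SUCCESSFUL LOGIN" if hit else "no success seen"
        print(f"{ip} -> {user}: {count} failed passwords, {status}")
```

A single mistyped password followed by a normal login (the constructed kay lines) stays below the threshold and is not reported.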


Question 7 – What service do you use to access the server(answer in abbreviation in all caps)?


SSH login

Question 8 – Enumerate the machine to find any vectors for privilege escalation


  • Download linpeas using wget and use it to find privilege escalation vectors.

SSH keys

Question 9 – What is the name of the other user you found(all lower case)?


Question 10 – If you have found another user, what can you do with this information?


  • Copy the SSH key into a file named id_rsa.

copy id_rsa

  • Use SSH2John to convert the key into a format that John the Ripper can understand.

~/Tools/john/run/ id_rsa > privhash.txt

  • Brute-force the hash file to recover the passphrase for the private key.

sudo ~/Tools/john/run/john privhash.txt

john cracking ssh password

ssh -i id_rsa kay@

SSH login for user kay

Question 11 – What is the final password you obtain?

final password





So that was the “Basic Pentesting” room for you. Summing it up, we started with a basic nmap port and service scan and found SMB, SSH and HTTP services running. Then we tried directory bruteforcing with gobuster and found the hidden directory “development”. From there we found out about the shares and an Apache Struts version running (a rabbit hole). We used the nmap NSE SMB scripts to gather information about the Samba shares and found an Anonymous share. Next, we accessed the share using smbclient, where we found the file “staff.txt” and the user “Jan”. Moving on, we bruteforced the SSH password for the user Jan using hydra. Later, we found the privilege escalation vectors by running linpeas and got the final flag by bruteforcing the SSH key using john. On that note, let me be free from the grips of information warlords and you until then, “Keep Hacking!!!”
