Day-03: TryHackme [Basic Pentesting] room Walkthrough
Hi! I'm Adbin Magar, the researcher behind TheGreyLens. If you’ve seen my previous blogs, you know I’m currently tackling a daily CTF challenge where I complete TryHackMe rooms and document the process. Today is Day 3, and I'll be walking you through the Basic Pentesting room.
🛠 Tools Used
Nmap: Network scanning and service enumeration.
FFuF: Web directory brute-forcing.
Enum4linux: Samba and Windows enumeration.
Hydra: SSH credential brute-forcing.
SSH2John: Preparing SSH keys for cracking.
John the Ripper: Password/Passphrase cracking.
Question 1: Deploy the machine and connect to our network
Answer: No answer needed
Question 2: Find the services exposed by the machine
The first phase of ethical hacking is information gathering, so my go-to tool for finding exposed services is Nmap.
Answer: No answer needed
Question 3: What is the name of the hidden directory on the web server(enter name without /)?
For brute-forcing, I prefer FFuF over Gobuster, so here I used ffuf with a simple wordlist, common.txt, to find the name of the hidden directory on my target.
development is the hidden directory. When I opened it in the browser, it showed me two files: dev.txt and j.txt.
Answer: development
Question 4: User brute-forcing to find the username & password
Before jumping into brute-forcing, I analyzed the two files. The first file, j.txt, contained a message stating that credentials were weak and easily crackable by "K." This hinted that "J" and "K" were likely usernames.
The second file, dev.txt, mentioned SMB and again referenced K and J. Since I found hints of a Samba service, I used enum4linux to gather more information.
enum4linux -a 10.49.154.30
Answer: jan
Question 5: What is the password?
After identifying jan as a user, I used Hydra to brute-force the SSH service.
hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.49.154.30 -t 4 -V
Answer: armando
Question 6: What service do you use to access the server(answer in abbreviation in all caps)?
Answer: SSH
Question 7: Enumerate the machine to find any vectors for privilege escalation
Answer: No answer needed
Question 8: What is the name of the other user you found(all lower case)?
Answer: kay
Question 9: If you have found another user, what can you do with this information?
Answer: No answer needed
Question 10: What is the final password you obtain?
Upon successfully logging in as jan through SSH, I began exploring the file system. In the /home directory, I identified a user folder named kay. After navigating into this directory, I discovered a file named pass.bak. Given the naming convention, I suspected this file might contain sensitive credentials or a flag.
Inside the kay folder, running ls -la showed a .ssh folder. Reading the files inside the .ssh folder, I found id_rsa, which was a private key.
After discovering the private key, I copied it and saved it to my local machine as id_rsa.txt. To prepare the key for decryption, I used ssh2john to convert it into a format compatible with John the Ripper. This allowed me to proceed with the brute-force cracking process.
After successfully running the cracking process, I was able to recover the passphrase for the private key, which is beeswax in plain text.
With the passphrase 'beeswax' in hand, I was ready to escalate my access. Using the private key and the discovered passphrase, I authenticated as the user kay via SSH:
ssh -i /path/to/id_rsa kay@<IP_address>
Boom! I was successfully logged in. So, I navigated to the /home/kay directory and read the pass.bak file. As expected, it contained the flag I needed to complete the final stage of the challenge.
Answer: heresareallystrongpasswordthatfollowsthepasswordpolicy$$
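The jump from jan to kay worked because jan could read kay's private key. As an added example (not part of the original walkthrough or the room), here is a small audit a sysadmin could run to catch that misconfiguration; the function name, the /home default and the demo tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): list SSH private keys that
# accounts other than the owner can read. Paths in demo() are constructed.

# Print "<mode> <owner> <path>" for each private key under <root>/*/.ssh
# whose mode bits grant read access to group or others.
audit_ssh_keys() {
    root="${1:-/home}"   # assumption: home directories live under /home
    find "$root" -type f -path '*/.ssh/*' \
        \( -perm -004 -o -perm -040 \) 2>/dev/null |
    while IFS= read -r f; do
        # Report only real private keys (PEM or OpenSSH format), not .pub files.
        if head -n 1 "$f" 2>/dev/null | grep -q -e '-----BEGIN .*PRIVATE KEY-----'; then
            ls -ld "$f" | awk -v p="$f" '{ print $1, $3, p }'
        fi
    done
}

# Build a throwaway tree with one exposed key and one protected key, then audit it.
demo() {
    t=$(mktemp -d)
    mkdir -p "$t/kay/.ssh" "$t/jan/.ssh"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed' > "$t/kay/.ssh/id_rsa"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed' > "$t/jan/.ssh/id_rsa"
    chmod 644 "$t/kay/.ssh/id_rsa"   # readable by every local user: reported
    chmod 600 "$t/jan/.ssh/id_rsa"   # owner-only: not reported
    audit_ssh_keys "$t"
    rm -rf "$t"
}

demo
```

Any path it prints should be tightened with chmod 600 on the key and chmod 700 on the .ssh directory.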
🎯 Day 3 Mission Accomplished
Flag captured! That concludes Day 3 of my daily CTF journey. Today was a great learning experience. I hope you learned something too. See you on Day .
Happy hacking! :)

