Basic Pentesting

Linux

In this challenge, we are tasked with gaining unauthorised access to a machine by exploiting weak service configurations, brute-forcing credentials, and escalating privileges to retrieve the final flag.

Challenge Setup

Tools Used:

  • Nmap — Port scanning and service enumeration
  • Gobuster — Directory brute-forcing
  • Enum4linux — SMB enumeration
  • Hydra — Brute-forcing SSH credentials
  • LinEnum — Local privilege escalation enumeration
  • ssh2john / John the Ripper — Cracking a passphrase-protected SSH private key
  • scp — Secure file transfer

Environment:

  • TryHackMe hosted target machine (via VPN connection)
  • Kali Linux (attacker machine)

Initial Recon

I deployed the machine and ran an Nmap scan to identify open ports and services:

nmap -sV <target-ip>

The scan revealed the following services:

  • SSH on port 22
  • HTTP (Apache) on port 80
  • NetBIOS-SSN on port 139
  • Microsoft-DS (SMB) on port 445

Exploitation / Solution

Step One — Web Enumeration

Visiting the IP address in a browser showed a basic "under maintenance" landing page with nothing immediately exploitable. I ran Gobuster to enumerate hidden directories:

gobuster dir -u http://<target-ip> -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

This returned a /development path. Navigating to it revealed two files:

  • dev.txt — notes referencing Apache and SMB configuration details
  • j.txt — a message hinting that credentials might be stored in /etc/shadow and referencing two users by their initials: J and K

Step Two — SMB Enumeration

With two likely usernames and an SMB service exposed, I used Enum4linux to enumerate the target:

enum4linux -a <target-ip>

This confirmed the two usernames on the machine: jan and kay.

Step Three — Brute-Forcing SSH

j.txt had hinted that Jan's password was weak, so I ran Hydra against the SSH service using the rockyou.txt wordlist:

hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://<target-ip>

Hydra returned a valid password. I logged in via SSH as jan:

ssh jan@<target-ip>
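What the Hydra run above leaves behind on the target, and how a defender would catch it, as an added example that is not part of the original write-up: a small Python detector run over sshd lines in Debian/Ubuntu auth.log format. The log lines are constructed; host name, addresses, process ids and the fingerprint suffix are placeholders, and the year is assumed because syslog timestamps omit it.

```python
"""Flag SSH password brute-forcing from sshd log lines (added example; not
from the original write-up). SAMPLE_LOG is constructed to resemble
Debian/Ubuntu /var/log/auth.log output with placeholder hosts and addresses."""
import re
from collections import defaultdict
from datetime import datetime

# One sshd auth result per line. The optional "invalid user" marker and the
# fingerprint suffix that follows "ssh2" on publickey logins are tolerated.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2"
)

# Constructed sample: a short password-guessing burst that ends in a
# successful login, then unrelated activity from a second address.
SAMPLE_LOG = """\
Mar  4 10:15:01 target sshd[1201]: Failed password for jan from 10.0.0.5 port 51122 ssh2
Mar  4 10:15:01 target sshd[1201]: Connection closed by authenticating user jan 10.0.0.5 port 51122 [preauth]
Mar  4 10:15:02 target sshd[1204]: Failed password for jan from 10.0.0.5 port 51123 ssh2
Mar  4 10:15:03 target sshd[1206]: Failed password for invalid user admin from 10.0.0.5 port 51124 ssh2
Mar  4 10:15:04 target sshd[1208]: Failed password for jan from 10.0.0.5 port 51125 ssh2
Mar  4 10:15:05 target sshd[1210]: Failed password for jan from 10.0.0.5 port 51126 ssh2
Mar  4 10:15:06 target sshd[1212]: Failed password for jan from 10.0.0.5 port 51127 ssh2
Mar  4 10:15:09 target sshd[1230]: Accepted password for jan from 10.0.0.5 port 51140 ssh2
Mar  4 10:20:30 target sshd[1301]: Failed password for kay from 10.0.0.9 port 40000 ssh2
Mar  4 10:35:00 target sshd[1400]: Accepted publickey for kay from 10.0.0.9 port 40010 ssh2: RSA SHA256:placeholderfingerprint
"""


def parse_events(log_text: str, year: int = 2024) -> list:
    """Parse auth result lines into (timestamp, result, method, user, ip).
    Lines that are not auth results (connection closed, other daemons) are skipped.
    The year is an assumption: syslog timestamps do not carry one."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["method"], m["user"], m["ip"]))
    return events


def detect_bruteforce(log_text: str, threshold: int = 5,
                      window_seconds: int = 60, year: int = 2024) -> dict:
    """Return {ip: alert} for every source with >= threshold failed logins
    inside any window_seconds span. The alert lists the usernames tried and
    any successful login from the same source after the burst, which is the
    signal that the guessing worked and an incident has started."""
    by_ip = defaultdict(list)
    for ev in sorted(parse_events(log_text, year)):
        by_ip[ev[4]].append(ev)
    alerts = {}
    for ip, evs in by_ip.items():
        fails = [e for e in evs if e[1] == "Failed"]
        burst_end = None
        start = 0
        for end in range(len(fails)):  # sliding window over failure times
            while (fails[end][0] - fails[start][0]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                burst_end = fails[end][0]
                break
        if burst_end is None:
            continue
        success = [e for e in evs if e[1] == "Accepted" and e[0] >= burst_end]
        alerts[ip] = {
            "failures": len(fails),
            "users_tried": sorted({e[3] for e in fails}),
            "success_after_burst": [(e[3], e[2]) for e in success],
        }
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_bruteforce(SAMPLE_LOG).items():
        print(ip, alert)
```

The threshold and window are deliberately low so the sample triggers; on a real host the numbers come from the baseline of normal failed logins, and the "success after burst" field is what turns a noisy alert into one worth paging on.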

Step Four — Privilege Escalation

From jan's session, I navigated to /home/kay and found two items of interest: a pass.bak file (permission denied as jan) and a .ssh directory containing kay's RSA private key (id_rsa). The .ssh directory had misconfigured world-readable permissions, allowing jan to read the key despite not being kay.

To assist with broader enumeration, I transferred LinEnum to the target using scp:

scp LinEnum.sh jan@<target-ip>:/tmp/

Running LinEnum confirmed that the private key in kay's .ssh directory was the intended escalation vector.

I copied the contents of kay's id_rsa to my local machine, set the correct permissions, and attempted to use it for SSH login:

chmod 600 id_rsa
ssh -i id_rsa kay@<target-ip>

The key was passphrase-protected, so I used ssh2john to convert it to a crackable hash, then cracked it with John the Ripper:

ssh2john id_rsa > id_rsa.hash
john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash

John cracked the passphrase as beeswax. I logged in as kay using the private key and passphrase:

ssh -i id_rsa kay@<target-ip>
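The two weaknesses Step Four relies on, a .ssh directory and key readable by other local users and a key whose only protection is a crackable passphrase, are both things an administrator can audit. Below is an added example (not from the original write-up or from TryHackMe) that walks a base directory of home folders and reports either condition; it also flags keys stored with no passphrase at all. The sample home directories are constructed in a temp dir and the key files hold only the header fields the checks read, not real key material.

```python
"""Audit home directories for world-readable ~/.ssh directories or private
keys and for private keys stored without a passphrase. Added example; not
from the original write-up. build_sample_homes() constructs the input."""
import base64
import os
import stat
import struct
import tempfile

PRIVATE_KEY_NAMES = ("id_rsa", "id_ecdsa", "id_ed25519", "id_dsa")
GROUP_OR_OTHER = stat.S_IRWXG | stat.S_IRWXO


def key_is_passphrase_protected(data: bytes) -> bool:
    """True if the key file looks encrypted. Legacy PEM keys carry a
    'Proc-Type: 4,ENCRYPTED' header. OpenSSH-format keys start with the magic
    'openssh-key-v1\\0' followed by a length-prefixed cipher name, which is
    'none' when the key was saved without a passphrase."""
    text = data.decode("ascii", errors="replace")
    if "BEGIN OPENSSH PRIVATE KEY" in text:
        body = "".join(line for line in text.splitlines() if not line.startswith("-----"))
        blob = base64.b64decode(body)
        magic = b"openssh-key-v1\x00"
        if not blob.startswith(magic):
            return False  # unparsable; report it rather than assume it is safe
        (n,) = struct.unpack(">I", blob[len(magic):len(magic) + 4])
        return blob[len(magic) + 4:len(magic) + 4 + n] != b"none"
    return "Proc-Type: 4,ENCRYPTED" in text


def audit_home(home: str) -> list:
    """Return a list of finding strings for one home directory."""
    findings = []
    ssh_dir = os.path.join(home, ".ssh")
    if not os.path.isdir(ssh_dir):
        return findings
    mode = stat.S_IMODE(os.stat(ssh_dir).st_mode)
    if mode & GROUP_OR_OTHER:
        findings.append(f"{ssh_dir}: mode {oct(mode)} grants group/other access")
    for name in PRIVATE_KEY_NAMES:
        path = os.path.join(ssh_dir, name)
        if not os.path.isfile(path):
            continue
        kmode = stat.S_IMODE(os.stat(path).st_mode)
        if kmode & GROUP_OR_OTHER:
            findings.append(f"{path}: mode {oct(kmode)} lets other users read the key")
        with open(path, "rb") as fh:
            if not key_is_passphrase_protected(fh.read()):
                findings.append(f"{path}: private key has no passphrase")
    return findings


def audit_all(base: str) -> dict:
    """Audit every directory directly under base (for a real run: /home)."""
    return {u: audit_home(os.path.join(base, u)) for u in sorted(os.listdir(base))}


def _openssh_key_file(cipher: bytes, kdf: bytes) -> bytes:
    """Constructed OpenSSH-format key file holding only the header fields."""
    blob = (b"openssh-key-v1\x00" + struct.pack(">I", len(cipher)) + cipher
            + struct.pack(">I", len(kdf)) + kdf)
    return (b"-----BEGIN OPENSSH PRIVATE KEY-----\n" + base64.b64encode(blob)
            + b"\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed legacy PEM header of a passphrase-protected key (no key body).
ENCRYPTED_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                 b"DEK-Info: AES-128-CBC,00000000000000000000000000000000\n\n"
                 b"placeholder\n-----END RSA PRIVATE KEY-----\n")


def _write(path: str, data: bytes, mode: int) -> None:
    with open(path, "wb") as fh:
        fh.write(data)
    os.chmod(path, mode)


def build_sample_homes() -> str:
    """Constructed sample: jan has correct permissions but an unencrypted key;
    kay has a world-readable .ssh directory and key, as in the write-up."""
    base = tempfile.mkdtemp(prefix="sshaudit_")
    jan, kay = (os.path.join(base, u, ".ssh") for u in ("jan", "kay"))
    os.makedirs(jan)
    os.makedirs(kay)
    os.chmod(jan, 0o700)
    os.chmod(kay, 0o755)
    _write(os.path.join(jan, "id_ed25519"), _openssh_key_file(b"none", b"none"), 0o600)
    _write(os.path.join(kay, "id_rsa"), ENCRYPTED_PEM, 0o644)
    return base


if __name__ == "__main__":
    for user, findings in audit_all(build_sample_homes()).items():
        print(user, findings or ["ok"])
```

The fix for the directory finding is `chmod 700 ~/.ssh` and `chmod 600` on each private key; the passphrase check is a reminder that a passphrase only buys time against an offline attack, so a leaked key should be rotated rather than trusted because it was encrypted.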

Step Five — Retrieving the Flag

With shell access as kay, I listed the home directory and found pass.bak. Opening it revealed the final flag.

Flag

heresareallystrongpasswordthatfollowsthepasswordpolicy$$

Notes / Lessons Learned

  • Hidden directories found through Gobuster can contain plaintext notes that leak usernames and hint at weak credentials — always enumerate before attempting to exploit.
  • SMB enumeration with Enum4linux is a quick way to confirm valid usernames on Linux hosts, even when SMB itself isn't the attack surface.
  • Misconfigured file permissions on .ssh directories can expose private keys to other users on the same system — a common and often overlooked misconfiguration.
  • SSH private keys can be passphrase-protected, but ssh2john + John the Ripper handles this well when the passphrase is weak.
  • LinPEAS is a modern and more actively maintained alternative to LinEnum for local privilege escalation enumeration.

Screenshots

[13 screenshots, images not included]