Notes about the solution:
· Target IP varies between screenshots because I restarted the machine many times
· Tools we will use: Nmap, Hydra, John the Ripper, Smbclient, SSH, Crackmapexec, ssh2john
· My machine: kali-linux 2023.2
· You can find failed attempts as well
Let's start
1- Start the target machine

2- Log in to Kali Linux as a root user
3- Connect via OpenVPN to the room:

4- Start reconnaissance of the target machine

5- List all Nmap scripts > ls /usr/share/nmap/scripts/

6- List the available ftp, SSH, and Nmap scripts to shorten the list:

7- OK, according to step 6 we found several common services: HTTP, SSH, and SMB (445), so let's try to enumerate HTTP first:

8- We found many results, so let's shorten the results by a specific HTTP enumeration script:

9- Let's use this script to enumerate > nmap --script http-enum -p80 TargetIP

10- Now we found a subpage "development", let's try to open it in the browser > http://10.82.129.95/development/

11- Let's browse the 2 files on that page:


12- We can extract the following:
· There is an app that uses version 2.5.12
· 2 people's names start with J, K
· Apache server set up
· J has weak credentials and is easily cracked by K
13- Let's try to check SMB via Nmap:

14- Let's try to enumerate SMB using smb-enum. Note the target IP changed because I restarted the room

15- We didn't find any script that can enumerate SMB
16- Let's use the smbclient tool > 'smbclient -L' to list all available SMB shares

17- Let's try > 'smbclient //targetIP/location -N', where -N tells smbclient to try logging in without asking for a password

18- Now we are logged in to the Anonymous share, so let's list and download the content

19- Open the staff.txt file to search for any valuable information

20- Now we know that J is Jan and K is Kay
21- Browse to the RockYou list to use it

22- Put jan and kay in a Word file to use them as usernames in the process


23- Let's try the CrackMapExec tool > 'crackmapexec smb 10.82.134.149 -u user.txt -p rockyou.txt'

24- We found a password for user jan, so let's connect via the smbclient tool > smbclient -L //10.81.141.219 -U jan

25- Enter the password (123456). It works, but unfortunately we didn't find any valuable information

26- Now, after we failed to find any valuable information in shares via SMB, we should move to another service like SSH
27- Let's try SSH using the Hydra tool to brute force SSH as follows:

28- We found a matching username and password

29- Let's log in via SSH with them

30- Enter password (armando) and log in, then browse files

31- Let's try to access any valuable file

32- Let's go deeper into the files:

33- Open file "id_rsa", which contains the private key to log in via SSH for user Kay

34- Open any text editor and copy the key to it


35- Let's check the key file permission, because it needs to be (-rw-------)

36- We need now to change the file permission as follows > 'chmod 600 filename'

37- Now let's log in by the private key via SSH > 'ssh -i key.txt kay@targetIP'

38- It needs a passphrase, which is a password for the private key, so we need to crack this passphrase
39- Let's use the ssh2john tool to try to crack the passphrase


40- Let's save the output into text file

41- Next we will try to crack this passphrase using the John the Ripper tool > 'john --wordlist=/usr/share/wordlists/rockyou.txt key.txt'

42- We found the passphrase now, let's use it

43- Log in and browse for the flag > the flag is (heresareallystrongpasswordthatfollowsthepasswordpolicy$$)

44- Good room, here is the room answer

CTF is now solved
Conclusion:
In this walkthrough, we completed the Basic Pentesting TryHackMe room by applying a step-by-step enumeration and exploitation approach. Using tools like Nmap, smbclient, Hydra, CrackMapExec, and John the Ripper, we identified weak credentials, misconfigured services, and exposed SSH keys that led to full system access.
This room is a great example of how simple misconfigurations and poor password practices can be chained together during a real-world pentest. It's an excellent starting point for beginners looking to strengthen their skills in enumeration, credential attacks, and SSH exploitation.
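
A defender-side check for the exposed SSH key from steps 33-36, added here as an example and not part of the original walkthrough. The function name audit_private_keys and its output labels are assumptions made for illustration; it lists private-key files under a directory that accounts other than the owner can read.

```shell
#!/bin/sh
# Added example: report private-key files readable by group or others.
# Usage (after sourcing this file): audit_private_keys /home
# Output per finding: <mode string> <passphrase state> <path>

audit_private_keys() {
    root=$1
    # Candidates: regular files with the group-read or other-read bit set.
    # A correctly protected key (-rw-------) never matches this filter.
    find "$root" -type f \( -perm -040 -o -perm -004 \) 2>/dev/null |
    while IFS= read -r f; do
        # PEM and OpenSSH private keys start with
        # "-----BEGIN ... PRIVATE KEY-----" on the first line.
        first=$(head -n 1 "$f" 2>/dev/null | tr -d '\000')
        case $first in
            "-----BEGIN "*"PRIVATE KEY-----")
                # PEM keys announce passphrase protection in their first
                # lines. The newer OpenSSH format does not, so those are
                # reported as "check-manually".
                if head -n 3 "$f" 2>/dev/null | grep -q 'ENCRYPTED'; then
                    state=pem-encrypted
                else
                    state=check-manually
                fi
                # A passphrase does not remove the finding: as steps 39-41
                # show, a copied key can be attacked offline with a wordlist.
                printf '%s %s %s\n' "$(ls -ld "$f" | cut -c1-10)" "$state" "$f"
                ;;
        esac
    done
}
```

Any line this prints is a key that should be moved or set to mode 600, and rotated if other accounts could already have copied it.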