July 4, 2026
Basic Pentesting: 2
VulnHub Walkthrough
By Prasanth Pusarla
Topics Covered:
· Reconnaissance — Identify the target machine and gather initial information.
· Enumeration — Explore services, directories, and users to uncover useful information.
· SMB Enumeration — Discover shared resources and user-related details.
· Credential Discovery — Find valid usernames and passwords.
· Initial Access — Use the discovered credentials to gain access to the target.
· Privilege Escalation — Identify and exploit misconfigurations to obtain root access.
Environment:
- Platform: VulnHub
- OS: Linux
- Target: Basic Pentesting: 2
- Difficulty: Easy
- Network: Host-only/NAT network
Target Machine:
- After importing the VM into VirtualBox, I powered it on and confirmed that the target machine had booted successfully.
- With the machine up and running, I was ready to begin discovering IP addresses.
Finding the Target:
· I started by scanning my local network to identify the target machine.
· After comparing the active hosts, I identified 10.0.2.8 as the target IP.
nmap -sn 10.0.2.0/24
Checking Open Ports:
- After finding the target, I ran a detailed Nmap scan to see which services were available.
nmap -O 10.0.2.8
- The scan revealed open ports — SSH (22), HTTP (80), NetBIOS (139), SMB (445), AJP13 (8009) and HTTP Proxy (8080).
- Since both web and SMB services were available, I decided to start with web enumeration.
Identifying Running Services:
- To learn more about the open ports, I ran a service version scan on the discovered services.
- The scan confirmed that the target was running OpenSSH, Apache HTTP Server, Samba, Apache JServ (AJP13), and Apache Tomcat.
- Since both the web server and SMB looked interesting, I started exploring the web application first.
nmap -sV -p 22,80,139,445,8009,8080 10.0.2.8
Exploring the Web Application:
- I started by visiting the web server running on port 80.
- The page only displayed a simple "Undergoing maintenance" message, so I checked the page source to see if anything had been left behind.
- In the source code, I found a developer comment mentioning a dev note, which looked like a useful clue for the next step.
- Since the comment said a dev note was hidden somewhere on the target, I decided to look for hidden directories with a directory brute-forcing tool.
- I used DIRB to enumerate common directories.
- The scan discovered a directory named /development/, which looked like the clue I was looking for.
dirb http://10.0.2.8/
Exploring the Development Directory:
- I opened the /development/ directory to see what was inside.
- The directory listing was enabled, and I found two interesting files: dev.txt and j.txt.
dev.txt:
- The first note contained updates from the developer about the server configuration.
- It mentioned that SMB had been configured and also referenced a Struts application running on the server.
- These details gave me a clear direction to move forward.
j.txt:
- The second note was written for a user named J.
- It mentioned that J's password had been cracked because it was weak and advised changing it immediately.
- This confirmed that weak credentials might be the key to gaining access, so I decided to enumerate the SMB service next.
Enumerating SMB Users:
- Since the developer notes mentioned SMB, I decided to enumerate it for users and other useful information.
- During enumeration, I found two usernames: kay and jan.
Finding Valid Credentials:
- I already had the username jan, so I tried a password attack against the SSH service.
- After a short time, Hydra found a valid password for the account.
- The credentials were:
  - Username: jan
  - Password: armando
- With SSH credentials, I was ready to log in to the target machine.
hydra -l jan -P /usr/share/wordlists/rockyou.txt 10.0.2.8 ssh
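From the defender's side, the Hydra run above leaves a very recognisable trace in sshd's auth log: a burst of "Failed password" lines for one user from one source, followed by an "Accepted password" line. The detector below is an added example, not part of the original walkthrough; the log lines are constructed in the standard OpenSSH syslog format, and the source address, PIDs and timestamps are made up.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/auth.log lines (not taken from the target machine).
SAMPLE_AUTH_LOG = """\
Jan 10 12:00:01 target sshd[1201]: Failed password for jan from 10.0.2.15 port 40001 ssh2
Jan 10 12:00:01 target sshd[1203]: Failed password for jan from 10.0.2.15 port 40002 ssh2
Jan 10 12:00:02 target sshd[1205]: Failed password for invalid user admin from 10.0.2.15 port 40003 ssh2
Jan 10 12:00:02 target sshd[1207]: Failed password for jan from 10.0.2.15 port 40004 ssh2
Jan 10 12:00:03 target sshd[1209]: Failed password for jan from 10.0.2.15 port 40005 ssh2
Jan 10 12:00:03 target sshd[1211]: Failed password for jan from 10.0.2.15 port 40006 ssh2
Jan 10 12:00:04 target sshd[1213]: Accepted password for jan from 10.0.2.15 port 40007 ssh2
Jan 10 12:05:00 target sshd[1300]: Failed password for kay from 10.0.2.20 port 50001 ssh2
Jan 10 12:05:30 target sshd[1302]: Accepted publickey for kay from 10.0.2.20 port 50002 ssh2
"""

# Matches both "Failed password for jan from ..." and "Failed password for invalid user admin from ...".
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def detect_ssh_bruteforce(log_text, threshold=5):
    """Return {(src, user): {'failures': n, 'success_after_failures': bool}} for every
    source/user pair with at least `threshold` failed password attempts. The
    'success_after_failures' flag marks the pattern that matters most: a guess that landed."""
    stats = defaultdict(lambda: {"failures": 0, "success_after_failures": False})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m["method"] != "password":
            continue  # key-based logins are not password guessing
        key = (m["src"], m["user"])
        if m["result"] == "Failed":
            stats[key]["failures"] += 1
        elif stats[key]["failures"] >= threshold:
            stats[key]["success_after_failures"] = True
    return {k: v for k, v in stats.items() if v["failures"] >= threshold}

if __name__ == "__main__":
    for (src, user), info in detect_ssh_bruteforce(SAMPLE_AUTH_LOG).items():
        print(f"{src} -> {user}: {info['failures']} failures, compromised={info['success_after_failures']}")
```

The single failure for kay stays below the threshold and the publickey login is ignored, so only the jan guessing run is reported.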
Getting Initial Access:
- With valid SSH credentials, I connected to the target machine.
- After entering the password, I successfully logged in as the jan user.
- I now had an interactive shell on the target and could continue with post-exploitation.
ssh jan@10.0.2.8
Exploring User Home Directories:
- After getting a shell as jan, I checked the current user information and verified the working directory.
- I then explored the /home directory to see what other user accounts were available.
- Another user named kay was present, so I inspected Kay's home directory for files and permissions.
- While reviewing the files, the .ssh directory caught my attention, because it could contain SSH keys or other authentication material.
SSH Directory:
· I moved into the .ssh directory to inspect the files stored there.
· Inside, I found an id_rsa file, which is an SSH private key. Private keys are commonly used for passwordless SSH authentication.
· I viewed the contents of the file and noticed that the private key was encrypted, meaning it could not be used directly without its passphrase, so I copied the key from beginning to end and saved it to a file on my machine.
· The next step was to extract the hash from this key and try cracking its passphrase.
Extracting the SSH Key Hash:
· Since the SSH private key was encrypted, I first copied its contents into a file on my Kali machine.
· To crack the passphrase with John the Ripper, I needed to convert the private key into a hash format that John could understand.
· I used ssh2john to extract the hash and saved the output into a new file named john.hash, since John the Ripper needs the key in its hash format.
· Finally, I verified that the hash was generated successfully before attempting to crack it.
ssh2john ssh_hash > john.hash
Cracking the SSH Key Passphrase:
- After extracting the hash, I used John the Ripper with the rockyou.txt wordlist to crack the passphrase protecting the SSH private key.
- Within a few seconds, John successfully recovered the passphrase as beeswax.
- With the passphrase available, I could now use the private key to authenticate as the kay user.
john john.hash --wordlist=/usr/share/wordlists/rockyou.txt
Accessing the Kay User Account:
· After recovering the passphrase, I used the id_rsa private key to authenticate as the kay user over SSH.
· During the login process, SSH prompted me for the passphrase protecting the private key. I entered the cracked passphrase beeswax, and authentication was successful.
ssh -i id_rsa kay@10.0.2.8
Discovering Kay's Password:
· After logging in as kay, I listed the files in the home directory to continue my enumeration.
· Backup files are often stored with a .bak extension, so the pass.bak file stood out immediately, and I checked its contents.
· Inside the file, I found what appeared to be Kay's password stored in plain text.
· This password could be useful in the next privilege escalation step.
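Two misconfigurations carry this whole chain: kay's private key in .ssh was readable by another user (jan), and a plaintext password sat in a .bak file in the home directory. The audit script below is an added example, not the walkthrough's own code; it walks a /home-style tree, reports secret-bearing files that group or others can read, and builds a constructed temporary tree with placeholder contents so it runs offline.

```python
import os
import stat
import tempfile

KEY_NAMES = {"id_rsa", "id_dsa", "id_ecdsa", "id_ed25519"}
BACKUP_SUFFIXES = (".bak", ".old", ".orig")

def audit_home_dirs(root):
    """Walk a /home-style tree; return sorted (relpath, kind, octal mode) for
    regular files readable by group/others that are likely to hold secrets."""
    findings = []
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode
            # Skip symlinks/sockets and anything only the owner can read.
            if not stat.S_ISREG(mode) or not mode & (stat.S_IRGRP | stat.S_IROTH):
                continue
            if name in KEY_NAMES:
                kind = "private-key"       # kay's id_rsa on this box
            elif name.endswith(BACKUP_SUFFIXES):
                kind = "backup-file"       # kay's pass.bak
            elif os.path.basename(dirpath) == ".ssh":
                kind = "ssh-dir-file"      # authorized_keys, config, ...
            else:
                continue
            findings.append((os.path.relpath(path, root), kind, oct(stat.S_IMODE(mode))))
    return sorted(findings)

def build_demo_tree():
    """Constructed throwaway tree mirroring the box: kay's key and backup are
    world-readable, jan's key is 0600. Contents are placeholders, not real keys."""
    root = tempfile.mkdtemp()
    layout = {
        ("kay", ".ssh", "id_rsa"): ("-----BEGIN RSA PRIVATE KEY-----\nplaceholder\n", 0o644),
        ("kay", "pass.bak"): ("placeholder-password\n", 0o644),
        ("jan", ".ssh", "id_rsa"): ("-----BEGIN OPENSSH PRIVATE KEY-----\nplaceholder\n", 0o600),
    }
    for parts, (content, mode) in layout.items():
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(content)
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    for finding in audit_home_dirs(build_demo_tree()):
        print(*finding)
```

Run against a real /home as root, the same function flags exactly the two files this walkthrough relied on, while a correctly locked-down key like jan's produces no finding.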
Privilege Escalation to Root:
· The password found in pass.bak looked like it could get me to root, so I tried it with the sudo command.
· After entering the password, authentication was successful, and I obtained a root shell.
sudo su
This machine was a great practice lab for understanding the complete penetration testing workflow, from enumeration and credential discovery to SSH access and privilege escalation. Every step shows the importance of thorough enumeration and of following the clues left behind along the way.
NOTE:
This walkthrough is created strictly for educational purposes