DEV Community

Swetha Jagannathan

From Enumeration to Escalation — Basic Pentesting room on TryHackMe

Every exploit leaves a scar.
The Basic Pentesting room on TryHackMe wasn’t just a challenge — it was a battlefield.
I walked in with curiosity, and walked out with root… and a few lessons carved deep.

Let me tell you how I survived the battle.

Reconnaissance — The First Glance at the Enemy
Like any battle, I started with reconnaissance. A full Nmap scan revealed the battlefield:
```
22/tcp   open  ssh
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
8009/tcp open  ajp13
```

Each open port is like a wound in the armor. Some small. Some lethal.
SSH for remote access. HTTP for web content. Samba (139 & 445) for file sharing. And AJP13 — a rare find, often linked to Apache Tomcat.

Web Probing — The First Clues
The port 80 web service looked too plain on the surface, but I wasn’t fooled. I deployed Gobuster to enumerate hidden directories:

```
gobuster dir -u http://target_ip -w /usr/share/wordlists/dirb/common.txt
```

It didn’t take long before the loot dropped:

/development/

Inside, a few HTML comments whispered secrets — two names: K and J.
The hunt now had faces.

Samba Enumeration — Into the Shadows
With ports 139 and 445 open, Samba was the next step. I fired up enum4linux:

```
enum4linux -a target_ip
```

The scan confirmed anonymous SMB access — no password required. Using smbclient, I connected:

```
smbclient //target_ip/anonymous
```

Inside, I found staff.txt. Opening it revealed the players:

```
Jan
Kay
```

Two usernames. Two potential doors.

Password Hunting — Cracking the Gate
With a name like Jan, it was time for brute force. Hydra was my weapon of choice:

```
hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://target_ip
```

After a few tense minutes, the password emerged from the digital fog:

armando

One key down. One lock to pick.

Foothold — Becoming Jan
SSH gave me a way in:

```
ssh jan@target_ip
password: armando
```

Now, I had a shell inside enemy territory. But Jan wasn’t root — and I wasn’t leaving without the crown.

Privilege Escalation — Climbing the Ladder
Time to hunt for privilege escalation paths. I searched for SUID binaries — files that run with the privileges of their owner (often root) rather than those of the user who launches them:

```
find / -perm -4000 2>/dev/null
```

Every unusual binary was a potential weapon.
One led me deeper into the system until I found it — the path to Kay’s files. Kay’s home directory was locked, but persistence pays. Eventually, I cracked it open and found the final password.

Victory — Claiming the Flag
With Kay’s credentials, I escalated to root.
The final flag was mine — the proof that the system had fallen.

Lessons from the Field
This wasn’t just a challenge; it was a blueprint for real-world pentesting:

Enumeration is king — every detail counts.

Brute force is noisy but effective when paired with good intel.

Privilege escalation requires patience and a sharp eye for misconfigurations.
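The noise that brute force leaves behind is exactly what a defender keys on. As an added example that is not part of the original post, this Python script parses constructed sshd auth-log lines, counts failed logins per source address inside a sliding time window, and flags any source that crosses a threshold, noting whether a successful login followed the burst. The log lines, the year used to complete syslog timestamps, and the threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sshd lines in syslog format (not from the original post): the first
# source hammers user "jan" and then gets in, the second source is benign.
SAMPLE_AUTH_LOG = """\
Mar  3 10:15:01 target sshd[1201]: Failed password for jan from 10.10.14.7 port 50210 ssh2
Mar  3 10:15:01 target sshd[1203]: Failed password for jan from 10.10.14.7 port 50212 ssh2
Mar  3 10:15:02 target sshd[1205]: Failed password for jan from 10.10.14.7 port 50214 ssh2
Mar  3 10:15:02 target sshd[1207]: Failed password for invalid user admin from 10.10.14.7 port 50216 ssh2
Mar  3 10:15:03 target sshd[1209]: Failed password for jan from 10.10.14.7 port 50218 ssh2
Mar  3 10:15:03 target sshd[1211]: Failed password for jan from 10.10.14.7 port 50220 ssh2
Mar  3 10:15:04 target sshd[1213]: Accepted password for jan from 10.10.14.7 port 50222 ssh2
Mar  3 10:20:30 target sshd[1300]: Failed password for kay from 192.168.1.20 port 41000 ssh2
Mar  3 10:21:10 target sshd[1310]: Accepted publickey for kay from 192.168.1.20 port 41002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_events(log_text, year=2025):
    # Returns (timestamp, result, user, ip) tuples; syslog lines carry no year,
    # so the caller supplies one (2025 is an assumed default).
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events

def detect_bruteforce(events, threshold=5, window_seconds=60):
    # Maps each IP with >= threshold failures in any window to (peak count, login followed?).
    by_ip = defaultdict(list)
    for ts, result, _user, ip in events:
        by_ip[ip].append((ts, result))
    alerts = {}
    for ip, evs in by_ip.items():
        evs.sort()
        fails = [t for t, r in evs if r == "Failed"]
        peak, start = 0, 0
        for end in range(len(fails)):  # sliding window over sorted failure times
            while (fails[end] - fails[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if fails and peak >= threshold:
            success_after = any(r == "Accepted" and t >= fails[-1] for t, r in evs)
            alerts[ip] = (peak, success_after)
    return alerts
```

A burst followed by an accepted login is the pattern worth paging on: it is the moment the guessing stopped because it worked.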

The flag was just proof.
The real win? Leaving that machine broken.

Onto the next hunt!
~ Swetha Jagannathan
