Objective
Practice an entry-level internal pentest flow: enumerate exposed services, extract useful information from SMB, obtain initial access, and identify a local privilege escalation path.
Environment
- Target: TryHackMe Basic Pentesting
- Attacker host: Kali Linux
- Primary tools: Nmap, enum4linux, Hydra, John/wordlists, GTFOBins
- Learning goal: Show how small enumeration findings compound into access
Reconnaissance
Started with an Nmap scan to identify open ports and services.
nmap -sC -sV -oN nmap/initial 10.10.x.x
Open ports discovered:
- 22/tcp — OpenSSH 7.2p2
- 80/tcp — Apache httpd 2.4.18
- 139/tcp — Samba smbd
- 445/tcp — Samba smbd
Browsing to port 80 revealed a simple web app under construction.
Enumeration
Used enum4linux to enumerate SMB shares:
enum4linux -a 10.10.x.x
Found an anonymous share named Anonymous with a staff.txt file containing usernames.
Exploitation
Brute-forced SSH with hydra using the discovered username and rockyou.txt:
hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.x.x
Logged in and captured the user flag.
Privilege Escalation
Checked for SUID binaries — found vim with the SUID bit set. Used the GTFOBins technique for vim to escalate privileges to root and captured the root flag.
Evidence Summary
| Evidence | Finding | Analyst Note |
|---|---|---|
| Nmap | SSH, HTTP, SMB exposed | SMB became the strongest enumeration path |
| SMB share | Anonymous access | Misconfiguration leaked useful information |
| Usernames | Found in staff.txt | Enabled targeted password attack |
| SUID binary | vim | Misconfigured privilege boundary |
Defensive Takeaway
Anonymous SMB access and unsafe SUID binaries are preventable. A basic hardening checklist should cover share permissions, exposed service review, password policy, and periodic SUID audits.
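As an added example (not part of the original write-up), the "periodic SUID audit" item from the checklist above as a small POSIX shell script: it collects SUID binaries and reports any that are missing from an approved baseline, which would have flagged the SUID vim found in this room. The baseline entries and the sample file list are constructed assumptions, not data from the page.

```shell
#!/bin/sh
# Periodic SUID audit: report SUID binaries that are not on an approved baseline.
# Added example; baseline paths are an assumption for a stock Ubuntu-like host.

# Approved SUID binaries (assumed baseline; adjust to the host's gold image).
BASELINE="/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/chsh
/usr/bin/newgrp"

# Constructed sample of what a scan might return on the room's target,
# including the misconfigured vim binary.
SAMPLE_SUID_LIST="/usr/bin/passwd
/usr/bin/sudo
/usr/bin/vim"

# Collect SUID regular files from the live filesystem (run as root for full coverage).
collect_suid() {
    find / -xdev -type f -perm -4000 2>/dev/null | sort
}

# Compare a newline-separated list of SUID paths ($1) against BASELINE.
# Prints one "UNEXPECTED SUID: <path>" line per deviation.
# Returns 1 if any deviation was found, 0 if the host matches the baseline.
# Paths are assumed to contain no whitespace.
suid_diff() {
    rc=0
    for path in $1; do
        [ -n "$path" ] || continue
        # -x: whole-line match, -F: fixed string, so /usr/bin/su does not match /usr/bin/sudo
        if ! printf '%s\n' "$BASELINE" | grep -qxF -- "$path"; then
            echo "UNEXPECTED SUID: $path"
            rc=1
        fi
    done
    return $rc
}

# Demonstration on the constructed sample; for a real host use:
#   suid_diff "$(collect_suid)"
suid_diff "$SAMPLE_SUID_LIST" || echo "audit: deviations found, review before the next run"
```

Schedule the live call from cron and alert on a non-zero exit status; a binary that appears on the list without a corresponding change ticket is the finding to investigate.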
Key Takeaways
- Always enumerate SMB shares during internal pentests
- Anonymous SMB shares are a goldmine for user enumeration
- SUID binaries should be audited — vim is a common escalation vector