Listen to this Post

Introduction:
Penetration testing is a methodical discipline built on a foundation of core enumeration and exploitation techniques. The TryHackMe Voyage room provides a perfect simulated environment to practice these essential skills, moving from reconnaissance to initial access. This guide breaks down the critical steps demonstrated in a recent successful foothold, providing the verified commands and methodology to replicate this success.
Learning Objectives:
- Master service enumeration and discovery using tools like Nmap and RustScan.
- Understand and execute a secure SSH connection to a target machine.
- Identify, access, and interrogate hidden internal services and applications.
You Should Know:
- The Art of Service Enumeration with Nmap and RustScan
Service enumeration is the critical first step in any penetration test, revealing the attack surface of a target.
Verified Commands:
nmap -sC -sV -oA initial_scan 10.10.10.10 rustscan -a 10.10.10.10 -- -sC -sV nmap -p- --min-rate 1000 10.10.10.10
Step-by-Step Guide:
The first command performs a basic Nmap scan with default scripts (-sC), version detection (-sV), and outputs results in all major formats (-oA). For faster results on ports, RustScan is used to quickly find open ports, which are then piped to Nmap for deeper scripting and version detection. The final command is a full TCP port scan, using `-p-` to scan all 65535 ports at a aggressive rate (--min-rate 1000) to speed up the process. Together, these commands paint a complete picture of what ports are open and what services are running on them.
2. Establishing a Secure SSH Foothold
Once an SSH service is identified, connecting to it is the next step. Secure Shell (SSH) is a common protocol for secure remote login.
Verified Commands:
ssh [email protected] ssh -i private_key.key [email protected] ssh -v [email protected]
Step-by-Step Guide:
The primary command is `ssh` followed by the username and IP address of the target. If the service requires a private key for authentication, use the `-i` flag to specify its location. The `-v` (verbose) flag is incredibly useful for troubleshooting connection issues, as it provides detailed output about the connection process, helping to identify authentication or protocol errors.
3. Local Port Forwarding for Hidden Services
Discovering a service like port 5000 bound to localhost (127.0.0.1) on the target is common. To access it from your machine, you must tunnel the traffic through your SSH connection.
Verified Commands:
ssh -L 5000:localhost:5000 [email protected]
Step-by-Step Guide:
This command sets up local port forwarding. The `-L` flag specifies that the given port on the local (client) host is to be forwarded to the given host and port on the remote side. The syntax is -L
:[bash]:[bash]</code>. In this case, traffic to your machine's port 5000 is forwarded to the target machine's localhost on port 5000. After establishing this connection, you can open your browser and navigate to `http://localhost:5000` to view the hidden service. <h2 style="color: yellow;">4. Internal Enumeration and Process Discovery</h2> After gaining access, you must understand the environment. This involves checking running processes and network connections from inside the host. <h2 style="color: yellow;">Verified Commands:</h2> [bash] ps aux netstat -tulpn ss -tulpn lsof -i
Step-by-Step Guide:
The `ps aux` command provides a snapshot of all running processes. `netstat -tulpn` and the newer `ss -tulpn` list all listening ports and the processes that own them, which is crucial for finding services like the one on port 5000. The `lsof -i` command lists all open network files (sockets), providing another view of active network connections. These tools help you map the internal network landscape of the compromised host.
5. Interrogating Web Applications with cURL
When you discover a web service, you need to interact with it to understand its functionality. cURL is a powerful command-line tool for transferring data with URLs.
Verified Commands:
curl http://localhost:5000
curl -v http://localhost:5000/api/v1
curl -X POST -H "Content-Type: application/json" -d '{"user":"admin"}' http://localhost:5000/login
Step-by-Step Guide:
The first command performs a simple GET request to the specified URL. Adding the `-v` (verbose) flag provides the HTTP request and response headers, which often contain critical information like cookies or server tokens. The third command demonstrates a POST request, setting a JSON Content-Type header (-H) and including a data payload (-d). This is essential for testing API endpoints and login functionality.
6. Basic File System Navigation and Inspection
Navigating the Linux file system is a fundamental skill. Knowing where to look can reveal configurations, user data, and flags.
Verified Commands:
ls -la cat /etc/passwd find / -name "flag.txt" 2>/dev/null grep -r "password" /var/www/html/ 2>/dev/null
Step-by-Step Guide:
`ls -la` lists all files in a directory, including hidden ones. `cat /etc/passwd` displays the user account details. The `find` command searches the entire filesystem (/) for a file named "flag.txt", suppressing permission denied errors (2>/dev/null). The `grep -r` command recursively searches for the string "password" within a specific directory like a web root, which is invaluable for finding hardcoded secrets.
7. Maintaining Access and Backgrounding SSH Sessions
A stable testing process often requires putting your SSH session in the background to use your local terminal.
Verified Commands:
~Ctrl-Z~ bg disown
Step-by-Step Guide:
This is a sequence, not a single command. After establishing an SSH session, pressing `Enter` followed by `~` and then `Ctrl-Z` will background the session. You can then type `bg` to ensure it runs in the background. The `disown` command detaches the process from your current shell, preventing it from being terminated if you close the terminal. You can return to the session later using fg.
What Undercode Say:
- Methodical Enumeration is Non-Negotiable: The difference between a failed attempt and a successful foothold is often a single missed port or service. Comprehensive scanning with multiple tools is not optional; it is the bedrock of penetration testing.
- SSH is Your Swiss Army Knife: Beyond simple remote access, SSH is a powerful tool for tunneling, port forwarding, and securely proxying traffic into a target network. Mastering its flags unlocks deeper testing capabilities.
- The Inside View is Everything: Initial access is just the beginning. The real discovery happens from within, using basic system administration commands to understand user privileges, running services, and sensitive data locations.
The systematic approach demonstrated—enumeration, access, internal discovery, and application testing—is a microcosm of a professional penetration test. The focus wasn't on fancy exploits but on thoroughly understanding the environment using fundamental tools. This builds the rigorous mindset required to find vulnerabilities that automated tools miss. The journey from external attacker to internal user is the most critical transition in offensive security.
Prediction:
The techniques showcased—particularly SSH tunneling and internal service enumeration—will become even more critical as cloud and microservices architectures dominate. Attack surfaces are shifting inward into internal networks and containerized environments, making the ability to pivot and discover hidden services a paramount skill for future cybersecurity professionals. Mastery of these fundamentals will be the differentiator between script kiddies and skilled penetration testers.
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Kishore S - Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


