Python for Pentesters TryHackMe Walkthrough

Jan 29, 2024

TL;DR Walkthrough of the TryHackMe Python for Pentesters room, part of the Pentest+ pathway.



Unlike the PowerShell for Pentesters room, TryHackMe provided all the Python code to complete the tasks and find the answers. Hence I just skimmed through THM’s Python code, used the normal tools like nmap and hydra, and found the answers. I then wrote some PowerShell to do some of the tasks because I like PowerShell.

As always, if this walkthrough skips over a question or task it is because no answer is needed.

— — Task 1 — -

What other tool can be used to convert Python scripts to Windows executables?


— — Task 2 — -

What other protocol could be used for subdomain enumeration?


What function does Python use to get the input from the command line?


— — Task 3 — -

How many directories can your script identify on the target system? (extensions are .html)

Download the wordlist2.txt in Task Files, then in PowerShell:

$Lines = Get-Content .\wordlist2.txt
ForEach($Line in $Lines)
{$Line + ".html" | Add-Content .\wordlist3.txt}

Copy/paste that to Kali and:

dirb ./wordlist3.txt

I get 4:

Alt PowerShell method:

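$Target = ""   # base URL of the target
$Pages = Get-Content ".\THM stuff\THM Writeups\Python Basics\wordlist3.txt"
ForEach($Page in $Pages)
{
    # Invoke-WebRequest throws on 4xx/5xx responses, so catch the error and move on
    Try {
        If((Invoke-WebRequest -Uri "$Target/$Page").StatusCode -eq 200)
        {Write-Host "/$Page"}
    } Catch {}
}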

What is the location of the login page?


Where did you find a cryptic hash?


The hash, BTW, is cd13b6a6af66fb774faa589a9d18f906. I used and got that it’s MD5, and is “rainbow”.

Where are the usernames located?


What is the password assigned to Rabbit?

Notes for Matt

Passwords set are:
Password for Madhatter set to MyCupOfTea
Password for Rabbit set to LOUSYRABBO
Password for Alice set to OnWithTheirHeads

Users created are:

— — Task 4 — -

What module was used to create the ARP request packets?


Which variable would you need to change according to your local IP block?


What variable would you change to run this code on a system with the network interface named ens33?


— — Task 5 — -

What protocol will most likely be using TCP port 22?


What module did we import to be able to use sockets?


What function is likely to fail if we didn’t import sys?


How many ports are open on the target machine?

sudo nmap -Pn -p-

22/tcp open ssh

80/tcp open http

2100/tcp open amiganetfs

Alt PowerShell method:

# Assign with "=" ("-eq" only compares and leaves the variables unset)
$ErrorActionPreference = "SilentlyContinue"
$Target = ""
$LowEnd = 0
$HighEnd = 2048
$X = 0

# Try each port in turn and log the ones that accept a TCP connection
Do {
    $CurrentPort = $LowEnd + $X
    if((Test-NetConnection -ErrorAction SilentlyContinue $Target -Port $CurrentPort).TcpTestSucceeded)
    {$CurrentPort | Out-File .\OpenPorts.txt -Append}
    $X = $X + 1
} While($CurrentPort -lt $HighEnd)

What is the highest port number open on the target system?


— — Task 6 — -

What is the function used to connect to the target website?


Alt PowerShell method to download the file

Invoke-WebRequest -Uri "" -OutFile .\

What step of the Unified Cyber Kill Chain can PSexec be used in?

lateral movement

— — Task 7 — -

What is the hash you found during directory enumeration?


What is the cleartext value of this hash?

MD5 / rainbow

Modify the script to work with SHA256 hashes.

No answer needed

Using the modified script find the cleartext value for 5030c5bd002de8713fef5daebd597620f5e8bcea31c603dccdfcdf502a57cc60


— — Task 8 — -

What package installer was used?


What line in this code would you change to stop the result from being printed on the screen?

Alternatively, there is a simple keylogger in PowerShell here.

— — Task 9 — -

What username starting with the letter “t” did you find earlier?


What is the SSH password of this user?

hydra -l tiffany -P /home/kali/Downloads/Wordlists/wordlist2.txt ssh://


What is the content of the flag.txt file?



I took CompTIA Pentest+ back in late 2019. It was a good exam overall, and the material was a great introduction to hydra, Metasploit, Meterpreter, Burp Suite, and all the other common tools that are included on Kali. CompTIA did a good job pounding in the background theory to what we do on TryHackMe.

One does not have to know how to write PowerShell or Python to pass Pentest+, only how to read and understand a simple function in either. I certainly didn’t know PowerShell well at all back when I took that exam.

Pentest+ got me interested in this stuff and learning the red teamer/pentester/attacker side of things. I like to think that it made me a better auditor and more security minded overall.

I highly recommend eJPT after taking Pentest+, followed by a hands-on exam that’s focused on the specific environment you work in. I worked auditing in a Windows domain, so I did CRTP.






I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.