
CC: Pentesting - TryHackMe

Crash Course: Pen Testing from TryHackMe

Task 1 - Introduction

sounds exciting, lezz go

Task 2 - [Section 1 - Network Utilities] - nmap

most of the questions in this section can be answered by running nmap -h

  1. What does nmap stand for?

    Network Mapper

  2. How do you specify which port(s) to scan?

    -p

  3. How do you do a “ping scan”(just tests if the host(s) is up)?

    -sn

  4. What is the flag for a UDP scan?

    -sU

  5. How do you run default scripts?

    -sC

  6. How do you enable “aggressive mode”(Enables OS detection, version detection, script scanning, and traceroute)?

    -A

  7. What flag enables OS detection?

    -O

  8. How do you get the versions of services running on the target machine?

    -sV

  9. Deploy the machine

    nmap scan

  10. How many ports are open on the machine?

    1

  11. What service is running on the machine?

    Apache

  12. What is the version of the service?

    2.4.18

  13. What is the output of the http-title script(included in default scripts)

    Apache2 Ubuntu Default Page: It Works

Task 3 - [Section 1 - Network Utilities] - Netcat

nc -h will do the job

  1. How do you listen for connections?

    -l

  2. How do you enable verbose mode(allows you to see who connected to you)?

    -v

  3. How do you specify a port to listen on?

    -p

  4. How do you specify which program to execute after you connect to a host(One of the most infamous)?

    -e

  5. How do you connect to udp ports

    -u

Task 4 - [Section 2 - Web Enumeration] - gobuster

gobuster -h and gobuster dir --help

  1. How do you specify directory/file brute forcing mode?

    dir

  2. How do you specify dns bruteforcing mode?

    dns

  3. What flag sets extensions to be used? Example: if the php extension is set, and the word is “admin” then gobuster will test admin.php against the webserver

    -x

  4. What flag sets a wordlist to be used?

    -w

  5. How do you set the Username for basic authentication(If the directory requires a username/password)?

    -U

  6. How do you set the password for basic authentication?

    -P

  7. How do you set which status codes gobuster will interpret as valid? Example: 200,400,404,204

    -s

  8. How do you skip ssl certificate verification?

    -k

  9. How do you specify a User-Agent?

    -a

  10. How do you specify a HTTP header?

    -H

  11. What flag sets the URL to bruteforce?

    -u

  12. Deploy the machine

    gobuster

  13. What is the name of the hidden directory?

    secret

  14. What is the name of the hidden file with the extension xxa?

    password

Task 5 - [Section 2 - Web Enumeration] - nikto

nikto -H will be enough

  1. How do you specify which host to use?

    -h

  2. What flag disables ssl?

    -nossl

  3. How do you force ssl?

    -ssl

  4. How do you specify authentication(username + pass)?

    -id

  5. How do you select which plugin to use?

    -plugins

  6. Which plugin checks if you can enumerate apache users?

    apacheusers

  7. How do you update the plugin list?

    -update

  8. How do you list all possible plugins to use

    --list-plugins

Task 6 - [Section 3 - Metasploit]: Intro

generic idea (don’t know why sections like these exist, could just add this to the next section)

Task 7 - [Section 3 Metasploit]: Setting Up

enter msfconsole to open the interactive console and then type help

  1. What command allows you to search modules?

    search

  2. How do you select a module?

    use

  3. How do you display information about a specific module?

    info

  4. How do you list options that you can set?

    options

  5. What command lets you view advanced options for a specific module?

    advanced

  6. How do you show options in a specific category?

    show

Task 8 - [Section 3 - Metasploit]: - Selecting a module

  1. How do you select the eternalblue module?

    use exploit/windows/smb/ms17_010_eternalblue

  2. What option allows you to select the target host(s)?

    RHOSTS

  3. How do you set the target port?

    RPORT

  4. What command allows you to set options?

    set

  5. How would you set SMBPass to “username”?

    set SMBPass username

  6. How would you set the SMBUser to “password”?

    set SMBUser password

  7. What option sets the architecture to be exploited?

    arch

  8. What option sets the payload to be sent to the target machine?

    payload

  9. Once you’ve finished setting all the required options, how do you run the exploit?

    exploit

  10. What flag do you set if you want the exploit to run in the background?

    -j

  11. How do you list all current sessions?

    sessions

  12. What flag allows you to go into interactive mode with a session? (“drops you either into a meterpreter or regular shell”)

    -i

Task 9 - [Section 3 - Metasploit]: meterpreter

  1. What command allows you to download files from the machine?

    download

  2. What command allows you to upload files to the machine?

    upload

  3. How do you list all running processes?

    ps

  4. How do you change processes on the victim host? (Ideally it will allow you to change users and gain the perms associated with that user)

    migrate

  5. What command lists files in the current directory on the remote machine?

    ls

  6. How do you execute a command on the remote host?

    execute

  7. What command starts an interactive shell on the remote host?

    shell

  8. How do you find files on the target host? (Similar function to the linux command “find”)

    search

  9. How do you get the output of a file on the remote host?

    cat

  10. How do you put a meterpreter shell into “background mode”(allows you to run other msf modules while also keeping the meterpreter shell as a session)?

    background

Task 10 - [Section 3 - Metasploit]: Final Walkthrough

  1. Select the module that needs to be exploited

    use xploit/multi/http/nostromo_code_exec

  2. What variable do you need to set, to select the remote host

    RHOSTS

  3. How do you set the port to 80?

    set RPORT 80

  4. How do you set listening address(Your machine)

    LHOST

  5. Exploit the machine!

    we are in

  6. What is the name of the secret directory in the /var/nostromo/htdocs directory?

    s3cretd1r

  7. What are the contents of the file inside of the directory?

    nice

Task 11 - [Section 4 - Hash Cracking]: Intro

:thumbsup:

Task 12 - [Section 4 - Hash Cracking]: Salting and Formatting

uhh ok

Task 13 - [Section 4 - Hash Cracking]: hashcat

the first 3 questions can be answered using hashcat -h and grepping it for the required word

  1. What flag sets the mode?

    -m

  2. What flag sets the “attack mode”?

    -a

  3. What is the attack mode number for Brute-force?

    3

  4. What is the mode number for SHA3-512?

    17600

  5. Crack This Hash : 56ab24c15b72a457069c5ea42fcfc640 ; Type: MD5

    you can run hashcat -m 0 -a 3 56ab24c15b72a457069c5ea42fcfc640 /usr/share/wordlists/rockyou.txt to brute-force through the given wordlist for the hash

    since i had already run the above command, the word and its hash are stored in a pot file for quicker access

    hashcatuh

  6. Crack this hash : 4bc9ae2b9236c2ad02d81491dcb51d5f ; Type: MD4

    running hashcat -m 900 -a 3 4bc9ae2b9236c2ad02d81491dcb51d5f /usr/share/wordlists/rockyou.txt did not fetch me quick results, so i ran the hash through Crackstation and i found it.

Task 14 - [Section 4 - Hash Cracking]: John The Ripper

  1. What flag lets you specify which wordlist to use?

    --wordlist

  2. What flag lets you specify which hash format(Ex: MD5,SHA1 etc.) to use?

    --format

  3. How do you specify which rule to use?

    --rules

  4. Crack this hash: 5d41402abc4b2a76b9719d911017c592 ; Type: MD5

    johnny md5

  5. Crack this hash: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 ; Type: SHA1

    johnny sha1
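What hashcat and john actually do for the hashes in Task 13 and Task 14 is simple: hash every candidate from the wordlist and compare against the target, remembering hits in a potfile so a repeat run is instant. The script below is an added example written for this post, not code from hashcat, john or TryHackMe. It uses a constructed six-word stand-in for rockyou.txt, maps the -m numbers quoted on the page (0 for MD5, 17600 for SHA3-512, plus hashcat's 100 for SHA1) to hashlib names, and also shows why Task 12's salting matters: a per-user salt means a table of precomputed unsalted digests (the kind of lookup Crackstation does) no longer contains the stored value. The salt-first concatenation order is an assumption; hashcat has separate modes for salt-before and salt-after.

```python
import hashlib

# Constructed stand-in for rockyou.txt: a handful of common candidates.
WORDLIST = ["123456", "letmein", "hello", "qwerty", "password", "hashcat"]

# hashcat -m values mapped to hashlib algorithm names. 0 and 17600 are the
# numbers quoted in Task 13; 100 is hashcat's SHA1 mode.
HASHCAT_MODES = {0: "md5", 100: "sha1", 17600: "sha3_512"}

# In-memory stand-in for hashcat's potfile: (algo, salt, digest) -> plaintext.
POTFILE = {}


def hash_word(word, algo, salt=""):
    """Hex digest of salt+word (salt-first order is an assumption for this demo)."""
    return hashlib.new(algo, (salt + word).encode()).hexdigest()


def dictionary_attack(target_hex, mode, wordlist=WORDLIST, salt=""):
    """Hash each candidate and compare: the work a hashcat -a 0 / john --wordlist run does."""
    algo = HASHCAT_MODES[mode]
    target = target_hex.lower()
    key = (algo, salt, target)
    if key in POTFILE:  # cracked on an earlier run: returned immediately, like a potfile hit
        return POTFILE[key]
    for word in wordlist:
        if hash_word(word, algo, salt) == target:
            POTFILE[key] = word
            return word
    return None  # not in the wordlist; a longer list or rules would be the next step


def salt_defeats_precomputation(word, mode, salt):
    """True when the salted digest is absent from a table of unsalted digests of the same words."""
    algo = HASHCAT_MODES[mode]
    unsalted_table = {hash_word(w, algo): w for w in WORDLIST}  # a Crackstation-style lookup table
    return hash_word(word, algo, salt) not in unsalted_table


if __name__ == "__main__":
    # The two Task 14 hashes: MD5 of "hello" and SHA1 of "password".
    print(dictionary_attack("5d41402abc4b2a76b9719d911017c592", 0))
    print(dictionary_attack("5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8", 100))
    print(salt_defeats_precomputation("hello", 0, "s4lt"))
```

The defensive takeaway is the reverse of the exercise: any password in a common wordlist falls in milliseconds regardless of the hash function, and unsalted fast hashes (MD5, SHA1) let one precomputed table serve every target, which is why password storage should use a salted, slow, memory-hard scheme rather than a bare digest.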

Task 15 - [Section 5 - SQL Injection]: Intro

:metal:

Task 16 - [Section 5 - SQL Injection]: sqlmap

  1. How do you specify which url to check?

    -u

  2. What about which google dork to use?

    -g

  3. How do you select(lol) which parameter to use?(Example: in the url http://ex.com?test=1 the parameter would be test.)

    -p

  4. What flag sets which database is in the target host’s backend? (Example: If the flag is set to mysql then sqlmap will only test mysql injections)

    --dbms

  5. How do you select the level of depth sqlmap should use? (Higher = more accurate and more tests in general)

    --level

  6. How do you dump the table entries of the database?

    --dump

  7. Which flag sets which db to enumerate? (Case sensitive)

    -D

  8. Which flag sets which table to enumerate? (Case sensitive)

    -T

  9. Which flag sets which column to enumerate? (Case sensitive)

    -C

  10. How do you ask sqlmap to try to get an interactive os-shell?

    --os-shell

  11. What flag dumps all data from every table

    --dump-all

Task 17 - [Section 5 - SQL Injection]: A Note on Manual SQL Injection

yea, i get it

Task 18 - [Section 5 - SQL Injection]: Vulnerable Web Application

  1. Set the url to the machine ip, and run the command

    curl-ing the page shows us that it contains a form which may be susceptible to SQLi

    curl

    so, running sqlmap with the --forms flag, we get

    sqlmap

  2. How many types of sqli is the site vulnerable to?

    3

  3. Dump the database.

    running ./sqlmap.py -u http://10.10.176.119 --forms --current-db --dump gives us,

    db dump

  4. What is the name of the database?

    tests

  5. How many tables are in the database?

    running ./sqlmap.py -u http://10.10.176.119 --forms --tables gives us this, so 2

    num tables

  6. What is the value of the flag?

    yesss flag
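The form sqlmap found here is vulnerable for the usual reason: user input is pasted straight into the query text. The snippet below is an added example for this post, not code from the room's application or from sqlmap. It builds a constructed in-memory SQLite database (the users table and rows are assumptions) and puts the string-concatenation form handler next to the parameterized one, so the same tautology input that logs in through the first is treated as a literal password by the second.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the room's database; table and rows are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "wonderland"), ("bob", "builder")])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Form handler that concatenates input into SQL: the pattern sqlmap --forms detects."""
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Same check with bound parameters: input is always data, never query syntax."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = conn.execute(query, (username, password)).fetchone()
    return row[0] if row else None


def demo():
    """Run both handlers against a valid login and against a textbook tautology payload."""
    conn = build_db()
    tautology = "' OR '1'='1"  # turns the vulnerable WHERE clause into a condition that is always true
    return {
        "vuln_valid": login_vulnerable(conn, "alice", "wonderland"),
        "vuln_bypass": login_vulnerable(conn, "alice", tautology),
        "param_valid": login_parameterized(conn, "alice", "wonderland"),
        "param_bypass": login_parameterized(conn, "alice", tautology),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The parameterized version is the fix for every injection type sqlmap reported, because the database driver never parses the user-supplied value as SQL; escaping or filtering input by hand is not a substitute.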

Task 19 - [Section 6 - Samba]: Intro

:thumbsup:

Task 20 - [Section 6 - Samba]: smbmap

smbmap -h

  1. How do you set the username to authenticate with?

    -u

  2. What about the password?

    -p

  3. How do you set the host?

    -H

  4. What flag runs a command on the server(assuming you have permissions that is)?

    -x

  5. How do you specify the share to enumerate?

    -s

  6. How do you set which domain to enumerate?

    -d

  7. What flag downloads a file?

    --download

  8. What about uploading one?

    --upload

  9. Given the username “admin”, the password “password”, and the ip “10.10.10.10”, how would you run ipconfig on that machine?

    smbmap -u "admin" -p "password" -H "10.10.10.10" -x "ipconfig"

Task 21 - [Section 6 - Samba]: smbclient

smbclient -h

  1. How do you specify which domain(workgroup) to use when connecting to the host?

    -W

  2. How do you specify the ip address of the host?

    -I

  3. How do you run the command “ipconfig” on the target machine?

    -c "ipconfig"

  4. How do you specify the username to authenticate with?

    -U

  5. How do you specify the password to authenticate with?

    -P

  6. What flag is set to tell smbclient to not use a password?

    -N

  7. While in the interactive prompt, how would you download the file test, assuming it was in the current directory?

    get test

  8. In the interactive prompt, how would you upload your /etc/hosts file

    put /etc/hosts

Task 22 - [Section 6 - Samba]: A note about impacket

hmmmm

Task 23 - [Miscellaneous]: A note on privilege escalation

have i told you about how golden github is?

Task 24 - [Section 7 - Final Exam]: Good Luck :D

ooh, exciting! (in christopher waltz’s voice)

starting with the nmap scan gives us,

nmap again

so, a web server is running on port 80, so we MUST run gobuster against this

not so secret

a directory named secret, there exists. so now, on running gobuster again for http://$MACHINE_IP/secret we don’t get satisfactory results

so, i tried again with the -x .txt flag on

secret.txt huh

and i got some credentials - username:passwordhash

creds in

so running john on this gave us

johnny yes

so, these are probably the ssh credentials for nyan and now, (whispers) we’re in

yesss user flag

we have the user flag now, so moving on for the root flag, which’ll probably be in /root/root.txt

so, first things first, running sudo -l gave us this, which makes privesc ezpz

yesss root flag

v v nice challenge, liked the last section

This post is licensed under CC BY 4.0 by the author.