Crash Course: Pen Testing from TryHackMe
Task 1 - Introduction
sounds exciting, lezz go
Task 2 - [Section 1 - Network Utilities] - nmap
most of the questions in this section can be answered by running nmap -h
What does nmap stand for?
Network Mapper
How do you specify which port(s) to scan?
-p
How do you do a “ping scan”(just tests if the host(s) is up)?
-sn
What is the flag for a UDP scan?
-sU
How do you run default scripts?
-sC
How do you enable “aggressive mode”(Enables OS detection, version detection, script scanning, and traceroute)?
-A
What flag enables OS detection?
-O
How do you get the versions of services running on the target machine?
-sV
Deploy the machine
How many ports are open on the machine?
1
What service is running on the machine?
Apache
What is the version of the service?
2.4.18
What is the output of the http-title script(included in default scripts)
Apache2 Ubuntu Default Page: It Works
Task 3 - [Section 1 - Network Utilities] - Netcat
nc -h will do the job
How do you listen for connections?
-l
How do you enable verbose mode(allows you to see who connected to you)?
-v
How do you specify a port to listen on?
-p
How do you specify which program to execute after you connect to a host(One of the most infamous)?
-e
How do you connect to udp ports
-u
Task 4 - [Section 2 - Web Enumeration] - gobuster
gobuster -h and gobuster dir --help
How do you specify directory/file brute forcing mode?
dir
How do you specify dns bruteforcing mode?
dns
What flag sets extensions to be used? Example: if the php extension is set, and the word is “admin” then gobuster will test admin.php against the webserver
-x
What flag sets a wordlist to be used?
-w
How do you set the Username for basic authentication(If the directory requires a username/password)?
-U
How do you set the password for basic authentication?
-P
How do you set which status codes gobuster will interpret as valid? Example: 200,400,404,204
-s
How do you skip ssl certificate verification?
-k
How do you specify a User-Agent?
-a
How do you specify a HTTP header?
-H
What flag sets the URL to bruteforce?
-u
Deploy the machine
What is the name of the hidden directory?
secret
What is the name of the hidden file with the extension xxa?
password
Task 5 - [Section 2 - Web Enumeration] - nikto
nikto -H will be enough
How do you specify which host to use?
-h
What flag disables ssl?
-nossl
How do you force ssl?
-ssl
How do you specify authentication(username + pass)?
-id
How do you select which plugin to use?
-plugins
Which plugin checks if you can enumerate apache users?
apacheusers
How do you update the plugin list?
-update
How do you list all possible plugins to use
--list-plugins
Task 6 - [Section 3 - Metasploit]: Intro
generic idea (don’t know why sections like these exist, could just add this to the next section)
Task 7 - [Section 3 Metasploit]: Setting Up
enter msfconsole to open the interactive console and then type help
What command allows you to search modules?
search
How do you select a module?
use
How do you display information about a specific module?
info
How do you list options that you can set?
options
What command lets you view advanced options for a specific module?
advanced
How do you show options in a specific category?
show
Task 8 - [Section 3 - Metasploit]: - Selecting a module
How do you select the eternalblue module?
use exploit/windows/smb/ms17_010_eternalblue
What option allows you to select the target host(s)?
RHOSTS
How do you set the target port?
RPORT
What command allows you to set options?
set
How would you set SMBPass to “username”?
set SMBPass username
How would you set the SMBUser to “password”?
set SMBUser password
What option sets the architecture to be exploited?
arch
What option sets the payload to be sent to the target machine?
payload
Once you’ve finished setting all the required options, how do you run the exploit?
exploit
What flag do you set if you want the exploit to run in the background?
-j
How do you list all current sessions?
sessions
What flag allows you to go into interactive mode with a session? (“drops you either into a meterpreter or regular shell”)
-i
Task 9 - [Section 3 - Metasploit]: meterpreter
What command allows you to download files from the machine?
download
What command allows you to upload files to the machine?
upload
How do you list all running processes?
ps
How do you change processes on the victim host? (Ideally it will allow you to change users and gain the perms associated with that user)
migrate
What command lists files in the current directory on the remote machine?
ls
How do you execute a command on the remote host?
execute
What command starts an interactive shell on the remote host?
shell
How do you find files on the target host? (Similar function to the linux command “find”)
search
How do you get the output of a file on the remote host?
cat
How do you put a meterpreter shell into “background mode”(allows you to run other msf modules while also keeping the meterpreter shell as a session)?
background
Task 10 - [Section 3 - Metasploit]: Final Walkthrough
Select the module that needs to be exploited
use exploit/multi/http/nostromo_code_exec
What variable do you need to set, to select the remote host
RHOSTS
How do you set the port to 80?
set RPORT 80
How do you set listening address(Your machine)
LHOST
Exploit the machine!
What is the name of the secret directory in the /var/nostromo/htdocs directory?
s3cretd1r
What are the contents of the file inside of the directory?
Task 11 - [Section 4 - Hash Cracking]: Intro
:thumbsup:
Task 12 - [Section 4 - Hash Cracking]: Salting and Formatting
uhh ok
Task 13 - [Section 4 - Hash Cracking]: hashcat
the first 3 questions can be answered by running hashcat -h and grepping the output for the required word
What flag sets the mode?
-m
What flag sets the “attack mode”?
-a
What is the attack mode number for Brute-force?
3
What is the mode number for SHA3-512?
17600
Crack This Hash : 56ab24c15b72a457069c5ea42fcfc640 ; Type: MD5
you can run
hashcat -m 0 -a 3 56ab24c15b72a457069c5ea42fcfc640 /usr/share/wordlists/rockyou.txt
to brute-force through the given wordlist for the hash. Since i had already run the above command, the word and its hash are stored in a pot file for quicker access
Crack this hash : 4bc9ae2b9236c2ad02d81491dcb51d5f ; Type: MD4
running
hashcat -m 900 -a 3 4bc9ae2b9236c2ad02d81491dcb51d5f /usr/share/wordlists/rockyou.txt
did not fetch me quick results, so i ran the hash through Crackstation and i found it.
Task 14 - [Section 4 - Hash Cracking]: John The Ripper
What flag lets you specify which wordlist to use?
--wordlist
What flag lets you specify which hash format(Ex: MD5,SHA1 etc.) to use?
--format
How do you specify which rule to use?
--rules
Crack this hash: 5d41402abc4b2a76b9719d911017c592 ; Type: MD5
Crack this hash: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8 ; Type: SHA1
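Added example (not part of the original walkthrough) tying together the salting note of Task 12 and the hash-cracking tasks above: a plain wordlist lookup against the two unsalted hashes from this task, a dict that plays the role of hashcat's pot file, and the defender-side fix of a per-user salt plus a slow KDF so that a cracked or cached digest for one user tells you nothing about another. The MODES table and the five-word wordlist are constructed stand-ins, not hashcat's or rockyou's.

```python
import hashlib
import os

# Constructed mini wordlist standing in for a few lines of rockyou.txt.
WORDLIST = ["123456", "qwerty", "hello", "password", "letmein"]

# Hashcat mode numbers used on this page, mapped to hashlib names (assumed table).
# md4 (mode 900) needs OpenSSL's legacy provider and may be unavailable.
MODES = {0: "md5", 100: "sha1", 900: "md4", 17600: "sha3_512"}


def crack_unsalted(target_hex, mode, wordlist, potfile):
    """Straight wordlist check on an unsalted digest: one hash per candidate.
    potfile caches hash -> word like hashcat's .potfile, so a repeat run is
    answered from the cache without hashing anything (the 'quicker access' above)."""
    target_hex = target_hex.lower()
    if target_hex in potfile:
        return potfile[target_hex]
    algo = MODES[mode]
    for word in wordlist:
        if hashlib.new(algo, word.encode()).hexdigest() == target_hex:
            potfile[target_hex] = word
            return word
    return None


def store_salted(password, salt=None, rounds=200_000):
    """Defender side: random 16-byte salt per user plus PBKDF2-HMAC-SHA256.
    Stored as 'salt$digest' so the verifier can recompute with the same salt.
    Two users with the same password get different digests, so a pot-file hit
    or a precomputed table for one of them cannot be reused for the other."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"{salt.hex()}${dk.hex()}"


def verify_salted(password, stored, rounds=200_000):
    """Recompute the KDF with the stored salt and compare digests."""
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), rounds)
    return dk.hex() == dk_hex
```

The two unsalted hashes above fall to the five-word list instantly, while a salted PBKDF2 entry has to be attacked one user at a time at 200k iterations per guess.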
Task 15 - [Section 5 - SQL Injection]: Intro
:metal:
Task 16 - [Section 5 - SQL Injection]: sqlmap
How do you specify which url to check?
-u
What about which google dork to use?
-g
How do you select(lol) which parameter to use?(Example: in the url http://ex.com?test=1 the parameter would be test.)
-p
What flag sets which database is in the target host’s backend? (Example: If the flag is set to mysql then sqlmap will only test mysql injections)
--dbms
How do you select the level of depth sqlmap should use? (Higher = more accurate and more tests in general)
--level
How do you dump the table entries of the database?
--dump
Which flag sets which db to enumerate? (Case sensitive)
-D
Which flag sets which table to enumerate? (Case sensitive)
-T
Which flag sets which column to enumerate? (Case sensitive)
-C
How do you ask sqlmap to try to get an interactive os-shell?
--os-shell
What flag dumps all data from every table
--dump-all
Task 17 - [Section 5 - SQL Injection]: A Note on Manual SQL Injection
yea, i get it
Task 18 - [Section 5 - SQL Injection]: Vulnerable Web Application
Set the url to the machine ip, and run the command
curl-ing the page shows us that the page contains a form which may be susceptible to SQLi, so running sqlmap with the --forms flag, we get
How many types of sqli is the site vulnerable to?
3
Dump the database.
running
./sqlmap.py -u http://10.10.176.119 --forms --current-db --dump
gives us,
What is the name of the database?
tests
How many tables are in the database?
running
./sqlmap.py -u http://10.10.176.119 --forms --tables
gives us this, so
2
What is the value of the flag?
Task 19 - [Section 6 - Samba]: Intro
:thumbsup:
Task 20 - [Section 6 - Samba]: smbmap
smbmap -h
How do you set the username to authenticate with?
-u
What about the password?
-p
How do you set the host?
-H
What flag runs a command on the server(assuming you have permissions that is)?
-x
How do you specify the share to enumerate?
-s
How do you set which domain to enumerate?
-d
What flag downloads a file?
--download
What about uploading one?
--upload
Given the username “admin”, the password “password”, and the ip “10.10.10.10”, how would you run ipconfig on that machine?
smbmap -u "admin" -p "password" -H "10.10.10.10" -x "ipconfig"
Task 21 - [Section 6 - Samba]: smbclient
smbclient -h
How do you specify which domain(workgroup) to use when connecting to the host?
-W
How do you specify the ip address of the host?
-I
How do you run the command “ipconfig” on the target machine?
-c "ipconfig"
How do you specify the username to authenticate with?
-U
How do you specify the password to authenticate with?
-P
What flag is set to tell smbclient to not use a password?
-N
While in the interactive prompt, how would you download the file test, assuming it was in the current directory?
get test
In the interactive prompt, how would you upload your /etc/hosts file
put /etc/hosts
Task 22 - [Section 6 - Samba]: A note about impacket
hmmmm
Task 23 - [Miscellaneous]: A note on privilege escalation
have i told you about how golden github is?
Task 24 - [Section 7 - Final Exam]: Good Luck :D
ooh, exciting! (in Christoph Waltz's voice)
starting with the nmap scan gives us,
so, a server is running at port 80 - so we MUST run gobuster against this
a directory named secret, there exists. so now, on running gobuster again for http://$MACHINE_IP/secret we don’t get satisfactory results
so, i tried again with the -x .txt flag on
and i got some credentials - username:passwordhash, so running john on this gave us
so, these are probably the ssh credentials for nyan and now, (whispers) we’re in
we have the user flag now, so moving on for the root flag, which’ll probably be in /root/root.txt
so, first things first, running sudo -l gave us this, which makes privesc ezpz
v v nice challenge, liked the last section