TryHackMe WriteUp-CC:PenTesting

Vaibhav Thukral
8 min read · Jun 6, 2021

Hello everyone! This time I am going to share a walkthrough of a TryHackMe room that I found quite exciting and learned new things from. The room is a crash course on various topics in penetration testing; it gives you a taste of pentesting and the confidence to move forward in your cybersecurity career.

Let's start.

[Task 1] [Introduction]

No answer required, just read the instructions and mark the question as done :)

[Task 2] [Section 1 — Network Utilities] — nmap

What does nmap stand for?

Ans. Nmap stands for Network Mapper.

How do you specify which port(s) to scan?

Ans. -p is one way to specify the ports to scan.

How do you do a “ping scan” (just tests if the host(s) is up)?

Ans. A “ping scan” is done with -sn.

What is the flag for a UDP scan?

Ans. The flag for a UDP scan is -sU.

How do you run default scripts?

Ans. To run the default scripts, use -sC.

How do you enable “aggressive mode” (enables OS detection, version detection, script scanning, and traceroute)?

Ans. “Aggressive mode” is enabled with -A.

What flag enables OS detection?

Ans. To enable OS detection, use -O.

How do you get the versions of services running on the target machine?

Ans. The versions of the services running on the target machine are obtained with -V.

Deploy the machine

Ans. No answer required

How many ports are open on the machine?

Ans. 1

Note: If you don’t know how many ports are open on the machine, use nmap -A -T4 -p- <target ip address>

What service is running on the machine?

Ans. Apache

What is the version of the service?

Ans. 2.4.18

What is the output of the http-title script (included in default scripts)?

Ans. The http-title script produces the result Apache2 Ubuntu Default Page: It Works

[Task 3] [Section 1 — Network Utilities] — Netcat

How do you listen for connections?

Ans. -l

How do you enable verbose mode (allows you to see who connected to you)?

Ans. To enable verbose mode, use -v.

How do you specify a port to listen on?

Ans. To specify the port to listen on, use -p.

How do you specify which program to execute after you connect to a host (one of the most infamous)?

Ans. The program to execute after connecting to a host is set with -e.

How do you connect to udp ports?

Ans. -u

[Task 4] [Section 2— Web Enumeration] — gobuster

How do you specify directory/file brute forcing mode?

Ans. dir

How do you specify dns bruteforcing mode?

Ans. dns

What flag sets extensions to be used?

Ans. -x

What flag sets a wordlist to be used?

Ans. The wordlist flag is -w.

How do you set the username for basic authentication (if the directory requires a username/password)?

Ans. To set the username for basic authentication, use -U.

How do you set the password for basic authentication?

Ans. To set the password for basic authentication, use -P.

How do you set which status codes gobuster will interpret as valid?

Ans. -s

How do you skip ssl certificate verification?

Ans. To skip ssl certificate verification, use -k.

How do you specify a User-Agent?

Ans. To specify a User-Agent, use -a.

How do you specify an HTTP header?

Ans. To specify an HTTP header, use -H.

What flag sets the URL to bruteforce?

Ans. The flag that sets the URL to bruteforce is -u.

Deploy the machine

Ans. No answer required

To run gobuster against the machine: gobuster dir -u http://<Machine IP> -w /usr/share/wordlists/dirb/common.txt -t 64

What is the name of the hidden directory?

Ans. The hidden directory is secret

What is the name of the hidden file with the extension xxa?

Ans. The name of the hidden file with the extension xxa is password

[Task 5] [Section 2— Web Enumeration] — nikto

How do you specify which host to use?

Ans. The host is specified with the -h option.

What flag disables ssl?

Ans. To disable ssl, use -nossl.

How do you force ssl?

Ans. To force ssl, use -ssl.

How do you specify authentication (username + pass)?

Ans. Authentication is specified with -id.

How do you select which plugin to use?

Ans. -plugins

Which plugin checks if you can enumerate apache users?

Ans. The apacheusers plugin checks whether apache users can be enumerated.

How do you update the plugin list?

Ans. -update

How do you list all possible plugins to use?

Ans. --list-plugins

[Task 6] [Section 3— Metasploit]:intro

No answer required

[Task 7] [Section 3 — Metasploit]:Setting Up

What command allows you to search modules?

Ans. Modules are searched with the search command.

How do you select a module?

Ans. A module is selected with the use command.

How do you display information about a specific module?

Ans. Information about a specific module is displayed with the info command.

How do you list options that you can set?

Ans. By using the options command

What command lets you view advanced options for a specific module?

Ans. By using the advanced command

How do you show options in a specific category?

Ans. By using the show command

[Task 8] [Section 3 — Metasploit]:Selecting a module

How do you select the eternalblue module?

Ans. use exploit/windows/smb/ms17_010_eternalblue

What option allows you to select the target host(s)?

Ans. RHOSTS

How do you set the target port?

Ans. RPORT

What command allows you to set options?

Ans. By using the Set command

How would you set SMBPass to “username”?

Ans. set SMBPass username

How would you set the SMBUser to “password”?

Ans. set SMBUser password

What option sets the architecture to be exploited?

Ans. arch

What option sets the payload to be sent to the target machine?

Ans. Payload

Once you’ve finished setting all the required options, how do you run the exploit?

Ans. exploit

What flag do you set if you want the exploit to run in the background?

Ans. -j

How do you list all current sessions?

Ans. sessions

What flag allows you to go into interactive mode with a session (“drops you either into a meterpreter or regular shell”)?

Ans. -i

[Task 9] [Section 3 — Metasploit]:meterpreter

What command allows you to download files from the machine?

Ans. By using download

What command allows you to upload files to the machine?

Ans. Upload

How do you list all running processes?

Ans. ps

How do you change processes on the victim host (ideally it will allow you to change users and gain the perms associated with that user)?

Ans. migrate

What command lists files in the current directory on the remote machine?

Ans. ls

How do you execute a command on the remote host?

Ans. execute

What command starts an interactive shell on the remote host?

Ans. shell

How do you find files on the target host (similar function to the linux command “find”)?

Ans. By using the search command

How do you get the output of a file on the remote host?

Ans. The cat command

How do you put a meterpreter shell into “background mode” (allows you to run other msf modules while also keeping the meterpreter shell as a session)?

Ans. By using the background command

[Task 10] [Section 3 — Metasploit]:Final Walkthrough

Select the module that needs to be exploited.

Ans. use exploit/multi/http/nostromo_code_exec

What variable do you need to set to select the remote host?

Ans. rhosts

How do you set the port to 80?

Ans. set rport 80

How do you set the listening address (your machine)?

Ans. By setting lhost

Exploit the machine!

Ans. No answer required

What is the name of the secret directory in the /var/nostromo/htdocs directory?

Ans. s3cretd1r

What are the contents of the file inside of the directory?

Ans. Woohoo!

[Task 11][Section 4 — Hash Cracking]: Intro

No answer required

[Task 12][Section 4 — Hash Cracking]: Salting and Formatting

No answer required

[Task 13][Section 4 — Hash Cracking]: hashcat

What flag sets the mode?

Ans. The flag that sets the mode is -m.

What flag sets the “attack mode”?

Ans. The flag that sets the “attack mode” is -a.

What is the attack mode number for Brute-force?

Ans. The attack mode number for brute-force is 3.

What is the mode number for SHA3-512?

Ans. 17600

Crack this hash: 56ab24c15b72a457069c5ea42fcfc640

Type: MD5

Ans. nootnoot

[Task 14][Section 4 — Hash Cracking]: John The Ripper

What flag lets you specify which wordlist to use?

Ans. --wordlist

What flag lets you specify which hash format (e.g. MD5, SHA1, etc.) to use?

Ans. --format (there is no space between the dashes)

How do you specify which rule to use?

Ans. --rules

Crack this hash: 5d41402abc4b2a76b9719d911017c592

Type: MD5

Ans. hello

Crack this hash: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8

Type: SHA1

Ans. password
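As an added illustration (not part of the original write-up) of why the salting material in Task 12 matters: the unsalted MD5/SHA1 hashes quoted in Tasks 13 and 14 fall to a five-word constructed wordlist, whereas a salted, iterated PBKDF2 hash gives two users with the same password different stored values, so one lookup no longer recovers every account. The wordlist and the `pbkdf2_sha256$...` storage format are my own constructions, not the room's.

```python
import hashlib
import hmac
import os

# Hashes quoted in the room (Tasks 13 and 14), used here as test data.
ROOM_HASHES = {
    "5d41402abc4b2a76b9719d911017c592": "md5",   # John task, MD5
    "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8": "sha1",  # John task, SHA1
}

# Constructed five-word list standing in for a real wordlist such as rockyou.txt.
WORDLIST = ["123456", "password", "hello", "nootnoot", "letmein"]


def crack_unsalted(target_hex, algo, wordlist=WORDLIST):
    """Hash each candidate with the named algorithm; return the match or None.

    With no salt, one pass over the wordlist tests every stored hash at once,
    which is exactly what hashcat/John exploit in -a 0 wordlist mode.
    """
    for word in wordlist:
        if hashlib.new(algo, word.encode()).hexdigest() == target_hex:
            return word
    return None


def hash_salted(password, salt=None, iterations=100_000):
    """Store PBKDF2-HMAC-SHA256 as 'pbkdf2_sha256$<iters>$<salt hex>$<dk hex>'.

    A random 16-byte salt per user means identical passwords no longer share a
    stored value, and the iteration count makes each guess cost real work.
    """
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_salted(password, stored):
    """Recompute the stored record's digest and compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    for digest, algo in ROOM_HASHES.items():
        print(f"{algo} {digest} -> {crack_unsalted(digest, algo)}")
    a, b = hash_salted("password"), hash_salted("password")
    print("same password, same stored value?", a == b)  # False
```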

[Task 15][Section 5 — SQL Injection]: Intro

No answer required

[Task 16][Section 5 — SQL Injection]: sqlmap

How do you specify which url to check?

Ans. To specify which url to check, use -u.

What about which google dork to use?

Ans. -g

How do you select (lol) which parameter to use? (Example: in the url http://ex.com?test=1 the parameter would be test.)

Ans. -p

What flag sets which database is in the target host’s backend? (Example: if the flag is set to mysql then sqlmap will only test mysql injections.)

Ans. --dbms

How do you select the level of depth sqlmap should use (higher = more accurate and more tests in general)?

Ans. --level

How do you dump the table entries of the database?

Ans. By using the --Dump command

Which flag sets which db to enumerate?

Ans. -D

Which flag sets which table to enumerate?

Ans. -T

Which flag sets which column to enumerate?

Ans. -C

How do you ask sqlmap to try to get an interactive os-shell?

Ans. The --os-shell command

What flag dumps all data from every table?

Ans. --dump-all

[Task 17][Section 5 — SQL Injection]: A Note on Manual SQL Injection

No answer required

[Task 18][Section 5 — SQL Injection]: Vulnerable Web Application

Set the url to the machine ip, and run the command.

Ans. No answer required

How many types of sqli is the site vulnerable to?

Ans. 3

Dump the database.

Ans. No answer required

What is the name of the database?

Ans. The name of the database is tests

How many tables are in the database?

Ans. 2

What is the value of the flag?

Ans. The value of the flag is found_me

[Task 19][Section 6 — Samba]: Intro

No answer required

[Task 20][Section 6 — Samba]: smbmap

How do you set the username to authenticate with?

Ans. The username to authenticate with is set with -u.

What about the password?

Ans. -p

How do you set the host?

Ans. The host is set with the -H option.

What flag runs a command on the server (assuming you have permissions, that is)?

Ans. -x

How do you specify the share to enumerate?

Ans. By using the -s option

How do you set which domain to enumerate?

Ans. By using the -d option

What flag downloads a file?

Ans. By using the --download option

What about uploading one?

Ans. --upload

Given the username “admin”, the password “password”, and the ip “10.10.10.10”, how would you run ipconfig on that machine?

Ans. smbmap -u "admin" -p "password" -H 10.10.10.10 -x "ipconfig"

[Task 21][Section 6 — Samba]: smbclient

How do you specify which domain (workgroup) to use when connecting to the host?

Ans. By using the -w option

How do you specify the ip address of the host?

Ans. -l

How do you run the command “ipconfig” on the target machine?

Ans. -c "ipconfig"

How do you specify the username to authenticate with?

Ans. The username to authenticate with is specified with the -u option.

How do you specify the password to authenticate with?

Ans. By using the -P option

What flag is set to tell smbclient to not use a password?

Ans. -N

While in the interactive prompt, how would you download the file test, assuming it was in the current directory?

Ans. get test

In the interactive prompt, how would you upload your /etc/hosts file?

Ans. put /etc/hosts

[Task 22][Section 6 — Samba]: A note about impacket

No answer required

[Task 23] [Miscellaneous]: A note on privilege escalation

No answer required

[Task 24][Section 7 — Final Exam]: Good Luck :D

What is the user.txt?

Ans. supernootnoot

To find user.txt, first run the nmap scan nmap -T4 -A -p- <target-ip>. Then look for hidden files and directories with the dirbuster tool; you will find a folder named secret that contains a name and a hash value. Finally, log in over ssh using the name found in the secret folder; the password is the same as that name.

What is the root.txt?

Ans. congratulations!!!
