TryHackMe WriteUp-CC:PenTesting
Hello everyone, this time I am going to share a walkthrough of a TryHackMe room that I found quite exciting and learned new things from. The room is a crash course on various penetration testing topics; it gives you a taste of penetration testing and the confidence to move forward in your cybersecurity career.
Let's start.
[Task 1] [Introduction]
No answer required; just read the instructions and mark the question as done :)
[Task 2] [Section 1 — Network Utilities] — nmap
What does nmap stand for?
Ans. Nmap stands for Network Mapper.
How do you specify which port(s) to scan?
Ans. -p is one way to specify which ports to scan.
How do you do a “ping scan” (just tests if the host(s) is up)?
Ans. A “ping scan” is done with -sn.
What is the flag for a UDP scan?
Ans. The flag for a UDP scan is -sU.
How do you run default scripts?
Ans. To run the default scripts, use -sC.
How do you enable “aggressive mode” (enables OS detection, version detection, script scanning, and traceroute)?
Ans. “Aggressive mode” is enabled with -A.
What flag enables OS detection?
Ans. OS detection is enabled with -O.
How do you get the versions of services running on the target machine?
Ans. The flag for the versions of services running on the target machine is -V.
Deploy the machine
Ans. No answer required
How many ports are open on the machine?
Ans. 1
Note: if you don't know how many ports are open on the machine, scan all of them with nmap -A -T4 -p- <target ip address>
What service is running on the machine?
Ans. Apache
What is the version of the service?
Ans. 2.4.18
What is the output of the http-title script (included in default scripts)?
Ans. The http-title script returns Apache2 Ubuntu Default Page: It Works
[Task 3] [Section 1 — Network Utilities] — Netcat
How do you listen for connections?
Ans. -l
How do you enable verbose mode (allows you to see who connected to you)?
Ans. Verbose mode is enabled with -v.
How do you specify a port to listen on?
Ans. The port to listen on is specified with -p.
How do you specify which program to execute after you connect to a host (one of the most infamous)?
Ans. The program to execute after connecting to a host is specified with -e.
How do you connect to udp ports?
Ans. -u
[Task 4] [Section 2 — Web Enumeration] — gobuster
How do you specify directory/file brute forcing mode?
Ans. dir
How do you specify dns bruteforcing mode?
Ans. dns
What flag sets extensions to be used?
Ans. -x
What flag sets a wordlist to be used?
Ans. The wordlist flag is -w.
How do you set the Username for basic authentication (if the directory requires a username/password)?
Ans. The username for basic authentication is set with -U.
How do you set the password for basic authentication?
Ans. The password for basic authentication is set with -P.
How do you set which status codes gobuster will interpret as valid?
Ans. -s
How do you skip ssl certificate verification?
Ans. SSL certificate verification is skipped with -k.
How do you specify a User-Agent?
Ans. A User-Agent is specified with -a.
How do you specify a HTTP header?
Ans. An HTTP header is specified with -H.
What flag sets the URL to bruteforce?
Ans. The URL to bruteforce is set with -u.
Deploy the machine
Ans. No answer required
Run gobuster with: gobuster dir -u http://<Machine IP> -w /usr/share/wordlists/dirb/common.txt -t 64
What is the name of the hidden directory?
Ans. The hidden directory is secret.
What is the name of the hidden file with the extension xxa?
Ans. The hidden file with the extension xxa is password.
[Task 5] [Section 2 — Web Enumeration] — nikto
How do you specify which host to use?
Ans. The host is specified with -h.
What flag disables ssl?
Ans. SSL is disabled with -nossl.
How do you force ssl?
Ans. SSL is forced with -ssl.
How do you specify authentication (username + pass)?
Ans. Authentication is specified with -id.
How do you select which plugin to use?
Ans. -plugins
Which plugin checks if you can enumerate apache users?
Ans. The apacheusers plugin checks whether apache users can be enumerated.
How do you update the plugin list?
Ans. -update
How do you list all possible plugins to use?
Ans. --list-plugins
[Task 6] [Section 3 — Metasploit]: Intro
No answer required
[Task 7] [Section 3 — Metasploit]: Setting Up
What command allows you to search modules?
Ans. Modules are searched with the search command.
How do you select a module?
Ans. A module is selected with the use command.
How do you display information about a specific module?
Ans. Information about a specific module is displayed with the info command.
How do you list options that you can set?
Ans. By using the options command.
What command lets you view advanced options for a specific module?
Ans. By using the advanced command.
How do you show options in a specific category?
Ans. By using the show command.
[Task 8] [Section 3 — Metasploit]: Selecting a module
How do you select the eternalblue module?
Ans. use exploit/windows/smb/ms17_010_eternalblue
What option allows you to select the target host(s)?
Ans. RHOSTS
How do you set the target port?
Ans. RPORT
What command allows you to set options?
Ans. By using the set command.
How would you set SMBPass to “username”?
Ans. set SMBPass username
How would you set the SMBUser to “password”?
Ans. set SMBUser password
What option sets the architecture to be exploited?
Ans. arch
What option sets the payload to be sent to the target machine?
Ans. Payload
Once you’ve finished setting all the required options, how do you run the exploit?
Ans. exploit
What flag do you set if you want the exploit to run in the background?
Ans. -j
How do you list all current sessions?
Ans. sessions
What flag allows you to go into interactive mode with a session (“drops you either into a meterpreter or regular shell”)?
Ans. -i
[Task 9] [Section 3 — Metasploit]: meterpreter
What command allows you to download files from the machine?
Ans. By using the download command.
What command allows you to upload files to the machine?
Ans. upload
How do you list all running processes?
Ans. ps
How do you change processes on the victim host (ideally it will allow you to change users and gain the perms associated with that user)?
Ans. migrate
What command lists files in the current directory on the remote machine?
Ans. ls
How do you execute a command on the remote host?
Ans. execute
What command starts an interactive shell on the remote host?
Ans. shell
How do you find files on the target host (similar function to the linux command “find”)?
Ans. By using the search command.
How do you get the output of a file on the remote host?
Ans. The cat command.
How do you put a meterpreter shell into “background mode” (allows you to run other msf modules while also keeping the meterpreter shell as a session)?
Ans. By using the background command.
[Task 10] [Section 3 — Metasploit]: Final Walkthrough
Select the module that needs to be exploited
Ans. use exploit/multi/http/nostromo_code_exec
What variable do you need to set to select the remote host?
Ans. rhosts
How do you set the port to 80?
Ans. set rport 80
How do you set the listening address (your machine)?
Ans. By setting the lhost option.
Exploit the machine!
Ans. No answer required
What is the name of the secret directory in the /var/nostromo/htdocs directory?
Ans. s3cretd1r
What are the contents of the file inside of the directory?
Ans. Woohoo!
[Task 11] [Section 4 — Hash Cracking]: Intro
No answer required
[Task 12] [Section 4 — Hash Cracking]: Salting and Formatting
No answer required
[Task 13] [Section 4 — Hash Cracking]: hashcat
What flag sets the mode?
Ans. The flag that sets the mode is -m.
What flag sets the “attack mode”?
Ans. The flag that sets the “attack mode” is -a.
What is the attack mode number for Brute-force?
Ans. The attack mode number for brute-force is 3.
What is the mode number for SHA3-512?
Ans. 17600
Crack this hash: 56ab24c15b72a457069c5ea42fcfc640
Type: MD5
Ans. nootnoot
[Task 14] [Section 4 — Hash Cracking]: John The Ripper
What flag lets you specify which wordlist to use?
Ans. --wordlist
What flag lets you specify which hash format (e.g. MD5, SHA1 etc.) to use?
Ans. --format (there is no space between the dashes)
How do you specify which rule to use?
Ans. --rules
Crack this hash: 5d41402abc4b2a76b9719d911017c592
Type: MD5
Ans. hello
Crack this hash: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
Type: SHA1
Ans. password
[Task 15] [Section 5 — SQL Injection]: Intro
No answer required
[Task 16] [Section 5 — SQL Injection]: sqlmap
How do you specify which url to check?
Ans. The URL to check is specified with -u.
What about which google dork to use?
Ans. -g
How do you select (lol) which parameter to use? (Example: in the url http://ex.com?test=1 the parameter would be test.)
Ans. -p
What flag sets which database is in the target host’s backend? (Example: if the flag is set to mysql then sqlmap will only test mysql injections.)
Ans. --dbms
How do you select the level of depth sqlmap should use (higher = more accurate and more tests in general)?
Ans. --level
How do you dump the table entries of the database?
Ans. By using the --dump command.
Which flag sets which db to enumerate?
Ans. -D
Which flag sets which table to enumerate?
Ans. -T
Which flag sets which column to enumerate?
Ans. -C
How do you ask sqlmap to try to get an interactive os-shell?
Ans. The --os-shell command.
What flag dumps all data from every table?
Ans. --dump-all
[Task 17] [Section 5 — SQL Injection]: A Note on Manual SQL Injection
No answer required
[Task 18] [Section 5 — SQL Injection]: Vulnerable Web Application
Set the url to the machine ip, and run the command
Ans. No answer required
How many types of sqli is the site vulnerable to?
Ans. 3
Dump the database.
Ans. No answer required
What is the name of the database?
Ans. The name of the database is tests.
How many tables are in the database?
Ans. 2
What is the value of the flag?
Ans. The value of the flag is found_me.
[Task 19] [Section 6 — Samba]: Intro
No answer required
[Task 20] [Section 6 — Samba]: smbmap
How do you set the username to authenticate with?
Ans. The username to authenticate with is set with -u.
What about the password?
Ans. -p
How do you set the host?
Ans. The host is set with -H.
What flag runs a command on the server (assuming you have permissions, that is)?
Ans. -x
How do you specify the share to enumerate?
Ans. By using -s.
How do you set which domain to enumerate?
Ans. By using -d.
What flag downloads a file?
Ans. By using --download.
What about uploading one?
Ans. --upload
Given the username “admin”, the password “password”, and the ip “10.10.10.10”, how would you run ipconfig on that machine?
Ans. smbmap -u "admin" -p "password" -H 10.10.10.10 -x "ipconfig"
[Task 21] [Section 6 — Samba]: smbclient
How do you specify which domain (workgroup) to use when connecting to the host?
Ans. By using -w.
How do you specify the ip address of the host?
Ans. -l
How do you run the command “ipconfig” on the target machine?
Ans. -c "ipconfig"
How do you specify the username to authenticate with?
Ans. The username to authenticate with is specified with -u.
How do you specify the password to authenticate with?
Ans. By using -P.
What flag is set to tell smbclient to not use a password?
Ans. -N
While in the interactive prompt, how would you download the file test, assuming it was in the current directory?
Ans. get test
In the interactive prompt, how would you upload your /etc/hosts file?
Ans. put /etc/hosts
[Task 22] [Section 6 — Samba]: A note about impacket
No answer required
[Task 23] [Miscellaneous]: A note on privilege escalation
No answer required
[Task 24] [Section 7 — Final Exam]: Good Luck :D
What is the user.txt?
Ans. supernootnoot
To find user.txt, first run the nmap scan nmap -T4 -A -p- <target-ip>. After this, look for hidden files with the dirbuster tool; you will find a folder named secret that contains a name and a hash value. Then log in over ssh using the name you found in the secret folder; the password is the same as that name.
What is the root.txt?
Ans. congratulations!!!