CC: Pen Testing WriteUp – TryHackMe

In this article, I have tried to prepare a write-up for the “CC: Pen Testing” room on TryHackMe.


[Task 1] Introduction

The idea behind this room is to provide an introduction to various tools and concepts commonly encountered in penetration testing.

#1 Read the above.

ANSWER: No answer needed


[Task 2] [Section 1 – Network Utilities] – nmap

nmap is one of the most important tools for pentesting.

#1 What does nmap stand for?

ANSWER: Network Mapper

#2 How do you specify which port(s) to scan?

ANSWER: -p

#3 How do you do a “ping scan”(just tests if the host(s) is up)?

ANSWER: -sn

#4 What is the flag for a UDP scan? 

ANSWER: -sU

#5 How do you run default scripts?

ANSWER: -sC

#6 How do you enable “aggressive mode”?

ANSWER: -A

#7 What flag enables OS detection

ANSWER: -O

#8 How do you get the versions of services running on the target machine

ANSWER: -sV

#9 Deploy the machine

After deploying the machine, you can run this nmap command:

nmap -A -sC -sV -O <IP Address>

You can see my nmap result below; all the answers can be read from it.

ANSWER: No answer needed

#10 How many ports are open on the machine? 

ANSWER: 1

#11 What service is running on the machine?  

ANSWER: Apache

#12 What is the version of the service?

ANSWER: 2.4.18

#13 What is the output of the http-title script(included in default scripts)

ANSWER: Apache2 Ubuntu Default Page: It Works


[Task 3] [Section 1 – Network Utilities] – Netcat

You can see the netcat help page:

#1 How do you listen for connections?

ANSWER: -l

#2 How do you enable verbose mode(allows you to see who connected to you)?

ANSWER: -v

#3 How do you specify a port to listen on

ANSWER: -p

#4 How do you specify which program to execute after you connect to a host(One of the most infamous)?

ANSWER: -e

#5 How do you connect to udp ports

ANSWER: -u


[Task 4] [Section 2 – Web Enumeration] – gobuster

You can see the gobuster help page:

#1 How do you specify directory/file brute forcing mode?

ANSWER: dir

#2 How do you specify dns bruteforcing mode? 

ANSWER: dns

#3 What flag sets extensions to be used?

ANSWER: -x

#4 What flag sets a wordlist to be used?

ANSWER: -w

#5 How do you set the Username for basic authentication?

ANSWER: -U

#6 How do you set the password for basic authentication?

ANSWER: -P

#7 How do you set which status codes gobuster will interpret as valid?

ANSWER: -s

#8 How do you skip ssl certificate verification?

ANSWER: -k

#9 How do you specify a User-Agent?

ANSWER: -a

#10 How do you specify a HTTP header?

ANSWER: -H

#11 What flag sets the URL to bruteforce?

ANSWER: -u

#12 Deploy the machine

After deploying the machine, you can run this command:

gobuster dir -u http://<Machine IP> -w /usr/share/wordlists/dirb/common.txt -t 64

#13 What is the name of the hidden directory

You can see the answer in the picture above.

ANSWER: secret

#14 What is the name of the hidden file with the extension xxa

You can see my answer:

ANSWER: password


[Task 5] [Section 2 – Web Enumeration] – nikto

You can use the nikto help page:

#1 How do you specify which host to use? 

ANSWER: -h

#2 What flag disables ssl?

ANSWER: -nossl

#3 How do you force ssl?

ANSWER: -ssl

#4 How do you specify authentication(username + pass)?

ANSWER: -id

#5 How do you select which plugin to use?

ANSWER: -plugins

#6 Which plugin checks if you can enumerate apache users? 

You have to run this command:

nikto --list-plugins

Then you can see the answer:

ANSWER: apacheusers

#7 How do you update the plugin list ?

ANSWER: -update

#8 How do you list all possible plugins to use?

ANSWER: --list-plugins


[Task 6] [Section 3 – Metasploit]: Intro

#1

ANSWER: No answer needed


[Task 7] [Section 3 Metasploit]: Setting Up

#1 What command allows you to search modules?

ANSWER: search

#2 How do you select a module? 

ANSWER: use

#3 How do you display information about a specific module?

ANSWER: info

#4 How do you list options that you can set?

ANSWER: options

#5 What command lets you view advanced options for a specific module?

ANSWER: advanced

#6 How do you show options in a specific category

ANSWER: show


[Task 8] [Section 3 – Metasploit]: – Selecting a module

This task will take you through selecting and setting options for one of the most popular Metasploit modules, “eternalblue”. All basic commands that can be run before selecting a module can also be run while a module is selected.

#1 How do you select the eternalblue module?

ANSWER: use exploit/windows/smb/ms17_010_eternalblue

#2 What option allows you to select the target host(s)?

ANSWER: RHOSTS

#3 How do you set the target port?

ANSWER: RPORT

#4 What command allows you to set options?

ANSWER: set

#5 How would you set SMBPass to “username”?

ANSWER: set SMBPass username

#6 How would you set the SMBUser to “password”?

ANSWER: set SMBUser password

#7 What option sets the architecture to be exploited?

ANSWER: arch

#8 What option sets the payload to be sent to the target machine?

ANSWER: payload

#9 Once you’ve finished setting all the required options, how do you run the exploit?

ANSWER: exploit

#10 What flag do you set if you want the exploit to run in the background?

ANSWER: -j

#11 How do you list all current sessions?

ANSWER: sessions

#12 What flag allows you to go into interactive mode with a session?

ANSWER: -i


[Task 9] [Section 3 – Metasploit]: meterpreter

#1 What command allows you to download files from the machine?

ANSWER: download

#2 What command allows you to upload files to the machine?

ANSWER: upload

#3 How do you list all running processes?

ANSWER: ps

#4 How do you change processes on the victim host?

ANSWER: migrate

#5 What command lists files in the current directory on the remote machine?

ANSWER: ls

#6 How do you execute a command on the remote host?

ANSWER: execute

#7 What command starts an interactive shell on the remote host?

ANSWER: shell

#8 How do you find files on the target host?

ANSWER: search

#9 How do you get the output of a file on the remote host?

ANSWER: cat

#10 How do you put a meterpreter shell into “background mode”

ANSWER: background


[Task 10] [Section 3 – Metasploit]: Final Walkthrough

Let’s select the “exploit/multi/http/nostromo_code_exec” module and list the options:

#1 Select the module that needs to be exploited

ANSWER: use exploit/multi/http/nostromo_code_exec

#2 What variable do you need to set, to select the remote host

ANSWER: rhosts

#3 How do you set the port to 80

ANSWER: set rport 80

#4 How do you set listening address(Your machine)

ANSWER: lhost

#5 Exploit the machine!

Let’s set the parameters then exploit this machine 🙂

#6 What is the name of the secret directory in the /var/nostromo/htdocs directory?

You can do it the way I did:

ANSWER: s3cretd1r

#7 What are the contents of the file inside of the directory?

ANSWER: Woohoo!


[Task 11] [Section 4 – Hash Cracking]: Intro

#1

ANSWER: No answer needed


[Task 12] [Section 4 – Hash Cracking]: Salting and Formatting

#1

ANSWER: No answer needed


[Task 13] [Section 4 – Hash Cracking]: hashcat

#1 What flag sets the mode.

ANSWER: -m

#2 What flag sets the “attack mode”

ANSWER: -a

#3 What is the attack mode number for Brute-force

ANSWER: 3

#4 What is the mode number for SHA3-512  

ANSWER: 17600

#5 Crack This Hash:56ab24c15b72a457069c5ea42fcfc640

You can use this website (see the picture).

ANSWER: happy

#6 Crack this hash: 4bc9ae2b9236c2ad02d81491dcb51d5f

You can use this website (see the picture).

ANSWER: nootnoot


[Task 14] [Section 4 – Hash Cracking]: John The Ripper

#1 What flag let’s you specify which wordlist to use?

ANSWER: --wordlist

#2 What flag lets you specify which hash format(Ex: MD5,SHA1 etc.) to use?  

ANSWER: --format

#3 How do you specify which rule to use?

ANSWER: --rules

#4 Crack this hash: 5d41402abc4b2a76b9719d911017c592

You can use this command in the “/root/Desktop” directory.

ANSWER: hello

#5 Crack this hash: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8

You can use this command in the “/root/Desktop” directory.

ANSWER: password


[Task 15] [Section 5 – SQL Injection]: Intro

#1

ANSWER: No answer needed


[Task 16] [Section 5 – SQL Injection]: sqlmap

Sqlmap is arguably the most popular automated SQL injection tool out there.

You can see the sqlmap help menu:

#1 How do you specify which url to check?

You can see the answer in the picture above.

ANSWER: -u

#2 What about which google dork to use?

You can see the answer in the picture above.

ANSWER: -g

#3 How do you select(lol) which parameter to use?

ANSWER: -p

#4 What flag sets which database is in the target host’s backend?

You can see the answer in the previous picture 🙂

ANSWER: --dbms

#5 How do you select the level of depth sqlmap should use

ANSWER: --level

#6 How do you dump the table entries of the database?

ANSWER: --dump

#7 Which flag sets which db to enumerate?

You can see the answer in the previous picture 🙂

ANSWER: -D

#8 Which flag sets which table to enumerate?

You can see the answer in the previous picture 🙂

ANSWER: -T

#9 Which flag sets which column to enumerate?

You can see the answer in the previous picture 🙂

ANSWER: -C

#10 How do you ask sqlmap to try to get an interactive os-shell?

ANSWER: --os-shell

#11 What flag dumps all data from every table

ANSWER: --dump-all


[Task 17] [Section 5 – SQL Injection]: A Note on Manual SQL Injection

#1

ANSWER: No answer needed


[Task 18] [Section 5 – SQL Injection]: Vulnerable Web Application

To demonstrate how to use sqlmap to check for vulnerabilities and dump table data, I will be walking you through an example web app. Deploy the machine and let’s get started!

#1 Set the url to the machine ip, and run the command

ANSWER: No answer needed

#2 How many types of sqli is the site vulnerable to?

ANSWER: 3

#3 Dump the database.

You can use this command; answer all the questions with “Y”.

ANSWER: No answer needed

#4 What is the name of the database? 

ANSWER: tests

#5 How many tables are in the database?

Their names are “msg” and “flag”.

ANSWER: 2

#6 What is the value of the flag?

ANSWER: found_me
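To make clear what sqlmap found on this machine, here is an added example (my own code, not the room's application) with a constructed in-memory SQLite stand-in for the “tests” database and its “msg” and “flag” tables: a lookup that builds SQL by string formatting, the same lookup with a parameterized query, and a hypothetical tautology input that shows the difference.

```python
import sqlite3

# Constructed stand-in for the room's "tests" database: tables msg and flag,
# with the flag value the write-up recovered.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE msg (id INTEGER, text TEXT)")
    conn.execute("CREATE TABLE flag (id INTEGER, flag TEXT)")
    conn.executemany("INSERT INTO msg VALUES (?, ?)", [(1, "hello"), (2, "world")])
    conn.execute("INSERT INTO flag VALUES (1, 'found_me')")
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, msg_id: str) -> list:
    """Builds the query by string formatting, so user input can change the SQL syntax.
    This is the defect sqlmap's boolean, UNION and time-based tests detect."""
    query = f"SELECT text FROM msg WHERE id = '{msg_id}' ORDER BY id"
    return [row[0] for row in conn.execute(query)]


def lookup_safe(conn: sqlite3.Connection, msg_id: str) -> list:
    """Parameterized query: the driver passes the input as data, never as SQL."""
    rows = conn.execute("SELECT text FROM msg WHERE id = ? ORDER BY id", (msg_id,))
    return [row[0] for row in rows]


# Hypothetical input: closes the string literal and appends an always-true condition
TAUTOLOGY = "1' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("normal lookup:        ", lookup_vulnerable(db, "1"))
    print("vulnerable + tautology:", lookup_vulnerable(db, TAUTOLOGY))
    print("safe + tautology:      ", lookup_safe(db, TAUTOLOGY))
```

With the formatted query the tautology returns every row of msg, while the parameterized query compares the whole string against id and returns nothing; the same input never reaches the flag table in the second case.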


[Task 19] [Section 6 – Samba]: Intro

#1

ANSWER: No answer needed


[Task 20] [Section 6 – Samba]: smbmap

You can use the help menu.

#1 How do you set the username to authenticate with?

ANSWER: -u

#2 What about the password?    

ANSWER: -p

#3 How do you set the host?

ANSWER: -H

#4 What flag runs a command on the server?

ANSWER: -x

#5 How do you specify the share to enumerate?

ANSWER: -s

#6 How do you set which domain to enumerate?

ANSWER: -d

#7 What flag downloads a file?

ANSWER: --download

#8 What about uploading one?

ANSWER: --upload

#9 Given the username “admin”, the password “password”, and the ip “10.10.10.10”, how would you run ipconfig on that machine

ANSWER: smbmap -u "admin" -p "password" -H 10.10.10.10 -x "ipconfig"


[Task 21] [Section 6 – Samba]: smbclient

You can use the help menu.

#1 How do you specify which domain(workgroup) to use when connecting to the host?

ANSWER: -w

#2 How do you specify the ip address of the host?

ANSWER: -I

#3 How do you run the command “ipconfig” on the target machine?

ANSWER: -c "ipconfig"

#4 How do you specify the username to authenticate with?

ANSWER: -U

#5 How do you specify the password to authenticate with?

ANSWER: -P

#6 What flag is set to tell smbclient to not use a password?

ANSWER: -N

#7 While in the interactive prompt, how would you download the file test, assuming it was in the current directory?

ANSWER: get test

#8 In the interactive prompt, how would you upload your /etc/hosts file

ANSWER: put /etc/hosts


[Task 22] [Section 6 – Samba]: A note about impacket

#1

ANSWER: No answer needed


[Task 23] [Miscellaneous]: A note on privilege escalation

#1

ANSWER: No answer needed


[Task 24] [Section 7 – Final Exam]: Good Luck 😀

First, you have to search for directories with “gobuster”. I used the “directory-list-2.3-medium.txt” wordlist.

I found the “/secret” directory. Then I searched this directory again with the “.txt, .php, .html” extensions.

I found the “secret.txt” directory.

I got some information. I tried to crack the hash value.

Then I connected with ssh.

User name: nyan

Password: nyan

#1 What is the user.txt

ANSWER: supernootnoot

#2 What is the root.txt

ANSWER: congratulations!!!!


So far, I have tried to explain the solutions to the questions in as much detail as I can. I hope it helped you. See you in my next write-up.
