TryHackMe: CC Pen Testing Writeup
7 min read · Apr 1, 2022
This room is a crash course on various topics in penetration testing. The room can be accessed using the link: https://tryhackme.com/room/ccpentesting
Task 1: Introduction
- Read the above. Answer: No answer needed
Task 2: [Section 1 — Network Utilities] — nmap
- What does nmap stand for? Answer: Network Mapper
- How do you specify which port(s) to scan? Answer: -p
- How do you do a “ping scan” (just tests if the host(s) is up)? Answer: -sn
- What is the flag for a UDP scan? Answer: -sU
- How do you run default scripts? Answer: -sC
- How do you enable “aggressive mode” (enables OS detection, version detection, script scanning, and traceroute)? Answer: -A
- What flag enables OS detection? Answer: -O
- How do you get the versions of services running on the target machine? Answer: -sV
- Deploy the machine. Answer: No answer needed.
- How many ports are open on the machine? Answer: 1
- What service is running on the machine? Answer: Apache
- What is the version of the service? Answer: 2.4.18
- What is the output of the http-title script (included in the default scripts)? Answer: Apache2 Ubuntu Default Page: It works
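The last four questions are answered by reading nmap's output by hand. Here is an added example (not part of the room or the original writeup) that does the same thing programmatically from grepable output (`nmap -sV -sC -oG scan.gnmap <target>`): it lists open ports per host, the service behind each, and pulls the version number out of the product string. The scan output is constructed inline to mirror the room's single Apache 2.4.18 host, and the second host with its IP, SSH and Samba banners is hypothetical.

```python
import re

# Constructed sample of nmap grepable (-oG) output. The IPs are hypothetical;
# the first host mirrors the room's target (one open port, Apache 2.4.18).
SAMPLE_GNMAP = (
    "# Nmap 7.92 scan initiated Fri Apr  1 12:00:00 2022 as: "
    "nmap -sV -sC -oG scan.gnmap 10.10.10.10 10.10.10.11\n"
    "Host: 10.10.10.10 ()\tStatus: Up\n"
    "Host: 10.10.10.10 ()\tPorts: 80/open/tcp//http//Apache httpd 2.4.18 ((Ubuntu))/"
    "\tIgnored State: closed (999)\n"
    "Host: 10.10.10.11 ()\tStatus: Up\n"
    "Host: 10.10.10.11 ()\tPorts: "
    "22/open/tcp//ssh//OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)/, "
    "80/filtered/tcp//http///, "
    "445/open/tcp//microsoft-ds//Samba smbd 3.X - 4.X (workgroup: WORKGROUP)/"
    "\tIgnored State: closed (997)\n"
    "# Nmap done at Fri Apr  1 12:00:30 2022 -- 2 IP addresses (2 hosts up) scanned\n"
)


def parse_gnmap(text):
    """Return {host: [port dicts]} from every 'Ports:' line of -oG output.

    Each port entry in grepable output is
    port/state/protocol/owner/service/rpcinfo/version/ (fields tab-separated
    from the host and entries comma-separated), which is what we split on.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        for field in fields[1:]:
            if not field.startswith("Ports: "):
                continue
            for entry in field[len("Ports: "):].split(", "):
                parts = entry.split("/")
                hosts.setdefault(host, []).append({
                    "port": int(parts[0]),
                    "state": parts[1],
                    "proto": parts[2],
                    "service": parts[4],
                    "version": parts[6],
                })
    return hosts


def open_ports(hosts, host):
    """Only ports nmap reports as open (filtered/closed are noise for the room's questions)."""
    return [p for p in hosts.get(host, []) if p["state"] == "open"]


def version_number(version_string):
    """Pull a dotted version (2.4.18, 7.2p2) out of nmap's product/version string, or None."""
    m = re.search(r"\d+(?:\.\d+)+[a-z0-9]*", version_string)
    return m.group(0) if m else None


if __name__ == "__main__":
    hosts = parse_gnmap(SAMPLE_GNMAP)
    for host in hosts:
        ports = open_ports(hosts, host)
        print(f"{host}: {len(ports)} open port(s)")
        for p in ports:
            print(f"  {p['port']}/{p['proto']} {p['service']} "
                  f"version={version_number(p['version'])} ({p['version']})")
```

Run against a real `-oG` file by replacing `SAMPLE_GNMAP` with the file contents; grepable output is deprecated in nmap but still emitted, and `-oX` with an XML parser is the more robust choice for anything beyond a quick script.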
Task 3: [Section 1 — Network Utilities] — Netcat
- How do you listen for connections? Answer: -l
- How do you enable verbose mode (allows you to see who connected to you)? Answer: -v
- How do you specify a port to listen on? Answer: -p
- How do you specify which program to execute after you connect to a host (one of the most infamous)? Answer: -e
- How do you connect to UDP ports? Answer: -u
Task 4: [Section 2 — Web Enumeration] — gobuster
- How do you specify directory/file brute forcing mode? Answer: dir
- How do you specify dns bruteforcing mode? Answer: dns
- What flag sets extensions to be used? Example: if the php extension is set, and the word is “admin” then gobuster will test admin.php against the webserver. Answer: -x
- What flag sets a wordlist to be used? Answer: -w
- How do you set the Username for basic authentication(If the directory requires a username/password)? Answer: -U
- How do you set the password for basic authentication? Answer: -P
- How do you set which status codes gobuster will interpret as valid? Example: 200,400,404,204. Answer: -s
- How do you skip ssl certificate verification? Answer: -k
- How do you specify a User-Agent? Answer: -a
- How do you specify a HTTP header? Answer: -H
- What flag sets the URL to bruteforce? Answer: -u
- Deploy the machine. Answer: No answer needed
- What is the name of the hidden directory? Answer: secret
- What is the name of the hidden file with the extension xxa? Answer: password
Task 5: [Section 2 — Web Enumeration] — nikto
- How do you specify which host to use? Answer: -h
- What flag disables SSL? Answer: -nossl
- How do you force SSL? Answer: -ssl
- How do you specify authentication(username + pass)? Answer: -id
- How do you select which plugin to use? Answer: -plugins
- Which plugin checks if you can enumerate apache users? Answer: apacheusers
- How do you update the plugin list? Answer: -update
- How do you list all possible plugins to use? Answer: -list-plugins
Task 7: [Section 3 — Metasploit]: Setting Up
- What command allows you to search modules? Answer: search
- How do you select a module? Answer: use
- How do you display information about a specific module? Answer: info
- How do you list options that you can set? Answer: options
- What command lets you view advanced options for a specific module? Answer: advanced
- How do you show options in a specific category? Answer: show
Task 8: [Section 3 — Metasploit]: Selecting a module
- How do you select the eternalblue module? Answer: use exploit/windows/smb/ms17_010_eternalblue
- What option allows you to select the target host(s)? Answer: RHOSTS
- How do you set the target port? Answer: RPORT
- What command allows you to set options? Answer: set
- How would you set SMBPass to “username”? Answer: set SMBPass username
- How would you set the SMBUser to “password”? Answer: set SMBUser password
- What option sets the architecture to be exploited? Answer: arch
- What option sets the payload to be sent to the target machine? Answer: payload
- Once you’ve finished setting all the required options, how do you run the exploit? Answer: exploit
- What flag do you set if you want the exploit to run in the background? Answer: -j
- How do you list all current sessions? Answer: sessions
- What flag allows you to go into interactive mode with a session(“drops you either into a meterpreter or regular shell”). Answer: -i
Task 9: [Section 3 — Metasploit]: meterpreter
- What command allows you to download files from the machine? Answer: download
- What command allows you to upload files to the machine? Answer: upload
- How do you list all running processes? Answer: ps
- How do you change processes on the victim host (ideally it will allow you to change users and gain the perms associated with that user)? Answer: migrate
- What command lists files in the current directory on the remote machine? Answer: ls
- How do you execute a command on the remote host? Answer: execute
- What command starts an interactive shell on the remote host? Answer: shell
- How do you find files on the target host(A similar function to the Linux command “find”)? Answer: search
- How do you get the output of a file on the remote host? Answer: cat
- How do you put a meterpreter shell into “background mode”(allows you to run other msf modules while also keeping the meterpreter shell as a session)? Answer: background
Task 10: [Section 3 — Metasploit]: Final Walkthrough
- Select the module that needs to be exploited. Answer: use exploit/multi/http/nostromo_code_exec
- What variable do you need to set to select the remote host? Answer: rhosts
- How do you set the port to 80? Answer: set rport 80
- How do you set the listening address (your machine)? Answer: lhost
- Exploit the machine! Answer: No answer needed
- What is the name of the secret directory in the /var/nostromo/htdocs directory? Answer: s3cretd1r
- What are the contents of the file inside of the directory? Answer: Woohoo!
Task 13: [Section 4 — Hash Cracking]: hashcat
- What flag sets the mode? Answer: -m
- What flag sets the “attack mode”? Answer: -a
- What is the attack mode number for brute-force? Answer: 3
- What is the mode number for SHA3-512? Answer: 17600
- Crack This Hash:56ab24c15b72a457069c5ea42fcfc640. Type: MD5. Answer: happy
- Crack this hash: 4bc9ae2b9236c2ad02d81491dcb51d5f. Type: MD4. Answer: nootnoot
Task 14: [Section 4 — Hash Cracking]: John The Ripper
- What flag lets you specify which wordlist to use? Answer: --wordlist
- What flag lets you specify which hash format (e.g. MD5, SHA1, etc.) to use? Answer: --format
- How do you specify which rule to use? Answer: --rules
- Crack this hash: 5d41402abc4b2a76b9719d911017c592. Type: MD5. Answer: hello
- Crack this hash: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8. Type: SHA1. Answer: password
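Both the hashcat and John tasks above come down to the same loop: hash each candidate and compare against the target. As an added example (mine, not the room's or the writeup's), this script does a wordlist attack (hashcat `-a 0`, John `--wordlist`) and a fixed-length mask attack (hashcat `-a 3`) over the hashes from the two tasks. The six-word wordlist is constructed inline. MD4 is implemented in pure Python from RFC 1320 because `hashlib.new("md4")` is only available when OpenSSL's legacy provider is loaded, which is often not the case on current distributions.

```python
import hashlib
import itertools
import struct

MASK = 0xFFFFFFFF

# hashcat -m numbers for the algorithms used in the room (facts, not assumptions)
HASHCAT_MODES = {"md5": 0, "sha1": 100, "md4": 900, "sha3_512": 17600}


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data):
    """Pure-Python MD4 (RFC 1320); hashlib's md4 depends on OpenSSL's legacy provider."""
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = data + b"\x80"                                   # padding: 1 bit, then zeros
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)                # 64-bit little-endian bit length
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                                # round 1
            a, b, c, d = d, _rotl((a + f(b, c, d) + x[i]) & MASK, (3, 7, 11, 19)[i % 4]), b, c
        for i in range(16):                                # round 2: k = 0,4,8,12,1,5,...
            k = (i % 4) * 4 + i // 4
            a, b, c, d = d, _rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4]), b, c
        for i in range(16):                                # round 3: k = 0,8,4,12,2,10,...
            k = (0, 8, 4, 12)[i % 4] + (0, 2, 1, 3)[i // 4]
            a, b, c, d = d, _rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4]), b, c
        a0, b0, c0, d0 = (a0 + a) & MASK, (b0 + b) & MASK, (c0 + c) & MASK, (d0 + d) & MASK
    return struct.pack("<4I", a0, b0, c0, d0).hex()


def hexdigest(algo, word):
    """Hash one candidate with the named algorithm (hashlib name, or our md4)."""
    if algo == "md4":
        return md4(word.encode())
    return hashlib.new(algo, word.encode()).hexdigest()


def crack_wordlist(target_hex, algo, wordlist):
    """Dictionary attack (hashcat -a 0 / john --wordlist): first candidate whose hash matches."""
    target = target_hex.lower()
    for word in wordlist:
        if hexdigest(algo, word) == target:
            return word
    return None


def crack_mask(target_hex, algo, charset, length):
    """Mask attack (hashcat -a 3) for a fixed length, e.g. charset a-z and length 3 is ?l?l?l."""
    target = target_hex.lower()
    for combo in itertools.product(charset, repeat=length):
        word = "".join(combo)
        if hexdigest(algo, word) == target:
            return word
    return None


# Constructed mini wordlist standing in for rockyou.txt
WORDLIST = ["123456", "password", "hello", "happy", "nootnoot", "letmein"]

if __name__ == "__main__":
    room_hashes = [
        ("56ab24c15b72a457069c5ea42fcfc640", "md5"),
        ("4bc9ae2b9236c2ad02d81491dcb51d5f", "md4"),
        ("5d41402abc4b2a76b9719d911017c592", "md5"),
        ("5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8", "sha1"),
    ]
    for hash_hex, algo in room_hashes:
        print(f"-m {HASHCAT_MODES[algo]} {hash_hex} -> {crack_wordlist(hash_hex, algo, WORDLIST)}")
    print("?l?l?l ->", crack_mask("900150983cd24fb0d6963f7d28e17f72", "md5", "abcdefghijklmnopqrstuvwxyz", 3))
```

The mask attack is exhaustive, so it only makes sense for short, well-characterised passwords; hashcat's real advantage over this script is GPU throughput and rule engines, not a different algorithm.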
Task 16: [Section 5 — SQL Injection]: sqlmap
- How do you specify which url to check? Answer: -u
- What about which google dork to use? Answer: -g
- How do you select (lol) which parameter to use? (Example: in the URL http://ex.com?test=1 the parameter would be test.) Answer: -p
- What flag sets which database is in the target host’s backend? (Example: if the flag is set to mysql then sqlmap will only test MySQL injections.) Answer: --dbms
- How do you select the level of depth sqlmap should use (higher = more accurate and more tests in general)? Answer: --level
- How do you dump the table entries of the database? Answer: --dump
- Which flag sets which db to enumerate? (Case sensitive). Answer: -D
- Which flag sets which table to enumerate? (Case sensitive). Answer: -T
- Which flag sets which column to enumerate? (Case sensitive). Answer: -C
- How do you ask sqlmap to try to get an interactive os-shell? Answer: --os-shell
- What flag dumps all data from every table? Answer: --dump-all
Task 18: [Section 5 — SQL Injection]: Vulnerable Web Application
- Set the url to the machine ip, and run the command. Answer: No answer needed
- How many types of sqli is the site vulnerable to? Answer: 3
- Dump the database. Answer: No answer needed
- What is the name of the database? Answer: tests
- How many tables are in the database? Answer: 2
- What is the value of the flag? Answer: found_me
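sqlmap finds the three injection types by sending payloads and comparing responses; the two it relies on most are boolean-based blind (does `AND 1=1` leave the page unchanged while `AND 1=2` blanks it?) and UNION-based (append a SELECT and read the extra rows). As an added example, not the room's application or code, here is a minimal vulnerable lookup beside its hardened form, with those two checks run against both. The database is a constructed in-memory sqlite3 stand-in: two tables, named `users` and `secrets` here as an assumption, one of which holds the room's flag.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the room's database: two tables, one holding the flag.
    Table and column names are assumptions, not the room's schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users   (id INTEGER PRIMARY KEY, username TEXT);
        CREATE TABLE secrets (id INTEGER PRIMARY KEY, flag TEXT);
        INSERT INTO users   VALUES (1, 'alice'), (2, 'bob');
        INSERT INTO secrets VALUES (1, 'found_me');
    """)
    return conn


def lookup_vulnerable(conn, user_id):
    """VULNERABLE: the ?id= value is concatenated straight into the SQL text,
    so the input can change the query's structure."""
    sql = f"SELECT username FROM users WHERE id = {user_id}"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, user_id):
    """HARDENED: validate the type, then bind the value as a parameter.
    The value is sent as data and can never become SQL syntax."""
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        return []  # reject anything that is not an integer id
    return [row[0] for row in conn.execute("SELECT username FROM users WHERE id = ?", (uid,))]


def boolean_blind_detect(fetch, param="1"):
    """sqlmap-style boolean-based blind check: a true condition must leave the
    response unchanged and a false condition must blank it."""
    baseline = fetch(param)
    return (baseline != []
            and fetch(f"{param} AND 1=1") == baseline
            and fetch(f"{param} AND 1=2") == [])


def union_extract(fetch, table, column):
    """UNION-based extraction: append a SELECT with the same column count and
    read the rows that come back in addition to the legitimate one."""
    return fetch(f"1 UNION ALL SELECT {column} FROM {table}")


if __name__ == "__main__":
    conn = build_db()
    vuln = lambda v: lookup_vulnerable(conn, v)
    safe = lambda v: lookup_safe(conn, v)
    print("vulnerable: boolean-blind injectable =", boolean_blind_detect(vuln))
    print("vulnerable: UNION extraction       =", union_extract(vuln, "secrets", "flag"))
    print("hardened:   boolean-blind injectable =", boolean_blind_detect(safe))
    print("hardened:   UNION extraction       =", union_extract(safe, "secrets", "flag"))
```

The hardened version changes two things: the parameter is bound with `?` instead of formatted into the string, and the id is coerced to `int` first, so a non-numeric payload is rejected before it reaches the database at all. Either alone closes the injection; together they also give you a clean place to log the rejected input.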
Task 20: [Section 6 — Samba]: smbmap
- How do you set the username to authenticate with? Answer: -u
- What about the password? Answer: -p
- How do you set the host? Answer: -H
- What flag runs a command on the server(assuming you have permissions that is)? Answer: -x
- How do you specify the share to enumerate? Answer: -s
- How do you set which domain to enumerate? Answer: -d
- What flag downloads a file? Answer: --download
- What about uploading one? Answer: --upload
- Given the username “admin”, the password “password”, and the IP “10.10.10.10”, how would you run ipconfig on that machine? Answer: smbmap -u "admin" -p "password" -H 10.10.10.10 -x "ipconfig"
Task 21: [Section 6 — Samba]: smbclient
- How do you specify which domain(workgroup) to use when connecting to the host? Answer: -w
- How do you specify the ip address of the host? Answer: -I
- How do you run the command “ipconfig” on the target machine? Answer: -c "ipconfig"
- How do you specify the username to authenticate with? Answer: -U
- How do you specify the password to authenticate with? Answer: -P
- What flag is set to tell smbclient to not use a password? Answer: -N
- While in the interactive prompt, how would you download the file test, assuming it was in the current directory? Answer: get test
- In the interactive prompt, how would you upload your /etc/hosts file? Answer: put /etc/hosts
Task 24: [Section 7 — Final Exam]: Good Luck :D
- What is the user.txt? Answer: supernootnoot
- What is the root.txt? Answer: congratulations!!!!
Follow me on LinkedIn: https://www.linkedin.com/in/-prashantkumar07/