TryHackMe: CC Pen Testing Writeup

This room is a crash course on various topics in penetration testing. The room can be accessed using the link: https://tryhackme.com/room/ccpentesting

Task 1: Introduction

1. Read the above. Answer: No answer needed

Task 2: [Section 1 — Network Utilities] — nmap

1. What does nmap stand for? Answer: Network Mapper
2. How do you specify which port(s) to scan? Answer: -p
3. How do you do a “ping scan”(just tests if the host(s) is up)? Answer: -sn
4. What is the flag for a UDP scan? Answer: -sU
5. How do you run default scripts? Answer: -sC
6. How do you enable “aggressive mode”(Enables OS detection, version detection, script scanning, and traceroute). Answer: -A
7. What flag enables OS detection. Answer: -O
8. How do you get the versions of services running on the target machine. Answer: -sV
9. Deploy the machine. Answer: No answer needed.
10. How many ports are open on the machine? Answer: 1
11. What service is running on the machine? Answer: Apache
12. What is the version of the service? Answer: 2.4.18
13. What is the output of the http-title script(included in default scripts). Answer: Apache2 Ubuntu Default Page: It Works

Task 3: [Section 1 — Network Utilities] — Netcat

1. How do you listen for connections? Answer: -l
2. How do you enable verbose mode(allows you to see who connected to you)? Answer: -v
3. How do you specify a port to listen on. Answer: -p
4. How do you specify which program to execute after you connect to a host(One of the most infamous)? Answer: -e
5. How do you connect to udp ports. Answer: -u

Task 4: [Section 2 — Web Enumeration] — gobuster

1. How do you specify directory/file brute forcing mode? Answer: dir
2. How do you specify dns bruteforcing mode? Answer: dns
3. What flag sets extensions to be used? Example: if the php extension is set, and the word is “admin” then gobuster will test admin.php against the webserver. Answer: -x
4. What flag sets a wordlist to be used? Answer: -w
5. How do you set the Username for basic authentication(If the directory requires a username/password)? Answer: -U
6. How do you set the password for basic authentication? Answer: -P
7. How do you set which status codes gobuster will interpret as valid Example: 200,400,404,204. Answer: -s
8. How do you skip ssl certificate verification? Answer: -k
9. How do you specify a User-Agent? Answer: -a
10. How do you specify a HTTP header? Answer: -H
11. What flag sets the URL to bruteforce? Answer: -u
12. Deploy the machine. Answer: NO answer needed
13. What is the name of the hidden directory. Answer: secret
14. What is the name of the hidden file with the extension xxa. Answer: password

Task 5: [Section 2 — Web Enumeration] — nikto

1. How do you specify which host to use? Answer: -h
2. What flag disables SSL? Answer: -nossl
3. How do you force SSL? Answer: -ssl
4. How do you specify authentication(username + pass)? Answer: -id
5. How do you select which plugin to use? Answer: -plugins
6. Which plugin checks if you can enumerate apache users? Answer: apacheusers
7. How do you update the plugin list. Answer: -update
8. How do you list all possible plugins to use. Answer: — list-plugins

Task 7: [Section 3 — Metasploit]: Setting Up

1. What command allows you to search modules? Answer: search
2. How do you select a module? Answer: use
3. How do you display information about a specific module? Answer: info
4. How do you list options that you can set? Answer: options
5. What command lets you view advanced options for a specific module? Answer: advanced
6. How do you show options in a specific category? Answer: show

Task 8: [Section 3 — Metasploit]: — Selecting a module

1. How do you select the eternalblue module? Answer: use exploit/windows/smb/ms17_010_eternalblue
2. What option allows you to select the target host(s)? Answer: RHOSTS
3. How do you set the target port? Answer: RPORT
4. What command allows you to set options? Answer: set
5. How would you set SMBPass to “username”? Answer: set SMBPass username
6. How would you set the SMBUser to “password”? Answer: set SMBUser password
7. What option sets the architecture to be exploited? Answer: arch
8. What option sets the payload to be sent to the target machine? Answer: payload
9. Once you’ve finished setting all the required options, how do you run the exploit? Answer: exploit
10. What flag do you set if you want the exploit to run in the background? Answer: -j
11. How do you list all current sessions? Answer: sessions
12. What flag allows you to go into interactive mode with a session(“drops you either into a meterpreter or regular shell”). Answer: -i

Task 9: [Section 3 — Metasploit]: meterpreter

1. What command allows you to download files from the machine? Answer: download
2. What command allows you to upload files to the machine? Answer: upload
3. How do you list all running processes? Answer: ps
4. How do you change processes on the victim host(Ideally it will allow you to change users and gain the perms associated with that user). Answer: migrate
5. What command lists files in the current directory on the remote machine? Answer: ls
6. How do you execute a command on the remote host? Answer: execute
7. What command starts an interactive shell on the remote host? Answer: shell
8. How do you find files on the target host(A similar function to the Linux command “find”)? Answer: search
9. How do you get the output of a file on the remote host? Answer: cat
10. How do you put a meterpreter shell into “background mode”(allows you to run other msf modules while also keeping the meterpreter shell as a session)? Answer: background

Task 10: [Section 3 — Metasploit]: Final Walkthrough

1. Select the module that needs to be exploited. Answer: use exploit/multi/http/nostromo_code_exec
2. What variable do you need to set, to select the remote host. Answer: rhosts
3. How do you set the port to 80. Answer: set rport 80
4. How do you set listening address(Your machine). Answer: lhost
5. Exploit the machine! Answer: No answer needed
6. What is the name of the secret directory in the /var/nostromo/htdocs directory? Answer: s3cretd1r
7. What are the contents of the file inside of the directory? Answer: Woohoo!

Task 13: [Section 4 — Hash Cracking]: hashcat

1. What flag sets the mode. Answer: -m
2. What flag sets the “attack mode”. Answer: -a
3. What is the attack mode number for Brute-force. Answer: 3
4. What is the mode number for SHA3–512. Answer: 17600
5. Crack This Hash:56ab24c15b72a457069c5ea42fcfc640. Type: MD5. Answer: happy
6. Crack this hash: 4bc9ae2b9236c2ad02d81491dcb51d5f. Type: MD4. Answer: nootnoot

Task 14: [Section 4 — Hash Cracking]: John The Ripper

1. What flag let’s you specify which wordlist to use? Answer: — wordlist
2. What flag lets you specify which hash format(Ex: MD5,SHA1 etc.) to use? Answer: — format
3. How do you specify which rule to use? Answer: — rules
4. Crack this hash: 5d41402abc4b2a76b9719d911017c592. Type: MD5. Answer: hello
5. Crack this hash: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8. Type: SHA1. Answer: password

Task 16: [Section 5 — SQL Injection]: sqlmap

1. How do you specify which url to check? Answer: -u
2. What about which google dork to use? Answer: -g
3. How do you select(lol) which parameter to use?(Example: in the url http://ex.com?test=1 the parameter would be test.). Answer: -p
4. What flag sets which database is in the target host’s backend?(Example: If the flag is set to mysql then sqlmap will only test mysql injections). Answer: — dbms
5. How do you select the level of depth sqlmap should use(Higher = more accurate and more tests in general). Answer: — level
6. How do you dump the table entries of the database? Answer: — dump
7. Which flag sets which db to enumerate? (Case sensitive). Answer: -D
8. Which flag sets which table to enumerate? (Case sensitive). Answer: -T
9. Which flag sets which column to enumerate? (Case sensitive). Answer: -C
10. How do you ask sqlmap to try to get an interactive os-shell? Answer: — os-shell
11. What flag dumps all data from every table. Answer: — dump-all

Task 18: [Section 5 — SQL Injection]: Vulnerable Web Application

1. Set the url to the machine ip, and run the command. Answer: No answer needed
2. How many types of sqli is the site vulnerable to? Answer: 3
3. Dump the database. Answer: No answer needed
4. What is the name of the database? Answer: tests
5. How many tables are in the database? Answer: 2
6. What is the value of the flag? Answer: found_me

Task 20: [Section 6 — Samba]: smbmap

1. How do you set the username to authenticate with? Answer: -u
2. What about the password? Answer: -p
3. How do you set the host? Answer: -H
4. What flag runs a command on the server(assuming you have permissions that is)? Answer: -x
5. How do you specify the share to enumerate? Answer: -s
6. How do you set which domain to enumerate? Answer: -d
7. What flag downloads a file? Answer: — download
8. What about uploading one? Answer: — upload
9. Given the username “admin”, the password “password”, and the ip “10.10.10.10”, how would you run ipconfig on that machine. Answer: smbmap -u “admin” -p “password” -H 10.10.10.10 -x “ipconfig”

Task 21: [Section 6 — Samba]: smbclient

1. How do you specify which domain(workgroup) to use when connecting to the host? Answer: -w
2. How do you specify the ip address of the host? Answer: -I
3. How do you run the command “ipconfig” on the target machine? Answer: -c “ipconfig”
4. How do you specify the username to authenticate with? Answer: -U
5. How do you specify the password to authenticate with? Answer: -P
6. What flag is set to tell smbclient to not use a password? Answer: -N
7. While in the interactive prompt, how would you download the file test, assuming it was in the current directory? Answer: get test
8. In the interactive prompt, how would you upload your /etc/hosts file. Answer: put /etc/hosts

Task 24: [Section 7 — Final Exam]: Good Luck :D

1. What is the user.txt. Answer: supernootnoot
2. What is the root.txt. Answer: congratulations!!!!

Follow me on LinkedIn: https://www.linkedin.com/in/-prashantkumar07/