TryHackMe: CC Pen Testing Writeup

CC Pen Testing Logo at TryHackMe

This room is a crash course on various topics in penetration testing. The room can be accessed using the link: https://tryhackme.com/room/ccpentesting

Task 1: Introduction

  1. Read the above. Answer: No answer needed

Task 2: [Section 1 — Network Utilities] — nmap

  1. What does nmap stand for? Answer: Network Mapper
  2. How do you specify which port(s) to scan? Answer: -p
  3. How do you do a “ping scan”(just tests if the host(s) is up)? Answer: -sn
  4. What is the flag for a UDP scan? Answer: -sU
  5. How do you run default scripts? Answer: -sC
  6. How do you enable “aggressive mode”(Enables OS detection, version detection, script scanning, and traceroute). Answer: -A
  7. What flag enables OS detection. Answer: -O
  8. How do you get the versions of services running on the target machine. Answer: -sV
  9. Deploy the machine. Answer: No answer needed.
  10. How many ports are open on the machine? Answer: 1
  11. What service is running on the machine? Answer: Apache
  12. What is the version of the service? Answer: 2.4.18
  13. What is the output of the http-title script(included in default scripts). Answer: Apache2 Ubuntu Default Page: It Works

Task 3: [Section 1 — Network Utilities] — Netcat

  1. How do you listen for connections? Answer: -l
  2. How do you enable verbose mode(allows you to see who connected to you)? Answer: -v
  3. How do you specify a port to listen on. Answer: -p
  4. How do you specify which program to execute after you connect to a host(One of the most infamous)? Answer: -e
  5. How do you connect to udp ports. Answer: -u

Task 4: [Section 2 — Web Enumeration] — gobuster

  1. How do you specify directory/file brute forcing mode? Answer: dir
  2. How do you specify dns bruteforcing mode? Answer: dns
  3. What flag sets extensions to be used? Example: if the php extension is set, and the word is “admin” then gobuster will test admin.php against the webserver. Answer: -x
  4. What flag sets a wordlist to be used? Answer: -w
  5. How do you set the Username for basic authentication(If the directory requires a username/password)? Answer: -U
  6. How do you set the password for basic authentication? Answer: -P
  7. How do you set which status codes gobuster will interpret as valid Example: 200,400,404,204. Answer: -s
  8. How do you skip ssl certificate verification? Answer: -k
  9. How do you specify a User-Agent? Answer: -a
  10. How do you specify a HTTP header? Answer: -H
  11. What flag sets the URL to bruteforce? Answer: -u
  12. Deploy the machine. Answer: NO answer needed
  13. What is the name of the hidden directory. Answer: secret
  14. What is the name of the hidden file with the extension xxa. Answer: password

Task 5: [Section 2 — Web Enumeration] — nikto

  1. How do you specify which host to use? Answer: -h
  2. What flag disables SSL? Answer: -nossl
  3. How do you force SSL? Answer: -ssl
  4. How do you specify authentication(username + pass)? Answer: -id
  5. How do you select which plugin to use? Answer: -plugins
  6. Which plugin checks if you can enumerate apache users? Answer: apacheusers
  7. How do you update the plugin list. Answer: -update
  8. How do you list all possible plugins to use. Answer: — list-plugins

Task 7: [Section 3 — Metasploit]: Setting Up

  1. What command allows you to search modules? Answer: search
  2. How do you select a module? Answer: use
  3. How do you display information about a specific module? Answer: info
  4. How do you list options that you can set? Answer: options
  5. What command lets you view advanced options for a specific module? Answer: advanced
  6. How do you show options in a specific category? Answer: show

Task 8: [Section 3 — Metasploit]: — Selecting a module

  1. How do you select the eternalblue module? Answer: use exploit/windows/smb/ms17_010_eternalblue
  2. What option allows you to select the target host(s)? Answer: RHOSTS
  3. How do you set the target port? Answer: RPORT
  4. What command allows you to set options? Answer: set
  5. How would you set SMBPass to “username”? Answer: set SMBPass username
  6. How would you set the SMBUser to “password”? Answer: set SMBUser password
  7. What option sets the architecture to be exploited? Answer: arch
  8. What option sets the payload to be sent to the target machine? Answer: payload
  9. Once you’ve finished setting all the required options, how do you run the exploit? Answer: exploit
  10. What flag do you set if you want the exploit to run in the background? Answer: -j
  11. How do you list all current sessions? Answer: sessions
  12. What flag allows you to go into interactive mode with a session(“drops you either into a meterpreter or regular shell”). Answer: -i

Task 9: [Section 3 — Metasploit]: meterpreter

  1. What command allows you to download files from the machine? Answer: download
  2. What command allows you to upload files to the machine? Answer: upload
  3. How do you list all running processes? Answer: ps
  4. How do you change processes on the victim host(Ideally it will allow you to change users and gain the perms associated with that user). Answer: migrate
  5. What command lists files in the current directory on the remote machine? Answer: ls
  6. How do you execute a command on the remote host? Answer: execute
  7. What command starts an interactive shell on the remote host? Answer: shell
  8. How do you find files on the target host(A similar function to the Linux command “find”)? Answer: search
  9. How do you get the output of a file on the remote host? Answer: cat
  10. How do you put a meterpreter shell into “background mode”(allows you to run other msf modules while also keeping the meterpreter shell as a session)? Answer: background

Task 10: [Section 3 — Metasploit]: Final Walkthrough

  1. Select the module that needs to be exploited. Answer: use exploit/multi/http/nostromo_code_exec
  2. What variable do you need to set, to select the remote host. Answer: rhosts
  3. How do you set the port to 80. Answer: set rport 80
  4. How do you set listening address(Your machine). Answer: lhost
  5. Exploit the machine! Answer: No answer needed
  6. What is the name of the secret directory in the /var/nostromo/htdocs directory? Answer: s3cretd1r
  7. What are the contents of the file inside of the directory? Answer: Woohoo!

Task 13: [Section 4 — Hash Cracking]: hashcat

  1. What flag sets the mode. Answer: -m
  2. What flag sets the “attack mode”. Answer: -a
  3. What is the attack mode number for Brute-force. Answer: 3
  4. What is the mode number for SHA3–512. Answer: 17600
  5. Crack This Hash:56ab24c15b72a457069c5ea42fcfc640. Type: MD5. Answer: happy
  6. Crack this hash: 4bc9ae2b9236c2ad02d81491dcb51d5f. Type: MD4. Answer: nootnoot

Task 14: [Section 4 — Hash Cracking]: John The Ripper

  1. What flag let’s you specify which wordlist to use? Answer: — wordlist
  2. What flag lets you specify which hash format(Ex: MD5,SHA1 etc.) to use? Answer: — format
  3. How do you specify which rule to use? Answer: — rules
  4. Crack this hash: 5d41402abc4b2a76b9719d911017c592. Type: MD5. Answer: hello
  5. Crack this hash: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8. Type: SHA1. Answer: password

Task 16: [Section 5 — SQL Injection]: sqlmap

  1. How do you specify which url to check? Answer: -u
  2. What about which google dork to use? Answer: -g
  3. How do you select(lol) which parameter to use?(Example: in the url http://ex.com?test=1 the parameter would be test.). Answer: -p
  4. What flag sets which database is in the target host’s backend?(Example: If the flag is set to mysql then sqlmap will only test mysql injections). Answer: — dbms
  5. How do you select the level of depth sqlmap should use(Higher = more accurate and more tests in general). Answer: — level
  6. How do you dump the table entries of the database? Answer: — dump
  7. Which flag sets which db to enumerate? (Case sensitive). Answer: -D
  8. Which flag sets which table to enumerate? (Case sensitive). Answer: -T
  9. Which flag sets which column to enumerate? (Case sensitive). Answer: -C
  10. How do you ask sqlmap to try to get an interactive os-shell? Answer: — os-shell
  11. What flag dumps all data from every table. Answer: — dump-all

Task 18: [Section 5 — SQL Injection]: Vulnerable Web Application

  1. Set the url to the machine ip, and run the command. Answer: No answer needed
  2. How many types of sqli is the site vulnerable to? Answer: 3
  3. Dump the database. Answer: No answer needed
  4. What is the name of the database? Answer: tests
  5. How many tables are in the database? Answer: 2
  6. What is the value of the flag? Answer: found_me

Task 20: [Section 6 — Samba]: smbmap

  1. How do you set the username to authenticate with? Answer: -u
  2. What about the password? Answer: -p
  3. How do you set the host? Answer: -H
  4. What flag runs a command on the server(assuming you have permissions that is)? Answer: -x
  5. How do you specify the share to enumerate? Answer: -s
  6. How do you set which domain to enumerate? Answer: -d
  7. What flag downloads a file? Answer: — download
  8. What about uploading one? Answer: — upload
  9. Given the username “admin”, the password “password”, and the ip “10.10.10.10”, how would you run ipconfig on that machine. Answer: smbmap -u “admin” -p “password” -H 10.10.10.10 -x “ipconfig”

Task 21: [Section 6 — Samba]: smbclient

  1. How do you specify which domain(workgroup) to use when connecting to the host? Answer: -w
  2. How do you specify the ip address of the host? Answer: -I
  3. How do you run the command “ipconfig” on the target machine? Answer: -c “ipconfig”
  4. How do you specify the username to authenticate with? Answer: -U
  5. How do you specify the password to authenticate with? Answer: -P
  6. What flag is set to tell smbclient to not use a password? Answer: -N
  7. While in the interactive prompt, how would you download the file test, assuming it was in the current directory? Answer: get test
  8. In the interactive prompt, how would you upload your /etc/hosts file. Answer: put /etc/hosts

Task 24: [Section 7 — Final Exam]: Good Luck :D

  1. What is the user.txt. Answer: supernootnoot
  2. What is the root.txt. Answer: congratulations!!!!

Follow me on LinkedIn: https://www.linkedin.com/in/-prashantkumar07/

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store