In this article, I have tried to put together a write-up for the "CC: Pen Testing" room on TryHackMe.
[Task 1] Introduction
The idea behind this room is to provide an introduction to various tools and concepts usually encountered in penetration testing.
#1 Read the above.
ANSWER: No answer needed
[Task 2] [Section 1 – Network Utilities] – nmap
nmap is one of the most important tools for pentesting.
#1 What does nmap stand for?
ANSWER: Network Mapper
#2 How do you specify which port(s) to scan?
ANSWER: -p
#3 How do you do a "ping scan" (just tests if the host(s) is up)?
ANSWER: -sn
#4 What is the flag for a UDP scan?
ANSWER: -sU
#5 How do you run default scripts?
ANSWER: -sC
#6 How do you enable "aggressive mode"?
ANSWER: -A
#7 What flag enables OS detection?
ANSWER: -O
#8 How do you get the versions of services running on the target machine?
ANSWER: -sV
#9 Deploy the machine
After deploying the machine, you can run this nmap command:
nmap -A -sC -sV -O <IP Address>
You can see my nmap result; all the answers below can be read from it.
ANSWER: No answer needed
#10 How many ports are open on the machine?
ANSWER: 1
#11 What service is running on the machine?
ANSWER: Apache
#12 What is the version of the service?
ANSWER: 2.4.18
#13 What is the output of the http-title script (included in default scripts)?
ANSWER: Apache2 Ubuntu Default Page: It Works
[Task 3] [Section 1 – Network Utilities] – Netcat
You can see the netcat help page:
#1 How do you listen for connections?
ANSWER: -l
#2 How do you enable verbose mode (allows you to see who connected to you)?
ANSWER: -v
#3 How do you specify a port to listen on?
ANSWER: -p
#4 How do you specify which program to execute after you connect to a host (one of the most infamous)?
ANSWER: -e
#5 How do you connect to UDP ports?
ANSWER: -u
[Task 4] [Section 2 – Web Enumeration] – gobuster
You can see the gobuster help page:
#1 How do you specify directory/file brute forcing mode?
ANSWER: dir
#2 How do you specify dns bruteforcing mode?
ANSWER: dns
#3 What flag sets extensions to be used?
ANSWER: -x
#4 What flag sets a wordlist to be used?
ANSWER: -w
#5 How do you set the Username for basic authentication?
ANSWER: -U
#6 How do you set the password for basic authentication?
ANSWER: -P
#7 How do you set which status codes gobuster will interpret as valid?
ANSWER: -s
#8 How do you skip ssl certificate verification?
ANSWER: -k
#9 How do you specify a User-Agent?
ANSWER: -a
#10 How do you specify a HTTP header?
ANSWER: -H
#11 What flag sets the URL to bruteforce?
ANSWER: -u
#12 Deploy the machine
After deploying the machine, you can run this command:
gobuster dir -u http://<Machine IP> -w /usr/share/wordlists/dirb/common.txt -t 64
#13 What is the name of the hidden directory?
You can see the answer in the picture above.
ANSWER: secret
#14 What is the name of the hidden file with the extension xxa?
You can see my answer:
ANSWER: password
[Task 5] [Section 2 – Web Enumeration] – nikto
You can use the nikto help page:
#1 How do you specify which host to use?
ANSWER: -h
#2 What flag disables ssl?
ANSWER: -nossl
#3 How do you force ssl?
ANSWER: -ssl
#4 How do you specify authentication (username + pass)?
ANSWER: -id
#5 How do you select which plugin to use?
ANSWER: -plugins
#6 Which plugin checks if you can enumerate apache users?
You have to run this command:
Then you can see the answer:
ANSWER: apacheusers
#7 How do you update the plugin list?
ANSWER: -update
#8 How do you list all possible plugins to use?
ANSWER: --list-plugins
[Task 6] [Section 3 – Metasploit]: Intro
#1
ANSWER: No answer needed
[Task 7] [Section 3 – Metasploit]: Setting Up
#1 What command allows you to search modules?
ANSWER: search
#2 How do you select a module?
ANSWER: use
#3 How do you display information about a specific module?
ANSWER: info
#4 How do you list options that you can set?
ANSWER: options
#5 What command lets you view advanced options for a specific module?
ANSWER: advanced
#6 How do you show options in a specific category?
ANSWER: show
[Task 8] [Section 3 – Metasploit]: Selecting a module
This task will take you through selecting and setting options for one of the most popular metasploit modules, "eternalblue". All basic commands that could be run before selecting a module can also be run while a module is selected.
#1 How do you select the eternalblue module?
ANSWER: use exploit/windows/smb/ms17_010_eternalblue
#2 What option allows you to select the target host(s)?
ANSWER: RHOSTS
#3 How do you set the target port?
ANSWER: RPORT
#4 What command allows you to set options?
ANSWER: set
#5 How would you set SMBPass to "username"?
ANSWER: set SMBPass username
#6 How would you set the SMBUser to "password"?
ANSWER: set SMBUser password
#7 What option sets the architecture to be exploited?
ANSWER: arch
#8 What option sets the payload to be sent to the target machine?
ANSWER: payload
#9 Once you've finished setting all the required options, how do you run the exploit?
ANSWER: exploit
#10 What flag do you set if you want the exploit to run in the background?
ANSWER: -j
#11 How do you list all current sessions?
ANSWER: sessions
#12 What flag allows you to go into interactive mode with a session?
ANSWER: -i
[Task 9] [Section 3 – Metasploit]: meterpreter
#1 What command allows you to download files from the machine?
ANSWER: download
#2 What command allows you to upload files to the machine?
ANSWER: upload
#3 How do you list all running processes?
ANSWER: ps
#4 How do you change processes on the victim host?
ANSWER: migrate
#5 What command lists files in the current directory on the remote machine?
ANSWER: ls
#6 How do you execute a command on the remote host?
ANSWER: execute
#7 What command starts an interactive shell on the remote host?
ANSWER: shell
#8 How do you find files on the target host?
ANSWER: search
#9 How do you get the output of a file on the remote host?
ANSWER: cat
#10 How do you put a meterpreter shell into "background mode"?
ANSWER: background
[Task 10] [Section 3 – Metasploit]: Final Walkthrough
Let's select the "exploit/multi/http/nostromo_code_exec" module and list the options:
#1 Select the module that needs to be exploited
ANSWER: use exploit/multi/http/nostromo_code_exec
#2 What variable do you need to set, to select the remote host?
ANSWER: rhosts
#3 How do you set the port to 80?
ANSWER: set rport 80
#4 How do you set the listening address (your machine)?
ANSWER: lhost
#5 Exploit the machine!
Let's set the parameters, then exploit this machine 🙂
#6 What is the name of the secret directory in the /var/nostromo/htdocs directory?
You can do it like me:
ANSWER: s3cretd1r
#7 What are the contents of the file inside of the directory?
ANSWER: Woohoo!
[Task 11] [Section 4 – Hash Cracking]: Intro
#1
ANSWER: No answer needed
[Task 12] [Section 4 – Hash Cracking]: Salting and Formatting
#1
ANSWER: No answer needed
[Task 13] [Section 4 – Hash Cracking]: hashcat
#1 What flag sets the mode?
ANSWER: -m
#2 What flag sets the "attack mode"?
ANSWER: -a
#3 What is the attack mode number for Brute-force?
ANSWER: 3
#4 What is the mode number for SHA3-512?
ANSWER: 17600
#5 Crack This Hash: 56ab24c15b72a457069c5ea42fcfc640
You can use this web site.
ANSWER: happy
#6 Crack this hash: 4bc9ae2b9236c2ad02d81491dcb51d5f
You can use this web site.
ANSWER: nootnoot
[Task 14] [Section 4 – Hash Cracking]: John The Ripper
#1 What flag lets you specify which wordlist to use?
ANSWER: --wordlist
#2 What flag lets you specify which hash format (Ex: MD5, SHA1 etc.) to use?
ANSWER: --format
#3 How do you specify which rule to use?
ANSWER: --rules
#4 Crack this hash: 5d41402abc4b2a76b9719d911017c592
You can use this command in the "/root/Desktop" directory.
ANSWER: hello
#5 Crack this hash: 5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
You can use this command in the "/root/Desktop" directory.
ANSWER: password
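The four digests in the hashcat and John tasks above are unsalted MD5/SHA-1 hashes of dictionary words, which is why a wordlist recovers them instantly. The following Python is an added example, not code from the room or the original write-up: it picks the algorithm from the digest length (the same decision you make by hand for hashcat -m or john --format), checks the page's digests against a constructed stand-in wordlist, and then shows why a salted, iterated hash (PBKDF2 here) resists the same lookup; the wordlist contents and the PBKDF2 parameters are assumptions of this example.

```python
import hashlib

# Digests quoted in the hashcat and John tasks above (two MD5, two SHA-1).
PAGE_HASHES = [
    "56ab24c15b72a457069c5ea42fcfc640",
    "4bc9ae2b9236c2ad02d81491dcb51d5f",
    "5d41402abc4b2a76b9719d911017c592",
    "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
]

# Constructed stand-in for a wordlist such as rockyou.txt.
WORDLIST = ["123456", "happy", "nootnoot", "hello", "password", "letmein"]


def guess_algorithm(digest):
    """Choose the hash function from the hex length, the same decision a
    tester makes by hand for hashcat -m or john --format (MD5=32, SHA-1=40,
    SHA-256=64 hex characters)."""
    return {32: "md5", 40: "sha1", 64: "sha256"}[len(digest)]


def crack(digest, wordlist):
    """Unsalted fast hash: one digest per candidate and a direct comparison."""
    algo = guess_algorithm(digest)
    for word in wordlist:
        if hashlib.new(algo, word.encode()).hexdigest() == digest.lower():
            return word
    return None


def salted_hash(password, salt, iterations=100_000):
    """What a defender should store instead: PBKDF2-HMAC-SHA256 with a
    per-user random salt and a deliberately slow iteration count."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def crack_salted(stored_hex, salt, wordlist, iterations=100_000):
    """Each guess now costs the full iteration count, the salt must be known,
    and a table precomputed for one user is useless against another."""
    for word in wordlist:
        if salted_hash(word, salt, iterations) == stored_hex:
            return word
    return None


if __name__ == "__main__":
    for digest in PAGE_HASHES:
        print(digest, "->", crack(digest, WORDLIST))
```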
[Task 15] [Section 5 – SQL Injection]: Intro
#1
ANSWER: No answer needed
[Task 16] [Section 5 – SQL Injection]: sqlmap
Sqlmap is arguably the most popular automated SQL injection tool out there.
You can see the sqlmap help menu:
#1 How do you specify which url to check?
You can see the answer above the picture.
ANSWER: -u
#2 What about which google dork to use?
You can see the answer above the picture.
ANSWER: -g
#3 How do you select (lol) which parameter to use?
ANSWER: -p
#4 What flag sets which database is in the target host's backend?
You can see the answer in the previous picture 🙂
ANSWER: --dbms
#5 How do you select the level of depth sqlmap should use?
ANSWER: --level
#6 How do you dump the table entries of the database?
ANSWER: --dump
#7 Which flag sets which db to enumerate?
You can see the answer in the previous picture 🙂
ANSWER: -D
#8 Which flag sets which table to enumerate?
You can see the answer in the previous picture 🙂
ANSWER: -T
#9 Which flag sets which column to enumerate?
You can see the answer in the previous picture 🙂
ANSWER: -C
#10 How do you ask sqlmap to try to get an interactive os-shell?
ANSWER: --os-shell
#11 What flag dumps all data from every table?
ANSWER: --dump-all
[Task 17] [Section 5 – SQL Injection]: A Note on Manual SQL Injection
#1
ANSWER: No answer needed
[Task 18] [Section 5 – SQL Injection]: Vulnerable Web Application
To demonstrate how to use sqlmap to check for vulnerabilities and dump table data, I will be walking you through an example web app. Deploy the machine and let's get started!
#1 Set the url to the machine ip, and run the command
ANSWER: No answer needed
#2 How many types of sqli is the site vulnerable to?
ANSWER: 3
#3 Dump the database.
You can use this command: You should answer all questions with "Y".
ANSWER: No answer needed
#4 What is the name of the database?
ANSWER: tests
#5 How many tables are in the database?
Their names are "msg" and "flag".
ANSWER: 2
#6 What is the value of the flag?
ANSWER: found_me
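Everything sqlmap did here, from detecting three injection types to dumping the "flag" table with --dump, depends on the application building its SQL by concatenating the request parameter. As an added example (not the room's application or the write-up's own code), the Python below constructs an in-memory stand-in for the "tests" database with its "msg" and "flag" tables (names from the task, contents invented here) and puts the string-built query beside the parameterised fix, so you can see why one leaks the flag and the other treats the same input as plain data.

```python
import sqlite3


def build_db():
    """Constructed in-memory stand-in for the room's 'tests' database.
    Table names come from the write-up; the rows are invented."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE msg (id INTEGER PRIMARY KEY, body TEXT);
        CREATE TABLE flag (id INTEGER PRIMARY KEY, value TEXT);
        INSERT INTO msg (body) VALUES ('hello'), ('welcome');
        INSERT INTO flag (value) VALUES ('found_me');
    """)
    return db


def search_vulnerable(db, term):
    """String-built query: the parameter becomes part of the SQL grammar.
    This is the pattern sqlmap's boolean, UNION and error tests detect."""
    sql = "SELECT body FROM msg WHERE body = '" + term + "'"
    return [row[0] for row in db.execute(sql)]


def search_fixed(db, term):
    """Parameterised query: the driver binds the value, so it can never
    change the statement, whatever characters it contains."""
    sql = "SELECT body FROM msg WHERE body = ?"
    return [row[0] for row in db.execute(sql, (term,))]


if __name__ == "__main__":
    db = build_db()
    # A UNION probe of the kind sqlmap automates; only the vulnerable path
    # returns a row from the other table.
    probe = "' UNION SELECT value FROM flag --"
    print(search_vulnerable(db, probe))  # ['found_me']
    print(search_fixed(db, probe))       # []
```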
[Task 19] [Section 6 – Samba]: Intro
#1
ANSWER: No answer needed
[Task 20] [Section 6 – Samba]: smbmap
You can use the help menu.
#1 How do you set the username to authenticate with?
ANSWER: -u
#2 What about the password?
ANSWER: -p
#3 How do you set the host?
ANSWER: -H
#4 What flag runs a command on the server?
ANSWER: -x
#5 How do you specify the share to enumerate?
ANSWER: -s
#6 How do you set which domain to enumerate?
ANSWER: -d
#7 What flag downloads a file?
ANSWER: --download
#8 What about uploading one?
ANSWER: --upload
#9 Given the username "admin", the password "password", and the ip "10.10.10.10", how would you run ipconfig on that machine?
ANSWER: smbmap -u "admin" -p "password" -H 10.10.10.10 -x "ipconfig"
[Task 21] [Section 6 – Samba]: smbclient
You can use the help menu.
#1 How do you specify which domain (workgroup) to use when connecting to the host?
ANSWER: -w
#2 How do you specify the ip address of the host?
ANSWER: -I
#3 How do you run the command "ipconfig" on the target machine?
ANSWER: -c "ipconfig"
#4 How do you specify the username to authenticate with?
ANSWER: -U
#5 How do you specify the password to authenticate with?
ANSWER: -P
#6 What flag is set to tell smbclient to not use a password?
ANSWER: -N
#7 While in the interactive prompt, how would you download the file test, assuming it was in the current directory?
ANSWER: get test
#8 In the interactive prompt, how would you upload your /etc/hosts file?
ANSWER: put /etc/hosts
[Task 22] [Section 6 – Samba]: A note about impacket
#1
ANSWER: No answer needed
[Task 23] [Miscellaneous]: A note on privilege escalation
#1
ANSWER: No answer needed
[Task 24] [Section 7 – Final Exam]: Good Luck 😀
First, you have to search the directory with "gobuster". I used the "directory-list-2.3-medium.txt" wordlist.
I found the "/secret" directory. Then I searched this directory again with the ".txt, .php, .html" extensions.
I found the "secret.txt" directory.
I got some information. I tried to crack the hash value.
Then I connected with ssh.
Username: nyan
Password: nyan
#1 What is the user.txt?
ANSWER: supernootnoot
#2 What is the root.txt?
ANSWER: congratulations!!!!
So far, I have tried to explain the solutions to the questions in as much detail as I can. I hope it helped you. See you in my next write-up.
Source: https://fthcyber.com/2020/10/14/cc-pen-testing-writeup-tryhackme/