Tryhackme:CC: PenTesting(PART-2)

8 min readMar 27, 2021

A crash course on various topics in penetration testing

[Section 4 — Hash Cracking]: hashcat:

hashcat is another one of the most popular hash cracking tools. It is renowned for its versatility and speed. Hashcat does not have auto detection for hashtypes, instead it has modes. For example if you were trying to crack an md5 hash the “mode” would be 0, while if you were trying to crack a sha1 hash, the mode would be 100.

A full list of all modes can be found here.

1.What flag sets the mode.

A:-m

2.What flag sets the “attack mode”

A:-a

3.What is the attack mode number for Brute-force

A:3

4.What is the mode number for SHA3–512

A:17600

5.Crack This Hash

56ab24c15b72a457069c5ea42fcfc640

Type: MD5

#command:hashcat -a 3 -m 0 md5.hash ?a?a?a?a?a

A:happy

6.Crack this hash:

4bc9ae2b9236c2ad02d81491dcb51d5f

Type: MD4

#command:hashcat -a 0 -m 900 md4.hash rockyou.txt

A:nootnoot

[Section 4 — Hash Cracking]: John The Ripper:

John The Ripper(jtr) is one of the best hash cracking tools available. It supports numerous formats of hashes and is extremely easy to use, while having a lot of options for customization.

Note: There are multiple variations of jtr out there. For this task the version that comes pre-installed on kali will be used

Note 2: All hashes can be cracked with rockyou.txt

1.What flag let’s you specify which wordlist to use?

A: — wordlist

2.What flag lets you specify which hash format(Ex: MD5,SHA1 etc.) to use?

A: — format

3.How do you specify which rule to use?

A: — rules

4.Crack this hash:

5d41402abc4b2a76b9719d911017c592

Type: MD5

command:sudo john — format=RAW-MD5 — wordlist=rockyou.txt md5.txt , john — format=RAW-MD5 md5.txt

A:hello

5.Crack this hash:

5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8

Type: SHA1

command:sudo john — format=RAW-SHA1 — wordlist=rockyou.txt md5.txt , john — format=RAW-SHA1 md5.txt

A:password

[Section 5 — SQL Injection]: Intro:

SQL injection is the art of modifying a SQL query so you can get access to the target’s database. This technique is often used to get user’s data such as passwords, emails etc. SQL injection is one of the most common web vulnerabilities, and as such, it is highly worth checking for

Section 5 — SQL Injection]: sqlmap:

Sqlmap is arguably the most popular automated SQL injection tool out there. It checks for various types of injections, and has plenty of customization options.

1.How do you specify which url to check?

A:-u

2.What about which google dork to use?

A:-g

3.How do you select(lol) which parameter to use?(Example: in the url http://ex.com?test=1 the parameter would be test.)

A:-p

4.What flag sets which database is in the target host’s backend?(Example: If the flag is set to mysql then sqlmap will only test mysql injections).

A: — dbms

5.How do you select the level of depth sqlmap should use(Higher = more accurate and more tests in general).

A: — level

6.How do you dump the table entries of the database?

A: — dump

7.Which flag sets which db to enumerate?

(Case sensitive)

A:-D

8.Which flag sets which table to enumerate?

(Case sensitive)

A:-T

9.Which flag sets which column to enumerate?

(Case sensitive)

A:-C

10.How do you ask sqlmap to try to get an interactive os-shell?

A: — os-shell

11.What flag dumps all data from every table

A: — dump-all

Section 5 — SQL Injection]: A Note on Manual SQL Injection:

Occasionally you will be unable to use sqlmap. This can be for a variety of reasons, such as a the target has set up a firewall or a request limit. In this case it is worth knowing how to do basic manual SQL Injection, if only to confirm that there is SQL Injection. A list of ways to check for SQL Injection can be found here.

Note: As there are various ways to check for sql injection, and it would be difficult to properly convey how to test for sqli given each situation, there will be no questions for this task.

[Section 5 — SQL Injection]: Vulnerable Web Application:

To demonstrate how to use sqlmap to check for vulnerabilities and dump table data, I will be walking you through an example web app. Deploy the machine and let’s get started!

Note: This task will be using sqlmap, however you are welcome to try to exploit it manually. It outputs the full SQL query on every attempt, so you can know what mysql is trying to do!

command:sqlmap -u <target-ip> — forms — level=1 — dbs

1.Set the url to the machine ip, and run the command

A:no answer need

2.How many types of sqli is the site vulnerable to?

A:3

3.Dump the database.

A:no answer need

4.What is the name of the database?

A:tests

5.How many tables are in the database?

A:2

6.What is the value of the flag?

A:found_me

[Section 6 — Samba]: Intro:

Most of the pentesting techniques and tools you’ve seen so far can be used on both Windows and Linux. However, one of the things you’ll find most often when pen testing Windows machines is samba, and it is worth making a section dedicated to enumerating it.

Note: Samba is cross platform as well, however this section will primarily be focused on Windows enumeration; some of the techniques you see here still apply to Linux as well.

[Section 6 — Samba]: smbmap:

Continuing with the trend of tools having “map” in the name being extremely popular, smbmap is one of the best ways to enumerate samba. smbmap allows pen-testers to run commands(given proper permissions), download and upload files, and overall is just incredibly useful for smb enumeration.

1.How do you set the username to authenticate with?

A:-u

2.What about the password?

A:-p

3.How do you set the host?

A:-h

4.What flag runs a command on the server(assuming you have permissions that is)?

A:-x

5.How do you specify the share to enumerate?

A:-s

6.How do you set which domain to enumerate?

A:-d

7.What flag downloads a file?

A: — download

8.What about uploading one?

A: — upload

9.Given the username “admin”, the password “password”, and the ip “10.10.10.10”, how would you run ipconfig on that machine

A:smbmap -u “admin” -p “password” -H 10.10.10.10 -x “ipconfig”

[Section 6 — Samba]: smbclient:

smbclient allows you to do most of the things you can do with smbmap, and it also offers you and interactive prompt.

1.How do you specify which domain(workgroup) to use when connecting to the host?

A:-w

2.How do you specify the ip address of the host?

A:-i

3.How do you run the command “ipconfig” on the target machine?

A:-c “ipconfig”

4.How do you specify the username to authenticate with?

A:-u

5.How do you specify the password to authenticate with?

A:-p

6.What flag is set to tell smbclient to not use a password?

A:-n

7.While in the interactive prompt, how would you download the file test, assuming it was in the current directory?

A:get test

8.In the interactive prompt, how would you upload your /etc/hosts file

A:put /etc/hosts

[Section 6 — Samba]: A note about impacket:

impacket is a collection of extremely useful windows scripts. It is worth mentioning here, as it has many scripts available that use samba to enumerate and even gain shell access to windows machines. All scripts can be found here.

Note: impacket has scripts that use other protocols and services besides samba.

[Miscellaneous]: A note on privilege escalation:

privilege escalation is such a large topic that it would be impossible to do it proper justice in this type of room. However, it is a necessary topic that must be covered, so rather than making a task with questions, I shall provide you all with some resources.

General:

https://github.com/swisskyrepo/PayloadsAllTheThings (A bunch of tools and payloads for every stage of pentesting)

Linux:

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ (a bit old but still worth looking at)

https://github.com/rebootuser/LinEnum (One of the most popular priv esc scripts)

https://github.com/diego-treitos/linux-smart-enumeration/blob/master/lse.sh (Another popular script)

https://github.com/mzet-/linux-exploit-suggester (A Script that’s dedicated to searching for kernel exploits)

https://gtfobins.github.io (I can not overstate the usefulness of this for priv esc, if a common binary has special permissions, you can use this site to see how to get root perms with it.)

Windows:

https://www.fuzzysecurity.com/tutorials/16.html (Dictates some very useful commands and methods to enumerate the host and gain intel)

https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp (A bit old but still an incredibly useful script)

https://github.com/411Hall/JAWS (A general enumeration script)

[Section 7 — Final Exam]: Good Luck :D:

Throughout this course, you have learned many tactics and tools to pentesting. This is where it all gets put to the test, I have put together a beginner level ctf, that contains 2 flags. Good luck and have fun