TryHackMe — Jr Penetration Tester — Network Security & Net Sec Challenge

Deepak Kushwah
15 min read · Oct 29, 2021

Room 1 — Passive Reconnaissance

Task 1 — Introduction

A brief introduction about module “Network Security”

Task 2 — Passive Versus Active Recon

Answer the questions below

Q 1. You visit the Facebook page of the target company, hoping to get some of their employee names. What kind of reconnaissance activity is this? (A for active, P for passive)

Ans. P

Q 2. You ping the IP address of the company webserver to check if ICMP traffic is blocked. What kind of reconnaissance activity is this? (A for active, P for passive)

Ans. A

Q 3. You happen to meet the IT administrator of the target company at a party. You try to use social engineering to get more information about their systems and network infrastructure. What kind of reconnaissance activity is this? (A for active, P for passive)

Ans. A

Task 3 — Whois

Q 1. When was TryHackMe.com registered?

Ans. 20180705

Q 2. What is the registrar of TryHackMe.com?

Ans. namecheap.com

Q 3. Which company is TryHackMe.com using for name servers?

Ans. .cloudflare.com

Task 4 — nslookup and dig

Q 1. Check the TXT records of thmlabs.com. What is the flag there?

Ans. “THM{a5b83929888ed36acb0272971e438d78}”

Task 5 — DNSDumpster

Answer the questions below

Q 1. Lookup tryhackme.com on DNSDumpster. What is one interesting subdomain that you would discover in addition to www and blog?

Ans. remote

Task 6 — Shodan.io

Answer the questions below

Q 1. According to Shodan.io, what is the 2nd country in the world in terms of the number of publicly accessible Apache servers?

Ans. Germany

Q 2. Based on Shodan.io, what is the 3rd most common port used for Apache?

Ans. 8080

Q 3. Based on Shodan.io, what is the 3rd most common port used for nginx?

Ans. 8888

Room 2 — Active Reconnaissance

Task 1 — Introduction

Read Only content !!

Task 2 — Web Browser

Answer the questions below

Q 1. Browse to the following website and ensure that you have opened your Developer Tools on AttackBox Firefox, or the browser on your computer. Using the Developer Tools, figure out the total number of questions.

Ans. 8

Task 3 — Ping

Answer the questions below

Q 1. Which option would you use to set the size of the data carried by the ICMP echo request?

Ans. -s

Q 2. What is the size of the ICMP header in bytes?

Ans. 8

Q 3. Does MS Windows Firewall block ping by default? (Y/N)

Ans. Y

Q 4. Deploy the VM for this task and using the AttackBox terminal, issue the command ping -c 10 10.10.5.50. How many ping replies did you get back?

Ans. 10

Task 4 — Traceroute

Answer the questions below

Q 1. Start the attached VM from Task 3 if it is not already started. On the AttackBox, open the terminal and use the telnet client to connect to the VM on port 80. What is the name of the running server?

Ans. Apache

Q 2. What is the version of the running server (on port 80 of the VM)?

Ans. 2.4.10

Task 6 — Netcat

Answer the questions below

Q 1. Start the VM and open the AttackBox. Once the AttackBox loads, use Netcat to connect to the VM port 21. What is the version of the running server?

Ans. 0.17

Task 7 — Putting It All Together

Read Only module!!

Room 3 — Nmap Live Host Discovery

Task 1 — Introduction

Read only Task !!

Task 2 — Subnetworks

Answer the questions below

Statement: Send a packet with the following:

  • From computer1
  • To computer1 (to indicate it is broadcast)
  • Packet Type: “ARP Request”
  • Data: computer6 (because we are asking for computer6 MAC address using ARP Request)

Q 1. How many devices can see the ARP Request?

Ans. 4

Q 2. Did computer6 receive the ARP Request? (Y/N)

Ans. N

Statement 3 — Send a packet with the following:

  • From computer4
  • To computer4 (to indicate it is broadcast)
  • Packet Type: “ARP Request”
  • Data: computer6 (because we are asking for computer6 MAC address using ARP Request)

Q 1. How many devices can see the ARP Request?

Ans. 4

Q 2. Did computer6 reply to the ARP Request? (Y/N)

Ans. Y

Task 3 — Enumerating Targets

Answer the questions below

Q 1. What is the first IP address Nmap would scan if you provided 10.10.12.13/29 as your target?

Ans. 10.10.12.8

Q 2. How many IP addresses will Nmap scan if you provide the following range 10.10.0-255.101-125?

Ans. 6400
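The two answers above are pure target-specification arithmetic, so here is an added example (not code from the TryHackMe room or from the author) that reproduces them with the Python standard library: the network address of 10.10.12.13/29 and the expansion of the octet-range form 10.10.0-255.101-125.

```python
"""Nmap target-specification arithmetic for the two Task 3 questions.

Added example, not part of the room: shows why 10.10.12.13/29 starts at
10.10.12.8 and why 10.10.0-255.101-125 covers 6400 addresses. Useful when
sizing a scan scope or checking that an inventory export matches a range.
"""
import ipaddress
from itertools import product


def cidr_first_and_last(spec: str) -> tuple[str, str]:
    """Return the first and last address Nmap would scan for a CIDR target.

    strict=False accepts a host address such as 10.10.12.13/29; Nmap scans
    the whole block, so the network address (.8) comes first and the
    broadcast address (.15) last.
    """
    net = ipaddress.ip_network(spec, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def cidr_size(spec: str) -> int:
    """Number of addresses in a CIDR target (8 for a /29)."""
    return ipaddress.ip_network(spec, strict=False).num_addresses


def _octet_values(part: str) -> range:
    """Expand one octet of an Nmap range spec: '10', '0-255', '101-125' or '*'."""
    if part == "*":
        return range(256)
    if "-" in part:
        lo, hi = part.split("-", 1)
        lo_i, hi_i = int(lo), int(hi)
    else:
        lo_i = hi_i = int(part)
    if not 0 <= lo_i <= hi_i <= 255:
        raise ValueError(f"bad octet spec: {part!r}")
    return range(lo_i, hi_i + 1)


def count_octet_range(spec: str) -> int:
    """Count targets without materialising them: product of per-octet sizes."""
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets: {spec!r}")
    total = 1
    for part in octets:
        total *= len(_octet_values(part))
    return total


def expand_octet_range(spec: str) -> list[str]:
    """List every address of an octet-range spec, in Nmap's dotted order."""
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets: {spec!r}")
    ranges = [_octet_values(o) for o in octets]
    return [".".join(map(str, combo)) for combo in product(*ranges)]
```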

Task 4 — Discovering Live Hosts

Answer the questions below

Statement — Send a packet with the following:

  • From computer1
  • To computer3
  • Packet Type: “Ping Request”

Q 1. What is the type of packet that computer1 sent before the ping?

Ans. arp request

Q 2. What is the type of packet that computer1 received before being able to send the ping?

Ans. arp response

Q 3. How many computers responded to the ping request?

Ans. 1

Statement — Send a packet with the following:

  • From computer2
  • To computer5
  • Packet Type: “Ping Request”

Q 1. What is the name of the first device that responded to the first ARP Request?

Ans. router

Q 2. What is the name of the first device that responded to the second ARP Request?

Ans. Computer5

Q 3. Send another Ping Request. Did it require new ARP Requests? (Y/N)

Ans. N

Task 5 — Nmap Host Discovery Using ARP

Answer the questions below

Statement — We will be sending broadcast ARP Request packets with the following options:

  • From computer1
  • To computer1 (to indicate it is broadcast)
  • Packet Type: “ARP Request”
  • Data: try all the possible eight devices (other than computer1) in the network: computer2, computer3, computer4, computer5, computer6, switch1, switch2, and router.

Q 1. How many devices are you able to discover using ARP requests?

Ans. 3

Task 6 — Nmap Host Discovery Using ICMP

Answer the questions below

Q 1. What is the option required to tell Nmap to use ICMP Timestamp to discover live hosts?

Ans. -PP

Q 2. What is the option required to tell Nmap to use ICMP Address Mask to discover live hosts?

Ans. -PM

Q 3. What is the option required to tell Nmap to use ICMP Echo to discover live hosts?

Ans. -PE

Task 7 — Nmap Host Discovery Using TCP and UDP

Answer the questions below

Q 1. Which TCP ping scan does not require a privileged account?

Ans. TCP SYN ping

Q 2. Which TCP ping scan requires a privileged account?

Ans. TCP ACK ping

Q 3. What option do you need to add to Nmap to run a TCP SYN ping scan on the telnet port?

Ans. -PS23

Task 8 — Using Reverse-DNS Lookup

Answer the questions below

Q 1. We want Nmap to issue a reverse DNS lookup for all the possible hosts on a subnet, hoping to get some insights from the names. What option should we add?

Ans. -R

Room 4 — Nmap Basic Port Scans

Task 1 — Introduction

Read only part !!

Task 2 — TCP and UDP Ports

Answer the questions below

Q 1. Which service uses UDP port 53 by default?

Ans. DNS

Q 2. Which service uses TCP port 22 by default?

Ans. SSH

Q 3. How many port states does Nmap consider?

Ans. 6

Q 4. Which port state is the most interesting to discover as a pentester?

Ans. Open

Task 3 — TCP Flags

Answer the questions below

Q 1. What 3 letters represent the Reset flag?

Ans. RST

Q 2. Which flag needs to be set when you initiate a TCP connection (first packet of TCP 3-way handshake)?

Ans. SYN

Task 4 — TCP Connect Scan

Answer the questions below

Q 1. Launch the VM. Open the AttackBox and execute nmap -sT 10.10.99.73 via the terminal. A new service has been installed on this VM since our last scan. Which port number was closed in the scan above but is now open on this target VM?

Ans. 110

Q 2. What is Nmap’s guess about the newly installed service?

Ans. pop3

Task 5 — TCP SYN Scan

Answer the questions below

Launch the VM. Some new server software has been installed since the last time we scanned it. On the AttackBox, use the terminal to execute nmap -sS 10.10.139.114.

Q 1. What is the new open port?

Ans. 6667

Q 2. What is Nmap’s guess of the service name?

Ans. IRC

Task 6 — UDP Scan

Answer the questions below

Launch the VM. On the AttackBox, use the terminal to execute nmap -sU -F -v 10.10.139.114. A new service has been installed since the last scan.

Q 1. What is the UDP port that is now open?

Ans. 53

Q 2. What is the service name according to Nmap?

Ans. Domain

Task 7 — Fine-Tuning Scope and Performance

Answer the questions below

Q 1. What is the option to scan all the TCP ports between 5000 and 5500?

Ans. -p5000-5500

Q 2. How can you ensure that Nmap will run at least 64 probes in parallel?

Ans. --min-parallelism=64

Q 3. What option would you add to make Nmap very slow and paranoid?

Ans. T0

Task 8 — Summary

Read Only Task !!

Room 5 — Nmap Advanced Port Scans

Task 1 — Introduction

Read only task!!

Task 2 — TCP Null Scan, FIN Scan, and Xmas Scan

Answer the questions below

Q 1. In a null scan, how many flags are set to 1?

Ans. 0

Q 2. In a FIN scan, how many flags are set to 1?

Ans. 1

Q 3. In a Xmas scan, how many flags are set to 1?

Ans. 3

Start the VM and load the AttackBox. Once both are ready, open the terminal on the AttackBox and use nmap to launch a FIN scan against the target VM.

Q 4. How many ports appear as open|filtered?

Ans. 7

Q 5. Repeat your scan launching a null scan against the target VM. How many ports appear as open|filtered?

Ans. 7

Task 3 — TCP Maimon Scan

Answer the questions below

Q 1. In the Maimon scan, how many flags are set?

Ans. 2

Task 4 — TCP ACK, Window, and Custom Scan

Answer the questions below

Q 1. In TCP Window scan, how many flags are set?

Ans. 1

Q 2. You decided to experiment with a custom TCP scan that has the reset flag set. What would you add after --scanflags?

Ans. RST

The VM received an update to its firewall ruleset. A new port is now allowed by the firewall. After you make sure that you have terminated the VM from Task 2, start the VM for this task. Launch the AttackBox if you haven’t done that already. Once both are ready, open the terminal on the AttackBox and use Nmap to launch an ACK scan against the target VM. How many ports appear unfiltered?

Q 3. What is the new port number that appeared?

Ans. 443

Q 4. Is there any service behind the newly discovered port number? (Y/N)

Ans. N

Task 5 — Spoofing and Decoys

Answer the questions below

Q 1. What do you need to add to the command sudo nmap 10.10.245.128 to make the scan appear as if coming from the source IP address 10.10.10.11 instead of your IP address?

Ans. -S 10.10.10.11

Q 2. What do you need to add to the command sudo nmap 10.10.245.128 to make the scan appear as if coming from the source IP addresses 10.10.20.21 and 10.10.20.28 in addition to your IP address?

Ans. -D 10.10.20.21,10.10.20.28

Task 6 — Fragmented Packets

Answer the questions below

Q 1. If the TCP segment has a size of 64, and -ff option is being used, how many IP fragments will you get?

Ans. 4

Task 7 — Idle/Zombie Scan

Answer the questions below

Q 1. You discovered a rarely-used network printer with the IP address 10.10.5.5, and you decide to use it as a zombie in your idle scan. What argument should you add to your Nmap command?

Ans. -sI 10.10.5.5

Task 8 — Getting More Details

Answer the questions below

Q 1. Launch the AttackBox if you haven’t done so already. After you make sure that you have terminated the VM from Task 4, start the VM for this task. Wait for it to load completely, then open the terminal on the AttackBox and use Nmap with nmap -sS -F --reason 10.10.217.196 to scan the VM. What is the reason provided for the stated port(s) being open?

Ans. syn-ack

Task 9 — Summary

Read only task !!

Room 6 — Nmap Post Port Scans

Task 1 — Introduction

Read only task !!

Task 2 — Service Detection

Answer the questions below

Q 1. Start the target machine for this task and launch the AttackBox. Run nmap -sV --version-light 10.10.173.250 via the AttackBox. What is the detected version for port 143?

Ans. dovecot imapd

Q 2. Which service did not have a version detected with --version-light?

Ans. rpcbind

Task 3 — OS Detection and Traceroute

Answer the questions below

Q 1. Run nmap with the -O option against MACHINE_IP. What OS did Nmap detect?

Ans. Linux

Task 4 — Nmap Scripting Engine (NSE)

Answer the questions below

Q 1. Knowing that Nmap scripts are saved in /usr/share/nmap/scripts on the AttackBox, what does the script http-robots.txt check for?

Ans. disallowed entries

Q 2. Can you figure out the name of the script that checks for the remote code execution vulnerability MS15-034 (CVE-2015-1635)?

Ans. http-vuln-cve2015-1635

Q 3. Launch the AttackBox if you haven’t already. After you ensure you have terminated the VM from Task 2, start the target machine for this task. On the AttackBox, run Nmap with the default scripts -sC against 10.10.181.63. You will notice that there is a service listening on port 53. What is its full version value?

Ans. 9.9.5-9+deb8u19-Debian

Q 4. Based on its description, the script ssh2-enum-algos “reports the number of algorithms (for encryption, compression, etc.) that the target SSH2 server offers.” What is the name of the key exchange algorithms (kex_algorithms) that relies upon “sha1” and is supported by 10.10.181.63?

Ans. diffie-hellman-group14-sha1

Task 5 — Saving the Output

Answer the questions below

Terminate the target machine of the previous task and start the target machine for this task. On the AttackBox terminal, issue the command scp pentester@10.10.181.63:/home/pentester/* . to download the Nmap reports in normal and grepable formats from the target virtual machine.

Note that the username pentester has the password THM17577.

Q 1. Check the attached Nmap logs. How many systems are listening on the HTTPS port?

Ans. 3

Q 2. What is the IP address of the system listening on port 8089?

Ans. 172.17.20.14

Task 6 — Summary

Read only Task !!

Room 7 — Protocols and Servers

Task 1 — Introduction

Read only task !!

Task 2 — Telnet

Answer the questions below

Q 1. To which port will the telnet command with the default parameters try to connect?

Ans. 23

Task 3 — Hypertext Transfer Protocol (HTTP)

Answer the questions below

Q 1. Launch the attached VM. From the AttackBox terminal, connect using Telnet to MACHINE_IP 80 and retrieve the file flag.thm. What does it contain?

Ans. THM{e3eb0a1df437f3f97a64aca5952c8ea0}

Task 4 — File Transfer Protocol (FTP)

Answer the questions below

Q 1. Using an FTP client, connect to the VM and try to recover the flag file. What is the flag?

  • Username: frank
  • Password: D2xc9CgD

Ans. THM{364db6ad0e3ddfe7bf0b1870fb06fbdf}

Task 5 — Simple Mail Transfer Protocol (SMTP)

Answer the questions below

Q 1. Using the AttackBox terminal, connect to the SMTP port of the target VM. What is the flag that you can get?

Ans. THM{5b31ddfc0c11d81eba776e983c35e9b5}

Task 6 — Post Office Protocol 3 (POP3)

Answer the questions below

Q 1. Connect to the VM (MACHINE_IP) at the POP3 port. Authenticate using the username frank and password D2xc9CgD. What is the response you get to STAT?

Ans. +OK 0 0

Q 2. How many email messages are available to download via IMAP on MACHINE_IP?

Ans. 0

Task 7 — Internet Message Access Protocol (IMAP)

Answer the questions below

Q 1. What is the default port used by IMAP?

Ans. 143

Task 8 — Summary

Read only Task!!

Room 8 — Protocols and Servers 2

Task 1 — Introduction

Read Only task!!

Task 2 — Sniffing Attack

Answer the questions below

Q 1. What do you need to add to the command sudo tcpdump to capture only Telnet traffic?

Ans. port 23

Q 2. What is the simplest display filter you can use with Wireshark to show only IMAP traffic?

Ans. imap

Task 3 — Man-in-the-Middle (MITM) Attack

Answer the questions below

Q 1. How many different interfaces does Ettercap offer?

Ans. 3

Q 2. In how many ways can you invoke Bettercap?

Ans. 3

Task 4 — Transport Layer Security (TLS)

Answer the questions below

Q 1. DNS can also be secured using TLS. What is the three-letter acronym of the DNS protocol that uses TLS?

Ans. DoT

Task 5 — Secure Shell (SSH)

Answer the questions below

Q 1. Use SSH to connect to MACHINE_IP as mark with the password XBtc49AB. Using uname -r, find the kernel release.

Ans. 5.4.0-84-generic

Q 2. Use SSH to download the file book.txt from the remote system. How many KBs did scp display as download size?

Ans. 415

Task 6 — Password Attack

Answer the questions below

Q 1. We learned that one of the email accounts is lazie. What is the password used to access the IMAP service on MACHINE_IP?

Ans. butterfly

Task 7 — Summary

Read only task!!

Room 9 — Net Sec Challenge

Task 1 — Introduction

Read only task !!

Task 2 — Challenge Questions

Answer the questions below

Q 1. What is the highest port number being open less than 10,000?

Ans. Command syntax — nmap -v -T4 --top-ports 10000 Machine_IP

--top-ports <n> scans the <n> highest-ratio ports found in the nmap-services file after excluding all ports specified by --exclude-ports. <n> must be 1 or greater.

Q 2. There is an open port outside the common 1000 ports; it is above 10,000. What is it?

Ans. 10021

Command — nmap -v -T5 -p0-65535 machine_IP or nmap -v -T4 -p- Machine_IP

Q 3. How many TCP ports are open?

Ans. 6

Command — nmap -v -T4 -p- machine_IP (to scan all TCP ports)

Q 4. What is the flag hidden in the HTTP server header?

Ans. THM{web_server_25352}

Q 5. What is the flag hidden in the SSH server header?

Ans. THM{946219583339}

Command — telnet 10.10.19.179 22

Q 6. We have an FTP server listening on a nonstandard port. What is the version of the FTP server?

Ans. vsFTPd 3.0.3

Q 7. We learned two usernames using social engineering: eddie and quinn. What is the flag hidden in one of these two account files and accessible via FTP?

Ans. THM{321452667098}

First, trying with the user “eddie”, we did not find anything in the FTP directory.

Next, try with the user “quinn”.

We found the flag, downloaded it to the local machine and viewed it using the command below.

Q 8. Browsing to http://10.10.19.179:8080 displays a small challenge that will give you a flag once you solve it. What is the flag?

Ans. — THM{f7443f99}

Command — nmap -sN -v 10.10.19.179 (machine’s IP)

Task 3 — Summary

Read only task !!

!! HAPPY LEARNING !!
