TryHackMe — Jr Penetration Tester — Vulnerability Research
Room 1 — Vulnerabilities 101
Task 1 Introduction
Read-only task, no answer needed.
Task 2 Introduction to Vulnerabilities
Answer the questions below
Q 1. An attacker has been able to upgrade the permissions of their system account from “user” to “administrator”. What type of vulnerability is this?
Ans. Operating System
Q 2. You manage to bypass a login panel using cookies to authenticate. What type of vulnerability is this?
Ans. Application Logic
Task 3 Scoring Vulnerabilities (CVSS & VPR)
Answer the questions below
Q 1. What year was the first iteration of CVSS published?
Ans. 2005
Q 2. If you wanted to assess vulnerability based on the risk it poses to an organisation, what framework would you use?
Ans. VPR
Note: We are looking for the acronym here.
Q 3. If you wanted to use a framework that was free and open-source, what framework would that be?
Note: We are looking for the acronym here.
Ans. CVSS
Task 4 Vulnerability Databases
Answer the questions below
Q 1. Using NVD, how many CVEs were submitted in July 2021?
Ans. 1585
Q 2. Who is the author of Exploit-DB?
Ans. Offensive Security
Task 5 An Example of Finding a Vulnerability
Answer the questions below
Q 1. What type of vulnerability did we use to find the name and version of the application in this example?
Ans. Version Disclosure
Task 6 Showcase: Exploiting Ackme’s Application
Answer the questions below
Q 1. Follow along with the showcase of exploiting ACKme’s application to the end to retrieve a flag. What is this flag?
Ans. THM{ACKME_ENGAGEMENT}
Task 7 Conclusion
Read-only task, no answer needed.
Room 2 — Exploit Vulnerabilities
Task 1 Introduction
Read-only task, no answer needed.
Task 2 Automated Vs. Manual Vulnerability Research
Answer the questions below
Q 1. You are working close to a deadline for your penetration test and need to scan a web application quickly. Would you use an automated scanner? (Yay/Nay)
Ans. Yay
Q 2. You are testing a web application and find that you are able to input and retrieve data in a database. What vulnerability is this?
Ans. Injection
Q 3. You manage to impersonate another user. What vulnerability is this?
Ans. Broken Access Control
Task 3 Finding Manual Exploits
Answer the questions below
Q 1. What website would you use as a security researcher if you wanted to upload a Proof of Concept?
Ans. github
Q 2. You are performing a penetration test at a site with no internet connection. What tool could you use to find exploits to use?
Ans. Searchsploit
Task 4 Example of Manual Exploitation
Answer the questions below
Q 1. What type of vulnerability was used in this attack?
Ans. remote code execution
Task 5 Practical: Manual Exploitation
Answer the questions below
Q 1. Find out the version of the application that is running. What are the name and version number of the application?
Ans. Online Book Store v1.0
Q 2. Now use the resources and skills from this module to find an exploit that will allow you to gain remote access to the vulnerable machine.
Ans. Read-only question, no answer needed.
Q 3. Use this exploit against the vulnerable machine. What is the value of the flag located in a web directory?
Ans. THM{BOOK_KEEPING}
The exploit used for this task can be found at https://www.exploit-db.com/exploits/47887
Room 3 — Vulnerability Capstone
Task 1 Introduction
Read-only task, no answer needed.
Task 2 Exploit the Machine (Flag Submission)
Answer the questions below
Deploy the vulnerable machine attached to this task & wait five minutes before visiting the vulnerable machine.
Q 1. What is the name of the application running on the vulnerable machine?
Ans. Fuel CMS
Q 2. What is the version number of this application?
Ans. Version 1.4
Q 3. What is the number of the CVE that allows an attacker to remotely execute code on this application? Format: CVE-XXXX-XXXXX
Ans. CVE-2018-16763
Q 4. Use the resources & skills learnt throughout this module to find and use a relevant exploit to exploit this vulnerability.
Ans. Read-only question, no answer needed.
Note: There are numerous exploits out there that can be used for this vulnerability (some more useful than others!)
Q 5. What is the value of the flag located on this vulnerable machine? This is located in /home/ubuntu on the vulnerable machine.
Ans. THM{ACKME_BLOG_HACKED}
Go to usr/share/exploits/vulnerabilitiescapstone on the attacking machine and run exploit.py against the target:
$ python3 exploit.py victim_IP/target_IP
Then start a netcat listener to catch the reverse shell, and read the flag from /home/ubuntu.