Holisticz - Embrace the Infinite

Step into the world of endless opportunities and unlock the gateway to virtual transactions.

  • Domain Update: Our Forum has moved! Please visit us at Holisticz.com for the latest updates.

Become a Hacker | TryHackMe CheatSheet

iLoveNuggets

Royal
Royal Elite member Premium

0

0%

Status

Offline

Posts

494

Likes

201

Rep

229

3

Years of Service

Let's learn together
[Image: dance3.gif]


Learn how TryHackMe can help you become a hacker.

https://tryhackme.com/room/becomeahackeroa

Task 1 :

What is Offensive Security?

In short, offensive security is the process of breaking into computer systems, exploiting software bugs, and finding loopholes in applications to gain unauthorized access to them.
To beat a hacker, you need to behave like a hacker, finding vulnerabilities and recommending patches before a cybercriminal does, as you'll do in this room!

On the flip side, there is also defensive security, which is the process of protecting an organization's network and computer systems by analyzing and securing any potential digital threats; learn more in the digital forensics room.
In a defensive cyber role, you could be investigating infected computers or devices to understand how it was hacked, tracking down cybercriminals, or monitoring infrastructure formalicious activity.

Which of the following options better represents the process where you simulate a hacker's actions to find vulnerabilities in a system?
  • Offensive Security
  • Defensive Security
THE ANSWER ISOffensive Security

--------------------------------------------------------------------------------------

Task 2

Let's Hack - Part 1 of 2

This is your first ethical hacking exercise. Not only will you learn about ethical hacking, where you will hack a test website, but youll also learn about how the TryHackMe platform works. To get started and follow along, click the View Site button in the upper right corner of this task to access the web application.
After months of working on his business idea, Mike was finally ready to launch the website! He had spent much time and effort creating a great product and was confident that people would love it.

However, Mike was also nervous about the potential for cyber threats. He knew that businesses of all sizes were being hacked every day, and he did not want to be a victim. You get a call asking you to assess his web application and see if you can spot any weaknesses. In particular, he is concerned that the software development team might have forgotten some private pages exposed to the public. He hopes you can find them before he goes public and the bad guys find them and wreak havoc.
Are you ready to help Mike? If you havent done so already, click on the View Site button in the upper right corner of this task to access the web application. (If you dont see the View Site button, you might need to scroll up.)

[Image: 6f39172b5354336701586ba6f06a596c.png?ex=...height=628]

In the upper right half, you can see a simulated browser window showing
Code:
[color=#27ae60]http://www.onlineshop.thm[/color]
, as shown in the figure above. You can interact with the address bar.


We can run many security tests, but first, lets see if we can discover any hidden pages. Here are some pages we can try:
Lets try to discover the hidden page by using one of the words in the list above. In the simulated browser in the upper right corner, try changing the address by adding a word (listed above) to the existing URL until you discover the correct word that leads to a hidden page.


(Optional) Using an Automated Tool: Gobuster
Changing the browsers address bar is helpful if the list of pages you want to try is limited. What should we do if we have hundreds or thousands of words to try? We need to use an automated tool. A solid tool to automatically search for hidden pages is Gobuster, which runs in the terminal. In the terminal, in the lower right, we need to issue the following command:

gobuster dir --url http://www.onlineshop.thm/ -w /usr/share/wordlists/dirbuster/directory-list.txt
The command above is made up of the following parts:
  • Code:
    gobuster
    is the terminal command to start Gobuster
  • Code:
    dir
    uses directory and file enumeration mod
  • Code:
    --url http://www.onlineshop.thm/
    sets the target website
  • Code:
    -w /usr/share/wordlists/dirbuster/directory-list.txt
    specifies the word list to use
In the terminal on the lower right, run the command shown above. This command should let you discover the hidden page(s) in an automated manner.

[Image: 1f93c2cb263fb33c59ac508cfa9c5280.png?ex=...height=598]


If you made it this far, congratulations, you have just discovered the hidden page using two different approaches!

What is the name of the hidden web page you discovered?

answer is

THE ANSWER IS : LOGIN

-----------------------------------------------------------

lets hack part 2 part 2


TASK 3
In Task 1, we discovered a hidden page that allows registered users to sign in. If we can figure out the username and password, we may gain access to some private sections of the web application!


[Image: 301d7962abb3d780015fa6c8fafeb572.png?wid...height=628]



One of the most common usernames is
Code:
admin
. We will start our attack using
Code:
admin
as the username and try to guess the password. Try to log in using the username
Code:
admin
and one of the common passwords listed below:
  • Code:
    abc123
  • Code:
    123456
  • Code:
    qwerty
  • Code:
    password
  • Code:
    Code:
    654321
    
    Were you able to find the password and log in successfully? One of the above passwords should work with the username
    [code]
    [color=#2ecc71]admin[/color]
    and give you access to a secret page.
    Using an Automated Tool: HydraWe could do this task manually, as we only had to go through five passwords. But what if we have to go through thousands or tens of thousands of passwords? In that case, we can use a software tool such as Hydra. In the terminal, on the lower right, lets run the following command:

    hydra -l admin -P passlist.txt www.onlineshop.thm http-post-form "/login:username=^USER^&password=^PASS^:F=incorrect" -V
    The command above is made up of the following parts:
    Code:
    hydra
    is the terminal command to start Hydra
    Code:
    -l admin
    attempts to log in using the username
    Code:
    admin
    Code:
    -P passlist.txt
    specifies the password list to try
    Code:
    www.onlineshop.thm
    sets the target website
    Code:
    http-post-form
    indicates that this is an HTTP POST request form
    Code:
    "/login:username=^USER^&password=^PASS^:F=incorrect"
    specifies the shape of the HTTP POST request and how to check if the login credentials are incorrect
    Code:
    -V
    is used for verbose outputYou do not have to worry about all the command arguments above; it is more straightforward than it appears. For now, we need to copy and paste the command above in the terminal in the lower right and watch Hydra find a valid password for us.
    Log in using the password you discovered if you have not done that already.
    If you have made it this far, congratulations, you have just hacked an insecure web application!

    THE ANSWER IS :born_to_be_a_hacker

    ------------------------------------
    Careers in Cyber Security

    TASK 4 LAST ONE
    How can I start learning?
    People often wonder how others become hackers (security consultants) or defenders (security analysts fighting cybercrime), and the answer is simple. Break it down, learn an area of cyber security you're interested in, and regularly practice using hands-on exercises. Build a habit of learning a little bit each day on TryHackMe, and you'll acquire the knowledge to get your first job in the industry.
    Trust us; you can do it! Just take a look at some people who have used TryHackMe to get their first security job:
    Paul went from a construction worker to a security engineer.https://tryhackme.com/r/resources/blog/construction-worker-to-security-engineer-how-paul-used-tryhackme-to-land-his-first-job-in-security. Kassandra went from a music teacher to a security professional.https://tryhackme.com/r/resources/blog/the-teacher-becomes-the-student. Brandon used TryHackMe while at school to get his first job in cyber.https://tryhackme.com/r/resources/blog/brandons-success-story.What careers are there?
    The cyber careers room goes into more depth about the different careers in cyber. However, here is a short description of a few offensive security roles:
    Penetration Tester - Responsible for testing technology products for finding exploitable security vulnerabilities. Red Teamer - Plays the role of an adversary, attacking an organization and providing feedback from an enemy's perspective. Security Engineer - Design, monitor, and maintain security controls, networks, and systems to help prevent cyberattacks.
    [/code]
THE ANSWER IS : [font]COMPLATED[/font]​

This is a bump
 

48,676

38,236

238,827

Top