Blue Team Cyber Defender

  This room is an introduction to red teaming Link - https://tryhackme.com/room/redteamrecon Would vulnerability assessments prepare us to detect a real attacker on our networks? (Yay/Nay) Nay During a penetration test, are you concerned about being detected by the client? (Yay/Nay) Nay Highly organised groups of skilled attackers are nowadays referred to as … Advanced Persistent Threats The goals of a red team engagement will often be referred to as flags or… crown jewels During a red team engagement, common methods used by attackers are emulated against the target. Such methods are usually called TTPs. What does TTP stand for? Tactics, techniques and procedures The main objective of a red team engagement is to detect as many vulnerabilities in as many hosts as possible (Yay/Nay) Nay What cell is responsible for the offensive operations of an engagement? Red Cell What cell is the trusted agent considered part of? White Cell If an adversary deployed Mimikatz on a target machine, where

  If you are unable to get your Kali virtual machine to connect to the TryHackMe network …follow the instructions below to fix the issue Open cmd in your kali machine and run the following command:- sudo ifconfig eth0 mtu 1200 After running this command ..then run the usual… sudo openvpn /path-to-file/file.ovpn The issue is now resolved :)

  Learn the basics of automated web scanning! Link - https://tryhackme.com/room/rpwebscanning First and foremost, what switch do we use to set the target host? -h Websites don’t always properly redirect to their secure transport port and can sometimes have different issues depending on the manner in which they are scanned. How do we disable secure transport? -nossl How about the opposite, how do we force secure transport? -ssl What if we want to set a specific port to scan? -p As the web is constantly evolving, so is Nikto. A database of vulnerabilities represents a core component to this web scanner, how do we verify that this database is working and free from error? -dbcheck If instructed to, Nikto will attempt to guess and test both files within directories as well as usernames. Which switch and numerical value do we use to set Nikto to enumerate usernames in Apache? Keep in mind, this option is deprecated in favor of plugins, however, it’s still a great option to be aware of for si

  A guided room covering the deployment of honeypots and analysis of botnet activities Link - https://tryhackme.com/room/introductiontohoneypots Create a file and then log back in is the file still there? (Yay/Nay) Nay How many passwords include the word “password” or some other variation of it e.g “p@ssw0rd” 15 What is arguably the most common tool for brute-forcing SSH? hydra What intrusion prevention software framework is commonly used to mitigate SSH brute-force attacks? Fail2Ban What CPU does the honeypot “use”? Run command cat /proc/cpuinfo Intel(R) Core(TM) i9–11900KB CPU @ 3.30GHz Does the honeypot return the correct values when uname -a is run? (Yay/Nay) Nay What flag must be set to pipe wget output into bash? -O How would you disable bash history using unset ? unset HISTFILE What brand of device is the bot in the first sample searching for? (BotCommands/Sample1.txt) Do a simple google search of the processes Mikrotik What are the commands in the second sample changing? (Bot

  Learn how to use Nmap to discover live hosts using ARP scan, ICMP scan, and TCP/UDP ping scan. Link - https://tryhackme.com/room/nmap01 Send a packet with the following: From computer1 To computer1 (to indicate it is broadcast) Packet Type: “ARP Request” Data: computer6 (because we are asking for computer6 MAC address using ARP Request) How many devices can see the ARP Request? 4 Did computer6 receive the ARP Request? (Y/N) N Send a packet with the following: From computer4 To computer4 (to indicate it is broadcast) Packet Type: “ARP Request” Data: computer6 (because we are asking for computer6 MAC address using ARP Request) How many devices can see the ARP Request? 4 Did computer6 reply to the ARP Request? (Y/N) Y What is the first IP address Nmap would scan if you provided 10.10.12.13/29 as your target? 10.10.12.8 How many IP addresses will Nmap scan if you provide the following range 10.10.0-255.101-125 ? 6400 Send a packet with the following: From computer1 To computer3 Packet T

  Manipulating DNS queries to our advantage Link - https://tryhackme.com/room/dnsmanipulation If you were on Windows, what command could you use to query a txt record for ‘youtube.com’? nslookup -type=txt youtube.com If you were on Linux, what command could you use to query a txt record for ‘facebook.com’? dig facebook.com TXT AAAA stores what type of IP Address along with the hostname? IPv6 Maximum characters for a DNS TXT Record is 256. (Yay/Nay) Nay What DNS Record provides a domain name in reverse-lookup? (Research) PTR What would the reverse-lookup be for the following IPv4 Address? (192.168.203.2) (Research) 2.203.168.192.in-addr.arpa What is the maximum length of a DNS name? (Research) (Length includes dots!) 253 What is the Transaction name? (Type it as you see it) Network Equip. How much was the Firewall? (Without the $) 2500 Which file contains suspicious DNS queries? cap3.pcap Enter the plain-text after you have decoded the data using packetyGrabber.py found in ~/dns-exfil-i

Learn how to use simple tools such as traceroute, ping, telnet, and a web browser to gather information. Link - https://tryhackme.com/room/activerecon Browse to the following website and ensure that you have opened your Developer Tools on AttackBox Firefox, or the browser on your computer. Using the Developer Tools, figure out the total number of questions. Go to the website and right click and “Inspect” . Go to Sources and “script.js” 8 Which option would you use to set the size of the data carried by the ICMP echo request? -s What is the size of the ICMP header in bytes? 8 Does MS Windows Firewall block ping by default? (Y/N) Y Deploy the VM for this task and using the AttackBox terminal, issue the command ping -c 10 MACHINE_IP . How many ping replies did you get back? 10 In Traceroute A, what is the IP address of the last router/hop before reaching tryhackme.com? 172.67.69.208 In Traceroute B, what is the IP address of the last router/hop before reaching tryhackme.com? 104.26.11.22

Find out what happened by analysing a .pcap file and hack your way back into the machine Link - https://tryhackme.com/room/h4cked Download the Task file The attacker is trying to log into a specific service. What service is this? FTP There is a very popular tool by Van Hauser which can be used to brute force a series of services. What is the name of this tool? Hydra The attacker is trying to log on with a specific username. What is the username? jenny What is the user’s password? password123 What is the current FTP working directory after the attacker logged in? /var/www/html The attacker uploaded a backdoor. What is the backdoor’s filename? shell.php The backdoor can be downloaded from a specific URL, as it is located inside the uploaded file. What is the full URL? Follow tcp stream http://pentestmonkey.net/tools/php-reverse-shell Which command did the attacker manually execute after getting a reverse shell? Follow tcp stream whoami What is the computer’s hostname? Follow tcp stream w

Learn the various ways of discovering hidden or private content on a webserver that could lead to new vulnerabilities. Link - https://tryhackme.com/room/contentdiscovery What is the Content Discovery method that begins with M? Manually What is the Content Discovery method that begins with A? Automated What is the Content Discovery method that begins with O? OSINT What is the directory in the robots.txt that isn’t allowed to be viewed by web crawlers? Check the robots.txt file /staff-portal What framework did the favicon belong to? Download the file and upload to virustotal to get hash and then check the mentioned website for the hash. cgiirc What is the path of the secret area that can be found in the sitemap.xml file? Check the sitemap /s3cr3t-area What is the flag value from the X-FLAG header? Run the curl command What is the flag from the framework’s administration portal? Go to mentioned website and find the location /thm-framework-login and login with username and password “admin”

  Learn about digital forensics artefacts found on Linux servers by analysing a compromised server Link :- https://tryhackme.com/room/linuxserverforensics Deploy the first VM Login using ssh and navigate to /var/log/apache2 How many different tools made requests to the server? Run the below command Answer is 2 Name a path requested by Nmap. Run below command Answer is /nmaplowercheck1618912425 What page allows users to upload files? Navigate to the website Answer is contact.php What IP uploaded files to the server? Run below command to find Answer is 192.168.56.24 Who left an exposed security notice on the server? Run below command to find Go to the location mentioned above and open the security.md file Answer is Fred What command and option did the attacker use to establish a backdoor? Run below command to find backdoor Answer is sh -i What is the password of the second root account? Search passwd Google search xxx from root2 :xxx to find password Deploy the second VM Login and naviga