Posts

Showing posts with the label hacker

TryHackMe | Red Team Engagements WriteUp

Learn the steps and procedures of a red team engagement, including planning, frameworks, and documentation.
Link - https://tryhackme.com/room/redteamengagements
What CIDR range is permitted to be attacked? 10.0.4.0/22
Is the use of white cards permitted? (Y/N) Y
Are you permitted to access “*.bethechange.xyz?” (Y/N) N
How many explicit restrictions are specified? 3
What is the first access type mentioned in the document? phishing
Is the red team permitted to attack 192.168.1.0/24? (Y/N) N
How long will the engagement last? 1 Month
How long is the red cell expected to maintain persistence? 3 Weeks
What is the primary tool used within the engagement? Cobalt Strike
When will the engagement end? 11/14/2021
What is the budget the red team has for AWS cloud cost? $1000
Are there any miscellaneous requirements for the engagement? (Y/N) N
What phishing method will be employed during the initial access phase? Spearphishing
What site will be utilized for communication between the client and...

TryHackMe | Jr Security Analyst Intro WriteUp

Play through a day in the life of a Junior Security Analyst, their responsibilities and qualifications needed to land a role as an analyst.
Link - https://tryhackme.com/room/jrsecanalystintrouxo
What was the malicious IP address in the alerts? 221.181.185.159
To whom did you escalate the event associated with the malicious IP address? Will Griffin
After blocking the malicious IP address on the firewall, what message did the malicious actor leave for you?
That’s it! See you in the next Room :)

TryHackMe | Carnage WriteUp

Apply your analytical skills to analyze the malicious network traffic using Wireshark.
Link - https://tryhackme.com/room/c2carnage
After loading the pcap file in Wireshark, change the time display preferences.
What was the date and time for the first HTTP connection to the malicious IP? (answer format: yyyy-mm-dd hh:mm:ss) Check the HTTP traffic. 2021-09-24 16:44:38
What is the name of the zip file that was downloaded? Check the contents of the packet. documents.zip
What was the domain hosting the malicious zip file? attirenepal.com
Without downloading the file, what is the name of the file in the zip file? Right click the packet and follow the HTTP stream. chart-1530076591.xls
What is the name of the webserver of the malicious IP from which the zip file was downloaded? LiteSpeed
What is the version of the webserver from the previous question? PHP/7.2.34
Malicious files were downloaded to the victim host from multiple domains. What were the three domains involved with this activity? fin...

TryHackMe | Meltdown Explained WriteUp

This room explains the technical details behind the Meltdown vulnerability.
Link - https://tryhackme.com/room/meltdownexplained
What is it called when a program accesses a cache and finds the correct value? hit
What is it called when a program accesses a cache and doesn’t find the correct value? miss
What kind of memory does the virtual address contain (apart from user memory)? kernel memory
That’s it! See you in the next Room :)

TryHackMe | OpenVAS WriteUp

Learn the basics of threat and vulnerability management using Open Vulnerability Assessment Scanning.
Link - https://tryhackme.com/room/openvas
When did the scan start in Case 001? Feb 28, 00:04:46
When did the scan end in Case 001? Feb 28, 00:21:02
How many ports are open in Case 001? 3
How many total vulnerabilities were found in Case 001? 5
What is the highest severity vulnerability found? (MSxx-xxx) MS17-010
What is the first affected OS to this vulnerability? Microsoft Windows 10 x32/x64 Edition
What is the recommended vulnerability detection method? Send the crafted SMB transaction request with fid = 0 and check the response to confirm the vulnerability.
That’s it! See you in the next Room :)

TryHackMe | SQL Injection Walkthrough

Learn how to detect and exploit SQL Injection vulnerabilities.
Link - https://tryhackme.com/room/sqlinjectionlm
What does SQL stand for? Structured Query Language
What is the acronym for the software that controls a database? DBMS
What is the name of the grid-like structure which holds the data? table
What SQL statement is used to retrieve data? SELECT
What SQL clause can be used to retrieve data from multiple tables? UNION
What SQL statement is used to add data? INSERT
What character signifies the end of an SQL query? ;
What is the flag after completing level 1? Login as Martin
What is the flag after completing level two? (and moving to level 3)
What is the flag after completing level three? Login as admin with the password
What is the final flag after completing level four? Use the following referrer= admin123' UNION SELECT SLEEP(5),2 from users where username='admin' and password like '4961% then login as admin with password 4961
Name a protocol beginning with D that can be used to ...

TryHackMe | Burp Suite: Repeater WriteUp

Learn how to use Repeater to duplicate requests in Burp Suite.
Link - https://tryhackme.com/room/burpsuiterepeater
Which view option displays the response in the same format as your browser would? Render
Send the request. What is the flag you receive?
See if you can get the server to error out with a “500 Internal Server Error” code by changing the number at the end of the request to extreme inputs. What is the flag you receive when you cause a 500 error in the endpoint?
Exploit the union SQL injection vulnerability in the site. What is the flag?
That’s it! See you in the next room :)

TryHackMe | Vulnerabilities 101 WriteUp

Understand the flaws of an application and apply your researching skills on some vulnerability databases.
Link - https://tryhackme.com/room/vulnerabilities101
An attacker has been able to upgrade the permissions of their system account from “user” to “administrator”. What type of vulnerability is this? Operating System
You manage to bypass a login panel using cookies to authenticate. What type of vulnerability is this? Application Logic
What year was the first iteration of CVSS published? 2005
If you wanted to assess vulnerability based on the risk it poses to an organisation, what framework would you use? Note: We are looking for the acronym here. VPR
If you wanted to use a framework that was free and open-source, what framework would that be? Note: We are looking for the acronym here. CVSS
Using NVD, how many CVEs were submitted in July 2021? 1585
Who is the author of Exploit-DB? Offensive Security
What type of vulnerability did we use to find the name and version of the applic...

TryHackMe | Nmap Live Host Discovery WriteUp

Learn how to use Nmap to discover live hosts using ARP scan, ICMP scan, and TCP/UDP ping scan.
Link - https://tryhackme.com/room/nmap01
Send a packet with the following: From computer1, To computer1 (to indicate it is broadcast), Packet Type: “ARP Request”, Data: computer6 (because we are asking for computer6's MAC address using an ARP Request). How many devices can see the ARP Request? 4
Did computer6 receive the ARP Request? (Y/N) N
Send a packet with the following: From computer4, To computer4 (to indicate it is broadcast), Packet Type: “ARP Request”, Data: computer6 (because we are asking for computer6's MAC address using an ARP Request). How many devices can see the ARP Request? 4
Did computer6 reply to the ARP Request? (Y/N) Y
What is the first IP address Nmap would scan if you provided 10.10.12.13/29 as your target? 10.10.12.8
How many IP addresses will Nmap scan if you provide the following range 10.10.0-255.101-125? 6400
Send a packet with the following: From computer1 To computer3 Pack...

TryHackMe | Active Reconnaissance WriteUp

Learn how to use simple tools such as traceroute, ping, telnet, and a web browser to gather information.
Link - https://tryhackme.com/room/activerecon
Browse to the following website and ensure that you have opened your Developer Tools on AttackBox Firefox, or the browser on your computer. Using the Developer Tools, figure out the total number of questions. Go to the website, right click and choose “Inspect”, then go to Sources and open “script.js”. 8
Which option would you use to set the size of the data carried by the ICMP echo request? -s
What is the size of the ICMP header in bytes? 8
Does MS Windows Firewall block ping by default? (Y/N) Y
Deploy the VM for this task and, using the AttackBox terminal, issue the command ping -c 10 MACHINE_IP. How many ping replies did you get back? 10
In Traceroute A, what is the IP address of the last router/hop before reaching tryhackme.com? 172.67.69.208
In Traceroute B, what is the IP address of the last router/hop before reaching tryhackme.com? 104.26.1...

TryHackMe | Passive Reconnaissance WriteUp

Learn about the essential tools for passive reconnaissance, such as whois, nslookup, and dig.
Link - https://tryhackme.com/room/passiverecon
You visit the Facebook page of the target company, hoping to get some of their employee names. What kind of reconnaissance activity is this? (A for active, P for passive) P
You ping the IP address of the company webserver to check if ICMP traffic is blocked. What kind of reconnaissance activity is this? (A for active, P for passive) A
You happen to meet the IT administrator of the target company at a party. You try to use social engineering to get more information about their systems and network infrastructure. What kind of reconnaissance activity is this? (A for active, P for passive) A
When was TryHackMe.com registered? 20180705
What is the registrar of TryHackMe.com? namecheap.com
Which company is TryHackMe.com using for name servers? cloudflare.com
Check the TXT records of thmlabs.com. What is the flag there?
Lookup tryhackme.com on DNSDumpste...

TryHackMe | h4cked Walkthrough

Find out what happened by analysing a .pcap file and hack your way back into the machine.
Link - https://tryhackme.com/room/h4cked
Download the Task file.
The attacker is trying to log into a specific service. What service is this? FTP
There is a very popular tool by Van Hauser which can be used to brute force a series of services. What is the name of this tool? Hydra
The attacker is trying to log on with a specific username. What is the username? jenny
What is the user’s password? password123
What is the current FTP working directory after the attacker logged in? /var/www/html
The attacker uploaded a backdoor. What is the backdoor’s filename? shell.php
The backdoor can be downloaded from a specific URL, as it is located inside the uploaded file. What is the full URL? Follow the TCP stream. http://pentestmonkey.net/tools/php-reverse-shell
Which command did the attacker manually execute after getting a reverse shell? Follow the TCP stream. whoami
What is the computer’s hostname? Follow tcp stre...

Eonrec