Blue Team Cyber Defender

  Learn how to interact with the win32 API and understand its wide range of use cases Link- https://tryhackme.com/room/windowsapi Does a process in the user mode have direct hardware access? (Y/N) n Does launching an application as an administrator open the process in kernel mode? (Y/N) n What header file imports and defines the User32 DLL and structure? winuser.h What parent header file contains all other required child and core header files? windows.h What overarching namespace provides P/Invoke to .NET? system What memory protection solution obscures the process of importing API calls? aslr Which character appended to an API call represents an ANSI encoding? a Which character appended to an API call represents extended functionality? ex What is the memory allocation type of 0x00080000 in the VirtualAlloc API call? MEM_RESET Do you need to define a structure to use API calls in C? (Y/N) n What method is used to import a required DLL? dllimport What type of method is used to ...

  Learn the steps and procedures of a red team engagement, including planning, frameworks, and documentation. Link - https://tryhackme.com/room/redteamengagements What CIDR range is permitted to be attacked? 10.0.4.0/22 Is the use of white cards permitted? (Y/N) Y Are you permitted to access “*.bethechange.xyz?” (Y/N) N How many explicit restriction are specified? 3 What is the first access type mentioned in the document? phishing Is the red team permitted to attack 192.168.1.0/24? (Y/N) N How long will the engagement last? 1 Month How long is the red cell expected to maintain persistence? 3 Weeks What is the primary tool used within the engagement? Cobalt Strike When will the engagement end? 11/14/2021 What is the budget the red team has for AWS cloud cost? $1000 Are there any miscellaneous requirements for the engagement? (Y/N) N What phishing method will be employed during the initial access phase? Spearphishing What site will be utilized for communication between the client and...

  An introduction to security awareness; why its important, the impact of being attacked, different threat actors and basic account security. Link - https://tryhackme.com/room/securityawarenessintro How many people were affected by eBay being hacked? 145 million What data was leaked from Playstation being hacked? names, addresses, e-mail, birth dates Who would most likely be interested in exploiting a business? Cybercriminals Who would most likely be interested in exploiting a personal computer for fun? Thrill-seekers Who would most likely be interested in exploiting a website to deliver a message? Hacktivists That’s it! See you in the next Room :)

  Learn all the components that make up an email. Link- https://tryhackme.com/room/phishingemails1tryoe Email dates back to what time frame? 1970s What port is classified as Secure Transport for SMTP? 465 What port is classified as Secure Transport for IMAP? 993 What port is classified as Secure Transport for POP3? 995 What email header is the same as “Reply-to”? Return-Path Once you find the email sender’s IP address, where can you retrieve more information about the IP? http://www.arin.net/ In the above screenshots, what is the URI of the blocked image? https://i.imgur.com/lsw0tdi.png In the above screenshots, what is the name of the PDF attachment? payment-updateid.pdf In the attached virtual machine, view the information in email2.txt and reconstruct the PDF using the base64 data. What is the text within the PDF? Use Cyberchef from Base64 and save the output as a pdf file. Open the pdf. THM{BENIGN_PDF_ATTACHMENT} What trusted entity is this email masquerading as? Decode the sub...

  Apply your analytical skills to analyze the malicious network traffic using Wireshark. Link - https://tryhackme.com/room/c2carnage After loading the pcap file in wireshark. Change the time display preferences. What was the date and time for the first HTTP connection to the malicious IP? (answer format: yyyy-mm-dd hh:mm:ss) check the HTTP traffic 2021–09–24 16:44:38 What is the name of the zip file that was downloaded? Check the contents of the packet documents.zip What was the domain hosting the malicious zip file? attirenepal.com Without downloading the file, what is the name of the file in the zip file? Right click the packet and follow HTTP stream chart-1530076591.xls What is the name of the webserver of the malicious IP from which the zip file was downloaded? LiteSpeed What is the version of the webserver from the previous question? PHP/7.2.34 Malicious files were downloaded to the victim host from multiple domains. What were the three domains involved with this activity? fin...

  This room explains the technical details behind the Meltdown vulnerability. Link - https://tryhackme.com/room/meltdownexplained what is it called when a program accesses a cache and finds the correct value? hit what is it called when a program accesses a cache and doesn’t find the correct value? miss What kind of memory does the virtual address contain(apart from user memory) kernel memory That’s it! See you in the next Room :)

  Learn the basics of threat and vulnerability management using Open Vulnerability Assessment Scanning Link- https://tryhackme.com/room/openvas When did the scan start in Case 001? Feb 28, 00:04:46 When did the scan end in Case 001? Feb 28, 00:21:02 How many ports are open in Case 001? 3 How many total vulnerabilities were found in Case 001? 5 What is the highest severity vulnerability found? (MSxx-xxx) MS17–010 What is the first affected OS to this vulnerability? Microsoft Windows 10 x32/x64 Edition What is the recommended vulnerability detection method? Send the crafted SMB transaction request with fid = 0 and check the response to confirm the vulnerability. That’s it! See you in the next Room :)

  Learn how to detect and exploit SQL Injection vulnerabilities Link - https://tryhackme.com/room/sqlinjectionlm What does SQL stand for? Structured Query Language What is the acronym for the software that controls a database? DBMS What is the name of the grid-like structure which holds the data? table What SQL statement is used to retrieve data? SELECT What SQL clause can be used to retrieve data from multiple tables? UNION What SQL statement is used to add data? INSERT What character signifies the end of an SQL query? ; What is the flag after completing level 1? Login as Martin What is the flag after completing level two? (and moving to level 3) What is the flag after completing level three? Login as admin with the password What is the final flag after completing level four? Use the following referrer= admin123' UNION SELECT SLEEP(5),2 from users where username=’admin’ and password like ‘4961% login as admin with password 4961 Name a protocol beginning with D that can be used to ...

  Learn how to use Repeater to duplicate requests in Burp Suite Link - https://tryhackme.com/room/burpsuiterepeater Which view option displays the response in the same format as your browser would? Render Send the request. What is the flag you receive? See if you can get the server to error out with a “500 Internal Server Error” code by changing the number at the end of the request to extreme inputs. What is the flag you receive when you cause a 500 error in the endpoint? Exploit the union SQL injection vulnerability in the site. What is the flag? That’s it! See you in the next room :)

  Understand the flaws of an application and apply your researching skills on some vulnerability databases. Link - https://tryhackme.com/room/vulnerabilities101 An attacker has been able to upgrade the permissions of their system account from “user” to “administrator”. What type of vulnerability is this? Operating System You manage to bypass a login panel using cookies to authenticate. What type of vulnerability is this? Application Logic What year was the first iteration of CVSS published? 2005 If you wanted to assess vulnerability based on the risk it poses to an organisation, what framework would you use? Note: We are looking for the acronym here. VPR If you wanted to use a framework that was free and open-source, what framework would that be? Note: We are looking for the acronym here. CVSS Using NVD, how many CVEs were submitted in July 2021? 1585 Who is the author of Exploit-DB? Offensive Security What type of vulnerability did we use to find the name and version of the applic...

  A guided room covering the deployment of honeypots and analysis of botnet activities Link - https://tryhackme.com/room/introductiontohoneypots Create a file and then log back in is the file still there? (Yay/Nay) Nay How many passwords include the word “password” or some other variation of it e.g “p@ssw0rd” 15 What is arguably the most common tool for brute-forcing SSH? hydra What intrusion prevention software framework is commonly used to mitigate SSH brute-force attacks? Fail2Ban What CPU does the honeypot “use”? Run command cat /proc/cpuinfo Intel(R) Core(TM) i9–11900KB CPU @ 3.30GHz Does the honeypot return the correct values when uname -a is run? (Yay/Nay) Nay What flag must be set to pipe wget output into bash? -O How would you disable bash history using unset ? unset HISTFILE What brand of device is the bot in the first sample searching for? (BotCommands/Sample1.txt) Do a simple google search of the processes Mikrotik What are the commands in the second sample changing? ...

  Learn how to use Nmap to discover live hosts using ARP scan, ICMP scan, and TCP/UDP ping scan. Link - https://tryhackme.com/room/nmap01 Send a packet with the following: From computer1 To computer1 (to indicate it is broadcast) Packet Type: “ARP Request” Data: computer6 (because we are asking for computer6 MAC address using ARP Request) How many devices can see the ARP Request? 4 Did computer6 receive the ARP Request? (Y/N) N Send a packet with the following: From computer4 To computer4 (to indicate it is broadcast) Packet Type: “ARP Request” Data: computer6 (because we are asking for computer6 MAC address using ARP Request) How many devices can see the ARP Request? 4 Did computer6 reply to the ARP Request? (Y/N) Y What is the first IP address Nmap would scan if you provided 10.10.12.13/29 as your target? 10.10.12.8 How many IP addresses will Nmap scan if you provide the following range 10.10.0-255.101-125 ? 6400 Send a packet with the following: From computer1 To computer3 Pack...

  Practice analyzing malicious traffic using Brim. Link - https://tryhackme.com/room/mastermindsxlq [Infection 1] Provide the victim’s IP address. Load infection1.pcap in Brim Check the source IP of “Http Requests” 192.168.75.249 The victim attempted to make HTTP connections to two suspicious domains with the status ‘404 Not Found’. Provide the hosts/domains requested. cambiasuhistoria.growlab.es, www.letscompareonline.com The victim made a successful HTTP connection to one of the domains and received the response_body_len of 1,309 (uncompressed content size of the data transferred from the server). Provide the domain and the destination IP address. Check the “Http Requests” ww25.gocphongthe.com,199.59.242.153 How many unique DNS requests were made to cab[.]myfkn[.]com domain (including the capitalized domain)? Check “Unique DNS Queries” 7 Provide the URI of the domain bhaktivrind[.]com that the victim reached out over HTTP. Check the “Http Requests” /cgi-bin/JBbb8/ Provide the IP ...