July 7, 2026
Search Skills: Mastering Cyber Security Research & OSINT
Introduction
By Jonathan Sanfer
6 min read
Introduction
Welcome to my walkthrough of the room Search Skills, an essential introduction to gathering open-source intelligence (OSINT) within the Start Your Cyber Security Journey module of TryHackMe's pathway Cyber Security 101!
If you are following along with the new pathway structure, this introductory module actually contains three rooms. However, because the first two Offensive Security Intro and Defensive Security Intro are identical to the very first rooms we conquered at the beginning of our Pre Security journey, we are skipping right ahead to the final, unique room of this module.
In my previous article, Become a Defender, we officially wrapped up that Pre Security pathway by looking at infrastructure through a blue team lens, mapping environments, and setting up defensive perimeters. As we pivot into this new pathway, we focus on a fundamental skill that bridges both worlds: research efficiency. In cyber security, knowing where and how to find data is just as critical as knowing how to exploit or defend it.
We explore how to utilize industry-standard open-source repositories, query engines, and documentation frameworks like Shodan, VirusTotal, and the universal CVE index to gather actionable intelligence.
Catch up on my final Pre Security milestone, Become a Defender, by clicking the banner below.
What we will cover
- Infrastructure OSINT: Leveraging Shodan queries to identify exposed hardware and server deployments.
- Threat Intelligence: Utilizing VirusTotal aggregate scanning to validate suspicious file structures.
- Vulnerability Indexing: Navigating CVE databases and technical documentations to evaluate architectural risks.
Room Information
Before diving into our research platforms, let's document our structural target properties.
- Room Name: Search Skills
- Path: Cyber Security 101
- Module: Start Your Cyber Security Journey
- Topic: Introduction / Walkthrough
- Difficulty: Easy
- Room Link: TryHackMe — Search Skills
Task 1: Introduction
Information gathering is the foundational cornerstone of both offensive security assessments and active defensive operations. Whether an operator is hunting down an unpatched software exploit, diagnosing unexpected tool behaviors, or tracking a malicious threat actor, their success relies entirely on leveraging the internet's global knowledge resources effectively.
Task 2: Shodan (TryScanMe)
Shodan is a specialized search engine designed to continuously sweep the public internet, indexing exposed Internet of Things (IoT) devices, routers, servers, industrial control systems, and network perimeters. Instead of indexing web page text like traditional search engines, Shodan interacts with open network ports and grabs the public banners advertised by the hosting applications.
During a penetration test or vulnerability audit, Shodan allows security analysts to check for exposed server versions globally and map them directly against known security gaps.
Core Shodan Query Filters
To optimize search queries, Shodan utilizes dedicated logical filters to narrow down raw data fields:
|----------+-------------------------------------------------------------------------------+-----------------------|
| Filter | Description | Example |
|----------+-------------------------------------------------------------------------------+-----------------------|
| country | Restricts results to a specific country code. | country:IE |
| port | Filters results by a specific open port number or range. | port:22 |
| org | Scopes findings to a specific organization or Autonomous System Number (ASN). | org:AS7224 |
| hostname | Matches findings against a distinct domain name or hostname. | hostname:fakebank.thm |
|----------+-------------------------------------------------------------------------------+-----------------------||----------+-------------------------------------------------------------------------------+-----------------------|
| Filter | Description | Example |
|----------+-------------------------------------------------------------------------------+-----------------------|
| country | Restricts results to a specific country code. | country:IE |
| port | Filters results by a specific open port number or range. | port:22 |
| org | Scopes findings to a specific organization or Autonomous System Number (ASN). | org:AS7224 |
| hostname | Matches findings against a distinct domain name or hostname. | hostname:fakebank.thm |
|----------+-------------------------------------------------------------------------------+-----------------------|Guided Walkthrough: Simulating Shodan Queries
To perform our asset intelligence sweep, we access the custom TryScanMe simulation engine and query the database for the popular web server framework apache.
The search platform parses the public internet records and exposes host fingerprints matching the string. Inspecting the top entry flags the underlying target infrastructure profile, revealing the specific corporate domain tied directly to the requested IP address string.
Questions and Answers
What domain is associated with the IP address 185.243.115.47?
Answer:
tryhackme.thmtryhackme.thmTask 3: VirusTotal (TryDetectMe)
VirusTotal acts as a central aggregator for threat signature verification, collating real-time detection feedback from over 70 premier antivirus engines and website security scanners. Analysts can submit files, hashes, URLs, or domains to instantly check if any security vendors have flagged the payload as malicious. While not foolproof, it serves as a massive triage asset for Blue Teams to verify suspicious artifacts quickly.
Guided Walkthrough: Aggregating File Reputation
We initialize the TryDetectMe threat scanning console to audit an unknown file named invoice_payment.exe.
Upon submitting the executable file parameter, the engine parses its hash against the aggregate vendor definitions. The dashboard populates a real-world detection graph highlighting exactly how many global security vendors successfully flagged the signature as an active, high-risk malware threat.
Questions and Answers
How many security vendors have identified the file as dangerous? You can see a total count at the top of the page.
Answer:
5252Task 4: Vulnerability Databases (CVE)
The Common Vulnerabilities and Exposures (CVE) program provides a standardized, universal dictionary for tracking publicly known security flaws. Managed as a collaborative global industry standard, each vulnerability receives a structured timestamp identifier following the format CVE-YEAR-NUMBER.
High-profile exploits often receive distinct names (such as Log4Shell or Heartbleed). To help organizations prioritize patching efforts, vulnerabilities are analyzed and scored using the Common Vulnerability Scoring System (CVSS), which calculates a severity rating based on three primary factors:
- Impact: What specific damage can this vulnerability cause to systems?
- Complexity: How easy or difficult is it for an attacker to execute this exploit?
- Availability: Are there active public exploits making this vulnerability highly accessible?
Security platforms like ExploitDB compile these reference indexes alongside actual Proof of Concept (PoC) scripts to demonstrate how the exploit functions in practice.
Guided Walkthrough: Querying the Vulnerability Index
We pivot to the custom TryHackMe Vulnerability Database search portal to evaluate the structural metrics of a specific target tracker, CVE-2026–1337.
Querying the reference entry reveals the critical system properties and displays the maximum baseline CVSS severity score, marking it as a critical priority patch risk.
Questions and Answers
What CVSS (Common Vulnerability Scoring System) classification did the vulnerability get?
Answer:
1010Task 5: Technical Documentation (MAN)
When working with complex command-line toolsets, official vendor documentation is the absolute source of truth. On Linux architectures, this technical guidance is built directly into the operating system kernel via MANual (man) pages. Execution of the core man command followed by any utility name populates an interactive documentation layout.
Guided Walkthrough: Parsing Terminal Manuals
We launch the terminal MANual simulation interface to inspect the usage flags for the networking utility nc (Netcat).
By executing the command, the manual opens up. Scrolling down to the bottom practical application examples section, the manual explicitly lays out the exact command template required to target and initialize a network connection to an external host on a distinct port parameter.
Questions and Answers
What is the example command?
Answer:
nc host.example.com 42nc host.example.com 42Task 6: GitHub
GitHub has evolved into an invaluable open-source asset for modern security researchers. It allows the community to share PoC exploit codes, automated scanning modules, and detailed vulnerability write-ups long before official corporate software channels release formal advisories.
However, because anyone can publish scripts, GitHub repositories require intense scrutiny. Malicious threat actors occasionally seed fake PoC tools that contain hidden backdoors or infostealers designed to target the security analysts downloading them. Always audit and verify code configurations manually before execution.
Guided Walkthrough: Auditing Code Repositories
We navigate the lab's simulated repository framework to review the technical code artifacts published for CVE-2026–1337.
By opening the repository root and auditing the structural project layout, we identify the exact Python demonstration script compiled by the researcher to safely verify the application flaw.
Questions and Answers
What is the name of the script in the repository that will demonstrate the vulnerability?
Answer:
exploit.pyexploit.pySummary & Key Takeaways
Congratulations on mastering your first core research and intelligence modules! Information gathering transforms raw data into tactical leverage, giving security practitioners the precise knowledge needed to handle emerging threats.
Tactical Terms Recap:
- OSINT: Open-Source Intelligence gathered from publicly available global network channels.
- CVSS Scoring: A standardized numeric framework (0–10) used to categorize the severity risk of vulnerabilities.
- Banners: The public text transmissions sent by network applications identifying their software version names.
Key lessons:
- Verify Before You Trust: Whether downloading a convenient PoC exploit from a GitHub repository or acting on a VirusTotal vendor alert, always cross-reference data across multiple verification sources to ensure integrity.
- Let Manuals Drive Troubleshooting: Before looking for outside help or running blind terminal commands, use internal terminal utilities like Linux
manpages to understand tool behaviors, flags, and mechanics. - Context Dictates Remediation: Leveraging vulnerability scoring systems like CVSS allows teams to shift away from chaotic fire-fighting and move towards systematic, risk-prioritized patching structures.