Disclaimer: This writeup is based on a Capture The Flag (CTF) challenge hosted on TryHackMe and it is intended for educational purposes only.
The Basic Vulnerability Identification Techniques room on TryHackMe introduces learners to the fundamental methods used to discover security weaknesses in systems and applications. It focuses on essential concepts such as identifying vulnerabilities through enumeration, understanding common vulnerability types, and leveraging tools and resources to research potential exploits. Through practical exercises, users learn how to correlate gathered information (like services and versions) with known vulnerabilities, building a solid foundation for penetration testing and vulnerability assessment.
Task 1 Introduction
I understand the learning objectives and am ready to learn vulnerability identification techniques!
No answer needed
Task 2 Understanding the Attack Surface
Which type of attack surface becomes accessible only after gaining an initial foothold inside the network?
Internal
Task 3 Service Enumeration and Banner Grabbing
Run an Nmap scan against the target with -sV -sC flags. What version of Apache is running on port 80?
2.4.52
Use netcat to grab the SSH banner on port 22. What is the full OpenSSH version string returned?
OpenSSH_8.9p1
Task 4 Matching Services to Known Exploits
A CVE describes a remote code execution flaw in the version of a service running on the target, but the administrator has applied a patch without updating the version string. Is this service still exploitable through that CVE? (Yay/Nay)
Nay
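The banner grab from Task 3 and the caveat from Task 4 together, as an added Python example that is not part of this writeup or of the TryHackMe room: it reads the SSH identification line the way `nc target 22` shows it and splits out the OpenSSH version string, while a constructed banner and a loopback server stand in for the room's target so it runs offline.

```python
import socket
import threading

# Constructed sample in the RFC 4253 format "SSH-protoversion-softwareversion SP comments CR LF"; not captured from the room's target.
SAMPLE_BANNER = b"SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10\r\n"


def parse_ssh_banner(line: bytes) -> dict:
    """Split an SSH identification string into its protocol, software and comment fields."""
    text = line.decode("ascii", errors="replace").rstrip("\r\n")
    if not text.startswith("SSH-"):
        raise ValueError(f"not an SSH identification string: {text!r}")
    ident, _, comment = text.partition(" ")
    _, proto, software = ident.split("-", 2)      # "SSH", "2.0", "OpenSSH_8.9p1"
    product, _, version = software.partition("_")  # "OpenSSH", "8.9p1"
    # The version is only a hint for CVE matching: a distribution that backports a fix
    # leaves this string unchanged, so it shows exposure to a CVE, not exploitability.
    return {"protocol": proto, "software": software, "product": product,
            "version": version, "comment": comment}


def grab_banner(host: str, port: int = 22, timeout: float = 5.0) -> bytes:
    """Read the server's identification line (the SSH server speaks first, so no request is sent)."""
    with socket.create_connection((host, port), timeout=timeout) as sock, sock.makefile("rb") as f:
        for line in f:                 # RFC 4253 allows other lines before the SSH- line
            if line.startswith(b"SSH-"):
                return line
    raise ValueError("connection closed before an SSH identification string arrived")


def serve_once(banner: bytes) -> int:
    """Throwaway loopback server that sends `banner` to one client; returns its port (offline demo aid)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def handler():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=handler, daemon=True).start()
    return port


if __name__ == "__main__":
    demo_port = serve_once(SAMPLE_BANNER)
    print(parse_ssh_banner(grab_banner("127.0.0.1", demo_port)))
```

Against a real host, replace the loopback port with 22 and compare the `software` field with the version Nmap's `-sV` reports; a mismatch between the two is itself worth noting in the findings.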
Task 5 Identifying Web Application Vulnerabilities
Navigate to http://10.113.181.182 in your browser and view the HTML source of the main page. What internal IP address is referenced in the deployment note comment?
10.10.14.50
Access /profile.php?id=1, then change the id parameter to 2. You can view another user's profile without authorisation. What type of vulnerability is this?
IDOR
Navigate to /admin/. What is the username of the user whose notes contain backup server credentials?
dbadmin
Task 6 Identifying System and Network Vulnerabilities
Connect to the FTP service using anonymous access. What is the filename in the /pub directory that contains the internal network map?
network-map.txt
According to the file, what are the default credentials for the Dev environment? (Format: username:password)
devops:D3vOps2024!
Use smbclient to list shares on the target with a null session. What is the name of the readable share?
shared
Task 7 Triaging and Documenting Findings
You discover an unauthenticated remote code execution vulnerability on an externally facing web server. Which priority tier does this belong to?
1
You find that a service is using a deprecated protocol but cannot identify a clear exploitation path. Which priority tier does this belong to?
3
Task 8 Practical Challenge
What URL path exposes the admin dashboard without any authentication?
admin
What file on the anonymous FTP server reveals that several servers are 3+ months behind on patches?
maintenance-schedule.txt
What is the default temporary password assigned to new employees according to the SMB share's onboarding document?
Welcome2024!
Task 9 Conclusion
I can now do basic vulnerability assessment and exploitation!
No answer needed