TryHackMe - Web Enumeration - Walkthrough
Introduction
Today we're going to be doing a walkthrough for the Web Enumeration room hosted at https://tryhackme.com/room/webenumerationv2. For this walkthrough, we'll be using two virtual machines (VMs): the TryHackMe AttackBox VM as our attacking machine, and the deployed vulnerable Web clients as the victim machines.
Task 1 - Introduction
Questions
Let's get started
No answer needed
Task 2 - Manual Enumeration
Questions
I gotcha!
No answer needed
Task 3 - 1. Introduction to Gobuster
Questions
No questions
No answer needed
Task 4 - 1.1 Gobuster Modes
Questions
I get the hang of it!
No answer needed
Task 5 - 1.2 Useful Wordlists
Questions
No questions
No answer needed
Task 6 - 1.3 Practical: Gobuster (Deploy #1)
Questions
Run a directory scan on the host. Other than the standard css, images and js directories, what other directories are available?
echo "10.10.164.99 webenum.thm" >> /etc/hosts
gobuster dir -t 16 -u http://webenum.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
Run a directory scan on the host. In the "C******" directory, what file extensions exist?
gobuster dir -x js,json,txt,html,conf -t 64 -u http://webenum.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
There's a flag out there that can be found by directory scanning! Find it!
gobuster dir -x txt,php -t 64 -u http://webenum.thm -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
curl http://webenum.thm/VIDEO/****.****
There are some virtual hosts running on this server. What are they?
gobuster vhost -t 64 -u http://webenum.thm -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt
There's another flag to be found in one of the virtual hosts! Find it!
echo "10.10.164.99 learning.webenum.thm" >> /etc/hosts; echo "10.10.164.99 products.webenum.thm" >> /etc/hosts
gobuster dir -x txt,php -t 64 -u http://products.webenum.thm/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
curl http://products.webenum.thm/*****.****
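Seen from the web server's side, the gobuster dir runs in Task 6 leave a recognisable pattern in the access log: each wordlist entry is requested bare and again with every -x extension, and nearly all of those requests return 404. The Python below is an added example, not part of the room or the original walkthrough; the log format, IP addresses, paths and thresholds are constructed assumptions.

```python
import os.path
import re
from collections import defaultdict

# Matches the start of an Apache-style access log line: client, request path, status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')

def build_sample_log():
    """Constructed sample log: one directory scanner and one ordinary visitor."""
    ts = "[01/Jan/2024:10:00:00 +0000]"
    lines = []
    for word in ["admin", "backup", "login", "test", "old", "dev"]:
        for ext in ["", ".txt", ".php"]:  # fan-out produced by "-x txt,php"
            lines.append(f'10.10.5.7 - - {ts} "GET /{word}{ext} HTTP/1.1" 404 196')
    lines.append(f'10.10.5.7 - - {ts} "GET /css HTTP/1.1" 301 178')
    for path, status in [("/", 200), ("/css/site.css", 200), ("/favicon.ico", 404)]:
        lines.append(f'10.10.9.20 - - {ts} "GET {path} HTTP/1.1" {status} 512')
    return "\n".join(lines)

def find_scanners(log_text, min_bases=5, min_variants=3, min_404_ratio=0.8):
    """Flag clients that probe many base names with several extensions each
    and receive mostly 404 responses."""
    variants = defaultdict(lambda: defaultdict(set))  # ip -> base path -> extensions seen
    total = defaultdict(int)
    missing = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, path, status = m.group(1), m.group(2).split("?", 1)[0], m.group(3)
        base, ext = os.path.splitext(path)
        variants[ip][base].add(ext)
        total[ip] += 1
        missing[ip] += status == "404"
    flagged = {}
    for ip, bases in variants.items():
        fanned = sum(1 for exts in bases.values() if len(exts) >= min_variants)
        if fanned >= min_bases and missing[ip] / total[ip] >= min_404_ratio:
            flagged[ip] = {"fanned_out_bases": fanned,
                           "requests": total[ip],
                           "not_found": missing[ip]}
    return flagged

if __name__ == "__main__":
    print(find_scanners(build_sample_log()))
```

The thresholds need tuning against real traffic; a per-client time window would be the next refinement for a busy server.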
Task 7 - 2 Introduction to WPScan
Questions
Let's explore WPScan!
No answer needed
Task 8 - 2.1 WPScan Modes
Questions
What would be the full URL for the theme "twentynineteen" installed on the WordPress site: "http://cmnatics.playground"
Answer contained within Task description
What argument would we provide to enumerate a WordPress site?
Answer contained within Task description
What is the name of the other aggressiveness profile that we can use in our WPScan command?
Answer contained within Task description
Task 9 - 2.2 Practical: Gobuster (Deploy #2)
Questions
Enumerate the site, what is the name of the theme that is detected as running?
echo "10.10.250.131 wpscan.thm" >> /etc/hosts
Open Firefox browser
view-source:http://wpscan.thm/
ctrl+f search: theme
WPScan says that this theme is out of date, what does it suggest is the number of the latest version?
wpscan --url http://wpscan.thm/ --enumerate t
Enumerate the site, what is the name of the plugin that WPScan has found?
wpscan --url http://wpscan.thm/ --enumerate p --plugins-detection passive
Enumerate the site, what username can WPScan find?
wpscan --url http://wpscan.thm/ --enumerate u
Construct a WPScan command to brute-force the site with this username, using the rockyou wordlist as the password list. What is the password to this user?
wpscan --url http://wpscan.thm/ --passwords /usr/share/wordlists/rockyou.txt --usernames phreakazoid
Task 10 - 3 Introduction to Nikto
Questions
Let's dive into the world of Nikto
No answer needed
Task 11 - 3.1 Nikto Modes
Questions
What argument would we use if we wanted to scan port 80 and 8080 on a host?
Answer contained within Task description
What argument would we use if we wanted to see any cookies given by the web server?
Answer contained within Task description
Task 12 - 3.2 Nikto Practical (Deploy #3)
Questions
What is the name & version of the web server that Nikto has determined running on port 80?
nikto -h http://10.10.44.142
There is another web server running on another port. What is the name & version of this web server?
nikto -h 10.10.44.142 -p 8080
What is the name of the Cookie that this JBoss server gives?
nikto -h 10.10.44.142 -p 8080 -Display 2
Task 13 - 4 Conclusion
Questions
I'll check these out!!
No answer needed
Finish