TL;DR Walkthrough of the TryHackMe Python for Pentesters room, part of the Pentest+ pathway.
A full list of our TryHackMe walkthroughs and cheatsheets is here.
Background
Unlike the PowerShell for Pentesters room, TryHackMe provided all the Python code needed to complete the tasks and find the answers. Hence I just skimmed through THM's Python code, used the normal tools like nmap and hydra, and found the answers. I then wrote some PowerShell to do some of the tasks because I like PowerShell.
As always, if this walkthrough skips over a question or task it is because no answer is needed.
-- Task 1 --
What other tool can be used to convert Python scripts to Windows executables?
py2exe
-- Task 2 --
What other protocol could be used for subdomain enumeration?
DNS
What function does Python use to get the input from the command line?
sys.argv
-- Task 3 --
How many directories can your script identify on the target system? (extensions are .html)
Download wordlist2.txt from Task Files, then append the .html extension to every entry in PowerShell:
$Lines = Get-Content .\wordlist2.txt
ForEach($Line in $Lines)
{$Line + ".html" | Add-Content .\wordlist3.txt}
Copy wordlist3.txt over to Kali and run:
dirb http://10.10.50.48 ./wordlist3.txt
I get 4:
- http://10.10.50.48/surfer.html (CODE:200|SIZE:432)
- http://10.10.50.48/private.html (CODE:200|SIZE:667)
- http://10.10.50.48/apollo.html (CODE:200|SIZE:32)
- http://10.10.50.48/index.html (CODE:200|SIZE:362)
Alt PowerShell method:
$Target = "10.10.50.48"
$Pages = Get-Content ".\THM stuff\THM Writeups\Python Basics\wordlist3.txt"
ForEach($Page in $Pages)
{
    # Invoke-WebRequest needs a scheme in the URI, and a 404 throws an error instead of
    # returning a response object, so suppress errors and test the status code afterwards.
    $Response = Invoke-WebRequest -Uri "http://$Target/$Page" -UseBasicParsing -ErrorAction SilentlyContinue
    If($Response.StatusCode -eq 200)
    {Write-Host "/$Page"}
}
What is the location of the login page?
private.html
Where did you find a cryptic hash?
apollo.html
The hash, BTW, is cd13b6a6af66fb774faa589a9d18f906. I pasted it into CrackStation.net, which identified it as MD5 with the cleartext "rainbow".
Where are the usernames located?
surfer.html
What is the password assigned to Rabbit?
Notes for Matt
Passwords set are:
Password for Madhatter set to MyCupOfTea
Password for Rabbit set to LOUSYRABBO
Password for Alice set to OnWithTheirHeads
Users created are:
tiffany
daniel
jim
mike
-- Task 4 --
What module was used to create the ARP request packets?
scapy
Which variable would you need to change according to your local IP block?
ip_range
What variable would you change to run this code on a system with the network interface named ens33?
interface
-- Task 5 --
What protocol will most likely be using TCP port 22?
SSH
What module did we import to be able to use sockets?
socket
What function is likely to fail if we didn’t import sys?
sys.stdout.flush
How many ports are open on the target machine?
sudo nmap -Pn -p- 10.10.121.16
22/tcp open ssh
80/tcp open http
2100/tcp open amiganetfs
Alt PowerShell method:
$ErrorActionPreference = "SilentlyContinue"   # assignment (=), not a comparison (-eq)
$Target = "192.168.0.1"
$LowEnd = 0
$HighEnd = 2048
$X = 0
Do
{
    $CurrentPort = $LowEnd + $X
    # Test-NetConnection waits for the TCP timeout on filtered ports, so this is slow but simple.
    if((Test-NetConnection -ErrorAction SilentlyContinue $Target -Port $CurrentPort).TcpTestSucceeded)
    {$CurrentPort | Out-File .\OpenPorts.txt -Append}
    $X = $X + 1
}
While($CurrentPort -lt $HighEnd)
What is the highest port number open on the target system?
2100
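A Python TCP connect scanner in the spirit of the room's socket exercise, written here as an added example (not the room's or the author's code). It opens its own throwaway listener on 127.0.0.1 so it has a known-open port to find offline, uses a socket timeout so filtered ports don't hang the loop, and shows the sys.stdout.flush() progress marker that is why the room imports sys.

```python
import socket
import sys


def start_listener(host="127.0.0.1"):
    """Open a throwaway TCP listener on an OS-chosen port so the scanner has a
    known-open port to find. The kernel completes the handshake from the listen
    backlog, so nothing needs to call accept(). Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))          # port 0 = let the OS pick a free one
    srv.listen(5)
    return srv, srv.getsockname()[1]


def scan_ports(host, ports, timeout=0.5):
    """Return the sorted list of ports that accept a TCP connection.

    connect_ex() returns 0 on success and an errno otherwise instead of raising,
    which keeps the loop free of try/except. The timeout bounds how long a
    filtered (silently dropped) port can stall the scan."""
    open_ports = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            if s.connect_ex((host, port)) == 0:
                open_ports.append(port)
        # One dot per port as a progress marker. Without flush() the dots sit in
        # the output buffer until the scan ends, which is the room's sys question.
        sys.stdout.write(".")
        sys.stdout.flush()
    sys.stdout.write("\n")
    return sorted(open_ports)


if __name__ == "__main__":
    srv, port = start_listener()
    try:
        # Scan a small window around our own listener: only 'port' should be open.
        print("open:", scan_ports("127.0.0.1", range(port - 2, port + 3)))
    finally:
        srv.close()
```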
-- Task 6 --
What is the function used to connect to the target website?
requests.get()
Alt PowerShell method to download the file
Invoke-WebRequest -Uri "https://download.sysinternals.com/files/PSTools.zip" -OutFile .\PSTools.zip
What step of the Unified Cyber Kill Chain can PSexec be used in?
lateral movement
-- Task 7 --
What is the hash you found during directory enumeration?
cd13b6a6af66fb774faa589a9d18f906
What is the cleartext value of this hash?
MD5 / rainbow
Modify the script to work with SHA256 hashes.
No answer needed
Using the modified script find the cleartext value for 5030c5bd002de8713fef5daebd597620f5e8bcea31c603dccdfcdf502a57cc60
redwings
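The "modify the script to work with SHA256" step amounts to parameterising the hash function, so here is an added example (not the room's script or the author's code) that does the wordlist lookup for any hashlib algorithm and guesses MD5 versus SHA-256 from the digest length. The wordlist is a constructed stand-in for wordlist2.txt; the lookup only works because these are unsalted digests of words that appear in the list.

```python
import hashlib

# Constructed mini wordlist standing in for the room's wordlist2.txt.
WORDLIST = ["password", "rainbow", "trustno1", "redwings", "letmein"]


def hash_word(word, algorithm):
    """Hex digest of a candidate word under the named hashlib algorithm."""
    if algorithm not in hashlib.algorithms_available:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return hashlib.new(algorithm, word.encode()).hexdigest()


def guess_algorithm(digest):
    """Guess the algorithm from hex length: 32 chars => MD5, 64 => SHA-256.
    Returns None for anything else rather than guessing wrong."""
    return {32: "md5", 64: "sha256"}.get(len(digest))


def find_preimage(digest, algorithm=None, wordlist=WORDLIST):
    """Return the wordlist entry whose digest matches, or None if none does.

    The digest is normalised to lower case so a pasted upper-case hash still
    matches hashlib's lower-case hexdigest(). Every word is hashed with the
    same algorithm; switching MD5 to SHA-256 is just a different name here."""
    digest = digest.strip().lower()
    algorithm = algorithm or guess_algorithm(digest)
    if algorithm is None:
        return None
    for word in wordlist:
        if hash_word(word, algorithm) == digest:
            return word
    return None


if __name__ == "__main__":
    # The two hashes from the room: the MD5 one from Task 3 and the SHA-256 one above.
    for h in ["cd13b6a6af66fb774faa589a9d18f906",
              "5030c5bd002de8713fef5daebd597620f5e8bcea31c603dccdfcdf502a57cc60"]:
        print(h, "->", find_preimage(h))
```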
-- Task 8 --
What package installer was used?
pip3
What line in this code would you change to stop the result from being printed on the screen?
keyboard.play(keys)
Alternatively, there is a simple keylogger in PowerShell here.
-- Task 9 --
What username starting with the letter “t” did you find earlier?
tiffany
What is the SSH password of this user?
hydra -l tiffany -P /home/kali/Downloads/Wordlists/wordlist2.txt ssh://10.10.178.146:22
trustno1
What is the content of the flag.txt file?
THM-737390028
Summary
I took CompTIA Pentest+ back in late 2019. It was a good exam overall, and the material was a great introduction to hydra, Metasploit, Meterpreter, Burp Suite, and all the other common tools that are included on Kali. CompTIA did a good job pounding in the background theory behind what we do on TryHackMe.
One does not have to know how to write PowerShell or Python to pass Pentest+, only how to read and understand a simple function in either. I certainly didn't know PowerShell well at all back when I took that exam.
Pentest+ got me interested in this stuff and in learning the red teamer/pentester/attacker side of things. I like to think that it made me a better auditor and more security-minded overall.
I highly recommend eJPT after taking Pentest+, followed by a hands-on exam that's focused on the specific environment you work in. I worked auditing in a Windows domain, so I did CRTP.
References
Error handling in PowerShell: https://devblogs.microsoft.com/scripting/hey-scripting-guy-how-can-i-use-erroractionpreference-to-control-cmdlet-handling-of-errors/
Cyber Kill Chain: https://www.unifiedkillchain.com/