Python for Pentesters TryHackMe Walkthrough

Rich
5 min readJan 29, 2024

--

TL;DR Walkthrough of the TryHackMe Python for Pentesters room, part of the Pentest+ pathway.

A full list of our TryHackMe walkthroughs and cheatsheets is here.

Background

Unlike the PowerShell for Pentesters room, TryHackMe provided all the Python code to complete the tasks and find the answers. Hence I just skimmed through THM’s Python code, used the normal tools like nmap and hydra, and found the answers. I then wrote some PowerShell to do some of the tasks because I like Powershell.

As always, if this walkthrough skips over a question or task it is because no answer is needed.

— — Task 1 — -

What other tool can be used to convert Python scripts to Windows executables?

py2exe

— — Task 2 — -

What other protocol could be used for subdomain enumeration?

DNS

What function does Python use to get the input from the command line?

sys.argv

— — Task 3 — -

How many directories can your script identify on the target system? (extensions are .html)

Download the wordlist2.txt in Task Files, then in PowerShell:

$Lines = Get-Content .\wordlist2.txt
ForEach($Line in $Lines)
{$Line + ".html" | Add-Content .\wordlist3.txt}

copy/paste that to Kali and:

dirb http://10.10.50.48 ./wordlist3.txt

I get 4:

Alt PowerShell method:

$Target = "10.10.50.48"
$Pages = Get-Content ".\THM stuff\THM Writeups\Python Basics\wordlist3.txt"
ForEach($Page in $Pages)
{
If((Invoke-WebRequest -Uri "$Target/$Page").StatusCode -eq 200)
{Write-Host "/$Page"}
}

What is the location of the login page?

private.html

Where did you find a cryptic hash?

apollo.html

The hash, BTW, is cd13b6a6af66fb774faa589a9d18f906. I used CrackStation.net and got that it’s MD5, and is “rainbow”.

Where are the usernames located?

surfer.html

What is the password assigned to Rabbit?

Notes for Matt

Passwords set are:
Password for Madhatter set to MyCupOfTea
Password for Rabbit set to LOUSYRABBO
Password for Alice set to OnWithTheirHeads

Users created are:
tiffany
daniel
jim
mike

— — Task 4 — -

What module was used to create the ARP request packets?

scapy

Which variable would you need to change according to your local IP block?

ip_range

What variable would you change to run this code on a system with the network interface named ens33?

interface

— — Task 5 — -

What protocol will most likely be using TCP port 22?

SSH

What module did we import to be able to use sockets?

socket

What function is likely to fail if we didn’t import sys?

sys.stdout.flush

How many ports are open on the target machine?

sudo nmap -Pn -p- 10.10.121.16

22/tcp open ssh

80/tcp open http

2100/tcp open amiganetfs

Alt PowerShell method:

$ErrorActionPreference -eq "SilentlyContinue"
$Target -eq "192.168.0.1"
$LowEnd = 0
$HighEnd = 2048
$X = 0

Do
{
$CurrentPort = $LowEnd + $X
if((Test-NetConnection -ErrorAction SilentlyContinue $Target -Port $CurrentPort).TcpTestSucceeded)
{$CurrentPort | Out-File .\OpenPorts.txt -Append}
$X = $X + 1
}
While($CurrentPort -lt $HighEnd)

What is the highest port number open on the target system?

2100

— — Task 6 — -

What is the function used to connect to the target website?

requests.get()

Alt PowerShell method to download the file

Invoke-WebRequest -Uri “https://download.sysinternals.com/files/PSTools.zip" -OutFile .\PSTools.zip

What step of the Unified Cyber Kill Chain can PSexec be used in?

lateral movement

— — Task 7 — -

What is the hash you found during directory enumeration?

cd13b6a6af66fb774faa589a9d18f906

What is the cleartext value of this hash?

MD5 / rainbow

Modify the script to work with SHA256 hashes.

No answer needed

Using the modified script find the cleartext value for 5030c5bd002de8713fef5daebd597620f5e8bcea31c603dccdfcdf502a57cc60

redwings

— — Task 8 — -

What package installer was used?

pip3

What line in this code would you change to stop the result from being printed on the screen?

keyboard.play(keys)

Alternatively, there is a simple keylogger in PowerShell here.

— — Task 9 — -

What username starting with the letter “t” did you find earlier?

tiffany

What is the SSH password of this user?

hydra -l tiffany -P /home/kali/Downloads/Wordlists/wordlist2.txt ssh://10.10.178.146:22

trustno1

What is the content of the flag.txt file?

THM-737390028

Summary

I took CompTIA Pentest+ back in late 2019. It was a good exam overall, and the material was a great introduction to hydra, Metasploit, Meterpreter, Burp Suite, and all the other common tools that are included on Kali. CompTIA did a good job pounding in the background theory to what we do on TryHackMe.

One does not have to know how to write PowerShell or Python to pass Pentest+, only how to read and understand a simple function in either. I certainly didn’t know PowerShell well at all back when I took that exam.

Pentest+ got me interested in this stuff and learning the red teamer/pentester/attacker side of things. I like to think that it made me a better auditor and more security minded overall.

I highly recommend eJPT after taking Pentest+, followed by a hands on exam that’s focused on the specific environment you work in. I worked auditing in a Windows domain, so I did CRTP.

References

Error handling in PowerShell: https://devblogs.microsoft.com/scripting/hey-scripting-guy-how-can-i-use-erroractionpreference-to-control-cmdlet-handling-of-errors/

Cyber Kill Chain: https://www.unifiedkillchain.com/

--

--

Rich
Rich

Written by Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.