THM: Nessus

Description:


TryHackMe made getting familiar with Nessus nice and easy with this free room of 5 tasks.

My impression is that the room authors' writing is clear and the explanations are easy to follow; you won't have much trouble with this room unless you don't allocate enough system resources to install Nessus. Yes, you have to install Nessus on your own machine and connect with the OpenVPN configuration file provided with your THM account; neither the AttackBox nor a subscription will help you with that.

So, the installation will take some time… You will probably want to move on to something else in the meantime or sleep on it.

Read the instructions provided in the room; I will post here only the tasks that need answers, the screenshots that lead to the answers, and spoilers. These are tasks 3-5.

So as not to spoil it for anyone interested, the answers are hidden: click on a question below and its answer will reveal itself. Let's go!

TASK 3: Navigation and Scans

What is the name of the button which is used to launch a scan?
Answer: New Scan

What side menu option allows us to create custom templates?
Answer: Policies

What menu allows us to change plugin properties such as hiding them or changing their severity?
Answer: Plugin Rules

In the ‘Scan Templates’ section after clicking on ‘New Scan’, what scan allows us to see simply what hosts are alive?
Answer: Host Discovery

One of the most useful scan types, which is considered to be ‘suitable for any host’?
Answer: Basic Network Scan

What scan allows you to ‘Authenticate to hosts and enumerate missing updates’?
Answer: Credentialed Patch Audit

What scan is specifically used for scanning Web Applications?
Answer: Web Application Tests

Task 4: Scanning!

Create a new ‘Basic Network Scan’ targeting the deployed VM. What option can we set under ‘BASIC’ (on the left) to set a time for this scan to run? This can be very useful when network congestion is an issue.
Answer: Schedule

Under ‘DISCOVERY’ (on the left) set the ‘Scan Type’ to cover ports 1-65535. What is this type called?
Answer: Port scan (all ports)

What ‘Scan Type’ can we change to under ‘ADVANCED’ for lower bandwidth connection?
Answer: Scan low bandwidth links

After the scan completes, which ‘Vulnerability’ in the ‘Port scanners’ family can we view the details of to see the open ports on this host?
Answer: Nessus SYN scanner

What Apache HTTP Server Version is reported by Nessus?
Answer: 2.4.99

Task 5: Scanning a Web Application!

What is the plugin id of the plugin that determines the HTTP server type and version?
Answer: 10107

What authentication page is discovered by the scanner that transmits credentials in cleartext?
Answer: login.php

What is the file extension of the config backup?
Answer: .bak

Which directory contains example documents? (This will be in a php directory)
Answer: /external/phpids/0.6/docs/examples/

What vulnerability is this application susceptible to that is associated with X-Frame-Options?
Answer: Clickjacking

Other Free Resources:


BTLO Challenge: Log Analysis – Privilege Escalation

Description:


This is a retired Challenge from Blue Team Labs Online, categorized as Easy and CTF-like. You can try to solve it yourself after registering on the platform; like most of their Challenges, this one is also free.
Besides Challenges they also offer Investigations; most of these require a PRO subscription, but head over to the platform and check out the current state.


I found out about this platform from Gerald Auger, Ph.D., book author and chief content creator of Simply Cyber, an information security YouTube channel. Watching his live streams I once won a one-month PRO BTLO subscription, so if you are interested in this field and occasional InfoSec giveaways are your kind of giveaways, you don't want to miss out on his content.


Task:


You are presented with a scenario description, reading material, and a log file from an attacked server.


Looking at the log file above, you have to answer questions about the event that took place. So as not to spoil the Challenge, the answers are hidden: if you want to see them, click on a question below and its answer will reveal itself.

1. What user (other than ‘root’) is present on the server?
Answer: daniel

2. What script did the attacker try to download to the server?
Answer: linux-exploit-suggester.sh

3. What packet analyzer tool did the attacker try to use?
Answer: tcpdump

4. What file extension did the attacker use to bypass the file upload filter implemented by the developer?
Answer: .phtml

5. Based on the commands run by the attacker before removing the php shell, what misconfiguration was exploited in the ‘python’ binary to gain root-level access? 1- Reverse Shell ; 2- File Upload ; 3- File Write ; 4- SUID ; 5- Library load
Answer: 4

Other free resources:
