Understand what Offensive Security entails, and practice breaking into computer systems by exploiting applications and networks. Web Application Security Room | Operating System Security Room | Network Security Room

Cyber Rey
7 min read · Feb 15, 2024

Setting up: Connect to the Tryhackme VM via “Start Machine” button or deploy the machine locally via OpenVPN

Web Application Security TryhackMe Walkthrough

Learn about web applications and explore some of their common security issues.

Task 1: Introduction

Web applications are programs that can be used without installation, as long as a modern web browser is available.

Examples include webmail, online office suites, and online shopping websites. These applications run on remote servers and access data from database servers.

A simple version of the steps an Online Shopping Web Application takes to search for products online

However, security vulnerabilities in web applications can lead to significant losses. Bug bounty programs are offered by companies like Google, Microsoft, and Facebook to reward individuals who discover and report security weaknesses. Rewards can range from a few hundred to tens of thousands of USD, depending on the severity of the vulnerability.

What do you need to access a web application?

Task 2: Web Application Security Risks

When making a purchase on an online shop, you expect to log in, search for products, add a product to cart, specify shipping address, and provide payment details, etc. However, these steps are vulnerable to various attacks such as brute force password guessing, injection of malicious code, and cryptographic failures. The vulnerabilities fall into categories such as:

  • Identification and Authentication Failure: The online shop must confirm the user’s identity and authenticate them before they can use the system. Weaknesses include allowing brute force attacks, allowing weak passwords, and storing passwords in plain text.
  • Broken Access Control: Access control ensures that users can only access files related to their role or work. Vulnerabilities include failing to apply the principle of least privilege, being able to view or modify someone else’s account, and browsing pages that require authentication as an unauthenticated user.
  • Injection: An injection attack refers to the vulnerability where the user can insert malicious code as part of their input due to lack of proper validation and sanitization of the user’s input.
  • Cryptographic Failures: Failures related to cryptography include sending sensitive data in clear text, relying on weak cryptographic algorithms, and using default or weak keys for cryptographic functions.

These vulnerabilities can lead to unauthorized access, data breaches, and weak encryption.
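The first and last categories above side by side with their fixes, as an added example that is not the room's own code: a store that keeps clear-text passwords and never counts attempts, beside one that stores salted scrypt hashes and locks the account after repeated failures. MAX_ATTEMPTS, LOCKOUT_SECONDS and the scrypt parameters are assumed policy values.

```python
import hashlib
import hmac
import os
import time

MAX_ATTEMPTS = 5        # failed logins before the account locks (assumed policy)
LOCKOUT_SECONDS = 900   # lock duration in seconds (assumed policy)

def scrypt_hash(password, salt):
    """Salted, memory-hard hash; the clear-text password is never stored."""
    return hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1)

class WeakUserStore:
    """The 'before': clear-text passwords and unlimited attempts."""
    def __init__(self):
        self.users = {}
    def register(self, username, password):
        self.users[username] = password
    def login(self, username, password):
        return self.users.get(username) == password

class HardenedUserStore:
    """The 'after': salted scrypt hashes plus a lockout after MAX_ATTEMPTS."""
    def __init__(self, clock=time.time):
        self.users = {}      # username -> (salt, hash)
        self.failures = {}   # username -> (failed count, window start)
        self.clock = clock   # injectable so the lockout can be tested
    def register(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, scrypt_hash(password, salt))
    def _failures(self, username):
        count, since = self.failures.get(username, (0, self.clock()))
        if self.clock() - since >= LOCKOUT_SECONDS:
            count, since = 0, self.clock()   # lock window expired: reset
        return count, since
    def is_locked(self, username):
        return self._failures(username)[0] >= MAX_ATTEMPTS
    def login(self, username, password):
        if self.is_locked(username):
            return False                     # refuse even a correct password
        record = self.users.get(username)
        if record and hmac.compare_digest(record[1], scrypt_hash(password, record[0])):
            self.failures.pop(username, None)
            return True
        count, since = self._failures(username)
        self.failures[username] = (count + 1, since)
        return False
```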

You discovered that the login page allows an unlimited number of login attempts without trying to slow down the user or lock the account. What is the category of this security risk?

You noticed that the username and password are sent in cleartext without encryption. What is the category of this security risk?

Task 3: Practical Example of Web Application Security

This task will investigate a vulnerable website that uses Insecure Direct Object References (IDOR). IDOR falls under the category of Broken Access Control. Broken access control means that an attacker can access information or perform actions not intended for them.

Consider the case where a web server receives user-supplied input to retrieve objects (files, data, documents) and that they are numbered sequentially. In the given example, the web server is vulnerable to Insecure Direct Object References (IDOR) as it does not validate user permissions when accessing objects. For example, a user could access other users’ photos, products, or sensitive data by manipulating sequential IDs in the URL. This vulnerability can lead to unauthorized access and potential sabotage, as demonstrated in the Inventory Management System.

💡 Exercise: We will hack the system back and undo the attacker’s steps. On “Your Activity,” you can see the activity of one of the users. We have reason to believe that this website has an IDOR vulnerability.

  • Access the website and click on “View Site” to see the Inventory Management System in action
  • Notice that the “Planned Shipments” tab has been tampered with by an attacker, causing the wrong tires to be sent to each assembly line
  • Access “Your Activity” to view the activity of one of the users

Hack the system to undo the attacker’s steps and fix the mix-up in the planned shipments
Hint: https://inventory-management.thm/activity?user_id=9
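The activity lookup from the exercise above, as an added example (not the Inventory Management System's code): the same `/activity?user_id=N` handler written once without an ownership check, which is the IDOR, and once authorizing against the logged-in session, plus a small detector that flags a session walking through other users' IDs in an access log. ACTIVITY and the log records are constructed sample data.

```python
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

ACTIVITY = {  # user_id -> activity entries (constructed sample data)
    7: ["viewed shipment 101"],
    8: ["changed shipment 102: tyre set A -> B"],
    9: ["changed shipment 103: tyre set C -> D"],
}


def requested_user_id(url):
    """Parse user_id out of a URL such as /activity?user_id=9."""
    query = parse_qs(urlparse(url).query)
    return int(query["user_id"][0])


def activity_vulnerable(session_user_id, url):
    """IDOR: trusts the user_id in the URL and never checks who is asking."""
    return 200, ACTIVITY.get(requested_user_id(url), [])


def activity_fixed(session_user_id, url, is_admin=False):
    """Authorize against the authenticated session, not the supplied id."""
    target = requested_user_id(url)
    if target != session_user_id and not is_admin:
        return 403, []          # someone else's record: forbidden
    return 200, ACTIVITY.get(target, [])


def find_enumerating_sessions(requests, threshold=3):
    """Detection: sessions that asked for `threshold` or more distinct
    user_ids other than their own. `requests` is an iterable of
    (session_user_id, url) pairs taken from an access log."""
    foreign_ids = defaultdict(set)
    for session_user, url in requests:
        target = requested_user_id(url)
        if target != session_user:
            foreign_ids[session_user].add(target)
    return sorted(s for s, ids in foreign_ids.items() if len(ids) >= threshold)
```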

Operating System Security TryhackMe Walkthrough

💡 This introduces users to operating system security and demonstrates SSH authentication on Linux.

Task 1: Introduction to Operating System Security

An operating system (OS) is a crucial layer between computer hardware and the applications and programs you use. It allows programs to access hardware and comes in various forms like MS Windows, macOS, iOS, Android, Chrome OS, and Linux.

Your laptop or desktop computer might be running MS Windows, macOS, Chrome OS, or Linux, while your smartphone might be running Android or iOS.

The OS ensures that your favorite programs can run on your device. It is essential to secure your phone or computer running an OS to protect confidential data, ensuring confidentiality, integrity, and availability.

When we talk about security, we should think of protecting three things:

CIA Triad
  • Confidentiality: You want to ensure that secret and private files and information are only available to intended persons.
  • Integrity: It is crucial that no one can tamper with the files stored on your system or while being transferred on the network.
  • Availability: You want your laptop or smartphone to be available to use anytime you decide to use it.

Which of the following is not an operating system?

Task 2: Common Examples of OS Security

Security is concerned with attacks against confidentiality, integrity, and availability.

In this context, we will focus on three weaknesses targeted by malicious users:

  • Authentication and Weak passwords: Authentication involves verifying identity through something you know (e.g., a password), something you are (e.g., a fingerprint), or something you have (e.g., a phone for receiving SMS). Weak passwords are commonly targeted, with many users using easily guessable passwords or reusing the same password for multiple accounts.
  • Weak file permissions can compromise confidentiality and integrity by allowing unauthorized access and modification.
  • Malicious programs, such as Trojan horses and ransomware, can also pose security threats by providing attackers with access to files or encrypting them to demand ransom for restoration.

It is important to use complex passwords, avoid reusing passwords, and implement proper file permissions to mitigate these security risks.
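An added example (not part of the room) for the "weak file permissions" weakness above: a small audit that walks a directory and reports files any local user can modify (world-writable) or that run with elevated rights (setuid/setgid), together with a `harden` helper that clears those bits. It assumes a Linux or macOS filesystem.

```python
import os
import stat


def permission_findings(path):
    """Return the list of problems for one path, or [] when it looks sane."""
    mode = os.lstat(path).st_mode
    findings = []
    if stat.S_ISLNK(mode):
        return findings                 # judge the target, not the link itself
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    if mode & stat.S_ISUID:
        findings.append("setuid")
    if mode & stat.S_ISGID and stat.S_ISREG(mode):
        findings.append("setgid")
    return findings


def audit_tree(root):
    """Walk `root` and map every path that has findings to its problem list."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            problems = permission_findings(full)
            if problems:
                report[full] = problems
    return report


def harden(path):
    """Remove write access for 'other' and clear the setuid/setgid bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & ~(stat.S_IWOTH | stat.S_ISUID | stat.S_ISGID))
```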

Which of the following is a strong password, in your opinion?

Task 3: Practical Example of OS Security

In this task, we will try to hack into a Linux system.

💡 Scenario: We were hired to check the security of a certain company.

When we visited our client’s office, we noticed a sticky note with two words: sammie and dragon on one of the screens.

  • Try logging in to the target machine MACHINE_IP using ssh sammie@MACHINE_IP with password dragon
  • Confirm the login as Sammie using the whoami command

Network Security TryhackMe Walkthrough

💡 Learn about network security, understand attack methodology, and practice hacking into a target server.

Task 1: Introduction

A computer network is a group of connected computers and devices.

Network security focuses on protecting these devices and the connections between them to ensure confidentiality, integrity, and availability of data. It involves:

  • Hardware solutions such as a firewall, an Intrusion Detection System (IDS), an Intrusion Prevention System (IPS), and a Virtual Private Network (VPN)
  • Software solutions such as antivirus and host firewalls

According to the Cost of a Data Breach Report 2021 by IBM Security, the average cost of a data breach in 2021 was $4.24 million per incident, with variations based on sector and country.

What type of Firewall is Windows Defender Firewall?

Task 2: Methodology

Breaking into a target network usually includes a number of steps. According to Lockheed Martin, the Cyber Kill Chain has seven steps:

Cyber Kill Chain
  1. Recon: Recon, short for reconnaissance, refers to the step where the attacker tries to learn as much as possible about the target. Information such as the types of servers, operating system, IP addresses, names of users, and email addresses, can help the attack’s success.
  2. Weaponization: This step refers to preparing a file with a malicious component, for example, to provide the attacker with remote access.
  3. Delivery: Delivery means delivering the “weaponized” file to the target via any feasible method, such as email or USB flash memory.
  4. Exploitation: When the user opens the malicious file, their system executes the malicious component.
  5. Installation: The previous step should install the malware on the target system.
  6. Command & Control (C2): The successful installation of the malware provides the attacker with a command and control ability over the target system.
  7. Actions on Objectives: After gaining control over one target system, the attacker carries out their objectives. One example objective is Data Exfiltration (stealing a target’s data).

During which step of the cyber kill chain does the attacker gather information about the target?

Task 3: Practical Example of Network Security

  • Nmap (nmap [MACHINE_IP]) scan reveals three open ports: 21 (FTP), 22 (SSH), and 80 (HTTP).

What is the password in the secret.txt file?

Let’s exploit the open FTP (File Transfer Protocol) port:

  • Connect to the target FTP server (ftp [MACHINE_IP]) using the anonymous username
  • List (ls) the available files on the FTP server
  • Retrieve the “secret.txt” file using the get secret.txt command
  • Confirm the successful transfer of the file by
  • Exit the FTP client (exit)
  • Back in the local shell, check that “secret.txt” is present with ls and read it with cat secret.txt

We discover the following password: ABC789xyz1...

What is the content of the flag.txt in the /root directory?

  • Use the discovered password to SSH into the machine as the root user: ssh root@[MACHINE_IP]
  • Use the following commands: whoami → ls → cat flag.txt

What is the content of the flag.txt in the /home/librarian directory?

Use the following commands: pwd → ls → cd /home/librarian → cat flag.txt
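From the defender's side of the steps above, as an added example (not the room's code): a detector that reads FTP and SSH log lines, reports files fetched in anonymous FTP sessions and password logins as root, and correlates the two by client address. The sample lines are constructed and only modelled on vsftpd and OpenSSH auth.log output; real logs may differ slightly, so the regexes are assumptions to adjust.

```python
import re

# Constructed sample log lines (not captured from a real host).
FTP_LOG = """\
Thu Feb 15 10:02:11 2024 [pid 2] [ftp] OK LOGIN: Client "10.10.14.5", anon password "?"
Thu Feb 15 10:02:20 2024 [pid 2] [ftp] OK DOWNLOAD: Client "10.10.14.5", "/secret.txt", 12 bytes, 0.10Kbyte/sec
Thu Feb 15 10:03:02 2024 [pid 3] [librarian] OK LOGIN: Client "10.10.20.7"
"""
SSH_LOG = """\
Feb 15 10:05:01 library sshd[1337]: Accepted password for root from 10.10.14.5 port 51234 ssh2
Feb 15 10:06:40 library sshd[1402]: Accepted publickey for librarian from 10.10.20.7 port 40022 ssh2
"""

# In vsftpd-style logs the bracketed name is the FTP user; anonymous shows as [ftp].
FTP_RE = re.compile(r'\[(?P<user>[^\]]+)\] OK (?P<event>LOGIN|DOWNLOAD): '
                    r'Client "(?P<ip>[\d.]+)"(?:, "(?P<path>[^"]+)")?')
SSH_RE = re.compile(r'Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+)')


def ftp_events(text):
    """Parse every recognisable FTP log line into a dict of its fields."""
    return [m.groupdict() for m in map(FTP_RE.search, text.splitlines()) if m]


def anonymous_downloads(text):
    """(client ip, path) for each file pulled over an anonymous session."""
    return [(e["ip"], e["path"]) for e in ftp_events(text)
            if e["event"] == "DOWNLOAD" and e["user"] == "ftp"]


def root_password_logins(text):
    """Client ips that authenticated as root with a password rather than a key."""
    return [m.group("ip") for m in map(SSH_RE.search, text.splitlines())
            if m and m.group("user") == "root" and m.group("method") == "password"]


def correlate(ftp_text, ssh_text):
    """Clients that fetched a file anonymously and then logged in as root."""
    anon_ips = {ip for ip, _ in anonymous_downloads(ftp_text)}
    return sorted(anon_ips & set(root_password_logins(ssh_text)))
```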

Cyber Rey

Technophile | Woman in Cybersecurity | Cybersecurity Awareness Advocate!