1/10 – 10 Days of [THM]

OSI (V.) TCP/IP :

The OSI Model is a good starting point for understanding the fundamentals of networking … but most ‘Real-World’ networking used today is a condensed version of OSI referred to as the “TCP/IP” model.

* Instead of seven layers, TCP/IP uses a ‘5’ Layer Model ;

5. Application (API)

4. Transport

3. Internet

2. Network

1. Physical

TCP/IP is a ‘Connection-Based’ Protocol, meaning a “SYN/ACK” connection must be established between the client and server before any data can be sent between computers.

3-Way Handshake :

  • Client sends a request to the server (SYN)
  • Server responds with an acknowledgment packet (SYN/ACK)
  • Client sends back the (ACK), confirming the data was received and the connection was successful

PORT (V.) Proxy :

Port ( Application Level ) –

A port is a number used to uniquely identify a transaction over a network by specifying both the host and the service. Ports are necessary to differentiate between the many different IP services, such as web service (HTTP), mail service (SMTP), and file transfer (FTP).

Proxy ( Intermediate Level ) –

An intermediate stop in the request where the data packet is analyzed and then delivered on from the proxy to the end location ; can be used to mask identity when connecting to the internet ( Ex. VPN )

2/10 – 10 Days of [THM]

NMAP : A Footprinting tool for – IP / Website / Any Target ( Network discovery, Administration, and Security Auditing )

*Very noisy Scanner (Port Scanner?) – Range of IP Addresses listed

Ports Direct traffic to the right Server Application ; There are 1,024 “well-known” Ports on the Network

Command Example Explained : "nmap -sS -p- -PS22,80,113,33334 -PA80,113,21000 -PU19000 -PE -A -T4 -oA avatartcpscan-121503 6.209.24.0/24 6.207.0.0/22"

(-sS)

Enables the efficient TCP port scanning technique known as SYN scan. Felix would have added a U at the end if he also wanted to do a UDP scan, but he is saving that for later. SYN scan is the default scan type, but stating it explicitly does not hurt.

(-p-)

Requests that Nmap scan every port from 1 – 65535. The default is to scan only ports one through 1024, plus about 600 others explicitly mentioned in the nmap-services database. This option format is simply a shortcut for -p1-65535. He could have specified -p0-65535 if he wanted to scan the rather illegitimate port zero as well. The -p option has a very flexible syntax, even allowing the specification of a differing set of UDP and TCP ports.

(-PS22,80,113,33334 -PA80,113,21000 -PU19000 -PE)

These are all ping types used in combination to determine whether a host is really available and avoid wasting a lot of time scanning IP addresses that are not in use. This particular incantation sends a TCP SYN packet to ports 22, 80, 113, and 33334; a TCP ACK packet to ports 80, 113, and 21000; a UDP packet to port 19000; and a normal ICMP echo request packet. If Nmap receives a response from the target host itself to any of these probes, it considers the host to be up and available for scanning. This is more extensive than the Nmap default, which simply sends an echo request and an ACK packet to port 80. In a pen-testing situation, you often want to scan every host even if they do not seem to be up. After all, they could just be heavily filtered in such a way that the probes you selected are ignored but some other obscure port may be available. To scan every IP whether it shows an available host or not, specify the -PN option instead of all of the above. Felix starts such a scan in the background, though it may take a day to complete.

(-A)

This shortcut option turns on Advanced and Aggressive features such as OS and service detection. At the time of this writing it is equivalent to -sV -sC -O --traceroute (version detection, Nmap Scripting Engine, remote OS detection, and traceroute). More features may be added to -A later.

(-T4)

Adjusts timing to the aggressive level (#4 of 5). This is the same as specifying -T aggressive, but is easier to type and spell. In general, the -T4 option is recommended if the connection between you and the target networks is faster than a dialup modem.

(-oA avatartcpscan-121503)

Outputs results in every format (normal, XML, grepable) to files named avatartcpscan-121503.<extension> where the extensions are .nmap, .xml, and .gnmap respectively. All of the output formats include the start date and time, but Felix likes to note the date explicitly in the filename. Normal output and errors are still sent to stdout* as well.

* stdout is the “C” notation for representing the standard output mechanism for a system, such as the Unix xterm or Windows command window in which Nmap was initiated.
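Added example (not from the THM room or the Nmap book it quotes): a small shell/awk parser for the grepable (.gnmap) file that -oA writes, listing each host's open ports and answering the defender's question "which of my hosts expose port X". The scan content below is constructed; the field layout is the real gnmap format (tab-separated Host / Ports / Ignored State fields, each port written as port/state/proto/owner/service/rpc/version/).

```shell
#!/bin/sh
# Constructed .gnmap content standing in for avatartcpscan-121503.gnmap.
# Fields on each line are separated by a literal TAB.
gnmap_sample() {
  printf 'Host: 10.0.0.5 ()\tStatus: Up\n'
  printf 'Host: 10.0.0.5 ()\tPorts: 22/open/tcp//ssh//OpenSSH 7.4/, 80/open/tcp//http//Apache httpd 2.4/, 135/filtered/tcp//msrpc///\tIgnored State: closed (65532)\n'
  printf 'Host: 10.0.0.6 (win7)\tStatus: Up\n'
  printf 'Host: 10.0.0.6 (win7)\tPorts: 445/open/tcp//microsoft-ds//Windows 7 SMB/, 3389/closed/tcp//ms-wbt-server///\tIgnored State: closed (65533)\n'
}

# open_ports FILE: one line "ip port/proto service version" per open port.
open_ports() {
  awk -F '\t' '
    /^Host: / && $2 ~ /^Ports: / {
      ip = $1; sub(/^Host: /, "", ip); sub(/ .*/, "", ip)   # drop "(hostname)"
      ports = $2; sub(/^Ports: /, "", ports)
      n = split(ports, p, ", ")
      for (i = 1; i <= n; i++) {
        # port/state/protocol/owner/service/rpc/version/
        split(p[i], f, "/")
        if (f[2] == "open")
          printf "%s %s/%s %s %s\n", ip, f[1], f[3], f[5], f[7]
      }
    }' "$1"
}

# hosts_with_port FILE PORT: hosts that have PORT open (e.g. 445 for SMB),
# the kind of question a defender asks of a scan of their own ranges.
hosts_with_port() {
  open_ports "$1" | awk -v port="$2" '$2 ~ ("^" port "/") { print $1 }'
}

# Stand-alone demo on the constructed sample.
tmp=$(mktemp)
gnmap_sample > "$tmp"
open_ports "$tmp"
printf 'hosts with 445 open: %s\n' "$(hosts_with_port "$tmp" 445)"
rm -f "$tmp"
```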


{NMAP List Scan ( -sL ) : This enumerates every IP address in the given target netblock(s) and does a reverse-DNS lookup (unless -n was specified) on each.}

3/10 – 10 Days of [THM]

NMAP . . .

  • NMAP offers a 5 level “Timing” Template for Scanning (Speed of the scan)

[ ” T5 ” – Timing Template lv. 5 ]

Basic Commands

” -p- ” : Scan ALL Ports available

” -sS ” : SYN ‘Half-Open / Stealth ‘ Scan

” -sT ” : TCP Connect Scan

(-sT) : Tries to perform a 3-Way Handshake on all ports of a target to find out which ones are open based on the response they get (SYN/ACK sent back from Server)

(-sS) : Scans the TCP Port range of a target ; Attempts a 3-Way Handshake

(-p-) : Scans ALL 65,535 Ports

4/10 – 10 Days of [THM]

{ Finish NMAP Course } – Additional “Basic Commands” :

  • “-sN” : NULL scans send a TCP packet to find open ports, but unlike a SYN scan (which sends out a RST packet) a NULL scan sends a completely empty packet (no flags set)
  • “-sX” : XMAS Scan [ sends a malformed TCP packet and expects a RST response for closed ports. It’s referred to as an xmas scan as the flags that it sets (PSH, URG and FIN) give it the appearance of a blinking Christmas tree when viewed as a packet capture in Wireshark. ]

Q- Which common OS may respond to a NULL, FIN or Xmas scan with a RST for every port?

A- Microsoft

Finished Setup of Open_Skipper_2

.Net Downloaded

OpenSkipper.dev Downloaded

#RUN

  • cd to the OpenSkipper folder / run the dotnet command in the terminal / open the IP:Port link in Chrome

5/10 – 10 Days of [THM]

Extra Networking Tools :

  • ‘ whois ‘ – Lets you query who a domain is registered to (Ex. whois Facebook.com)
  • ‘ traceroute ‘ – Counts the number of servers the request jumps to until it reaches the destination
  • ‘ dig ‘ – Similar to the “whois” command in that it finds info on the domain registration ; dig does this through the DNS (Domain Name System) of your choice (Ex. .com / .org / .io / .uk)

[ Recursive DNS servers find the right (matching) IP for the domain you are attempting to send a request to ]

{ THM – Z to H Guide } — >

https://blog.tryhackme.com/going-from-zero-to-hero/

6/10 – 10 Days of [THM]

[THM Room] – The Find Command

The syntax of the command can be broken down as such: ” find / where / what ” . . . ( Firstly you tell the system to find something; secondly you tell it where to look; and finally, you tell it what to look for. )

How To Use The Tool :

Most of the time, you won’t be looking for something in your working directory. The first argument of your find command should be the directory you want to search. The command will search in that directory and in all its subdirectories. So, if you want to search the whole filesystem, your command should begin with find /

Two very useful flags are the -type and -name flags.

With -type, you can use d to only find directories, and f to only find files.

The -name flag is used to specify a name or pattern to look for. You can type the whole name, or use wildcards to specify only part(s) of the name.

If you use wildcards, you need to enclose your pattern in quotes, otherwise the command won’t work as intended. It is useful to know that you can also use the -iname flag; same as -name, but is case insensitive.

Questions :

Q- Find all files whose name ends with “.xml”

A- find / -type f -name "*.xml"

Q- Find all files in the /home directory (recursive) whose name is “user.txt” (case insensitive)

A- find /home -type f -iname user.txt

Q- Find all directories whose name contains the word “exploits”

A- find / -type d -name "*exploits*"

7/10 – 10 Days of [THM]

[THM Room] – The Find Command (finished..)

TYPE Command :

With -type, use:

  • d = //Used to find directories
  • f = //Used to find files

NAME Command :

  • -name flag is used to specify a name or pattern to look for
  • You can type the whole name, or use wildcards to specify only part(s) of the name.
  • use the -iname flag; same as -name, but case insensitive.

USER Command :

-user flag : matches files owned by the given user (Ex. -user root)

SIZE (-size) Command

Formats -n , +n , and n

Here, n is a number

  • -n = //matches values less than n
  • +n = //matches values greater than n
  • n = //matches values exactly equal to n

Size suffixes :

  • c = bytes
  • k = KiB
  • M = MiB

TIME RELATED SEARCHES

Suffixes min and time, for minutes and days (Ex. -amin, -mtime)

The prefixes are a, m, and c, and are used to specify when a file was last accessed, modified, or had its status changed.

Examples :

  1. File was last accessed more than 30 minutes ago, the option “-amin +30” is used
  2. Modified less than 7 days ago, the option -mtime -7
  3. File was modified within the last 24 hours, the option “-mtime 0” is used

Questions (Q) & Answer (A) :

Example: Find all files owned by the user “hacked”

find / -type f -user hacked

Example: Find all files that are exactly 150 bytes in size

find / -type f -size 150c

Example: Find all files in the /home directory (recursive) with size less than 2 KiB and extension “.txt”

find /home -type f -size -2k -name "*.txt"

Example: Find all files that are exactly readable and writeable by the owner, and readable by everyone else (use octal format)

find / -type f -perm 644

Example: Find all files that are only readable by anyone (use octal format)

find / -type f -perm /444

Example: Find all files with write permission for the group “others”, regardless of any other permissions, with extension “.sh” (use symbolic format)

find / -type f -perm -o=w -name "*.sh"

Example: Find all files in the /usr/bin directory (recursive) that are owned by root and have at least the SUID permission (use symbolic format)

find /usr/bin -type f -user root -perm -u=s

Example: Find all files that were not accessed in the last 10 days with extension “.png”

find / -type f -atime +10 -name "*.png"

Example: Find all files in the /usr/bin directory (recursive) that have been modified within the last 2 hours

find /usr/bin -type f -mmin -120

Example: Find all world readable files

find / -perm -o+r

Example: Find all world writable files

find / -perm -o+w

Example: Find all binaries for which the setuid bit is set

find / -perm -4000
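Added example (not part of the THM room): a shell script that builds a scratch directory of files with known sizes and modes and runs the -size and -perm expressions from the answers above, so the three -perm forms can be compared side by side: exact mode (-perm 644), every listed bit set (-perm -o=w, -perm -u=s, -perm -4000) and any listed bit set (-perm /444). The file names and modes are constructed; the -perm / form needs GNU find or a recent BSD find.

```shell
#!/bin/sh
# make_lab: create a scratch directory of constructed files with known
# sizes and modes, and print its path.
make_lab() {
  lab=$(mktemp -d)
  head -c 150  /dev/zero > "$lab/exact150"  && chmod 644  "$lab/exact150"
  head -c 4096 /dev/zero > "$lab/big4k"     && chmod 600  "$lab/big4k"
  printf 'echo hi\n'     > "$lab/script.sh" && chmod 666  "$lab/script.sh"  # world-writable
  head -c 100  /dev/zero > "$lab/suidbin"   && chmod 4755 "$lab/suidbin"    # setuid bit set
  : > "$lab/empty"                          && chmod 000  "$lab/empty"      # no permission bits
  printf '%s\n' "$lab"
}

# find_names DIR FIND-TESTS...: basenames of the regular files under DIR
# that match the tests, sorted and comma-joined for easy comparison.
find_names() {
  dir=$1; shift
  find "$dir" -type f "$@" | sed "s|^$dir/||" | LC_ALL=C sort | paste -sd, -
}

# Stand-alone demo: each expression from the room's answers, side by side.
#   -perm 644    exact mode                 -> exact150
#   -perm -o=w   others-writable bit set    -> script.sh
#   -perm /444   any read bit set           -> everything except the 000 file
#   -perm -u=s / -perm -4000   setuid set   -> suidbin
#   -size 150c   exactly 150 bytes;  -size -2k  at most 1 KiB (find rounds up to whole KiB)
lab=$(make_lab)
for expr in "-perm 644" "-perm -o=w" "-perm /444" "-perm -u=s" "-perm -4000" \
            "-size 150c" "-size -2k"; do
  printf '%-12s -> %s\n' "$expr" "$(find_names "$lab" $expr)"
done
rm -rf "$lab"
```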

8/10 – 10 Days of [THM]

[THM Room] – Google Dorking

LEARN ABOUT CRAWLERS

  • A crawler is used to ‘Index’ content
  • Terms: Crawler / Spider
  • Ex. of the type of content a crawler indexes: ‘Keywords’

BEEPBOOP – ‘Robots.txt’

[Keywords and their Function]

User-agent

Specify the type of “Crawler” that can index your site (the asterisk being a wildcard, allowing all “User-agents”)

Allow

Specify the directories or file(s) that the “Crawler” can index

Disallow

Specify the directories or file(s) that the “Crawler” cannot index

Sitemap

Provide a reference to where the sitemap is located (improves SEO as previously discussed; we’ll come to sitemaps in the next task)

Questions (Q) & Answer (A) :

Q- Where would “robots.txt” be located on the domain “ablog.com”?

A- ablog.com/robots.txt

Q- If a website was to have a sitemap, where would that be located?

A- /sitemap.xml

Q- How would we only allow “Googlebot” to index the website?

A- User-agent: Googlebot

Q- How would we prevent a “Crawler” from indexing the directory “/dont-index-me/”?

A- Disallow: /dont-index-me/

Q- What is the extension of a Unix/Linux system configuration file that we might want to hide from “Crawlers”?

A- .conf
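Added example (not from the THM room): a minimal robots.txt evaluator in shell/awk that applies the four keywords above. The group whose User-agent names the crawler (case-insensitive) is used, otherwise the * group; within the group the longest matching Allow/Disallow prefix wins, Allow winning ties, which is the longest-match rule the major crawlers follow. The robots.txt is constructed; the file is advisory only, so a Disallow line hides nothing from anyone who reads it.

```shell
#!/bin/sh
# Constructed robots.txt: a default (*) group, a Googlebot-specific group
# and a Sitemap line.
robots_sample() {
  cat <<'EOF'
User-agent: *
Disallow: /dont-index-me/
Disallow: /backup/
Allow: /backup/public/

User-agent: Googlebot
Disallow: /private/

Sitemap: https://ablog.example/sitemap.xml
EOF
}

# robots_check UA PATH: prints "allow" or "disallow" for that crawler and path.
robots_check() {
  robots_sample | awk -v ua="$1" -v path="$2" '
    BEGIN { ua = tolower(ua) }
    { sub(/#.*/, ""); sub(/[ \t\r]+$/, "") }           # drop comments and CRLF
    $0 == "" { next }
    tolower($0) ~ /^user-agent:/ {
      name = tolower($0); sub(/^user-agent:[ \t]*/, "", name)
      if (g == 0 || in_rules) { g++; in_rules = 0 }    # a new group starts here
      member[name] = g; next
    }
    tolower($0) ~ /^(allow|disallow):/ {
      type = (tolower($0) ~ /^allow/) ? "A" : "D"
      p = $0; sub(/^[^:]*:[ \t]*/, "", p)
      if (p == "") next                                # empty value = no rule
      in_rules = 1; n[g]++; rtype[g, n[g]] = type; rpath[g, n[g]] = p; next
    }
    END {
      sel = (ua in member) ? member[ua] : ("*" in member) ? member["*"] : 0
      best = -1; verdict = "allow"                     # no matching rule = allowed
      for (i = 1; i <= n[sel]; i++) {
        p = rpath[sel, i]
        if (substr(path, 1, length(p)) != p) continue  # prefix match only
        L = length(p)
        if (L > best || (L == best && rtype[sel, i] == "A")) {
          best = L; verdict = (rtype[sel, i] == "A") ? "allow" : "disallow"
        }
      }
      print verdict
    }'
}

# robots_sitemaps: the Sitemap URLs the file advertises.
robots_sitemaps() {
  robots_sample | awk 'tolower($0) ~ /^sitemap:/ { sub(/^[^:]*:[ \t]*/, ""); print }'
}

# Stand-alone demo.
for ua in Googlebot Bingbot; do
  for p in /dont-index-me/page.html /backup/public/a.txt /backup/db.tar /private/x; do
    printf '%-10s %-26s %s\n' "$ua" "$p" "$(robots_check "$ua" "$p")"
  done
done
robots_sitemaps
```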

Sitemap

“Sitemaps” are indicative resources that are helpful for crawlers, as they specify the necessary routes to find content on the domain. The below illustration is a good example of the structure of a website, and how it may look on a “Sitemap”:

[ Image in Reddit ]

“Sitemaps” are XML formatted. The presence of “Sitemaps” holds a fair amount of weight in influencing the “optimisation” and favorability of a website. As we discussed in the “Search Engine Optimisation” task, these maps make the traversal of content much easier for the crawler!

( Why are “Sitemaps” so Favourable for Search Engines?

Search engines are lazy! Well, better yet – search engines have a lot of data to process. The efficiency of how this data is collected is paramount. Resources like “Sitemaps” are extremely helpful for “Crawlers” as the necessary routes to content are already provided! All the crawler has to do is scrape this content – rather than going through the process of manually finding and scraping. Think of it as using a wordlist to find files instead of randomly guessing their names!

The easier a website is to “Crawl”, the more optimised it is for the “Search Engine” )

GOOGLE DORKING

We can use terms such as “site” (such as bbc.co.uk) and a query (such as “gchq news”) to search the specified site for the keyword we have provided, filtering out content that may be harder to find otherwise. For example, using the “site” and “query” of “bbc” and “gchq”, we have modified the order in which Google returns the results.

< site: bbc.co.uk gchq news >

9/10 – 10 Days of [THM]

[THM Room] – ‘HTTPS’ Web Fundamentals

[Task 2] How do we load websites?

  • What request verb is used to retrieve page content? GET
  • What port do web servers normally listen on? 80
  • What’s responsible for making websites look fancy? css

[Task 3] More HTTP : Verbs and request format

There are 9 different HTTP “verbs”, also known as methods. Each one has a different function. We’ve mentioned GET requests already, these are used to retrieve content.

POST requests are used to send data to a web server, like adding a comment or performing a login.

Q- What verb would be used for a login? // A- POST

The response from a request follows a similar structure to the request made, but the first line describes the status rather than a verb and a path.

The status will normally be a code; you’re probably already familiar with 404: Not Found.

A basic breakdown of the status codes is:

  • 100-199: Information
  • 200-299: Successes (200 OK is the “normal” response for a GET)
  • 300-399: Redirects (the information you want is elsewhere)
  • 400-499: Client errors (You did something wrong, like asking for something that doesn’t exist)
  • 500-599: Server errors (The server tried, but something went wrong on their side)

Q- What status code will you get if you need to authenticate to access some content, and you’re unauthenticated?

A- 401

[Task 4] Cookies, tasty !

10/10 – 10 Days of [THM]

[THM Room] – Metasploit

{ Task 1 }

We initiate the database with: msfdb init

Before starting Metasploit Console , we can view some of the advanced options that we can trigger when starting the console. Check these out now by using the command: msfconsole -h

Q- We can start the Metasploit console on the command line without showing the banner or any startup information as well. What switch do we add to msfconsole to start it without showing this information? This will include the ‘-‘

A- -q

START Metasploit via the command: msfconsole

After using Command: db_status

Q- We’ve connected to the database, which type of database does Metasploit 5 use?

A- postgresql

{ Task 2 }

Cool! We’ve connected to the database, which type of database does Metasploit 5 use?

We used the command db_status to find the type of database used by Metasploit 5 : postgresql.

{ Task 3 }

Let’s go ahead and start exploring the help menu. On the Metasploit prompt type the command: < help > – – – (the Metasploit prompt is where we’ll be after we start Metasploit using msfconsole)

Q – The help menu has a very short one-character alias, what is it?

A – ?

Q- Finding various modules we have at our disposal within Metasploit is one of the most common commands we will leverage in the framework. What is the base command we use for searching?

A- search

Q- Once we’ve found the module we want to leverage, what command we use to select it as the active module?

A- use

Q- How about if we want to view information about either a specific module or just the active one we have selected?

A- info

Q- Metasploit has a built-in netcat-like function where we can make a quick connection with a host simply to verify that we can ‘talk’ to it. What command is this?

A- connect

Q- Entirely one of the commands purely utilized for fun, what command displays the motd/ascii art we see when we start msfconsole (without -q flag)?

A- banner

Q- We’ll revisit these next two commands shortly, however, they’re two of the most used commands within Metasploit. First, what command do we use to change the value of a variable?

A- set

Q- Metasploit supports the use of global variables, something which is incredibly useful when you’re specifically focusing on a single box. What command changes the value of a variable globally?

A- setg

Q- Now that we’ve learned how to change the value of variables, how do we view them? There are technically several answers to this question, however, I’m looking for a specific three-letter command which is used to view the value of single variables.

A- get

Q- How about changing the value of a variable to null/no value?

A- unset

Q- When performing a penetration test it’s quite common to record your screen either for further review or for providing evidence of any actions taken. This is often coupled with the collection of console output to a file as it can be incredibly useful to grep for different pieces of information output to the screen. What command can we use to set our console output to save to a file?

A- spool

Q- Leaving a Metasploit console running isn’t always convenient and it can be helpful to have all of our previously set values load when starting up Metasploit. What command can we use to store the settings/active datastores from Metasploit to a settings file?

This will save within your msf4 (or msf5) directory and can be undone easily by simply removing the created settings file.

A- save

{ Task 4 }

Metasploit consists of 6 MAIN MODULES :

Q- Easily the most common module utilized, which module holds all of the exploit code we will use?

A- exploit

Q- Used hand in hand with exploits, which module contains the various bits of shellcode we send to have executed following exploitation?

A- payload

Q- Which module is most commonly used in scanning and verifying that machines are exploitable? This is not the same as the actual exploitation of course.

A- auxiliary

Q- One of the most common activities after exploitation is looting and pivoting. Which module provides these capabilities?

A- post

Q- Commonly utilized in payload obfuscation, which module allows us to modify the ‘appearance’ of our exploit such that we may avoid signature detection?

A- encoder

Q- Last but not least, which module is used with buffer overflow and ROP attacks?

A- NOP

Q- Not every module is loaded in by default, what command can we use to load different modules?

A- load

{ Task 5 }

Start machine . . .

“Metasploit comes with a built-in way to run nmap and feed it’s results directly into our database. Let’s run that now by using the command : db_nmap -sV MACHINE_IP ”

* This shows what service is running on each port of the “target” (the machine I deployed on THM) :

Port 135 = msrpc

Now that we’ve scanned our victim system, let’s try connecting to it with a Metasploit payload.

First, we’ll have to search for the target payload.

In Metasploit 5 (the most recent version at the time of writing) you can simply type ‘use’ followed by a unique string found within only the target exploit.

For example, try this out now with the following command use icecast

Q- What is the full path for our exploit that now appears on the msfconsole prompt?

A- exploit/windows/http/icecast_header

While that use command with the unique string can be incredibly useful that’s not quite the exploit we want here.

Let’s now run the command ‘search multi/handler’. What is the name of the column on the far left side of the console that shows up next to ‘Name’?

Go ahead and run the command use NUMBER_NEXT_TO exploit/multi/handler wherein the number will be what appears in that far left column (typically this will be 4 or 5).

In this way, we can use our search results without typing out the full name/path of the module we want to use.

{ Task 6 }

” Now that we’ve got a shell into our victim machine, let’s take a look at several post-exploitation modules actions we can leverage!

Most of the questions in the following section can be answered by using the Meterpreter help menu which can be accessed through the ‘help’ command. This menu dynamically expands as we load more modules. “

Q- First things first, our initial shell/process typically isn’t very stable. Let’s go ahead and attempt to move to a different process. First, let’s list the processes using the command ‘ps’. What’s the name of the spool service?

A- spoolsv.exe

Q- Let’s go ahead and move into the spool process or at least attempt to! What command do we use to transfer ourselves into the process? This won’t work at the current time as we don’t have sufficient privileges but we can still try!

A- migrate

Q- Well that migration didn’t work, let’s find out some more information about the system so we can try to elevate. What command can we run to find out more information regarding the current user running the process we are in?

A- getuid

Q- How about finding more information out about the system itself?

A- sysinfo

Q- This might take a little bit of googling, what do we run to load mimikatz (more specifically the new version of mimikatz) so we can use it?

A- load kiwi

Q- Let’s go ahead and figure out the privileges of our current user, what command do we run?

A- getprivs

Q- What command do we run to transfer files to our victim computer?

A- upload

Q- How about if we want to run a Metasploit module?

A- run

Q- A simple question but still quite necessary, what command do we run to figure out the networking information and interfaces on our victim?

A- ipconfig

Q- One quick extra question, what command can we run in our meterpreter session to spawn a normal system shell?

A- shell

[ Still need much more work with Metasploit in real world scenarios before I feel comfortable closing off the subject ]