This series of walkthroughs aims to help complete beginners finish the Pre Security Path on the TryHackMe (thm)[^1] website.
It is based on the learning content provided in the Intro to Offensive Security room.
Task 1 - Hacking your first machine
Our objective in this task is to hack a fake bank application called "FakeBank". Following the steps in the room, we get access to a Linux machine where we can run our commands.
First we print our current working directory (the red circle with the 1 in the screenshot, referred to as #1) and list all files and directories in it (#2).
The following commands were used:
pwd

command name | description
---|---
pwd | print name of current/working directory

ls -hlag

command name | description
---|---
ls | list directory contents
-h | --human-readable: print sizes like 1K, 234M, 2G
-l | use a long listing format
-a | --all: do not ignore entries starting with . (hidden files included)
-g | like -l, but do not list the owner (note: this is not --group-directories-first, which has no single-letter form)
This is done to verify that the wordlist file is right there in our working directory. It contains a list of possible directory names; gobuster will try each of them against the target website (http://fakebank.com/) and report the ones that actually exist.

gobuster -u http://fakebank.com -w wordlist.txt dir

command name | description
---|---
gobuster | used to brute-force URIs (directories and files) as well as DNS subdomains and virtual hosts
-u | the target URL
-w | path to the wordlist
dir | use directory/file enumeration mode

Note that this argument order matches the gobuster version installed on the room's machine. Current gobuster (v3) expects the mode first, i.e. `gobuster dir -u http://fakebank.com -w wordlist.txt`, so adjust if you run it on your own box.
Just like in the tutorial, a hidden page called "/bank-transfer" is found on the target website. Now we can head over and open it in our favorite browser.
Note that we append the path we found to the target website's base URL to get the full URL (http://fakebank.com/bank-transfer).
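To show what gobuster is actually doing in that step, here is a minimal directory brute-forcer written for this walkthrough. It is an added example, not code from the room and not gobuster's own source. It walks a wordlist, requests each word as a path under the base URL, keeps the responses whose status codes gobuster would report by default, and first checks a random path so that a server answering 200 to everything (a "wildcard" or soft-404 setup) does not flood you with false positives. The HTTP fetch is injectable: `fake_fetch`, `FAKE_SITE` and `SAMPLE_WORDLIST` are a constructed stand-in for the target so the script runs offline; only "/bank-transfer" comes from the walkthrough, the other paths are made up for the demo.

```python
"""Minimal directory brute-forcer in the spirit of the gobuster run above.

Added example for this walkthrough; not part of the TryHackMe room and not
gobuster's code. The fetch function is injectable so the logic can be
exercised offline against a constructed fake site.
"""
import random
import string
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Tuple

# Status codes gobuster's dir mode reports by default ("found" means anything but 404).
INTERESTING = {200, 204, 301, 302, 307, 401, 403}


def http_status(url: str, timeout: float = 5.0) -> int:
    """Return the HTTP status code for url without following redirects."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # surface 301/302 instead of following them
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "dir-enum-example"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def wildcard_status(base_url: str, fetch: Callable[[str], int]) -> int:
    """Request a random, almost certainly non-existent path and return its status."""
    junk = "".join(random.choices(string.ascii_lowercase, k=16))
    return fetch(f"{base_url.rstrip('/')}/{junk}")


def enumerate_dirs(base_url: str, wordlist: List[str],
                   fetch: Callable[[str], int] = http_status) -> List[Tuple[str, int]]:
    """Try every word as a path under base_url; return (path, status) hits."""
    base = base_url.rstrip("/")
    baseline = wildcard_status(base, fetch)
    if baseline in INTERESTING:
        # A server that answers every path is not enumerable this way.
        raise RuntimeError(f"wildcard response: random path returned {baseline}")
    found: List[Tuple[str, int]] = []
    for word in wordlist:
        word = word.strip()
        if not word or word.startswith("#"):
            continue  # skip blank lines and comments, as wordlists often have them
        path = "/" + word.lstrip("/")
        status = fetch(base + path)
        if status in INTERESTING:
            found.append((path, status))
    return found


# ---- constructed offline stand-in for the target (not the real fakebank.com) ----
FAKE_SITE: Dict[str, int] = {
    "/": 200,
    "/images": 301,          # made-up path
    "/bank-transfer": 200,   # the hidden page from the walkthrough
    "/admin": 403,           # made-up path
}


def fake_fetch(url: str) -> int:
    """Pretend HTTP client: look the path up in FAKE_SITE, 404 otherwise."""
    path = urllib.parse.urlsplit(url).path or "/"
    return FAKE_SITE.get(path, 404)


# Constructed wordlist; a real run would read wordlist.txt from disk.
SAMPLE_WORDLIST = ["# constructed wordlist", "images", "login", "bank-transfer", "admin", "backup"]


if __name__ == "__main__":
    # Offline demo. Drop the fetch argument to hit a real target with urllib.
    for path, status in enumerate_dirs("http://fakebank.com", SAMPLE_WORDLIST, fake_fetch):
        print(f"{path} (Status: {status})")
```

Running it offline prints /images, /bank-transfer and /admin with their constructed status codes; swapping `fake_fetch` for the default `http_status` and a real wordlist gives you the same enumeration gobuster performs, only far slower because it is single-threaded.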
Filling out the transfer form correctly and sending the money earns us the flag.
But to actually read it, we have to head back to the target site's main page (http://fakebank.com/), where it now appears on the balance page.
With this, answering the questions before proceeding to the next task should not pose any problems.
Question 1: When you’ve transferred money to your account, go back to your bank account page. What is the answer shown on your bank balance page?
flag
Question 2: If you were a penetration tester or security consultant, this is an exercise you’d perform for companies to test for vulnerabilities in their web applications; find hidden pages to investigate for vulnerabilities.
No answer needed
Question 3: Terminate the machine by clicking the red “Terminate” button at the top of the page.
No answer needed
Task 2 - What is Offensive Security?
Read the introduction to offensive security before proceeding to the next task.
Question 1: Read the above.
No answer needed
Task 3 - Careers in cyber security
Get a better idea of the possible careers in cyber security before finishing the task.
With that, we have successfully finished our first room in the module. Remember to terminate the Linux machine if you haven't already, before proceeding to the next room. (See Task 1 for details.)
Question 1: Read the above, and continue with the next room!
No answer needed
[^1]: thm is used as shorthand for TryHackMe from now on.