Offensive Security Intro — Jr Penetration Tester — Introduction to Cyber Security — TryHackMe Walkthrough
Hack your first website (legally in a safe environment) and experience an ethical hacker’s job.
Room URL: https://tryhackme.com/r/room/offensivesecurityintro
Task 1 What is Offensive Security?
“To outsmart a hacker, you need to think like one.”
This is the core of “Offensive Security.” It involves breaking into computer systems, exploiting software bugs, and finding loopholes in applications to gain unauthorized access. The goal is to understand hacker tactics and enhance our system defences.
Beginning Your Learning Journey
In this TryHackMe room, you will be guided through hacking your first website in a legal and safe environment. The goal is to show you how an ethical hacker operates.
But before we do that, let’s review by answering the questions below. Type your answer in the text box after the question and click the “Submit” button. When you’re done, proceed to Task 2.
Answer the questions below
- What involves simulating a hacker’s actions to find vulnerabilities and gain unauthorized access?
Answer: Offensive Security
Task 2 Hacking your first machine
Here at TryHackMe, we use Virtual Machines to create simulated environments that serve as practical complements to rooms.
In this room, we have prepared a fake bank application called Fakebank that you can safely hack. To start this machine, click on the “Start Machine” button at the top right of this task. Your screen should be split in half, showing this content on the left and the newly launched machine on the right. You should see a browser window showing the website below:
If you don’t see the one shown above, use the “Show Split View” button at the top of this page.
Your First Hack
We will use a command-line application called “Gobuster” to brute-force FakeBank’s website to find hidden directories and pages. Gobuster will take a list of potential page or directory names and try accessing a website with each of them; if the page exists, it tells you.
Step 1. Open A Terminal
A terminal, also known as the command line, allows us to interact with a computer without using a graphical user interface. On the machine, open the terminal by clicking on the Terminal icon on the right of the screen.
Step 2. Use Gobuster To Find Hidden Website Pages
Most companies have an admin portal page, giving their staff access to basic admin controls for day-to-day operations. For a bank, an employee might need to transfer money to and from client accounts. Due to human error or negligence, there may be instances when these pages are not made private, allowing attackers to find hidden pages that show or give access to admin controls or sensitive data.
To begin, type the following command into the terminal to find potentially hidden pages on FakeBank’s website using Gobuster (a command-line security application).
gobuster -u http://fakebank.thm -w wordlist.txt dir
The command will run and show you an output similar to this:
Gobuster command to brute-force website pages
ubuntu@tryhackme:~/Desktop$ gobuster -u http://fakebank.thm -w wordlist.txt dir
=====================================================
Gobuster v2.0.1 OJ Reeves (@TheColonial)
=====================================================
[+] Mode : dir
[+] Url/Domain : http://fakebank.thm/
[+] Threads : 10
[+] Wordlist : wordlist.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout : 10s
=====================================================
2024/05/21 10:04:38 Starting gobuster
=====================================================
/images (Status: 301)
/bank-transfer (Status: 200)
=====================================================
2024/05/21 10:04:44 Finished
=====================================================
In the command above, -u states the website we're scanning, and -w takes a list of words to iterate through to find hidden pages.
You will see that Gobuster requests the website with each word in the list and reports the names that exist on the site. A page that exists is indicated by Status: 200 (a directory that redirects shows Status: 301, as /images does above).
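The same scan seen from the server's side, as an added example that is not part of the TryHackMe room or of Gobuster: a wordlist scan shows up in the web server's access log as one client requesting many paths that do not exist within a few seconds. The script below parses Apache/Nginx combined-format log lines, flags any client whose 404 count inside a sliding time window reaches a threshold, and lists what that client did find. The log lines, IP addresses, timestamps and thresholds are constructed for the demonstration.

```python
"""Spotting a directory brute-force in web server access logs.

Added example, not part of the TryHackMe room or of Gobuster itself.
A wordlist scan shows up on the server side as one client requesting
many non-existent paths within a few seconds. This script parses
Apache/Nginx combined-format lines, flags any client whose 404 count
inside a sliding time window reaches a threshold, and lists what that
client did find. Log lines, IPs, timestamps and thresholds are constructed.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Combined log format: ip ident user [ts] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one normal visitor, then a scanner walking a wordlist.
SAMPLE_LOG = """\
192.168.1.20 - - [21/May/2024:10:04:30 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.168.1.20 - - [21/May/2024:10:04:31 +0000] "GET /favicon.ico HTTP/1.1" 404 162 "-" "Mozilla/5.0"
10.0.0.5 - - [21/May/2024:10:04:38 +0000] "GET /admin HTTP/1.1" 404 162 "-" "gobuster/2.0.1"
10.0.0.5 - - [21/May/2024:10:04:38 +0000] "GET /backup HTTP/1.1" 404 162 "-" "gobuster/2.0.1"
10.0.0.5 - - [21/May/2024:10:04:38 +0000] "GET /images HTTP/1.1" 301 178 "-" "gobuster/2.0.1"
10.0.0.5 - - [21/May/2024:10:04:39 +0000] "GET /login HTTP/1.1" 404 162 "-" "gobuster/2.0.1"
10.0.0.5 - - [21/May/2024:10:04:39 +0000] "GET /portal HTTP/1.1" 404 162 "-" "gobuster/2.0.1"
10.0.0.5 - - [21/May/2024:10:04:40 +0000] "GET /secret HTTP/1.1" 404 162 "-" "gobuster/2.0.1"
10.0.0.5 - - [21/May/2024:10:04:40 +0000] "GET /test HTTP/1.1" 404 162 "-" "gobuster/2.0.1"
10.0.0.5 - - [21/May/2024:10:04:41 +0000] "GET /bank-transfer HTTP/1.1" 200 2310 "-" "gobuster/2.0.1"
"""


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), path and status, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_bruteforcers(lines, window_seconds=10, threshold=5):
    """Flag clients that produce >= threshold 404s inside any window_seconds span.

    Returns {ip: {"not_found": total_404s, "found": [(path, status), ...]}}
    for flagged clients only; 'found' lists every non-404 response the
    client received, i.e. the paths the scan actually discovered.
    """
    recent = defaultdict(deque)   # ip -> timestamps of 404s in the current window
    total_404 = Counter()
    hits = defaultdict(list)      # ip -> non-404 (path, status) pairs
    flagged = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts = rec["ip"], rec["ts"]
        if rec["status"] == 404:
            total_404[ip] += 1
            window = recent[ip]
            window.append(ts)
            # Drop misses older than the window; the newest entry always stays.
            while (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()
            if len(window) >= threshold:
                flagged.add(ip)
        else:
            hits[ip].append((rec["path"], rec["status"]))
    return {ip: {"not_found": total_404[ip], "found": hits[ip]} for ip in sorted(flagged)}


if __name__ == "__main__":
    for ip, info in find_bruteforcers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['not_found']} misses; discovered {info['found']}")
```

The normal visitor's single favicon miss never reaches the threshold, while the scanner is flagged on its fifth miss and the report shows the two paths it found, which is exactly what a defender wants to know after noticing the scan. A real deployment would feed this the live log and tune the window and threshold to the site's normal 404 rate.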
Step 3. Hack The Bank
You should have found a secret bank transfer page that allows you to transfer money between bank accounts (/bank-transfer). Type the hidden page into the FakeBank website using the browser's address bar.
From this page, an attacker has what amounts to authorized access and can steal money from any bank account. As an ethical hacker, you would (with permission) find vulnerabilities in their application and report them to the bank to fix them before a hacker exploits them.
Your mission is to transfer $2000 from bank account 2276 to your account (account number 8881). If your transfer was successful, you should now be able to see your new balance reflected on your account page.
Go there now and confirm you got the money! (You may need to hit Refresh for the changes to appear)
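What the bank should have done, as an added example modelling the room's /bank-transfer page (this is not TryHackMe's FakeBank code): transfer_vulnerable behaves like the page you just used, where anyone who knows the path can move money between any two accounts. transfer_hardened adds the checks that were missing: a valid login session, ownership of the source account, and a sane amount. The ledger, session cookies and request objects are constructed for the demonstration; account 8881 starts with a negative balance, as the room's hint describes.

```python
"""A hidden URL is not access control: vulnerable vs. hardened transfer handler.

Added example modelling the room's /bank-transfer page; not TryHackMe's
FakeBank code. Ledger, sessions and requests are constructed.
"""
from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation


def make_ledger():
    """Fresh constructed ledger: account number -> owner and balance."""
    return {
        "2276": {"owner": "alice", "balance": Decimal("5000")},
        "8881": {"owner": "mallory", "balance": Decimal("-1800")},
    }


# Constructed session store: cookie value -> logged-in user
SESSIONS = {"sess-alice": "alice", "sess-mallory": "mallory"}


@dataclass
class Request:
    path: str
    form: dict
    cookies: dict = field(default_factory=dict)


def _move(ledger, src, dst, amount):
    ledger[src]["balance"] -= amount
    ledger[dst]["balance"] += amount


def transfer_vulnerable(req, ledger):
    """Security by obscurity: reaching the URL is the only 'check'."""
    if req.path != "/bank-transfer":
        return 404, "not found"
    _move(ledger, req.form["from"], req.form["to"], Decimal(req.form["amount"]))
    return 200, "transfer complete"


def transfer_hardened(req, ledger):
    """Authenticate the caller, then authorize the specific action."""
    if req.path != "/bank-transfer":
        return 404, "not found"
    user = SESSIONS.get(req.cookies.get("session"))
    if user is None:
        return 401, "login required"          # no session: nobody to authorize
    src, dst = req.form.get("from"), req.form.get("to")
    if src not in ledger or dst not in ledger or src == dst:
        return 400, "unknown account"
    try:
        amount = Decimal(req.form.get("amount", ""))
    except InvalidOperation:
        return 400, "bad amount"
    if amount <= 0:
        return 400, "bad amount"              # a negative amount would reverse the flow
    if ledger[src]["owner"] != user:
        return 403, "not your account"        # the ownership check FakeBank lacks
    if ledger[src]["balance"] < amount:
        return 400, "insufficient funds"
    _move(ledger, src, dst, amount)
    return 200, "transfer complete"


if __name__ == "__main__":
    anon = Request("/bank-transfer", {"from": "2276", "to": "8881", "amount": "2000"})
    print("vulnerable, no login:", transfer_vulnerable(anon, make_ledger()))
    print("hardened, no login:  ", transfer_hardened(anon, make_ledger()))
```

The key line is the ownership check: even a logged-in user must not be allowed to name someone else's account as the source. Hiding the page behind an unguessable path would not have helped here, since Gobuster found it from an ordinary wordlist, and the real fix is the same whether the path is secret or not.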
Answer the questions below
2.1 Above your account balance, you should now see a message indicating the answer to this question. Can you find the answer you need? (Question Hint Make sure your new balance is a positive number. If your balance still shows a negative value (even after refreshing the page), you may need to transfer more money)
Answer: BANK-HACKED
2.2 If you were a penetration tester or security consultant, this is an exercise you’d perform for companies to test for vulnerabilities in their web applications and find hidden pages to investigate for vulnerabilities.
Answer: No answer needed
2.3 Terminate the machine by clicking the red “Terminate” button at the top of the page.
Answer: No answer needed
Task 3 Careers in cyber security
In this room, we’ve talked about offensive security and guided you through hacking your first website in a safe environment. You learned how to use Gobuster to find hidden pages in the target website and transferred a considerable amount of (fake) money to your account.
This is just a glimpse of the challenges you can expect as a member of the offensive security team. However, we want to reiterate that an ethical hacker’s goal is to identify loopholes and report them so that the defensive security team can fix them.
Speaking of defensive security, Intro to Defensive Security is the next room in this module. Learn about what the other team does by following this link here.
If you want to skip ahead and learn more about the topics discussed in this room, the following rooms are recommended:
- Web Enumeration — Learn the methodology of enumerating websites by using tools such as Gobuster, Nikto and WPScan
- Become a Hacker — Learn how TryHackMe can help you become a hacker.
Answer the questions below
Onwards to more learning!