TryHackMe – Pentesting Fundamentals Room Walkthrough
The room can be found here.
Penetration Testing Ethics:
1. “You are given permission to perform a security audit on an organisation; what type of hacker would you be?”
Answer: white hat
2. “You attack an organisation and steal their data, what type of hacker would you be?”
Answer: Black Hat
3. “What document defines how a penetration testing engagement should be carried out?”
Answer: Rules of Engagement
Penetration Testing Methodologies:
The stages are Information Gathering (OSINT), Enumeration/Scanning, Exploitation, Privilege Escalation, and Post-exploitation (sub-stages: pivoting, gathering additional information as a privileged user, covering your tracks, and reporting).
OSSTMM – Open Source Security Testing Methodology Manual
OWASP – Open Web Application Security Project
NIST Cybersecurity Framework 1.1 – National Institute of Standards and Technology
NCSC CAF – National Cyber Security Centre Cyber Assessment Framework
1. “What stage of penetration testing involves using publicly available information?”
Answer: Information Gathering
2. “If you wanted to use a framework for pentesting telecommunications, what framework would you use?
Note: We’re looking for the acronym here and not the full name.”
Answer: OSSTMM
3. “What framework focuses on the testing of web applications?”
Answer: OWASP
Black box, White box, Grey box Penetration Testing:
Black Box testing is high level; the tester is given no information about the inner workings of the app/service.
Grey Box testing is the most popular; the tester has some knowledge of the app/service.
White Box testing is low level and usually done by a software developer, who has full knowledge of the app/service.
1. “You are asked to test an application but are not given access to its source code – what testing process is this?”
Answer: black box
2. “You are asked to test a website, and you are given access to the source code – what testing process is this?”
Answer: white box
Practical: ACME Penetration Test:
Follow the steps in the room to obtain the flag.