Review OSCP path TryHackMe

Ploy Thanasornsawan
5 min readMay 7, 2020

--

Today i would like to review how TryHackMe good for practice to be a pentester. I still not finished OSCP path on TryHackMe yet. As far as i read review blog people talk about prepare OSCP exam.They all recommended HackTheBox and Vulnhub by following TJnull in this link

I review because i think it might have somebody who still noob and then jump to HackTheBox. Level easy on HackTheBox is not easy for normal people in basic skills and still not know technique when see the problem and you will end up yourself by mostly follow write up from other people.

You can connect to each machine on TryHackMe by openvpn or ssh to kali machine on cloud

What’s inside OSCP path on TryHackMe

  • Vulnversity
  • Blue
  • Kenobi
  • Steel Mountain
  • Alfred
  • HackPark
  • Game Zone
  • Skynet
  • Daily Bugle
  • Brainstorm
  • Brainpan 1
  • Hacking with Powershell
  • Corp
  • Lord Of The Root
  • Mr Robot CTF
  • Retro

If you practice all of these rooms, you will know all how to enumeration and pivoting to gain high privilege shell as nmap, gobuster, exploit DB, metasploit, AD attack, buffer overflow, reverse engineering, etc.

and some recommand room: windowsprivescarena to practice windows privilege escalation(https://tryhackme.com/room/windowsprivescarena)

Review some machine in OSCP path

For example, HackerPark it will provided tutorial video for you and guide you to find answer step by step to gain shell by use Metasploit and manual exploit without Mestasploit by use ExploitDB (other room may not have tutorial video but you can see write up if you follow step and stuck on the middle)
and learn burpsuit to use with Hydra bruteforce login and try winPEAS.bat to see inforamtion on machine.

It is up to you which technique you want to use from result show after run winPEAS on target machine but in this tutorial use WindowsScheduler.exe

The IP address can change all time when you terminate and Deploy again

Each task will have guide show how to use command and answer box when you do it in the correct way

Okays, you may see how to play this machine already.In the first step, you have to enumeration with nmap to see which service and port open

nmap -sV -A -T4 -p- 10.10.188.141

From nmap, you will see port 80 open, you can try open on browser to check something vulnerability for exploit but if you not see anything helpful
You can try dirbuster, gobuster, wfuzz to see path on browser.In tutorial use gobuster but i will show you another way with wfuzz

pip install wfuzz

You can see example wfuzz on kali here: https://tools.kali.org/web-applications/wfuzz

-z is for payload and in wfuzz on kali machine is in /usr/share/wordlist/wfuzz/general/… you can select whatever file you want to bruteforce directory.In this case,i pick common.txt

And then compare with gobuster

You will see wfuzz is more flexible than gobuster to find result subdirectory path or file name as picture above. In first time we see just first directory is /account same gobuster and then try /Account/FUZZ to see subdirectory path and then check file aspx because nmap result show it is IIS by /Account/FUZZ.aspx

We will found useful path is http://IP/Account/login.aspx

When we found login website,if it official site, you can try search deafult username and password from google but if it is nomal website login, you can try intercept website with Burpsuit to see pattern username, password and then try SQL injection or bruteforce with Hydra

Apologize for IP change because i terminate machine and run again

and run hydra -l {username} -P {password.txt} {Target IP} {method website,in this case is http-post-form} “{path login: cookie:message show when login fail}”

the result from Hydra bruteforce will show username and password that you can use

In another way, if it not login website but it is website for upload file which we not know which format file allow to upload on website.You can practice on room: vulnversity.In that room, you will use burpsuit in intruder mode intercept extension file like these

All extension file list can found /usr/share/seclists/Fuzzing/extensions-most-common.fuzz.txt

Another path that you can practice if you still not ready for OSCP path, you can select complete beginner or web fundamentals or want more challenge like real world hacking.You can choose Primer Series

Another website recommend for noob practice is Penetration Testing and Ethical Hacking on Cybrary.In each topic will have detail why use this command and let’s you follow step by step to know command and tools.

I saw cybrary like ebook with labs and TryHackMe is more like CTF but have guideline answer and HackTheBox is more like real OSCP which want only final answer is root.txt and user.txt.

Basic — imerdiate :TryHackMe, Cybrary
Intermediate — Advance skill: HackTheBox, Vulnhub

Expensive annual subscription: Cybrary > HackTheBox > TryHackMe

Hope all of you enjoy and happy with your dream in Cybersecurity !!

--

--

Ploy Thanasornsawan
Ploy Thanasornsawan

Responses (1)