Intro to Offensive Security — TrayHackMe Walkthrough 2022
Task 1: Hacking your first machine
Your first hack
Click the “Start Machine” button. Once loaded, you will have access to a machine you’ll use to hack a fake bank application called FakeBank.
We will use a command-line application called “GoBuster” to brute-force FakeBank’s website to find hidden directories and pages. GoBuster will take a list of potential page or directory names and tries accessing a website with each of them; if the page exists, it tells you.
Step 1) Open a terminal
A terminal, also known as the command line, allows us to interact with a computer without using a graphical user interface. On the machine, open the terminal using the Terminal icon:
Stuck? See video
Step 2) Find hidden website pages
Most companies will have an admin portal page, giving their staff access to basic admin controls for day-to-day operations. For a bank, an employee might need to transfer money to and from client accounts. Often these pages are not made private, allowing attackers to find hidden pages that show, or give access to, admin controls or sensitive data.
“gobuster -u http://fakebank.com -w wordlist.txt dir”
>> gobuster: Tool
>> -u: to state the website
>> -w: takes a list of words to iterate through to find hidden pages
You will see that GoBuster scans the website with each word in the list, finding pages that exist on the site. GoBuster will have told you the pages it found in the list of page/directory names (indicated by Status: 200).
Step 3) Hack the bank
You should have found a secret bank transfer page that allows you to transfer money between accounts at the bank (/bank-transfer). Type the hidden page into the FakeBank website on the machine.
Stuck? See video
This page allows an attacker to steal money from any bank account, which is a critical risk for the bank. As an ethical hacker, you would (with permission) find vulnerabilities in their application and report them to the bank to fix before a hacker exploits them.
Transfer $2000 from the bank account 2276, to your account (account number 8881).
When you’ve transferred money to your account, go back to your bank account page. What is the answer shown on your bank balance page?
Task 2: What is Offensive Security?
In short, offensive security is the process of breaking into computer systems, exploiting software bugs, and finding loopholes in applications to gain unauthorized access to them.
To beat a hacker, you need to behave like a hacker, finding vulnerabilities and recommending patches before a cybercriminal does, as you did in this room!
On the flip side, there is also defensive security, which is the process of protecting an organization’s network and computer systems by analyzing and securing any potential digital threats; learn more in the digital forensics room.
In a defensive cyber role, you could be investigating infected computers or devices to understand how it was hacked, tracking down cybercriminals, or monitoring infrastructure for malicious activity.
Follow On: Linkedin | Twitter
Written By: Pratik Dhavade