Michael David
@micky_thegeek
Design | Security | Software tinkerer
Where my mind's at.
Joined March 2016
I just pwned Network Services 1 & 2 rooms on @RealTryHackMe, and it was an interesting deep dive into real-world service exploits. In these rooms I moved from simple port scans to footholds and privilege escalations. Here are my key takeaways. https://t.co/HrqzEUdFcW
tryhackme.com
Enumerating and Exploiting More Common Network Services & Misconfigurations
If you're interested in getting into: Security Engineering, SOC Analysis, Reverse Malware Engineering, Cybersecurity Research. Comment and retweet this post, and I'll send you guidelines and tools directly in your DM.
REMINDER! We're giving away FIVE free 6-month licenses to @pentesterlab.
Comment BADGELIFE and retweet this post to enter. Additionally, pre-order a custom badge at https://t.co/7CskJUfk6k for a chance to win one of FIVE Annual VIP+ subscriptions to @hackthebox_eu.
shop.bugbountydefcon.com
Pre-order a custom variant of the bug bounty village electronic badge.
Got this badge from @RealTryHackMe challenge Cracking all those hashes
Take an in-depth look at scanning with Nmap, a powerful network scanning tool. https://t.co/VPf1bTu5C5
For Active Recon, learn how to use simple tools such as traceroute, ping, telnet, and even a web browser to gather information. https://t.co/lNtKQ7aXmT
Completed this room to learn essential tools for passive reconnaissance such as whois, nslookup, and dig. https://t.co/mOVryp1nlB
Just completed the Red Team Engagements room to learn steps and procedures of a red team engagement, including planning, frameworks, and documentation. https://t.co/g9zb1lwJH5
END: I've learnt that pentesting thrives on curiosity and persistence. Every overlooked service can become a critical pivot point. Thank you for reading to this point! Keep learning! Keep hacking! #Pentest #CTF #CyberSecurity @akintunero @damnsec1 @Olufela_Jr @Secfortress
Other activities worth mentioning were on FTP and Telnet. On FTP, an anonymous login to a public share exposed a .ssh backup containing a user's private key. On Telnet, a bespoke backdoor only responded to .HELP and .RUN commands, which ultimately yielded a shell.
The next and final step was to crack Carl's password and then use those credentials to log in and grab the flag. So, I copied the hash into a .txt file and used John the Ripper to crack the hash and voila!
Diving deeper, the 'mysql_hashdump' module was then used to extract usernames along with their encrypted password hashes from the database. I found a non-default user named 'Carl'.
Going further, I used another Metasploit module, 'mysql_schemadump', to extract the schema information from the DB server. This is quite handy for understanding the overall structure, dumping the table and column names of the whole database.
Another interesting one was the MySQL lab. THM gave me credentialed access here and I used it to find the service version and enumerate the databases on the target host. This was achieved with Nmap (-sV -p3306) and Metasploit's module (mysql_sql).
When brute-forcing with Hydra, I used 'rockyou.txt' (a common list that contains 14 million passwords). By default, Hydra stops at the first valid credential, but you can force-quit earlier with -f. I finally got the credentials and eventually gained access to the machine.
Next lab was a "wow" moment for me. It was on SMTP enumeration and exploitation. Using Metasploit and Hydra, I discovered valid usernames. A simple typo in my SSH brute-force stalled my progress but I ended up reusing the correct credentials across multiple services.
First, I sharpened my Nmap skills, learning when to run a quick top-100 scan (nmap -T4 -F) versus a full all-ports scan (nmap -T4 -p-), and how to throttle packets (--min-rate) to discover potential vulnerabilities of target machines.
Elon Musk was asked why he still works, while being worth billions of dollars…
Just finished this 'easy' but 'not-so-easy' Network Services Room on @RealTryHackMe - I learnt how to enumerate and exploit a variety of network services (namely SMB, FTP, and Telnet) plus misconfigurations.