TryHackMe - Intro To Offensive Security

This document introduces offensive security concepts by having the user hack a fake bank website. It explains how to use the gobuster tool to find hidden directories on the website, including a secret bank transfer page. The user is instructed to transfer money between accounts, completing the hack. It then discusses cybersecurity careers like penetration testing that involve ethical hacking exercises to test applications for vulnerabilities.

Uploaded by

Dave Seynabou
Copyright: © All Rights Reserved

7/7/23, 2:37 PM TryHackMe | Intro to Offensive Security


https://tryhackme.com/room/introtooffensivesecurity

Intro to Offensive Security

Hack your first website (legally in a safe environment) and experience an ethical hacker's job.


Difficulty: Info


Task 1  What is Offensive Security? 

Task 2  Hacking your first machine  

Before going into cyber security careers and what offensive security is, let's get you hacking (and yes, it's legal: all exercises are fake simulations).

Your first hack


Click the "Start Machine" button. Once loaded in Split View in your browser, you will have access to a machine you'll use to hack a fake bank application called FakeBank. If you don't see the machine appear, use the blue Show Split View button on the top-right of this page.

We will use a command-line application called "GoBuster" to brute-force FakeBank's website to find hidden directories and pages. GoBuster takes a list of potential page or directory names and tries to access the website with each of them; if the page exists, it tells you.

Step 1) Open a terminal

A terminal, also known as the command-line, allows us to interact with a computer without using a graphical user interface. On the machine, open the terminal using the Terminal icon:


Step 2) Find hidden website pages

Most companies will have an admin portal page, giving their staff access to basic admin controls for day-to-day operations. For a bank, an employee might need to transfer money to and from client accounts. Often these pages are not made private, allowing attackers to find hidden pages that show, or give access to, admin controls or sensitive data.


Type the following command into the terminal to find potentially hidden pages on FakeBank's website using GoBuster (a command-line security application).

gobuster -u http://fakebank.com -w wordlist.txt dir

The command will run and show you an output similar to this:

GoBuster command to brute-force website pages

ubuntu@tryhackme:~/Desktop$ gobuster -u http://fakebank.com -w wordlist.txt dir

=====================================================
Gobuster v2.0.1
=====================================================
[+] Mode : dir
[+] Url/Domain : http://fakebank.com/
[+] Threads : 10
[+] Wordlist : wordlist.txt
[+] Status codes : 200,204,301,302,307,403
[+] Timeout : 10s
=====================================================
2022/04/11 18:23:28 Starting gobuster
=====================================================
/images (Status: 301)
/DIRECTORY_NAME_OUTPUT (Status: 200)
=====================================================
2022/04/11 18:23:38 Finished
=====================================================

Don't worry if you have not used a terminal before - TryHackMe walks you through everything!

In the command above, -u states the website we're scanning and -w takes a list of words to iterate through to find hidden pages.

You will see that GoBuster scans the website with each word in the list, finding pages that exist on the site. GoBuster will have told you the pages it found in the list of page/directory names (indicated by Status: 200).
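From the defender's side, the same scan is easy to spot in web server logs: one client requesting many distinct paths in a short window and receiving mostly 404s, which is exactly the traffic pattern a wordlist scan like the GoBuster run above produces. The Python below is an added example for this write-up, not part of the TryHackMe room; the log lines in SAMPLE_LOG are constructed inside the script (not captured traffic), and the thresholds (20 requests, 80% not-found, 60 second window) are assumed defaults to tune per site.

```python
"""Spot a wordlist-driven directory scan (the pattern GoBuster produces) in
web server access logs.  Added example for this write-up, not part of the
TryHackMe room; SAMPLE_LOG is constructed below, not captured traffic."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/Nginx "combined" log format.  Group names are our own.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-format line; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_bruteforce(lines, window=timedelta(seconds=60),
                    min_requests=20, min_404_ratio=0.8):
    """Return {client_ip: reason} for clients that look like a wordlist scan:
    a self-identifying scanner User-Agent, or many requests to many distinct
    paths inside one window with mostly 404 responses.  Thresholds are
    assumed defaults; tune them against real traffic."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        if any("gobuster" in r["ua"].lower() for r in recs):
            flagged[ip] = "scanner user-agent"
            continue
        start = 0  # sliding window over this client's requests
        for end in range(len(recs)):
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            win = recs[start:end + 1]
            if len(win) < min_requests:
                continue
            not_found = sum(1 for r in win if r["status"] == 404)
            distinct = len({r["path"] for r in win})
            if (not_found / len(win) >= min_404_ratio
                    and distinct >= 0.9 * min_requests):
                flagged[ip] = (f"{not_found}/{len(win)} responses were 404 across "
                               f"{distinct} paths in {int(window.total_seconds())}s")
                break
    return flagged


# --- constructed sample traffic (not real logs) ----------------------------
_T0 = datetime(2022, 4, 11, 18, 23, 28, tzinfo=timezone.utc)


def _line(ip, secs, path, status, ua="Mozilla/5.0"):
    ts = (_T0 + timedelta(seconds=secs)).strftime(TS_FMT)
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 0 "-" "{ua}"'


SAMPLE_LOG = (
    # scanner hiding behind a browser-like User-Agent: one request per wordlist entry
    [_line("10.0.0.5", 0, "/images", 301)]
    + [_line("10.0.0.5", i, f"/word{i}", 404) for i in range(1, 26)]
    + [_line("10.0.0.5", 26, "/bank-transfer", 200)]
    # scanner that announces itself in the User-Agent (value constructed here)
    + [_line("10.0.0.7", i, f"/w{i}", 404, ua="gobuster/3.1") for i in range(3)]
    # ordinary customer browsing the site
    + [_line("10.0.0.9", 5 * i, p, 200)
       for i, p in enumerate(["/", "/login", "/account", "/account"])]
    + ["this line is not in combined format and is skipped"]
)

if __name__ == "__main__":
    for ip, why in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {why}")
```

The User-Agent check is cheap but trivially evaded (any scanner can send a browser string), which is why the ratio-based rule runs as well; the 404-heavy burst is the signal that survives a changed header.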

Step 3) Hack the bank

You should have found a secret bank transfer page that allows you to transfer money between accounts at the bank (/bank-transfer). Type the hidden page into the FakeBank website on the machine.


This page allows an attacker to steal money from any bank account, which is a critical risk for the bank. As an ethical hacker, you would (with permission) find vulnerabilities in their application and report them to the bank to fix before a hacker exploits them.

Transfer $2000 from the bank account 2276, to your account (account number 8881).
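The lesson of the /bank-transfer page is that an unlinked URL is not access control: a brute-forced wordlist finds it in seconds, and once found it serves anyone. The Python below is an added example, not code from the TryHackMe room or the FakeBank application; the Bank and Session classes, balances and user names are constructed for illustration, using the account numbers and amount from the task. It shows the hidden-page pattern beside a hardened handler that checks authentication and account ownership on every request.

```python
"""A hidden URL is not authorization.  Added example for this write-up, not
code from the TryHackMe room or FakeBank; accounts, owners and sessions are
constructed here for illustration."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Session:
    user_id: Optional[str] = None  # None means the caller is not logged in


@dataclass
class Bank:
    balances: dict = field(default_factory=dict)  # account number -> cents
    owners: dict = field(default_factory=dict)    # account number -> user id

    def transfer_hidden_page(self, src, dst, amount):
        """The FakeBank pattern: the page is merely unlinked.  No login and no
        ownership check, so whoever discovers the URL can move money out of
        any account."""
        self.balances[src] -= amount
        self.balances[dst] += amount
        return True

    def transfer(self, session, src, dst, amount):
        """Hardened handler: authorization is enforced on every request,
        regardless of whether the URL is advertised anywhere."""
        if session.user_id is None:
            raise PermissionError("login required")
        if self.owners.get(src) != session.user_id:
            raise PermissionError("caller does not own the source account")
        if src not in self.balances or dst not in self.balances:
            raise KeyError("unknown account")
        if amount <= 0:
            raise ValueError("amount must be positive")
        if self.balances[src] < amount:
            raise ValueError("insufficient funds")
        self.balances[src] -= amount
        self.balances[dst] += amount
        return True


def demo():
    """Run the task's transfer against both handlers; returns
    (balance after hidden-page transfer, anonymous refused, non-owner refused,
     owner allowed, final balance of 8881) for checking."""
    bank = Bank(balances={"2276": 10_000_00, "8881": 0},
                owners={"2276": "alice", "8881": "mallory"})

    # Hidden page: an anonymous caller moves $2000 out of account 2276.
    bank.transfer_hidden_page("2276", "8881", 2000_00)
    drained = bank.balances["8881"]

    # Hardened handler: the same request without a login is refused ...
    try:
        bank.transfer(Session(), "2276", "8881", 2000_00)
        anon_refused = False
    except PermissionError:
        anon_refused = True

    # ... and so is a logged-in user who does not own 2276.
    try:
        bank.transfer(Session("mallory"), "2276", "8881", 2000_00)
        nonowner_refused = False
    except PermissionError:
        nonowner_refused = True

    # The legitimate owner can still move their own money.
    owner_ok = bank.transfer(Session("alice"), "2276", "8881", 50_00)
    return drained, anon_refused, nonowner_refused, owner_ok, bank.balances["8881"]


if __name__ == "__main__":
    print(demo())
```

The ownership check is the one that matters for this task: requiring a login alone would still let any customer (here "mallory") drain another customer's account, which is the authorization flaw the hidden page exposes rather than an authentication one.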

Answer the questions below

If your transfer was successful, you should now be able to see your new balance reflected on your account page. Go there now and confirm you got the money! (You may need to hit Refresh for the changes to appear)

Above your account balance, you should now see a message indicating the answer to this question. Can you find the answer you need?

Answer format: ***********

If you were a penetration tester or security consultant, this is an exercise you’d perform for companies to test for vulnerabilities in their web applications; find hidden pages to investigate for vulnerabilities.

No answer needed  Completed

Terminate the machine by clicking the red "Terminate" button at the top of the page.

No answer needed  Completed

Task 3  Careers in cyber security 


Created by ben and tryhackme

This is a free room, which means anyone can deploy virtual machines in the room (without being subscribed)! 682300 users are in here and this room is 438 days old.

