✍️Practical Engagement I
Those are the steps that I took to complete the flag-hunting session, in the current module of the CEH v12 Practical Course.
Flag 1
Perform vulnerability scanning for the webserver hosting movies.cehorg.com using OpenVAS and identify the severity level of RPC vulnerability.
Pentesting > Vulnerability Analysis > Openvas – Greenbone > Start Greenbone Vulnerability Manager Service
You can see that the RPC vulnerability has a score of 5
A: 5
Flag 2
Perform vulnerability scanning for the Linux host in the 172.16.0.0/24 network using OpenVAS and find the number of vulnerabilities with severity level as medium.
Linux IP: 172.16.0.11
A: 0
Flag 3
You are performing reconnaissance for CEHORG and has been assigned a task to find out the physical location of one of their webservers hosting www.certifiedhacker.com. What are the GEO Coordinates of the webserver? Note: Provide answer as Latitude, Longitude.
Go to: https://tools.keycdn.com/geo?host=162.241.216.11
A: 37.751, -97.822
Flag 4
Identify if the website www.certifiedhacker.com allows DNS zone transfer. (Yes/No)
cd dnsrecon
chmod +x ./dnsrecon.py
./dnsrecon.py -d {target}
A: No
Flag 5
Identify the number of live machines in 172.16.0.0/24 subnet.
nmap -sP 172.16.0.0/24Try: nmap -sP 172.16.0.0/24
Here you are scanning even nodes, so to avoid “additional hosts” let’s try another scan option.
nmap -sP -PS22 172.16.0.0/24
nmap -PU 172.16.0.0/24A: 3
Flag 6
While performing a security assessment against the CEHORG network, you came to know that one machine in the network is running OpenSSH and is vulnerable. Identify the version of the OpenSSH running on the machine. Note: Target network 192.168.0.0/24.
nmap -sV -p 22 --script vuln 192.168.0.0/24
A: 8.9p1
Flag 7
During a security assessment, it was found that a server was hosting a website that was susceptible to blind SQL injection attacks. Further investigation revealed that the underlying database management system of the site was MySQL. Determine the machine OS that hosted the database.
nmap -T4 -A cehorg.com
A: Ubuntu
Flag 8
Find the IP address of the Domain Controller machine.
INFO: Domain controllers will show port 389 running the Microsoft Windows AD LDAP service
nmap -T4 -A movies.cehorg.com
Just to get some information, now let’s scan another batch of IPs
nmap -p389 -sV 10.10.10.0/24 --open
A 10.10.10.25
Flag 9
Perform a host discovery scanning and identify the NetBIOS name of the host at 10.10.10.25.
nmap -sV --script nbstat.nse 10.10.10.25
nmap -T4 -A 10.10.10.25
A: ADMINDEPT
Flag 10
Find the IP address of the machine which has port 21 open. Note: Target network 172.16.0.0/24
nmap -p21 -sV 172.16.0.0/24
You can try: nmap -p21 -sV 172.16.0.0/24 --open
A: 172.16.0.12
Flag 11
Perform an intense scan on 10.10.10.25 and find out the FQDN of the machine in the network.
nmap -T4 -A 10.10.10.25
A: AdminDept.CEHORG.com
Flag 12
What is the DNS Computer Name of the Domain Controller?
A: AdminDept.CEHORG.com
Flag 13
Perform LDAP enumeration on the target network and find out how many user accounts are associated with the domain.
For LDAP Enumeration I suggest to use ldapsearch, is a lot more comfortable than the search through nmap or the python script suggested by the documentation.
nmap -p 389 --script ldap-brute --script-args ldap.base=’”cn=AdminDept,dc=CEHORG,dc=com”’ 10.10.10.25
ldapsearch -x -h 10.10.10.25 -b “dc=CEHORG,dc=com” “objectclass=user”
ldapsearch -x -h 10.10.10.25 -b “dc=CEHORG,dc=com” “objectclass=user” cn=userA: 8
Flag 14
Perform an LDAP Search on the Domain Controller machine and find out the version of the LDAP protocol.
The following command ldapsearch -x -h 10.10.10.25 -b “dc=CEHORG,dc=com” “objectclass=user” shows the LDAP’s protocol version too, but in this flag I will shows the step by using the Python Script
python3import ldap3
server=ldap3.Server('10.10.10.25', get_info=ldap3.ALL, port=389
connection=ldap3.Connection(server)
connection.bind()
server.info
connection.search(search_base=’DC=CEHORG,DC=com’,search_filter='(&(objectclass=*))’,search_scope=’SUBTREE’, attributes=’*’)
connection.entries
connection.search(search_base=’DC=CEHORG,DC=com’,search_filter='(&(objectclass=person))’,search_scope=’SUBTREE’, attributes=’userpassword’)
connection.entries
A: LDAPv3
Flag 15
What is the IP address of the machine that has NFS service enabled? Note: Target network 192.168.0.0/24.
Remember: NFS Service port = 2049
nmap -p 2049 192.168.0.0/24
nmap -p 2049 192.168.0.0/24 --open
A: 192.168.0.51
Flag 16
Perform a DNS enumeration on www.certifiedhacker.com and find out the name servers used by the domain.
nmap --script=broadcast-dns-service-discovery www.certifiedhacker.com
First I tried to use nmap, but it was now precise and did not shows the answer, so I decided to use another command.
dig ns www.certifiedhacker.comTry: dig ns www.certifiedhacker.com
A: ns1.bluehost.com, ns2.bluehost.com
Flag 17
Find the IP address of the machine running SMTP service on the 192.168.0.0/24 network.
Remember: SMTP Service port is 25
nmap -p 25 --script=smtp-enum-users 192.168.0.0/24 --open
nmap -p 25 192.168.0.0/24 --open
A: 192.168.0.51
Flag 18
Perform an SMB Enumeration on 192.168.0.51 and check whether the Message signing feature is enabled or disabled. Give your response as Yes/No.
SMB Port: 445
nmap -p 445 -A 192.168.0.51
A: Yes
Flag 19
Perform vulnerability scanning for the domain controller using OpenVAS and identify the number of vulnerabilities with severity level as “medium”.
Using Greenbone, scan the IP 10.10.10.25 and watch the result
A: 2
Flag 20
Perform a vulnerability research on CVE-2022-30171 and find out the base score and impact of the vulnerability.
Google: CVE-2022-30171
A: 5.5 Medium
Last updated