✍️Practical Engagement I
Last updated
Last updated
Those are the steps that I took to complete the flag-hunting session, in the current module of the CEH v12 Practical Course.
Perform vulnerability scanning for the webserver hosting movies.cehorg.com using OpenVAS and identify the severity level of RPC vulnerability.
Pentesting > Vulnerability Analysis > Openvas – Greenbone > Start Greenbone Vulnerability Manager Service
You can see that the RPC vulnerability has a score of 5
A: 5
Perform vulnerability scanning for the Linux host in the 172.16.0.0/24 network using OpenVAS and find the number of vulnerabilities with severity level as medium.
Linux IP: 172.16.0.11
A: 0
You are performing reconnaissance for CEHORG and has been assigned a task to find out the physical location of one of their webservers hosting www.certifiedhacker.com. What are the GEO Coordinates of the webserver? Note: Provide answer as Latitude, Longitude.
Go to: https://tools.keycdn.com/geo?host=162.241.216.11
A: 37.751, -97.822
Identify if the website www.certifiedhacker.com allows DNS zone transfer. (Yes/No)
A: No
Identify the number of live machines in 172.16.0.0/24 subnet.
Try: nmap -sP 172.16.0.0/24
Here you are scanning even nodes, so to avoid “additional hosts” let’s try another scan option.
A: 3
While performing a security assessment against the CEHORG network, you came to know that one machine in the network is running OpenSSH and is vulnerable. Identify the version of the OpenSSH running on the machine. Note: Target network 192.168.0.0/24.
A: 8.9p1
During a security assessment, it was found that a server was hosting a website that was susceptible to blind SQL injection attacks. Further investigation revealed that the underlying database management system of the site was MySQL. Determine the machine OS that hosted the database.
A: Ubuntu
Find the IP address of the Domain Controller machine.
INFO: Domain controllers will show port 389 running the Microsoft Windows AD LDAP service
Just to get some information, now let’s scan another batch of IPs
A 10.10.10.25
Perform a host discovery scanning and identify the NetBIOS name of the host at 10.10.10.25.
A: ADMINDEPT
Find the IP address of the machine which has port 21 open. Note: Target network 172.16.0.0/24
You can try: nmap -p21 -sV 172.16.0.0/24 --open
A: 172.16.0.12
Perform an intense scan on 10.10.10.25 and find out the FQDN of the machine in the network.
A: AdminDept.CEHORG.com
What is the DNS Computer Name of the Domain Controller?
A: AdminDept.CEHORG.com
Perform LDAP enumeration on the target network and find out how many user accounts are associated with the domain.
For LDAP Enumeration I suggest to use ldapsearch, is a lot more comfortable than the search through nmap or the python script suggested by the documentation.
A: 8
Perform an LDAP Search on the Domain Controller machine and find out the version of the LDAP protocol.
The following command ldapsearch -x -h 10.10.10.25 -b “dc=CEHORG,dc=com” “objectclass=user” shows the LDAP’s protocol version too, but in this flag I will shows the step by using the Python Script
A: LDAPv3
What is the IP address of the machine that has NFS service enabled? Note: Target network 192.168.0.0/24.
Remember: NFS Service port = 2049
A: 192.168.0.51
Perform a DNS enumeration on www.certifiedhacker.com and find out the name servers used by the domain.
First I tried to use nmap, but it was now precise and did not shows the answer, so I decided to use another command.
Try: dig ns www.certifiedhacker.com
A: ns1.bluehost.com, ns2.bluehost.com
Find the IP address of the machine running SMTP service on the 192.168.0.0/24 network.
Remember: SMTP Service port is 25
A: 192.168.0.51
Perform an SMB Enumeration on 192.168.0.51 and check whether the Message signing feature is enabled or disabled. Give your response as Yes/No.
SMB Port: 445
A: Yes
Perform vulnerability scanning for the domain controller using OpenVAS and identify the number of vulnerabilities with severity level as “medium”.
Using Greenbone, scan the IP 10.10.10.25 and watch the result
A: 2
Perform a vulnerability research on CVE-2022-30171 and find out the base score and impact of the vulnerability.
Google: CVE-2022-30171
A: 5.5 Medium
