Module 05 - Practical

These are the steps that I took to complete the flag-hunting session in the current module of the CEH v12 Practical Course.

Flag 1

Search the Common Weakness Enumeration (CWE) list and find the name of the vulnerability with the CWE ID 591.

A: Sensitive Data Storage in Improperly Locked Memory

Flag 2

Search the Common Weakness Enumeration (CWE) list and find the top weakness in the list “Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors.”

  • Open your browser and go to: https://cwe.mitre.org/

  • In the navigator, click on CWE List

  • Go down to Obsolete Views and click on CWE Top 25 (2019)

A: Improper Restriction of Operations within the Bounds of a Memory Buffer

Flag 3

Search the Common Vulnerabilities and Exposures (CVE) list and find the name of the vulnerability with the CVE ID CVE-2020-17140.

A: Windows SMB Information Disclosure Vulnerability

Flag 4

Search the National Vulnerability Database (NVD) and find the Common Weakness Enumeration (CWE) ID for CVE-2021-23125.

  • Below, you can find the ID

A: CWE-79

Flag 5

Search the National Vulnerability Database (NVD) and find the base score rating for CVE-2021-1723 according to CVSS Version 3.x.

A: 7.5

Flag 6

Search the National Vulnerability Database (NVD) and find the base score range for High Severity in CVSS v3.0 ratings.

A: 7.0-8.9

Flag 7

Search the National Vulnerability Database (NVD) and find the base score range for High Severity in CVSS v2.0 ratings.

On the same NVD page as the previous flag, check the CVSS v2.0 Ratings table.

A: 7.0-10.0

Flag 8

Perform vulnerability analysis for the target machine (10.10.1.22) using OpenVAS and find the number of vulnerabilities in the system. Flag submission is not required for this task, enter “No flag” as the answer.

  • Using Parrot, go to Applications -> Pentesting -> Vulnerability Analysis -> OpenVAS - Greenbone -> Start Greenbone Vulnerability Manager Service

  • Using the Task Wizard (the star-tipped wand icon) on the Scans page, scan the following IP: 10.10.1.22

  • After a long wait, you get the following result

A: No flag

Flag 9

What is the default port used by Nessus to run vulnerability scans?

A: 8834

Flag 10

Perform vulnerability scanning for the host at 10.10.1.22 using Nessus and find the Nessus plugin ID that detects the vulnerability “SNMP Agent Default Community Name (Public)” in the machine.

  • After scanning again with the policy created earlier in Module 05, you get the following result

  • You can see that the ID is 41028

A: 41028

Flag 11

Perform vulnerability scanning for the host 10.10.1.22 using GFI LanGuard and find the number of vulnerabilities with the severity level “Critical/High.” Hint: This flag is optional. You need to download a trial version of the GFI LanGuard tool to attempt this flag.

The trial version of GFI LanGuard is not working

Flag 12

Perform vulnerability scanning for the host at 10.10.1.22 using GFI LanGuard and find the machine’s vulnerability level. Hint: This flag is optional. You need to download a trial version of the GFI LanGuard tool to attempt this flag

The trial version of GFI LanGuard is not working

Flag 13

Scan web servers and application vulnerabilities for www.certifiedhacker.com using CGI Scanner Nikto with reverse tuning options and identify the uncommon header “host-header” found on the target webserver.

Parrot Terminal:
    nikto -h www.certifiedhacker.com -Tuning x

A: c2hhcmVkLmJsdWVob3N0LmNvbQ==

Flag 14

Scan web servers and application vulnerabilities for www.certifiedhacker.com using CGI Scanner Nikto and find the OSVDB ID for the finding “/cpanel/: Web-based control panel.”

Parrot Terminal:
    nikto -h www.certifiedhacker.com -o NiktoScanResult -F txt

  • Tip: -o and -F only save the output to a file (here a text report named NiktoScanResult); for this flag you only need to wait until the normal Nikto scan finishes. Note that if you run this now, you will no longer find the answer.

A: OSVDB-2117
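To pull the two Nikto values asked for in Flags 13 and 14 (the uncommon header and the OSVDB ID of a finding) out of a saved text report instead of reading it by eye, here is an added Python helper. It is example code written for this writeup, not part of the original lab or of Nikto; the sample report is constructed by hand in Nikto's text-report layout, and only the header value and OSVDB ID quoted above are taken from the page.

```python
import re
from dataclasses import dataclass

# Constructed sample in Nikto's text-report layout (not output of a real scan);
# the header value and the /cpanel/ OSVDB ID are the ones quoted for Flags 13 and 14.
SAMPLE_REPORT = """\
- Nikto v2.1.6
+ Target IP:          203.0.113.10
+ Target Hostname:    www.certifiedhacker.com
+ Target Port:        80
+ Server: Apache
+ The anti-clickjacking X-Frame-Options header is not present.
+ Uncommon header 'host-header' found, with contents: c2hhcmVkLmJsdWVob3N0LmNvbQ==
+ OSVDB-3092: /admin/: This might be interesting.
+ OSVDB-2117: /cpanel/: Web-based control panel
+ 7889 requests: 0 error(s) and 4 item(s) reported on remote host
"""

# Nikto prints uncommon response headers and OSVDB-tagged findings as "+ ..." lines.
HEADER_RE = re.compile(r"^\+ Uncommon header '(?P<name>[^']+)' found, with contents: (?P<value>.*)$")
OSVDB_RE = re.compile(r"^\+ (?P<id>OSVDB-\d+): (?P<path>\S+): (?P<desc>.*)$")


@dataclass
class Finding:
    osvdb_id: str
    path: str
    description: str


def parse_nikto_report(text):
    """Return (uncommon_headers, findings) parsed from a Nikto text report.

    uncommon_headers maps the lower-cased header name to its reported contents;
    findings is the list of OSVDB-tagged items in report order.
    """
    headers, findings = {}, []
    for line in text.splitlines():
        line = line.rstrip()
        if m := HEADER_RE.match(line):
            headers[m["name"].lower()] = m["value"]
        elif m := OSVDB_RE.match(line):
            findings.append(Finding(m["id"], m["path"], m["desc"]))
    return headers, findings


def osvdb_for(findings, path_and_desc):
    """Look up the OSVDB ID for a finding quoted as '<path>: <description>'."""
    for f in findings:
        if f"{f.path}: {f.description}" == path_and_desc:
            return f.osvdb_id
    return None
```

Run it against the file written by -o NiktoScanResult -F txt by passing the file's contents to parse_nikto_report; lines without an OSVDB tag are ignored on purpose.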
