Module 05 - Practical

Those are the steps that I took to complete the flag-hunting session, in the current module of the CEH v12 Practical Course.

Flag 1

Search the Common Weakness Enumeration (CWE) list and find the name of the vulnerability with the CWE ID 591.

• Open your browser and go to: https://cwe.mitre.org/

• Search for “591” at ID Lookup (Top-right of the page)

Screenshot of the CWE-591

A: Sensitive Data Storage in Improperly Locked Memory

Flag 2

Search the Common Weakness Enumeration (CWE) list and find the top weakness in the list “Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors.”

• Open your browser and go to: https://cwe.mitre.org/

• In the navigator, click on CWE List

• Go down to Obsolete Views and click on CWE Top 25 (2019)

CWE Top 25 Vulnerabilities

A: Improper Restriction of Operations within the Bounds of a Memory Buffer

Flag 3

Search the Common Vulnerabilities and Exposures (CVE) list and find the name of the vulnerability with the CVE ID CVE-2020-17140.

• Open your browser and go to: https://cve.mitre.org/

• Go to Search CVE List

• Search for “CVE-2020-17140”

The only result

A: Windows SMB Information Disclosure Vulnerability

Flag 4

Search the National Vulnerability Database (NVD) and find the Common Weakness Enumeration (CWE) ID for CVE-2021-23125.

• Open your browser and go to: https://nvd.nist.gov/

• Go to Search and then Vulnerabilities – CVE

• You will be at https://nvd.nist.gov/vuln/search

• Search for “CVE-2021-23125”

• Click on the name

CVE-2021-23125 Vulnerability

• Bellow, you can find the ID

A: CWE-79

Flag 5

Search the National Vulnerability Database (NVD) and find the base score rating for CVE-2021-1723 according to CVSS Version 3.x.

• Open your browser and go to: https://nvd.nist.gov/vuln/search

• Search for “CVE-2021-1723”

• Click on the name.

• Check the score

Severity detail of the CVE-2021-1723’s Vulnerability

A: 7.5

Flag 6

Search the National Vulnerability Database (NVD) and find the base score range for High Severity in CVSS v3.0 ratings.

• Open your browser and go to: https://nvd.nist.gov/

• Go to Vulnerability Metrics and go bellow

CVSS Rating from the v2.0 and v3.0

A: 7.0-8.9

Flag 7

Search the National Vulnerability Database (NVD) and find the base score range for High Severity in CVSS v2.0 ratings.

From the previous flag, check the CVSS v2.0 Ratings table.

A: 7.0-10.0

Flag 8

Perform vulnerability analysis for the target machine (10.10.1.22) using OpenVAS and find the number of vulnerabilities in the system. Flag submission is not required for this task, enter “No flag” as the answer.

• Using Parrot, go from Applications to Pentesting –> Vulnerability Analysis –> Openvas – Greenbone –> Start Greenbone Vulnerability Manager Service

• Using the Task Wizard (The star-rod) on Scans, scan the following IP: 10.10.1.22

• After a long wait, you get the following result

Greenbone scanning’s Output

A: No flag

Flag 9

What is the default port used by Nessus to run vulnerability scans?

• When you are going to Nessus, you have to go to https://localhost:8834/, so the default port is 8834

A: 8834

Flag 10

Perform vulnerability scanning for the host at 10.10.1.22 using Nessus and find the Nessus plugin ID that detects the vulnerability “SNMP Agent Default Community Name (Public)” in the machine.

• After scanning again using the created policy from the Module 05, you get the following result

• You can see that the ID is 41028

Output from the documentation

A: 41028

Flag 11

Perform vulnerability scanning for the host 10.10.1.22 using GFI LanGuard and find the number of vulnerabilities with the severity level “Critical/High.” Hint: This flag is optional. You need to download a trial version of the GFI LanGuard tool to attempt this flag.

The Trial version of GFI Languard is not working

Flag 12

Perform vulnerability scanning for the host at 10.10.1.22 using GFI LanGuard and find the machine’s vulnerability level. Hint: This flag is optional. You need to download a trial version of the GFI LanGuard tool to attempt this flag

The Trial version of GFI Languard is not working

Flag 13

Scan web servers and application vulnerabilities for www.certifiedhacker.com using CGI Scanner Nikto with reverse tuning options and identify the uncommon header “host-header” found on the target webserver.

Parrot Terminal

nikto -h www.certifiedhacker.com -Tuning x

Nikto’s Tunning options detail from: https://fossies.org/linux/nikto/program/docs/nikto_manual.html#id287094

Nikto’s command output

A: c2hhcmVkLmJsdWVob3N0LmNvbQ==

Flag 14

Scan web servers and application vulnerabilities for www.certifiedhacker.com using CGI Scanner Nikto and find the OSVDB ID for the finding “/cpanel/: Web-based control panel.”

Parrot Terminal

Nikto -h www.certifiedhacker.com -o NiktoScanResult -F txt

• ParrotTerm: Nikto -h www.certifiedhacker.com -o NiktoScanResult -F txt

• Tip, -o and -F are just settings to save the output, for this flag you only need to wait until the normal Nikto Scan is finished. And, if you do this now, you will no longer find the answer

Image from the documentation

A: OSVDB-2117