TryHackMe — Jr Penetration Tester | Introduction to Pentesting

This would be the new series in the write-up for the TryHackMe, We will start with the learning path- Jr Penetration Tester.

Our first Chapter in this path would be, Introduction to Pentesting. This will help you to understand what a penetration test involves, including testing techniques and methodologies every pentester should know.

Our first room would be Pentesting Fundamentals, will help to learn the important ethics and methodologies behind every pentest.

Task-1 What is Penetration Testing?

Q. Only Read and Understand.

Task-2 Penetration Testing Ethics

Q. You are given permission to perform a security audit on an organization; what type of hacker would you be?

A. White Hat

Q. You attack an organization and steal their data, what type of hacker would you be?

A. Black Hat

Q. What document defines how a penetration testing engagement should be carried out?

A. Rules of Engagement

Task-3 Penetration Testing Methodologies

Q. What stage of penetration testing involves using publicly available information?

A. Information Gathering

Q. If you wanted to use a framework for pentesting telecommunications, what framework would you use? Note: We’re looking for the acronym here and not the full name.

A. OSSTMM

Q. What framework focuses on the testing of web applications?

A. OWASP

Task-4 Black box, White box, Grey box Penetration Testing

Q. You are asked to test an application but are not given access to its source code — what testing process is this?

A. Black Box

Q. You are asked to test a website, and you are given access to the source code — what testing process is this?

A. White Box

Task-5 Practical: ACME Penetration Test

Q. Complete the penetration test engagement against ACME’s infrastructure.

A. THM{PENTEST_COMPLETE}

Our second room in this chapter would be, Principles of Security which will help to learn the principles of information security that secures data and protects systems from abuse.

Task-1 Introduction

Q. Read Only

Task-2 The CIA Triad

Q. What element of the CIA triad ensures that data cannot be altered by unauthorized people?

A. Integrity

Q. What element of the CIA triad ensures that data is available?

A. Availability

Q. What element of the CIA triad ensures that data is only accessed by authorized people?

A. Confidentiality

Task-3 Principles of Privileges

Q. What does the acronym “PIM” stand for?

A. Privileged Identity Management

Q. What does the acronym “PAM” stand for?

A. Privileged Access Management

Q. If you wanted to manage the privileges a system access role had, what methodology would you use?

A. PAM

Q. If you wanted to create a system role that is based on a user's role/responsibilities with an organization, what methodology is this?

A. PIM

Task-4 Security Models Continued

Q. What is the name of the model that uses the rule “can’t read up, can read down”?

A. The Bell-LaPadula Model

Q. What is the name of the model that uses the rule “can read up, can’t read down”?

A. The Biba Model

Q. If you were military, what security model would you use?

A. The Bell-LaPadula Model

Q. If you were a software developer, what security model would the company perhaps use?

A. The Biba Model

Task-5 Threat Modelling & Incident Response

Q. What model outlines “Spoofing”?

A. STRIDE

Q. What does the acronym “IR” stand for?

A. Incident Response

Q. You are tasked with adding some measures to an application to improve the integrity of data, what STRIDE principle is this?

A. Tampering

Q. An attacker has penetrated your organization’s security and stolen data. It is your task to return the organization to business as usual. What incident response stage is this?

A. Recovery