Pentesting Fundamentals | TryHackMe Write-Up
Pentesting Fundamentals | TryHackMe | Write-Up by FarrosFR.
Here is my article on the walkthrough of a free room: Pentesting Fundamentals. Learn the important ethics and methodologies behind every pentest. I wrote this in 2025 and hope it is useful for learning about pentesting.
Task 1: What is Penetration Testing?
Understanding the role of a penetration tester and the processes involved is essential before delving into the technical aspects of ethical hacking. Cybersecurity’s significance continues to grow, impacting various facets of life.
Penetration testing, or pentesting, involves ethically simulating cyberattacks to identify vulnerabilities in systems and applications. This proactive approach helps organizations strengthen their defenses against potential threats.
No answer needed
Task 2: Penetration Testing Ethics
Penetration testing in cybersecurity raises legal and ethical issues. While penetration tests are legal when authorized by the system owner, they may involve ethically questionable actions. Hackers are classified into:
- White Hat (ethical)
- Grey Hat (break laws for good causes)
- Black Hat (criminal)
A penetration test follows the “Rules of Engagement” (ROE), a document outlining permission, test scope, and allowed techniques, ensuring legality and ethical clarity throughout the process.
Q1: You are given permission to perform a security audit on an organisation; what type of hacker would you be?
White Hat
Q2: You attack an organisation and steal their data, what type of hacker would you be?
Black Hat
Q3: What document defines how a penetration testing engagement should be carried out?
Rules of Engagement
Task 3: Penetration Testing Methodologies
Penetration testing follows a methodology with stages that include:
- Information Gathering: Collect public information.
- Enumeration/Scanning: Discover system services.
- Exploitation: Leverage vulnerabilities.
- Privilege Escalation: Gain higher access.
- Post-exploitation: Includes targeting other hosts, gathering data, covering tracks, and reporting.
Common methodologies:
- OSSTMM: Detailed, covers systems, software, and communications.
- OWASP: Focuses on web applications, actively maintained.
- NIST Cybersecurity Framework: Popular for critical infrastructure, lacks cloud computing focus.
- NCSC CAF: Evaluates risks and defenses for critical sectors, principle-based.
Q1: What stage of penetration testing involves using publicly available information?
Information Gathering
Q2: If you wanted to use a framework for pentesting telecommunications, what framework would you use? Note: We’re looking for the acronym here and not the full name.
OSSTMM
Q3: What framework focuses on the testing of web applications?
OWASP
Task 4: Black box, White box, Grey box Penetration Testing
The three primary scopes in penetration testing are:
1. Black-Box Testing:
- No knowledge of the application’s inner workings.
- Tester acts as a regular user, testing functionality.
- Time-consuming due to extensive information gathering.
2. Grey-Box Testing:
- Combines Black-Box and White-Box testing.
- Tester has limited knowledge of internal components.
- Saves time and is used for well-hardened attack surfaces.
3. White-Box Testing:
- Tester has full knowledge of the application and its internal components.
- Involves detailed testing of internal functions.
- Time-consuming but ensures thorough validation of the attack surface.
Q1: You are asked to test an application but are not given access to its source code — what testing process is this?
Black Box
Q2: You are asked to test a website, and you are given access to the source code — what testing process is this?
White Box
Task 5: Practical: ACME Penetration Test
ACME has tasked you with performing a penetration test on their infrastructure. You are required to visit the site and follow the guided instructions to complete the assignment.
1. Rules of Engagement: Define objectives like permission, test scope, and rules, outlining what actions the tester can perform, such as access limits to parts of the application.
2. Information Gathering: Collect publicly available information about the target, such as employee profiles or contact details, to aid in targeting and further testing.
3. Enumeration & Scanning: Identify user accounts, machines, and applications within the target network using the gathered information to create a detailed profile of the system.
Scan the IP address obtained in stage 2 to carry out the enumeration process.
4. Exploitation: Use the identified vulnerabilities to gain unauthorized access to the system or application, exploiting weaknesses ethically as part of the penetration test.
5. Post Exploitation: Maintain access and escalate privileges to higher user levels, extracting sensitive data and attempting to access other networked systems.
6. Pentest Report & Clearing-up: Create a report detailing security issues and recommendations, and clean up the environment by removing testing artifacts.
Complete the penetration test engagement against ACME’s infrastructure.
THM(****************)