tryhackme roadmap
Last updated on May 26, 2025
This passage has been polished by AI models, because I am not a native English speaker; I am eager to discuss technical things in English.
Linux fundamentals
grep and find are two things I always mix up.
find is used to search for file names.
grep is used to search the content of files.
Web
IP
Currently the common types are IPv4 and IPv6 (IPv6 is actually not popular yet, but it can cover many more devices).
An IPv4 address looks like xxx.xxx.xxx.xxx, where each xxx is 0-255, so there are 4.6 billion addresses in total (and they have already run out).
A device can have both a private IP and a public IP. A private IP looks like 192.168.x.x; the public IP is assigned by your ISP (ignoring proxies and VPN tools).
MAC address
A MAC address is a twelve-character hex number: the first six characters identify the manufacturer, and the last six are a unique number.
You can also change the MAC address to access the high-speed Wi-Fi in places like cafes.
SMB
Server Message Block; it lets different machines communicate with each other. The client uses the TCP/IP protocol.
So let's first study some basic usage of Nmap.
nmap
How a SYN scan works
It replaces the last step of the normal TCP handshake, the ACK, with an RST in order to filter out the influence of the firewall. This way, the reply to the SYN packet alone is enough to decide whether the port is open. Because this changes the normal three-way TCP handshake, it has to be run with sudo.
How a UDP scan works
It sends a UDP packet to the port and looks at what comes back. If there is no reply, the port is judged to be open|filtered; if an RST comes back, the port is closed.
SMB
Line of thinking:
Use enum4linux to list the important information and find the shared profiles.
One mistake I made: when running more "xxxx xxx.file", the file name should be in quotation marks.
Telnet
It's a plain-text tool similar to ssh, usually used on a LAN.
How to make a reverse shell
In the exp, use msfvenom to generate a payload, paste it onto the victim machine, and use netcat to connect to it.
hydra
A good tool for brute-forcing passwords, supporting many protocols (such as ftp, ssh, ...).
NFS EXPLOIT
NFS is a server used to mount some files; the concept is omitted here, you can search for it on the Internet.
SUID: it's a file permission like -rwsr-xr-x that lets any low-privileged user get root power.
The key:
You first need to get the private key on the remote server, then download the bash file to your local machine.
Then chown it to root and chmod +s (this is how you give the file the SUID attribute). Then copy it back to the remote server. You can run it with bash -p, after which you can visit some folders that only root can access. At the end, I could not access the flag; it is located in /root/root.txt.
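To make the SUID bit from the steps above concrete, here is an added example (my own code, not from the TryHackMe room or the post's author): it parses the ls-style mode string -rwsr-xr-x into numeric bits, shows what chmod +s changes, and, from the defender's side, walks a directory to list every file carrying the SUID bit. The demo() function builds its own constructed temp directory, so nothing on the real system is touched.

```python
import os
import stat
import tempfile

# rwx bits in the order they appear in an `ls -l` mode string.
_BITS = [stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR, stat.S_IRGRP, stat.S_IWGRP,
         stat.S_IXGRP, stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH]
# Execute slots that show a special bit instead: SUID (owner), SGID (group), sticky.
_SPECIAL = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}

def parse_mode(symbolic: str) -> int:
    """Turn an ls-style string such as "-rwsr-xr-x" into numeric mode bits."""
    if len(symbolic) != 10:
        raise ValueError("expected a 10-character mode string")
    mode = 0
    for i, ch in enumerate(symbolic[1:]):
        if ch in "rwx":
            mode |= _BITS[i]
        elif i in _SPECIAL and ch.lower() == ("t" if i == 8 else "s"):
            mode |= _SPECIAL[i]      # s/t: the special bit is set
            if ch.islower():         # lowercase: the execute bit is set as well
                mode |= _BITS[i]
        elif ch != "-":
            raise ValueError(f"unexpected {ch!r} in {symbolic!r}")
    return mode

def chmod_plus_s(mode: int) -> int:
    """What `chmod +s` does: set both the SUID and the SGID bit."""
    return mode | stat.S_ISUID | stat.S_ISGID

def find_suid(root: str) -> list:
    """Audit: relative paths of regular files under root that carry the SUID bit."""
    found = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)      # lstat so symlinks are not followed
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(os.path.relpath(path, root))
    return sorted(found)

def demo() -> list:
    """Constructed scenario: one SUID file and one plain file in a temp dir."""
    with tempfile.TemporaryDirectory() as root:
        for name, mode in (("suid_bin", 0o4755), ("plain_bin", 0o755)):
            path = os.path.join(root, name)
            open(path, "w").close()
            os.chmod(path, mode)     # 0o4755 is what ls shows as -rwsr-xr-x
        return find_suid(root)
```

Running find_suid("/") on a real box is the audit counterpart of the room: any SUID file owned by root that is not a known system binary deserves a look.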