TryHackMe Pentesting Fundamentals

Nihir Zala
4 min read · Jan 20, 2023

This writeup explains what pentesting is and what topics it covers, so you can try the room yourself.

A penetration test, also known as a pentest, is an ethical attempt to challenge and analyze the security defenses in place to protect these assets and pieces of information. A penetration test, like an inspection, includes using the same tools, techniques, and methods that someone with bad intentions would use.

You are given permission to perform a security audit on an organisation; what type of hacker would you be?

Ans: White Hat

These hackers are regarded as the “good guys.” They stay within the law and use their abilities to help others. An example is a penetration tester conducting an authorized engagement on behalf of a company.

You attack an organisation and steal their data, what type of hacker would you be?

Ans: Black Hat

These individuals are criminals who frequently seek to harm organizations or to gain financially at the expense of others. Authors of ransomware, for example, infect devices with malicious code and hold data hostage for a ransom.

What document defines how a penetration testing engagement should be carried out?

Ans: Rules Of Engagement

The ROE is a document created during the early stages of a penetration testing engagement. This document is divided into three major sections (explained in the table below), each of which helps decide how the engagement will be carried out. A great example of this document can be viewed online at the SANS Institute.

What stage of penetration testing involves using publicly available information?

Ans: Information Gathering

This stage involves collecting publicly available information about the target.

If you wanted to use a framework for pentesting telecommunications, what framework would you use? Note: We’re looking for the acronym here and not the full name.

Ans: OSSTMM

The Open Source Security Testing Methodology Manual offers a comprehensive framework of testing strategies for systems, software, applications, communications, and the human aspect of cybersecurity.
Because the methodology is primarily concerned with how these systems and applications communicate, it includes a methodology for:
Telecommunication (phones, VoIP, etc.)

What framework focuses on the testing of web applications?

Ans: OWASP

The “Open Web Application Security Project” framework is a community-driven, frequently updated framework that is solely used to test the security of web applications and services.

You are asked to test an application but are not given access to its source code — what testing process is this?

Ans: Black Box

The tester acts as a regular user, testing the application’s or piece of software’s functionality and interaction. This testing can include interacting with the interface, such as buttons, and seeing if the desired result is returned. This type of testing requires no programming knowledge or understanding of the program.

You are asked to test a website, and you are given access to the source code — what testing process is this?

Ans: White Box

The tester will have complete knowledge of the application and its expected behavior, and it will take much longer than black-box testing. In a White-Box testing scenario, full knowledge provides a testing approach that ensures the entire attack surface can be validated.

ACME Penetration test

In this task, we need to find a flag. Let us walk through the demonstration.

We want to follow some steps to get the flag.

Click Next and we move on to the information gathering step.

One person's LinkedIn profile is shown here with the email disclosed.

After the enumeration step, I collected their IP and made a scan.

After the enumeration was over, I did the exploitation and post-exploitation modules and finally arrived at the flag.

Ans: THM{PENTEST_COMPLETE}

Written by Nihir Zala

Hi there, I'm Nihir Zala, a Laravel developer from Gujarat, India, with over 2.5 years of professional experience. I am also learning pentesting from THM and HTB.
