TryHackMe · 8 Tasks · 45 Minutes · Beginner · Room Completed 100%
This is a complete walkthrough of the Dive Into Pentesting room on TryHackMe. The room covers the core fundamentals every aspiring penetration tester needs to know — from what pentesting actually is, to the mindset, ethics, and real-world decision-making that separates a professional tester from a malicious attacker.

Task 1
Introduction
Penetration testing — or pentesting — is a proactive security practice that helps organisations uncover weaknesses in their systems, applications, and networks before attackers can exploit them. As modern environments grow more complex, the value of a skilled penetration tester only increases.
This room introduces the core concepts every aspiring penetration tester should be familiar with. It covers what pentesting is, how it differs from malicious hacking, the areas of focus during a test, the relationship between vulnerability, threat, and risk, and the ethical principles that shape professional practice.
Key formula introduced: Vulnerability × Threat = Risk — the fundamental equation used to communicate findings to stakeholders.
Task 1 Answer: No answer needed ✅
Task 2
Penetration Testing vs Malicious Hacking
While penetration testers and malicious attackers may use similar tools, the way they operate is completely different. The distinction comes down to four core factors:
| Core Factor | ✓ Penetration Tester | ✗ Malicious Attacker |
|---|---|---|
| Authorisation | Explicit written consent from the system owner | No consent — violates rights and security |
| Scope | Works within a clearly defined scope | No restrictions — targets anything useful |
| Coverage | Broad coverage, assesses multiple areas | Quickest path to success or financial gain |
| Responsibility | Accountable, professional at all times | No responsibility for damage caused |
Answers
Q: What is the common shortened term for penetration testing?
A: Pentesting
Q: Which actor aims for broad coverage and assesses multiple areas of a system?
A: Penetration Tester
Q: Which actor focuses on the quickest path to success?
A: Attacker
Task 3
Penetration Testing Focus Areas
Coverage is critical in a penetration test. There are two primary domains: Web Application and Network penetration testing.
Web Application Penetration Testing
Focuses on finding gaps through the application’s UI and APIs. Key areas tested:
- Authentication — credential handling, MFA, brute-force protection, password reset logic
- Authorisation — access control, vertical and horizontal privilege escalation
- Session Management — session fixation, idle timeout, secure cookies, CSRF
- Input/Output Validation — SQL injection, command injection, data type validation
- Security Configuration — security headers, error handling, rate-limiting, crypto config
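To make the session-management bullet concrete, here is a small server-side session store written as an added example for this walkthrough (it is not code from the room or from TryHackMe). It shows the three behaviours a tester checks for in this area: a fresh session ID is issued at login so a client-supplied ID cannot be fixated, idle sessions expire on the server, and logout invalidates the session server-side rather than only clearing the browser cookie. The idle timeout value and the cookie attribute set are assumed policy choices, not values from the room.

```python
import secrets
import time

IDLE_TIMEOUT = 900  # seconds of inactivity before a session expires (assumed policy value)


class SessionStore:
    """Server-side session store illustrating the session-management checks above."""

    def __init__(self, clock=time.time):
        self._sessions = {}  # session_id -> {"user": str, "last_seen": float}
        self._clock = clock  # injectable clock so the idle timeout can be exercised offline

    def login(self, user, presented_session_id=None):
        # Always mint a fresh random ID on login. A pre-login ID supplied by the
        # client (the session-fixation pattern) is discarded, never promoted.
        if presented_session_id in self._sessions:
            del self._sessions[presented_session_id]
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": user, "last_seen": self._clock()}
        return sid

    def user_for(self, sid):
        """Return the user bound to a session, or None if it is unknown or idle-expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self._clock()
        if now - entry["last_seen"] > IDLE_TIMEOUT:
            del self._sessions[sid]  # expire server-side, not just in the cookie
            return None
        entry["last_seen"] = now
        return entry["user"]

    def logout(self, sid):
        # Invalidate on the server. Clearing only the browser cookie would leave a
        # captured session ID usable after logout, which is the finding asked about
        # in this task's answers.
        self._sessions.pop(sid, None)


def cookie_header(sid):
    """Set-Cookie attributes a tester expects on a session cookie (assumed baseline)."""
    return f"session={sid}; Secure; HttpOnly; SameSite=Lax; Path=/"


def logout_invalidates_session():
    """Reproduce the check: is a session still usable after logout? Returns True when it is not."""
    store = SessionStore()
    sid = store.login("alice")  # constructed sample user
    assert store.user_for(sid) == "alice"
    store.logout(sid)
    return store.user_for(sid) is None


if __name__ == "__main__":
    print("logout invalidates session:", logout_invalidates_session())
    print(cookie_header("<session id>"))
```

The injectable clock is there so the idle-timeout branch can be driven without waiting fifteen minutes; in a real application the store would live in a database or cache rather than a dictionary, but the three properties being tested are the same.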
Network Penetration Testing
| | External Network Pentest | Internal Network Pentest |
|---|---|---|
| Perspective | Outside, unauthorised user | Assumed breach — already inside |
| Targets | Internet-facing servers, firewalls, VPNs | Lateral movement, privilege escalation |
| Goal | Evaluate how systems are exposed to the outside world | Assess trust relationships, segmentation, access controls |
Answers
Q: What type of network penetration test focuses on internet-facing infrastructure from the perspective of an unauthorised user?
A: External
Q: During testing, session cookies remain valid after a user logs out. Which testing focus area does this fall under?
A: Session Management
Task 4
Vulnerability, Threat, and Risk
Three core concepts that are often confused — but each plays a distinct role:
- Vulnerability — A weakness or gap that could be exploited. Harmless on its own. Example: outdated web server software.
- Threat — Anything that can exploit a vulnerability. Includes attackers, automated tools, AI-powered scanners, even human error.
- Risk — The potential damage if a threat successfully exploits a vulnerability. Determined by impact × likelihood.
Vulnerability × Threat = Risk
A vulnerability with no threat = no risk. A threat with no vulnerability = no risk.
Risk Management Cycle — 4 Stages
- Identification — Identify assets, vulnerabilities, and potential threats.
- Analysis — Evaluate potential impact and likelihood of exploitation.
- Mitigation — Apply patches, controls, improve configurations, monitoring.
- Monitoring — Continuously ensure controls remain effective against new threats.
Risk can also be Accepted (when cost of mitigation outweighs the risk) or Transferred (e.g. cyber insurance).
Answers
Q: An organisation patched a high-severity issue you reported. What stage of the risk management cycle is this?
A: Mitigation
Q: Would an SQL injection vulnerability present higher risk on an external-facing or internal-facing application?
A: External-facing application
Task 5
Why Vulnerabilities Exist
Vulnerabilities don’t appear out of nowhere — they have root causes. Understanding why they exist helps testers find them more effectively.
| Root Cause | Example Scenario | Resulting Vulnerability |
|---|---|---|
| Human Assumptions | Developer assumes users only upload images — no file validation in place | Unrestricted file upload → attacker uploads a web shell |
| Software Bugs | Form data concatenated into a DB query instead of parameterised inputs | SQL injection → attacker extracts or modifies database records |
| System Complexity | Multiple integrated services make it easy to overlook a misconfigured API | Exposed admin API → attacker reaches admin functions |
| Over-Customisation | Custom auth replaces a standard framework with hard-to-maintain logic | Weak authentication → broken session logic, account takeover |
| Technical & Design Flaws | Session cookie issued before MFA step is completed | MFA bypass → attacker navigates to authenticated pages |
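The "Software Bugs" row is the one most easily shown in code. The following is an added example for this writeup, not code from the room: a lookup that concatenates form input into the query sits next to the parameterised version, run against a constructed in-memory SQLite table. The point for a tester and a developer alike is that the parameterised query treats the input purely as a value, so the same input that pulls every row out of the concatenated version matches nothing in the hardened one.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample table; the users and e-mails are invented for this example."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, username):
    # Root cause "Software Bugs": the form field is concatenated into the SQL text,
    # so the input can change the structure of the statement, not just its value.
    query = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_parameterised(conn, username):
    # Hardened form: the placeholder is bound by the driver. The input is only ever
    # compared as a string, whatever characters it contains.
    query = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def compare(username):
    """Run both lookups on the same input and report how many rows each returns."""
    conn = make_db()
    return {
        "vulnerable_rows": len(find_user_vulnerable(conn, username)),
        "parameterised_rows": len(find_user_parameterised(conn, username)),
    }


if __name__ == "__main__":
    # A normal username behaves identically in both versions.
    print("alice:", compare("alice"))
    # The classic tautology input, used here to show the difference between the two versions.
    print("tautology input:", compare("' OR '1'='1"))
```

In a review or a retest, the fix to look for is exactly the second function: every user-controlled value reaches the database through a bound parameter, and no query text is built with string formatting or concatenation.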
Answer
Q: A developer implemented an “Upload Resume” feature without guardrails. What root cause applies?
A: Human Assumptions
Task 6
The Pentester Mindset
Technical skills alone are not enough. The difference between an average and an exceptional penetration tester lies in mindset and habits — not just tooling.
| ✓ Effective Mindset | ✗ Ineffective Mindset |
|---|---|
| Understand the system before testing | Rushing to exploitation without understanding |
| Attention to subtle behavioural differences | Ignoring context — reporting without business relevance |
| Constant curiosity — ask “what if?” | Over-reliance on tools — missing logic flaws |
| Prioritise critical, high-impact functions | Making assumptions — guessing without verification |
| Think in context — assess real-world consequence | Tunnel vision — fixating on one area |
| Creative thinking — chain vulnerabilities for greater impact | Blindly following a checklist — missing deeper issues |
Common Best Practices
- Maintaining Good Notes — Track every activity and finding so you can reproduce issues later.
- Collecting Evidence — Screenshots, tool output, and logs provide clear proof of impact.
- Managing Time — Prioritise high-impact functions. Report as you go.
- Proactive Communication — Flag blockers early and give regular progress updates.
- Staying Professional — Respect scope, handle sensitive data responsibly.
Answers
Q: What characteristic includes attacking without understanding how a functionality or system works?
A: Rushing to Exploitation
Q: What common best practice helps in reproducing findings later?
A: Maintaining Good Notes
Q: What common best practice could help prevent blockers from impacting coverage?
A: Proactive Communication
Task 7
Ethics, Permission, and Trust
These three principles allow penetration testing to exist as a professional security practice. They protect both the tester and the organisation being assessed.
⚖️ Ethics
- Respect the defined scope and avoid activities outside authorised boundaries
- Avoid actions that could disrupt systems and services
- Handle sensitive data responsibly — only access what’s needed to demonstrate impact
- Stop and report unexpected access to highly sensitive or out-of-scope systems
- Redact sensitive data in reports to prevent unintended disclosure
🔑 Permission
- Obtain written authorisation before initiating any testing
- Define a clear scope and adhere to the agreed-upon scope of testing
- Confirm testing windows and approved methods before conducting disruptive actions
- Seek clarification when uncertainty exists about whether an action is in scope
- Pause and notify the organisation if activities may exceed authorised boundaries
🤝 Trust
- Provide status updates periodically to reassure stakeholders
- Be transparent about limitations, blockers, and uncertainties
- Report findings accurately and clearly demonstrate business impact
- Provide actionable recommendations that help eliminate or mitigate risks
- Address organisational concerns promptly
Answers
Q: What defines boundaries during a penetration test?
A: Scope
Q: What type of impact should findings demonstrate clearly?
A: Business Impact
Q: What type of data must be removed from reports to prevent unintentional disclosure?
A: Sensitive Data
Task 8
Knowledge Recap — Practical Scenarios
The final task presented 8 real-world scenarios involving a penetration tester working on a fintech company’s customer web platform. For each scenario, the correct professional decision had to be chosen.
Scenario 1
The client hasn’t provided written authorisation yet. What should the tester do?
✓ Wait until written authorisation is received before performing any testing.
Why: Permission is non-negotiable. Never begin testing without formal written consent — even passive recon can be considered unauthorised.
Scenario 2
An additional domain belonging to the client is found but not listed in scope. What’s the best action?
✓ Request clarification from the client before interacting with the domain.
Why: Scope is sacred. Even if it belongs to the same org, touching out-of-scope systems without permission is unauthorised access.
Scenario 3
The tester plans automated vulnerability scans against production during business hours. What to do first?
✓ Confirm approved testing windows and scan intensity with the client.
Why: Aggressive scans on live production systems can disrupt real users. Always confirm timing and intensity before proceeding.
Scenario 4
The tester gains admin access and can view real customer data. What is the best decision?
✓ Capture minimal evidence required to prove admin access and stop further interaction.
Why: Only access data needed to demonstrate impact. Exploring real customer data violates ethics and data protection law (GDPR, PCI-DSS).
Scenario 5
Continuing an exploit could crash the application or disrupt business operations. What should the tester do?
✓ Pause testing and seek client approval before continuing.
Why: Never unilaterally decide it’s acceptable to risk crashing a production system. Communicate and let the client decide.
Scenario 6
Credentials are found that may grant access to another system not in scope. What’s most appropriate?
✓ Document the finding and notify the client without accessing the system.
Why: Out-of-scope stays out-of-scope. The credential exposure itself is a valid finding — document it and report it.
Scenario 7
One vulnerability couldn’t be fully validated due to time constraints. What should the tester do?
✓ Document it clearly as partially validated with noted limitations.
Why: Honesty builds trust. Inflating severity or reporting as confirmed when it isn’t are forms of misrepresentation.
Scenario 8
After report delivery, the client asks for clarification on findings and remediation guidance. Best action?
✓ Provide clarification and assist the client in understanding remediation recommendations.
Why: The goal of a pentest is to improve the client’s security — not just deliver a PDF. Supporting remediation builds long-term trust.

🏆 Room Complete!
THM{L3t$_d1v3_1nt0_Pen7es71ng!}
The key takeaway from this room is that penetration testing is far more than running tools and finding vulnerabilities. It’s a discipline built on methodology, mindset, ethics, and professional responsibility. The formula Vulnerability × Threat = Risk is the lens through which every finding should be communicated — always with business impact in mind.
If you found this writeup helpful, feel free to follow for more TryHackMe walkthroughs. Happy hacking! 🔐
Dive Into Pentesting — TryHackMe Walkthrough was originally published in System Weakness on Medium, where people are continuing the conversation by highlighting and responding to this story.