Saturday, December 3, 2022

For week 10, I was expected to complete this TryHackMe room.

Firstly, it took me far too long to log in. I was rushing, and I failed to click the "I'm not a robot" radio button for the captcha, and it locked me out for "five minutes", which was much, much longer than five minutes. I eventually had to change my password to get access. The whole experience was very annoying and left me feeling just a little paranoid.

The room starts with a description of Nessus: Nmap deluxe.

Before joining the room, I checked the installation instructions. The documentation on the Tenable website was a bit confusing (I'm in a hurry to complete a mountain of homework). It was talking about virtual machines, and so I jumped back to the TryHackMe room. It talked about downloading a .deb package. I'm not running a Debian distro, so I found the Fedora one and downloaded it. I clicked on the file, and my package manager installed it, which is something I'm not used to. I usually run a really stripped-down version of Linux and install only the software I absolutely need. But I've been using a modified version of Fedora 36 recently, and it's really easy to like.

Installation complete, I opened a terminal and started the service by entering:

sudo /bin/systemctl start nessusd.service

Then I tried to follow the hyperlink on TryHackMe to open https://localhost:8834/, but Firefox gave me the following message:

Bad Request

Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead, please use the HTTPS scheme to access this URL.

So I typed it in manually. Firefox warned me about the potential security risk. I don't fully understand why an https address isn't secure and I wish TryHackMe would take a moment to explain it beyond the picture with the text about certificates. Mozilla has this to say:

SEC_ERROR_UNKNOWN_ISSUER

The certificate is not trusted because the issuer certificate is unknown.
The server might not be sending the appropriate intermediate certificates.
An additional root certificate may need to be imported.

This feels like famous last words, but I was in a hurry, so I accepted the risk and proceeded.
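The unknown-issuer warning above, worked through with openssl as an added example (not part of the original post). It assumes the Nessus web UI on https://localhost:8834 presents a self-signed certificate, and stands a throwaway certificate in for it; the function names are mine.

```shell
#!/bin/sh
# Added example: reproduce Firefox's SEC_ERROR_UNKNOWN_ISSUER with a
# throwaway self-signed certificate. Assumption: the Nessus web UI on
# https://localhost:8834 signs its own certificate, so no CA in the
# browser's trust store vouches for the issuer.
WORK="${TMPDIR:-/tmp}/selfsigned.$$"

# Constructed sample: a self-signed cert for localhost, valid for one
# day, standing in for the one the scanner's web UI would present.
make_self_signed_cert() {
    mkdir -p "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=localhost" -addext "subjectAltName=DNS:localhost" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# A self-signed cert has subject == issuer: nobody else signed it, which
# is exactly why the browser has no "issuer certificate" to check.
cert_is_self_issued() {
    subj=$(openssl x509 -in "$WORK/cert.pem" -noout -subject)
    iss=$(openssl x509 -in "$WORK/cert.pem" -noout -issuer)
    [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# What the browser does: build a chain to the default trust store.
# Fails (non-zero exit) because no trusted CA signed this cert.
verify_against_system_store() {
    openssl verify "$WORK/cert.pem" >/dev/null 2>&1
}

# What "an additional root certificate may need to be imported" means:
# once the operator has checked the fingerprint out-of-band and pinned
# the cert as a trust anchor, the same validation succeeds.
verify_with_imported_root() {
    openssl verify -CAfile "$WORK/cert.pem" "$WORK/cert.pem" >/dev/null 2>&1
}

cleanup() { rm -rf "$WORK"; }
```

Run `make_self_signed_cert`, then compare the exit codes of `verify_against_system_store` and `verify_with_imported_root` to see the difference between clicking "accept the risk" once and deliberately trusting a known certificate.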

Following the instructions on TryHackMe, I clicked the radio button for Nessus Essentials, I entered a passcode emailed to me by Nessus, and set up an account. I waited for plugins to compile and prepared some tea.

And at this point I realized that TryHackMe expected me to be using this on a VM. Damn. So I looked through the rest of the instructions and decided that running it natively would not be a significantly greater risk than running it in a VM. Fingers crossed 😬

So I finally joined the room and went back and checked the assignments I have already done.

The room asked me various questions about the GUI, and I immediately felt confused because I was looking for a button I already clicked. After that, I answered all the questions without much effort. But I do like something like this, because it makes me engage with the application rather than just telling me about it like a textbook does. I think most CompTIA subjects would benefit from this style of instruction.

The next section was much the same, with a question about scheduling, one about scanning all ports, and one about scanning with low bandwidth links.

Then it said to launch a scan, but Nessus wants a name and a target, and I don't know what name and target I am supposed to be scanning. So I ran it on the AttackBox and hoped that was what I was supposed to do.

TryHackMe, like most people with technical expertise, suffers from the curse of knowledge: they seem to have forgotten what it was like to not know something. This leads them to omit critical details in their instructions. Sure, it makes me figure something out for myself, but that is like teaching somebody to swim by pushing them out of a boat and saying, "You better figure it out or I'm going to regret not learning CPR."

And I got the results back from the scan... Nothing. Great. Another frustrating TryHackMe room.

I'm so frustrated with this website. I couldn't answer the next question. I terminated the machine and left the room.

At least I downloaded a really useful piece of software.
