I have started playing around on the https://www.hackthebox.com platform and I’ll use this article to save all the pentesting tools I am learning.
nmap
nmap is a port scanner tool. By default it scans ports from 0-1000.
You should pass the -A flag, which enables OS detection, version detection, script scanning, and traceroute:
nmap -A <ip>
To enable only service version detection:
nmap -sV <ip>
The -sV flag scans and prints the service and version for each open port it finds.
To run the default set of scripts for version identification use -sC:
nmap -sC <ip>
To scan all the ports, we need to specify these flags:
nmap -sV -p- --min-rate 1000 <ip>
Take into account that this operation will take a long time to complete.
--min-rate speeds up the process by sending packets no slower than X packets per second.
Be aware that this might trigger some suspicion on an IDS; for that, check the -T0 or -T1 flags.
If nmap reports that it could not determine whether a port is open or closed, the machine might be protected by a firewall. Instead of performing a TCP SYN scan, you can use a TCP FIN scan by providing the -sF flag.
You can disable DNS resolution with -n.
You can generate a nice report by using the -oX flag and --webxml, e.g.:
nmap -p- -sC -sV -n --min-rate 1000 10.129.95.187 -oX nmap_allPorts --webxml
You can disable the ping scan (blocked by firewalls) by disabling host discovery: -Pn.
telnet
Telnet is a very old way of connecting to a computer and by default listens on port 23.
Usage:
telnet <ip>
The prompt will ask for user/password:
telnet <ip>
Trying <ip>...
Connected to <ip>.
Escape character is '^]'.
(ASCII art banner omitted)
Meow login: root
ftp
Stands for File Transfer Protocol. It listens on port 21 by default and is unencrypted (the secure version is called sftp).
The first thing to try when accessing ftp is the user anonymous without a password.
Commands:
- ls: list directory contents
- pass: set passive mode
- get: retrieve a file to your computer
Examples
ftp <ip>
Connected to <ip>.
220 (vsFTPd 3.0.3)
Name (<ip>:gal): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
500 Illegal PORT command.
ftp: bind: Address already in use
ftp> pass
Passive mode on.
ftp> ls
227 Entering Passive Mode (10,129,103,239,82,68).
150 Here comes the directory listing.
-rw-r--r-- 1 0 0 32 Jun 04 2021 flag.txt
226 Directory send OK.
ftp> get flag.txt /tmp/flag.txt
local: /tmp/flag.txt remote: flag.txt
227 Entering Passive Mode (10,129,103,239,159,232).
150 Opening BINARY mode data connection for flag.txt (32 bytes).
226 Transfer complete.
32 bytes received in 0.00 secs (21.1291 kB/s)
- In order to use the ls command, we first need to set passive mode by issuing the pass command.
Download all the contents of an ftp server:
wget -m ftp://username:password@ip.of.old.host
To see hidden files:
ls -la
smb
Stands for Server Message Block and is a protocol for file sharing between computers. It runs on port 445 by default.
The command line tool to interact with it is smbclient.
To list shared directories:
smbclient -L \\<ip>
Enter WORKGROUP\gal's password:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
WorkShares Disk
SMB1 disabled -- no workgroup available
Note the \\ prefix; this comes from Windows backslashes. Make sure to pass the --user flag, otherwise it will try to connect using your Linux user:
smbclient -L \\10.129.68.251 --user="Administrator"
Password for [WORKGROUP\Administrator]:
Sharename Type Comment
--------- ---- -------
ADMIN$ Disk Remote Admin
C$ Disk Default share
IPC$ IPC Remote IPC
Now, let’s connect to the share:
smbclient \\\\<ip>\\WorkShares
Enter WORKGROUP\gal's password:
Try "help" to get a list of possible commands.
smb: \>
The commands to use once inside are the same as in ftp.
You can use the -N flag to not send any password.
If you see this error: protocol negotiation failed: NT_STATUS_NOT_SUPPORTED, you need to configure the min/max protocol versions, see: https://unix.stackexchange.com/questions/562550/smbclient-protocol-negotiation-failed
redis
Redis is an in-memory key-value (NoSQL) database running on port 6379 by default.
To connect to the database, we must use redis-cli:
redis-cli -h <ip>
Once inside we can retrieve more information by using the info command:
<ip>:6379> info
# Server
redis_version:5.0.7
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:66bd629f924ac924
redis_mode:standalone
os:Linux 5.4.0-77-generic x86_64
arch_bits:64
To enumerate the databases that have entries, we can use the info keyspace command. This information is present in the info response as well.
To retrieve all the keys in a given database, we can use the keys * command once we have selected the database. To access a particular key, we use the get command:
redis-cli -h <ip>
<ip>:6379> select 0
OK
<ip>:6379> keys *
1) "numb"
2) "temp"
3) "flag"
4) "stor"
<ip>:6379> keys flag
1) "flag"
<ip>:6379> get flag
"flag"
rdp
Stands for Remote Desktop Protocol and runs on port 3389.
To connect, you can use the Windows tool or, if on Linux, xfreerdp or any other alternative.
If checking a Windows machine, try the Administrator user first.
MongoDB
MongoDB is a document-based (NoSQL) database that runs by default on port 27017.
To connect to it, we should use the mongo shell, currently mongosh.
To show all the databases in the instance, use the show dbs command.
To select a database: use <db>
To show all the collections in a database use the show collections command.
To show the contents of all the documents inside a collection use db.<collection>.find().pretty(). It will pretty print the results.
Example:
mongosh <ip>
Current Mongosh Log ID: 63999d00a5b1f19a65a9d84b
Connecting to: mongodb://<ip>:27017/?directConnection=true&appName=mongosh+1.6.1
Using MongoDB: 3.6.8
Using Mongosh: 1.6.1
For mongosh info see: https://docs.mongodb.com/mongodb-shell/
test> show dbs
admin 32.00 KiB
config 72.00 KiB
local 72.00 KiB
sensitive_information 32.00 KiB
users 32.00 KiB
test> show collections
test> use sensitive_information
switched to db sensitive_information
sensitive_information> show collections
flag
sensitive_information> db.flag.find().pretty()
[
{
_id: ObjectId("630e3dbcb82540ebbd1748c5"),
flag: 'flag'
}
]
sensitive_information>
rsync
rsync is a tool to share files between Linux machines; it defaults to the SSH port (22) or to port 873.
With rsync:// it will use port 873, while the form user@host will use the SSH port.
To list all the rsync shares:
rsync --list-only rsync://<ip>
public Anonymous Share
gobuster
gobuster performs directory busting on a web server. It discovers available paths using a word list.
The following example checks all the words in the /usr/share/dict/american-english-small dictionary, searches for paths with the php extension, stores the results in /tmp/found and uses 20 threads:
gobuster dir -x php -u http://<ip> -w /usr/share/dict/american-english-small -o /tmp/found -t 20
gobuster can also perform sub-domain enumeration (by DNS records or by virtual host), e.g.:
gobuster vhost --url http://thetoppers.htb -w /usr/share/wordlists/subdomains-top1million-5000.txt -t 50 --append-domain
Consider using different wordlists for subdomains and for directories.
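Directory busting is very noisy from the server side: one client produces a burst of 404 responses in a few seconds. As an added example (my own code, not part of gobuster or of these notes), the script below parses Apache combined-format access log lines and flags any client IP that produced a threshold number of 404s inside a sliding time window, which is the check a defender would run to spot this activity. The log lines, the IP addresses and the user-agent strings are constructed samples; the threshold and window are assumed defaults.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (Apache combined format); not real traffic.
SAMPLE_LOG = """\
10.0.0.9 - - [10/Oct/2023:13:55:36 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [10/Oct/2023:13:55:40 +0000] "GET /about.php HTTP/1.1" 404 196 "-" "gobuster/3.5"
10.0.0.7 - - [10/Oct/2023:13:55:40 +0000] "GET /ability.php HTTP/1.1" 404 196 "-" "gobuster/3.5"
10.0.0.7 - - [10/Oct/2023:13:55:41 +0000] "GET /able.php HTTP/1.1" 404 196 "-" "gobuster/3.5"
10.0.0.7 - - [10/Oct/2023:13:55:41 +0000] "GET /admin.php HTTP/1.1" 200 1024 "-" "gobuster/3.5"
10.0.0.7 - - [10/Oct/2023:13:55:42 +0000] "GET /abroad.php HTTP/1.1" 404 196 "-" "gobuster/3.5"
10.0.0.7 - - [10/Oct/2023:13:55:42 +0000] "GET /absent.php HTTP/1.1" 404 196 "-" "gobuster/3.5"
10.0.0.9 - - [10/Oct/2023:13:57:01 +0000] "GET /missing.png HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""

# client ident user [timestamp] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+ "[^"]*" "([^"]*)"'
)


def parse_line(line):
    """Turn one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, ua = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "time": when, "method": method, "path": path,
            "status": int(status), "ua": ua}


def detect_bruteforce(log_text, threshold=5, window_seconds=60):
    """Return {ip: total_404s} for clients with >= threshold 404s inside any window."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == 404:
            by_ip[rec["ip"]].append(rec["time"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        # Sliding window: advance 'start' until the window fits, then check its size.
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


if __name__ == "__main__":
    for ip, count in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} 404 responses, likely path enumeration")
```

A single user with one broken image link (10.0.0.9) stays below the threshold, while the scanning client is flagged after five misses in two seconds; tune threshold and window_seconds to the normal 404 rate of the site before alerting on this.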
Responder
The responder tool: https://github.com/lgandx/Responder
To get NTLM password hashes, responder sets up a rogue SMB server that captures the challenge initiated by another machine on the network and stores the hash of the challenge.
sudo responder -I tun0
John the ripper
Password cracking tool. It does not do anything magic: it just compares a hash file against a list of words (dictionary). It has a quite decent default dictionary; however, you can search for more complete dictionaries such as rockyou.
Make sure to install a version >= 1.9.0, which enables support for many hash formats. In my case, with version 1.8.0 I couldn’t crack an NTLMv2 hash.
You can also use the zip2john tool to brute-force password-protected zip files.
You can find it here: https://github.com/openwall/john.
You can specify the format as well:
john --format=raw-md5 passwd.txt
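To make the "nothing magic" point concrete, here is an added example (my own code, unrelated to John the Ripper's implementation) of what --format=raw-md5 boils down to: hash every dictionary word once, then look each target hash up. The wordlist and the user:hash file are constructed samples; the third hash is a deliberately non-matching placeholder. It shows why an unsalted, fast hash of a common password offers no protection, which is the argument for salted, slow password hashing and for checking new passwords against breach dictionaries.

```python
import hashlib

# Constructed inputs: a tiny "wordlist" and a hash file in john's user:hash style.
WORDLIST = ["welcome", "password", "letmein", "123456", "qwerty"]
HASH_FILE = """\
alice:5f4dcc3b5aa765d61d8327deb882cf99
bob:e10adc3949ba59abbe56e057f20f883e
carol:00000000000000000000000000000000
"""


def crack_raw_md5(hash_text, wordlist):
    """Dictionary attack on unsalted MD5: returns {user: word or None}."""
    # Hash each candidate once; unsalted hashes let one table serve every target,
    # which is exactly what a per-user salt would prevent.
    lookup = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    results = {}
    for line in hash_text.splitlines():
        if not line.strip():
            continue
        user, _, digest = line.partition(":")
        results[user] = lookup.get(digest.strip().lower())
    return results


if __name__ == "__main__":
    for user, word in crack_raw_md5(HASH_FILE, WORDLIST).items():
        print(f"{user}: {word if word else '<not in dictionary>'}")
```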
evil-winrm
Once you know the user/password of a Windows target, you can use evil-winrm to connect to PowerShell. Consider this tool as the PowerShell for Linux.
The usage is quite easy:
evil-winrm -i 10.129.67.87 -u Administrator -p <password>
If you see some SSL error while connecting to the target, make sure to enable support for the legacy MD4 hash:
Make sure the file /etc/ssl/openssl.cnf contains the following:
[provider_sect]
default = default_sect
legacy = legacy_sect
[default_sect]
activate = 1
[legacy_sect]
activate = 1
postgres
Basic commands (outside of SQL queries):
- \l: list databases
- \c db: connect to a database named db
- \dt: list tables in the current database
netcat
Listen on 1234 port:
nc -lnvp 1234
- -l: listen mode
- -n: numeric-only IP addresses, no DNS
- -v: verbose
- -p: port - we add p to say that we want to listen on a specific port (here 1234)
impacket
https://github.com/fortra/impacket
Impacket is a collection of Python classes for working with network protocols.
I’ve used it to exploit samba and mssql.
mssqlclient
mssqlclient.py -windows-auth ARCHETYPE/sql_svc@10.129.95.187
SQL> xp_cmdshell whoami
output
--------------------------------------------------------------------------------
archetype\sql_svc
NULL
SQL>
wesng
https://github.com/bitsadmin/wesng
Checks for Windows vulnerabilities given the output of a systeminfo command.
Burp suite
https://portswigger.net/burp/communitydownload
This suite has a lot of nice features such as:
- Proxy
- Repeater
- Generating sitemap
- …
sqlmap
Checks a given URL for SQL injection vulnerabilities.
The easiest way is to capture the request to the possibly vulnerable URL with Burp and send it to sqlmap:
sqlmap -r search-request.txt
If you pass the --os-shell flag you’ll get a shell on the target.
Interactive shell
When doing reverse shells, the terminal is quite shitty and lacks basic features. In order to get a better shell, we can use the following commands:
python3 -c 'import pty;pty.spawn("/bin/bash")'
---- (background the shell with Ctrl+Z, then in your local terminal:)
stty raw -echo
fg
export TERM=xterm
Searchsploit
Once the enumeration has succeeded and you have the service and version, you can use searchsploit to search for possible exploits, see example:
segal@gal-Modern-14-C12M:~$ searchsploit vsFTPd 2.3.4
---------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------- ---------------------------------
vsftpd 2.3.4 - Backdoor Command Execution | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Me | unix/remote/17491.rb
---------------------------------------------- ---------------------------------
Shellcodes: No Results
Ghidra
Ghidra is a decompiler/debugger tool, very useful to analyse binaries and understand the logic inside:
https://github.com/NationalSecurityAgency/ghidra
RsaCtfTool
It is a tool to check/attack RSA keys.
I have used it to retrieve a private key from a weak RSA public key. The key pair is generated by multiplying two prime numbers; if the primes are not big enough, they can be guessed, which reveals the private key.
To decrypt the encrypted file using the private key, use openssl:
openssl rsautl -in flag.enc -out flag.txt -decrypt -inkey key.priv
To know the length of the RSA key:
openssl rsa -in key.pub -RSAPublicKey_in -text -noout
openssl rsa -in key.priv -text -noout
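Why the key length matters, as an added worked example (my own code, not RsaCtfTool's): a toy key built from two small primes can be factored by trial division in milliseconds, and once p and q are known the private exponent d follows directly from e. The same script includes the check a defender actually wants, namely that a modulus meets a minimum bit length. The primes 10007 and 10009 are deliberately tiny constructed values; e = 65537 is the usual public exponent; the 2048-bit minimum is an assumed policy value.

```python
from math import gcd, isqrt


def rsa_keypair(p, q, e=65537):
    """Textbook RSA from two primes: returns ((n, e), d)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime with phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), d


def factor_by_trial_division(n):
    """Return (p, q) for an odd composite n, or None. Only feasible for tiny n."""
    for cand in range(3, isqrt(n) + 1, 2):
        if n % cand == 0:
            return cand, n // cand
    return None


def recover_private_exponent(n, e):
    """If n factors, the private exponent is just the inverse of e mod phi(n)."""
    factors = factor_by_trial_division(n)
    if factors is None:
        return None
    p, q = factors
    return pow(e, -1, (p - 1) * (q - 1))


def modulus_is_strong(n, min_bits=2048):
    """Policy check: refuse keys whose modulus is shorter than min_bits (assumed minimum)."""
    return n.bit_length() >= min_bits


if __name__ == "__main__":
    (n, e), d = rsa_keypair(10007, 10009)  # constructed toy key
    print(f"n = {n} ({n.bit_length()} bits), strong: {modulus_is_strong(n)}")
    d_recovered = recover_private_exponent(n, e)
    print(f"recovered d matches: {d_recovered == d}")
    m = 42
    print(f"round trip ok: {pow(pow(m, e, n), d_recovered, n) == m}")
```

Trial division is hopeless against a real 2048-bit modulus, which is the whole point: the tools in this section only succeed when a key is short or its primes are badly chosen, so the defensive control is enforcing key length and a proper prime generator.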
gdb
gdb is the GNU debugger. See the following operations:
- Set a breakpoint:
b *0x08049291
- Run the program:
r
- Run program with input:
r < pattern.txt
- Continue the execution after breakpoint:
c
- Show file information:
info file
- Show stack:
x/60x $esp
- Show where the address points:
x/i <address>
e.g.:
gef➤ x/i 0x7ffff7d14a37
0x7ffff7d14a37 <__GI___libc_write+23>: cmp rax,0xfffffffffffff000
- Get variable memory address (variable named target):
p &target
gdb-peda
Python Exploit Development Assistance for GDB
https://github.com/longld/peda
- Create a pattern of 200 chars:
pattern_create 200 bof.txt
- Calculate the number of characters to do buffer overflow:
pattern_offset <EIP register>
- Get assembler code for function:
disas <function>
The first line shows the address you must use to jump.
gdb-gef
GDB Enhanced Features
vmmap: shows how the memory is organized, very useful to calculate memory offsets:
gef➤ vmmap
[ Legend: Code | Heap | Stack ]
Start End Offset Perm Path
0x00555555554000 0x00555555555000 0x00000000000000 r-- /home/gal/workspace/hackthebox/spooky-time/challenge/spooky_time
0x00555555555000 0x00555555556000 0x00000000001000 r-x /home/gal/workspace/hackthebox/spooky-time/challenge/spooky_time
0x00555555556000 0x00555555557000 0x00000000002000 r-- /home/gal/workspace/hackthebox/spooky-time/challenge/spooky_time
0x00555555557000 0x00555555558000 0x00000000002000 rw- /home/gal/workspace/hackthebox/spooky-time/challenge/spooky_time
0x007ffff7d90000 0x007ffff7d93000 0x00000000000000 rw-
0x007ffff7d93000 0x007ffff7dbb000 0x00000000000000 r-- /home/gal/workspace/hackthebox/spooky-time/challenge/glibc/libc.so.6
0x007ffff7dbb000 0x007ffff7f50000 0x00000000028000 r-x /home/gal/workspace/hackthebox/spooky-time/challenge/glibc/libc.so.6
0x007ffff7f50000 0x007ffff7fa8000 0x000000001bd000 r-- /home/gal/workspace/hackthebox/spooky-time/challenge/glibc/libc.so.6
0x007ffff7fa8000 0x007ffff7fac000 0x00000000214000 r-- /home/gal/workspace/hackthebox/spooky-time/challenge/glibc/libc.so.6
0x007ffff7fac000 0x007ffff7fae000 0x00000000218000 rw- /home/gal/workspace/hackthebox/spooky-time/challenge/glibc/libc.so.6
spooky_time memory is between addresses 0x00555555554000 and 0x00555555558000.
libc memory is between addresses 0x007ffff7d93000 and 0x007ffff7fae000.
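Reading those bounds off the listing by hand is error-prone, so here is an added example (my own code, not part of gef) that parses vmmap output into regions, computes the base and end of every mapped module, and reports which module an address falls in and its offset from that module's base. The input embedded below is the vmmap listing from the session above; the helper names and the "[anonymous]" label for unnamed mappings are my own.

```python
import re

# Sample input: the vmmap listing from the gef session on this page.
VMMAP_OUTPUT = """\
[ Legend: Code | Heap | Stack ]
Start End Offset Perm Path
0x00555555554000 0x00555555555000 0x00000000000000 r-- /home/gal/workspace/hackthebox/spooky-time/challenge/spooky_time
0x00555555555000 0x00555555556000 0x00000000001000 r-x /home/gal/workspace/hackthebox/spooky-time/challenge/spooky_time
0x00555555556000 0x00555555557000 0x00000000002000 r-- /home/gal/workspace/hackthebox/spooky-time/challenge/spooky_time
0x00555555557000 0x00555555558000 0x00000000002000 rw- /home/gal/workspace/hackthebox/spooky-time/challenge/spooky_time
0x007ffff7d90000 0x007ffff7d93000 0x00000000000000 rw-
0x007ffff7d93000 0x007ffff7dbb000 0x00000000000000 r-- /home/gal/workspace/hackthebox/spooky-time/challenge/glibc/libc.so.6
0x007ffff7dbb000 0x007ffff7f50000 0x00000000028000 r-x /home/gal/workspace/hackthebox/spooky-time/challenge/glibc/libc.so.6
0x007ffff7f50000 0x007ffff7fa8000 0x000000001bd000 r-- /home/gal/workspace/hackthebox/spooky-time/challenge/glibc/libc.so.6
0x007ffff7fa8000 0x007ffff7fac000 0x00000000214000 r-- /home/gal/workspace/hackthebox/spooky-time/challenge/glibc/libc.so.6
0x007ffff7fac000 0x007ffff7fae000 0x00000000218000 rw- /home/gal/workspace/hackthebox/spooky-time/challenge/glibc/libc.so.6
"""

# start end offset perm [path]; the path is absent for anonymous mappings.
LINE_RE = re.compile(
    r'^(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+([rwx-]{3})(?:\s+(\S.*))?$'
)


def parse_vmmap(text):
    """Parse vmmap lines into dicts; header and legend lines are skipped."""
    regions = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        start, end, offset, perm, path = m.groups()
        regions.append({"start": int(start, 16), "end": int(end, 16),
                        "offset": int(offset, 16), "perm": perm, "path": path or ""})
    return regions


def module_bounds(regions, name):
    """Lowest start and highest end among mappings whose path ends with name."""
    matching = [r for r in regions if r["path"] and r["path"].endswith(name)]
    if not matching:
        return None
    return min(r["start"] for r in matching), max(r["end"] for r in matching)


def offset_in_module(regions, address):
    """Return (module name, offset from module base) for address, or None if unmapped."""
    for r in regions:
        if r["start"] <= address < r["end"]:
            if r["path"]:
                base, _ = module_bounds(regions, r["path"])
                name = r["path"].rsplit("/", 1)[-1]
            else:
                base, name = r["start"], "[anonymous]"
            return name, address - base
    return None


if __name__ == "__main__":
    regions = parse_vmmap(VMMAP_OUTPUT)
    for module in ("spooky_time", "libc.so.6"):
        lo, hi = module_bounds(regions, module)
        print(f"{module}: {lo:#x} - {hi:#x}")
    print(offset_in_module(regions, 0x7ffff7dbb100))
```

The offsets this prints are the ones you would add to a module base found at runtime, which is the arithmetic the notes above do by hand.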