I have started playing around on the https://www.hackthebox.com platform and I'll use this article to save all the pentesting tools I am learning.

nmap

nmap is a port scanner tool. By default it scans ports 0-1000.

You should pass the -A flag, which enables OS detection, version detection, script scanning, and traceroute:

nmap -A <ip>

To enable only service version detection:

nmap -sV <ip>

The -sV flag scans and prints the service and version for each open port it finds.

To run the default set of scripts (useful for version identification), use -sC:

nmap -sC <ip>

To scan all the ports, we need to specify these flags:

nmap -sV -p- --min-rate 1000 <ip>

Take into account that this operation will take a long time to complete.

--min-rate speeds up the process by sending packets no slower than X per second.

Be aware that this might raise suspicion on an IDS; to go slower, check the -T0 or -T1 flags.

If nmap reports that it could not determine whether a port is open or closed, the machine might be protected by a firewall. Instead of performing a TCP SYN scan, you can try a TCP FIN scan by providing the flag -sF.

You can disable DNS resolution with -n

You can generate a nice report by using the -oX flag and --webxml, e.g.:

nmap -p- -sC -sV -n --min-rate 1000 10.129.95.187 -oX nmap_allPorts --webxml

You can skip the ping scan (often blocked by firewalls) by disabling host discovery with -Pn.

telnet

Telnet is a very old way of connecting to a computer and by default listens on port 23.

Usage:

telnet <ip>

The prompt will ask for user/password:

telnet <ip>
Trying <ip>...
Connected to <ip>.
Escape character is '^]'.

  █  █         ▐▌     ▄█▄ █          ▄▄▄▄
  █▄▄█ ▀▀█ █▀▀ ▐▌▄▀    █  █▀█ █▀█    █▌▄█ ▄▀▀▄ ▀▄▀
  █  █ █▄█ █▄▄ ▐█▀▄    █  █ █ █▄▄    █▌▄█ ▀▄▄▀ █▀█


Meow login: root

ftp

Stands for File Transfer Protocol. It listens on port 21 by default and is unencrypted (the secure version is called sftp).

The first thing to try when accessing FTP is the user anonymous without a password.

Commands:

  • ls: list directory contents
  • pass: set passive mode
  • get: retrieve a file to the local computer

Example:

ftp <ip>
Connected to <ip>.
220 (vsFTPd 3.0.3)
Name (<ip>:gal): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
500 Illegal PORT command.
ftp: bind: Address already in use
ftp> pass
Passive mode on.
ftp> ls
227 Entering Passive Mode (10,129,103,239,82,68).
150 Here comes the directory listing.
-rw-r--r--    1 0        0              32 Jun 04  2021 flag.txt
226 Directory send OK.
ftp> get flag.txt /tmp/flag.txt
local: /tmp/flag.txt remote: flag.txt
227 Entering Passive Mode (10,129,103,239,159,232).
150 Opening BINARY mode data connection for flag.txt (32 bytes).
226 Transfer complete.
32 bytes received in 0.00 secs (21.1291 kB/s)

In order to use the ls command, we need to enable passive mode by issuing the pass command.

Download all the contents of an FTP server:

wget -m ftp://username:password@ip.of.old.host

To see hidden files:

ls -la

smb

Stands for Server Message Block and is a protocol for file sharing between computers. It runs on port 445 by default.

The command line tool to interact with it is smbclient.

To list shared directories:

smbclient -L \\<ip>
Enter WORKGROUP\gal's password:

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        WorkShares      Disk
SMB1 disabled -- no workgroup available

Note the \\ prefix; this comes from Windows backslashes. Make sure to pass the --user flag, otherwise it will try to connect using your Linux username:

smbclient -L \\10.129.68.251 --user="Administrator"
Password for [WORKGROUP\Administrator]:

	Sharename       Type      Comment
	---------       ----      -------
	ADMIN$          Disk      Remote Admin
	C$              Disk      Default share
	IPC$            IPC       Remote IPC

Now, let's connect to the share:

smbclient \\\\<ip>\\WorkShares
Enter WORKGROUP\gal's password:
Try "help" to get a list of possible commands.
smb: \>

The commands to use once inside are the same as in ftp.

You can use the -N flag to connect without a password.

If you see the error protocol negotiation failed: NT_STATUS_NOT_SUPPORTED, you need to configure the min/max protocol versions, see: https://unix.stackexchange.com/questions/562550/smbclient-protocol-negotiation-failed

redis

Redis is an in-memory key-value (NoSQL) database running on port 6379 by default.

To connect to the database, we must use redis-cli:

redis-cli -h <ip>

Once inside we can retrieve more information by using the info command:

<ip>:6379> info
# Server
redis_version:5.0.7
redis_git_sha1:00000000
redis_git_dirty:0
redis_build_id:66bd629f924ac924
redis_mode:standalone
os:Linux 5.4.0-77-generic x86_64
arch_bits:64

To find out which databases have entries, we can use the info keyspace command. This information is present in the full info response as well.

To retrieve all the keys in a given database, we can use the keys * command once we have selected the database. To access a particular key, we use the get command:

redis-cli -h <ip>
<ip>:6379> select 0
OK
<ip>:6379> keys *
1) "numb"
2) "temp"
3) "flag"
4) "stor"
<ip>:6379> keys flag
1) "flag"
<ip>:6379> get flag
"flag"

rdp

Stands for Remote Desktop Protocol and runs on port 3389.

To connect, you can use the Windows client or, on Linux, xfreerdp or any other alternative.

If checking a Windows machine, try the Administrator user first.

MongoDB

MongoDB is a document based (NoSQL) database that runs by default on port 27017.

To connect to it, we should use the mongo shell, currently mongosh.

To show all the databases in the instance, use the show dbs command.

To select a database: use <db>

To show all the collections in a database, use the show collections command.

To show the contents of all the documents in a collection, use db.<collection>.find().pretty(), which pretty-prints the results.

Example:

mongosh <ip>
Current Mongosh Log ID: 63999d00a5b1f19a65a9d84b
Connecting to:          mongodb://<ip>:27017/?directConnection=true&appName=mongosh+1.6.1
Using MongoDB:          3.6.8
Using Mongosh:          1.6.1

For mongosh info see: https://docs.mongodb.com/mongodb-shell/

test> show dbs
admin                  32.00 KiB
config                 72.00 KiB
local                  72.00 KiB
sensitive_information  32.00 KiB
users                  32.00 KiB
test> show collections

test> use sensitive_information
switched to db sensitive_information
sensitive_information> show collections
flag
sensitive_information> db.flag.find().pretty()
[
  {
    _id: ObjectId("630e3dbcb82540ebbd1748c5"),
    flag: 'flag'
  }
]
sensitive_information>

rsync

rsync is a tool to sync files between Linux machines; it uses either the SSH port (22) or port 873.

The rsync:// form uses port 873, while the user@host form uses the SSH port.

To list all the rsync shares:

rsync --list-only rsync://<ip>
public         	Anonymous Share

gobuster

gobuster performs directory busting on a web server: it discovers available paths using a wordlist.

The following example checks all the words in the /usr/share/dict/american-english-small dictionary, searches for paths with the php extension, stores the results in /tmp/found and uses 20 threads:

gobuster dir -x php -u http://<ip> -w /usr/share/dict/american-english-small -o /tmp/found -t 20

gobuster can also perform sub-domain enumeration (by DNS records or by virtual host), e.g.:

gobuster vhost --url http://thetoppers.htb -w /usr/share/wordlists/subdomains-top1million-5000.txt -t 50 --append-domain

Consider using different wordlists for subdomains and for directories.

Responder

The Responder tool: https://github.com/lgandx/Responder

To obtain NTLM password hashes, Responder sets up a rogue SMB server that captures the challenge/response initiated by another machine on the network and stores the resulting hash.

sudo responder -I tun0

John the ripper

Password cracking tool. It does nothing magic: it hashes each word of a list (dictionary) and compares the result with the hashes in the given file. It has a quite decent default dictionary; however, you can search for more complete dictionaries such as rockyou.

Make sure to install a version >= 1.9.0, which adds support for many hash formats. In my case, with version 1.8.0 I couldn't crack an NTLMv2 hash.

You can also use the zip2john tool to brute-force password-protected zip files.

You can find it here: https://github.com/openwall/john.

You can specify the format as well:

john --format=raw-md5 passwd.txt
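To make the "nothing magic" point concrete, here is an added example (not the page's or john's code) that reproduces what john does for --format=raw-md5: hash every dictionary word plus a few mangled variants and compare against a hash file. The wordlist, users and hashes are constructed for this example; the lesson for defenders is that an unsalted fast hash of a dictionary-derived password falls in microseconds.

```python
"""A minimal dictionary attack on raw MD5 hashes, to show what john actually does."""
import hashlib

# Constructed wordlist and hash file for this example (not rockyou, not real users).
WORDLIST = ["password", "letmein", "hunter2", "summer", "dragon"]

def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()

HASH_FILE = [
    "alice:" + _md5("password"),      # plain dictionary word
    "bob:" + _md5("Summer2023"),      # dictionary word + simple mangling rule
    "carol:" + _md5("xK9#qL2!vR8m"),  # strong password: not reachable from the wordlist
]

def candidates(word):
    """Yield the word plus a few mangled variants, in the spirit of john's rules."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "123", "2023", "!"):
        yield word + suffix
        yield word.capitalize() + suffix

def crack(hash_lines, wordlist, algo="md5"):
    """Return {user: password} for every hash that some candidate reproduces."""
    targets = {}
    for line in hash_lines:
        user, digest = line.strip().split(":", 1)
        targets.setdefault(digest.lower(), []).append(user)
    found = {}
    for word in wordlist:
        for cand in candidates(word):
            digest = hashlib.new(algo, cand.encode()).hexdigest()
            for user in targets.pop(digest, []):  # each hash is solved at most once
                found[user] = cand
        if not targets:
            break  # everything cracked, stop early
    return found

if __name__ == "__main__":
    print(crack(HASH_FILE, WORDLIST))  # {'alice': 'password', 'bob': 'Summer2023'}
```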

evil-winrm

Once you know the user/password of a Windows target, you can use evil-winrm to get a PowerShell session on it. Think of this tool as a PowerShell client for Linux.

The usage is quite easy:

evil-winrm -i 10.129.67.87 -u Administrator -p <password>

If you see an SSL error while connecting to the target, make sure support for the legacy MD4 hash is enabled.

Make sure the file /etc/ssl/openssl.cnf contains the following:

[provider_sect]
default = default_sect
legacy = legacy_sect

[default_sect]
activate = 1

[legacy_sect]
activate = 1

postgres

Basic commands (outside of SQL queries):

  • \l: list databases
  • \c db: connect to the database named db
  • \dt: list tables in the current database

netcat

Listen on 1234 port:

nc -lnvp 1234

-l: listen mode

-n: numeric-only IP addresses, no DNS

-v: verbose

-p: port; we add p to say that we want to listen on a specific port (here 1234)

impacket

https://github.com/fortra/impacket

Impacket is a collection of Python classes for working with network protocols.

I’ve used it to exploit samba and mssql.

mssqlclient

mssqlclient.py -windows-auth ARCHETYPE/sql_svc@10.129.95.187

SQL> xp_cmdshell whoami
output
--------------------------------------------------------------------------------
archetype\sql_svc
NULL
SQL>

wesng

https://github.com/bitsadmin/wesng

Checks for Windows vulnerabilities given the output of a systeminfo command.

Burp suite

https://portswigger.net/burp/communitydownload

This suite has a lot of nice features, such as:

  • Proxy
  • Repeater
  • Generating sitemap

sqlmap

Checks a given URL for SQL injection vulnerabilities.

The easiest way is to capture the request to the possibly vulnerable URL with Burp and pass it to sqlmap:

sqlmap -r search-request.txt

If you pass the --os-shell flag you'll get a shell on the target.

Interactive shell

When working with reverse shells, the terminal is quite limited and lacks basic features. To get a better shell, we can run the following commands:

# 1. Inside the reverse shell: spawn a proper pty
python3 -c 'import pty;pty.spawn("/bin/bash")'
# 2. Press Ctrl+Z to background the shell, then in your local terminal:
stty raw -echo
fg
# 3. Back inside the reverse shell:
export TERM=xterm

Searchsploit

Once enumeration has succeeded and you have the service and version, you can use searchsploit to search for known exploits, for example:

segal@gal-Modern-14-C12M:~$ searchsploit vsFTPd 2.3.4
---------------------------------------------- ---------------------------------
 Exploit Title                                |  Path
---------------------------------------------- ---------------------------------
vsftpd 2.3.4 - Backdoor Command Execution     | unix/remote/49757.py
vsftpd 2.3.4 - Backdoor Command Execution (Me | unix/remote/17491.rb
---------------------------------------------- ---------------------------------
Shellcodes: No Results

Ghidra

Ghidra is a decompiler/debugger tool, very useful to analyse binaries and understand the logic inside.

https://github.com/NationalSecurityAgency/ghidra

RsaCtfTool

RsaCtfTool is a tool to check/attack RSA keys.

I have used it to retrieve a private key from a weak RSA public key. The key pair is generated from two prime numbers; if the primes are not big enough, they can be recovered by factoring the modulus, which reveals the private key.

To decrypt the file with the recovered private key, use openssl:

openssl rsautl -in flag.enc -out flag.txt -decrypt -inkey key.priv

To find the RSA key length:

openssl rsa -in key.pub -RSAPublicKey_in -text -noout
openssl rsa -in key.priv -text -noout
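To show why small primes give the private key away, here is an added example (not code from the page or from RsaCtfTool) on a constructed toy key: it factors the modulus by trial division or, for primes that are close together, Fermat's method, rebuilds d and decrypts a message. Real keys use random primes of 1024 bits or more, where neither approach works, which is the whole point of the key-length check above.

```python
"""Recover a CTF-sized RSA private key whose modulus has weak (small, close) primes."""
from math import isqrt

# Constructed toy key: two close ~20-bit primes, so n factors instantly. Real keys
# use two random 1024-bit or larger primes and neither attack below works on them.
P, Q = 1000003, 1000033
N, E = P * Q, 65537

def factor_trial(n, bound=1 << 16):
    """Trial division: finds a factor if one prime is tiny."""
    for p in range(2, min(bound, isqrt(n)) + 1):
        if n % p == 0:
            return p, n // p
    return None

def factor_fermat(n, max_iter=1 << 20):
    """Fermat's method: finds p, q fast when both are close to sqrt(n)."""
    a = isqrt(n)
    if a * a < n:
        a += 1
    for _ in range(max_iter):
        b2 = a * a - n
        b = isqrt(b2)
        if b * b == b2:
            return a - b, a + b
        a += 1
    return None

def recover_private_key(n, e):
    """Return d if n can be factored by either method, else None."""
    pq = factor_trial(n) or factor_fermat(n)
    if pq is None:
        return None
    p, q = pq
    return pow(e, -1, (p - 1) * (q - 1))  # modular inverse, Python 3.8+

def encrypt(msg, n=N, e=E):
    return pow(int.from_bytes(msg, "big"), e, n)

def decrypt(c, d, n=N):
    m = pow(c, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

if __name__ == "__main__":
    c = encrypt(b"flag")           # what flag.enc would hold, as an integer
    d = recover_private_key(N, E)  # what RsaCtfTool would hand back as key.priv
    print(decrypt(c, d))           # b'flag'
```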

gdb

gdb is the GNU debugger. See the following operations:

  • Set a breakpoint: b *0x08049291
  • Run the program: r
  • Run program with input: r < pattern.txt
  • Continue the execution after breakpoint: c
  • Show file information: info file
  • Show stack: x/60x $esp
  • Show where the address points: x/i <address>, e.g.:
    gef➤  x/i 0x7ffff7d14a37
     0x7ffff7d14a37 <__GI___libc_write+23>:	cmp    rax,0xfffffffffffff000
    
  • Get variable memory address (variable named target): p &target

gdb-peda

Python Exploit Development Assistance for GDB

https://github.com/longld/peda

  • Create a pattern of 200 chars: pattern_create 200 bof.txt
  • Calculate the number of characters needed to reach the return address: pattern_offset <value found in EIP>
  • Get assembler code for function: disas <function>. The first line shows the address you must use to jump

gdb-gef

GDB Enhanced Features

https://github.com/hugsy/gef

  • vmmap: show how the memory is organized, very useful to calculate memory offsets:
gef➤  vmmap 
[ Legend:  Code | Heap | Stack ]
Start              End                Offset             Perm Path
0x00555555554000 0x00555555555000 0x00000000000000 r-- /home/gal/workspace/hackthebox/spooky-time/challenge/spooky_time
0x00555555555000 0x00555555556000 0x00000000001000 r-x /home/gal/workspace/hackthebox/spooky-time/challenge/spooky_time
0x00555555556000 0x00555555557000 0x00000000002000 r-- /home/gal/workspace/hackthebox/spooky-time/challenge/spooky_time
0x00555555557000 0x00555555558000 0x00000000002000 rw- /home/gal/workspace/hackthebox/spooky-time/challenge/spooky_time
0x007ffff7d90000 0x007ffff7d93000 0x00000000000000 rw- 
0x007ffff7d93000 0x007ffff7dbb000 0x00000000000000 r-- /home/gal/workspace/hackthebox/spooky-time/challenge/glibc/libc.so.6
0x007ffff7dbb000 0x007ffff7f50000 0x00000000028000 r-x /home/gal/workspace/hackthebox/spooky-time/challenge/glibc/libc.so.6
0x007ffff7f50000 0x007ffff7fa8000 0x000000001bd000 r-- /home/gal/workspace/hackthebox/spooky-time/challenge/glibc/libc.so.6
0x007ffff7fa8000 0x007ffff7fac000 0x00000000214000 r-- /home/gal/workspace/hackthebox/spooky-time/challenge/glibc/libc.so.6
0x007ffff7fac000 0x007ffff7fae000 0x00000000218000 rw- /home/gal/workspace/hackthebox/spooky-time/challenge/glibc/libc.so.6

The spooky_time memory is between addresses 0x00555555554000 and 0x00555555558000, and the libc memory is between addresses 0x007ffff7d93000 and 0x007ffff7fae000.
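The module ranges above can be computed rather than read off by hand. This is an added example (not gef's code) that parses rows in the vmmap format shown above (a trimmed copy of that listing is embedded as input), collapses the segments of each file into a base/end pair, and reports which module a given address falls in together with its offset from that module's base, which is what you need when comparing addresses across runs with ASLR.

```python
"""Parse gef's vmmap output into module ranges and locate an address within them."""
import re

# Excerpt of the vmmap listing shown above (rows trimmed), used as constructed input.
VMMAP = """\
Start              End                Offset             Perm Path
0x00555555554000 0x00555555555000 0x00000000000000 r-- /home/gal/workspace/hackthebox/spooky-time/challenge/spooky_time
0x00555555555000 0x00555555556000 0x00000000001000 r-x /home/gal/workspace/hackthebox/spooky-time/challenge/spooky_time
0x00555555557000 0x00555555558000 0x00000000002000 rw- /home/gal/workspace/hackthebox/spooky-time/challenge/spooky_time
0x007ffff7d90000 0x007ffff7d93000 0x00000000000000 rw- 
0x007ffff7d93000 0x007ffff7dbb000 0x00000000000000 r-- /home/gal/workspace/hackthebox/spooky-time/challenge/glibc/libc.so.6
0x007ffff7dbb000 0x007ffff7f50000 0x00000000028000 r-x /home/gal/workspace/hackthebox/spooky-time/challenge/glibc/libc.so.6
0x007ffff7fac000 0x007ffff7fae000 0x00000000218000 rw- /home/gal/workspace/hackthebox/spooky-time/challenge/glibc/libc.so.6
"""
ROW = re.compile(r"^(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)\s+([rwx-]{3})\s*(\S*)$")

def parse_vmmap(text):
    """Return (start, end, file_offset, perm, path) per row; addresses as ints."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # header, legend and prompt lines do not match and are skipped
            s, e, off, perm, path = m.groups()
            rows.append((int(s, 16), int(e, 16), int(off, 16), perm, path))
    return rows

def module_ranges(rows):
    """Collapse segments into {path: (base, end)}; anonymous mappings are dropped."""
    ranges = {}
    for start, end, _, _, path in rows:
        if path:
            lo, hi = ranges.get(path, (start, end))
            ranges[path] = (min(lo, start), max(hi, end))
    return ranges

def locate(rows, addr):
    """Return (path, perm, addr - module base) for addr, or None if unmapped."""
    bases = {path: rng[0] for path, rng in module_ranges(rows).items()}
    for start, end, _, perm, path in rows:
        if start <= addr < end:
            return path, perm, addr - bases.get(path, start)
    return None

if __name__ == "__main__":
    rows = parse_vmmap(VMMAP)
    for path, (base, end) in module_ranges(rows).items():
        print(f"{path.rsplit('/', 1)[-1]}: {base:#x}-{end:#x}")
```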